VIRUS-L Digest   Thursday, 27 Apr 1995    Volume 8 : Issue 44

Today's Topics:

    Virus Hoaxes - How Many??
    How do unix viruses work? (UNIX)
    Symptoms: Anyone know what this might be? (PC)
    Virus vs. NetWare (PC)
    Stoned virus (PC)
    Invircible (PC)
    IV strikes out! (PC)
    CMOS virus?? (PC)
    Characteristics of Joshi. (PC)
    HELP - infected boot sector - DA'BOYS (PC)
    Re: Allocation??? (PC)
    Re: Can this HardDisk be saved? (PC)
    Re: LILO and the MBR...please help (PC)
    Re: removing Natas (PC)
    Re: Trying to figure out if I have a virus... (PC)
    B1 Virus: Definition? (PC)
    QUESTION about MONKEY/STONED/EMPIRE (PC)
    Natas vs VET (PC)
    Re: Need help with NATAS! (PC)
    Re: Warning NEW Virus (PC)
    Re: One Half Virus - Anybody know? (PC)
    a Tai-Pan incident (PC)
    Clean.dat was infected? (PC)
    Stoned.Angelina on bootsector D-drive (PC)
    Re: Need Info about viruses? Get VSUM... (PC)
    Haifa and Da'boys Virus (PC)
    Re: InVircible is a Trojan Horse! (PC)
    Effectiveness of Sophos Sweep (PC)
    Need info on Steath-C (PC)
    Re: Junkie Virus (PC)
    Re: Invircible Strike One (PC)
    Re: Monkey B virus (PC)
    Re: Need help selecting virus softwares (PC)
    Here's info on new(?) virus "Havoc ][". Discussion Welcome. (PC)
    Lack of virus info (PC)
    ** Does my comp have a virus? ** (PC)
    Re: MS AntiVirus (PC)
    Re: Software to archive boot sector viruses? (PC)
    Re: Monkey B virus (PC)
    Re: die hard 2 virus - help! (PC)
    Re: ANTIEXE Virus (PC)
    Re: Anti CMOS virus cleaner (PC)
    Re: Crazy Boot Virus (PC)
    Re: HELP!! DH2 Virus (PC)
    Re: Mail Spooler detected virus (PC)
    Re: How many antivirus products does it take? (PC)
    Re: Best AV Product (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.)

Please sign submissions with your real name; anonymous postings will
not be accepted. Information on accessing anti-virus, documentation,
and back-issue archives is distributed periodically on the list. A FAQ
(Frequently Asked Questions) document and all of the back-issues are
available by anonymous FTP on CORSA.UCR.EDU. Administrative mail
(e.g., comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 25 Apr 95 12:41:34 -0400
From:    olpopeye@ix.netcom.com (Walter Murdock)
Subject: Virus Hoaxes - How Many??

Okay, I blew it. Never claiming to be an "expert" or NetGod or other
guru, I stupidly fell for and reposted a Hoax message about a "deadly"
computer virus recently on another newsgroup. Well, it's been a week
and I'm STILL getting nastygrams on the subject. There's so much CO-2
around here from putting out the flames that one could skate on it.

Question: I'm well aware of the several lists of "real" viruses; no
huhu. However, is there a list anywhere of Virus Hoaxes for future use?
                                     ^^^^^ ^^^^^^
If so, can someone please post here or better yet, EMail me a copy to
either address below?

Mille Grazie in advance!

Regards, Walt

Walter E. Murdock               olpopeye@ix.netcom.com
                                olpopeye@svpal.org
U.S. Navy Retired               Computer Virus Ignoramus
ex-"Mustang" & Proud Of It.     par excellence!

------------------------------

Date:    Mon, 24 Apr 95 03:37:49 -0400
From:    sam@wipinfo.soft.net (Samiullah S.M)
Subject: How do unix viruses work? (UNIX)

Dear readers,

How do viruses on unix work, given the fact that there is so much
protection (permissions)? I shall be grateful if someone could
elaborate on the modus operandi of the unix viruses.

Also I can understand if in e-mail some characters are sent so that
the terminal at the other end gets programmed, like esc getting
programmed for rm -rf *, but that is not a virus.
I shall be grateful if someone could elaborate on the modus operandi of
viruses sent by e-mail.

Regards

------------------------------

Date:    Tue, 25 Apr 95 11:00:47 -0400
From:    Harold Sinclair
Subject: Symptoms: Anyone know what this might be? (PC)

This is long. Apologize. But I never saw anything like it. Has anyone?

Running netware/tokenring/dos6.2/win3.1

email also to uswlxhas@ibmmail.com

Thanks to everyone

Symptoms/History

1) Booted one PC from the hard drive and after machine did memory test
and tried to load dos received message:

  Non-system disk or disk error, remove and press any key to continue.

(There is no diskette in drive a:) Same result after 3 tries. Then boot
machine from a system diskette. Look in c:\ with dir /ah and find that
files io.sys and msdos.sys do not exist. Copy these two files back into
the c:\ directory. Tried to boot from hard drive, receive Non-system
disk error message again.

Boot again from floppy and run disktool.exe on c:

Disktool reports: Unable to make disk bootable, unable to move cluster
67 to cluster 2 (this is from my memory. I think those were the
numbers. It was definitely cluster 67.) Use NDD to correct.

Ran ndd on the drive, twice. No errors were found on drive c:

Attributed the event to cosmic uncertainty, booted the pc and copied a
picture of the c:\ drive to a network drive. Reformatted the local
drive, and copied all files back down. Everything seems back to normal
at workstation.

2) Three weeks later, another workstation won't boot from the hard
drive, with the same non-system disk or disk error message. Boot from
floppy and look in the root for dir /ah, to find that io.sys and
msdos.sys are again gone.

A file called bank.wk4 exists in c:\ which the user had put there after
receiving it as an email attachment. Further search of the hard drive
reveals a directory called: c:\123r4w\. It has subdirectories
\bank.wk4 and \apps\organize. This directory and structure did not
exist before.

The file io.sys is in the directory c:\123r4w\bank.wk4. Its date and
size are the same as the files in the DOS directory. The branch
\apps\organize is a copy of an existing branch on the c:\ drive. The
entire directory's creation date is the day before the machine
wouldn't boot.

Ran disktool on c: to try to make it bootable, with the same message as
above: unable to move cluster 67 to cluster 4. I think it was 4 this
time. Use NDD to correct. NDD reports no problems on drive c:.

Ran NAV on the drive (update April 01, 1995, for version 3.0) Scanning
all files, no viruses detected. Ran McAfee with the same results, no
viruses found, all files scanned.

Receive advice from NAV tech support by phone to try fdisk /mbr. This
does not solve the problem; the pc still won't boot from the c:\ drive.

Copy files down to lan off workstation and reformat drive, copy them
down, everything seems ok on the workstation now.

3) Go to look at the picture of the workstation's c: drive on the
network drive, before deleting it. The directory \123r4w\ is there but
its subdirectory structure is different from the workstation it came
from, and it includes a subdirectory structure from somewhere else on
the lan, like: \123r4w\programs\. \Programs\ has 6 subdirectories.

Use the dos 6.2 deltree command from the network directory immediately
above to delete the picture of the c: drive, as:

  P:> deltree cdrive

The deltree command takes a minute to remove (or so it seems) the
cdrive directory.

  P:> dir

reveals that cdrive has not been removed. The directories
\cdrive\123r4w\ and \cdrive\cpqdos (for compaq dos, from the oem) are
still there. These are not hidden or read-only.

Thanks again, uswlxhas@ibmmail.com

------------------------------

Date:    Sun, 23 Apr 95 04:25:52 -0400
From:    rbe@stud.hibo.no
Subject: Virus vs. NetWare (PC)

I'm working on a problem with virus vs. NetWare. Does anyone of you
have information on this subject or any information about where I can
get such information??
I'll be grateful if someone could mail it to rbe@cyber.hibo.no

Greetings from Rune

------------------------------

Date:    Sun, 23 Apr 95 06:27:00 -0400
From:    bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: Stoned virus (PC)

gcluley@sands.co.uk writes

netz@actcom.co.il (Zvi Netiv) writes:

>You are misinformed. Because the place that Stoned stores the original
>boot sector does not change according to the kind of diskette it
>infects, it causes problems on 1.2MB floppies if they have more than 32
>files, by overwriting the directory entries for files 33 to 48, and

I have never seen Stoned B infect 1.2 MEG diskettes.

Bill
bill.lambdin@woodybbs.com   9CCD47F3C765CA33
blambdin@aol.com            PGP fingerprints   C77D698B260CF808
- ---
 * CMPQwk 1.4 #1255 * VIOLATOR activates after Aug 14th, 1990

------------------------------

Date:    Sun, 23 Apr 95 06:27:02 -0400
From:    bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: Invircible (PC)

Iolo Davidson writes

>I believe Vesselin just pointed out that Invircible could not
>cope with some existing boot sector viruses.

Also add Tremor, and most if not all companion infectors.

InVircible has some rather serious flaws, but it wouldn't take much
work to close these problems.

Bill
bill.lambdin@woodybbs.com   9CCD47F3C765CA33
blambdin@aol.com            PGP fingerprints   C77D698B260CF808
- ---
 * CMPQwk 1.4 #1255 * JERUSALEM (Payday) activates Fridays (not 13th)

------------------------------

Date:    Sun, 23 Apr 95 06:27:57 -0400
From:    bill.lambdin@woodybbs.com (Bill Lambdin)
Subject: IV strikes out! (PC)

I'm not scared of IV (I use and recommend generic virus detectors
myself). I just wish IV offered the level of protection that ZVI claims
it does.

The users of IV should be afraid. Be very afraid. These are facts not
fiction.

IV DOES NOT detect Tremor active in RAM or on infected files when
Tremor is active in RAM.

IV DOES NOT detect companion infectors.

IV DOES NOT check the entire file, but only gathers a small signature.

IV DOES NOT have an option to check the integrity of all files. Many
viruses also infect files regardless of extension as they are loaded
and executed with DOS function call B4h when accessed through INT 21h.

IV DOES NOT detect 100% of all viruses (As Zvi claims).

IV DOES NOT remove 100% of all viruses (as Zvi claims).

IV DOES place the integrity data files on the hard drive, leaving them
open to attack from viruses.

IV DOES name all integrity data files the same. If the integrity data
files are deleted or corrupted, the generic detection is removed.

IVSCAN DOES detect a whopping 15% of my collection. AVP, F-Prot, and
TBAV only detect 98+% of my virus collection.

That's 10 strikes Zvi. How many strikes do you need in your version of
Baseball? I have already struck out InVircible three times and then
some. Do you want me to throw some more strikes?

I can use any A-V software I want. I certainly don't use IV, and will
never recommend it until these security holes are patched. I wish Zvi
would patch these gaping security holes instead of continuing to spout
the 100% detection and removal rubbish. It would not take much time or
effort to close these security flaws and turn IV into a decent A-V
program.

Bill
bill.lambdin@woodybbs.com   9CCD47F3C765CA33
blambdin@aol.com            PGP fingerprints   C77D698B260CF808
- ---
 * CMPQwk 1.4 #1255 * JERUSALEM activates Friday 13th

------------------------------

Date:    Sun, 23 Apr 95 09:03:48 -0400
From:    asu1@cornell.edu (A. Sinan Unur)
Subject: CMOS virus?? (PC)

Hi,

I have a (seemingly) small problem the source of which I am unable to
identify. A couple of days ago I by-passed my config.sys and
autoexec.bat files and realized that the computer reported only 639K
memory instead of 640K. I booted from the DOS disk I had prepared the
day I got my computer and used F-PROT and SCAN to check but they
reported no viruses.
When I boot normally, mem reports 640K but if I bypass the startup
files, it says I have 639K. Also, I have quite an old copy of PC-TOOLS
which (when I boot normally) says the DOS reports 639K.

Anyway, after reading a couple of postings in this group about the CMOS
virus, I decided to try the FDISK /MBR remedy. Nothing seems to have
changed.

Does anyone think I really have the CMOS virus or something similar, or
is there an explanation for this which I am not able to see (like the
extended-BIOS area or something like that)?

Responses will be greatly appreciated. If you so prefer you can send me
e-mail at asu1@cornell.edu.

Sinan.

------------------------------

Date:    Sun, 23 Apr 95 11:00:08 -0400
From:    Simon Davies
Subject: Characteristics of Joshi. (PC)

I have sometimes got warnings of this virus on my system. Can anyone
give me some advice as to how this virus manifests itself? As I am not
sure if it is just a false-alarm.

Thanks.

(*******************)
*Simon Davies       *
*s2davies@plym.ac.uk*
(*******************)

------------------------------

Date:    Sun, 23 Apr 95 14:50:20 -0400
From:    Kerfurdt@sam.NeoSoft.com (Insert Name Here)
Subject: HELP - infected boot sector - DA'BOYS (PC)

While running a regular virus scan I found that the boot sector on my
PC may be infected with DA'BOYS virus. All of the files on my hard disk
test negative for the virus though. I would appreciate any answers
anyone can give. When I tried running CLEAN on my PC it said that it
couldn't clean this particular virus.

HELP!

kerfurdt@sam.neosoft.com

------------------------------

Date:    Sun, 23 Apr 95 15:02:33 -0400
From:    ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: Allocation??? (PC)

James@stega.smoky.ccsd.k12.co.us (JAMES PAK) 19 Apr 1995 10:57:46 -
Wrote:

Hello:

>Hi. I think I have a virus, but any of my virus checkers can't detect
>it.

What kind of AV Software did You use?? Maybe some older ones. BTW, did
You note some files growing in Your system, slowdown of Your PC,
unexpected hangs??? These are symptoms of virus presence in a system.
Look for them.

>From time to time, I get file allocation errors if I type "chkdsk." I
>hope I find a cure for this virus like problem.

Well, this will be hardware errors or something bad if You have a virus
and are currently using compression software like "Doublespace" or
similar. It is not a good idea to repair allocation errors with Chkdsk.
If You have a Virus these errors will continue appearing.

Try to get this Software:

- - Integrity Master Version 2.42 c. (Shareware)
- - F-prot Version 2.17
- - TBAV

Regards

Ruben Arias

- -----------------------------------------------------------------------------
Ruben Mario Arias                         E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus
Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date:    Sun, 23 Apr 95 15:49:26 -0400
From:    djlevine@umich.edu (Daniel Jed Levine)
Subject: Re: Can this HardDisk be saved? (PC)

Apparently, my PC has been infected with, as F-PROT refers to it,
STONED.EMPIRE.MONKEY.B. After booting off of a floppy, I discovered
that F-PROT can not access my Hard disk, which was, according to
F-PROT's virus definitions, characteristic of MONKEY (and perhaps
Empire, I don't know...)

Problem: as the only other computers that share disks with my PC are
Macs, I don't scan often, and have a great deal of information that is
not backed up, etc. My idiot roommate, however, was not quite so
bright, and simply used an infected disk in my machine without checking
it.

What is advisable in this situation? Should I run f-prot without memory
checking? Reformatting, etc., is the last thing I want to do. I was
saving up to buy a tape drive this summer, to avoid just this sort of
problem from occurring. If I leave my computer on for a while (I do
anyways), will I be fairly safe? What are the long-term destructive
effects of this virus?
Since I don't use disks, will I be safe if I just leave it alone?

Please answer ASAP to this group or (preferably) to djlevine@umich.edu.

Thanks - Dan

: S.
: - - --
: sig II Still Under Construction ...

------------------------------

Date:    Sun, 23 Apr 95 19:53:48 -0400
From:    ltravis@ibm.net
Subject: Re: LILO and the MBR...please help (PC)

elk@cb.att.com (nd33023d0-Ed King(CB2004)000) writes:

>Can someone please tell me how to rewrite the MBR on a hard drive
>to what it *should* be?

Have you tried to use FDISK to recreate the partition(s)? That might do
the trick for you. Otherwise, if Linux is still on the hdd, re-run the
Lilo setup, telling it to default to the DOS partition at boot time.

Hope this helps...

------------------------------

Date:    Sun, 23 Apr 95 21:54:31 -0400
From:    "Lic. Jose Anaya P."
Subject: Re: removing Natas (PC)

"A.Appleyard" wrote:

> When will VET and SCAN (or any other antiviral) remove NATAS from files
> properly????

Just use F-PROT 2.14+ and get rid of Natas forever. As far as I can
tell, F-PROT shareware solved the problem of Natas infections from
version 2.14. The Professional version did it from 2.12c.

Best regards,

Jose

------------------------------

Date:    Sun, 23 Apr 95 21:59:51 -0400
From:    "Lic. Jose Anaya P."
Subject: Re: Trying to figure out if I have a virus... (PC)

michael@karlsberg.usask.ca (Michael Craggs) wrote:

> Quote begins
However, whenever I exit Windows, my disk drive accesses for
approximately 2 minutes. I tried removing smartdrv, the swap file,
wiping clean win.ini and system.ini and also scanning and defragmenting
the hard drive, but nothing seems to affect it.
> Quote ends.

Just by chance, do you have stacked or in any other way compressed your
hard disk? It seems your Windows is working hard to remove its temp
files.

Regards,

Jose

------------------------------

Date:    Sun, 23 Apr 95 22:21:37 -0400
From:    cschweiter@lightside.com (Grafix)
Subject: B1 Virus: Definition? (PC)

I just worked on a computer whose hard drive was pretty well chewed up
by a virus called the B1. Does anyone have any information on this
virus? So far all I know about it is that it causes a Data Read Error
all over the HD. It looks to me like it munches the partition table, or
goes in and corrupts the format of the drive.

------------------------------

Date:    Mon, 24 Apr 95 00:19:53 -0400
From:    djlevine@umich.edu (Daniel Jed Levine)
Subject: QUESTION about MONKEY/STONED/EMPIRE (PC)

I have what I feel MIGHT be a unique problem, which is not explained
anywhere in the numerous FAQ's, etc, I've looked at.

Yesterday night, I came back to my room and found my screen blank, and
my CPU issuing a periodic beep. I rebooted and everything was fine.
Curious, I ran F-PROT, which stopped after the memory check, warning of
the presence of STONED. I tried booting from a floppy, but could not
access my HD - the error message was the one referred to as symptomatic
of monkey in the description. I don't recall specifically what it was.

I spent much of last night running and re-running F-PROT, with the same
result every time, after multiple boots, etc. I got the same result
early this morning, with FP-216 and 217. I didn't have a copy of 217 at
first, but finally got one from a clean machine and ran it.

This morning, it found what it called monkey to be present. When it
asked if I wanted it to disinfect, I answered yes, and it gave me an
error message basically saying I have no C: drive, which makes sense,
according to FP's description.

Here's the weird part. I tried running killmnk3, from a clean floppy.
It found nothing. Or at least I think the floppy was clean. In any
case, killmonk detected and did nothing at all.

Now, however, both versions of F-PROT work from floppy and HD, and
there is no virus found. I am also able to boot from A: and then access
C:.

Do you have any idea what's going on?
I'd be glad to answer (or try, at least) any other questions, but I'm
kind of at a loss beyond what I've said.

Thanks,

Dan

------------------------------

Date:    Mon, 24 Apr 95 02:56:25 -0400
From:    jakub@tmxmelb.mhs.oz.au (Jakub Kaminski)
Subject: Natas vs VET (PC)

A.Appleyard writes:

> The VET that we have deletes Natas-infected files instead of cleaning them.
>That is a nuisance, because I then have to restore the files.
> The McAfee SCAN that we have, on finding a NATAS-infected file, shies at it
>and leaves it alone. That is a nuisance and a treacherous danger, as NATAS can
>corrupt directory trees.
> When will VET and SCAN (or any other antiviral) remove NATAS from files
>properly????

VET could detect infected files, detect Natas in memory, detect and
clean infected boot sectors. Since version >8.2 (8.20+) it can restore
original programs.

Regards,

Jakub

jakub@tmxmelb.mhs.oz.au (Jakub Kaminski)
CYBEC Pty Ltd.                      Tel: +613 521 0655
PO Box 205, Hampton Vic 3188        Fax: +613 521 0727
AUSTRALIA

------------------------------

Date:    Mon, 24 Apr 95 02:59:59 -0400
From:    aa484@freenet.Buffalo.EDU (Bill Jenney)
Subject: Re: Need help with NATAS! (PC)

In a previous article, JYCW25B@prodigy.com (Dosdevil Mackenzie) says:

>The real problem seems to be NATAS. I can't boot from the hard drive, and
>no utilities can seem to get rid of it. I've already tried formatting,
>wiping the drive, and have considered unplugging the battery. Also,

You will need a RECENT copy of F-PROT and/or SCAN 2.2 and maybe some
luck.

------------------------------

Date:    Mon, 24 Apr 95 03:09:04 -0400
From:    Stefan Kurtzhals
Subject: Re: Warning NEW Virus (PC)

Martin Overton wrote:
>
> A new virus has been discovered in the UK. It
> was passed to me for analysis by one of the infected sites.
>
> Details known to date:
> - ---------------------

It's also a fast-infector and will destroy data VERY fast if it becomes
resident before SMARTDRV or any other disk-cache. It takes 1616 (1632)
Bytes of memory which are labeled with the filename of the program
which activated the virus.

> Tests:
> - -----
> A sample infected file was scanned with the following products:

[ some stuff deleted ]

Well, the virus isn't unknown at all. TBAV 6.34 will find all samples
as QUICKY, and AVP with the latest updates will detect it as V.1376 and
is able to clean the virus.

> Infections Known to date:
> - ------------------------
> Three systems in the UK
>
> If the above is true it may be 'in the wild' in Germany also.

It's in the wild in Germany, especially around Munich. It was spread
with an infected mouse-driver.

bye,
Stefan

------------------------------

Date:    24 Apr 95 10:18:44 +0200
From:    gara@ludens.elte.hu
Subject: Re: One Half Virus - Anybody know? (PC)

woloshin@emr1.emr.ca (Dale Woloshin) writes:

> McAfee 2.1.5 has discovered occurrences of the "One Half Virus" on one of
> the new PC's coming into our department.
>
> McAfee's Virlist does not have any record of it (listed as N/A), nor does
> my copy of Hoffman's VSum.
>
> It has so far infected four .EXE files on the infected PC, and does not
> seem to be in memory.
>
> I am looking at this pc tomorrow morning, and if anyone happens to have
> information on it, I would appreciate hearing from them.

Hello Dale!

The One Half is a very intelligent virus from Slovakia. If I know well,
this virus sits at the end of the conventional memory so when you use
mem command you will see perhaps 636 Kb memory.

The best program for your problem is onehalf.zip, which can be found on
ftp.elf.stuba.sk server and in pub/pc/avir directory.

I hope you will solve your problem successfully.
Peter Gara
gara@ludens.elte.hu

------------------------------

Date:    Mon, 24 Apr 95 05:10:30 -0400
From:    "A.Appleyard"
Subject: a Tai-Pan incident (PC)

enok@lysator.liu.se wrote to djgpp@sun.soe.clarkson.edu on Thu 8 Dec
1994 15:23:43 +0100 (Subject: go32 error solved!):-

  At the moment I [= ENOK@LYSATOR.LIU.SE] feel extremely embarrassed
  for taking up your [= the djgpp email group's] time. The problem I
  have been yelling about for a week now was caused by a virus
  (Whisper: TaiPan for anyone interested). The virus infected all .exe
  files smaller than 64kB (gas and sed for example) and caused some
  strange errors (specially when an infected stub was merged with a
  coff-file using an infected coff2exe). I finally noticed the changed
  lengths of the exe files and the string "Whisper presents TaiPan" in
  the code.

  Thanks anyway for your help in this, a side-effect of this is that I
  have learned a lot about gcc and djgpp.

  /Oskar Enoksson

------------------------------

Date:    Mon, 24 Apr 95 06:51:16 -0400
From:    wl.leung@auckland.ac.nz (Evans Leung)
Subject: Clean.dat was infected? (PC)

I downloaded the scn-221e.zip from mcafee.com on Sunday and also
fp-217.zip from oak.oakland.edu

To my surprise, when I run f-prot to scan the whole hard disk (which
contains the clean.dat from scn-221e.zip), it complains that clean.dat
had been infected by "Possibly a variant of November_17th", HUH?

Of course, there is no problem when I am using Scan to scan it.

Makes me wonder why it happens... :)

- --
Evans Wing Lun Leung
Department of Electrical & Electronic Engineering
School of Engineering, University of Auckland.
Private Bag 92-019. Auckland. New Zealand.
Phone: 64 09 373-7599 ext. 8151
Fax  : 64 09 373-7461
Email Address: wl.leung@auckland.ac.nz
http://www.auckland.ac.nz/ele/staff/leung/index.html

------------------------------

Date:    Mon, 24 Apr 95 07:28:24 -0400
From:    AMSSXXS@typeb.sita.int
Subject: Stoned.Angelina on bootsector D-drive (PC)

We have seen several cases of infection with the Stoned.Angelina virus.
A few of these infections were on harddisks with several partitions
(drive C:, D: and E:) which were all infected. TbScan claims to find it
on all partitions but TbUtil refuses to clean it.

Can anybody tell me of a simple and safe way to remove the virus. Also,
would this create extra problems in a system with several boot options
like with OS/2's bootmanager?

Thanks!

Dries

- ------------------------------------------------------------------------
Dries Bessels          Telephone    -> +31-20-6069147
RIME -> REFLEX         SITA Network -> AMSSXXS
FAX  -> +31-20-6812021 Internet     -> AMSSXXS@typeb.sita.int
FIDO -> 2:280/202      Snailmail    -> Heathrowstraat 10, 1043CH
                                       Amsterdam, The Netherlands
- ----------------------- Windows '95: The last word in Plug 'n Pray -----

------------------------------

Date:    Mon, 24 Apr 95 07:45:17 -0400
From:    gcluley@sands.co.uk
Subject: Re: Need Info about viruses? Get VSUM... (PC)

swidlake@rl.ac.uk (S Widlake) writes:

> Seconded. The best (anti-) virus info. is IMHO in old copies of Dr.
> Solomon's AVTK - a couple of pages on each virus - unfortunately
> these old manuals aren't too good for the newer viruses but we don't
> get too many of them. By "old", I mean a couple of versions ago.

Thanks for the recommendation. We're working on making our virus
information even better with a new version of the Virus Encyclopaedia
book released later this year.
Regards

Graham

- ---
Graham Cluley [gcluley@sands.co.uk]
Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit
S&S International PLC, UK
CompuServe Tech Support: GO DRSOLOMON
UK Support: support@sands.co.uk       UK Tel:  +44 (0)1296 318700
USA Support: 72714.2252@compuserve.com USA Tel: +1 617 273 7400
- ----- Free tech support: 800-595-9175. Registered USA customers only! -----

------------------------------

Date:    Mon, 24 Apr 95 07:56:01 -0400
From:    g95i0563@warthog.ru.ac.za (MR BVW IRWIN)
Subject: Haifa and Da'boys Virus (PC)

Hi

Could anyone send me further information about these viri?

thanks

Barry

- ----------------------------------------------------------------------
Barry Irwin aka Balin on IRC       |These views are solely my
G95i0563@kudu.ru.ac.za             |own and have nothing to
G95i0563@warthog.ru.ac.za          |do with Rhodes.  }8)
Tel +27 461-24800
Snail: Box 972, Grahamstown, 6140, South Africa
____________________________________________________________________

------------------------------

Date:    Mon, 24 Apr 95 11:00:22 -0400
From:    oliver@cs.unc.edu (Bill Oliver)
Subject: Re: InVircible is a Trojan Horse! (PC)

Vesselin Bontchev wrote:
>Hello everybody,
>
>Recently there has been a lot of hype about the anti-virus product
>called "InVircible" produced by Zvi Netiv from NetZ Computing Ltd.,
>Israel, and distributed as shareware by several companies - mostly
>in the USA...
>
> [complains that it deletes some specifically-named viruses]

Isn't calling this a trojan-horse a little strong? Just about all
installation scripts for larger programs on the PC that I am aware of
do some writing and deleting -- particularly Windows programs. The more
considerate of these programs tell you what they are doing, and ask you
before they delete what may be assumed to be files created by a
previous installation. The less considerate ones don't tell you about
those basic assumptions.

My impression is that there is a difference between being a trojan
horse and being poorly designed. Admittedly the difference may amount
to little more than intent in some cases. Nonetheless, I suggest the
label of "Trojan Horse" is a little strong. Maybe he dislikes gender
stereotypes in Jungian analysis rather than having it out for your
capital? :-)

billo

------------------------------

Date:    Mon, 24 Apr 95 11:05:16 -0400
From:    j.s.elrick@stir.ac.uk (Ian Elrick)
Subject: Effectiveness of Sophos Sweep (PC)

Hello

I am looking for some advice on the effectiveness of Anti-virus
protection using client-server sophos sweep. My site has approx 1000
PCs and Apple Macs. Our current approach is for PCs to run a standalone
AV package such as F-prot.

Can anyone comment on the performance of the sweep scanner compared to
F-Prot???

Thanks in advance.

Ian Elrick

------------------------------

Date:    Mon, 24 Apr 95 11:19:53 -0400
From:    kruise@rs6a.wln.com (kruise)
Subject: Need info on Steath-C (PC)

We recently got hit by the stealth-c virus. Does anyone know what
damage it's capable of doing? This question seems to be posted often
but never answered.

kruise@wln.com
kreuzrsk@dfw.wa.gov

------------------------------

Date:    Tue, 25 Apr 95 09:33:37 -0400
From:    coreilly@calvin.stemnet.nf.ca (Cyril E. O'Reilly)
Subject: Re: Junkie Virus (PC)

Sean Flynn (sflynn@freenet.vancouver.bc.ca) wrote:

: Does anyone have any information on this virus? What it does, how it
: works, what sets it off, what it infects, how badly, etc. Also, how do
: you get rid of it? Several of my friends have found it's little
: footprints on their computers (so far I seem to be lucky) but we've had
: no luck getting rid of it. Each time one of them thinks he's cleaned it
: off his harddisk, it appears again. I'd appreciate any help and advice
: any of you can give. Thanks.

I'm not sure about the "how's" and "where's" but I was able to remove
this virus from about 25 computers by using McAfee 2.17. I used the:

  scan /clean

command and it removed the virus. (or so it said. :-))

I'm fairly certain that this version of McAfee is at any of the simtel
mirrors in the msdos/virus directories.

Good luck,
Cyril

- --
Cyril O'Reilly                    St.Edward's Elementary
coreilly@calvin.stemnet.nf.ca     P.O.Box 149  15 Atlantic Ave.
Placentia, A0B 2Y0                Placentia, Nfld. A0B 2Y0
227-2911/2924: FAX-227-5314

------------------------------

Date:    Tue, 25 Apr 95 09:47:56 -0400
From:    rogert@mindspring.com (Roger Thompson)
Subject: Re: Invircible Strike One (PC)

xdos@cybrtxt.com (Race Banner) writes:

>Date: 25 Apr 1995 10:43:44 -0000

>>Normally I'm a die hard fan of Invircible, and I also use McAfee and
>>F-Prot to be totally sure. I found one today that Invircible missed.
>>The virus is called Jerusalem.Sunday.Unam and F-Prot called it Jeru.1808(x).
>>Not a big deal to me because it was caught by the others, but for those
>>who only have IV, beware.

>You're right, it isn't a big deal. You used InVircible's IVSCAN in this test.
>InVircible is not a scanner based product. If you executed Jerusalem
>on your machine you would have found that IVTEST, IVINIT, and RESQDISK
>would have captured it.

Huh? Somebody's scanner missed _Jerusalem_??? Robert, that's not too
cool.

>ResQdisk would have removed it on reboot. Please try it and report the
>positive results you find. It is a simple boot infector.

No it's not. It's a program infector. There's enough confusion about
viruses without posting blatantly wrong advice to the unsuspecting
public.

Cheers

Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus System

------------------------------

Date:    Tue, 25 Apr 95 09:59:27 -0400
From:    rogert@mindspring.com (Roger Thompson)
Subject: Re: Monkey B virus (PC)

shari@stimpy.acofi.edu (Shari Saunders) writes:

>Date: 25 Apr 1995 10:43:48 -0000

>Posted this a couple of weeks ago....had monkey here at work and the ONLY
>thing that will remove it is Norton's Antivirus. Approx. $150. Tried Central
>Point, Symantec, and Fprot.....nothing would work. Good Luck!

What?
F-Prot might be an opposition product, but I refuse to believe it wouldn't remove Monkey.B. You must have had a _really, really_ old version.

Regards
Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus System

------------------------------

Date: Tue, 25 Apr 95 11:43:31 -0400
From: jfl@hobbes.cca.rockwell.com (Joe Lawrence)
Subject: Re: Need help selecting virus softwares (PC)

rc.casas@ix.netcom.com (Robert Casas) says:

>bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>>So, I stand firmly on my original opinion. Your product is next to
>>useless and I, as an anti-virus expert, wouldn't recommend it to
>>anybody.
>
>This kind of remark can hardly be called objective, Vesselin. It is
>far too generalized a statement for an empirically minded person
>to find useful. Your comment is evaluative rather than objective.

The dictionary defines empirical as "Relying on experience or observation alone often without due regard for system or theory". Sounds just like what you've been doing. Incidentally, empiric is defined as 1. charlatan 2. One who relies on experience alone.

>I am sure there are "anti-virus experts" who have a different
>evaluation of the product.

None that I've heard of. I've heard a few "unsolicited testimonials", though, and we know what they're usually worth. Just what you pay for them.

>You appear to focus on evaluative rather than objective issues. The
>former are so much more influenced by subjective, non-empirical
>factors.

Again, the dictionary defines evaluative as the adjectival form of evaluate "To determine the worth or significance of usu. by careful appraisal and study". Sounds just like what Vesselin's been doing. Are you sure you don't mean subjective? Evaluative makes little sense here.

>Indeed, an expert knows this and generally avoids biasing conclusions
>with evaluative comments and instead focuses on data. It is so simple
>to distort facts when such evaluative generalizations are made.
Again, the word evaluative is meaningless here. But it sure sounds great.

Joe Lawrence                  |"All opinions are mine, not Rockwell's"
Engineering Support Services  | To do is to be - Nietzsche
Rockwell International        | To be is to do - Sartre
jfl@hobbes.cca.rockwell.com   | Do be do be do - Sinatra

------------------------------

Date: Tue, 25 Apr 95 13:11:41 -0400
From: hoy@falcon.bgsu.edu (Jim Hoy)
Subject: Here's info on new(?) virus "Havoc ][". Discussion Welcome. (PC)

Our site is infected with (apparently) a rather new virus. We have called the virus by the name of "The Havoc ][ Virus", because that's what it calls itself in its code. It is not detected by F-Prot, nor is it identified by any of the other virus detection programs we have tried. A couple of the programs know something's wrong after a computer has been infected, but don't identify or protect against the virus.

Here's what we have observed about the virus so far:

After a hard drive has been infected:

The machine appears to run normally until it is booted from a floppy disk that is not infected with the virus. However, as soon as you boot the machine from a non-infected floppy disk, various problems become apparent, such as:

- -The system will not recognize drive C:.
- -The hard drive Master Boot Record has been changed.
- -The hard drive partition table is sometimes corrupted.
- -The machine can usually still be booted from drive C:.

As a quick check to see if a machine is infected, one can use the DOS MEMory command and see if CONVENTIONAL memory is 635K TOTAL rather than the 640K TOTAL that it should be. (The numbers may be different for different machine configurations, but you get the idea.) If 5K appears to be missing, the machine is probably infected.

We suspect that the virus attacks the MBR first, and then at a later time corrupts the hard drive partition table. When the partition table is corrupted, FDISK shows it as being a single **non-DOS** partition, typically with a length of zero bytes.
What it is:

The Havoc ][ Virus is a master boot record virus. It infects systems by reducing conventional memory by about 4.5K bytes and placing part of itself (the large payload) in that memory. It hides itself on disk by intercepting an operating system interrupt known as INT 13, which services disk and diskette operations. It appears to be either a member of the stealth boot sector viruses, or very similar. It is quite similar in some respects to the PMB virus recently observed at our site. The PMB virus was found and removed by the F-Prot anti-virus software, though F-Prot cannot, as yet, detect or correct Havoc ][.

What it does:

When the Havoc ][ virus receives control at the time an infected hard disk or floppy disk is booted from, it places itself in Random Access Memory (RAM), where it takes over certain functions of the computer. The computer RAM remains infected until it is rebooted from a "clean" floppy diskette or "clean" hard disk. While a computer is infected, a copy of the virus also frequently resides on the hard disk.

The virus appears to be designed so that once in a while (with a *probability* of 1/600) it will wipe out all of a large (such as 1.44 MB) floppy disk or much of a hard disk, making either unusable. This appears to occur when the computer's clock happens to be set at the very specific times (right to the second) of 00:00, 10:00, 20:00, 30:00, 40:00, or 50:00 (minutes:seconds) past any hour, at the time the machine is rebooted. The virus otherwise continues with less destructive activities.

It appears that infected computers will infect floppy disks (if they are not write protected) very quickly (usually every time). When "clean" systems are booted from an infected floppy diskette, the virus is always loaded into RAM from the floppy, but it isn't as clear how often the virus code that gets loaded into RAM proceeds to corrupt the hard drive.
Also, once a computer hard drive is infected by the Havoc ][ Virus, if the computer is booted from a floppy disk, another part of the virus needs to be loaded from an *infected* floppy disk each time the computer is booted, in order to put all the pieces of the virus together so the infected computer will be able to operate (of course, under control of the virus). If you boot an infected computer from a *non-infected* floppy disk, the computer will usually not be able to find the C: drive, since the virus will not be activated in RAM to tell the computer where it (the virus) has hidden the C: drive information.

On diskette, the virus writes some of its information at the end of the diskette. If any information was already stored there, it is replaced by the virus information. If, for example, that information is part of a file which exists at the end of the diskette, there are two implications. First, that particular part of the file is overwritten by the virus information and is lost. Second, if that particular information (belonging to the virus) in the file is changed, the virus (and the computer being booted) will probably be made inoperable when the changed information gets loaded into the computer as the computer boots from the floppy disk. This happens because the (now corrupted) virus information (that the infected computer needs when booted from that floppy disk) is now useless for making the infected computer operate.

This virus has infected a great many of our IBM and compatible computers at this University, disrupting classes, and doing essentially what the author must have wanted, --creating havoc!!

Is anybody familiar with this virus? Are there any scanners able to identify this virus and disinfect both computers and floppy disks? Any help or comments would be greatly appreciated!

Thanks.
Jim

- ----------------------------------------------------------------------
Jim Hoy                          |
Computer Security Administrator  | hoy@BGNet.bgsu.edu
University Computer Services     | Phone (419) 372-7752
Bowling Green State University   | FAX (419) 372-7723
Bowling Green, OH 43403 USA      |
- ----------------------------------------------------------------------

------------------------------

Date: Tue, 25 Apr 95 14:02:43 -0400
From: dgoza@flipper.alvin.cc.tx.us (David Goza)
Subject: Lack of virus info (PC)

need help-please! small college on a low budget. have 75 pc's in a lab with v-sign (cansu) virus and 2 major pc's with da'boys virus. have ftp'd, unzipped and tried all the programs available on the net and no luck. latest versions of mcafee and f-prot will detect but will not clean. any info or help would be greatly appreciated. please forgive me if this is not the right forum for this request, but i need help.

mr. dave

------------------------------

Date: Tue, 25 Apr 95 14:10:51 -0400
From: emcontre@acs3.acs.ucalgary.ca (Edgar Mendoza Contreras)
Subject: ** Does my comp have a virus? ** (PC)

I have a PC that occasionally reboots on me. I noticed that it happens right after I move the mouse. I have a serial mouse and no, there are no IRQ problems. Even if I was using the mouse for a bit and paused for a minute and used it again, it would reboot. I'm not exactly sure what else triggered it but that is what I noticed. This has happened to me several times now whether I was using Windows or even when I was playing a game in DOS. Has anyone else experienced anything like this or can anyone help me?

Thanks in advance.

Edgar

------------------------------

Date: Tue, 25 Apr 95 15:08:10 -0400
From: LXKK82A@prodigy.com (William Darling)
Subject: Re: MS AntiVirus (PC)

Hi, the installation instructions are in the "readme.txt" file on the floppy disc. Put disc in drive A and from "file mgr." click on the A drive icon "button"; you will see the file there.
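The symptoms in Jim Hoy's Havoc ][ report above (a changed master boot record, a partition table reduced to a single non-DOS entry of zero length, and 635K of conventional memory instead of 640K) can be checked mechanically from a saved sector image. The following is an added example, not code from this digest or from any of its contributors: a Python checker over a 512-byte MBR image that uses the standard MBR layout (partition table at offset 0x1BE, 55AA signature at 0x1FE) and compares the boot code against a copy saved while the machine was known to be clean. The sector images in it are constructed test data, and the non-DOS partition type 0x7F in the tampered sample is an arbitrary choice, not something the report states.

```python
"""
MBR sanity checker (added example, not from the digest). Automates the
checks in the Havoc ][ report: boot code that no longer matches a saved
clean copy, a partition table reduced to a lone non-DOS entry of zero
length, and conventional memory reported as 635K rather than 640K.
Every sector image here is constructed test data, not a virus sample.
"""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries live here
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE       # last two bytes of the sector
BOOT_SIGNATURE = b"\x55\xAA"

# Partition type IDs that DOS-era FDISK treats as DOS partitions
# (FAT12, FAT16 <32M, extended, FAT16, FAT32, FAT32 LBA, FAT16 LBA, ext. LBA).
DOS_PARTITION_TYPES = {0x01, 0x04, 0x05, 0x06, 0x0B, 0x0C, 0x0E, 0x0F}


def parse_partition_table(mbr):
    """Decode the four partition entries of a 512-byte MBR image."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack(
            "<B3xB3xII", mbr[off:off + PART_ENTRY_SIZE])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, clean_boot_code=None):
    """Return a list of findings; an empty list means nothing looked wrong.

    clean_boot_code is the first 446 bytes of an MBR copy saved while the
    machine was known to be clean (the baseline a boot-sector archive gives
    you); pass None if no such copy exists.
    """
    if len(mbr) != SECTOR_SIZE:
        return ["MBR image is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]
    findings = []
    if mbr[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if clean_boot_code is not None and mbr[:PART_TABLE_OFFSET] != clean_boot_code:
        findings.append("boot code differs from saved clean copy")
    used = [(i, e) for i, e in enumerate(parse_partition_table(mbr)) if e["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    for i, e in used:
        if e["sectors"] == 0:
            findings.append("partition entry %d has zero length" % i)
        if e["type"] not in DOS_PARTITION_TYPES:
            findings.append("partition entry %d has non-DOS type 0x%02X" % (i, e["type"]))
    return findings


def conventional_memory_missing_kb(reported_total_kb, expected_total_kb=640):
    """The MEM check from the report: KB of conventional memory unaccounted
    for (635K TOTAL on a 640K machine gives 5)."""
    return max(0, expected_total_kb - reported_total_kb)


def make_mbr(boot_code, entries):
    """Build a constructed MBR image from boot code and
    (status, type, lba_start, sectors) tuples; test data only."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:PART_TABLE_OFFSET]
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        sector[off:off + PART_ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed baseline: one bootable FAT16 partition of 2,000,000 sectors.
CLEAN_BOOT_CODE = (b"\xFA\x33\xC0" + b"constructed clean boot code").ljust(
    PART_TABLE_OFFSET, b"\x00")
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, [(0x80, 0x06, 63, 2_000_000)])

# Constructed "after infection" image: different boot code and, as in the
# report, a lone non-DOS partition entry (type 0x7F, arbitrary) of length 0.
TAMPERED_MBR = make_mbr(b"\xEB\x3C\x90" + b"constructed replaced code",
                        [(0x80, 0x7F, 0, 0)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, CLEAN_BOOT_CODE) or "ok")
    print("missing conventional memory:", conventional_memory_missing_kb(635), "K")
```

The boot-code comparison is only as good as the baseline, which is why it is optional: without a clean copy the checker still reports the partition-table damage, but a virus that changes only the boot code and leaves the table intact would pass. Run against a real sector you would read the 512 bytes from a saved image file rather than construct them.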
------------------------------

Date: Tue, 25 Apr 95 15:24:05 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Software to archive boot sector viruses? (PC)

Woody (woody@expert.cc.purdue.edu) writes:

> I have a collection of viruses and up until this point has only been
> executable files because they can be safely kept. I have heard that
> with boot sector viruses you can keep them safely by copying the boot
> sector to a file. Does any one know an easy way to do this. I am
> looking for either some software that will copy the boot sector or a
> method to do it. Any help appreciated.

First, let me mention that keeping just the boot sector is often not enough. True, many viruses (e.g., all Stoned variants) consist of only a single sector. However, several others (e.g., Ping Pong, Disk Killer, etc.) consist of several sectors which they place in different places on the disk - in clusters marked as bad, on the last track of the floppy, on an additionally formatted track, and so on. Therefore, it is advisable to use some kind of software that can keep a (possibly compressed) image of the whole infected diskette. A good one that I often use is TeleDisk - I think it can be found on SimTel - but several other such utilities undoubtedly exist.

However, if indeed all you want is to copy the boot sector of a floppy to a file, you can do it with DEBUG. Create a text file, say "debug.scr", with the following contents:

L 100 0 0 1
rcx
200
n drive_a.boo
w
q

Then you can use the command "debug < debug.scr" to read the boot sector of the floppy in drive A: and store it in a file named DRIVE_A.BOO. If you want to read from drive B: instead, replace the first line in the above script with "L 100 1 0 1".

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 25 Apr 95 15:59:49 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Monkey B virus (PC)

Shari Saunders (shari@stimpy.acofi.edu) writes:

> Posted this a couple of weeks ago....had monkey here at work and the ONLY
> thing that will remove it is Norton's Antivirus. Approx. $150. Tried Central
> Point, Symantec, and Fprot.....nothing would work. Good Luck!

I am afraid that you've got something slightly confused. First, Norton's Antivirus is sold by Symantec - so how can you say that it worked, while Symantec (?) not? Second, F-Prot can remove the Monkey viruses. Just make sure you boot from a clean floppy and use the /HARD option (because the drive C: will be inaccessible to DOS).

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 25 Apr 95 16:01:37 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: die hard 2 virus - help! (PC)

Michel Cherbuliez (cherbu@cui.unige.ch) writes:

> Try F-Prot 2.16, I guess this version is able to remove Die Hard 2.

No, unfortunately, F-Prot cannot remove the Die_Hard virus - neither version 2.16, nor version 2.17. Try AVP 2.1 instead - it can remove this virus.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 25 Apr 95 16:04:21 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ANTIEXE Virus (PC)

Gordon Taylor (gtaylor@io.org) writes:

> The only way I've ever found of getting rid of this virus is by
> deleting the infected files. The files, from what I understand, are
> unfixable because the virus REPLACES some of the existing code. Since
> the original code is destroyed, there is no way of knowing what it
> was, making it irreplaceable.

Sorry, but you are wrong. The AntiEXE virus does not infect files at all. It infects the DOS boot sectors of the floppy disks and the master boot records of the hard disks.

> If someone else finds a way to actually clean it, I'd love to hear of it.

Many anti-virus programs can remove it - F-Prot, AVP, etc. You can remove it from the hard disk even without any anti-virus program, using the FDISK/MBR trick.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 25 Apr 95 16:04:24 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Anti CMOS virus cleaner (PC)

Zule (idkajai@singnet.com.sg) writes:

> hi there, which antivirus software to use against this virus and where
> can i get it ? (by FTP)

Most good anti-virus programs can disinfect this virus. For instance, try ftp://oak.oakland.edu/SimTel/msdos/virus/fp-217.zip.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 25 Apr 95 16:07:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Crazy Boot Virus (PC)

Anhminh Tran (eaiu400@rigel.oac.uci.edu) writes:

> s anyone heard of the Crazy Boot Virus?? if you do.. I would like to know what
> i'm up against and how I would be able to kill it without losing anything..

It is really amazing how this incredibly buggy virus has succeeded to spread in the wild... Anyway, AVP 2.1 can remove it. You can get it from

ftp://ftp.informatik.uni-hamburg.de/pub/virus/progs/avp/

You'll need all files in that directory.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 25 Apr 95 16:10:50 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: HELP!! DH2 Virus (PC)

JaDe (jadestar@netcom.com) writes:

> If I've heard correctly, all you have to do is ZIP up the infected files
> (while DH2 is active in memory), delete them (and the copy of ZIP that
> you used to .ZIP them). and use a clean copy of PKUNZIP to restore the files.
> I've read that DH2 has a resident mechanism for detecting that its files
> are being compressed and uninfecting them on the fly. The apparent purpose
> was to slow down the submission of samples to AV companies (most of which
> ask for the samples to be .ZIP'ed
> Please, someone correct me if I'm wrong.

OK, you're wrong. :-) The reason why the PKZIP trick works is not because Die_Hard has any code to detect compression - it doesn't have any. The real reason is because this virus is full-stealth.
When PKZIP reads the infected file while the virus is active in memory, the virus presents to it the image of the original (uninfected) file. Since this is what PKZIP will put in the archive, this means that the archive will contain a disinfected copy of the infected files. This trick works with almost all full-stealth file infectors.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 25 Apr 95 16:12:43 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Mail Spooler detected virus (PC)

Ng Bee Yong (byng@technet.sg) writes:

> I encountered the following message on my networked PC (connected to Novell
> NetWare 4):
> Mail Spooler has detected a virus problem in a .dll
> Restall from a clean copy of ...
> I have run a number of anti-virus software on the entire server and cannot
> detect anything. I believe it is a false alarm from Microsoft Mail. Has
> anyone encountered the above before?

Hmm. No, I haven't seen it, but the reason might be because the DLL has become somehow corrupted and the program is checking the integrity of its files before using them. Try restoring that file from the originals and see whether the problem goes away.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 25 Apr 95 16:14:39 -0400
From: "Ken Kriesel, Physical Sciences Lab, UW-Madison"
Subject: Re: How many antivirus products does it take?
(PC)

njb@csehost.knoware.nl (Niels Bjergstrom) wrote:
>
> On Thu, 06 Apr 95 "Ken Kriesel, Physical Sciences Lab, UW-Madison"
> wrote:
>
> >Using 2 leading products might raise the probability of detection from 97%
> to 98 or so but one can not
> >reach levels of 99.9% even with several
> scanners. The lag between scanner updates and new virii
> >means (all numbers approximate) >7/day * 20 days = roughly 140 of which
> many likely will be missed by
> >generic detection techniques.
>
> Why do you assume that? Your argument merely illustrates that it is unsafe

Maybe unjustifiably. Based on responses I've previously received, which omit numerical values for the probabilities but indicate that scanners, by the nature of what they are looking for, tend to scan for similar groups. (The only ones worth scanning for are the known or generic code sequences which can be scanned for in a usable time period. Something like that.) I inferred that they were scanning for generic code fragments and still missing around 3% each. Maybe I just don't understand the terminology yet. Sorry, I'm new around here.

> to rely on scanners as the primary anti-virus defence. It does not

Yes, others who seem expert also said that, and I was summarizing their objection to a scanner-only approach. Also hoping for a recommendation of products (by name) which used together fill some of each other's blind spots.

> substantiate the notion that new vira will not be detected by
> generic/heuristic methods. The difference between scanners and generic
> methods is precisely that the generic methods, if correctly implemented,
> require that a new virus *technique* be invented to avoid detection. It is
> not important if five or 140 new vira are let loose, so long as these do not
> incorporate hitherto unknown (or unforeseen) principles. Considering the
> current level of virus inventiveness this involves well under 1% of the new
> vira.
> As for the risk of encountering a new virus which is inventive *and* a
> fast reproducer (much faster than the reaction time of the anti-virus
> community), we are talking very small figures.

I hope you are right. I was trying to assess how many new risks are out there at any given time. You seem to be saying it's likely (but certainly not guaranteed) each month's batch of new viruses has 0 or 1 new attack approach (well under 1% of roughly 140). Comparing that to a crude estimate of 140 individuals, that's much more encouraging. I have yet to see quantitative data from anyone that says what the risks are.

> If we consider a correctly implemented modern anti-virus system with a
> behaviour-checker as the first line of defence, a checksummer as the second
> and a scanner as the third, a virus in order to pose a real threat must be
> able to bypass two generic methods simultaneously, using hitherto unknown
> techniques. Most unlikely!

But if the virus was not detected before it hit my files, or before I generated checksums rather, that defense is gone. It seems a weak defense and likely to mislead. And if a virus is not detected yet by the commercial scanner I happen to be using, that leaves only the behaviour-checker as a defense to detect newly introduced virii, doesn't it? For new attack methods, the scanner doesn't yet cover them, and the behavior checker might be weak in the area of the new attack method. Then if such a virus gets onto my system in between times when I generate checksums for new files, by being able to defeat the behavior blocker, the virus is now incorporated into my checksum information. As you say, multiple defenses are better, but there are no guarantees.

>
> >It is unclear to me how to get a situation where the files are clean and
> the signatures saved are for the
> >uninfected file, regardless of which
> virus(es) may be around now or have been present for some time.
>
> In all questions of security, including Information Security, we operate
> with probabilities, levels of risk, levels of trust. There are no absolutes,
> and even the most rigorous risk analysis/risk reduction iteration will leave
> a residual risk, which must be *managed*, i.e. covered by insurance,
> contingency plans, etc. This is quite normal, and it is the case for
> computer vira as well as for fire or theft.

Well, I can pretty well determine whether my machine has caught fire or been stolen, at any point in time. I can not determine if it is or is not infected. This is a fundamental difference. The risks can be numerically comparable but the nature is clearly different.

> An important question to ask yourself in case you have to implement security
> on a network, is whether there are areas of the system (as shown by your
> risk analysis) that need *better than* baseline security, e.g. with regard
> to the virus risk. If so, take steps to implement better defences to cover
> the particular assets and processes in that part of the system. Isolate it.
> Run it on a VAX instead of on PCs. Use a diskette authorisation system that
> is virus immune. Same thing as when connecting to the Internet. You probably
> wish to prevent anonymous ftp to your administrative databases...:-).

I assume you mean running on a VAX changes the odds, but does not zero them. Same thing for any other environment. (Viable in a corporate environment if you are willing to trade off things like application availability and pricing, but not at home.)

(snip)

> Yes, and if those who decided to market the sub-standard operating systems
> used on most PCs had shown the least bit of responsibility instead of
> turning us all into their cash cows, we would not have had the problem at
> all. It is ironic that good 8-bit operating systems (e.g.
> LDOS and NEWDOS),
> which at least had started to address security issues, already existed (and
> only needed to be ported) at the time MS-DOS was chosen as the operating
> system of the future...! Some joke. :-(

Yup, we've traveled a strange path as the result of many steps which looked rational. Take memory management (Please!) Bill Gates understands the mass software market is like any other consumer market. Pricing isn't the only thing but it's big. In 1982, I saw MSDOS at $40, CP/M86 at $200, and UCSD? at $950. Guess what I bought. Security was a nonissue at the time. So were a lot of things. IBM called their pc operation Entry Systems Division for a reason. It's all us end users who let this happen.

------------------------------

Date: Tue, 25 Apr 95 16:24:37 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Best AV Product (PC)

naoh@yvax.byu.edu (naoh@yvax.byu.edu) writes:

> I've been doing some experimenting recently to try to determine which
> antivirus products are the best. And I've come up with the following
> conclusions. These opinions are mine and mine alone. I don't work
> for any AV companies, etc. Thunderbyte V. 6.30. Works great. It
> caught most of them, even the polymorphic ones. (I was using maximum
> heuristic scans, and it usually catches the following symptoms:
> Encryption, code that is usually generated by polymorphic viruses, and
> codes that aren't usually used on a 386-486.) It did have several
> false alarms.

[snip]

> The next best is F-Prot V. 2.17. It catches many viruses, although it
> won't even try to clean any that are not exactly known. (Any

Hm, according to my tests, F-Prot has a slightly better detection rate than TbScan - not much though, something like 96% vs. 94%. However, there is a slight unfairness in your tests. You have tested TbScan with "maximum heuristics". It is only fair to test F-Prot in a similar way. Try using the option /PARANOID.
Just like with TbScan, this will increase the detection rate - but will probably cause some false positives.

> variants, etc.) It missed the polymorphic ones, though. (But it

Which ones? In general, F-Prot performs rather well in polymorphic virus detection, although indeed there are some polymorphic viruses (e.g., the Uruguays) that it does not detect properly yet.

> probably detects most of the known common ones.) I also like the
> program VIRSTOP. It will detect boot sector viruses, and other
> _known_ viruses when they are run, and will deny access to that file.

Well, TBAV has a similar component - TbScanX.

> The only problem is that it only detects known ones, and I don't think
> it will detect any polymorphic ones, because that would take too much

That's not entirely correct. A more precise statement is to say that the detection rate of VirStop is significantly worse than that of F-Prot, and most of the problems are caused by polymorphic viruses.

> Plus, it will detect many
> viruses that are running in memory, and I don't think that TBYTE will.

Yep, TbScan is particularly bad in this aspect. Its producer claims that it is not needed, because the scanner cannot be spoofed by a stealth virus, but I disagree. Detecting that a virus is present in memory is important for the user, not for the scanner.

> I have also tried Invircible 6.01B. I like the "Boot-spoofing"
> technology that it uses. It seems to catch many stealth viruses that

Have you noticed that it does not work at all on SCSI and MFM hard disks?

> It will also check the boot sector/partition table and how much
> RAM is available. (All things that viruses change.)

Unfortunately, viruses are not the only programs that change it. Try running InVircible in a DOS box under DesqView - it will report that some memory is missing, regardless that there is no virus in memory.

> I think it is
> good as an integrity checker.

I think that it is not. It has a lot of security problems; too numerous to list here.
I am preparing a separate report (3,000+ lines so far), listing all bugs and security holes in this product; it will be available soon.

> scanner. And you have to register to use most of the functions, so I
> don't know how well they work.

No, this is not true. The only thing that you get in addition when you register is the ability to repair. Everything else is already present in the shareware version.

> I would be happy to test out any other AV products, if anyone has one
> to recommend. NaOH

Take a look at AVP. It is one of the best scanners around.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 44]
*****************************************