VIRUS-L Digest   Monday, 1 May 1995   Volume 8 : Issue 48

Today's Topics:

Re: Viruses in binaries? Maybe.
computer virus industry association
Re: Would like to increase virus knowledge
Re: How do unix viruses work? (UNIX)
Re: Novell network virus? (Novell)
Re: Novell network virus? (Novell)
WELCOMEB virus!!! HELP!!! (PC)
Problem with fdisk (PC)
Junkie in my machine! (PC)
Re: Piggybacking and memory scanning (PC)
Re: How many antivirus products does it take? (PC)
Restoring Mirror File (PC)
I need anti-virus & virus detectors. (PC)
Re: Windows virus (PC)
Sigalit Boot Virus - How to Get Rid Of? (PC)
Re: /\/\ Can't get that Stupid Stealth_C virus off!! /\/\ (PC)
cud Material -- virus? (PC)
Re: Need info on ANTIEXE/NEWBUG (PC)
Re: NATAS query & incident report (PC)
Leandro virus: info needed (PC)
Do I have a Virus? (PC)
Re: In InVircible Performance Tests (PC)
Re: One Half Virus - Anybody know? (PC)
Re: Which virus scanner is best? (PC)
Re: Can this HardDisk be saved? (PC)
Re: LiXi (PC)
Re: Need info on Steath-C (PC)
Re: Thunderbyte cleaning (PC)
Re: Stoned virus (PC)
Re: HELP - infected boot sector - DA'BOYS (PC)
Re: InVircible is a Trojan Horse! (PC)
Re: 4915 (PC)
Re: Effectiveness of Sophos Sweep (PC)
Re: TSR to scan all floppy disk activity? (PC)
Re: Tai Pan Virus (PC)
Re: Pathogen/Queeg (PC)
Re: Piggybacking and Memory Scanning (PC)
Re: F-PROT detects "Circular Infection" (PC)
Tai Pan Virus - FAV-Description (PC)
ANTICMOS getting more common? (PC)
Available information resources (PC)
Re: antiviral tool kit pro (PC)
Re: NATAS? (PC)
Re: NATAS Background? (PC)
Shareware - registered vs. not registered (PC)
Re: Mouse Error with AVP2.1??? (PC)
Re: VSafe & WFWG (PC)
Ripper Virus (PC)
Anyone seen...Helloween? (PC)
Virus in Flash ROM??? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted. Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CORSA.UCR.EDU.
Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sun, 30 Apr 95 16:11:14 -0400
From: iandoug@aztec.co.za (Ian Douglas)
Subject: Re: Viruses in binaries? Maybe.

tom_van_vleck@taligent.com (Tom Van Vleck) wrote:

>>Frank Sofsky wrote:
>>>There has been so much debate on whether or not a virus can come
>>>from a binary picture file; I have read so many times that viruses can
>>>only come from execute and command files; does anyone really have
>>>the correct answer to this?

>It's possible in theory. A bad guy could find a picture viewing program that
>doesn't check for ill-formed picture files, and create a picture file that
>tricks the viewer into executing data that happens to be a virus-inserting
>trojan.

Impossible. Data is DATA. Viewers interpret it, not execute it. How
exactly is data that is being read going to 'trick' a viewer into doing
something it should not?

>Nobody's seen one yet.

Wonder why? :-)

> The fact that damaged data files will sometimes
>crash PC applications suggests that one can be written; these apps
>leave their normal execution sequence on some bad data, and might execute
>file data, given just the wrong data file.

I believe this when I see it... It will only be possible if the viewer
was written with that capability in mind.
Which thought leads me to a very nasty method of introducing viruses
onto a system... :-( ... when is a trojan a trojan? ... [enter
philosophical mode...]

Cheers, Ian

--------------------------------------------------------------------
Ian Douglas            If                  35
iandoug@aztec.co.za
P.O. Box 484             no_goals          1,73
7532 Sanlamhof         Then                58
South Africa             no_achievements   XNTX
PGP key available
--------------------------------------------------------------------

------------------------------

Date: Mon, 01 May 95 15:02:52 -0400
From: jlange@gtd.eds.com (Joe Lange)
Subject: computer virus industry association

I would like to know if anyone has the new phone number for the
Computer Virus Industry Assoc. or any organization which could help my
Computer Literacy Class obtain info for research papers. Please respond
to me via e-mail address: jkennedy@bdm202t.attmail.com

------------------------------

Date: Mon, 01 May 95 16:27:34 -0400
From: Abelardo Garcia Vizcaya
Subject: Re: Would like to increase virus knowledge

You may try and locate a book called "V.I.R.U.S: Vital Information
Resources Under Siege" by Dr. Pamela Kane. It contains (IMHO) some very
good background material on the different types of viruses around, and
some of the antiviral techniques used to counter them. I read it quite
some time ago, but I am sure you can find an updated version.

Good luck on your research!

A. Garcia

------------------------------

Date: Sun, 30 Apr 95 10:52:38 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How do unix viruses work? (UNIX)

Samiullah S.M (sam@wipinfo.soft.net) writes:

> How do viruses on unix work given the fact that there is so
> much protection (permissions)?

They usually rely on the transitivity of the information flow on most
Unix implementations and also on the fact that in systems with
discretionary access controls the program currently being executed
usually runs with the privileges of the user who has executed it. (The
latter is not always the case - e.g., SUID/SGID programs - but when it
is not, it introduces a whole lot of security problems on its own.)

Here is how a Unix virus could spread. Suppose that I want to attack
our machine with a virus. I write one and release it. Since I have only
very basic privileges, the virus will be able to infect only my
programs - but it will infect all of them.

Now, I am not the only user on our machine. For instance, I might be
working on a joint project with a colleague. When this colleague runs
one of my programs - to see how far I have reached with my part of the
project - the virus that has infected it will run with my colleague's
privileges and will infect *his* programs.

One day our boss might decide to take a look at how far we have reached
with this dreaded joint project of ours. He might even suspect *me* of
being a disgruntled employee and willing to attack the system with a
virus - but he would probably trust my colleague. If he runs one of my
colleague's programs, my virus (which has meanwhile infected them) will
run with my boss' privileges. Then it will be able to infect all of my
boss' programs - and all other programs in accounts to which my boss has
write access - which is probably much more than those that *I* have
write access to.

After some time, my boss might have some trouble with one of his
programs - maybe even as a result of the infection. He would ask the
system administrator for help. Now, the sysadmin certainly doesn't have
a reason to suspect my boss of virus writing, does he? So, he won't have
any trouble running one of my boss' (now infected) programs - to see
what the problem is. Ooops, now my virus is running with root privileges
and can do whatever it damn well pleases...

Of course, the above is a very simplistic example - usually the chain
to root is much longer - but I hope that you get the general idea. The
main problem is that trust is not transitive - unlike the information
flow on most systems.
Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sun, 30 Apr 95 02:11:35 -0400
From: chakra@ix.netcom.com (Chakrapani Venkatesan)
Subject: Re: Novell network virus? (Novell)

rivalino@inf.ufsc.br (Rivalino Matias Junior) writes:

>Where can I get information about Novell Netware viruses?
>Has any problem with this type of virus been reported?

I have a similar question. I heard that there is an AntiVirus Software
for Netware from Intel. If this information is correct, can someone
give me some details about it? If you could also give the price of the
software I would really appreciate it. My email address is
chakra@ix.netcom.com

Thanks in advance.

Chakra.

------------------------------

Date: Sun, 30 Apr 95 11:15:00 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Novell network virus? (Novell)

Rivalino Matias Junior (rivalino@inf.ufsc.br) writes:

> Where can I get information about Novell Netware viruses?

There are about 6,500 IBM PC viruses. Most of them (probably) can run
in a Netware environment. About a dozen of them are Netware-aware. I am
unable to provide you with more precise information until you specify
which particular virus you have in mind.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sat, 29 Apr 95 07:30:05 -0400
From: hangyong@merlion.singnet.com.sg (Wee Hang Yong)
Subject: WELCOMEB virus!!! HELP!!! (PC)

I have downloaded a couple of files from various sites on the Internet
recently and I found that my system has contracted the WELCOMEB virus.
I downloaded scn-211I.zip from the WWW site of McAfee today. The scan
programme is able to detect the virus but no cleaner is available!!

The virus is now infecting my Master Boot Record and probably some
other files. Also, while I was scanning, I also found other viruses in
the system memory: OHIO, FILLER and ISRAELI BOOT. But these viruses can
only be detected sometimes...

PLEASE HELP!! ANYONE OUT THERE!! Please send your help to my e-mail...
hangyong@singnet.com.sg

I WILL APPRECIATE ALL YOUR HELP!!! THANKS!!!!!

------------------------------

Date: Sat, 29 Apr 95 07:38:55 -0400
From: David E Robinson
Subject: Problem with fdisk (PC)

I need some help. I have had a virus attack (I don't know which one)
and in my attempt to deal with it I immunized the boot sector of my c:
drive with TBAV. After doing this I still had some strange behavior
(files were disappearing from my DOS subdirectory at a rapid rate) even
though my scan with McAfee and TBAV showed nothing.

At this point I decided to re-format my c: drive since I have a good
backup. The format went smoothly up until the point it displayed
"Format Complete" and then my machine hung with the HD light on. I had
to reset the machine to exit; then I discovered the drive had not been
formatted! At this point I panicked and deleted the partition with
fdisk, but when I try to re-create a primary partition, fdisk just
hangs.

I'm stuck. Any ideas or suggestions would be appreciated. Thanks in
advance.

------------------------------

Date: Sat, 29 Apr 95 09:18:08 -0400
From: Branden Barber
Subject: Junkie in my machine! (PC)

Bummer. And then I went to reformat the machine, reinstalled DOS and
restarted. It said "Missing Operating System". I tried a different
version of DOS. No go. VET killed off what was left of Junkie as well as
Ginerbread on other machines on the same network.
But how do I get my machine to breathe again? FDISK? What? Bogus.

Thanks for any help you can offer.

*************************************************************************
Branden Barber   |  "Man argues, Nature acts."  -Voltaire
Greenpeace Oz    |  "Eighty percent of pollution is caused
                 |   by plants and trees."  -Ronald Reagan
*************************************************************************

------------------------------

Date: Sat, 29 Apr 95 14:02:41 -0400
From: njb@csehost.knoware.nl (Niels Bjergstrom)
Subject: Re: Piggybacking and memory scanning (PC)

Robert Casas (rc.casas@ix.netcom.com) writes to Vesselin Bontchev:

> Vesselin, you have been the paid consultant for AV product
> manufacturers.

Without any desire to involve myself in this mud-slinging contest, which
currently debases this interesting forum, I would like to add this
comment: Vesselin as well as the other members of the virus test centre
at Hamburg University have over a period of several years always been
willing to use their time and provide expert assistance to us as AV
product developers. They have never ever asked for payment or any kind
of services in return.

Rgds,
Niels Bjergstrom

------------------------------------------------------------------------
-- Niels J Bjergstrom, Ph.D., m/ISACA             Tel. +31 70 362 2269 --
-- Computer Security Engineers, Ltd.              Fax. +31 70 365 2286 --
-- Postbus 85 502, NL-2508 CE Den Haag         London: +44 181 534 7104 --
-- Netherlands                          Email: njb@csehost.knoware.nl --
-- PGP Public key available on request - please use when mailing vira --
------------------------------------------------------------------------

------------------------------

Date: Sat, 29 Apr 95 14:02:45 -0400
From: njb@csehost.knoware.nl (Niels Bjergstrom)
Subject: Re: How many antivirus products does it take? (PC)

"Ken Kriesel, Physical Sciences Lab, UW-Madison" writes:

>I have yet to see quantitative data from anyone that says what the
>risks are.

An attempt towards performing a virus risk analysis in an organisation
was described by Bernard P. Zajac, Jr. in the paper "Cost Effectiveness
of Anti-Viral Scanners" delivered at CompSec 94, London 1994. Mr. Zajac
presented a simple model to calculate the Net Present Value of the
project "anti-virus defence". Unfortunately crucial assumptions
regarding the probability of encountering a virus attack were based on
Peter Tibitt's faulty study from 1990.

I suspect that what you would like to see is the probability of
contracting a computer virus with the capability to penetrate x layers
of anti-virus defences of the known types y, z, etc. I know of no
research project able or attempting to provide this (and I can see no
reason to undertake such a project). The reason for this is that it has
no scientific importance that I can see, and that practical risk
analyses/audit criteria can be established without this detailed
knowledge.

I would recommend that you study one of the many interesting textbooks
about risk analysis in information systems. I think you will find that
five steps ranging between zero and infinity is all you will normally
need. Two significant digits is more than enough. :-).

>But if the virus was not detected before it hit my files, or before
>I generated checksums rather, that defense is gone. It seems a weak
>defense and likely to mislead.

Checksumming has a number of fallacies, which a number of widely
available products suffer from. The same is the case with scanning or
behaviour checking. Using the available technologies together and
correctly will provide a close to 100% defence against DOS vira.

>Well, I can pretty well determine whether my machine has caught fire
>or been stolen, at any point in time. I can not determine if it is
>or is not infected. This is a fundamental difference. The risks can
>be numerically comparable but the nature is clearly different.

Not really - just a question of choosing the right sensors...
Thanks for the discussion, and keep up your interest!

Regards,
Niels

------------------------------------------------------------------------
-- Niels J Bjergstrom, Ph.D., m/ISACA             Tel. +31 70 362 2269 --
-- Computer Security Engineers, Ltd.              Fax. +31 70 365 2286 --
-- Postbus 85 502, NL-2508 CE Den Haag         London: +44 181 534 7104 --
-- Netherlands                          Email: njb@csehost.knoware.nl --
-- PGP Public key available on request - please use when mailing vira --
------------------------------------------------------------------------

------------------------------

Date: Sat, 29 Apr 95 14:16:58 -0400
From: sgbrush@bu.edu (Scott Brush)
Subject: Restoring Mirror File (PC)

After running the mirror /partn command, how do I restore the partition
table from the backup? I am trying to recover from the Monkey virus;
the biggest pain in the butt I have come across, because when I try to
boot from a clean floppy to disinfect my HD, the fixed drives are not
recognised because of what the virus does to the boot records...

Well, thanks for any help.

-sgbrush

------------------------------

Date: Sat, 29 Apr 95 14:44:48 -0400
From: dr.doome@ix.netcom.com (carl cook)
Subject: I need anti-virus & virus detectors. (PC)

If someone would please give me detailed directions to the anti-virus
files so I can dnload them I would be extremely grateful. I have been
looking for 2 days and have had no luck. (I have only been on the net
for 4 days.) I will be checking my e-mail often. I will also check
here. When it is my turn to help some "newbie" on the net I will return
your favour.

Thanks
CWC
TEXAS

------------------------------

Date: Sat, 29 Apr 95 19:36:48 -0400
From: botman@rabo.nl (Fons Botman)
Subject: Re: Windows virus (PC)

: saqureshi@ucdavis.edu "Shehrzad Qureshi" writes:
: > Does anyone know of a Windows virus that afflicts applications in
: > the following manner? Whenever the mouse cursor is on part of a windows
: > scrollbar the scrollbar just goes crazy?

Hmm, it happened on my pc also when I started the "windows" virus. :-)
If I remember correctly the solution was to install a newer mouse
driver.

The Fons

------------------------------

Date: Sat, 29 Apr 95 20:56:24 -0400
From: PAKG45A@prodigy.com (Bill Dougan)
Subject: Sigalit Boot Virus - How to Get Rid Of? (PC)

I'm looking for help/info on how to deal with the Sigalit or Sigalit PT
boot-type virus. CP Anti-Virus recently identified this on my system.
Being a boot-type virus, CP Anti-Virus can extract and remove it from
memory once my PC is booted, but it does not actually remove the virus,
since it is there again when you reboot. Apparently it affects the
partition table of the hard drive, and will remain resident in memory
unless extracted/cleaned after booting.

Short of reformatting my hard drive, is there any other way to deal
with this beast? Any help or advice would be appreciated, since I don't
necessarily want to "toast" my hard drive and start all over except as
a last resort.

Thanks.

Bill Dougan: pakg45a@prodigy.com
Sitka, AK     or: tswrd@acad1.alaska.edu
"Letting the days go by and the water hold me down"

------------------------------

Date: Sat, 29 Apr 95 21:25:11 -0400
From: war@westnet.com (W. Mjollnir Ransom)
Subject: Re: /\/\ Can't get that Stupid Stealth_C virus off!! /\/\ (PC)

Chuck Davis (cdavis@usit.net) wrote:

a whole bunch of stuff that i deleted yet i added:

i just found this virus on my system and i think i've had it for a
while, but anyway. i'm curious about this virus, does anyone know
anything about it? like where it comes from, how old it is, what it can
do to my machine? one strange thing that tipped me off was that when i
was infected, i could not load windows if i had the 'ram' switch on
when i loaded emm386. weird, eh? so give me the scoop if anyone can,
i'd like to get to know this critter i just purged!

thanks ahead...

--
This is my signature. There are many like it but this one is mine...
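Several of the posts above (Sigalit, Monkey and the mirror /partn backup, the hung fdisk, the Stealth_C question) turn on what a boot-sector virus leaves in the first sector of the hard disk. The script below is an added example, not code from any poster or from any of the products named in this digest. It parses a 512-byte master boot record the way DOS-era tools lay it out (boot code, then four 16-byte partition entries at offset 446, then the 55AA signature) and reports the things a practitioner checks after booting from a clean, write-protected floppy: a missing boot signature, an empty partition table, no active partition, or entries that overlap. The sample sectors are constructed inline; on a real machine the bytes would come from a raw read of sector 0 taken while booted clean, so that nothing resident can stealth the read.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446          # partition table follows the 446-byte boot code
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"  # bytes 510-511 of a valid MBR

# Partition type ids a DOS/Windows machine of the period would carry.
PART_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 (<32MB)", 0x05: "Extended",
    0x06: "FAT16", 0x07: "HPFS/NTFS",
}


def decode_chs(raw):
    """Unpack the 3-byte cylinder/head/sector field of a partition entry."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_entry(index, raw):
    """Decode one 16-byte partition table entry into a dict."""
    status, chs_start, ptype, chs_end, lba_start, count = struct.unpack("<B3sB3sII", raw)
    return {
        "index": index,
        "status": status,                      # 0x80 = active/bootable, 0x00 = inactive
        "type": ptype,
        "type_name": PART_TYPES.get(ptype, "unknown"),
        "chs_start": decode_chs(chs_start),
        "chs_end": decode_chs(chs_end),
        "lba_start": lba_start,
        "sector_count": count,
    }


def parse_mbr(sector):
    """Split a raw sector 0 into its signature flag and four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_SIZE
        entries.append(parse_entry(i, sector[off:off + ENTRY_SIZE]))
    return {"signature_ok": sector[510:512] == SIGNATURE, "partitions": entries}


def check_mbr(sector):
    """Return a list of findings; an empty list means the table looks sane."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing: sector is not a valid MBR")
    used = [e for e in info["partitions"] if e["type"] != 0]
    if not used:
        findings.append("partition table is empty: no partition entries at all")
        return findings
    if not any(e["status"] == 0x80 for e in used):
        findings.append("no active (bootable) partition")
    for e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x" % (e["index"], e["status"]))
        if e["lba_start"] == 0 or e["sector_count"] == 0:
            findings.append("entry %d: zero start or length" % e["index"])
    used.sort(key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sector_count"] > b["lba_start"]:
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))
    return findings


def build_sample_mbr(entries, with_signature=True):
    """Construct a test sector: zeroed boot code, the given entries, signature."""
    sector = bytearray(SECTOR_SIZE)
    for i, (status, chs_s, ptype, chs_e, lba, count) in enumerate(entries):
        off = PT_OFFSET + i * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = struct.pack("<B3sB3sII", status, chs_s, ptype, chs_e, lba, count)
    if with_signature:
        sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed samples, not taken from any real disk.
HEALTHY_MBR = build_sample_mbr([
    (0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 2097088),  # one active FAT16 partition
])
EMPTY_TABLE_MBR = build_sample_mbr([])                      # table zeroed, signature intact
NO_SIGNATURE_MBR = build_sample_mbr([], with_signature=False)
OVERLAP_MBR = build_sample_mbr([
    (0x80, b"\x00\x00\x00", 0x06, b"\x00\x00\x00", 63, 1000),
    (0x00, b"\x00\x00\x00", 0x06, b"\x00\x00\x00", 500, 1000),  # starts inside entry 0
])

if __name__ == "__main__":
    for name, sector in [("healthy", HEALTHY_MBR), ("empty table", EMPTY_TABLE_MBR),
                         ("no signature", NO_SIGNATURE_MBR), ("overlap", OVERLAP_MBR)]:
        print("%-13s -> %s" % (name, check_mbr(sector) or ["no findings"]))
```

An empty table with the signature still in place is the picture the Monkey poster describes: the sector boots, but a clean system sees no partitions. A sector-0 backup made with mirror /partn is only useful if it was taken before the infection, so the check is worth running on the backup too before writing it back.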
------------------------------

Date: Sat, 29 Apr 95 21:35:04 -0400
From: swynk@primenet.com (Steve Wynkoop)
Subject: cud Material -- virus? (PC)

I received a message loading Windows just after the splash screen --
"cud Material>" as the prompt with the system locked up. Has anyone
heard of this being a virus?

Thx.

------------------------------

Date: Sun, 30 Apr 95 02:12:32 -0400
From: aleonard@access.digex.net (Andrew Leonard)
Subject: Re: Need info on ANTIEXE/NEWBUG (PC)

listorj@richmond.infi.net (Ron Listo) wrote:

>Bob Thorsen says:
>>One of our users has a disk that she brought home. Husband's system
>>(with McAfee) said the disk was infected with ANTIEXE. Our CPAV
>>found nothing. Newer signatures for CPAV found a virus it called
>>NEWBUG. CPAV's data base says NEWBUG only infects diskette boot
>>sectors.

>We have found Antiexe & Newbug to be the same. Depends which AV program
>you run. They'll report different names.
>It is also easily removed by all (I think) AV programs, including
>Microsoft AV.
> //RON//

I have a problem. I had NEWBUG, and I downloaded the new signatures off
Compuserve, and it was fixed. But the damage is done. My CD-ROM will
not load. I have continuous errors in MSCDEX. Sometimes when I type
"dir" in the CD-ROM prompt, I get something, I get the wrong something,
or I get nothing except "Error on CD-ROM. Abort, Retry, Fail?". Now,
MWAV is choking. AFTER it removed the virus!

Could there be a second virus on my system, or could NEWBUG have
permanently damaged my CD-ROM? (I reinstalled MSCDEX twice)

------------------------------

Date: Sun, 30 Apr 95 02:48:42 -0400
From: Sean Embry
Subject: Re: NATAS query & incident report (PC)

We had a client call with two systems down. We used McAfee on it; it
would not recover. The machines were DOS 6.22, with compressed vols. on
them. DOS's virus checker didn't catch it, and the NATAS corrupted
every EXE on the compressed vols. McAfee could not clean the compressed
vols. Since nothing else we had could touch the virus, we had to
reformat and fdisk the machines. Too bad that the client didn't have a
backup newer than 6 months.

We believe that the infection came from a shrink wrapped insurance
application. The company that produces the software has contacted their
duplicating sub-contractor, and they are checking the duplication
systems.

This is a nasty one.

------------------------------

Date: Sun, 30 Apr 95 04:16:12 -0400
From: ebottoni@cat.cce.usp.br (Eduardo Benedicto Ottoni)
Subject: Leandro virus: info needed (PC)

Hi!

I'd appreciate any information on the Leandro virus. Please reply to my
personal e-mail address.

Thanks in advance!

Eduardo B. Ottoni

------------------------------

Date: Sun, 30 Apr 95 05:28:13 -0400
From: rocco.quattrucci@enest.com (ROCCO QUATTRUCCI)
Subject: Do I have a Virus? (PC)

Hi All,

Could what I have be a virus? One day I ran the mem command and found
the largest executable file I could run was 1k less than it previously
was. (now it is at 617k) I recently had added some programs to the
computer so I thought it might have been that, but when I ran memmaker
it told me I had something like 632,832 (618k) but when I ran the mem
command it said I had only 631,808 bytes (617k).

I have been using McAfee's vshield since I got my system. I also run 3
scanners: MSAV, McAfee's scan 220 and F-Prot 217 and none of them have
turned up a thing.

Any help in this matter would be greatly appreciated.

Rocco

. ARRRRRGGGHHH!!!! ... Tension breaker, had to be done.

___ Blue Wave/QWK v2.12

------------------------------

Date: Sun, 30 Apr 95 10:13:52 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: In InVircible Performance Tests (PC)

Race Banner (wombat@skippy.com) writes:

> Second, the neutered code that I refered to is virus code from the
> Jerusalem family, with the damaging code removed.

I see. By doing this, you have created a new virus variant.
While it is still a virus (since it does replicate), it is a *new*
virus. True, it is closely related to the original, so it is pretty
natural to expect that most scanners will still detect it.
Nevertheless, it is also a new variant, and since by definition the
known-virus scanners can detect only *known* viruses, you shouldn't be
surprised if some scanners do not detect it. Usually, those that will
miss it perform some form of exact (or nearly exact) identification of
the viruses they detect.

> It still has the
> self-reproduction and stealth code intact.

Stealth? Which particular Jerusalem variant did you use? What does
F-PROT call the original (non-modified) variant?

> I also have obtained
> a copy of F-Prot and Disk Secure II to be added to the tests at the
> suggestion of members of this group.

Please, be careful. Disk Secure II, while a fine product by itself, is
*not* a known-virus scanner and should not be tested together with
products like F-PROT.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sun, 30 Apr 95 10:17:26 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: One Half Virus - Anybody know? (PC)

Keith@slip.netcom.com (Keith@slip.netcom.com) writes:

> > decrypt it and then remove the virus. This is the only program I am
> > aware of that will handle both the infection and the damage caused by
> > this virus.

> Vesselin: AVP with the 4/24/95 update for registered users of version 2.2
> can virus scan and clean the Onehalf virus *and* decrypt the damage.

Yes, I know now, but I posted the message you have quoted *before*
Eugene Kaspersky published the update of his product that decrypts the
One_Half-encrypted disks.

Since by now at least three products claim to be able to repair the
damage caused by this virus (the product I mentioned, AVP, and NAV), I
have the following question to their producers:

Under DOS 6.x, One_Half does not encrypt the hard disk and does not
infect files (it infects only the MBR). Does your product correctly
deal with this situation and how is it done?

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sun, 30 Apr 95 10:26:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Which virus scanner is best? (PC)

Gerald Pfeifer (e9025064@student.tuwien.ac.at) writes:

> What does Integrity Master leave to desire? Any security holes?
> *) perhaps an optional database instead of one file per directory

Yes, this is one thing that is needed. Also, a few others:

1) It doesn't use anti-stealth techniques like TBAV.

2) It doesn't detect PATH companions.

3) It doesn't handle intelligently some often modifiable but infectable
objects - like PIF or GRP files. Sure, you can tell it to checksum
those files too, but, since they often change, this is not going to be
very useful - especially for the GRP files. An intelligent way to
handle those files is to know about their structure and checksum only
the infectable parts of them, ignoring the rest.

4) It doesn't handle kernel infectors properly - at least it didn't the
last time I looked at it. Maybe Wolfgang has fixed this since the
3APA3A virus appeared.

5) It doesn't handle slow viruses.

6) I am not sure it can handle some special boot sector viruses, if the
virus is active at the time of the check - i.e., the kind of special
handling used by HS or DiskSecureII.

But, in general, this is one of the better shareware integrity checkers
available.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Sun, 30 Apr 95 10:34:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Can this HardDisk be saved? (PC)

Daniel Jed Levine (djlevine@umich.edu) writes:

> Apparently, my PC has been infected with, as F-PROT refers to it,
> STONED.EMPIRE.MONKEY.B. After booting off of a floppy, I discovered that
> F-PROT can not access my Hard disk, which was, according to F-PROT's
> virus definitions, characteristic of MONKEY (and perhaps Empire, I don't
> know...)

If, after booting from a floppy, you cannot access the hard disk, you
should use the option /HARD when invoking F-PROT. Add the option
/DISINF, if you want F-PROT to attempt to remove the virus(es) it
finds.

> Problem: as the only other computers that share disks with my PC
> are Macs, I don't scan often, and have a great deal of information that
> is not backed up, etc. My idiot roommate, however, was not quite so
> bright, and simply used an infected disk in my machine without checking it.
> What is advisable in this situation?

Three things:

1) If your CMOS configuration program permits it, instruct the computer
to always boot from drive C:, instead of from drive A:.

2) Install some kind of automatic boot sector virus remover like HS or
DiskSecureII.

3) Install a memory-resident scanner (e.g., VirStop from F-PROT).

> Should I run f-prot without
> memory checking?

No. If you do it, you will miss the warning that a virus is active in
the memory of the computer and this might have bad consequences.

> Reformatting, etc., is the last thing I want to do.
Correct; you shouldn't do it. Boot from a floppy and use the options /HARD /DISINF - if you are running F-PROT, that is. Alternatively, you could get the program KillMnk3. It can remove this particular virus even if the virus is active in memory. Another alternative is to use AVP. This scanner is often able to disable the viruses it finds in memory - although I have not tested this ability with this particular virus.

> What are the long-term destructive effects of this virus?

This virus is not intentionally destructive.

> Since I don't use disks, will I be safe if I just leave it alone?

No, it is better to remove it - otherwise your machine is spreading the virus to all non-write-protected floppies it accesses and from there to other machines. You wouldn't like to be accused of spreading a virus, would you?

> Please answer ASAP to this group or (preferably) to djlevine@umich.edu.

Done.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                 Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226         Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.              Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de             22527 Hamburg, Germany

------------------------------

Date: Sun, 30 Apr 95 10:36:51 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: LiXi (PC)

Chengi J. Kuo (cjkuo@alumni.caltech.edu) writes:

> I have in my notes that Lixi is AntiCmos.A.

Correct your notes. :-) The variant reported as Lixi (by FindVirus) is AntiCMOS.B, not .A.

Regards,
Vesselin

------------------------------

Date: Sun, 30 Apr 95 10:38:38 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Need info on Steath-C (PC)

kruise (kruise@rs6a.wln.com) writes:

> We recently got hit by the stealth-c virus. Does anyone know what damage
> it's capable of doing?
> This question seems to be posted often but never answered.

This virus is not intentionally destructive. It just spreads. When it infects the hard disk, it overwrites parts of track 0. Normally those parts are unused, but sometimes some programs (usually security password and/or encryption software) use them, and in those cases the virus would cause unintentional damage.

Regards,
Vesselin

------------------------------

Date: Sun, 30 Apr 95 10:40:26 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Thunderbyte cleaning (PC)

Jason Lee (r2506053@csie.ntu.edu.tw) writes:

> Isn't it dangerous, since it uses INT 1 to trap and execute the virus?

Yes, it is dangerous. If it is not implemented *very* carefully, a virus could "escape" while being traced. This has already happened - a variant of Npox used a bug in an old version of TbClean to gain control and infect the machine. Since then, the producer has fixed this particular bug.

Regards,
Vesselin

------------------------------

Date: Sun, 30 Apr 95 10:54:26 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stoned virus (PC)

Bill Lambdin (bill.lambdin@woodybbs.com) writes:

> I have never seen Stoned B infect 1.2 MEG diskettes.

What do you mean exactly by "Stoned B"? Most Stoned variants have no problems infecting 1.2 Mb floppies. However, they infect only floppies (regardless of the size) in drive A:; maybe this is why you have never observed it.

Regards,
Vesselin

------------------------------

Date: Sun, 30 Apr 95 10:57:22 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: HELP - infected boot sector - DA'BOYS (PC)

Insert Name Here (Kerfurdt@sam.NeoSoft.com) writes:

> while running a regular virus scan I found that the boot sector on my
> PC may be infected with DA'BOYS virus.

May be, or is? Get a good scanner and find out.

> All of the files on my hard
> disk test negative for the virus though.

Not surprising, bearing in mind that this virus does not infect files.

> I would appreciate any
> answers anyone can give.

That would be kinda difficult, since you didn't ask any questions. :-)

> When I tried running CLEAN on my PC it said
> that it couldn't clean this particular virus. HELP!

Boot from an uninfected, write-protected system diskette containing the same version of the operating system that is installed on your hard disk, and execute the command "SYS C:" (assuming that C: is your hard disk's bootable partition).
Regards,
Vesselin

------------------------------

Date: Sun, 30 Apr 95 11:07:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: InVircible is a Trojan Horse! (PC)

Bill Oliver (oliver@cs.unc.edu) writes:

> Isn't calling this a trojan-horse a little strong?

Well, I guess that this is a matter of classification. I classify as Trojan Horses the programs that destroy data, if the destructive actions are performed intentionally (and are not, say, a result of a bug). There is no doubt that InVircible is destroying data - it can be easily verified by anyone who doubts it; and many people have verified it. The code that performs this destruction is undoubtedly put there intentionally. Therefore, I classify this program as a Trojan Horse.

Now, it can be claimed that the author didn't intend his code to cause this kind of damage. Could be; I can't read the author's mind. My definition relies only on what can be objectively determined, not on what the author of the product might have been thinking when writing it. For all you know, someone might be honestly trying to do you a service when releasing a program that silently removes Windows from your hard disk... :-)

> Just about all
> installation scripts for larger programs on the PC that I am aware
> of do some writing and deleting -- particularly Windows programs.

There is a big difference between modifying some existing files during the installation of the product (and doing it in a reversible way) and silently deleting some of my data files without telling me or asking me for permission.

> The more considerate of these programs tell you what they are
> doing, and ask you before they delete what may be assumed to be
> files created by a previous installation.

If they tell you, then they are not Trojan Horses.

> The less considerate ones
> don't tell you about those basic assumptions.

It seems that our disagreement is because we call different things "basic assumptions". I definitely do not accept as a basic assumption that a file named SOFIA can be safely deleted from my directories. The same goes for the other kinds of data damage that InVircible performs.

> My impression is that there is a difference between being a trojan
> horse and being poorly designed. Admittedly the difference may
> amount to little more than intent in some cases.

True. That's why, in my original warning, I used the wording "I classify such programs as Trojan Horses". I do not force anyone to accept my classification and have provided verifiable explanations for my reasoning.

Regards,
Vesselin

------------------------------

Date: Sun, 30 Apr 95 11:07:56 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: 4915 (PC)

RB-RACER@ix.netcom.com (Roger Billings) writes:

>Does anyone have any information on a virus called 4915?

Called by which anti-virus program? "4915" is not the CARO-standard name of any virus ... it might be used by one of the few programs that do not follow the standard at all to indicate a virus that is 4915 bytes long, but no such virus seems to be known.

So, well... I guess the answer to your question is "no".

- -frisk

Fridrik Skulason        Frisk Software International        phone: +354-5-617273
Author of F-PROT        E-mail: frisk@complex.is            fax:   +354-5-617274

------------------------------

Date: Sun, 30 Apr 95 11:11:28 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Effectiveness of Sophos Sweep (PC)

Ian Elrick (j.s.elrick@stir.ac.uk) writes:

> I am looking for some advice on the effectiveness of Anti-virus protection
> using client-server Sophos Sweep.

It is a relatively good scanner - one of the better ones. However, there are some quirks in its user interface that make it a bit difficult to test.

> My site has approx 1000 PCs and Apple Macs. Our current approach is for PCs to
> run a standalone AV package such as F-prot.
> Can anyone comment on the performance of the sweep scanner compared to
> F-Prot???

F-PROT definitely provides a more favorable cost/performance ratio. I also have the impression that its detection rate is better than the detection rate of SWEEP, but I haven't run detailed tests recently, so I have no data to back up this claim of mine. However, F-PROT does not detect Mac viruses. I do not know whether SWEEP does - you should ask Sophos.

Regards,
Vesselin

------------------------------

Date: Sun, 30 Apr 95 11:17:08 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: TSR to scan all floppy disk activity? (PC)

Ian H. Chan (koksl@singnet.com.sg) writes:

> I'd like to know if there are any TSRs that scan all floppy activity,
> like copying, reading, even dir.

Almost all memory-resident scanners can do it.

Regards,
Vesselin

------------------------------

Date: Sun, 30 Apr 95 11:18:08 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Tai Pan Virus (PC)

Hans Kazan (m.vanotterlo@student.utwente.nl) writes:

> Can someone give me more information about the Tai-Pan virus?

This virus is described in CARObase. You can get the currently available CARObase entries from
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/carobase.zip

Regards,
Vesselin

------------------------------

Date: Sun, 30 Apr 95 11:19:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Pathogen/Queeg (PC)

Russ Rowen (rusrow@pops.mohave.cc.az.us) writes:

> (original disks). I can find no information about it. The NAV 3.0 TSR
> detected it when attempting to load the com file, but when I run a scan
> of the Hard Drive it does not find it. The TSR is unable to kill it.

This is a very polymorphic virus. It is quite possible that the resident scanner of NAV is wrong and gives you a false positive. Try one of the better scanners - if they don't detect anything, then you do not have this virus.

Regards,
Vesselin
------------------------------

Date: Sun, 30 Apr 95 12:34:07 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Piggybacking and Memory Scanning (PC)

casas@netcom.com (Robert C. Casas Ph.D.) writes:

>> There is also a failure in logic, here, [snip]. Why is it that
>> _generic_ methods ( i.e., not specific to a virus ) "only work on
>> some new viruses."

Fridrik Skulason responds:

>Why ? Because the generic methods may not be designed to detect the
>kind of activity performed by a particular virus. Proper generic
>methods will work against "most" new viruses, however...

I think you make my point well. :-) If you do not have a generic method that detects _a_ mode of action a virus uses, then you will not be able to detect that _specific feature_ of the virus. It is likely, however, that a comprehensive set of generic tools will detect one or more actions of the virus. Even new ones.

An InVircible site licensee just forwarded us a simple memory-resident COM infector that executes with Virstop (v. 2.17) resident. The virus resides in memory with Virstop without complaint. F-Prot.exe (v. 2.17) does not detect it, but does issue a warning when run in heuristics mode. The user is asked to send the suspicious file to you for analysis. Unfortunately, the heuristic analysis also issued a false positive on Jeremy Lilley's EXECOMB (i.e., "Infection: Mte") which I use. Of course, f-prot.exe cannot clean the COM files infected by the new virus because it does not have a virus-specific algorithm for it.

On the other hand, using completely generic methods, InVircible 6.01D performs as follows. IVTEST immediately finds it and drops a sample in the root directory. IVX takes the VIRUSAM.PLE created and correlates it to the source quite easily using the default parameters. No other file is identified as similar except the infected files. IVB restores infected files to their original condition. DOS's and Norton's File Compare utilities find no differences between the original and the restored files. There is no wait for detection/cleaning routines in the next release.

I will forward the virus to you PGP encrypted if you wish. Please post a message if I am incorrect.

>>Furthermore, only poorly designed generic methods, or virus
>>specific methods for that matter, "often give false alarms."

>I am afraid that virus specific methods give false alarms less
>often than generic methods...which is one reason why integrity
>checkers and similar programs are less popular than scanners.

With a caveat or two, I agree with you. CRC-based integrity checkers and poorly designed generic methods give more false alarms than well designed and comprehensive virus-specific scanners. Well designed generic methods do not.

I could list many examples but restrain myself to one. A generic system that monitors levels of conventional memory will issue an alert that conventional memory has decreased if the user loads a new TSR. The alert "Conventional memory has decreased by 6 kbytes" is a correct one. It is not a false alarm. The change has indeed occurred. I suppose users may call such alerts "unwanted", but it would not be correct to call them "false alarms."

Fortunately, InVircible appeals to "power users" who understand its many features and value them.

Regards,

Robert C. Casas, Ph.D.
CPC Ltd - InVircible
Available by FTP at: pyro.slip.ais.net/crypto/invircible

- --
________________________________________________________________________
Robert C. Casas, Ph.D.                          On CompuServe: GO INVIRCIBLE
CPC Ltd. Computer Security Consultants          V:708-729-3565 F:708-729-3575
casas@netcom.com <> 75162,241@compuserve.com <> rc.casas@ix.netcom.com
________________________________________________________________________

------------------------------

Date: Sun, 30 Apr 95 16:10:19 -0400
From: iandoug@aztec.co.za (Ian Douglas)
Subject: Re: F-PROT detects "Circular Infection" (PC)

rshea@netcom.com (rex) wrote:

>sgarcia@campus.mty.itesm.mx (Ing. Salvador Garcia Mu~oz) wrote:
>> I'm using F-Prot v 2.17 to scan a 5.25in floppy and it detects a
>> Stoned.NoInt.A virus in the boot sector, after the program detects the virus
>> it displays a message like this:
>>
>> "Alert! A "Circular Infection" has been found. This means that the sector which
>> should contain the original boot sector is itself infected. F-PROT will not
>> attempt to remove the virus"

Since the experts (including Vess :-) ) went to great lengths to tell you how to clean your HD, which was not infected, I'll tell you how to clean your diskette, which is. :-)

Simple: copy all the files off to another floppy or the HD, then do an unconditional format [format a: /u, I believe] of the diskette. Copy the files back.

Cheers, Ian

- --------------------------------------------------------------------
Ian Douglas            iandoug@aztec.co.za
P.O. Box 484           7532 Sanlamhof
South Africa           PGP key available
- --------------------------------------------------------------------

------------------------------

Date: Sun, 30 Apr 95 18:14:52 -0400
From: "Frank W. Felzmann - BSI"
Subject: Tai Pan Virus - FAV-Description (PC)

FAV = Frequently Asked Virus

FAV ---------------------------------------------------------------- start

Tai-Pan-Virus

Naming: Tai-Pan (part of a string within the virus code)

Kind of virus: file virus

Description:
Tai-Pan is a simple file virus, with no encryption or stealth techniques. The virus goes memory resident if an infected program starts. Tai-Pan controls the DOS system call Int 21h function 4B00h (load and execute). This means the virus infects programs when they are executed. Tai-Pan infects program files beginning with 'MZ' with a file length lower than or equal to 64833 bytes. The virus doesn't infect 'read only' files. The file length of infected programs increases by 438 bytes. Time and date stamp are not changed. Tai-Pan makes an installation test by calling Int 21h function 7BCEh. The virus contains no programmed payload routine. It contains the text string:
"[Whisper presenterar Tai-Pan]"

Infection:
- of program files: if the virus is memory resident, by execution of a program.
- of memory: by executing an infected program.

Remove:
It is safer to delete the infected file including the virus. Files just deleted with the DEL command can be reconstructed with the UNDELETE command. First overwrite infected files and then delete them.

Date: 1995-01-09
Author: Hubert Schmitz, BSI V2
email: hsm@bsi.de

FAV ----------------------------------------------------------------- end

Regards,
Frank W. Felzmann
e-mail: fwf@bsi.de

- ----------------------------------------------------------------
BSI - Bundesamt fuer Sicherheit in der Informationstechnik, Bonn
Voice +49-228-9582-248 / FAX +49-228-9582-427
GISA - German Information Security Agency
- ----------------------------------------------------------------

------------------------------

Date: Sun, 30 Apr 95 19:15:09 -0400
From: Ian Staines
Subject: ANTICMOS getting more common? (PC)

I have encountered three separate and unrelated ANTICMOS infections in the last several months. What are the effects of this virus on activation? From what I have seen, the virus appears to be rather harmless. One machine appeared to be losing the time periodically, but there appeared to be no other adverse effects. Is the fact that the virus is benign contributing to its ability to remain undetected and spread? The machines that I found infected appeared to have had the infection for some time, and thus the virus was able to spread to many machines.

One company was running an early version of MSAV, which did not appear to detect the virus. I realise that MSAV is a poor virus detector, but surely it should be able to at least report a simple boot infector?

- ---
Toyota Land Cruiser WWW page:
Richmond, BC Canada

------------------------------

Date: Mon, 01 May 95 09:04:51 -0400
From: AMSSXXS@typeb.sita.int
Subject: Available information resources (PC)

In a recent issue, Fridrik Skulason (frisk@complex.is) wrote:

>unfortunately, the number of errors in VSUM is huge....I recommend staying
>away from the package.
>Also, Patty never seems to respond to any corrections sent to her...I have
>been trying to tell her for several years that the "RAM virus" description
>is just one big error, but as far as I know it is still in there.
>Also, the information on how to disinfect is usually incorrect, the names
>are wrong, virus sizes are inaccurate, her diagrams of relationships are a
>joke etc...
>I consider VSUM a waste of time.....

While I appreciate what he is saying, it leaves me with one BIG question: is there an alternative source of such info available?

Thanks!
Dries

------------------------------

Date: Mon, 01 May 95 09:31:40 -0400
From: Keith@slip.netcom.com
Subject: Re: antiviral tool kit pro (PC)

writes:

> Could somebody PLEASE post the exact and correct address for accessing a
> copy of this program.
>
> Does anyone know for a fact if this program can really detect viruses within
> zip files.

Yes! Antiviral Toolkit Pro can detect viruses within ZIP and ARJ files. You can get an evaluation copy from:

ftp.netcom.com   pub/ka/kapeer

You will want the files avp21bas.zip and avp21upd.zip. Version 2.2 is the latest, but it was not released as shareware.

Keith A. Peer
Central Command Inc.
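On the "Circular Infection" alert discussed in Ian Douglas's reply earlier in this issue: a boot-sector virus parks the original boot sector in some other sector and a disinfector copies it back; when the parked sector is itself a copy of the virus, copying it back just reinfects the diskette. The following is an added example, not code from any poster, from F-PROT or from any product: a toy floppy image in Python in which a careless second infection produces exactly that state, and a disinfector that checks the parked sector before restoring it. The sector number used for the stash, the marker string and the disk layout are assumptions of the model, not properties of Stoned.NoInt or any real virus.

```python
"""Added example: toy model of a boot-sector infection, a circular
infection, and a disinfector that refuses to restore a stash sector
that is itself infected. The floppy image is constructed in memory;
STASH and VIRUS_SIG are assumptions of the model, not facts about
Stoned.NoInt or any other real virus."""

SECTOR = 512
BOOT = 0                          # logical sector 0 is the floppy boot sector
STASH = 11                        # assumed: where the toy virus parks the original boot sector
VIRUS_SIG = b"TOY-BOOT-VIRUS"     # assumed marker found in the toy virus body


def clean_boot_sector() -> bytearray:
    """Constructed DOS-style boot sector: short jump, OEM name, 0x55AA trailer."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"
    boot[3:11] = b"MSDOS5.0"
    boot[510:512] = b"\x55\xAA"
    return boot


def new_floppy(n_sectors: int = 2880) -> list:
    """A 1.44 Mb image as a list of sectors, all empty except the boot sector."""
    image = [bytearray(SECTOR) for _ in range(n_sectors)]
    image[BOOT] = clean_boot_sector()
    return image


def is_virus_sector(sector: bytes) -> bool:
    """Signature scan of one sector: does it carry the toy virus body?"""
    return VIRUS_SIG in bytes(sector)


def looks_like_boot_sector(sector: bytes) -> bool:
    """Cheap plausibility test: x86 JMP opcode at offset 0 and 0x55AA at 510."""
    return sector[0] in (0xEB, 0xE9) and bytes(sector[510:512]) == b"\x55\xAA"


def infect(image: list) -> None:
    """Toy infection: park whatever is in sector 0 at STASH, then overwrite
    sector 0 with the virus. It deliberately skips the 'am I already here?'
    check, so infecting twice parks an *infected* sector at STASH, which is
    exactly the circular case F-PROT warns about."""
    image[STASH] = bytearray(image[BOOT])
    virus = bytearray(SECTOR)
    virus[0:3] = b"\xEB\x10\x90"             # the virus sector is itself bootable code
    virus[3:3 + len(VIRUS_SIG)] = VIRUS_SIG
    virus[510:512] = b"\x55\xAA"
    image[BOOT] = virus


def disinfect(image: list) -> str:
    """Return 'clean', 'restored' or 'circular'.

    The stash is copied back only if it carries no virus signature and looks
    like a boot sector; otherwise the original is gone and the safe fix is
    the one Ian gives: copy the files off and reformat the diskette."""
    if not is_virus_sector(image[BOOT]):
        return "clean"
    stash = image[STASH]
    if is_virus_sector(stash) or not looks_like_boot_sector(stash):
        return "circular"
    image[BOOT] = bytearray(stash)
    image[STASH] = bytearray(SECTOR)
    return "restored"


def rebuild_boot_sector(image: list) -> None:
    """What an unconditional format does for the boot sector: write a fresh one.
    (A real FORMAT also rewrites the FAT and root directory, so back up first.)"""
    image[BOOT] = clean_boot_sector()
    image[STASH] = bytearray(SECTOR)


def demo() -> dict:
    """Single infection restores cleanly; double infection is circular until rebuilt."""
    once = new_floppy()
    infect(once)
    single = disinfect(once)

    twice = new_floppy()
    infect(twice)
    infect(twice)
    double = disinfect(twice)
    rebuild_boot_sector(twice)
    after_rebuild = disinfect(twice)

    return {"single": single, "double": double, "after_rebuild": after_rebuild,
            "single_matches_clean": once[BOOT] == clean_boot_sector()}


if __name__ == "__main__":
    print(demo())
```

The point of the two checks in disinfect() is that neither alone is enough: a virus sector that is itself bootable passes the 0x55AA test, and a stash that was never written (all zeros) passes no signature test but is not a boot sector either. Only when the parked sector passes both is it safe to write it back to sector 0.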
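The BSI FAV entry for Tai-Pan above gives enough to write a crude check for it: an 'MZ' host of at most 64833 bytes grows by exactly 438 bytes and carries the string "[Whisper presenterar Tai-Pan]", and removal should overwrite the file before deleting it so that UNDELETE cannot bring the infected image back. The following is an added example in Python, not BSI's code nor any product's. The sample files are constructed: they have the same length and text marker as an infected file but contain no virus code. Matching the text string alone is an assumption of this example; a real scanner checks the code reached from the entry point, and a variant with the string edited out would slip past this check.

```python
"""Added example: a minimal check for the Tai-Pan file virus using only
the facts in the FAV (MZ hosts <= 64833 bytes, +438 bytes, the text
string), plus the overwrite-then-delete removal the FAV recommends.
The sample files are constructed and carry no virus code."""
import os
import struct
import tempfile

TAI_PAN_MARKER = b"[Whisper presenterar Tai-Pan]"   # text string quoted in the FAV
TAI_PAN_LENGTH = 438                                  # growth of an infected file
MAX_HOST_LENGTH = 64833                               # largest host the virus infects


def is_mz(data: bytes) -> bool:
    """Tai-Pan only infects files that start with the DOS EXE signature 'MZ'."""
    return len(data) >= 2 and data[:2] == b"MZ"


def check_file(data: bytes) -> dict:
    """Evidence for/against a Tai-Pan infection in one file image.

    Reported as infected only when all three hold: MZ executable, marker
    string present, and a length consistent with a host of at most
    MAX_HOST_LENGTH bytes plus the 438-byte virus body."""
    mz = is_mz(data)
    marker = TAI_PAN_MARKER in data
    size_ok = TAI_PAN_LENGTH < len(data) <= MAX_HOST_LENGTH + TAI_PAN_LENGTH
    return {"mz": mz, "marker": marker, "size_ok": size_ok,
            "infected": mz and marker and size_ok}


def scan_dir(root: str) -> list:
    """Walk root and return the paths that check_file() flags as infected."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if check_file(data)["infected"]:
                hits.append(path)
    return sorted(hits)


def secure_delete(path: str) -> None:
    """Overwrite the file in place, then unlink it.

    A plain DEL only frees the directory entry, and UNDELETE can bring the
    infected image back; overwriting the data first (as the FAV says)
    leaves nothing useful to recover."""
    length = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * length)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)


def make_samples(root: str) -> dict:
    """Write constructed sample files (not real virus samples) into root."""
    # Minimal MZ header: signature plus zeroed fields, then dummy code bytes.
    header = b"MZ" + struct.pack("<13H", *([0] * 13))
    clean = header + b"\x90" * 2000
    # "Infected" = the same host grown by exactly 438 bytes, marker in the tail.
    tail = TAI_PAN_MARKER.ljust(TAI_PAN_LENGTH, b"\x00")
    infected = clean + tail
    # A text file that merely mentions the marker is not an MZ file.
    note = b"The FAV says the string is [Whisper presenterar Tai-Pan]\n"
    paths = {}
    for name, body in (("CLEAN.EXE", clean), ("INFECTED.EXE", infected), ("README.TXT", note)):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        paths[name] = path
    return paths


def demo() -> dict:
    """Build the samples in a temp dir, scan, securely remove the hit, rescan."""
    root = tempfile.mkdtemp(prefix="taipan_")
    paths = make_samples(root)
    before = scan_dir(root)
    for hit in before:
        secure_delete(hit)
    after = scan_dir(root)
    return {"root": root, "paths": paths, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("flagged before removal:", result["before"])
    print("flagged after removal :", result["after"])
```

The length bound is there to cut down on false positives from the string match (a 3 Mb data file that happens to contain the text is not a Tai-Pan host), which is the same trade-off between generic and virus-specific evidence argued over earlier in this issue.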
------------------------------

Date: Mon, 01 May 95 09:55:02 -0400
From: Raul Quintanilla
Subject: Re: NATAS? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
>
> Natas is not just a boot sector virus. It infects COM and EXE files,
> as well as MBRs and floppy disk boot sectors.

Natas infects all sorts of files: com, exe, dll, flt, 386, doc (Word), xls (Excel), and many more, as long as they have a header of some sort.

Regards
Raul
F-Prot Professional Mexico

------------------------------

Date: Mon, 01 May 95 10:03:23 -0400
From: Raul Quintanilla
Subject: Re: NATAS Background? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
>
> It was written by James Gentilly - a virus writer known also under the
> handles "Priest" and "Little Loc". He is also the author of other
> viruses, such as Priest, Jackal, Sat_Bug, etc. He was interviewed by
> the FBI, but it has been found that he's too young (below 16) to be
> prosecuted.

I wonder if the FBI knows the extent of the damage done by Natas in Mexico. Natas is almost under control, but after a little more than a year active in this country the losses for all sorts of businesses are more than an infection. Thousands - millions? - of dollars in man/computer time have been lost over the past 15 months. Personally, I have a friend who would gladly go to this "young man" and tell/do him a couple of things after having to redo all his multimedia hard drives, and I know a lot more companies that would do worse things to him. If this "kid" assaults a 7-11 he'll go to juvenile, but if he assaults thousands of computers he's too young to go to jail.

Regards
Raul
F-Prot Professional Mexico

------------------------------

Date: Mon, 01 May 95 10:11:13 -0400
From: embu36@chemeng.ed.ac.uk (Chem Eng 4th Year)
Subject: Shareware - registered vs. not registered (PC)

What is the difference between using a shareware version of, say, McAfee Scan and a registered version? I know that F-Prot is free for personal use, so is there really any point in buying a commercial virus checker so long as constant updates can be obtained from the various FTP sites? Or do the commercial versions contain better checking algorithms, etc.?

Thanks to anyone who replies.........

c.copeland@sms.ed.ac.uk

------------------------------

Date: Mon, 01 May 95 12:31:29 -0400
From: Keith@slip.netcom.com
Subject: Re: Mouse Error with AVP2.1??? (PC)

> I have an evaluation copy of AVP (update 04.24.95) and my mouse doesn't
> want to go more than half way down the screen. All my other DOS apps work fine
> with the mouse. Is this a small programming error?
> I would have e-mailed the author(s) if there was an address in the
> documentation.

The author's e-mail is "eugene@kamis.msk.su".

I have not heard of this problem before. Are you saying that you cannot move the mouse below mid screen? What are you doing when this happens? Are you in any of the dialog boxes? What screen are you in?

Keith A. Peer
Central Command Inc.

------------------------------

Date: Mon, 01 May 95 16:06:18 -0400
From: ruben@ralp.satlink.net (Ruben Arias)
Subject: Re: VSafe & WFWG (PC)

BENEDICT@VAX.CS.HSCSYR.EDU 28 Apr 1995 10:21:53 - wrote:

>VSafe (with DOS 6.2, for what it's worth) and the Program Manager in Windows
>for Workgroups 3.1.1 seem to be incompatible. At any rate I can't get both to
>run at the same time, and starting WFWG then running VSAFE from the DOS
>command gives only ugly results. The reverse sequence won't let Windows start.
>Is there a solution? Or do I need to find a new antivirus solution before I
>continue migrating?

You may check other TSR utilities, if you like to have TSRs in memory to control access to files, direct write attempts, and changes to executable files. I'm a TSR fanatic too, and disappointed with people who say they're not good enough. Sometimes they may be problematic, but it only depends on the way you manage them. On the other hand, it is SO difficult not to have problems with programs like Windows or others (like QEMM). I encourage you to check any TSR programs.

I make my own -personal- division and call "Monitors" those programs that don't have enough capabilities to detect viruses by name (that means they don't recognize any virus string), and "Shields" those that do recognize virus strings.

Monitors:
=========
- - Diskmonitor (from Norton Utilities vers 5.0 or 6.0); I don't know if Symantec has a new version of this program.
- - Vtac (by Randolph Beck), a shareware utility of the 90's that detects some changes in files. WORKS WELL !!!!!!
- - F-defend, a utility by Dmitry S. Komanyuk. This is current and works well. It's a driver.

Shields:
========
- - Vshield of McAfee. I think the last version is 2.1.7.
- - TBAV related: all the TSRs that come with the TBAV antivirus.

Regards
Ruben Arias

- -----------------------------------------------------------------------------
Ruben Mario Arias                               E-mail: ruben@ralp.satlink.net
RALP - Computer Security - Virus                Buenos Aires, ARGENTINA.
- -----------------------------------------------------------------------------

------------------------------

Date: Mon, 01 May 95 18:45:01 -0400
From: "John L. Nevill"
Subject: Ripper Virus (PC)

I have just received another dose of the Ripper Virus. (Second time). I seem to get it when logged on to European sites. It eats base memory and attaches itself to the MBR. Does anyone know anything about it? By the way, I have removed it.

John

------------------------------

Date: Mon, 01 May 95 19:04:53 -0400
From: g9479105@wlv.ac.uk (martin)
Subject: Anyone seen...Helloween? (PC)

I have, it's all over me flippin' hard disk. I think I've just about got rid of it. Could anyone give me some info on what it does? Or any suggestions on how to make sure I'm rid of it?

Cheers!
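Ruben's "Monitors" above, and the CRC-based integrity checkers Robert Casas and Fridrik Skulason argue about earlier in this issue, rest on one idea: record what the executables look like, then alert on any change, without knowing a single virus string. The following is an added example, not code from any of the products named in this digest: a small baseline-and-verify checker in Python over a constructed directory. It shows why such a check catches a new virus (the file grew, here by a Tai-Pan-sized 438 bytes) and why it also fires on a legitimate product update, which is the "unwanted but not false" alarm in Casas's post. File names, contents and the baseline location are all constructed for the demo.

```python
"""Added example: a generic (virus-string-free) integrity checker in the
spirit of the 'Monitors' listed above. It hashes executables, stores a
baseline, and on verify reports every change with the size delta.
The directory tree is constructed in a temp dir for the demo."""
import hashlib
import json
import os
import tempfile

EXEC_EXT = {".exe", ".com", ".sys", ".ovl", ".dll"}   # what a DOS-era file virus targets


def rel(*parts: str) -> str:
    """Relative path in the local separator convention (used as report keys)."""
    return os.path.join(*parts)


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> [digest, size] for every executable under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXT:
                continue
            path = os.path.join(dirpath, name)
            snap[os.path.relpath(path, root)] = [file_digest(path), os.path.getsize(path)]
    return snap


def save_baseline(root: str, baseline_path: str) -> dict:
    snap = snapshot(root)
    with open(baseline_path, "w") as fh:
        json.dump(snap, fh)
    return snap


def verify(root: str, baseline_path: str) -> dict:
    """Compare the live tree to the baseline.

    'changed' maps path -> byte delta, which the user can compare with known
    virus lengths (Tai-Pan: +438) or with a product update they performed;
    the checker itself cannot tell those apart, which is exactly why the
    alarm is correct but may be unwanted."""
    with open(baseline_path) as fh:
        base = json.load(fh)
    live = snapshot(root)
    report = {"changed": {},
              "new": sorted(set(live) - set(base)),
              "missing": sorted(set(base) - set(live))}
    for path in sorted(set(base) & set(live)):
        if base[path][0] != live[path][0]:
            report["changed"][path] = live[path][1] - base[path][1]
    return report


def write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: baseline, then one virus-like growth, one
    legitimate update and one new executable; verify flags all three."""
    root = tempfile.mkdtemp(prefix="ivchk_")
    baseline = os.path.join(root, "baseline.json")      # .json: ignored by snapshot()
    write(os.path.join(root, "DOS", "EDIT.COM"), b"\xE9\x00\x00" + b"\x90" * 1000)
    write(os.path.join(root, "DOS", "FORMAT.EXE"), b"MZ" + b"\x00" * 3000)
    write(os.path.join(root, "README.TXT"), b"not an executable\n")
    save_baseline(root, baseline)

    # 1. something appended 438 bytes to EDIT.COM (virus-like growth)
    with open(os.path.join(root, "DOS", "EDIT.COM"), "ab") as fh:
        fh.write(b"\xCC" * 438)
    # 2. FORMAT.EXE replaced by a newer, smaller build (legitimate change)
    write(os.path.join(root, "DOS", "FORMAT.EXE"), b"MZ" + b"\x00" * 2500)
    # 3. a new executable appears
    write(os.path.join(root, "DOS", "NEWTSR.EXE"), b"MZ" + b"\x00" * 100)
    return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two practical caveats the posts above hint at: the baseline must live somewhere the virus cannot rewrite (a write-protected diskette, in 1995 terms), and the checker must be run from a clean boot, since a resident stealth virus can hand a scanner the original file contents while the file on disk is infected.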
------------------------------

Date: Sun, 30 Apr 95 02:58:19 -0400
From: steven.hoke@expressl.com (Steven Hoke)
Subject: Virus in Flash ROM??? (PC)

Iolo Davidson was heard to say on 19 Apr 95:

>a148poon@cdf.toronto.edu "Poon Jacob Tin Hang" writes:
>> Is it possible that a virus attacks flash ROM memory and make
>> antiviral apps impossible to remove this kind of virus
>> I am planning to use motherboards with flash ROM support
>> but I don't know the risk of doing so.

>To be safe, they should be fitted with a hardware write-enable
>switch which needs to be moved by hand before the flash memory
>can be altered. I don't know of any that are. Manufacturers
>have ignored warnings from the anti-virus community on this.
>Apparently *all* laptops now use flash BIOS.

One flash BIOS that does have that capability is Phoenix BIOS. I have a Micronics motherboard with a Phoenix flash BIOS, and there is a hardware jumper on the motherboard to enable writing or to write-protect the flash ROM. It's very important on some to have that normally jumpered for write protection. In the Windows 95 Preview, there is mention of one brand/model that has been identified as having had flash ROM corruption occur from the Windows 95 installation where the flash ROM had not been jumpered for write protection.

Having had a flash ROM fail during a firmware update, I can say that even if there is a recovery jumper that will recover in some instances, it doesn't always work, and you can be facing a day or two of down time while the manufacturer expresses you a pre-flashed replacement ROM (or longer if you don't have a reputable dealer).

- -=Steve=-

* CMPQwk 1.42-R2 #408 * Ben to Luke after his 9th failed marriage - 'Divorce will be with you, always'

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 48]
*****************************************