VIRUS-L Digest   Wednesday, 10 May 1995   Volume 8 : Issue 51

Today's Topics:

A public reply to a note in VLAD#4
More on "mail" virals and "Good Times"
Re: How do unix viruses work? (UNIX)
HELP : FD trouble, is it a virus ? - my_story.txt [01/01] (PC)
Hey,got any info for a Newbie? (PC)
Million Dollar Virus (PC)
Antiviral Toolkit Pro (PC)
How do I get rid of Monkey Virus? (PC)
Mouse Error with AVP2.1??? (PC)
Tai Pan Virus (PC)
Virus and floppies (PC)
Risky Business Virus (PC)
Urkel Virus help need (PC)
Urkel (PC)
Dr. Solomon's Anti-Virus Toolkit (PC)
Win95 and Current Antiviruses (PC)
Update Signatures for MS-AV? (PC)
WELCOMEB virus: is there a cure? (PC)
how to kill ANTICMOS A virus? (PC)
Re: Here's info on new(?) virus "Havoc ][". Discussion Welcome. (PC)
Help: Yankee.doodle.tp.44 or Yankee-45 (PC)
Re: Copying a boot sector to a file (PC)
Info on Dr.Web Anti-virus and CRYPT.Virus? (PC)
CPAV updates (PC)
Re: Boot sector viruses (PC)
Re: Pluto.666 Virus? (PC)
Re: NT Anti-Virus Software (PC)
Re: Should I delete InVircible? Does it destroy files? (PC)
Re: Help Parity BootB[GenB] Virus (PC)
Re: Pathogen/Queeg (PC)
Re: Stoned virus (PC)
Re: Bad Boy virus (PC)
Re: BIOS_AV (PC)
Re: Copying a boot sector to a file (PC)
Re: Shareware - registered vs. not registered (PC)
Re: Dr. Solomon's Anti-Virus Toolkit (PC)
100% Virus Protection (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 08 May 95 11:43:44 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: A public reply to a note in VLAD#4

This is a public reply to a note in the VLAD#4 magazine.

-----------------------------------------------------------------------------

> Dear Sir:
>
> This letter is in regard to the "grey list" you made reference to about
> the virus distribution made available at kaiwan.com.
>
> I felt strongly compelled to comment about your actions concerning
> disallowing the users from kaiwan.com access to your ftp site, WWW site,
> and personal technical support.

To clarify: We intend to close our FTP site, and (upcoming) WWW site to virus distribution sites, including kaiwan.com, netcom.com and io.com. We will, however, provide support to customers on those sites in emergencies, but will recommend that they get a different account provider.

> When I was informed about your actions concerning the public distribution
> of the Virus Collector Kits, I was more than appalled. While it is
> obvious you cannot support the creation of computer viruses, it seems
> hypocritical to try to diminish their public distribution.

Hypocritical? Well, you are entitled to your opinion. As far as I am concerned, I see the irresponsible distribution of viruses and related material as a problem, and I am doing whatever I can to combat that problem. I do not expect you to agree with my position or even to understand it.

> The University I attend is currently a customer of Frisk Intl., and uses
> F-Prot as their main source of anti-virus protection in all of their
> academic computer labs.
> My question to you is this: If I were to offer
> computer viruses for research via anonymous ftp or other means, would my
> school, a customer of Frisk Intl., also be included on the said "grey list"?

If the school would not interfere, and stop you from distributing the viruses on their machines, then yes - indeed. Moreover, I would consider them having cancelled their F-PROT license - and order them to remove my software from all of their machines... of course they would be refunded a part of the license fee.

> I am curious about the integrity of Frisk Intl, curious enough to "try
> out" your threats of being denied support from Frisk Intl. Where do you
> draw the line between public/customer support, and your personal
> feelings about virus distribution.

The line is simple: I do not want my product to be associated with sites that allow unrestricted distribution of viruses.

> I also feel compelled to point out you're freely offering disassembled source
> of particular viruses. I would readily consider this "virus distribution"
> and view it as hypocrisy on your part, at best.

THIS IS A LIE, AND YOU KNOW THAT. I do not "freely offer disassembled source of particular viruses" - never have, and never will.

> I hopefully await a response concerning this matter. If you would prefer
> to speak rather than communicate via e-mail, I would be more than happy
> to make any arrangements you see fit.
>
> Please, consider this query, and reply with an appropriate response.
>
> sweasel@netherlands.ypsi.mi.us

Fridrik Skulason                 Frisk Software International
phone: +354-5-617273             Author of F-PROT
E-mail: frisk@complex.is         fax: +354-5-617274

------------------------------

Date: Tue, 09 May 95 16:51:23 -0400
From: "Rob Slade, Social Convener to the Net"
Subject: More on "mail" virals and "Good Times"

This is going to have to be quick, so please be kind as regards technical accuracy.

A virus, like any other program, has to be executed.
Unfortunately, "one man's data is another man's program". (Please excuse the sexist language.) There is no hard and fast distinction between data and programs. The CHRISTMA EXEC worm was text, contained in an email message. However, the VM systems which it targeted had REXX interpreters associated with the mail system, so REXX source code, which was text, was able to be "run" as a program.

You can, in fact, write an MS-DOS executable program using only "printable" text characters. This could be sent as a text message. You would, however, have to trim and save and then execute the program in order to have it run. This is not likely to happen by accident.

With the rise of "user-friendly" systems, certain other things *can* happen more easily by accident. I believe that Microsoft's network email system requires only a single mouse click to execute an "attached" file with an email message. Most systems are not that capable yet, but they are moving in that direction.

"Good Times" is generally associated with the AOL system, and it is interesting that AOL is one of the systems which has its own, proprietary, user interface. These proprietary systems can do an awful lot which is not evident to the user. At present, there is no known method for triggering an executable simply by sending text in an email message.

Finally, there are the terminal function effects. ANSI emulation allows keyboard remapping, and Wyse terminals (as well as certain UNIX systems) allow not only remapping, but have provision to "call" keys from the terminal. These functions were used for pranks by students who would remap a key to the logout command and then "call" the remapped key--all from the *subject* line of a message.

As I said in the previous message, none of these functions is likely to be used for malware. They are, for one thing, too system specific. An executable file sent from a Microsoft equipped system is likely to be unreadable on a MIME system.
However, there are some possibilities within current, and developing, technologies.

And, just to leave you with some real good news for the day (NOT!), some mini-mind in the vx community has, of course, come out with a "Good Times" virus. Nothing like the hoax, but some additional confusion, nonetheless.

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Tue, 09 May 95 10:23:42 -0400
From:
Subject: Re: How do unix viruses work? (UNIX)

The following is from the on-line hacker Jargon File, version 3.0.0, 27 JUL 1993.

"Ken Thompson's 1983 Turing Award lecture to the ACM revealed the existence of a back door in early UNIX versions that may have qualified as the most fiendishly clever security hack of all time. The C compiler contained code that would recognize when the `login' command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.

"Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to *use* the compiler --- so Thompson also arranged that the compiler would *recognize when it was compiling a version of itself*, and insert into the recompiled compiler the code to insert into the recompiled `login' the code to allow Thompson entry --- and, of course, the code to recognize itself and do the whole thing again the next time around! And having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.
"The talk that revealed this truly moby hack was published as "Reflections on Trusting Trust", "Communications of the ACM 27", 8 (August 1984), pp. 761--763."

------------------------------

Date: Sun, 07 May 95 07:52:08 -0400
From: joy@euronet.nl (Joost Peters)
Subject: HELP : FD trouble, is it a virus ? - my_story.txt [01/01] (PC)

BEGIN -- Cut Here -- cut here

On 3 different machines I have suddenly, since two days, identical problems. When writing data on a floppy disk I get cross linked files. It doesn't matter if I use old or new disks or use disks from different brands.

- In the machines are different floppy drives and controller cards.
- The problem only occurs on floppy disks, my hard disks seem OK (tested with CHKDSK and SCANDISK).
- When I read older disks (older than two days) the data is 100 % OK. Only disks that I have written data on for the last two days have the problem. So the problem occurs after writing data on a floppy disk.
- I can run programs and read data from older disks without any problems.
- There are no bad sectors on any of the problem disks.
- It can't be done by any normal TSR program, because I disabled loading my config.sys and autoexec.bat.
- I tried booting from a clean write protected disk and used "FDISK /MBR and SYS C:", but the problem remains.
- I tried repairing and/or removing cross linked files with SCANDISK. After the procedure new cross linked files are detected.
- I tried testing the floppy drives with Checkit 3.0, but it aborts any write test.
- I even bought some new floppy drives (a Mitsumi and a Panasonic) but I am still getting cross linked files on all the disks I write on.
- I downloaded from several official sites the latest anti-virus software (McAfee etc.). Not one scanner detected a possible infection by a virus.

Can anybody tell me what's going on? Please let me know! All other ideas of helping me to deal with this problem are also welcome.

Thanks for reading ... (!?)
Joost Peters (joy@euronet.nl)

END -- Cut Here -- cut here

------------------------------------------------------
Joost Peters                            joy@euronet.nl
------------------------------------------------------
Who's General Failure, And Why Is He Reading My Drive?
Backup My Hard Drive ? I Can't Find The Reverse Switch.
REALITY.SYS Corrupted! Reboot Universe? [Y/N]
-------------------------------------------------------

------------------------------

Date: Sun, 07 May 95 19:10:23 -0400
From: walkerc@capitalnet.com (Chris Walker)
Subject: Hey,got any info for a Newbie? (PC)

I'm quite new to the concept of viruses (virri?) and I was wondering if any of you out there experienced in such matters would take the time to answer a few questions for me.

1) Can viruses be written in any programming language or are they restricted to assembly and/or machine language?
2) If they can be written in a high-level language, which ones are the most efficient?
3) What exactly is the difference between the master boot record and the boot sector?
4) What is a partition table?

Thanx in advance to those able to help me out.

-------------------------------------------------------------------------------
If two wrongs don't make a right, try three.
-------------------------------------------------------------------------------

------------------------------

Date: Sun, 07 May 95 21:30:33 -0400
From: JimBogart@aol.com
Subject: Million Dollar Virus (PC)

An anti-virus program - InnocLan - has identified "The Million Dollar Virus" running on one IBM PC on the network. It cannot clean the virus. The sys.admin is not familiar with this virus. It has not spread to any other workstations. No apparent damage has been done to the one infected PC. Can we use F-Prot to clean this virus? Are there any special precautions needed? Any advice would be appreciated.
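The newbie questions a few messages above ask what separates the master boot record from a boot sector and what a partition table is, and later posts in this digest recommend saving the MBR/DBR and watching for changes. The following Python is an added example, not code from any VIRUS-L poster: it classifies a 512-byte sector image as a DOS boot sector (BPB after a short jump) or an MBR (partition table at offset 0x1BE), decodes the table, and keeps a digest so a rewritten sector is noticed. Both sample sectors and the partition geometry in them are constructed for the demonstration.

```python
"""Added example (not from any VIRUS-L poster): tell a DOS boot sector from a
master boot record, decode the partition table, and fingerprint the sector so
a later rewrite (for example by a boot sector virus) is detected."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries live here in an MBR
SIGNATURE_OFFSET = 0x1FE         # both MBR and DOS boot sector end in the bytes 55 AA


def has_boot_signature(sector: bytes) -> bool:
    """True when the image is one full sector ending in the 0x55 0xAA marker."""
    return len(sector) == SECTOR_SIZE and sector[SIGNATURE_OFFSET:] == b"\x55\xAA"


def looks_like_dos_boot_sector(sector: bytes) -> bool:
    """Heuristic BPB check: a DOS boot sector starts with a short jump and
    carries a BIOS Parameter Block; an MBR has code plus a partition table."""
    jmp = sector[0]
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    sectors_per_cluster = sector[13]
    reserved_sectors = struct.unpack_from("<H", sector, 14)[0]
    fat_count = sector[16]
    power_of_two = sectors_per_cluster != 0 and (sectors_per_cluster & (sectors_per_cluster - 1)) == 0
    return (jmp in (0xEB, 0xE9) and bytes_per_sector == 512 and power_of_two
            and reserved_sectors >= 1 and fat_count in (1, 2))


def parse_partition_table(sector: bytes) -> list:
    """Decode the four MBR partition entries; unused slots (type 0) are skipped."""
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        boot_flag, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        if ptype == 0:
            continue
        entries.append({"index": index, "bootable": boot_flag == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def classify_sector(sector: bytes) -> str:
    """Return 'dos-boot-sector', 'mbr' or 'unknown' for a 512-byte image."""
    if not has_boot_signature(sector):
        return "unknown"
    if looks_like_dos_boot_sector(sector):
        return "dos-boot-sector"
    if parse_partition_table(sector):
        return "mbr"
    return "unknown"


def fingerprint(sector: bytes) -> str:
    """Digest to keep on a write-protected diskette and compare at every check."""
    return hashlib.sha256(sector).hexdigest()


def changed(baseline: str, sector: bytes) -> bool:
    """True when the sector no longer matches the stored baseline digest."""
    return fingerprint(sector) != baseline


def make_floppy_boot_sector() -> bytes:
    """Constructed sample: BPB of a 1.44 MB floppy, no real boot code."""
    bpb = struct.pack("<3s8sHBHBHHBHHHII",
                      b"\xEB\x3C\x90", b"MSDOS5.0",   # jmp short + nop, OEM name
                      512, 1, 1, 2,        # bytes/sector, sectors/cluster, reserved, FATs
                      224, 2880, 0xF0,     # root entries, total sectors, media byte
                      9, 18, 2, 0, 0)      # sectors/FAT, per track, heads, hidden, large total
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bpb)] = bpb
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


def make_mbr() -> bytes:
    """Constructed sample: one bootable FAT16 (type 0x06) partition; geometry is made up."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xFA\x33\xC0"  # cli / xor ax,ax: a typical MBR code prologue, not a BPB
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xFE\x3F\x3F", 63, 2064321)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    for name, image in (("floppy A:", make_floppy_boot_sector()), ("hard disk", make_mbr())):
        print(name, "->", classify_sector(image), parse_partition_table(image))
    baseline = fingerprint(make_mbr())
    tampered = bytearray(make_mbr())
    tampered[0] ^= 0xFF  # simulate the first byte of the MBR being overwritten
    print("MBR changed:", changed(baseline, bytes(tampered)))
```

On a real machine the 512 bytes would come from the boot-sector file the DEBUG script in this digest produces, or from a raw read of the first sector of the hard disk; the digest is only useful if it was taken from a known-clean sector.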
------------------------------

Date: Sun, 07 May 95 22:07:34 -0400
From: Israel Kay <100112.2001@compuserve.com>
Subject: Antiviral Toolkit Pro (PC)

Sheldon Deluty (sdeluty@mcan00.med.nyu.edu) writes:

> Could somebody PLEASE post the exact and correct address for accessing
> a copy of this program [AVP].

FTP oak.oakland.edu simtel/msdos/virus/avp*.*

> Does anyone know for a fact if this program can really detect viruses
> within zip files.

Yes.

Regards,
Israel

*********************************************************************
*                    I S R A E L   K A Y                            *
*           PC ANTI-VIRUS & DATA SECURITY CONSULTANCY               *
*                       LONDON OFFICE                               *
*         137 Wargrave Avenue, London, N15 6TX. U.K.                *
*   Tel: +44 (0)181 800 7278          Fax: +44 (0)181 802 9880      *
*   CIS: 100112,2001  Internet: 100112.2001@compuserve.com  CIX: ik *
*****************-----------------------------------*****************
*                    LONDON          NEW YORK                       *
*************************************

------------------------------

Date: Sun, 07 May 95 22:07:37 -0400
From: Israel Kay <100112.2001@compuserve.com>
Subject: How do I get rid of Monkey Virus? (PC)

Alligator (CHINACAT.CRIS.COM@cris.com) writes:

> I'm not sure what this virus does due to my lack of virus software. I
> have used McAfee Virus Scan, but it doesn't get rid of the virus. Can
> anyone give me some help in order to solve my problem. By the way,
> did I happen to mention that my comp. is only 2 months old and it would
> be a real disappointment if it would crash?

Discovered in Edmonton, Canada, in 1991. Monkey shares many attributes with Stoned. It is a Boot Sector Virus. Monkey also encrypts the Master Boot Record and relocates it. It has stealth capabilities as well. Since it relocates the MBR it is not possible to use FDISK /MBR. Neither can you use a disk editor to restore the MBR on track zero. Dr. Solomon's Toolkit, F-Prot, or Scan should remove it.
Regards,
Israel

Israel Kay, PC Anti-Virus & Data Security Consultancy, London Office
Tel: +44 (0)181 800 7278  Fax: +44 (0)181 802 9880  Internet: 100112.2001@compuserve.com

------------------------------

Date: Sun, 07 May 95 22:07:35 -0400
From: Israel Kay <100112.2001@compuserve.com>
Subject: Mouse Error with AVP2.1??? (PC)

Simon Davies (S.Davies-2@plymouth.ac.uk) writes:

> I have an evaluation copy of AVP (update 04.24.95) and my mouse
> doesn't want to go more than half way down the screen. All my other DOS
> apps work fine with the mouse. Is this a small programming error?
> I would have e-mailed the author(s) if there was an address in the
> documentation.

Your mouse should be fully compatible with AVP. I suggest you e-mail Eugene Kaspersky at: eugene@kamis.msk.su

Regards,
Israel

Israel Kay, PC Anti-Virus & Data Security Consultancy, London Office
Tel: +44 (0)181 800 7278  Fax: +44 (0)181 802 9880  Internet: 100112.2001@compuserve.com

------------------------------

Date: Sun, 07 May 95 22:07:39 -0400
From: Israel Kay <100112.2001@compuserve.com>
Subject: Tai Pan Virus (PC)

Hans Kazan (m.vanotterlo@student.utwente.nl) writes:

> Can someone give me more information about the Tai-Pan virus?
> Like, is it dangerous, which files does it infect etc etc...

Tai-Pan also known as Whisper was discovered in Sweden around the middle of 1994.
It is a virus that goes memory resident and only infects .EXE files. File sizes grow by 438 bytes. It will only infect .EXE files that are larger than 64k. It will not do anything more than replicate once it is in memory. F-Prot, and Dr. Solomon's AVTK accurately identify and remove it.

Regards,
Israel

Israel Kay, PC Anti-Virus & Data Security Consultancy, London Office
Tel: +44 (0)181 800 7278  Fax: +44 (0)181 802 9880  Internet: 100112.2001@compuserve.com

------------------------------

Date: Sun, 07 May 95 22:07:41 -0400
From: Israel Kay <100112.2001@compuserve.com>
Subject: Virus and floppies (PC)

Patrick T. Hurley (phurley@umd.umich.edu) writes:

> Is anyone aware of a virus that will prevent or disrupt access to floppy
> drives or interfere with use of ZIP files? This may seem like a strange
> combination, but there is a certain individual who is trying to sue me
> for not delivering some code. I have sent it repeatedly and he fails
> to read it properly. If things progress legally - I would like to
> investigate the various problems at his end that could be causing these
> problems.

When copying files for distribution it is always wise to use the verify option. To my knowledge there are no viruses that actually interfere with the ZIP operation. You can also try using ARJ compression. To ensure that you and your customer are virus free I recommend you use a shareware package such as F-Prot. This is obtainable via FTP from: oak.oakland.edu simtel/msdos/virus/fp*.*

If you experience any further difficulties please e-mail me.
Regards,
Israel

Israel Kay, PC Anti-Virus & Data Security Consultancy, London Office
Tel: +44 (0)181 800 7278  Fax: +44 (0)181 802 9880  Internet: 100112.2001@compuserve.com

------------------------------

Date: Mon, 08 May 95 07:05:54 -0400
From: Darren Jones
Subject: Risky Business Virus (PC)

Does anyone know about the Risky Business Virus? One of our computers just came up with it but our current virus checkers cannot detect it. What is it? Is it dangerous? What will detect and remove it?

Thanks in advance for your help

------------------------------

Date: Mon, 08 May 95 12:32:45 -0400
From: orrin@csc.albany.edu (Matt Orrin)
Subject: Urkel Virus help need (PC)

Ok, I am curious to see if anyone knows anything about the Urkel (sp?) Virus. Any information would be appreciated. What it does, how to kill it, how to fix the MBR after it infects the computer. It is somewhat important if anyone has information. If there is anything I missed, please inform me. Thanks for your time.

- Matt

--
Matt Orrin                                 Master of Bob Fu
orrin@cnsunix.albany.edu                   "Woo Hoo...4 day weekend!" - Homer J.
http://www.albany.edu/~orrin               "Sometimes truth is stranger than fiction"
http://www.albany.edu/~orrin/ramones.html - Rockaway Beach - Ramones WWW

------------------------------

Date: Mon, 08 May 95 14:13:57 -0400
From: Duncan Frissell
Subject: Urkel (PC)

The Urkel virus is wandering through New York City. We got hit a few weeks ago. It is a boot sector infector which is hard to dodge because it prevents you from accessing the C: drive if you boot from the A:. McAfee will find it but not clean it.
The new f-prot finds it and tries to clean it but gives up when it is unable to find the C: drive (after finding the Urkel in the MBR). Any suggestions for another line of attack?

DCF

------------------------------

Date: Mon, 08 May 95 19:42:53 -0400
From: simonb@melbpc.org.au (Simon Basterfield)
Subject: Dr. Solomon's Anti-Virus Toolkit (PC)

The company that I work for is considering a site-license for Dr. Solomon's Anti-Virus Toolkit. I would be interested in hearing from people who have used, or are using this product and what your impressions of it are (whether you have good or bad things to say).

Cheers TIA, :-)
Simon.

  ,-._|\    Simon Basterfield
 /  Oz  \   Member, Melbourne PC User Group
 \_,--.x/   Melbourne
       v    AUSTRALIA

------------------------------

Date: Mon, 08 May 95 21:33:55 -0400
From: jrice@pomona.edu (Jeffrey Rice)
Subject: Win95 and Current Antiviruses (PC)

I'm using Win95 Preview, and was wondering what effects this would have on my current antiviral programs. I use Virstop, which seems to be pretty much unaffected, but I was more concerned about TBAV since it keeps a closer watch on my HD. What problems might occur, and how can I prevent them? Are there any antiviruses that are specifically designed for Win95?

Jeff

Jeffrey Rice          "I think I've been net-surfing too long; Netscape's
jrice@pomona.edu       pointer-finger just flipped me off."
http://www.webcom.com/~jrice

------------------------------

Date: Tue, 09 May 95 02:22:48 -0400
From: "Bruce Breidfjord Dimon, Idaho Gold Wing"
Subject: Update Signatures for MS-AV? (PC)

Where can I get updated signatures for Microsoft's Anti-Virus? Thanks.

--
Bruce B. Dimon, Idaho Gold Wing
Wing for Go, Not for Show!

------------------------------

Date: Tue, 09 May 95 02:27:22 -0400
From: Abraham Harris
Subject: WELCOMEB virus: is there a cure? (PC)

My PC contracted the WELCOMEB virus. Has anyone discovered any cure or disinfectant for it?
------------------------------

Date: Tue, 09 May 95 02:57:34 -0400
From: engp3004@leonis.nus.sg (Xu Yuan Ping)
Subject: how to kill ANTICMOS A virus? (PC)

Traces of ANTICMOS VIRUS A found in my hdd. Any tools to kill it?? It's very bothersome and infects all my diskettes. Help!!!!!!!

------------------------------

Date: Tue, 09 May 95 04:35:22 -0400
From: mrj@nemetschek.de (Martin Roesler)
Subject: Re: Here's info on new(?) virus "Havoc ][". Discussion Welcome. (PC)

Jim Hoy (hoy@falcon.bgsu.edu) wrote:

: Our site is infected with (apparently) a rather new virus.
: We have called the virus by the name of "The Havoc ][ Virus", because
: that's what it calls itself in its code. It is not detected by F-Prot, nor
: is it identified by any of the other virus detection programs we have
: tried. A couple of the programs know something's wrong after a computer
: has been infected, but don't identify or protect against the virus.

As I read the things you wrote, it seems to me like the Neuroquila Virus, which is in the wild in Germany. There exists a program called K-NQ.ZIP which is designed to clean an infected PC from Neuroquila and N8fall, another virus from Neurobasher (the writer of this virus). If you can't find the program, you can download it from my mailbox (49-8084-94071) or request it from a FIDO system (2:2480/8849).

--
bye mrj

Dipl.-Ing.(FH) Martin Roesler
Nemetschek Programmsystem, Riedenburger Str. 2, 81677 Munich, Germany
Phone +49-89-92793-0, Fax +49-89-92793-579
e-mail mrj@nemetschek.de

------------------------------

Date: Tue, 09 May 95 15:36:22 -0400
From: pliu@calvin.stemnet.nf.ca (Pengfei Liu)
Subject: Help: Yankee.doodle.tp.44 or Yankee-45 (PC)

Would anybody tell me how to get rid of the memory virus Yankee-45 or Yankee.doodle.tp.44 (detected by McAfee 2.2 but cannot be removed)? About 10 software packages have been used (VDS30T, ChekMate, McAfee, etc.), and cannot get them to work.
The Shareware Version of McAfee for DOS (downloaded from simtel) does not include the scan.exe file which is useless. Thank you in advance.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pengfei Liu
Eastern College, Burin Campus
Box 369, Burin, NF
Canada A0E 1E0

------------------------------

Date: Tue, 09 May 95 15:53:21 -0400
From: moseley@netcom.com (Willy)
Subject: Re: Copying a boot sector to a file (PC)

sergio.nadal@mest.unizar.es says...

>Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
>> However, if indeed all you want is to copy the boot sector of a floppy
>> to a file, you can do it with DEBUG. Create a text file, say
>> "debug.scr", with the following contents:
>>
>> L 100 0 0 1
>> rcx
>> 200
>> n drive_a.boo
>> w
>> q

Note that the above saves the DOS boot record, not the MBR. To save the MBR you would need to use INT 13 routines - and be careful. There are also a number of programs that will do this for you - HS.COM and AAVIRUS are two that come to mind now. They are really more for detecting changes in the MBR/DBR and system files. You can easily use AAVIRUS to save the MBR and DBR and restore them when needed.

--
__________________________________________________________________
Bill  | moseley@netcom.com |

------------------------------

Date: Tue, 09 May 95 16:20:06 -0400
From: ltf@utic.unicomp.net (Lance Franklin)
Subject: Info on Dr.Web Anti-virus and CRYPT.Virus? (PC)

Recently, my company received a fax from a customer who had been shipped some disks with our software. After receiving these disks, the customer ran a virus-check on the disks with an Anti-Virus program called Dr.Web, from a company called DialogueScience Moscow. The program reported that two files were "possibly infected" with a virus called CRYPT.Virus. Both files were pkzip-format files, neither containing executables.

Now, I have not been able to find ANY information on a virus called CRYPT.Virus... the closest I've come is Cryptlab.
So I'm hoping that someone here might have some information, either on the virus itself or the program Dr. Web, which says it found the virus. So... any help?

Lance

------------------------------

Date: Tue, 09 May 95 16:39:22 -0400
From: rkutai@utkux.utcc.utk.edu (Raymond Steven Kutai)
Subject: CPAV updates (PC)

Are there any ftp sites for Central Point's Anti-Virus updates? The last update I have was about two years ago. I think it is a little "obsolete" now. Thank you in advance.

---
rsk 05.08.95

--
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
Raymond Steven Kutai                   "Think imaginary!" -- Stephen Hawking
rkutai@utkux.utcc.utk.edu              http://funnelweb.utcc.utk.edu/~rkutai
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

------------------------------

Date: Tue, 09 May 95 17:06:20 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Boot sector viruses (PC)

Jm Valera (the_borg@ix.netcom.com) writes:

> Can boot sector viruses travel over networked drives (VIA DOS's
> InterLink and InterServer)?

No, pure boot and master boot sector viruses cannot do that. The reason is because the network does not provide sector-level access to the network drives. However, there are viruses which infect both files and boot sectors. Such viruses can spread to the network drives - by infecting files.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev              Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226          Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 17:13:26 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Pluto.666 Virus? (PC)

Adam Stein-Sapir (steins84@futures.wharton.upenn.edu) writes:

> I found Pluto in a Norton Antivirus file of all places.
> Anyone
> know what it does?

It's not a virus; it's a false positive. Ignore it.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg (bontchev@fbihh.informatik.uni-hamburg.de)

------------------------------

Date: Tue, 09 May 95 17:14:24 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NT Anti-Virus Software (PC)

Mark Smith (msmith@halcyon.com) writes:

> >Any Anti-Virus software recommendations for machines running Windows
> >NT?

> There was a long article in the Houston Chronicle about anti-virus
> software.

There is an even longer paper of mine about one of the anti-virus packages mentioned in that article. See below.

> They said they tried all the virus detection software.

They were incompetent.

> The only one they recommended was a program called Invercible.
> (this is the correct spelling for this software.)

No, it is not. The correct spelling for it is InVircible.

> It is supposedly available from different bulletin boards.
> I have not been able to find it.

The reason is that it was discovered that this software trashes the files of the user that have some particular names (e.g., SOFIA or WRITEST). That's why most major ftp sites have removed the product from their archives.

> If you locate it please let me know where it is.

It should be available from the ftp site of the US distributor. Try

ftp://ftp.netcom.com/pub/an/antivir/invircible/invb601d.zip

However, please have in mind the problem mentioned above (it might trash some of your data). Also, have in mind that it is full of bugs and security holes.
For a detailed description of them, see

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/invircib.zip

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, Virus Test Center, University of Hamburg (bontchev@fbihh.informatik.uni-hamburg.de)

------------------------------

Date: Tue, 09 May 95 17:34:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Should I delete InVircible? Does it destroy files? (PC)

Heather A Thomas (hthomas@cs.buffalo.edu) writes:

> After reading a few posts on the net, I seem to be getting the idea that
> InVircible is a "Trojan Horse" out there and thousands of unsuspecting
> people have DL'd it and it is destroying their HDs.

This is not quite true. In reality, it destroys only some files with particular names (e.g., SOFIA or WRITEST), cuts off the string "MsDos" if it finds it at the end of the executable files, and so on. In short - yes, it is destructive, but "destroying their HDs" is an overstatement.

> I have anti-vir.dat
> and *.ntz files on my C: drive which are from some AV Prgm, I assume
> InV, are they just check list files?

The NTZ files are from InVircible, yes. The ANTI-VIR.DAT files are from TBAV - another anti-virus program. They are all just checksum database files, yes.

> Should I delete this program and
> stick with McAfee/F-Prot?

Deleting InVircible is a good idea. Sticking with McAfee/F-PROT *alone* is not. They are scanners. A good anti-virus protection scheme should not rely on scanners alone (although they *are* needed). You should also use some integrity checker. Unfortunately, I can't recommend a really good one, but take a look at Integrity Master, VDS, or ADInf - they are quite acceptable.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 17:41:48 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help Parity BootB[GenB] Virus (PC)

Marcus Elwert (100420.1272@CompuServe.COM) writes:

> scan 9.21 VIII from Mc Afee tells me
> that there is the Parity Boot B [GenB] Virus active in memory,
> but no infected files were found on my hard disk.

That's quite normal, since this virus does not infect any files. It infects the master boot record.

> How can I get rid of this virus.

Use a good virus remover which can remove it. F-PROT or AVP are two excellent choices. Before using the remover, cold-boot from a write-protected uninfected system diskette. I emphasize - cold-boot. If you just press Alt-Ctrl-Del, the virus will remain in memory.

This is probably the most widespread virus in Germany.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 17:41:51 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Pathogen/Queeg (PC)

S Widlake (swidlake@rl.ac.uk) writes:

> NOTE - writing and releasing viruses in the .UK is a very BAD idea !!!

Yep, as the ARCV virus writing group and the author of that particular virus have found out...

> I believe I'm right in thinking that the "Black Baron" was caught and

Correct.

> was prosecuted under the Computer Misuse Act (was it?).
> Does anyone
> have any further details on what his punishment was and was he really
> sorry about writing these viruses ;-(

Nope. According to the information I have, he hasn't been prosecuted yet. The case has been adjourned, due to the fact that the prosecution has failed to get the case ready. However, my information comes from a printed magazine ("Secure Computing"), so it might be about one month out-of-date.

> It's a shame that most other countries have no similar legislation ;-(

Couldn't agree more with you on this... On the other hand, Christopher Pile (a.k.a. the Black Baron) will probably be prosecuted because he infected other people's machines - not because he wrote those viruses - and many other countries already do have similar legislation in this aspect.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 17:41:54 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stoned virus (PC)

Walnut Creek Library (wclib@ccnet.com) writes:

> : > I have never seen Stoned B infect 1.2 MEG diskettes.

> : What do you mean exactly by "Stoned B"? Most Stoned variants have no
> : problems infecting 1.2 Mb floppies. However, they infect only floppies
> : (regardless of the size) in drive A:; maybe this is why you have never
> : observed it.

> Stoned-B ("Your PC is now stoned", displayed once in a while on
> booting, infects floppies and MBR's; apparently the first variation of
> Stoned -- added MBR infection -- after the original "A" got out of

Unfortunately, the above description of yours holds for probably more than a dozen Stoned variants.
I was asking for the exact identification of the variant that reportedly does not infect 1.2 Mb floppies. Essentially, that means to run Dr. Solomon's FindVirus or F-PROT on it and see what exactly is reported (since those two scanners perform exact identification for many of the viruses they detect).

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 17:43:46 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Bad Boy virus (PC)

WJP (wjp@ios.com) writes:

> We have encountered a virus called Bad Boy - both F-prot and Mcafee
> report its existence as a boot sector virus, but are unable to remove.

That's kinda strange, because the Bad_Boy viruses are file infectors and therefore cannot be in the boot sector.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 17:50:00 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: BIOS_AV (PC)

CELTA (sergio.nadal@mest.unizar.es) writes:

> What is exactly the function of the BIOS AV, it only makes
> that programs don't write in the MBR ???

I'm not sure that I understand your question. Do you mean

1) "What is the menu item of the CMOS configuration program that enables the boot sector protection?"

This depends on what kind of BIOS you have.
For those AMI BIOSes that have this function, enter the "Advanced settings" menu and look for "anti-virus protection: enabled" or for "boot sector protection: enabled".

2) "Is the only function of the anti-virus BIOS to prevent the programs from writing to the MBR?"

Again, this depends on the particular brand of BIOS. For AMI BIOSes, the answer is "Yes". Some computers have the Trend Microdevices "ChipAwayVirus" protection - if you have this one, it is supposed to do much more than just write-protecting the MBR, but what exactly it does and whether it really lives up to its claims - I don't know.

3) "How do the anti-virus BIOSes achieve protection of the MBR?"

In most cases - by intercepting the disk access interrupt (INT 13h) and examining whether the write access requests are directed to the sector on which the MBR resides.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 17:57:45 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Copying a boot sector to a file (PC)

CELTA (sergio.nadal@mest.unizar.es) writes:

> > L 100 0 0 1
> > rcx
> > 200
> > n drive_a.boo
> > w
> > q

> > Then you can use the command "debug < debug.scr" to read the boot
> > sector of the floppy in drive A: and store it in a file named

> Well, all is OK, but I'd be very pleased if someone could tell me
> how I can put the contents of the file drive_a.boo in the boot sector
> of another disk using debug,

Create a script with the following contents:

n drive_a.boo
l
w 100 0 0 1
q

If you call it, say, "writeboo.scr", then the command "debug < writeboo.scr" will load the contents of the file DRIVE_A.BOO and will write the first 512 bytes of it over the boot sector of the floppy disk in drive A:. Be careful, however, by doing this you can make the floppy disk inaccessible to DOS, especially if it is a 1.44 Mb 3.5" floppy disk.

> and, if possible, how can I do it using
> assembler or C source.

In assembler that would be too messy - I'd have to write two screenfuls of instructions. In C - check the help of your compiler. You need the functions fopen() and fread() to read the file and the function abswrite() to write on a sector level. In short - read the documentation. This also holds for DEBUG, BTW.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 18:01:57 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Shareware - registered vs. not registered (PC)

Lic. Jose Anaya P. (joanaya@academ01.mty.itesm.mx) writes:

> F-PROT, on the other
> hand comes in two flavors: shareware and Professional, the
> latter being quite different from the shareware distributed
> counterpart, but also, in any case, none is for free, only the
> chance to test the product for a limited time is free.

I am sorry, but you are wrong. First, the Professional version uses exactly the same scanning engine as the freeware version, so it is exactly the same as a scanner. Its advantages are in having some additional features - like an integrity checker, being updated twice as often, having a Windows version, with a scheduler, a resident scanner that really works under Windows, and so on. Second, the shareware version *is* free for individual use - please read carefully the accompanying documentation. It has to be paid ($1 per machine per year) only if used in a corporate environment ($0.75 if used in an educational environment).

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 18:02:01 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Dr. Solomon's Anti-Virus Toolkit (PC)

Simon Basterield (simonb@melbpc.org.au) writes:

> The company I am currently contracting for is thinking of obtaining a site
> license for Dr.Solomon's Anti-Virus Toolkit.
> I would be interested in hearing reports, either good or bad, about this
> product from people who have used it and/or reviewed it.

This product contains one of the best scanners around. It also contains a resident scanner which is excellent - in fact, I am using it.
However, the product also contains an integrity checker, which is extremely bad - in fact, it is a sorry excuse for the term "integrity checker". If you need a good scanner and can afford Dr. Solomon's - get it. If you need an integrity checker - better look elsewhere.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
PGP 2.6.i public key on the keyservers.      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de         22527 Hamburg, Germany

------------------------------

Date: Tue, 09 May 95 18:46:41 -0400
From: wombat@pipeline.com (Steven J Wilson)
Subject: 100% Virus Protection (PC)

I work for a company with over 1,000 users where we use diskettes quite frequently. Since installing Disknet (virus protection brand name) last January, we have had no incidents of viral infection on ANY of our machines. As an additional benefit to Software Administrators (like me), you can prevent people from loading software on their machines without your knowledge or authorization. This feature keeps the number of help calls down.

If you'd like more details or a full report on why it's so effective, e-mail me at wombat@pipeline.com

--
wombat@pipeline.com

------------------------------

End of VIRUS-L Digest [Volume 8 Issue 51]
*****************************************
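The BIOS_AV reply above says that BIOS boot-sector protection works by hooking INT 13h and refusing write requests aimed at the MBR's sector. The following is an added example that models that decision in C; it is not from the digest and not any BIOS vendor's code. The register layout is the standard CHS INT 13h convention; the function names and the sample requests are constructed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Decode the 10-bit cylinder number INT 13h packs into CH (low 8 bits)
 * and the top two bits of CL. */
static unsigned cylinder_of(uint8_t ch, uint8_t cl) {
    return ch | ((unsigned)(cl & 0xC0) << 2);
}

/* Decide whether a CHS INT 13h request must be refused because it would
 * alter the master boot record. Arguments are the request registers:
 *   ah      function (02h read, 03h write, 05h format track, ...)
 *   al      sector count
 *   ch, cl  cylinder / sector (sector is in the low 6 bits of CL)
 *   dh      head
 *   dl      drive (00h-7Fh floppy, 80h and up hard disk)
 * Returns 1 to block, 0 to pass the request to the original handler. */
int bios_av_blocks(uint8_t ah, uint8_t al, uint8_t ch, uint8_t cl,
                   uint8_t dh, uint8_t dl) {
    if (dl < 0x80)                       /* the feature guards hard disks only */
        return 0;
    if (ah != 0x03 && ah != 0x05)        /* reads and queries never modify */
        return 0;
    if (cylinder_of(ch, cl) != 0 || dh != 0)
        return 0;                        /* the MBR is at cylinder 0, head 0 */
    if (ah == 0x05)                      /* formatting that track wipes the MBR */
        return 1;
    /* A write covers the MBR only if it starts at sector 1 of that track;
     * a write starting at sector 2 or later leaves the MBR untouched. */
    return (cl & 0x3F) == 1 && al >= 1;
}

int main(void) {
    /* Constructed requests: a 1-sector write to C0/H0/S1 of the first hard
     * disk, and the same write aimed at floppy drive A:. */
    printf("MBR write blocked:         %d\n", bios_av_blocks(0x03, 1, 0, 1, 0, 0x80));
    printf("floppy boot write blocked: %d\n", bios_av_blocks(0x03, 1, 0, 1, 0, 0x00));
    return 0;
}
```

A real BIOS usually prompts the user instead of silently refusing, and the reply notes that what other brands (e.g. ChipAwayVirus) check beyond this is not known.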
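The reply on copying a boot sector warns that writing DRIVE_A.BOO over another floppy can make that disk inaccessible to DOS, especially a 1.44 Mb one, because the BPB inside the sector describes the geometry of the disk it was saved from. This added example (not from the digest; names, the geometry table and the sample sector are constructed here) reads the BPB fields of a 512-byte image and refuses it unless they match the target drive, a check worth running before anything like "debug < writeboo.scr".

```c
#include <stdint.h>
#include <string.h>

/* Geometry of a target diskette, used to validate an image. */
struct floppy_geom { uint16_t total_sectors, sectors_per_track, heads; uint8_t media; };

static const struct floppy_geom GEOM_1440 = {2880, 18, 2, 0xF0}; /* 1.44 Mb 3.5" */
static const struct floppy_geom GEOM_1200 = {2400, 15, 2, 0xF9}; /* 1.2 Mb 5.25" */

static unsigned le16(const uint8_t *p) { return p[0] | (p[1] << 8); }

/* Returns NULL if the 512-byte image may be written to a disk with geometry
 * g, otherwise a short reason. Offsets are those of the DOS BPB. */
const char *boot_sector_check(const uint8_t img[512], const struct floppy_geom *g) {
    if (img[0] != 0xEB && img[0] != 0xE9)
        return "no jump instruction at offset 0";
    if (img[510] != 0x55 || img[511] != 0xAA)
        return "missing 55AA boot signature";
    if (le16(img + 11) != 512)
        return "bytes per sector is not 512";
    if (img[16] == 0 || le16(img + 17) == 0)
        return "zero FAT count or root directory entries";
    if (le16(img + 19) != g->total_sectors)
        return "total sector count does not match target disk";
    if (le16(img + 24) != g->sectors_per_track || le16(img + 26) != g->heads)
        return "sectors/track or heads do not match target disk";
    if (img[21] != g->media)
        return "media descriptor does not match target disk";
    return NULL;
}

/* Build a constructed FAT12 boot sector image describing geometry g. */
void make_boot_sector(uint8_t img[512], const struct floppy_geom *g) {
    memset(img, 0, 512);
    img[0] = 0xEB; img[1] = 0x3C; img[2] = 0x90;          /* jmp short; nop */
    memcpy(img + 3, "MSDOS5.0", 8);                        /* OEM name */
    img[11] = 0x00; img[12] = 0x02;                        /* 512 bytes/sector */
    img[13] = 1; img[14] = 1; img[16] = 2;                 /* 1 sector/cluster, 1 reserved, 2 FATs */
    img[17] = 224;                                         /* 224 root entries */
    img[19] = g->total_sectors & 0xFF; img[20] = g->total_sectors >> 8;
    img[21] = g->media;
    img[22] = 9;                                           /* sectors per FAT (not checked) */
    img[24] = g->sectors_per_track; img[26] = g->heads;
    img[510] = 0x55; img[511] = 0xAA;
}

/* 1 if a sector saved from a "made" disk is accepted for a "target" disk. */
int image_fits(const struct floppy_geom *made, const struct floppy_geom *target) {
    uint8_t img[512];
    make_boot_sector(img, made);
    return boot_sector_check(img, target) == NULL;
}
```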