VIRUS-L Digest Friday, 12 May 1995 Volume 8 : Issue 53 Today's Topics: ** Careful! ** Big Caibua has two stage payload - (PC) "Alive" mailing list by Celustka Re: Viruses in binaries? Maybe. Re: Virus and floppies (PC) Re: Million Dollar Virus (PC) ** READ Write scancode in assemler (PC) RE: Win95 and Current Antiviruses (PC) Re: RE: Pathogen/Queeg (PC) AntiExe virus with circular infection (PC) Re: Big Caibua virus alert on net - (PC) Re: Form Virus (PC) Virus Profile (PC) 100% Virus Protection (PC) Re: Anyone heard of this virus??? (PC) Re: Shareware - registered vs. not registered (PC) Re: Hey,got any info for a Newbie? (PC) 1014 virus (PC) Re: Scanners getting slower (benchmarks) (PC) Re: Shareware - registered vs. not registered (PC) Re: Pepper virus (PC) New virus? (PC) Chip-away virus (PC) Warning Vshield 2.2.221 Doesn't work (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 12 May 95 04:20:16 -0400 From: netz@actcom.co.il (Zvi Netiv) Subject: ** Careful! ** Big Caibua has two stage payload - (PC) XCAIBUA.EXE is a virus scanner dedicated to spot and neutralize programs infected with the Big Caibua (aka Butthead) virus. Caibua is dangerous because of its TWO STAGES PAYLOAD. It activates a simple payload first, that consists of a phallic animation on screen. The first payload is a diversion to distract the user from the second payload which is more harmful. It will format track 0 of drive C:, delete the first file in the directory, create junk directories and trash data at random. On the execution of an infected file, two more COM files will be infected. Each consecutive infected file will be one byte longer than the former infected one. An internal counter is advanced with each generation of infection. When the counter reaches the value of 2296, the second (andf destructive) payload is activated. The initial value of the counter was set at about 2260, yet the copy of the virus we got showed already 2277. The animation was devised to encourage users demonstrate the virus to friends, and unknowingly progress the counter until it will eventually go off. Twenty generations for a virus is very little, and it's quite likely that users will get really affected by Caibua, shortly. To scan for the virus just run XCAIBUA.EXE on the suspected drive. To rename the infected files to a non-executable extension (*.IVC), add the /R switch to the command line. All DOS legal pathnames are acceptable such as \, C:\, C:\*.COM etc. The /R switch can be put before or after the pathname to search. XCAIBUA is hereby donated to the public domain. The author, and NetZ Computing assume no responsibility of any sort for the program, nor for its performance, nor for any consequences from its use. XCAIBUA is derived from InVircible's technology. XCAIBUA and the new version 6.02 of InVircible, with the "Sofia" problem fixed, are available from the sites below. Safe computing, Zvi Netiv - ------------------------------------------------------------------------- Zvi Netiv, author InVircible NetZ Computing Ltd, Israel Fax +972 3 532 5325 email: netz@actcom.co.il netz@InVircible.com CompuServe 'GO InVircible' Author's: ftp.datasrv.co.il/pub/usr/netz/ Anonymous ftp: InVircible.com - ------------------------------------------------------------------------- ------------------------------ Date: Thu, 11 May 95 14:36:24 -0400 From: "Rob Slade, Social Convener to the Net" Subject: "Alive" mailing list by Celustka MLALIVE.RVW 950508 "Alive 0, Alive 1", Suzana Stojakovic-Celustka, 1994 %A Suzana Stojakovic-Celustka celustka@sun.felk.cvut.cz %B Alive Ejournal %C Prague/Zagreb %D March 1994, July 1994 %E Suzana Stojakovic-Celustka celustka@sun.felk.cvut.cz %P Alive 0, 25K Alive 1, 100K %S Alive %T Alive 0, Alive 1 Suzana Celustka is part of the international virus research community. She became active in research while attending university in Prague, but comes originally from Croatia and is currently resident in Zagreb. In 1993 she attempted to spur development of a proper definition of a viral program (which still eludes researchers and writers) by promoting a virus definition contest. (She did put a bit of life into the proceedings by calling for definitions not only in text and mathematical forms, but also jokes and poetry.) The lack of success in this area will be familiar to workers in the field of artificial life, who have had similar difficulties in delineating life. As it happens, this is another area of Ms. Celustka's interests, and in 1994 she started "Alive" magazine, distributed electronically, in order to examine the relation between computer viral programs and artificial life. Two editions of the magazine have been published so far, with a third now in process. (The move back to Croatia and a period of ill health contributed to the delay.) "Alive 0" is stated to be the zeroth, or beta, edition, and explains the background of the project. It also contains the results of the first contest the definition of a computer virus in the technical categories. There are also articles on the "lifelike" characteristics of code for LAN token regeneration and on Cohen's theorem of the "undecidability" of viral detection. In "Alive 1", Ms. Celustka contributes two articles herself, one on the nature and limitations of language (in regard to the problem of technical definition), and another on the "Great Debate" about the benefits versus dangers of viral programs. In addition to the feature and invited articles, each edition includes an interview with at least one (and usually more) researcher prominent in the field. The participants in "The Great Debate", for example, were Fred Cohen (cf BKSHRTVR.RVW and BKITSALV.RVW), Mark Ludwig (cf BKLUDWIG.RVW) and Vesselin Bontchev. The questions asked are incisive and insightful. Alive is available in a number of ways. Subscriptions requests should be sent to mxserver@ubik.demon.co.uk. Back issues are available from ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/alive, ftp://ftp.demon.co.uk/pub/antivirus/journal/alive, ftp://ftp.elte.hu/pub/virnews, ftp://ftp.u.washington.edu/public/Alive, gopher://saturn.felk.cvut.cz, and gopher://ursus.bke.hu. Send your contributions and comments to celustka@sun.felk.cvut.cz. Alive represents very real explorations in both virus and artificial life research. The opinions and thought presented are sometimes radical departures from mainstream discussion. With careful moderation and editing, however, there is no chance of the "high noise/low signal" traffic one usually sees in many more well known fora. Alive is highly recommended for any interested in viral or artificial life studies. copyright Robert M. Slade, 1995 MLALIVE.RVW 950508 Postscriptum: As this review was being written, anti-personnel rounds were falling on Zagreb. Although the situation seems to have eased, momentarily, Croatia still does not seem to be a preferred situation for raising a family. Although Ms. Celustka does not know I am adding this message, I have reason to believe that she would appreciate any assistance with employment or immigration which those in safer parts of the world could give her. ============= Vancouver ROBERTS@decus.ca | "The only thing necessary Institute for Robert_Slade@sfu.ca | for the triumph of evil Research into Rob_Slade@mindlink.bc.ca | is for good men to do User slade@freenet.victoria.bc.ca | nothing." Security Canada V7K 2G6 | - Edmund Burke ------------------------------ Date: Thu, 11 May 95 16:22:03 -0400 From: tom_van_vleck@taligent.com (Tom Van Vleck) Subject: Re: Viruses in binaries? Maybe. Kenneth Albanowski wrote: >Ah, but what if the viewer has a bug? Yes. If the viewer code, whether a word processor or a JEPG viewer, doesn't check every possible value, e.g. uses strcpy instead of strncpy somewhere, there is a vulnerability. >... So, yes, it _might_ be possible to create an image that would >cause a viewer to do something unusal, possibly including starting up a >virus, but this would be incredibly difficult, and almost certainly will >never be done. It has been done *twice* now; once by the internet worm, attacking fingerd, and once this year, attacking httpd, subject of recent CERT advisiories. In each case, platform and viewer (interpreter) specific. [Moderator's note: Please tell us what _viewer_ was affected by the Internet worm?] Saying almost-certainly-will-never-be-done about something that's been done twice seems odd, to me. ------------------------------ Date: Thu, 11 May 95 11:49:15 -0400 From: garcia@assist.mil (GF-USER ACCOUNT) Subject: Re: Virus and floppies (PC) Israel Kay (100112.2001@compuserve.com) wrote: : Patrick T. Hurley (phurley@umd.umich.edu) writes: : When copying files for distribution it is : always wise to use the verify option. I've never trusted the verify option. When copying for distribution I use a batch file that uses the old "comp" program from DOS 5 and before: copy %1 a: comp %1 a: Comp will accept wildcards, unlike the later FC, so it is far more useful. - -- Steve Garcia garcia@bakersfield.geoquest.slb.com ------------------------------ Date: Thu, 11 May 95 13:06:45 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Million Dollar Virus (PC) JimBogart@aol.com writes: >An antii-virus program -InnocLan - has identified "The Million Dollar Virus" >running on one IBM PC on the network. It cannot clean the virus. The >sys.admin is not familiar with this virus. It has not spread to any other >workstations. No apparent damage has been done to the one infected PC. >Can we use F-Prot to clean this virus? A very difficult question, considering that I do not know which virus this is. This is not a CARO standard name, and I have no idea what virus this is. - -frisk Fridrik Skulason Frisk Software International phone: +354-5-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-5-617274 ------------------------------ Date: Thu, 11 May 95 13:20:29 -0400 From: Benjamin Steiner <100552.1430@CompuServe.COM> Subject: ** READ Write scancode in assemler (PC) Hi there, I need to write a simple char when i have only the scancode. Ideas ? I had a idea, but i need a last info : simulate a key pressing ? (which port do i have to write to?->i know that to read, you have to say "in al,60h", but to write ? "out 60h,al" ???) Thanks for any response (please email) BCS : 100552.1430@compuserve.com - -- BCS : 100552.1430@compuserve.com ------------------------------ Date: Thu, 11 May 95 14:44:42 -0400 From: richardb@intecolor.com Subject: RE: Win95 and Current Antiviruses (PC) >I'm using Win95 Preview, and was wondering what effects this >would have on my current antiviral programs. I use Virstop, which >seems to be pretty much uneffected , but I was more concerned about >TBAV since it keeps a closer watch on my HD. What problems might >occur, and how can I prevent them? Are there any antiviruses that are >specifically designed for Win95? Interestingly, the ONLY A-V software available on the Microsoft Network (MSN) is F-Prot V2.17 (my personal choice as well). I have been using Frisk under win95 since Beta 1 (currently build 462) and have never had the slightest problem. The only (theoretical) problem occurs with long filenames. Win95 keeps a long and short filename for every file, and if a file is edited (read: cleaned) then the long filename would get lost. In practice, this has not happened. I have deleted (not cleaned) files that were changed and then restored from a backup, and everything is fine. I think that the possibility exists for an MBR relocator to trash a file (this risk exists under oldwin/dos also) and then a critical file would be worthless, again with the possible loss of the long filename. I do not believe that this increases the risk. Since my last post concerning win95, I have intentionally released stealth_boot_c and antiEXE (not concurrently) with no surprises. I am going to also try Monkey, but I wanted to get some work done this week. Anyone with additional information, please fill in. - --------------------------------------------------------------- o o >`))))>< Ein seliger Sprung in die Ewigkeit richardb@intecolor.com Richard_Bodor@msn.com - --------------------------------------------------------------- ------------------------------ Date: Thu, 11 May 95 15:05:27 -0400 From: martijn@wirehub.nl (Talkie Toaster) Subject: Re: Pathogen/Queeg (PC) swidlake@rl.ac.uk (S Widlake) writes: >>From: gcluley@sands.co.uk >[Much Snip'd] >>Well, assuming it's not a false alarm - here's the info. >>Pathogen and Queeg are actually two separate viruses, both written using >>SMEG (Simulated Metamorphic Encryption Generator) by The Black Baron. >> ... Pathogen displays the message: >> Your hard-disk is being corrupted, courtesy of PATHOGEN! >> Programmed in the U.K. (Yes, NOT Bulgaria!) [C] the Black Baron 1993-4. > ^^^^^^^^^^^^^^^^^^^^^^ >NOTE - writing and releasing viruses in the .UK is a very BAD idea !!! >> Featuring SMEG v0.1: Simulated Metamorphic Encryption Generator! >> 'Smoke me a kipper, I'll be back for breakfast.....' >> Unfortunately some of your data won't!!!!! >>Dr Solomon's Anti-Virus Toolkit can detect and repair this virus. I >>believe F-Prot can do the same. >I believe I'm right in thinking that the "Black Baron" was caught and >was prosecuted under the Computer Misuse Act (was it?). Does anyone >have any further details on what his punishment was and was he really >sorry about writing these viruses ;-( Eeeh, the way I understand it it is very hard to catch a virus writer, not because of inadequate laws, but because of the technical problems of the investigation. How do you trace something back to its source that is designed to copy itself everwhere. The only time they catch a virus programmer is when he starts bragging about his viruses in a pub or on a bbs. Martijn _ _ _ mart __________ "Oh, wow, Technofear! It's / / \_/ /_\ ijn@ /\_-_-_-_-_\ happening again! All the \_ / / \ _ hack _/ / ___ \__ machinery's ganging up on / tic. \// /___\ \/ me!" NEIL - The Young Ones T A L K I E nl \/______________\ +-+-+-+-+-+-+-+-+-+-+-+-+- ------------------------------ Date: Thu, 11 May 95 16:32:31 -0400 From: cshuman@ix.netcom.com (Charles Shuman) Subject: AntiExe virus with circular infection (PC) We have a disk that is infected with the antiexe virus. The only virus removal program that will remove this is F-Prot Ver 16+ we are using ver 17 and still no luck. (information from vsum latest version) F-prot reports a circular virus( the original boot sector is replaced and moved to a new location but the original boot is also infected) The bottom line is f-prot will not remove it. The bad news for us is that the file on this floppy has no back up(Dont flame me, it is a secretary for this hospitals director) I have had the most experience with eliminating viri but this has me stumped. Any ideas? ------------------------------ Date: Thu, 11 May 95 18:20:44 -0400 From: Julia Nathan Subject: Re: Big Caibua virus alert on net - (PC) O.K. a number of people have asked me and I give up, what does the word CAIBUA mean or stand for? On 11 May 1995, Zvi Netiv wrote: > ================================================================ > Big Caibua Virus, Information Sheet: From NetZ Computing, Israel > ================================================================ ------------------------------ Date: Thu, 11 May 95 19:07:41 -0400 From: pitway@cix.compulink.co.uk ("Tim Hetherington") Subject: Re: Form Virus (PC) > JLINDER@ccmail.turner.com (Jack Linder) wrote: > >I go hit with the Form virus. More specifically, Intel's VSAND > reports it >found virus 'Form' in the boot sector. > > > >I think I have it cleaned out, and am scanning all disks/floppies, > etc, but I >have a question. > > > >What does this virus do, how sure should I be that I got it out? > (Scanners >show it to be cleaned out). > > If you ever start up windows after get infected, you windows might be > lock up at the start up time even after you clean it out. The only way > around is to copy about four files under windows directory from a clean > source. Yep! windows does mess about after striping out form virus. In my case it is stopping the 32 bit access to the hard drive but still allows me to continue in 16 bit. I haven't had time to sit down and sort it out yet but I guess a windows re-install will sort it with the least fuss. Tim... ------------------------------ Date: Thu, 11 May 95 20:20:20 -0400 From: captkos@wis.com (Kevin D. Butcher) Subject: Virus Profile (PC) Can somebody email me the profile for the DIE_HARD and Yankee_doodle Clone virus(s).. Thank you. ------------------------------ Date: Thu, 11 May 95 21:01:43 -0400 From: wombat@pipeline.com (Steven J Wilson) Subject: 100% Virus Protection (PC) I work for a company with over 1,000 users where we use diskettes quite frequently. Since installing Disknet (virus protection brand name) last January, we have had no incidences of viral infection on ANY of our machines. As an additional benefit to Software Adminstrators (like me), you can prevent people from loading software on their machines without your knowledge or authorization. This feature keeps the amount of help calls down. If you'd like more details or a full report on why it's so effective, e-mail me at wombat@pipeline.com - -- wombat@pipeline.com NYC ------------------------------ Date: Thu, 11 May 95 22:28:13 -0400 From: "Lic. Jose Anaya P." Subject: Re: Anyone heard of this virus??? (PC) ICCULUS@frost.oit.umass.edu (Neal S Kaiser) wrote: > Quote Begins When I print through DOS on my HP everything works fine. BUT, when I print through windows, the true type fonts print little marks all over the paper. They kindaa resemble bar codes. The regular (not true type, forgot the name) fonts print fine. Is this a virus?? If anyone has experienced this or can help me out, please email me directly at "icculus@student.umass.edu" > Quote Ends Here at my office I experienced the same problem, it turned to be a particularly hard one to solve. The source was an upgrade to the UNIDRV.DLL printer driver which was some buggy. We turned back to the older UNIDRV.DLL (the one which came with Windows 3.1) and the nightmare is going forever. BTW, the new driver came with Lantastic 6.0 Regards, Jose ------------------------------ Date: Thu, 11 May 95 22:58:34 -0400 From: "Lic. Jose Anaya P." Subject: Re: Shareware - registered vs. not registered (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote: > Quote Begins I am sorry, but you are wrong. First, the Professional version uses exactly the same scanning engine as the freeware version, so it is exactly the same as a scanner. Its advantages are in having some additional features - like an integrity checker, being updated twice more often, having a Windows version, with scheduler, a resident scanner that really works under Windows, and so on. > Quote Ends No, I'm not wrong and your statement confirms this. I said both both products are not the same, I didn't say their engines are different, but the products as a package. There's no Windows module in the shareware edition. > Quote Begins Second, the shareware version *is* free for individual use - please read carefully the accompanying documentation. It has to be paid ($1 per machine per year) only if used in a corporate environment ($0.75 if used in an educational environment). > Quote Ends I agree on this one, however, it should be pointed out that there are at least two "F-PROT Professional" packages from different publishers (Command Software Systems and Data Fellows). The shareware edition clearly states you should contact these companies for a corporate environment license. Regards, Jose ------------------------------ Date: Thu, 11 May 95 23:05:17 -0400 From: spynx@jobes.sierra.net (Jack Durst) Subject: Re: Hey,got any info for a Newbie? (PC) : 1)Can viruses be written in any programming language or are they : restricted to assembly and/or machine language? Yes, a virus can be written in any language that can be compiled into machene code. Writing in a higer level language also allows for making a virus which can attack different kinds of machenes. : 2)If they can be written in a high-level language,which ones are the : most efficient? It all depends on what machene you are compileing for. I personally have had the best luck on the most machenes with Turbo C++, It compiles well for Windows, Mac, OS2, the more modern versions of UNIX, and Amega. Borland makes the best compilers. Unfortunately, if you want to affect computers running on older DOS and UNIX systems you will need to do more work to make sure it compiles properly. ------------------------------ Date: Thu, 11 May 95 23:05:14 -0400 From: "Jamon E. Bailey" Subject: 1014 virus (PC) I was running Mcafee scan not too long ago and it reported the 1014 virus in memory but not on the hard disk. I suspect it was a false alarm, but when I called Mcafee technical support they said they had no information about what the virus does. If anybody has any info I'd appreciate it. Jamon Bailey ------------------------------ Date: Fri, 12 May 95 04:29:19 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Scanners getting slower (benchmarks) (PC) >about twice as long to scan a hard disk than it took a year ago. Twofol= >d=20 >increase in number of known viruses has also doubled time required for=20 >scanning.=20 Eh, well, the speed decrease is not directly caused by the doubling of known viruses, but rather by the appearance of a few really difficult viruses, which require significant time to scan for. Adding several thousand simple viruses should not seriously affect the speed of any decent sanner - adding a few really difficult ones might do so. However, there are ways around this...expect to see the performance of some of the scanners improve in the near future. >Number of viruses known to each program: > 1994 1995 >F-PROT 1063 1584 (families) uh...this is extremely misleading. Why on earth do you give the number of families for F-PROT, and the number of variants for the other two ? (for your information - today, F-PROT (version 2.17e) knows 6132 different viruses, belonging to 1680 families). >McAfee Scan 2738 5059 >Solomon Findviru 3687 6006 - -frisk Fridrik Skulason Frisk Software International phone: +354-5-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-5-617274 ------------------------------ Date: Fri, 12 May 95 08:30:25 +0000 From: andsaar@utu.fi (Andreas Saarvuo) Subject: Re: Shareware - registered vs. not registered (PC) Lic. Jose Anaya P. (joanaya@academ01.mty.itesm.mx) wrote: : at your will unless you pay their price. F-PROT, on the other : hand comes in two flavors: shareware and Professional, the : latest being quite different from the shareware distributed : counterpart, but also, in any case, none is for free, only the : chance to test the product for a limited time is free. F-PROT is free for private use. Companies etc have to get the professional version (which includes mailed updates too). - -- -------------------------------------------------------- S.Andreas Saarvuo +358-21-2133 8807 (Work) P.O.Box 790 2501 430 (Home) SF-20101 Turku/Finland 2518 994 (Fax) Sage-Soft Oy (Ltd) -- SAS-(M)BBS 2518 835 (BBS) -------------------------------------------------------- ------------------------------ Date: Fri, 12 May 95 04:40:16 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Pepper virus (PC) josephk@pacifier.com (Joseph Keto) writes: >Does anyone have any information on the Pepper virus or a virus named >yom.com (128 bytes long and supposedly a modification of the Pepper >virus) What do these viruses do? I have looked for information on them in >f-prot but none is available. Well, we have not bothered to update the old virus infoamation database, as we are in the process of completely replacing it. Currently this virus (Pepper, received in the file YOM.COM) is described as follows: This is a 529 byte non-resident virus which appends itself to .COM files. It contains the text "[pepper] yesterday once more". This virus can be disinfected. A brief examination reveals that it also includes the text "*.COM" (encrypted, in order to hide it from heuristic scanners), and that it may change the current daye...set it back one da, seems to be fairly harmless otherwise.. - -frisk Fridrik Skulason Frisk Software International phone: +354-5-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-5-617274 ------------------------------ Date: Fri, 12 May 95 05:03:00 -0400 From: mswan@herbie.unl.edu (MICHAEL SWAN) Subject: New virus? (PC) What am I up against??????????????????????????????????????????????? I recently recovered (I think) from the Stealth.B virus, by formatting my HD (which hurt), and scanning and cleaning all of my floppies. All was fine for a while, then I began to get some wierd stuff. Only on certain disks (ones that WERE NOT hit by Stealth.B) will it occur. When you put then in the A drive, and access the drive, it takes a bit longer than normal to read, and then when you type DIR, it replaces EACH file name with the disk label, and says each file is 0 bytes, for a total of 0 bytes, with 0 bytes free on the disk. Type DIR for a second time, everything returns to normal. But then for example, if you type in an invalid command, the drive will then act as if you just accessed the drive, and if you type DIR once again, the goofy styff mentioned above occurrs. I have NAV 3.0 and have the current virus definitions update, and when I scan either the hard drive or the floppies that it screws up on, it comes up with absolutely nothing! I also tried FDISK /MBR and nothing changed. Originally I figured it was my dos. Reinstalled, and it still was there. Hardware configuration problem....Naah! Since I have nailed it to a specific pattern, I figure that it has to be a new one. I have made a sample disk to be sent to Norton where they will analyze it, but in the meantime I was hoping to get insight from someone here. So if anyone has any insight or ideas, please post here, or e-mail me at: mswan@herbie.unl.edu Thanks! ------------------------------ Date: Fri, 12 May 95 05:42:07 -0400 From: J.Berg@sheffield.ac.uk Subject: Chip-away virus (PC) Has anyone heard of a virus called chip-away? No virus detector I've tried has even detected it. Does it have a more common name? And how do I get rid of it? Help please. >From J.Berg. (J.Berg@Sheffield.ac.uk) ------------------------------ Date: Fri, 12 May 95 05:55:42 -0400 From: gkuijper@inter.nl.net (Gerrold Kuijpers) Subject: Warning Vshield 2.2.221 Doesn't work (PC) I have been testing the latest version of McAfees Vshield (2.2.0 with 2.2.221 data file). Sofar every virus I tested , Vshield did NOT work. [Moderator's note: Could you please post your test procedures so that others can validate this claim?] It should prevent an infected program from starting up. Well it doesn't! It doesn't give a warning and the virus is free to do harm!! An earlier version of McAfee (2.1.5 with datafile 2.1.216) works better. Sofar the Scan program is able to detect the virussus I tested with. Please report simular experiences to me. Gerrold ------------------------------ End of VIRUS-L Digest [Volume 8 Issue 53] *****************************************