VIRUS-L Digest   Wednesday, 20 Mar 1996   Volume 9 : Issue 37

Today's Topics:

Command Software solicits votes for Infosecurity News award.
Can two hard drives help keep viruses controlled?
CyberSoft web page
Macro virus FAQ
F-PROT 2.22 is out
fp-222.zip Virus Protection system by Fridrik Skulason
Re: What I need in an enterprise-wide scanner
Re: Virus Damage Statistics
Re: Hard drive hardware write protection
Enterprise Security Workshop Extended deadline
Good Mac Virus Software (MAC)
Re: Macintosh Ram Virus?? (MAC)
Disk problem--virus? (MAC)
Re: Effects of Word.Concept Virus? (MAC,WIN)
Re: WinWord.Nuclear (MAC,WIN)
Win95 and TBAV (WIN95)
Re: McAfee 2.0 for Win95 "feature" (WIN95)
New Scanner finds/removes UNKNOWN Winword macro viruses (WIN)
Re: Nov 17th virus (PC)
CONCEPT/Word Perfect macro: really no cure? (PC)
Havoc ][ and Virus List (PC)
Microsoft Anti-virus memory problems (PC)
Info on Smiley Boot? (PC)
Re: Cpw Virus (PC)
Re: AntiExe- What are the sysptoms? (PC)
Re: NYB Virus (PC)
Disk drivers with boot sector protection (PC)
Re: Michelangelo recovery methods (PC)
Re: Modem snag: Virus or NAV? (PC)
New virus?!? or Disk drive problem (PC)
MSAV says files changed (PC)
Re: Directory problem (PC)
Possible new virus??? (PC)
Re: Virus in Memory--sometimes (PC)
Re: Viruses that damages hardware (PC)
Re: FORM_D boot sector virus (PC)
Novice with a virus? (PC)
Re: Directory problem (PC)
HELP! Floppy disks messed up! (PC)
Re: Ripper and NYB (PC)
Form Virus On A Lan (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available at
ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file
called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be
sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 08 Mar 1996 10:54:00 -0800
From: 'Mike' M Ramey
Subject: Command Software solicits votes for Infosecurity News award.
X-Digest: Volume 9 : Issue 37

I just got an unsigned fax from "Command Software Systems" which says:

"Dear Valued Customer:

"F-PROT Professional has been chosen as a finalist in the 'Best
Anti-Virus Product' category of the Infosecurity News Readers Trust
Awards. ...

"Winning this award requires an additional type of recognition - a
vote from you, our valued customer. Please show your support by
completing the ballot attached. It's up to you to select F-PROT
Professional as the 'Best Anti-Virus Product.'

"The magazine is offering an incentive. When you vote in the
Infosecurity News Readers Trust Awards, you become eligible to win
many prizes. See the attached materials for details."

"... Please fill out the attached ballot and fax it to Infosecurity
News by April 26th. Their fax number is ... "

I resent being solicited by a manufacturer to vote for their product
in a magazine popularity contest. I have some experience with
anti-virus products and report problems I encounter to the product
vendor and sometimes to the comp.virus and alt.comp.virus newsgroups.
I do *not* consider myself a virus expert, capable of performing
thorough, meaningful tests on anti-virus products.
I would not trust this "Award" to guide me in the selection of an
anti-virus product. I have been a licensed user of F-PROT shareware
for several years; I have tried an evaluation copy of F-PROT
professional, and I am also considering Dr. Solomon's Anti-Virus
Toolkit for multiple platforms including Macintosh.

-mr

------------------------------

Date: Fri, 08 Mar 1996 16:56:01 -0800
From: WhiteD
Subject: Can two hard drives help keep viruses controlled?
X-Digest: Volume 9 : Issue 37

If you have two hard drives and one hard drive has the virus will the
other get contaminated???

-WhiteD

------------------------------

Date: Fri, 08 Mar 1996 18:17:24 -0500 (EST)
From: Pete Radatti
Subject: CyberSoft web page
X-Digest: Volume 9 : Issue 37

Our web page (www.cyber.com) should now be available. It doesn't say
much of anything yet but stay tuned. We plan to have white papers,
tools, updates and anything else that may be useful available.

Pete Radatti
radatti@cyber.com

------------------------------

Date: Sat, 09 Mar 1996 22:44:45 +0000 (GMT)
From: Edward Fenton
Subject: Macro virus FAQ
X-Digest: Volume 9 : Issue 37

Version 2.0 of Richard Martin's FAQ on MS WORD 6.x MACRO VIRUSES,
written for the alt.comp.virus newsgroup, is available for anonymous
FTP at the ChekMate FTP site.

ftp.gate.net/pub/users/ris1/word.faq

+---------------------+------------------------+----------------------+
| Ed Fenton | U.S./Canadian agent for ChekMate | ris@transit.nyser.net|
+---------------------+------------------------+----------------------+
| ChekMate - a Generic Anti-Virus Utility that works under DOS, OS/2  |
| and Windows (3.x, 95 and NT). Detects Known and UNKNOWN Viruses.    |
| Support (UK) chekmate@salig.demon.co.uk (US) ris@transit.nyser.net  |
+---------------------------------------------------------------------+
Download it from our FTP site: ftp.gate.net/pub/users/ris1/cm200.zip

------------------------------

Date: Thu, 14 Mar 1996 12:56:18 +0000
From: Fridrik Skulason
Subject: F-PROT 2.22 is out
X-Digest: Volume 9 : Issue 37

F-PROT 2.22 is now out.

Changes since 2.21 include:

    Better handling of boot sectors with multiple infections.
    Continuing renaming of viruses
    The VIRSTOP program has been rewritten
    Detection (and in most cases disinfection) of around 400 new viruses.

You can download this version from

    ftp://garbo.uwasa.fi/pc/virus/fp-222.zip

The program has also been uploaded to Keith Petersen for distribution
on SimTel, but does not seem to be available for download yet.

-frisk

- -
Fridrik Skulason    Frisk Software International    phone: +354-5-617273
Author of F-PROT    E-mail: frisk@complex.is        fax:   +354-5-617274

------------------------------

Date: Fri, 15 Mar 1996 11:54:30 +0000 (GMT)
From: ajh@UWasa.Fi (Ari Hovila)
Subject: fp-222.zip Virus Protection system by Fridrik Skulason
X-Digest: Volume 9 : Issue 37

Thank you for your contribution.
This upload is now available as

649065 Mar 14 14:14 ftp://garbo.uwasa.fi/pc/virus/fp-222.zip

: Date: Thu, 14 Mar 1996 12:19:10 +0000 (GMT)
: From: frisk@complex.is (Fridrik Skulason)
: To: pc-up@uwasa.fi
: Subject: fp-222.zip F-PROT anti-virus 2.22 uploaded
:
:
: File name: fp-222.zip
: One line description: Version 2.22 of the F-PROT anti-virus package
: Replaces: fp-221.zip
: Suggested Garbo directory:
: Uploader name & email: Fridrik Skulason (frisk@complex.is)
: Author or company: Frisk Software
: Email address: f-prot@sales.is, sales@complex.is, support@complex.is
: Surface address: Postholf 7180, IS-127 Reykjavik, Iceland
: Special requirements: No
: Shareware payment required from private users: No
: Shareware payment required from corporates: Yes
: Distribution limitations: May not be distributed together with viruses
: Demo: No
: Nagware: No (well, I don't think so)
: Self-documenting: Mostly
: External documentation included: Yes, some .DOC files.
: Source included: No
: Size: 611K
: 10 lines description:
:
: The DOS shareware version of the program includes a virus scanner, with
: disinfection capabilities as well as a memory-resident virus "blocker".
:
: While it does not include the Windows interface, the integrity checker, or
: some of the other features of the "Pro" version, it is a fully functioning
: program, able to handle the vast majority of viruses known today.

.................................................................
Ari Hovila, ajh@uwasa.fi  http://www.uwasa.fi/~ajh/
Moderating garbo.uwasa.fi  http://garbo.uwasa.fi/  FTP archives
Computer Centre, University of Vaasa, Box 700, FIN-65101 Finland

------------------------------

Date: Thu, 07 Mar 1996 19:35:45 -0800
From: Glen D Moffitt
Subject: Re: What I need in an enterprise-wide scanner
X-Digest: Volume 9 : Issue 37

Jim Richardson wrote:

> I have been trying for some time to find a viable enterprise virus
> protection solution. My network consists of Windows NT servers, with Mac
> and Win 95 clients. Important issues to me are:

[snip]

> So far I've looked at Intel VirusProtect, Cheyenne Inoculan, McAfee
> VirusScan, and Symantec's products. I'm trying to get Dr. Solomon, and
> F-Prot.
>
> Has anyone found a solution that answers these issues?

You might start with a comparative review in PCWEEK, 9/18/95, in the
NetWeek section. There are also others, look at some of the major
antivirus web sites, they usually have either reviews posted or have
links to sites with reviews.

Just in my humble opinion, of course the servers are paramount in
being protected, both because of their critical relation to business
operations as well as the data they hold. However, (someone correct me
if I'm wrong), my reading of antivirus literature is that by far the
main entry point of viruses to networks is through the workstations
(assuming prudent physical control of the server area). So having a
strong defense there is very important. I see the server file scan and
real-time scan as 2nd and 3rd lines of defense.

Glen

------------------------------

Date: Mon, 11 Mar 1996 14:25:24 +0000 (GMT)
From: David Harley
Subject: Re: Virus Damage Statistics
X-Digest: Volume 9 : Issue 37

Jeff Beaubien (AnarchyX@charger.newhaven.edu) wrote:

: I am interested in obtaining statistical information regarding PC
: virus damage. Examples include: how many viruses are there? what is the
: estimated amount of financial cost incurred by computer viruses? etc.

There are no reliable estimates of financial cost. When you think
about it, there can't be: there's no standard method of measurement,
and most non-specialists don't have the understanding of the field to
implement such a method if it existed. What statistics there are
mostly consist of suppositions supplied by individuals with
insufficient knowledge to similarly qualified researchers.
To take one example: the cost of damage attributed to the
recently-convicted virus-writer Christopher Pile has varied between
#40k and #500k, according to various sources I've seen. Furthermore,
you'd be surprised at the number of people who know a great deal about
firewalls and Orange Book and Unix security, but come up with the most
amazing rubbish when they talk about viruses....

Many so-called virus incidents are so-called on the basis of "There's
something wrong with it - must be a virus...". Many real infections
are undiagnosed, and many that are diagnosed are not acted upon. Many
infections are not made public, as a PR/damage-limitation exercise.
The better-protected organisations are driven to attempt to estimate
what the cost of damage would be if they didn't have protection. Not a
promising basis for hard data.

Viruses cost to protect against and they cost if they're not protected
against: the cost factors are many and complex, and I don't know of a
published study which considers them in depth. None of this means that
there is no case for implementing virus protection: only that making
that case on the basis of a set of figures is impractical.

: If someone could provide a reference to an article or book (relatively
: recent), I would greatly appreciate it.

I'm working on a paper considering the problems, and you're welcome to
have a look at it, as it stands, but it's no problem-solving magic
bullet. There are a couple of books by Dr. Fred Cohen which address
some of the issues - I don't have any of them to hand, so I may
misquote the titles, but 'A short course on computer viruses' and the
one about data security and the Information SuperHighway certainly
include relevant material, though the latter isn't particularly
virus-orientated.

: I am presenting a training session on how to avoid/determine if you have
: a computer virus. Such information would be essential to
: "drive the point home" that viruses cause a great deal of financial
: damage to corporations, universities, etc. Therefore, this information
: would give the training participants an incentive to apply the
: knowledge/skills they learned to the actual workplace.

There's a Price Waterhouse report from last year on the top 200
companies in Ireland which reported that the rate of attack from
viruses had more than doubled to 61%. That's in line with other
reports I've seen. A survey by Ernst and Young/Information Week
indicated that 12% of security problems resulting in financial loss
reported by respondents were virus-related. At least 20 of those
respondents had lost info worth more than $1m, so 12% is not
necessarily negligible. Personally, I place very little faith in the
precise figures: however, the trend may be sufficient to frighten your
trainees appropriately...

: Thanks in advance for any help provided.

You're welcome. I'm sorry I can't be more encouraging....

David Harley

------------------------------

Date: Sun, 10 Mar 1996 15:24:24 +0000 (GMT)
From: Espen Holje Olsen
Subject: Re: Hard drive hardware write protection
X-Digest: Volume 9 : Issue 37

Fridrik Skulason wrote:

>In <0001.01I1X44CWLTKQKI9KO@csc.canterbury.ac.nz> Dave Pearce
> writes:

>>I'm looking for information on the following:

>>1) Is it possible to take a stock IDE or SCSI controller and write-protect
>>the hard disk, i.e., so that all writes fail?

>should be possible to cut one wire in the cable....haven't done it
>though...

..and you might do it the software-way by intercepting int 13h, of
course ..

[Moderator's note: Yes, but all s/w write-protection schemes are able
to be circumvented by other s/w with techniques like those used in
existing viruses (at least under today's popular OSes).]

------------------------------

Date: Fri, 15 Mar 1996 16:52:59 +0000 (GMT)
From: Yahya Alsalqan
Subject: Enterprise Security Workshop Extended deadline
X-Digest: Volume 9 : Issue 37