VIRUS-L Digest    Wednesday, 15 May 1996    Volume 9 : Issue 71

Today's Topics:

Re: Internet Anti-virus Software Comparison Report??
Re: Word Macro Virus cleaner wanted
Re: Is virus writing illegal?
Re: How can you tell a false positive from a REAL virus?
Re: Is virus writing illegal?
Re: Internet Anti-virus Software Comparison Report??
How to select an anti-virus product?
Re: Is virus writing illegal?
Final decision
ZIP drive write protection
Re: False Alarms in TBAV for Windows 95 (WIN95)
Start MS Office - and system hangs... (WIN95)
Win95 bug or Virus??? (WIN95)
Writing to Win95 MBR? (WIN95)
Re: Possible floppy virus? (PC)
Re: Partition virus that slows floppy? (PC)
Help needed with Burglar virus!!! (PC)
Re: Help to get rid of NATAS virus (PC)
Re: EXEBUG VIRUS (PC)
Re: Who knows the "Parity Boot B" virus? (PC)
Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
Virus Comparisons (PC)
false alarms? (PC)
Harmless viruses? (PC)
Activation (PC)
EXEBUG (PC)
Macro Viruses (PC)
InVircible (PC)
F-prot's Virstop (PC)
Client based virus scanner for Lotus Notes ?? (PC?)
re: Sporadic system slow-downs virus related? (PC)
Re: Please inform how to fix "readibios"(?) virus ? (PC)
McAfee hangs while scanning one .exe (PC)
Re: McAfee's Scan (PC)
Re: Slow Boot (PC)
Tremor help (PC)
Re: Help to get rid of NATAS virus (PC)
Disinfecting Skater virus?? (PC)
Major Floppy/Boot Problem - Out of ideas! (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 13 May 1996 21:01:46 +0200
From: Gerard Mannig
Subject: Re: Internet Anti-virus Software Comparison Report??
X-Digest: Volume 9 : Issue 71

[About PC Magazine AV tests]

>>Was this the review that thought that Dr. Solomon's couldn't do
>>virus removal (when in fact it is one of the best removers)?

... and which Editor's choice points out NAV ? 8-)

Regards,

- ----------------------------------------------------------------
Gerard MANNIG
Virus Consultant
Phone : +33 (16) 3559-9344
Fax : +33 (16) 3560-5011
Report a virus attack: http://www.primenet.com/~mwest/vir-vrf.htm
Member of R . E . C . I . F
data +33 1 3415-4959
Voice machine +33 1 3072-9443
=-=-=- I do NOT speak for RECIF unless otherwise specified -=-=-

------------------------------

Date: Mon, 13 May 1996 22:44:30 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Word Macro Virus cleaner wanted
X-Digest: Volume 9 : Issue 71

Zhong You wrote:

> We have some virus on our pc, WinWord.Concept Virus
> and the other one is called the WordMacro. Concept Virus.
>
> They behave like attaching to Word Documents.
> Can you give us some clue about this kind of virus, like
> how to remove them other than deleting the file itself
> , we already have a program for detecting
> them.
> If there is some program to protect the files from
> this virus and clean it if anything is affected by them,
> we would like to know the name , version.

The latest release of InVircible has a generic solution to the Word macro malware problem. Generic as generic can be ! :-)

InVircible detects macro malware in Word files (both documents and templates) and assesses their potential risk. InVircible also cleans them without ruining the files on a global or file by file basis. Thanks to its generic nature, InVircible is now the only product on the market that not only detects ALL current Word macro malware but will also handle future macro viruses, Trojans and droppers. Moreover, the new macro feature of InVircible empowers network administrators to track down an affected workstation, and even to clean it right at login.

The new IV version 6.11a works directly under DOS, Win 3.x, NT, Win 95 and OS/2 and on all platforms that can run DOS or in DOS compatible mode. Available now from all IV vendors' web sites, from Compuserve and AOL.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)
Fax +972 3 532 5325
http://invircible.com/ ftp.invircible.com
CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il netz@invircible.com
Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Mon, 13 May 1996 23:45:30 +0000 (GMT)
From: Mike McCarty
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 71

In article <0013.01I4LK6P5J06SKXBI6@csc.canterbury.ac.nz>, B.MacDonald wrote:
)In article <0009.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz>, James Coulter
) writes

[stuff cut]

)> My point is, virus writing is a form of programming. It should
)>not be illegal even if a NON-DESTRUCTIVE virus is released.
)>Those authors
)>of DESTRUCTIVE viruses, however, should be prosecuted as they have done
)>harm to your private property.
)>
)>PS: To date, not a single one of my viruses has had destructive code or
)>even been released into the "wild". I think of them as trophies of
)>accomplishment.

[more cut]

)First, by infecting my system with your virus you have committed virtual
)trespass.

He said his viruses are not in the wild. If I read him properly, his virus is not, and never will be, on your machine without you knowing it and deliberately putting it there yourself.

[stuff cut]

)Secondly, the deliberate dissemination of a virus is irresponsible.

Also irrelevant. His viruses aren't in the wild, remember?

)No, I don't think writing viruses is a good hobby, James. I know you
)have said that you have not released any viruses, but perhaps there is a
)more constructive outlet for your talents. Have you thought of getting a
)job countering viruses (ie, switch to the other side of the chess
)board)... or taking up gardening?

I don't think that virus writing is "better" or "worse" than any other kind of program writing. It's actually a little bit boring once one has done it one time.

Mike
- - - ---
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
I don't speak for DSC. <- They make me say that.

------------------------------

Date: Tue, 14 May 1996 09:38:13 +0000
From: Fridrik Skulason
Subject: Re: How can you tell a false positive from a REAL virus?
X-Digest: Volume 9 : Issue 71

In <0012.01I4K4FQHQT4SKXBI6@csc.canterbury.ac.nz> JMCarlini writes:

>Is there any accurate way to tell a false positive from a REAL virus?

Disassemble and analyse it.

If you settle for less than 100% accuracy, there are several rules of thumb you can employ, like:

If only one (or a few) programs on the machine are reported as infected, and the warnings are different, it is much more likely to be a false alarm than if numerous files produce exactly the same warning.
However, if you use TBAV's "high-sensitivity" mode at all, you *have* to be able to determine for yourself how accurate the reports are. We (F-PROT) offer a similar option with the /PARANOID switch, but just like the high-sensitivity mode of TBAV it should not be used by everyone.

-frisk
- -
Fridrik Skulason   Frisk Software International   phone: +354-5-617273
Author of F-PROT   E-mail: frisk@complex.is   fax: +354-5-617274

------------------------------

Date: Tue, 14 May 1996 09:41:37 +0000
From: Fridrik Skulason
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 71

In <0010.01I4K4FQHQT4SKXBI6@csc.canterbury.ac.nz> Pfunk240 writes:

>Even if Virus writing is a crime, what is that going to stop?....people
>won't stop writing virii just because it's a crime...people write virii and
>distribute them because it is exciting to see something you created and
>put together do what you expected it to.

I wonder if the author of the Smeg viruses still agrees....he got sentenced to what...18 months ?

-frisk
- -
Fridrik Skulason   Frisk Software International   phone: +354-5-617273
Author of F-PROT   E-mail: frisk@complex.is   fax: +354-5-617274

------------------------------

Date: Tue, 14 May 1996 09:50:43 -0700
From: Hok Lam Un
Subject: Re: Internet Anti-virus Software Comparison Report??
X-Digest: Volume 9 : Issue 71

> Andre Xavier wrote:
>
> I'm trying to setup a internet and Intranet for my company and we are in
> the stage of searching a right Internet Anti-Virus solution for our
> network(You don't what will happen next to your network right!!?).
>
> Please... Anyone came across any comparison/report on internet Anti-virus
> software or solution. I'll be very grateful if you can let me know!!

Visit my web site below should help you! Let me know what you think.

- -
Don't surf the Net without taking the next wave to http://www.geocities.com/Tokyo/1348
Don't leave my home without signing my state of the art, multi-media guest book!
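The following is an added illustration of Fridrik Skulason's rule of thumb in the "How can you tell a false positive from a REAL virus?" reply above; it is not code from F-PROT, TBAV or any poster. It groups a scanner report by warning text: the same warning on many files is treated as a likely real infection, while isolated files with differing warnings are flagged as probable false alarms and queued for manual analysis, which, as the reply says, is the only definitive check. The "path -> warning" report layout, the file names and the virus names are all constructed for the example; a real scanner's log would need its own parser.

```python
from collections import defaultdict

# Constructed scanner report: the "path -> warning" layout and every name
# in it are invented for this example, not output of any real scanner.
SAMPLE_REPORT = """\
C:\\BC45\\BIN\\MACROGEN.EXE -> Could be a variant of Example-A
C:\\TOOLS\\PKZIP.EXE -> Suspicious: self-modifying code
C:\\WORK\\PROJ\\ALPHA.EXE -> Infection: Example-B
C:\\WORK\\PROJ\\BETA.EXE -> Infection: Example-B
C:\\WORK\\PROJ\\GAMMA.EXE -> Infection: Example-B
C:\\DOS\\EDIT.COM -> Infection: Example-B
"""

LIKELY_REAL = "likely real infection"
PROBABLE_FALSE_ALARM = "probable false alarm"


def parse_report(text):
    """Split the constructed report into (path, warning) pairs."""
    entries = []
    for line in text.splitlines():
        if "->" not in line:
            continue                      # blank or non-report line
        path, warning = (part.strip() for part in line.split("->", 1))
        entries.append((path, warning))
    return entries


def triage(entries, threshold=3):
    """Apply the rule of thumb: the same warning on many files points to a
    spreading infection; one or a few files with differing warnings point
    to heuristic false alarms.  Returns {warning: (file_count, verdict)}."""
    by_warning = defaultdict(list)
    for path, warning in entries:
        by_warning[warning].append(path)
    verdicts = {}
    for warning, paths in by_warning.items():
        if len(paths) >= threshold:
            verdicts[warning] = (len(paths), LIKELY_REAL)
        else:
            verdicts[warning] = (len(paths), PROBABLE_FALSE_ALARM)
    return verdicts


def needs_manual_analysis(verdicts):
    """Return the warnings whose verdict is only a guess, sorted, so they
    can be prioritised for disassembly and analysis of the flagged file."""
    return sorted(w for w, (_, verdict) in verdicts.items()
                  if verdict == PROBABLE_FALSE_ALARM)


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for warning, (count, verdict) in sorted(result.items()):
        print("%-40s %2d file(s)  %s" % (warning, count, verdict))
    print("Analyse by hand first:", needs_manual_analysis(result))
```

The threshold of three files is an assumption for the example; what matters is the shape of the evidence, not the exact number, and a "likely real" verdict still calls for a clean boot and a second scanner before any cleaning.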
------------------------------

Date: Tue, 14 May 1996 20:47:00 +0200
From: Donald Heering
Subject: How to select an anti-virus product?
X-Digest: Volume 9 : Issue 71

I had no idea about the plethora of anti-virus utilities available on the market... Which one should I use?

What I'd like is a product that can monitor file access in the background (running Win '95 ), like TBAV and McAfee do. And of course it should be able to detect (and clean, if possible) as many viruses as possible.

Does one product suffice, or is it better to use more than one?

Any input is welcome.

Regards, Donald.

------------------------------

Date: Tue, 14 May 1996 14:20:09 -0700 (PDT)
From: eriko@phoenix.net
Subject: Re: Is virus writing illegal?
X-Digest: Volume 9 : Issue 71

Speaking of which, what legally defines a virus?

------------------------------

Date: Tue, 14 May 1996 18:42:54 -0400
From: C0SYS0P
Subject: Final decision
X-Digest: Volume 9 : Issue 71

F-Prot, Dr. Sol, McAfee

Which is the Best or two best AV's around for scanning.
""    ""    ""   for use as a TSR
""    ""    ""   for cleaning

....I assist in running a DOOM BBS and need to know which one(s) to implement. What should we choose......We have been running this BBS for some time but are now going to get really serious on an Antivirus program. We are getting more and more files (all types) and would like to assure our players that they WILL NOT BECOME INFECTED through us. Luckily not one has gotten a virus from our file libraries yet! Any suggestions? Should we shut down the BBS and this way we can be 100% safe :) ?

Well thanks in advance for any input you may have for me. I'm planning to pay as much as possible but, not something that is unreasonable ($ 250 tops). Am I being reasonable?
Charles Beltran
I'm Charles@aol.com
Charles Beltran

------------------------------

Date: Tue, 14 May 1996 22:47:22 -0700
From: Dennis G German
Subject: ZIP drive write protection
X-Digest: Volume 9 : Issue 71

Have there been any reports of virus which bypass the Iomega Zip software write protection?

------------------------------

Date: Mon, 13 May 1996 14:20 +0000 (GMT)
From: CLAYTON E RUTH
Subject: Re: False Alarms in TBAV for Windows 95 (WIN95)
X-Digest: Volume 9 : Issue 71

I've been reading the various postings indicating confusion regarding false alarms from TBAV and would like to shed some light on the situation based on my recent experience evaluating TBAV on behalf of my employer.

I initially installed TBAV 7.00 for Windows 95 and couldn't get it to complete a TBSetup or TBScan run; it kept crashing with GPFs. I downloaded TBAV 7.01 for Windows 95 and now the GPFs are gone, but I found that TBSetup and TBScan for Windows 95 don't always agree with one another as to what a file's CRC really is. The first scan, performed immediately following a TBSetup run, said that several programs (e.g., the MACROGEN.EXE component of Borland C++ 4.51) had changed (the CRC no longer matched what TBSetup recorded). Once this had occurred, false alarms started popping up all over the place due to the "Auto heuristic sensitivity" setting, which increases sensitivity when it "knows" a virus has been found. Validating the mismatch fixed the problem, so long as I didn't run TBSetup again.

Therefore, my recommendation to anyone trying to use TBAV for Windows 95 is as follows:

1) Be sure to download the latest release. Don't use 7.00.
2) Under TBScan, Advanced Options, set "Low heuristic sensitivity".
3) Select the desired targets and click the Setup button.
4) Immediately following the TBSetup run, click Scan. Each time it says a file has changed, click "Validate" and continue the scan.
The product should now produce very few false alarms, so long as you leave the Heuristic Sensitivity at its lowest setting and don't run TBSetup again. When you install new or upgraded software, run TBSetup on the affected directory only, then run TBScan and validate the "changed" files. For Windows applications, you can expect some changed files in the Windows and System directories too.

Increasing the heuristic sensitivity generates false alarms on a lot of innocuous programs, so I recommend leaving it on "low" permanently.

Clay Ruth
PC Configuration Manager / Senior Lead Systems Software Analyst
Sargent & Lundy, L.L.C., Chicago, IL
Clayton.E.Ruth@SLChicago.Infonet.com

------------------------------

Date: Tue, 14 May 1996 01:00:06 +0200
From: Andre Jacomet
Subject: Start MS Office - and system hangs... (WIN95)
X-Digest: Volume 9 : Issue 71

Yesterday I d/lded some files from the internet with my Aptiva computer. I copied some of them to two of our notebooks (IBM ThinkPad 760). One was making trouble the whole day, the other one started this evening, when I tried to install MS Office 7.0 on it. After setup was complete it stated four or five messages, "that you cannot open more than one MS Office setup at once" and crashed. Whenever I start Office now the System (Win 95) hangs (blue screen indicating severe problems with application "Windows").

Can anybody help?

Thank you very much in advance.

- -
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Andre E.F. Jacomet, Sales&Account Manager
jacomet@dial.eunet.ch

------------------------------

Date: Mon, 13 May 1996 23:12:28 +0000 (GMT)
From: Jamey Ratzlaff
Subject: Win95 bug or Virus??? (WIN95)
X-Digest: Volume 9 : Issue 71

Last week I got a floppy from a co-worker, and when I put it in my drive, my anti-virus shield immediately detected the ANTI-EXE virus.
I re-booted from HD and cleaned the floppy and checked my HD which came up clean, but now, every once in a while in Windows95, for no apparent reason, the system HAMMERS ON THE A: DRIVE. I have no apps open that are set to drive A: and I get no error about not having a disk in the drive, just that annoying drive A access.

Now dig this... I gave some files to a friend on a floppy (that was clean) and he called me later and said that since he put my disk in his machine, it periodically TRIES TO ACCESS SOMETHING ON THE FLOPPY DRIVE!!

Has anyone else had this problem????

------------------------------

Date: Tue, 14 May 1996 22:35:03 -0700
From: Dennis G German
Subject: Writing to Win95 MBR? (WIN95)
X-Digest: Volume 9 : Issue 71

How does one go about re-writing the master boot record when running WIN95. Friend of mine ( no, really) has detected NYB. Can MBR be re-written?

------------------------------

Date: Mon, 13 May 1996 14:00:16 +0000 (GMT)
From: Richard Evans
Subject: Re: Possible floppy virus? (PC)
X-Digest: Volume 9 : Issue 71

usmciris@ix11.ix.netcom.com wrote:
: I was just wondering if anyone recognizes the symptoms of the
: following problem:
:
: i've got something up with my A drive that seems strangely virus-like.
: whenever i load an executable from a floppy, such as an "install" or
: "setup" program, while trying to run the program, the floppy's files
: become cross-linked, renamed and/or lost. Happens every single time.
: I can copy files from the drive onto the hard disk and i can save to
: the drive, but running from it screws it up every time. I've replaced
: the drive and the cable and formatted the hard disks twice with no
: luck.
:
: if *ANYONE* knows what this sounds like, I would immensely appreciate
: some sort of reply. Right now, i have to copy all files from floppies
: before installing software.

You could try moving the write protect tab on the floppy drive to the read only position ( So that the hole is open ).
This should prevent anything from writing to your floppy. Not sure what you can learn from this, but at least you won't trash your floppies.

Another idea. See if you can find a bootable floppy that you are sure is free of viruses. Write protect it, switch off your computer, insert the bootable floppy, and switch on, so that the computer boots from the floppy. ( Note. not a warm boot or a reset. Actually switch off the computer ). Now there should be no viruses in memory. So now run something from a floppy and see if the same problem occurs. If it does then the problem can not be a virus. If it does not then it could be a virus.

Note. None of the above is conclusive, it can only give you vague clues as to what is happening. What you really need is a good Virus scanner.

Hope this helps.

Richard.

------------------------------

Date: Mon, 13 May 1996 16:32:46 +0000 (GMT)
From: Steve Roberts
Subject: Re: Partition virus that slows floppy? (PC)
X-Digest: Volume 9 : Issue 71

The virus has resurfaced - and the latest and greatest version of Dr Solomons' findvirus identifies it as Int.C1 (on a floppy - boot sector) or Int.40 (on hard drive - partition table). We can now find it and destroy it, so we are happy.

But can anyone tell us any more about the Int.xx virus? It is not the old Int13, which is all I can find on the Web. Does it have a payload other than slowing down our floppy drives?

Any information gratefully received,

Steve.

------------------------------

Date: Mon, 13 May 1996 18:58:45 +0200
From: Joeri Roels
Subject: Help needed with Burglar virus!!! (PC)
X-Digest: Volume 9 : Issue 71

My friend has a BIG problem. His computer is infected with a virus !! We think it is the 'burglar' virus. In the infected files we find always the two sentences :

"Burglar"

and :

"Eat grandmother's grave"

Do you have any idea how to KILL it (fast!) ??
Joeri

------------------------------

Date: Mon, 13 May 1996 22:44:14 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Help to get rid of NATAS virus (PC)
X-Digest: Volume 9 : Issue 71

Eric L Huynh wrote:

> Recently my computer got infected with a virus called NATAS and I
> tried to get rid of it by formatting my entire hard disk. Somehow
> after formatting completed, I turned off computer ( to ensure nothing
> in system memory) and reload DOS 6.22. Well, guess what when I boot
> up F-PRO still reports NATAS in my computer.

It's a waste of time (and isn't necessary) to reformat your hard drive to get rid of a virus, and NATAS in particular. The reason it's back is because NATAS is multipartite and loads itself from either an overlay on track 0 (initialized through the MBR) or by running an infected file. NATAS is also full stealth and a fast infector. On booting, Natas has 1 in 512 chance to trigger and commit suicide, trashing the hard drive. Any decent antivirus would remove Natas, as will InVircible.

Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)
Fax +972 3 532 5325
http://invircible.com/ ftp.invircible.com
CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il netz@invircible.com
Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Mon, 13 May 1996 22:44:25 +0000 (GMT)
From: Zvi Netiv
Subject: Re: EXEBUG VIRUS (PC)
X-Digest: Volume 9 : Issue 71

PAUL HENNION wrote:

> I have a Compaq Presario 425 with 4 mb ram and lately detected that I
> have an exebug (the scanner said that it was not sure but it
> thought that it was an a1 version of the virus)( I found this out
> because I scanned with Mcafee Virus Checker).
> The virus has messed up
> my disk drive so I cannot boot up from a bootable system disk

Now you got three problems: 1) The disk is infected with a virus, 2) You cannot boot (or access the drive) and 3) It's a Compaq Presario.

Exebug, if this is what you have (there is a common virus in South Africa named Hooker, that for some reason some products identify as ExeBug) messes with the MBR. Compaq machines have a peculiar hard disk configuration that makes things more complicated in case of boot infections. For some obscure reason Compaq places a non-DOS partition upfront, with their proprietary diagnostics. The main DOS partition starts with a boot sector (no partition sector) at cylinder 4 to 7, depending on the disk type. In case you lose the MBR, which is quite common with boot viruses, then ordinary disk repair utilities are unable to find the DOS partition and it usually ends in formatting the disk and losing the data. Although acceptable to DOS, it's inconsiderate to expose the users to such problems for no apparent good reason. InVircible warns the users that the hard disk is at risk because of the irregular configuration. Compaq are aware of the problem, since their engineering department called us on the subject.

If you can see drive C: when booting from a clean DOS floppy, then run FDISK/MBR. In spite of the controversy about this undocumented command, this is your best shot, provided you can see C! If not, then ResQdisk Professional can help you, provided you are confident enough in your ability to handle the problem. Otherwise, seek for data recovery expert assistance. We have a section dedicated to disk recovery in The InVircible forum on Compuserve. You are invited to join and we'll be glad to help you.
Regards, Zvi

- --------------------------------------------------------------------
NetZ Computing Ltd, Israel
Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)
Fax +972 3 532 5325
http://invircible.com/ ftp.invircible.com
CompuServe: go INVIRCIBLE
E-mail: netz@actcom.co.il netz@invircible.com
Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Mon, 13 May 1996 14:51:41 +0000 (GMT)
From: George Wenzel
Subject: Re: Who knows the "Parity Boot B" virus? (PC)
X-Digest: Volume 9 : Issue 71

In article <0010.01I4OEGXRLXYSKYBYJ@csc.canterbury.ac.nz>, Gangolf Mittelhaeusser wrote:

>I have got the above virus on my PC with Windows95. After a
>format of the hard drive and a new installation I have at least
>one file (shudlog) that is still infected.
>
>Has anyone experience with that virus? I don't know how it
>could survive the formatting and don't feel really safe now.
>
>[Moderator's note: That file is not "infected"--it contains an image of
>your pre-Win95 MBR, so is likely to contain a copy of the virus if your PC
>was infected before installing Win95.]

The shudlog file is created upon installation of Win95 to return the MBR to a pre-installation state in the case of an uninstall. If your anti-virus program reports the MBR clean (make sure you clean boot first, and use a reputable anti-virus product), you can be quite certain that the system is clean. Unless you are planning to uninstall Win95, I'd suggest deleting the file. Even if you are planning to uninstall it, I'd probably say that deleting the file and re-installing your previous OS from the originals is the way to go, since restoring the image of the MBR to the MBR upon an uninstall will leave you infected again.
Regards,

George Wenzel

------------------------------

Date: Mon, 13 May 1996 23:24:25 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Identification (not detection): Dr Solomons vs F-Prot (PC)
X-Digest: Volume 9 : Issue 71

In article <0007.01I4OEGXRLXYSKYBYJ@csc.canterbury.ac.nz> bpb@umich.edu "Bruce P. Burrell" writes:

> Iolo Davidson (iolo@mist.demon.co.uk) wrote:
>
> > If the real world ever gets so dirty that ordinary users harbour
> > more than ten viruses at a time, then the number required to drop
> > the precise identification can easily be bumped up to twenty or
> > whatever.
>
> If S&S makes that change, the documentation will have to be modified
> to account for it, correct?

No. It isn't documented now. That is the beauty of not documenting those features which the users don't need to know about.

> Fix the onscreen/logfile message, and be done with it.

Once more, this isn't up to me (and wouldn't be up to me even if I was an S&S employee). However, I believe that S&S have made the right decision in regard to their reporting.

> > > Is it your position that you should make a product look as bad as
> > > possible to the clueless reviewer? That's not a loaded question; I can
> > > see that perhaps it might help to discredit future work by that
> > > individual. Nonetheless, I would think it a better strategy both to be,
> > > and to appear to be, better than the competition, regardless of the
> > > competence of the reviewing party.
> >
> > Missed the point.
>
> Nope. It was perhaps a tangential question, but the point is clear
> in my mind.
>
> > The trade off is precise identification
> > against speed. Clueless reviewers may or may not notice the
> > precision (probably not, since other products being compared
> > won't have it, and the reported virus names won't match between
> > many products anyway), but the difference in speed if precise
> > identification is left on will be noticed.
> > It's a judgement
> > call, and the designers have made the right choice in my view.
>
> Sure, it's a judgement call about switching to a fast scan; I agree
> with that. It's also a judgement call about allowing unclear descriptions
> to remain in a product; if S&S don't modify this before the next manual
> revision, they will have made the wrong choice in my view.

You REALLY HAVE missed the point. The descriptions you get with the precise identification disabled are not "unclear", they just don't differentiate between variants. There is actually an extra step involved to figure out the variant, which is not performed in the fast mode. Without that step, you get the name of the main virus in what one might loosely call that virus family, and you do not get the "identified" tag, because the precise identification hasn't been done. Instead of saying the virus has been identified, it says it is "like" the main family name. It cannot say it "is" the family name because that name is the name of one of the variants in the family (the first known or most common) and it has not been identified as that variant. Other AVs are not capable of making the distinction, so they don't have to use differentiating words in their reports.

> > > Apparently someone somewhere read the report; that's why the complaint
> > > was lodged in the first place.
> >
> > Not by a user, but by someone scanning a collection. This
> > feature does not affect users at all.
>
> Sure it affects users. In fact, it probably affects the very ones
> who are making purchase decisions: if I use a particular AV product that
> is unable for an extended period of time to deal with a virus common at my
> site, I will search for a product that can handle it.

But the ability to deal with viruses is not affected. You only get the fast mode when you run a scan on a disk with more than ten different viruses on it. It still detects *all* the viruses (though it doesn't give maximum accuracy in naming them).
You don't get the fast mode if you specify /remove no matter how many viruses you have. In no way is the ability to "handle" viruses affected. And it still doesn't affect users, only people doing tests on collections or otherwise dicking around.

> Moreover, I will
> be certain to ascertain that it also handles other viruses we encounter
> regularly. What might I or someone else in this situation do? Certainly
> I'd check the independent reviews, but I'd also test first-hand that the
> product can detect and remove properly those viruses we know and loathe.

And FindVirus will detect and remove viruses regardless of the fast mode. It won't miss any viruses in fast mode (it just doesn't bother to figure out precisely which variant they are) and if you ask it to remove viruses, it won't even go into fast mode (because it needs the precision to do removals).

> How would I do that? I'd probably put all the viruses on a diskette
> and let the scanner have at it. For BSIs, perhaps I'd make a binary
> image and use, with DSAV /!DOBOOTS or whatever the switch is; the point
> is that it would be reasonable to assume that a large institution would
> have little trouble finding ten or more viruses to test.

Testing on such a limited sample won't tell you anything at all, but go ahead. Findvirus will detect all the viruses it knows regardless of the fast mode. Testing boot sector viruses in files really has no validity, though.

> What happens? All products but DSAV might identify those viruses in a
> way that I consider "accurate", while DSAV reports in what appears a
> vague manner. So DSAV loses points in that aspect.

Well, if you are performing a flawed test in the first place, based on an insignificant sample size, I expect that you may be doing your timing on the scan of infected samples, so you will be happier with the fast scan timings.
You will *still* get all the viruses reported as viruses, even if you don't understand why the FindVirus report wording is correct and meaningful. That's the trade-off.

> Assuming that I don't reject the product at that point, I suspect its
> accurate disinfection will raise its stature sufficiently that it may win
> the evaluation. But why put it in a hole to start?

Like I say, this is S&S's decision, and they seem happy with it. I dare say they have given it more thought than you have, and they have decided to do it the way they do.

> Note that S&S personnel have recommended the test against
> "known viruses", so this is not a hypothetical.

I don't get this part.

> Also, with the benefit of this
> thread, I would know better than to reject DSAV based on the result. Can
> you say that of the average evaluator? No. Can S&S afford to take that
> chance? Sure, but to what benefit to them or the potential customer?

You can assume that S&S have assessed the trade-off, and decided to do it this way.

> > > > You don't think that any software company lets programmers decide
> > > > this stuff do you?
> > >
> > > For companies that value excellence? Sure do, though perhaps not ones
> > > on the scale of S&S. Still, I bet the prestige of some of the programmers
> > > there might be able to get such a change designated Priority One (not that
> > > this particular issue deserves it). [Hmm. Maybe not 'decide', but
> > > certainly 'influence'.]
> >
> > I have actually worked in the company concerned, and can assure
> > you that it is not as straightforward as you believe. Even Dr.
> > Solomon couldn't always get what he wanted done. What happens in
> > a big company is that you get fifteen people with the power to
> > say "stop" and no one with the power to say "go with it".
>
> Noted. But my comment wasn't about S&S, it was (originally)
> about the time to effect the actual change in the code.

And my original answer was that this decision isn't up to the programmer.
The amount of work involved to change the wording of a message is simply nothing to do with the point at issue, which is deciding what the message should say. That isn't a programming task.

> That remains trivial;

Sure, the part of what you want which is not at issue is easy. If a decision was made to change the wording, the code would be the easiest thing to change. The hard part is getting the decision made and sorting out the other issues. S&S have already made a decision which they are apparently happy with.

> frankly, I don't care about the internal workings of any company.
> I just want clear, accurate docs and effective code.

This feature is not documented, and a jolly good thing too, as no user is going to stumble across it. Fiddlers and journos *still* get accurate reports and effective detection.

> > > > What happens about the printed manuals?
> > >
> > > Easy; a README.1ST file could take care of the manual until its next
> > > reprint. This is not exactly an industry innovation.
> >
> > Another thing that people don't read. I've been through this
> > manual writing stuff, you know. I think my name is still in the
> > cast list of the current Toolkit manual, though I haven't worked
> > on it for years.
>
> The point isn't whether it is read; it is whether the information is
> provided in a clear manner *somewhere*.

That's just wrong. If the documentation changes aren't going to be read, it is better not to make the changes in the software. Some features don't have to be documented at all, though.

> Some of us -do- read the manual, by the way;
> of course, a company is probably less likely to get tech
> support calls from those folks.

They will get a lot of calls if the manual says one thing and the software does something else, the change explained only in an unread README file or addendum. This is worse for AV products than for other software, because AV users are in a peculiar frame of mind when they use the product.
> > At one time, the manual was loose-leaf, with extra pages sent out
> > with the updates. That doesn't work very well either, unless you
> > actually replace existing pages with new ones (and that only
> > works if customers actually do the page changes). Addenda don't
> > get read.
> >
> > Yes, it is *easy* to add a readme file, but it isn't effective.
>
> Perhaps, but tech support can point to it in any event. One can't
> make the user read the docs; one can't make the user install the
> software. So what? One still tries to make the best product and the
> best docs possible, no?

Like I say, add-on documentation is useless. Any non-vital change that needs to be documented is better left until it can coincide with a full manual rewrite.

> > > > What happens about the scripts that people run to analyse logs? The
> > > > tiniest change in any of the report wording brings existing customers,
> > > > especially the corporate support personnel, down on you like an air
> > > > strike.
> > >
> > > You can't have it both ways. Since this never happens to "real users",
> > > no user will have a script that needs to be changed. Or it *does* happen,
> > > on a corporate server, perhaps, in which case your claim that the message
> > > never occurs to "real users" is invalid. Which one will you have us
> > > believe?
> >
> > Explain that to the people who make such decisions. I hold that
> > real users won't come across this feature. The decision makers
> > would answer that it doesn't need changing then.
>
> See above for a real world example of where this happens.

No, that wasn't a real user. That was a fiddler performing a non-significant test. That test *would* bring in scripting issues regarding wording changes if you want to talk about not having it both ways.

> > There are other
> > undocumented features used in house for testing and other
> > purposes, you know.
> > There is a really convenient feature in
> > VirusGuard which can be used when testing which S&S tell NO ONE
> > about, even when asked for it specifically.
>
> So what? I don't care about things I can't possibly encounter; I
> expect clarity and full disclosure in the things I will, and hope for the
> same in the things I might.

You are not complaining as a user, but as a tester. You are defined as a tester by FindVirus going into fast mode. FindVirus user documentation doesn't cover testing on virus collections, but if you ask S&S, they will explain the fast mode.

> > > > Report wording is one of the *hardest* things to get changed.
> > >
> > > All the more reason to get it right the first time. But when it
> > > isn't, fix it as soon as possible, assuming you believe that it merits
> > > improvement.
> >
> > Two things there. I say it doesn't need changing, and it seems
> > S&S don't think it needs it either. But that is beside the
> > other point you were making about how any programmer could insert
> > the wording of *your* choice in seconds. That isn't so, for the
> > simple reason that programmers are not allowed to make that kind
> > of design decision. They are allowed to file "change request"
> > forms.
>
> S&S implementation detail; my comment was about how long it would
> take to do.

So was mine. It would take a *long* time. That is because you are not talking about a code change, you are talking about a decision to make a reporting change.

> I think it's great that changes aren't just made willy-nilly; the
> point remains that if a change in the text is implemented, it will be
> extremely quick to effect.

Sure, if you ignore the long slow difficult part, it would be very quick. But the decision making process *is* the pivotal process.

> > > It's details like this that make the good documentation
> > > very good, and the very good, excellent. Shouldn't the
> > > quality of the documentation match that of the software?
> >
> > Features affecting only testers and experimenters need not be
> > documented at all. Look at the fuss the discovery of this very
> > unimportant feature has raised in here.
>
> Perhaps we'll just have to agree to disagree, then. It's really an
> issue between S&S and its users (potential or current), not between you
> and me.

Again, users don't see this feature.

> BTW: I notice that you have snipped my counter to your assertion that I
> could be sequestered in a room with several other [rational -- my
> requirement -BPB] folks, and that we could not generate better wording in
> a reasonable length of time. I take this to mean that you accept that we
> could, indeed, do a better job.

No, I don't accept that you could come to a true agreement on any wording at all, let alone better wording or wording acceptable to S&S.

- -
  SOAPS TURN JOLLY GENTS
  THAT IRRITATE
  TO JITTERBUGS
  THEIR MUGS
  Burma-Shave

------------------------------

Date: Tue, 14 May 1996 04:58:58 -0400
From: Bill lambdin
Subject: Virus Comparisons (PC)
X-Digest: Volume 9 : Issue 71

Andrew Gagarin writes

>PC Magazine, May 1996 has a good comparison. It is probably available
>online at pcmag.com Andy Gagarin

I discontinued my subscription to PC Magazine after they published a virus test where they had tested several programs with 4 viruses in 1994. I hope they have improved their testing protocol since then.

I have seen many reviews in other magazines in Net Guide, PC Sources, and Win Sources, and I would not label any of these other tests credible.

I have a fair collection of viruses, and I recommend all scanners that detect a minimum of 90% of my collection. The short list of recommended scanners, and generic A-V programs was posted to a recent issue of the Virus-L digest, and is available on the home page run by Mark West.
Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                    C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 14 May 1996 04:58:37 -0400
From: Bill lambdin
Subject: false alarms? (PC)
X-Digest: Volume 9 : Issue 71

Bruce Burrell writes

JMCarlini (jmcarlini@aol.com) wrote:

>Sure:
> 1. Run the possibly-infected code, assuming it's executable, to see
> whether it reproduces. Note that while this will make it
> obvious for some viruses, others reproduce under arcane
> circumstances you might not happen to mimic.

Are you kidding!? The user should never run a virus (even if it is a false alarm). They should send the file to an A-V developer or a virus researcher for analysis.

If the user wants to run a virus, they should run the program on a separate computer without taking the risk of infecting other files, boot sector, or MBR on their computer.

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                    C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 14 May 1996 04:58:42 -0400
From: Bill lambdin
Subject: Harmless viruses? (PC)
X-Digest: Volume 9 : Issue 71

"patrick.post" writes

>In article <0009.01I4HGHM908WSKVUM0@csc.canterbury.ac.nz>
> webmaster@bl-net.com "James Coulter" writes:
>
>> What's the harm in a simple replicator? Absolutely nothing!
>
>Wrong. At the very least, viruses steal computer resources from
>the owner of those resources, and waste them. At worst, the
>virus is buggy, and the bugs cause problems running the software
>the owner wishes to run, or even causes damage to data.

Good answer; but allow me to add two cents.

The Frodo virus is supposed to drop the multipartite section of the virus onto the MBR on September 22nd.
However, this portion of the virus is extremely buggy, and none of the infected files will run from September 22nd - December 31st of any year.

Generally viruses are poorly written, and many of them crash often. This is why there are not up to 8000+ viruses in the wild.

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                    C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 14 May 1996 04:59:12 -0400
From: Bill lambdin
Subject: Activation (PC)
X-Digest: Volume 9 : Issue 71

George Wenzel

>Oops... I did mean to write activate, but for some reason, wrote 'infect'.
>
>This was the point that I was trying to make.
>
>Sorry for any confusion.

Thanks for the clarification. Objection withdrawn.

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                    C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 14 May 1996 04:59:03 -0400
From: Bill lambdin
Subject: EXEBUG (PC)
X-Digest: Volume 9 : Issue 71

Iolo Davidson writes

>Exebug does a trick that forces the computer to boot from the
>hard disk even when there is a boot floppy in the floppy drive.
>It doesn't work on every computer, but it looks like it has

Iolo:

Doesn't EXEBUG accomplish this by modifying the CMOS so that the A: drive is not installed?

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                    C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 14 May 1996 04:59:07 -0400
From: Bill lambdin
Subject: Macro Viruses (PC)
X-Digest: Volume 9 : Issue 71

Brandon writes

>but when you pay twenty something thousand a year to go to college and
>have your gpa ruined by a paper destroyed, lost, or mutilated by a virus -
>trust me, it's a big deal.
>and when new versions are created faster than

Thank you for posting this. I couldn't agree more!

No virus threat is negligible: whether A-V developers agree with me or not. Users are confronted by viruses on a daily basis, and are trusting A-V software to detect the viruses they encounter.

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                    C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 14 May 1996 05:38:30 -0400
From: Bill lambdin
Subject: InVircible (PC)
X-Digest: Volume 9 : Issue 71

Zvi Netiv writes:

>and it will tell you there is stealthing active, switch SeeThru ON and
>browse track 0. You will see a whole sequence of code (the virus boot
>overlay) occupying the last sectors, in one of them you can read "Dis
>is One Half" [sic].

Now Zvi:

Aren't you making reckless assumptions here?

Section 10.8 paragraph 6 in the hypertext manual for InVircible states "IV's SeeThru functions only with IDE and EIDE drives"

Which means the SeeThru aspect of InVircible does NOT function with the following types of hard drives.

ARLL
ESDI
MFM
RLL
SCSI
SCSI 2

Bill Lambdin

- --------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                    C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 14 May 1996 07:33:37 -0700
From: unknown
Subject: F-prot's Virstop (PC)
X-Digest: Volume 9 : Issue 71

For some reason when I run F-prot's Virstop in a dos shell in Windows it crashes my system with the error message 'EMM368 has detected a fault at (some memory address)'. I realize that virstop is intended for DOS, but I need a program that will function under Windows 3.x. Can anyone suggest either another program for Windows 3.x or a way to configure my system so that virstop will work?

Thanks for any help in advance.
Reems@ix.netcom.com

------------------------------

Date: Tue, 14 May 1996 15:02:33 +0200
From: Anders Storm
Subject: Client based virus scanner for Lotus Notes ?? (PC?)
X-Digest: Volume 9 : Issue 71

Does anybody know of any virus protection products that are client based for Lotus Notes?

It should be able to scan for virus in file attachments before they are detached or launched; preferably it should be able to use any virus scanners available on the market (e.g. McAfee, Dr. Solomon's).

Anders Storm

------------------------------

Date: Tue, 14 May 1996 11:22:19 -0400
From: Ben Danielson
Subject: re: Sporadic system slow-downs virus related? (PC)
X-Digest: Volume 9 : Issue 71

On Wed, 08 May 1996 James R. Mac Donald wrote:

>Further to my previous post, another friend seems to be having the following
>problem lately:
>
>In performing simple, rudimentary tasks (i.e. dos edit from within
>Windows, being in Netscape, running Windows Apps, etc.) his system
>"hangs" for approx. 30 to 60 secs. After this time, he then audibly will
>hear the hard drive engage and he'll be free to continue his processes.
>Does anyone know of a virus that would simulate this scenario? We tried
>running thru a recent log file of possible virii, but we didn't see one
>that accomplishes a momentary "hang".

Your hard drive is parking its heads and restarting. This usually is caused by a faulty power supply, but could also be a failing drive.

Ben Danielson
bendan@asu.edu

------------------------------

Date: Tue, 14 May 1996 15:50:38 +0000
From: Fridrik Skulason
Subject: Re: Please inform how to fix "readibios"(?) virus ? (PC)
X-Digest: Volume 9 : Issue 71

In <0013.01I4MPK5C2EYSKXBI6@csc.canterbury.ac.nz> Lee Suk-Jae writes:

>It'll be highly appreciated if someone inform this virus to me ?

"readibios" ? Do you mean "readiosys" ?
-frisk

- -
Fridrik Skulason      Frisk Software International      phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-5-617274

------------------------------

Date: Tue, 14 May 1996 09:17:04 -0700
From: Vic Doubroff
Subject: McAfee hangs while scanning one .exe (PC)
X-Digest: Volume 9 : Issue 71

I just downloaded a program from the net and immediately ran the latest version of McAfee. While scanning the 275k executable, the AV program hangs for 12 seconds. Although no viruses are reported, should I be at all suspicious of a virus evading detection, or is this normal for scanning some files?

------------------------------

Date: Tue, 14 May 1996 14:21:13 -0700 (PDT)
From: eriko@phoenix.net
Subject: Re: McAfee's Scan (PC)
X-Digest: Volume 9 : Issue 71

> a. many programs check their self integrity, and will stop functioning if
> they are modified.
> b. this self check can not detect companion viruses
> c. this self check can not detect fully stealthed viruses.
> d. this self check can not detect path companion viruses
> e. this self check can not detect tunneling viruses.

Yeah, but it does help to find new virii that modify executable files. While it cannot detect the preceding types of virii, it is like an added layer of protection for your exe files. This is very similar to the reason that you should always use at least 2 different virus scanners. This method may help detect something that another one may miss...

------------------------------

Date: Tue, 14 May 1996 16:06:56 -0400
From: Gilles Ethier
Subject: Re: Slow Boot (PC)
X-Digest: Volume 9 : Issue 71

>Now, although I have a relatively fast computer, 90MHz, my computer
>seems to take progressively longer to boot up. When I first got the
>computer last July, it just seemed to zip along faster than I've ever
>seen, but compared to that it takes a bit longer to boot up!
>Mind you,
>it still is going fast, I am only using Windows 3.11, and have 32MB RAM,
>but I think I might have one of those viruses that make the computer
>slow down just a bit every time you boot up. It may just be the fact
>that although I defragment my hard drive regularly, it may be putting the
>files in different spots or something (meaning I would only have to
>backup my files, wipe the drive, then put them back on). I don't really
>care what's causing it, just as long as I know what it is, and what I can
>DO about it. So far it is not critical, I was hoping to fix it BEFORE it
>became a problem. Any ideas of what viruses etc. might cause this, and
>what programs etc. I'd have to get or do to remedy this situation?

Why don't you try running an anti-virus program to see if you actually have a virus on your computer. There are many different types of anti-virus software that you can get.

GE

------------------------------

Date: Tue, 14 May 1996 21:42:30 +0000 (GMT)
From: Roy Mahfouz
Subject: Tremor help (PC)
X-Digest: Volume 9 : Issue 71

Does anybody know how to kill TREMOR??? Please send me a mail if yes!

roy
wooyhjha@sp.zrz.tu-berlin.de

------------------------------

Date: Tue, 14 May 1996 17:49:21 -0600
From: Jaime Roberto Castro
Subject: Re: Help to get rid of NATAS virus (PC)
X-Digest: Volume 9 : Issue 71

In Mexico we had a hard time with the NATAS virus last year. If you use PC-cillin antivirus you can clean it completely. NATAS infects the hard disk boot sector, floppy boot sector and executable files. You have to check all your diskettes to make sure you eliminated the virus. If you want more information check http://www.antivirus.com

Regards

Jaime Castro
jrcastro@spin.com.mx

------------------------------

Date: Wed, 15 May 1996 10:06:32 -0700
From: Peter Gauci
Subject: Disinfecting Skater virus?? (PC)
X-Digest: Volume 9 : Issue 71

My command.com file is infected with the skater virus. McAfee scan ver 2.2.11 will not clean it. Please help!!
Peter Gauci
Mail: rabpg@rmitcc.xx.rmit.edu.au

------------------------------

Date: Tue, 01 Jan 1980 08:01:15 +0000 (GMT)
From: Randy
Subject: Major Floppy/Boot Problem - Out of ideas! (PC)
X-Digest: Volume 9 : Issue 71

My floppy drive has recently stopped working properly, and I suspect a virus. I have tried everything I have read plus a few other things I thought of along the way. I am at my wit's end! Help!

My machine: No-name 486DX4-100 PCI, 8MB, Matrox MGA 2M VRAM, Maxtor 1024M HD, DOS 6.22, WfW 3.11.

I originally noticed the problem when Quicken (for DOS) attempted to back up at the end of a session and could not write to the floppy. I went out to scandisk the floppy. Scandisk could not access the floppy (actually, Scandisk successfully completed all phases except when it got to where it should have asked me if I wanted a surface scan, it errored out - this behavior continues.)

When I dir a floppy (any floppy), dir works fine. When I try to either copy from or to a floppy, I get this error message:

Sector not found ... drive A

When I try to boot from my original (write-protected) MS-DOS diskette, I get the Non-system disk error. This disk has NEVER had the write-protect off, since it doesn't even have the slider in it.

I have tried warm boots and cold boots. I have removed the battery and disconnected the power and let the machine sit for three days (thus having to reset all the BIOS settings.) I have tried disconnecting the hard drive altogether - same scenario. I have disabled the on-board FDC and put in a card. I have replaced the floppy drive.

A couple of weeks ago, I had the same problem when exiting Quicken. My local computer guru told me it sounded like a virus; so, I got NAV. I booted from my original DOS diskette, etc per the instructions. My system hung when WfW started, but on reboot, everything worked okay. NAV has never issued any warning regarding any virus. I have downloaded the most recent descriptions.
Any new ideas would be greatly appreciated!

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 71]
*****************************************
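Appended after the digest as an added example; it is not part of the digest and not code from any poster or product mentioned in it. It illustrates the point made in the "Re: McAfee's Scan" exchange above: a self-integrity check (a stored digest compared against the file on disk) catches a program that has been modified, but cannot see a companion file that sits beside an untouched executable, so a second, inventory-style check is needed for that case. The file names PROG.EXE, TOOL.EXE and PROG.COM and the function names are constructed for the demonstration; the files are tiny stand-ins created in a temporary directory, not real executables.

```python
# Added example (not from the digest or any poster): a baseline integrity
# check of the kind the "Re: McAfee's Scan" message describes, showing the
# companion-file blind spot it lists and the inventory check that closes it.
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Record the digest of every file present at baseline time."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def check_modified(directory, baseline):
    """Per-file check: compare only the files that were in the baseline.
    This is what a program's own self-integrity check amounts to."""
    changed = []
    for name, digest in baseline.items():
        path = os.path.join(directory, name)
        if os.path.exists(path) and sha256_of(path) != digest:
            changed.append(name)
    return changed


def check_inventory(directory, baseline):
    """Directory-inventory check: report files that were not in the baseline.
    A companion file leaves the original untouched, so only this view sees it."""
    return sorted(set(os.listdir(directory)) - set(baseline))


def demo():
    """Constructed scenario in a temporary directory (file names are made up).
    Returns (modified after an appending change, modified after a companion
    file appears, files the inventory check flags)."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data, mode="wb"):
            with open(os.path.join(d, name), mode) as f:
                f.write(data)

        write("PROG.EXE", b"MZ original program image")   # constructed sample
        write("TOOL.EXE", b"MZ another program image")    # constructed sample
        baseline = build_baseline(d)

        # Scenario 1: bytes appended to TOOL.EXE; its digest no longer matches.
        write("TOOL.EXE", b"...appended bytes...", mode="ab")
        modified = check_modified(d, baseline)

        # Scenario 2: a new PROG.COM appears beside an untouched PROG.EXE.
        # DOS resolves PROG.COM before PROG.EXE, yet PROG.EXE's own digest is
        # unchanged, so the per-file check stays silent; the inventory sees it.
        write("PROG.COM", b"constructed companion sample")
        modified_after_companion = check_modified(d, baseline)
        new_files = check_inventory(d, baseline)

        return modified, modified_after_companion, new_files


if __name__ == "__main__":
    print(demo())  # -> (['TOOL.EXE'], ['TOOL.EXE'], ['PROG.COM'])
```

The first two results are identical, which is the whole point of item b in the quoted list: the companion file changes nothing that the modified program could verify about itself. Only the inventory comparison reports PROG.COM, which is why a file-level self-check is an extra layer and not a replacement for a scanner.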