VIRUS-L Digest   Saturday, 8 Jun 1996   Volume 9 : Issue 91

Today's Topics:

Word Macro Virus on a large LAN
Thanks
Re: Scanning incoming mail
Re: Cryptoviruses
Re: Help with virus history
fp-223a.zip Virus Protection system by Fridrik Skulason
6th USENIX Security Symposium- Focusing on Applications of Cryptography
Re: Best antivirus program for NT ??? (NT)
McAfee Viruscan for DOS vs Viruscan for OS/2 (OS/2)
Virus detection in boot manager (OS/2)
Win95 + Mcafee 2.03 Word problem (WIN95)
McAfee Bug in Win95 ? (WIN95)
Re: NAV Auto-Protect not always loading (WIN95)
No Clean Boot from diskette under WIN95 (WIN95)
Re: Absolutely Bogus WPS Printer Driver VIRUS (WIN95)
Sudden loss of RAM memory in windows (WIN)
Bye (PC)
Re: F-Macro (PC)
Re: New Virus ? Help please. (PC)
Dull-Boy questions (PC)
Re: New Virus ? Help please. (PC)
Re: Disaster recovery of compressed volume (PC)
Re: F-Macro (PC)
Re: Hard disk partition disappeared (PC)
Re: Hard disk partition disappeared (PC)
Re: InVircible and Word macro rogueware (PC)
Re: Form (PC)
Re: Volume Label Virus (PC)
Boot-437 Help (PC)
Re: F-Macro (PC)
Re: fp-223 bug? (PC)
Re: Disaster recovery of compressed volume (PC)
Re: Were_wolf.1500 (PC)
Help disinfecting HLLO.RUW (PC)
CFP: 1997 Symposium on Network and Distributed System Security [long]

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 05 Jun 1996 15:32:48 +0100
From: "B.MacDonald"
Subject: Word Macro Virus on a large LAN
X-Digest: Volume 9 : Issue 91

We run MS Word 6.0 as part of our Office Pro system at work. We have two LANs, totalling over 150 PCs. We have had an outbreak of the Word Macro virus which we believe came in via a download from an agency in Italy. Since then it has spread throughout the organization.

A couple of points are noteworthy:

a. it spreads quickly, but not predictably

b. we have Norton Anti-Virus running in the background on each of our LAN subset servers. However, the NAV detection rate is very poor against this virus (off the top of my head, about 1 in 10 max).

c. we are using the Microsoft patch which also boasts inoculation against any re-infection. By our experience this is just NOT TRUE. We have had numerous re-infections against PCs supposedly *fixed* by this patch.

d. As a result of the above, we have been unable to gain the upper hand and eradicate the pest. We are now considering looking at other alternatives (eg, dumping Norton as well as the Microsoft patch and seeking solutions and protection elsewhere.) Dr Solomon's is high on our list of potential AV systems. We also are about to approach Dr S for a fix.

e. we are also considering modifying the software (ie, Macro & template files and directory = read only). However, this is a last resort as we would lose some important functionality.

Any solid definitive solutions to our plight gratefully received.
Dr Alan Solomon, are you or one of your folks out there?

--
B.MacDonald, Northwood, Middlesex, UK
E-mail burns@nthwd.demon.co.uk or burns@dircon.co.uk

------------------------------

Date: Thu, 06 Jun 1996 11:59:04 -0100
From: Antonio Stano
Subject: Thanks
X-Digest: Volume 9 : Issue 91

I want to thank you guys for the help in removing Wulf_1500. My best regards.

Antonio Stano

------------------------------

Date: Thu, 06 Jun 1996 20:30:22 +1030
From: Jazzman
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 91

Kolar Mahesh wrote:

> Eli Ross wrote in Digest: Volume 9 : Issue 87
>
> >Who produces the best anti-virus scanner for incoming Internet
> >files, ie, email (and attachments), newsgroup headers and
> >postings and WWW site downloading files?

[Blah deleted]

> MIMEsweeper (developed by Integralis) will scan your incoming files

Hold your horses. Get a grip. Just because you CAN abuse privacy does not mean you should. We as IT professionals should be careful that we do not twist our society into an Orwellian nightmare, just because we can. Scanning for viruses in incoming mail is a bigtime no-no. Tell me how it is different from eavesdropping on your employees' conversations in order to stop violent crimes? Both constitute gross abuse of privacy. Convince me otherwise.

==================================================================
Jase H. Przychodzen - Network Admin - Adelaide Institute of TAFE
Phone: 0414-393904   Fax: +61-8-3449089
Mail : mnemonic@pobox.com   WWW: http://www.dfw.net/~decker
- Standard Disclaimer

------------------------------

Date: Thu, 06 Jun 1996 11:30:44 +0000 (GMT)
From: "A.D.B.Monro"
Subject: Re: Cryptoviruses
X-Digest: Volume 9 : Issue 91

In article <0001.01I558WO6TI0UB9Q2Q@csc.canterbury.ac.nz> "Adam L. Young" writes:

> The paper: "Cryptovirology: Extortion-Based Security Threats and Countermeasures"
> can be downloaded from: http://www.cs.columbia.edu/~ayoung

Is there an ftp address for this?
Lynx doesn't seem to be able to access this document, and "ftp.cs.columbia.edu" gives unknown host.

Alex

------------------------------

Date: Thu, 06 Jun 1996 13:01:15 -0400 (EDT)
From: The Radio Gnome
Subject: Re: Help with virus history
X-Digest: Volume 9 : Issue 91

>From: Ted Davis
>erleg@sdinter.net wrote in Digest: Volume 9 : Issue 86:
>
>> I once read about two rogue programs that ran simultaneously in
>> order to protect each other. When one of the programs was removed
>> from memory, the remaining one would restore the first one again. This
>> would ensure that each one survived. The two programs had cute names
>> like Frick & Frack, Hansel & Gretel, or something to that effect.
>>
>> If anyone remembers this virus history, could you please point me
>> toward where I could find it again?
>
>The only thing that comes to my mind is the story about the Xerox "Robin
>Hood" hack. The story can be found in "The Jargon File", Appendix A
>(URL=http://www.eps.mcgill.ca/jargon/appa.htm)

Two high school hackers in my class wrote something like this back in 1979 on the West Chester (PA) Xerox CP5 system. 1 minute after starting the second 'module' the system would crash with "5700 out of granules".

BTW, that URL bombs with a 404 error :-(

------------------------------

Date: Thu, 06 Jun 1996 16:01:52 +0300
From: ts@UWasa.Fi (Timo Salmi)
Subject: fp-223a.zip Virus Protection system by Fridrik Skulason
X-Digest: Volume 9 : Issue 91

Thank you for your contribution.
This upload is now available as

744849 Jun 6 02:23 ftp://garbo.uwasa.fi/pc/virus/fp-223a.zip

: Date: Thu, 6 Jun 1996 12:08:21 +0000 (GMT)
: From: frisk@complex.is (Fridrik Skulason)
: To: pc-up@uwasa.fi
: Subject: fp-223a.zip F-PROT Anti-Virus 2.23 uploaded
:
: File name: fp-223a.zip
: One line description: Version 2.23a of the F-PROT anti-virus package
: Replaces: fp-223.zip
: Suggested Garbo directory:
: Uploader name & email: Fridrik Skulason (frisk@complex.is)
: Author or company: Frisk Software
: Email address: f-prot@sales.is, sales@complex.is, support@complex.is
: Surface address: Postholf 7180, IS-127 Reykjavik, Iceland
: Special requirements: No
: Shareware payment required from private users: No
: Shareware payment required from corporates: Yes
: Distribution limitations: May not be distributed together with viruses
: Demo: No
: Nagware: No (well, I don't think so)
: Self-documenting: Mostly
: External documentation included: Yes, some .DOC files.
: Source included: No
: Size: 740K
: 10 lines description:
:
: This version includes a few changes from 2.23, including a fix for a bug in
: 2.23, where F-PROT could run out of file handles while doing a heuristic
: scan. The reason for this problem was that when it encountered a
: non-executable file, the analyser would occasionally return with a result of
: "don't bother analysing this", and not close the file...resulting in a
: steady "leak" of file handles.
:
: We also added detection of a few viruses, as well as disinfection of the
: polymorphic Werewolf.1500 virus, which is "in the wild".
:
: The F-MACRO program has been updated to version 1.15, and some bugs in it
: have been fixed.

All the best, Timo

....................................................................
Prof. Timo Salmi   Co-moderator of news:comp.archives.msdos.announce
Moderating at ftp:// & http://garbo.uwasa.fi archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
ts@uwasa.fi   http://uwasa.fi/~ts   BBS 961-3170972; FIN-65101, Finland

------------------------------

Date: Fri, 07 Jun 1996 10:29:22 -0700 (PDT)
From: Toni Veglia
Subject: 6th USENIX Security Symposium- Focusing on Applications of Cryptography
X-Digest: Volume 9 : Issue 91

If you are responsible for your company's computer security, you may want to attend the 6th USENIX Security Symposium - Focusing on Applications of Cryptography, in San Jose, CA, July 22-25, 1996. There will be refereed papers, invited talks, BoFs, and Vendor Exhibits. Tutorial speakers include Ed DeHard, CERT; Dan Geer, Open Market; Jon Rochlis, BBN Planet; Marcus Ranum, V-One; Matt Bishop, UC Davis; and Bruce Schneier, Counterpane Systems.

For detailed information, please visit our Web site: http://www.usenix.org, or send email to: conference@usenix.org.

------------------------------

Date: Thu, 06 Jun 1996 15:48:51 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Best antivirus program for NT ??? (NT)
X-Digest: Volume 9 : Issue 91

Per Eriksson wrote:

> Has anyone got a suggestion about a good antivirus program
> for running on a NT 3.51-server ?? I would like to have it
> scanning for viruses on the server's disks and incoming
> files, and possibly even on the remote workstations.

InVircible runs on NT servers and workstations as well as under DOS, Win 3.x and Win 95 with a single multi-platform version. IV can run from the network login script on shared and remote drives. It can also be configured to refuse access to the net from an infected workstation. The last version has the new integrated security auditing features added. Available from the vendors' sites as well as those in my signature.
Regards, Zvi

--
--------------------------------------------------------------------
NetZ Computing Ltd, Israel   Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
CompuServe: go INVIRCIBLE   ftp.netzcomp.com   www.invircible.com
E-mail: netz@actcom.co.il   netz@netzcomp.com   Compuserve: 76702,3423
--------------------------------------------------------------------

------------------------------

Date: Thu, 06 Jun 1996 16:17:20 +0000 (GMT)
From: Tom Williams
Subject: McAfee Viruscan for DOS vs Viruscan for OS/2 (OS/2)
X-Digest: Volume 9 : Issue 91

Hello. Has anyone out there had problems with the OS/2 version of Viruscan not reporting viruses that the DOS version finds and cleans? I don't know if I can trust the OS/2 version and if that's the case, how can I scan my HPFS drives? Any help would be greatly appreciated.

Thanks in advance....

Tom Williams
tom.williams@dssi-jcl.com

------------------------------

Date: Fri, 07 Jun 1996 08:08:23 +0000 (GMT)
From: Yew Teik Meng
Subject: Virus detection in boot manager (OS/2)
X-Digest: Volume 9 : Issue 91

I'm sorry if this has been posted before, but I want to know whether normal DOS virus scanners like Sweep will be able to detect a boot sector virus residing in the Boot Manager (from OS/2)?... If so, is the virus removal as simple as just writing fdisk /mbr?... Or maybe using some other virus removal programs is required; if so, could anyone recommend anything...?

Thanks in advance for any help given... and please e-mail me any answers.

Yew

------------------------------

Date: Thu, 06 Jun 1996 10:18:39 +0000 (GMT)
From: ken
Subject: Win95 + Mcafee 2.03 Word problem (WIN95)
X-Digest: Volume 9 : Issue 91

When I install McAfee 2.03 for 95 it doesn't install or find MS Word. I install it on my home machine and it finds and installs the macro protection. Need help, Thanks. I also checked the FAQs at McAfee. No fixes found yet.
Thanks

------------------------------

Date: Thu, 06 Jun 1996 17:56:26 +0000 (GMT)
From: Joseph Martellotta
Subject: McAfee Bug in Win95 ? (WIN95)
X-Digest: Volume 9 : Issue 91

I downloaded McAfee Windows95 virusscan 2.03. Every time I exit win95 it accesses the "a" drive, no matter what options I change such as scan on exit etc. I telephoned McAfee about this twice, with no results. I initially installed it on a laptop; when I noticed this, I uninstalled it and the problem went away. I installed it on 2 other computers using win95 and the same problem occurs... Any help or suggestions will be appreciated.

Joe
martell@midget.towson.edu

------------------------------

Date: Thu, 06 Jun 1996 18:14:32 +0000 (GMT)
From: "Dale A. Whittemore"
Subject: Re: NAV Auto-Protect not always loading (WIN95)
X-Digest: Volume 9 : Issue 91

George wrote:

>I am running NAV for Win95 and have all of the latest signature files
>including this month (May).
>
>For the last 2 months, every now and then, the NAV Auto-Protect Icon will
>not load in the window with the clock on the taskbar when I boot up. When
>that happens I re-boot, then the Icon loads into the window where it
>belongs.
>
>It seems to have started doing this since I loaded the April signatures,
>but I can't be positive. Again today I had to re-boot twice for the Icon
>to show up in that window with the clock.

Have you installed the patch for the win95 version of NAV? I don't know if this will fix your problem but when I added the April update, I read where I had to install the patch if my NAV was dated before December 1995.

On another note, the June 96 virus update file is available at FTP.SYMANTEC.COM

Dale Whittemore
"Not employed by nor have any interest in SYMANTEC other than I use NAV also"

------------------------------

Date: Fri, 07 Jun 1996 12:55:02 -0400
From: "Bob Witham Jr."
Subject: No Clean Boot from diskette under WIN95 (WIN95)
X-Digest: Volume 9 : Issue 91

I have encountered an interesting problem with WIN95, and I was wondering if others had encountered it.

I know it is generally recommended to boot from a clean bootable floppy before attempting to clean boot sector viruses. I infected the hard drive of a DOS 6.22 / WIN3.1 machine with ANTIEXE, NYB, and ANTICMOS.A (not at the same time). I then attempted to clean boot using a system floppy created on a WIN95 machine. When I ran McAfee SCAN, I got a message indicating that memory was infected with the virus, and I should boot from a clean floppy. And yes, the diskettes are clean. I have two machines, and I checked the floppy on the second machine and there are no viruses on the floppy. I also use two different floppies formatted on different machines. If I booted from a DOS 6.22 diskette, the virus was not active in memory.

I did get some information from one source indicating problems when booting from drives with extended partitions, but this machine has a drive of only 405 Mb. I thought the extended partition thing was only on drives over 1 Gb in size, though I must admit I do not completely understand the 'extended partition' problem anyhow.

At any rate, it appears that it is impossible to "clean boot" using a WIN95 formatted system disk. Can anyone else verify this or has anyone else encountered this?

Thanks,

Bob Witham Jr.
Info Sys Security Analyst
Bureau of Info Svcs
State of Maine

------------------------------

Date: Fri, 07 Jun 1996 20:24:52 -0500
From: "rbryan@nettap.com"
Subject: Re: Absolutely Bogus WPS Printer Driver VIRUS (WIN95)
X-Digest: Volume 9 : Issue 91

melodiem@ix.netcom.com wrote:

> My first virus was either caught or activated today - most likely
> from the web. It changes my HP 5L printer driver to "Absolutely
> Bogus WPS Printer Driver' and won't let me revert back to the old
> drivers - although they are there.
>
> I ran a text search for the phrase "absolutely bogus WPS.." and 4
> files were returned

[snip]

Just for the heck of it, do you have a current McAfee scanner you can try on it? You ought to save those files on floppies and I believe McAfee has facilities for you to upload, or maybe it's mail, virus infected files to them to be checked out.

Let us know how it comes out. Good luck!

------------------------------

Date: Thu, 06 Jun 1996 19:58:25 -0700
From: Douglas
Subject: Sudden loss of RAM memory in windows (WIN)
X-Digest: Volume 9 : Issue 91

I have 20 megs of RAM running on my 486DX4/100. All of the sudden while attempting to check my mail, through Netscape 2.01, I was given an error message stating that I was out of memory and to close any programs or windows that were open. Well, the only program running was Netscape. However, prior to this loss of memory, I had received 4 emails from the same person (didn't recognize the name of the sender). 3 of the four emails were empty and the fourth was a letter. Nothing really seemed suspect, until I attempted to delete the messages; that's when I got the out of memory error. I exited to DOS through Windows to do a "mem" check and out of 20,480K total, 18,887K was being used and only 1,593K was free. Is it possible something in the email did this? Any suggestions on how I can get my RAM to work right again would sure be greatly appreciated.

Thank you
Douglas

P.S. and since I am not able to access my email because of the loss of memory, a response posted here would be best. Thanks again!

------------------------------

Date: Thu, 06 Jun 1996 12:30:30 +0200
From: Bent Schack Iversen
Subject: Bye (PC)
X-Digest: Volume 9 : Issue 91

Our computer has been infected by the memory-virus Bye. How can we remove it???
Thanks

Bent Schack Iversen
bent-schack.iversen@jrc.it

------------------------------

Date: Thu, 06 Jun 1996 09:05:31 +0000
From: Fridrik Skulason
Subject: Re: F-Macro (PC)
X-Digest: Volume 9 : Issue 91

Michael Kessler wrote:

> I just downloaded the latest version of F-Prot which contains the
> F-Macro program that eliminates Word macro viruses. I have a problem
> with it: When I try to scan a disk, it will freeze on one file or
> another, and then the station must be rebooted.

I believe this (and other problems) was fixed in 2.23a, which is being released right now.

-frisk

--
Fridrik Skulason   Frisk Software International   phone: +354-5-617273
Author of F-PROT   E-mail: frisk@complex.is       fax: +354-5-617274

------------------------------

Date: Thu, 06 Jun 1996 12:12:31 +0000
From: Fridrik Skulason
Subject: Re: New Virus ? Help please. (PC)
X-Digest: Volume 9 : Issue 91

In <0012.01I5J3SUT73UUBAT4D@csc.canterbury.ac.nz> Frank Bucher writes:

>I got a Problem on one of our PCs, and think it might be a new virus,
>though neither the McAfee nor the F-Prot antivirus programs found any
>hints of a virus.
>
>Is it a Virus?

probably yes....possibly the new polymorphic 'Hari' virus, which has been reported all over the world in the past few days....however, without a sample it is not possible to say for certain if it is that or a different one.

-frisk

--
Fridrik Skulason   Frisk Software International   phone: +354-5-617273
Author of F-PROT   E-mail: frisk@complex.is       fax: +354-5-617274

------------------------------

Date: Thu, 06 Jun 1996 15:40:47 +0000 (GMT)
From: Jose Luis Cilleruelo
Subject: Dull-Boy questions (PC)
X-Digest: Volume 9 : Issue 91

Recently when scanning my PC I got the presence of Dull-Boy virus. Does anybody know its behaviour? ... and how to remove it?

Thanks

Jose-Luis
jlc@sers002.rpi.ses.alcatel.es

------------------------------

Date: Thu, 06 Jun 1996 15:48:43 +0000 (GMT)
From: Zvi Netiv
Subject: Re: New Virus ? Help please. (PC)
X-Digest: Volume 9 : Issue 91

George Wenzel wrote to Frank Bucher:

>> Every .com file I once started had 7679 bytes more than before the start.
>> Most COM Files wouldn't work afterwards. I thought about a Virus,
>> and booted the PC with a Floppy, to let a scanner do its work.
>>
>> But after I Booted from Floppy disk, there was no Hard disk anymore.
>
> This is common with viruses - just place the AV program on the floppy, and
> run it from there, ignoring the fact that DOS can't see the drive. The AV
> program can, and can still remove the virus.

Nonsense, no program can access files on an inaccessible drive, not even antivirus programs. Besides, the user DID boot clean from a floppy and ran two AV programs (McAfee and F-Prot, neither found anything).

>> I decided to save my data from the disk and rebuild the Disk completely.
>> So after the backup I booted from a clean disk, ran fdisk (/mbr first)
>
> NO!!! You backed it up, right? I'd suggest restoring the backup (if it's
> possible still), booting clean, and running the AV program. If this sort
> of thing happens again - read the FAQ - it details quite explicitly why
> NOT to use Fdisk. Your situation is a prime example of why Fdisk is a BAD
> idea.

Beware of amateurish and bad advice. Mr. Bucher acted correctly. He first backed up his DATA then ran FDISK before reformatting, to make sure the MBR is clean. Finally, he rebuilt the applications from source. FDISK/MBR is perfectly okay in these circumstances although I doubt this is what he did. Since the partition was inaccessible then he necessarily created a new one, possibly followed with fdisk/mbr, for luck! :-)

The fdisk/mbr conditioning syndrome is known to have adverse effects on perception for details and logical reasoning.

>> and formatted the Partitions. After I had almost everything new installed
>> on the PC the same things happened again. Maybe I copied an infected file
>> back on the system, but I thought I deleted every file that could
>> distribute a virus.
>
> Viruses don't always get transmitted via files. It's likely you had a
> boot sector virus. If possible, restore the backup, and do as I recommend
> above.

More bad advice.

>> This time I tried to get rid of the Problem by deleting the infected
>> files, rebuild the partitions, delete the System from the disk and restore
>> everything from clean disks.
>>
>> But it doesn't work. The things occur again, but no viruses were found!
>
> I believe you did have a virus, and then the cleanup was botched.
> If you have a backup, try restoring it and doing as I recommended above.

Going back to the original post, it appears that the virus in question is a multipartite, possibly new virus, since COM files increased by 7679 bytes and the partition was inaccessible from clean boot. This would explain the reappearance of the virus after rebuilding the hard disk from scratch. One infected COM file is all that it takes to restart the infection all over again.

Installing InVircible immediately after rebuilding the hard drive and using the correlator, IVX, can spot the culprit in no time, whether new or common. No need to guess or improvise. IV is also handy in restoring rapidly the MBR, boot sector and files, instead of needing to rebuild the drive time after time.
Regards, Zvi

--
--------------------------------------------------------------------
NetZ Computing Ltd, Israel   Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
CompuServe: go INVIRCIBLE   ftp.netzcomp.com   www.invircible.com
E-mail: netz@actcom.co.il   netz@netzcomp.com   Compuserve: 76702,3423
--------------------------------------------------------------------

------------------------------

Date: Thu, 06 Jun 1996 15:48:56 +0000 (GMT)
From: Zvi Netiv
Subject: Re: Disaster recovery of compressed volume (PC)
X-Digest: Volume 9 : Issue 91

George Wenzel wrote:

> Zvi Netiv wrote:
>
>> And last, consider if dubious virus _prevention_ is worth risking your
>> data. The most dangerous are anti virus TSR, activity blockers and VxD.
>> As a rule, any program that may intervene and block an ongoing process
>> is a much bigger threat than what it tries to prevent.
>
> I would really doubt this statement. TSRs and VxD's intercept a call to a
> file, scan it, and then pass on the call if the file is clean. Sure, this
> causes some system slowdown, but the amount of protection it provides is
> well worth it.

The original poster lost 800 meg of data and files for no viral reason at all, just because he had an AV TSR misfiring. In thousands of reported infections, nobody suffered such extreme damage from a virus. The best protected are those that use generic and integrity based AV - no virus damage at all.

To take it to the extreme: You are better off without antiviral software at all than being exposed to even one in 10,000 chance that an antiviral will misfire. Just an hour ago we recovered over the phone (the third drive today) a 1.6 gig drive that was downed by a TSR misfire. From statistics based on actual incidents the chances of losing the hard disk in a year are 1 in 600 if using an AV TSR or VxD, compared to 1 in 5000 if not, from other reasons.
Your chances to incur comparable virus damage without an antivirus at all are smaller than 1 in 100,000. With generic AV they are less than one in a million; hardware reliability becomes the dominant factor then.

As for slowdown, here is a simple test anyone can do. Run each of the following programs on a single directory with sufficient files in it, say C:\DOS, and note the time it takes with and without the AV TSR loaded to memory. When testing with Dr. Solomon's GUARD 7.59, F-Prot took 2.5 times longer with Guard than without it (a net loss of performance of 60%), Integrity Master took 5 times longer (80% performance loss!) and IVB took 16 times longer (94% performance loss!). Just six months ago, with Guard version 7.54, these figures were 50% better than today's. With the constantly increasing number of viruses, you may assume performance degradation of 75% per year. The risk of misfiring roughly doubles per year.

My advice is to stay away from on-access and on-execution antivirals. Use integrity based and generic AV for ongoing protection, and scan new software with a good scanner.

Regards, Zvi

--
--------------------------------------------------------------------
NetZ Computing Ltd, Israel   Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
CompuServe: go INVIRCIBLE   ftp.netzcomp.com   www.invircible.com
E-mail: netz@actcom.co.il   netz@netzcomp.com   Compuserve: 76702,3423
--------------------------------------------------------------------

------------------------------

Date: Thu, 06 Jun 1996 04:45:32 +0000 (GMT)
From: George Wenzel
Subject: Re: F-Macro (PC)
X-Digest: Volume 9 : Issue 91

In article <0010.01I5LMCGWKKYUBAT4D@csc.canterbury.ac.nz>, "Mikko H. Hypponen" wrote:

>George Wenzel (gwenzel@gpu.srv.ualberta.ca) wrote on the same subject:
>> you might want to contact frisk@complex.is to see if he can help.
>
>Please direct any queries on F-MACRO to Data Fellows' support
>at F-PROT-Support@datafellows.com.
>F-MACRO is developed here.

Oops... my mistake... I was assuming that Frisk put together the whole Shareware version. I suppose I should have read the documentation a little more closely. :-)

>In any case, support issues on the shareware version of F-PROT should
>not be sent personally to Fridrik Skulason; use the support address
>f-prot@complex.is instead (and you'll probably get an answer sooner).

Once again, my mistake. My apologies to Frisk for any increased mail.

Regards,
George Wenzel

--
George Wenzel
Student of Wado Kai Karate
U of A Karate Club
HTTP://www.ualberta.ca/~gwenzel/

------------------------------

Date: Thu, 06 Jun 1996 05:03:45 +0000 (GMT)
From: George Wenzel
Subject: Re: Hard disk partition disappeared (PC)
X-Digest: Volume 9 : Issue 91

In article <0004.01I5LMCGWKKYUBAT4D@csc.canterbury.ac.nz>, Zvi Netiv wrote:

>The interesting part is the role of AV. In 80% of the cases, antivirus
>TSR/VxD was running on the machines at the time they crashed. Only about
>15% or less of the surveyed computers population use any form of antivirus
>TSR or VxD. Therefore, AV TSR / VxD contribute in increasing the chances
>of such incident to occur. Other factors are bad or poorly designed
>software and sheer statistics.

This is, of course, 80% of incidents reported to you, which is a tiny minority compared to the amount of people using AV TSR's and VxD's. Most people run these programs with absolutely no problems (myself included).

>As far as on-access / on-execution virus prevention is concerned, the cure
>is more dangerous than the disease itself. It is also redundant,
>especially so since there is a better and safer alternative.

People would debate whether your alternative is better and safer. Many people (myself included) have protected themselves from becoming infected because they were using a TSR/VxD.
I believe that TSR's and VxD's are indeed safe and effective layers in an anti-virus strategy.

>PS. Forgot to mention: Cats have four legs and one tail. Ducking out. :-)

Perhaps you didn't look closely enough. Lucky has four legs and one tail. One of his legs isn't visible because of the angle you're viewing him.

Regards,
George Wenzel

--
George Wenzel
Student of Wado Kai Karate
U of A Karate Club
HTTP://www.ualberta.ca/~gwenzel/

------------------------------

Date: Thu, 06 Jun 1996 17:16:27 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Hard disk partition disappeared (PC)
X-Digest: Volume 9 : Issue 91

In article <0004.01I5LMCGWKKYUBAT4D@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:

> The interesting part is the role of AV. In 80% of the cases, antivirus
> TSR/VxD was running on the machines at the time they crashed. Only about
> 15% or less of the surveyed computers population use any form of antivirus
> TSR or VxD. Therefore, AV TSR / VxD contribute in increasing the chances
> of such incident to occur. Other factors are bad or poorly designed
> software and sheer statistics.

Bogus statistics. This is exactly what you would expect in a population where 80 percent of computers were running TSR/VxDs, when that had no connection with the problem. You cannot produce valid statistics on the affected population alone; you must have figures on the unaffected population as well, to make a valid statistical correlation. There is also an issue of the size of the sample, which you do not mention, so it is probably too small to render valid statistics.

That having been pointed out, I must also say that I have no confidence in the accuracy of your reporting of the figures you do report. We have seen too much distortion in your past statements.
--
THE CHICK HE WED
LET OUT A WHOOP
FELT HIS CHIN AND
FLEW THE COOP
Burma-Shave

------------------------------

Date: Fri, 07 Jun 1996 10:41:15 +0000 (GMT)
From: Larry Dehaan
Subject: Re: InVircible and Word macro rogueware (PC)
X-Digest: Volume 9 : Issue 91

Iolo Davidson wrote:

>Works with 100% of viruses! Never needs updating!

I'd rather take my chances with Perfect.Bat!

--
=LDH=

------------------------------

Date: Thu, 06 Jun 1996 20:45:32 -0400
From: Bill lambdin
Subject: Re: Form (PC)
X-Digest: Volume 9 : Issue 91

Earlier, I posted a message explaining how users can safely remove the FORM and BOOT.437 viruses by SYSing the active partition on the hard drive.

Some people took exception to the fact that I released this technique in public instead of directing users to use this routine in private E-Mail.

The routine is safe, and works quite well. I have been using this technique for a long time, and would not have posted this unless I had had success with it.

Most of the people that read Virus-L also read other forums relating to viruses. I posted this routine publicly to prevent users from recommending this technique for viruses other than the two intended. This way the disclaimer and caveats are a matter of public record.
Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                  PGP fingerprints   9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                         C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 07 Jun 1996 05:11:50 +0000 (GMT)
From: Aryeh Goretsky
Subject: Re: Volume Label Virus (PC)
X-Digest: Volume 9 : Issue 91

Jimmy's paper, "What's NOT a Virus" can be found at ftp://ftp.ncsa.com/pub/notvirus.txt

Regards,
Aryeh Goretsky

- -
______________________________________________________________________________
Mr Aryeh Goretsky           EMAIL goretsky@netcom.com
627 W Midland Ave           CompuServe 76702,1714
Woodland Park, CO           TEL +1 (719) 687-0480
USA 80863-1100              FAX +1 (719) 687-0716

------------------------------

Date: Fri, 07 Jun 1996 09:25:06 -0700
From: Feuchaux Alain
Subject: Boot-437 Help (PC)
X-Digest: Volume 9 : Issue 91

I got a Boot-437 virus on my system and I can't remove it with NAV or F-Prot shareware. Can somebody help me!

Regards.
feuch@distri.be

------------------------------

Date: Fri, 07 Jun 1996 17:24:53 -0500
From: "R. Zalk"
Subject: Re: F-Macro (PC)
X-Digest: Volume 9 : Issue 91

Just use the latest McAfee AV, it does the trick. Make sure you get the DAT9605.ZIP file, this contains a fully functional Word virus remover.

http://www.macafee.com

Good Luck!
RZ of EZ

------------------------------

Date: Fri, 07 Jun 1996 15:03:40 +0000
From: Fridrik Skulason
Subject: Re: fp-223 bug? (PC)
X-Digest: Volume 9 : Issue 91

In <0013.01I5J3SUT73UUBAT4D@csc.canterbury.ac.nz> David Shao writes:

>If I am misusing the product could you tell me what I am doing
>wrong? I never had this occur using F-PROT 2.22.

Ok...basically there are two different issues:

1) The "Error opening F2___TMP.TMP" message. This is normal - this file is open and in use. However, F-PROT only attempts to scan this file if it is set to scan *all* files, which is in general a waste of time.
2) The "error opening file", which happens in heuristic scan, after a large number of files has been scanned.....this is a bug, which was fixed in 2.23a.

I hope this clarifies things....

-frisk

- -
Fridrik Skulason      Frisk Software International      phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-5-617274

------------------------------

Date: Fri, 07 Jun 1996 13:03:33 -0400
From: OllyConen
Subject: Re: Disaster recovery of compressed volume (PC)
X-Digest: Volume 9 : Issue 91

In article <0016.01I5KH2RENKGUBAT4D@csc.canterbury.ac.nz>, George Wenzel writes:

>>And last, consider if dubious virus _prevention_ is worth risking your
>>data. The most dangerous are anti virus TSR, activity blockers and VxD.
>>As a rule, any program that may intervene and block an ongoing process
>>is a much bigger threat than what it tries to prevent.
>
>I would really doubt this statement. TSRs and VxD's intercept a call to a
>file, scan it, and then pass on the call if the file is clean. Sure, this
>causes some system slowdown, but the amount of protection it provides is
>well worth it. Judging from the number of people that use these types of
>products, and the relative number of problems with them, I'd say that
>they are well worth any risk that they provide. I use a VxD constantly,
>and have never had a problem with it. I would have had problems with
>viruses, though, if the VxD hadn't caught them before they became
>something for me to worry about.

Yes, that's right. I prefer a slight slowdown at work rather than having a virus and losing important data! I'm using a VxD under Windows95 and have never had any problems!

Ciao,
OLLY

------------------------------

Date: Fri, 07 Jun 1996 19:59:25 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Were_wolf.1500 (PC)
X-Digest: Volume 9 : Issue 91

Zvi Netiv writes:

>Antonio Stano wrote:
>> Guys i got Were_wolf.1500 virus..found only with f-prot 2.23 ..how can i
>> clean it??
>
>The latter versions of Dr. Solomon (7.59 and 7.60) remove WereWolf
>(checked!). I suppose F-Prot will remove it too in their next version, if
>you have the patience to wait.

McAfee's Scan can detect and remove as well. All the major products maintain a vigilance against outbreaks such as this.

>The name of the virus is Wulf.1500, WereWolf is the writer alias and to

The CARO name for the virus is Werewolf.1500. There apparently are two minor variants (for the really picky) but as the removal information for both is the same, that may not be relevant.

(I hate when anyone says, "The name of the virus is..." Maybe, "We call it..." Or, " said..." But "The name of the virus is..." is never valid in this industry.)

>this date he released seven viruses, some are in the wild. Wulf first
>appeared in France in February but spread rapidly, since at the beginning
>of April it already paralyzed an international company's HQ for four days
>(a few hundred PCs and servers).

The 1500 byte version seems very widespread. All variants are in the wild (ITW) to some extent, but the 1500 byte variant seems all over the world. We believe it must have gotten posted on Internet or some-like. Another variant, Werewolf.1367, which might also be known as Fullmoon, is also ITW more than the others. The author is indeed from France and all but the 1500 variant can be traced to first originating in France. But as I said, the 1500 spread way far, way fast.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Fri, 07 Jun 1996 21:26:05 -0700
From: "Scott J. Dygert"
Subject: Help disinfecting HLLO.RUW (PC)
X-Digest: Volume 9 : Issue 91

After doing a scan, PC-CILLIN detected a virus "HLLO.RUW" in my C:\PBTOOLS\BACKUP\AUTO-DET.EXE file. PC-CILLIN gives a message when I attempt to clean it indicating that it cannot clean that file. I'm not sure what the file that is infected does, or what kind of damage this virus can or could do. Any help or suggestions are definitely appreciated.

Thank you,
Scott J. Dygert

------------------------------

Date: Fri, 07 Jun 1996 13:20:17 -0700
From: Matt Bishop
Subject: CFP: 1997 Symposium on Network and Distributed System Security [long]
X-Digest: Volume 9 : Issue 91

CALL FOR PAPERS

The Internet Society Symposium on Network and Distributed System Security
February 10-11, 1997, San Diego Princess Resort, San Diego, California

Submissions due:          August 1, 1996
Notification to Authors:  October 1, 1996
Camera-Ready Copy due:    November 1, 1996

GOAL:

The symposium will bring together people who are building hardware and software to provide network and distributed system security services. The symposium is intended for those interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Symposium proceedings will be published by the IEEE Computer Society Press.

Topics for the symposium include, but are not limited to, the following:

* Design and implementation of communication security services: authentication, integrity, confidentiality, authorization, non-repudiation, and availability.

* Design and implementation of security mechanisms, services, and APIs to support communication security services, key management and certification infrastructures, audit, and intrusion detection.

* Requirements and designs for securing network information resources and tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.

* Requirements and designs for systems supporting electronic commerce -- payment services, fee-for-access, EDI, notary -- endorsement, licensing, bonding, and other forms of assurance.

* Design and implementation of measures for controlling network communication -- firewalls, packet filters, application gateways, and user/host authentication schemes.
* Requirements and designs for telecommunications security especially for emerging technologies -- very large systems like the Internet, high-speed systems like the gigabit testbeds, wireless systems, and personal communication systems.

* Special issues and problems in security architecture, such as interplay between security goals and other goals -- efficiency, reliability, interoperability, resource sharing, and cost.

* Integration of security services with system and application security facilities, and application protocols -- including but not limited to message handling, file transport, remote file access, directories, time synchronization, data base management, routing, voice and video multicast, network management, boot services, and mobile computing.

GENERAL CHAIR:
David Balenson, Trusted Information Systems

PROGRAM CHAIRS:
Clifford Neuman, University of Southern California
Matt Bishop, University of California at Davis

PROGRAM COMMITTEE:
Steve Bellovin, AT&T Research
Tom Berson, Anagram Laboratories
Doug Engert, Argonne National Laboratory
Warwick Ford, Bell Northern Research
Richard Graveman, Bellcore
Li Gong, SRI
Burt Kaliski, RSA Laboratories
Steve Kent, BBN
Tom Longstaff, CERT
Doug Maughan, National Security Agency
Dan Nessett, Sun Microsystems
Hilarie Orman, DARPA
Michael Roe, Cambridge University
Christoph Schuba, Purdue University
Jonathan Trostle, CyberSafe
Theodore Ts'o, Massachusetts Institute of Technology
Doug Tygar, Carnegie Mellon University
Vijay Varadharajan, University of W. Sydney
Roberto Zamparo, Telia Research

LOCAL ARRANGEMENTS CHAIR:
Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
Steve Welke, Institute for Defense Analyses

REGISTRATIONS CHAIR:
Donna Leggett, Internet Society

SUBMISSIONS:

The committee invites technical papers and panel proposals for topics of technical and general interest. Technical papers should be 10-20 pages in length.
Panel proposals should be two pages and should describe the topic, identify the panel chair, explain the format of the panel, and list three to four potential panelists. Technical papers will appear in the proceedings. A description of each panel will appear in the proceedings, and may at the discretion of the panel chair, include written position statements from each panelist.

Each submission must contain a separate title page with the type of submission (paper or panel), the title or topic, the names of the author(s), organizational affiliation(s), telephone and FAX numbers, postal addresses, Internet electronic mail addresses, and must list a single point of contact if more than one author. The names of authors, affiliations, and other identifying information should appear only on the separate title page.

Submissions must be received by 1 August 1996, and should be made via electronic mail in either PostScript or ASCII format. If the committee is unable to print a PostScript submission, it will be returned and hardcopy requested. Therefore, PostScript submissions should arrive well before 1 August. If electronic submission is difficult, submissions should be sent via postal mail.

All submissions and program related correspondence (only) should be directed to the program chair: Clifford Neuman, University of Southern California, Information Sciences Institute, 4676 Admiralty Way, Marina del Rey, California 90292-6695, Phone: +1 (310) 822-1511, FAX: +1 (310) 823-6714, Email: sndss97-submissions@isi.edu.

Dates, final call for papers, advance program, and registration information will be available at the URL: http://www.isoc.org/conferences/ndss97.

Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact the program chair as indicated above.

Authors and panelists will be notified of acceptance by 1 October 1996. Instructions for preparing camera-ready copy for the proceedings will be sent at that time.
The camera-ready copy must be received by 1 November 1996.

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 91]
*****************************************