VIRUS-L Digest   Sunday, 9 Jun 1996    Volume 9 : Issue 92

Today's Topics:

Re: Word Macro Virus on a large LAN
Re: Scanning incoming mail
Re: Scanning incoming mail
Re: Best antivirus program for NT ??? (NT)
Re: McAfee Viruscan for DOS vs Viruscan for OS/2 (OS/2)
Re: Virus detection in boot manager (OS/2)
Re: Sudden loss of RAM memory in windows (WIN)
Re: Disaster recovery of compressed volume (PC)
Re: ResQdisk - Please Help (PC)
Re: 850MB HD now 333MB--virus? Clock is messy to(PC)
Re: Disaster recovery of compressed volume (PC)
Re: Bye (PC)
Re: Dull-Boy questions (PC)
Re: Help disinfecting HLLO.RUW (PC)
Re: Disaster recovery of compressed volume (PC)
Re: New Virus ? Help please. (PC)
How to rewrite the MasterBoot ? (PC)
Strange timing behavior...possible virus? (PC)
Re: New Virus ? Help please. (PC)
Re: Disaster recovery of compressed volume (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l.  The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me
at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still be
sent to Ken van Wyk at: krvw@mnsinc.com.)  All submissions should be
sent to: VIRUS-L@Lehigh.edu.
Nick FitzGerald

----------------------------------------------------------------------

Date: Sat, 08 Jun 1996 15:10 +0000
From: Graham Cluley
Subject: Re: Word Macro Virus on a large LAN
X-Digest: Volume 9 : Issue 92
In-Reply-To: <01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>

"B.MacDonald" writes:

> We run MS Word 6.0 as part of our Office Pro system at work. We have two
> LANs, totalling over 150 PCs. We have had an outbreak of the Word
> Macro virus which we believe came in via a download from an agency in
> Italy. Since then it has spread throughout the organization. A couple of
> points are noteworthy:
>
> a. it spreads quickly, but not predictably
>
> b. we have Norton Anti-Virus running in the background on each of our
> LAN subset servers. However, the NAV detection rate is very poor against
> this virus (off the top of my head, about 1 in 10 max).

You don't say which macro virus you are encountering. I am presuming
that it's Concept as that is the most widespread - by far - of any of
the macro viruses.

> c. we are using the Microsoft patch which also boasts inoculation
> against any re-infection. By our experience this is just NOT TRUE. We
> have had numerous re-infections on PCs supposedly *fixed* by this
> patch.

I've heard reports from many users who have had bad experiences of the
Microsoft "fix". My recommendation would be to leave the anti-virus
stuff to the anti-virus specialists rather than Microsoft.

> d. As a result of the above, we have been unable to gain the upper hand
> and eradicate the pest. We are now considering looking at other
> alternatives (eg, dumping Norton as well as the Microsoft patch and
> seeking solutions and protection elsewhere.) Dr Solomon's is high on our
> list of potential AV systems. We also are about to approach Dr S for a
> fix.

Dr Solomon's have a 32-bit VxD for on-access virus protection under
Windows 3.x and Windows 95. It is available in a different form for
Novell NetWare servers.
We are also just about to release the same protection for Windows NT
workstations and servers.

This means that a macro virus gets intercepted (and named by name)
whenever an infected document is accessed. Not just when someone tries
to load the infected document into MS Word, but when it gets copied
from disk, or someone tries to email it, etc. This means the virus
infection gets "strangled to death" and has no chance of spreading any
further or reinfecting.

> e. we are also considering modifying the software (ie, Macro & template
> files and directory = read only). However, this is a last resort as we
> would lose some important functionality.

Quite. It would also not work with a macro virus which changed the
attributes of these files. A specific anti-virus solution would be best.

> Any solid definitive solutions to our plight gratefully received.

I'd recommend Dr Solomon's WinGuard - apart from the macro viruses it
will also protect you against the regular viruses, including the complex
polymorphics. It's easy for your users as well - they're unaware that
they're running it unless a virus is intercepted.

> Dr Alan Solomon, are you or one of your folks out there?

Sure are. Contact details in the sig. You'll find a lot of information
about macro viruses which may be of use to you on our website.

Regards
Graham

-- 
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400

------------------------------

Date: Sat, 08 Jun 1996 20:42:58 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 92

In article <0003.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>
mnemonic@pobox.com "Jazzman" writes:

> Scanning for viruses in incoming mail is a bigtime no-no.
> Tell me how is it different from eavesdropping on your employees'
> conversations in order to stop violent crimes?

I understand that employers in the USA have the right in law to read
any correspondence passing through their premises and equipment. When
you are in the workplace, security and privacy belong to the company.
Keep your own private stuff at home.

> Both constitute gross abuse of privacy. Convince me otherwise.

Logical fallacy. "The government is controlled by Alpha Centaurans.
Convince me otherwise."

-- 
                  THE CHICK
FELT HIS CHIN     AND HE WED
FLEW THE COOP     LET OUT A WHOOP
                      Burma-Shave

------------------------------

Date: Sat, 08 Jun 1996 18:33:07 -0700 (PDT)
From: watson@tds.com
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 92

Jase H. Przychodzen (aka Jazzman) wrote:

>> MIMEsweeper (developed by Integralis) will scan your incoming files ...

> Scanning for viruses in incoming mail is a bigtime no-no.
> Tell me how is it different from eavesdropping on your employees'
> conversations in order to stop violent crimes?
> Both constitute gross abuse of privacy. Convince me otherwise.
...

Two issues. First, many email systems are corporate, and many corporate
mail providers maintain the ownership of mail and electronic files by
some variation of the 1992 US DoJ recommendations. Monitoring for
defensive purposes is different from traditional eavesdropping.

Second, and more relevant to the Virus List, is how "smart" anti-virus
products will become. I don't feel very much threatened by current
products like MIMEsweeper, which seem unlikely to cause me any damage by
their monitoring of my mail, any more than the routers that sent it
along to my desktop. Scanning for viruses is different from
eavesdropping today because the software hasn't learned to take actions
like reporting my incorrect behaviors... which companies can probably
already do anyway (right, Depti?).
Dave

------------------------------

Date: Sat, 08 Jun 1996 16:37 +0000
From: Graham Cluley
Subject: Re: Best antivirus program for NT ??? (NT)
X-Digest: Volume 9 : Issue 92
In-Reply-To: <01I5KH2RENKGUBAT4D@csc.canterbury.ac.nz>

Per Eriksson writes:

> Has anyone got a suggestion about a good antivirus program
> for running on an NT 3.51 server?? I would like to have it
> scanning for viruses on the server's disks and incoming
> files, and possibly even on the remote workstations.

Have you looked at Dr Solomon's Anti-Virus Toolkit for Windows NT?
The new version about to ship (v7.61) will include on-access scanning
for NT workstation and server. It's a kernel mode device driver,
coupled with a user mode service.

You can read more about our new on-access scanning capability for NT at
the following URL:

http://www.drsolomon.com/company/press/ntguard.html

You'll find some independent comparative reviews of anti-virus software
(including NT anti-virus software) at

http://www.drsolomon.com/avtk/reviews

Regards
Graham

-- 
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Sat, 08 Jun 1996 14:19:10 +0000 (GMT)
From: Pierre Tremblay
Subject: Re: McAfee Viruscan for DOS vs Viruscan for OS/2 (OS/2)
X-Digest: Volume 9 : Issue 92

In <0009.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>, Tom Williams writes:

> Hello. Has anyone out there had problems with the OS/2 version of
> Viruscan not reporting viruses that the DOS version finds and cleans? I
> don't know if I can trust the OS/2 version and if that's the case, how can
> I scan my HPFS drives?
>
> Any help would be greatly appreciated.
Well, I had no virus at all, but OS2SCAN complained about 5 Win'95
command line programs from C:\WINDOWS\COMMAND being inaccessible
(COUNTRY and ANSI.SYS, SUBST.EXE and both XCOPY and XCOPY32.EXE).
SCAN.EXE run in a DOS box could access them, F-PROT 2.23 also, and I
even rebooted to Win'95 to try McAfee's Scan'95 (from v95203e.zip), and
all said they were OK. File sharing was not active and the files could
be copied, moved and deleted by all other programs, both from the
command line and the GUI. E-mail to McAfee's Mr. Kujo got an "I'll put
my OS/2 man on it" answer a week ago.

To answer your other question, you would catch any partition or DOS
boot sector virus with ordinary SCAN or F-PROT in a DOS box; I think
the chances of a virus hiding in a long filename file and nowhere else
are quite small. You could also buy F-PROT for OS/2.

------------------------------

Date: Sat, 08 Jun 1996 04:19:33 +0000 (GMT)
From: George Wenzel
Subject: Re: Virus detection in boot manager (OS/2)
X-Digest: Volume 9 : Issue 92

In article <0010.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>, Yew Teik Meng
wrote:

> I'm sorry if this has been posted before, but I want to know whether
> normal DOS virus scanners like Sweep will be able to detect a boot sector
> virus residing in the boot manager (from OS/2)?.... If so, is the virus
> removal as simple as just writing fdisk/mbr?.... Or maybe using some other
> virus removal programs are required; if so, could anyone recommend
> anything...?

While I'm not familiar with OS/2 boot managers, I will say that
Fdisk/mbr is NOT a virus removal program, and should not be used by
anybody that is not VERY familiar with what they are doing. Using Fdisk
in the wrong situation can multiply the problems several times over.

Regards,
George Wenzel

-- 
 ("`-''-/").___..--''"`-._        George Wenzel
  `6_ 6  )   `-.  (     ).`-.__.`)
  (_Y_.)'  ._   )  `._ `. ``-..-'  Student of Wado Kai Karate
_..`--'_..-_/  /--'_.'
 ,'                               U of A Karate Club
(il),-''  (li),'  ((!.-'          http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Sat, 08 Jun 1996 20:52:42 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Sudden loss of RAM memory in windows (WIN)
X-Digest: Volume 9 : Issue 92

In article <0016.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>
d2329@idt.liberty.com "Douglas" writes:

> I have 20 megs of RAM running on my 486DX4/100. All of the
> sudden while attempting to check my mail, through Netscape 2.01,
> I was given an error message stating that I was out of memory and
> to close any programs or windows that were open.

"Out of memory" reports in Win95 often don't have anything to do with
the amount of free RAM. Of course, you don't mention whether you are
running Windows 95 or not.

-- 
                  THE CHICK
FELT HIS CHIN     AND HE WED
FLEW THE COOP     LET OUT A WHOOP
                      Burma-Shave

------------------------------

Date: Sat, 08 Jun 1996 12:39:12 +0300
From: Zvi Netiv
Subject: Re: Disaster recovery of compressed volume (PC)
X-Digest: Volume 9 : Issue 92

At 08:41 PM 7/6/96, David Sumners wrote:

In article <0024.01I5J3SUT73UUBAT4D@csc.canterbury.ac.nz>, you say...

> The chance of UNFORMAT working is as big as Windows not
> having GPFs.

The chances to recover with Unformat do not depend on whether Windows
crashed due to a GPF or something else. To substantially increase
recoverability use either MIRROR or IMAGE in your autoexec, before
starting Windows. If working under Win 3.11 on top of DOS, then run
defragmentation as a DOS exclusive task, never under Windows, when other
tasks are open, or in a Win/DOS spawn shell. If running under Win 95
then your problems are serious enough, no need to add defragmentation
to them.
Regards, Zvi

--------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
CompuServe: go INVIRCIBLE           ftp.netzcomp.com   www.invircible.com
E-mail: netz@actcom.co.il   netz@netzcomp.com   Compuserve: 76702,3423
--------------------------------------------------------------------

------------------------------

Date: Sat, 08 Jun 1996 12:39:19 +0300
From: Zvi Netiv
Subject: Re: ResQdisk - Please Help (PC)
X-Digest: Volume 9 : Issue 92

At 08:45 PM 7/6/96 GMT, pfelix@ilink.nis.za wrote:

> I read your thread on the disappearance of a partition on a hard disk.
> I had the same problem 2 days ago. I was replying to Email when my
> mouse cursor disappeared. I tried to reboot and at that time I no longer
> had access to my Hard Disk. I have an 800Mb drive, with info that I would
> prefer not to lose. I am (was) using Win95, with MS Plus. I booted off a
> stiffy and ran Fdisk and it saw no partition.

First, here is how to handle the mouse problem in case it happens again.
Forced rebooting when tasks are still open, or worse, when DOS or
Windows is updating the FAT, is a bad idea. This shouldn't necessarily
end with losing the partition, but it might. More frequently the FAT
gets corrupted, which is even worse.

If the mouse disappears in the middle of a Windows session, or freezes,
then try this: Temporarily shell to DOS (I use a shortcut key for the
purpose, Alt+Ctrl+D) and "exit" the shell back to Windows. It will
return the mouse in most cases. If it doesn't, then exit all tasks in an
ORDERLY manner (Alt+F4), exit Windows and reboot. Also look at the
SMARTDRV line in the autoexec; it should have "/X" as the LAST parameter
(no write buffering).

> Could you perhaps tell me where I could download a copy of ResQdisk,
> and maybe some info on how to use it? I would really appreciate your help.

Download invir-en.zip from any of the sites below.
ResQdisk is one of the modules in the package. Just start RESQDISK and
see if it indicates "Press ^F1" at the bottom when running on the
inaccessible drive. If it does, then all you need is a registered copy
of IV; do just that (press ^F1) and have your drive back after
rebooting. Any authorized IV agent (see the list in the package) can
give you a single-session authorization for ResQdisk, over the phone.
Unfortunately, we don't yet have an agent for South Africa, so you will
have to call long distance for this one.

If you had IV previously installed and its ResQstiffy :-) made, then the
non-registered version would have sufficed to recover the drive by just
booting off the rescue and following instructions.

> Thanks for the very informative thread.

You are welcome.

Regards, Zvi

--------------------------------------------------------------------
NetZ Computing Ltd, Israel          Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)   Fax +972 3 532 5325
CompuServe: go INVIRCIBLE           ftp.netzcomp.com   www.invircible.com
E-mail: netz@actcom.co.il   netz@netzcomp.com   Compuserve: 76702,3423
--------------------------------------------------------------------

------------------------------

Date: Sat, 08 Jun 1996 00:28:44 +0000 (GMT)
From: Gerard Hein
Subject: Re: 850MB HD now 333MB--virus? Clock is messy to(PC)
X-Digest: Volume 9 : Issue 92

Kommer Kleijn wrote:

> "S. Widlake" wrote:
>
>>> From: "Scott A. Hauert"
>>> Subject: Re: 850MB HD now 333MB--virus? (PC)
>>> Date: 21 Apr 1996 06:11:42 -0000
>>
>> Hold on there just a moment... this implies that if Disk Mangler gets
>> whacked by a virus, you can kiss good-bye to all your data?!? Surely
>> there must be a better way of restoring everything back to normal...
>
> If it is Ontrack Disk Manager you use, you can rebuild your partition
> table by using DM /M (manual mode) without reformatting. Make it a
> "read/write partition" (- not a DOS partition) if it was before!
> If you boot from a floppy that loads the Ontrack driver "dmdrvr.bin" in
> the config.sys of the floppy you should be able to access the data on
> your harddrive.

I don't know if I have a virus, none of my AV programs says so, but my
Maxtor HD partitioned with DM 7.04 is getting smaller and smaller every
day. Actually, when I boot from diskette DOS tells me that there is
500 MB free, but when I boot from C: Windows 95 tells me it is 95 MB.
This morning I just looked and it has become 62 MB, so it looks like the
incredible shrinking woman :-((

The 1st partition is 850 MB C: and the 2nd 150 MB D:.

Oh yes, and my time is also messed up after I boot again...

I've downloaded InVircible 6.11b, and when I was about to create a
ResQdisk it reported a boot stealth virus. I did a clean boot from
floppy and SYS /C from a clean disk and updated DM with (W)rite new MBR
and updated the DDO overlay file. After this my hard disk was back to
normal size, but what virus do I have? And why is no one reporting
this? Except InVircible, which also did not find it in the first place...

Please give me a suggestion.

Gerard Hein

------------------------------

Date: Sat, 08 Jun 1996 15:10 +0000
From: Graham Cluley
Subject: Re: Disaster recovery of compressed volume (PC)
X-Digest: Volume 9 : Issue 92
In-Reply-To: <01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>

Zvi Netiv writes:

> As for slowdown, here is a simple test anyone can do. Run each of the
> following programs on a single directory with sufficient files in it,
> say C:\DOS, and note the time it takes with and without the AV TSR
> loaded to memory. When testing with Dr. Solomon's GUARD 7.59, F-Prot
> took 2.5 times longer with Guard than without it (a net loss of
> performance of 60%), Integrity Master took 5 times longer (80%
> performance loss!)

Err.. this is meaningless. I would suspect the vast majority of users
running Dr Solomon's VirusGuard are also running Dr Solomon's FindVirus
for their on-demand scanning.
Why aren't you quoting figures for that? I don't believe there are that
many users who have a site licence for Dr Solomon's VirusGuard running
alongside a site licence for F-Prot.

Anyway, any knowledge of the real world would find that the majority of
our site licence customers use Windows (of one flavour or another) and
so tend to use our 32-bit VxD, Dr Solomon's WinGuard. That can provide
on-access protection against macro viruses as well as boot sector and
file viruses (including polymorphics).

We find our users want on-access protection to prevent known viruses
infecting them in the first place. We find users don't want an
anti-virus that works on the principle of them becoming infected,
allowing users to spread the infection further and then later discover
that their files have changed for perhaps virus-related reasons. I
think I can understand where our customers are coming from on this.

> and IVB took 16 times longer (94% performance loss!).

So, InVircible slows down more than F-Prot. That's interesting. Maybe
you should consider rewriting InVircible so it is more economical with
the number of file accesses it makes. That would make it faster.

Regards
Graham

-- 
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Sat, 08 Jun 1996 15:10 +0000
From: Graham Cluley
Subject: Re: Bye (PC)
X-Digest: Volume 9 : Issue 92
In-Reply-To: <01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>

Bent Schack Iversen writes:

> Our computer has been infected by the memory-virus Bye. How can we
> remove it???

Which anti-virus product told you you had this virus in memory?
Was the virus detected on your hard disk when you scanned after
cold-booting from a clean, write-protected floppy disk?

Consider the possibility that you may have a false alarm. You may like
to do a double-check with an anti-virus product less prone to false
alarms. You can download an evaluation version of Dr Solomon's
FindVirus v7.60 (part of the commercial version of Dr Solomon's
Anti-Virus Toolkit) from our website:

http://www.drsolomon.com

Regards
Graham

-- 
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Sat, 08 Jun 1996 15:10 +0000
From: Graham Cluley
Subject: Re: Dull-Boy questions (PC)
X-Digest: Volume 9 : Issue 92
In-Reply-To: <01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>

Jose Luis Cilleruelo writes:

> Recently when scanning my PC I got the presence of Dull-Boy virus.
> Does anybody know its behaviour? ... and how to remove it?

Which anti-virus product told you you had this virus in memory?

Was the virus detected on your hard disk when you scanned after
cold-booting from a clean, write-protected floppy disk?

Consider the possibility that you may have a false alarm. You may like
to do a double-check with an anti-virus product less prone to false
alarms. You can download an evaluation version of Dr Solomon's
FindVirus v7.60 (part of the commercial version of Dr Solomon's
Anti-Virus Toolkit) from our website:

http://www.drsolomon.com

Regards
Graham

-- 
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.
                                      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Sat, 08 Jun 1996 15:20 +0000
From: Graham Cluley
Subject: Re: Help disinfecting HLLO.RUW (PC)
X-Digest: Volume 9 : Issue 92
In-Reply-To: <01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>

"Scott J. Dygert" writes:

> After doing a scan, PC-CILLIN detected a virus "HLLO.RUW" in my
> C:\PBTOOLS\BACKUP\AUTO-DET.EXE file.

This sounds suspiciously like a PC-Cillin false alarm to me.

> PC-CILLIN gives a message when I attempt to clean it indicating that it
> cannot clean that file.

That's because it's a false alarm, not a real virus infection.

> I'm not sure what the file that is infected
> does, or what kind of damage this virus can or could do.

I'd bet my bottom dollar on it being a false alarm, not a real virus.

> Any help or suggestions are definitely appreciated.

You can either ignore the false alarm, upgrade to a version of PC-Cillin
which doesn't contain this particular false alarm, or use a different
anti-virus (no prizes as to which one I recommend).

You should probably contact PC-Cillin technical support and ask them for
a fix for the false alarm.

Regards
Graham

-- 
Graham Cluley                         CompuServe: GO DRSOLOMON
Senior Technology Consultant,         UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.      US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com       UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com         USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Sat, 08 Jun 1996 04:01:07 +0000 (GMT)
From: George Wenzel
Subject: Re: Disaster recovery of compressed volume (PC)
X-Digest: Volume 9 : Issue 92

In article <0022.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>, Zvi Netiv
wrote:

>> I would really doubt this statement.
>> TSRs and VxDs intercept a call to a
>> file, scan it, and then pass on the call if the file is clean. Sure, this
>> causes some system slowdown, but the amount of protection it provides is
>> well worth it.
>
> The original poster lost 800 meg of data and files for no viral reason at
> all, just because he had an AV TSR misfiring. In thousands of reported
> infections, nobody suffered such extreme damage from a virus. The best
> protected are those that use generic and integrity based AV - no virus
> damage at all.

Of course, most generic and integrity based AV products have to wait
until you are infected before they spring into action, and this could
be when you perform your integrity check a day later. In that day, you
could have spread infected files or disks to a dozen people. Those
people could become very upset, and the damage they cause can be far
worse than any software could ever do, especially if they are customers.

> To take it to the extreme: You are better off without antiviral software at
> all than being exposed to even a one in 10,000 chance that an antiviral will
> misfire. Just an hour ago we recovered over the phone (the third drive
> today) a 1.6 gig drive that was downed by a TSR misfire. From statistics
> based on actual incidents the chances of losing the hard disk in a year
> are 1 in 600 if using an AV TSR or VxD, compared to 1 in 5000 if not, from
> other reasons. Your chances to incur comparable virus damage without an
> antivirus at all are smaller than 1 in 100,000. With generic AV they are
> less than one in a million; hardware reliability becomes the dominant
> factor then.

Your statistics are meaningless, since you don't understand the real
damage viruses cause. Viruses, truly, do not cause direct harm to
somebody's computer, and they (usually) do not damage the data either.
The real damage comes when person A spreads a virus to person B, and
person B sues/injures/etc. person A.
This is an especially important thing when we're talking about
customers - if you distribute an infected disk to a customer, you had
better be able to make some good excuses about it. AV TSRs/VxDs,
according to you, have a one in 600 chance in a year of causing a hard
drive to fail. I'd take those chances over the possibility of
accidentally spreading a virus to a customer any day. Therein lies the
advantage of on-access products - they catch a virus when you first get
it on your computer, before you can become infected, and they also
protect you from infecting floppies, so they stop viruses from spreading
with very high certainty.

> As for slowdown, here is a simple test anyone can do. Run each of the
> following programs on a single directory with sufficient files in it, say
> C:\DOS, and note the time it takes with and without the AV TSR loaded to
> memory. When testing with Dr. Solomon's GUARD 7.59, F-Prot took 2.5 times
> longer with Guard than without it (a net loss of performance of 60%),
> Integrity Master took 5 times longer (80% performance loss!) and IVB took
> 16 times longer (94% performance loss!).

A) This shows nothing, since most people would be using FindVirus if
they were using VirusGuard.
B) Why is your product (IVB) so slow when a TSR is in memory?

> Just six months ago, with Guard version 7.54, these figures were 50%
> better than today's. With the constantly increasing number of viruses, you
> may assume performance degradation of 75% per year. The risk of misfiring
> roughly doubles per year.

Again, meaningless scaremongering. The number of people that have
problems with on-access programs compared to those using them is very
small.

> My advice is to stay away from on-access and on-execution antivirals.

Bad advice, in my opinion.

> Use
> integrity based and generic AV for ongoing protection, and scan new
> software with a good scanner.
Personally, I'd trust WinGuard to scan every floppy I use, and every new
file I bring in, since WinGuard is considerably better than my memory.
Generic AV does not provide ongoing protection - it generally just
checks for changes in files and boot sectors, and responds to those
with 'possible virus', and it only does this when you run the program,
which could be daily or weekly. If you get infected just after you run
the generic program, a virus could have plenty of time to spread before
you run the program again and detect the virus. Generic AV can be a
good layer to protect from viruses not known to the scanner, but it
usually does a much poorer job than a scanner on viruses that the
scanner knows about. I believe that a good integrity checker is indeed a
part of an anti-virus strategy, but it by no means can be more important
than using a good scanner.

Regards,
George Wenzel

-- 
 ("`-''-/").___..--''"`-._        George Wenzel
  `6_ 6  )   `-.  (     ).`-.__.`)
  (_Y_.)'  ._   )  `._ `. ``-..-'  Student of Wado Kai Karate
_..`--'_..-_/  /--'_.' ,'         U of A Karate Club
(il),-''  (li),'  ((!.-'          http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Sat, 08 Jun 1996 04:17:43 +0000 (GMT)
From: George Wenzel
Subject: Re: New Virus ? Help please. (PC)
X-Digest: Volume 9 : Issue 92

In article <0021.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz>, Zvi Netiv
wrote:

>>> Every .COM file I once started had 7679 bytes more than before the start.
>>> Most COM files wouldn't work afterwards. I thought about a virus,
>>> and booted the PC with a floppy, to let a scanner do its work.
>>>
>>> But after I booted from floppy disk, there was no hard disk anymore.
>>
>> This is common with viruses - just place the AV program on the floppy, and
>> run it from there, ignoring the fact that DOS can't see the drive. The AV
>> program can, and can still remove the virus.
>
> Nonsense, no program can access files on an inaccessible drive, not even
> antivirus programs.
> Besides, the user DID boot clean from a floppy and ran
> two AV programs (McAfee and F-Prot, neither found anything).

My mistake regarding the floppy... I should have said 'known clean
floppy'. He didn't say that he knew that the floppy he was using was
uninfected.

I didn't say that the drive was inaccessible, I said that DOS couldn't
see it. This happens with, for example, a Monkey infection... the C:
drive is visible after a HD boot, but not after a floppy boot. The AV
program, however, can still access the drive and remove the virus.

>> NO!!! You backed it up, right? I'd suggest restoring the backup (if it's
>> possible still), booting clean, and running the AV program. If this sort
>> of thing happens again - read the FAQ - it details quite explicitly why
>> NOT to use Fdisk. Your situation is a prime example of why Fdisk is a BAD
>> idea.
>
> Beware of amateurish and bad advice.

Sorry, but saying not to use Fdisk to remove a virus is GOOD advice.

> Mr. Bucher acted correctly. He first backed up his DATA then ran FDISK
> before reformatting, to make sure the MBR is clean. Finally, he rebuilt
> the applications from source. FDISK/MBR is perfectly okay in these
> circumstances although I doubt this is what he did.

Oh really? What if he was using disk management software? What if he was
infected with One_half? There are dozens of situations where Fdisk is a
BAD idea, and because of these, I don't recommend anybody using it
unless they know EXACTLY what they are doing.

> Since the partition
> was inaccessible then he necessarily created a new one, possibly followed
> with fdisk/mbr, for luck! :-)

Fdisk /mbr is an unsupported switch, which Microsoft does not document
or support, and it is considered by most of the AV community to be a bad
idea, since safer methods (i.e. shareware anti-virus programs) are
available.

> The fdisk/mbr conditioning syndrome is known to have adverse effects on
> perception for details and logical reasoning.
Pardon me, but suggesting not to use Fdisk is a good idea. Anybody who goes around saying that Fdisk is a good method of virus removal should check the facts first. Fdisk can, in some cases, remove viruses safely. There are, however, numerous cases where Fdisk will cause more harm than good, leaving the data inaccessible. Unless the person giving advice knows EXACTLY the situation of the person with the virus, it is bad advice and is not safe.

Aside from that, recommending Fdisk as a method of virus removal in a public forum, with thousands of people reading, is careless. Somebody might actually think they can use Fdisk to remove a virus any time, and that can cause far more problems than it ever could fix. As Bruce Burrell put it, 'Just Say NO! To FDISK/MBR!'

>> Viruses don't always get transmitted via files. It's likely you had a
>> boot sector virus. If possible, restore the backup, and do as I recommend
>> above.
>
> More bad advice.

Restoring a backup is bad advice? What color is the sky in your world, Zvi? Backups are ALWAYS the first line of defence against viruses.

> Going back to the original post, it appears that the virus in question is
> a multipartite, possibly new virus, since COM files increased by 7679
> bytes and the partition was inaccessible from clean boot. This would
> explain the reappearance of the virus after rebuilding the hard disk from
> scratch. One infected COM file is all that it takes to restart the
> infection all over again.
>
> Installing InVircible immediately after rebuilding the hard drive and
> using the correlator, IVX, can spot the culprit in no time, whether new or
> common. No need to guess or improvise. IV is also handy in restoring
> rapidly the MBR, boot sector and files, instead of needing to rebuild the
> drive time after time.

Personally, I'd rather get a sample of the infected files, send it to a trusted virus lab, and have a cleanup driver within a day or so.
Regards,
George Wenzel

- -
George Wenzel
Student of Wado Kai Karate
U of A Karate Club
http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Sat, 08 Jun 1996 17:10:47 -0400 (EDT)
From: Laurent Destailleur <101642.2125@CompuServe.COM>
Subject: How to rewrite the MasterBoot ? (PC)
X-Digest: Volume 9 : Issue 92

As I had a virus on my master boot, I used fdisk /mbr to rewrite it. But I've got Windows 95 and my multi-boot menu disappeared. How can I retrieve it without reinstalling Windows? (TBAV rewrites it but doesn't install a new WINDOWS95 MULTI-BOOT.)

------------------------------

Date: Sat, 08 Jun 1996 15:18:09 -0700
From: John Lynker
Subject: Strange timing behavior...possible virus? (PC)
X-Digest: Volume 9 : Issue 92

Equipment:
Pentium P100 w/ 32MB, 256K cache, IDE -> Maxtor 203 MB
Future Domain ISA SCSI card -> NEC x3401 triple speed, ZipDrive and Seagate 1GB HD
PhoneBlaster w/ Yamaha DX-50 WaveBlaster compatible card, 3Com Elnk III netcard
Diamond Stealth Video card
Dual Serial/Parallel IO card

Symptom: Sometimes the mouse cursor locks up, sometimes it drags as if it were pushing up against something that was flexible. Tried cleaning the ball and pad many times.

Symptom: With a long file of code, starting at the top, press the down arrow and after a while, the scrolling is very slow. Then, even without screen scrolling, the cursor will move from the top of page to the bottom by stopping every 3rd or 4th line for .5 to 1.0 seconds.

Symptom: In Developer's Studio, I open the Help Search, select the Hierarchy Chart page then press the right scroll button. At first it scrolls fine, then starts to slow down more and more until it is only crawling at a 1.5 to 2 second line scroll rate.

Symptom: Recently, while downloading using IE 3.0 beta, the copy animated icon begins to crawl at one frame per second or so.
Other Symptoms: Buttons don't press...that's nothing new to Windows...but more so here. Then buttons press but don't react...well, that's nothing new either...but sometimes it's every other button press.

Whatever it is, it's a very crippling and obnoxious/annoying behavior. I've scanned using scn-227, I've run a couple of (First Aid, Norton...etc...). I actually doubt it's a virus - perhaps an interrupt problem...but how to find it?

Any help appreciated,
JLynker@cerfnet.com

------------------------------

Date: Sat, 08 Jun 1996 20:05:52 +0000 (GMT)
From: Iolo Davidson
Subject: Re: New Virus ? Help please. (PC)
X-Digest: Volume 9 : Issue 92

In article <0021.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:

> George Wenzel wrote to
> Frank Bucher :
>
> >> Every .com file I once started had 7679 bytes more than before the start.
> >> Most COM files wouldn't work afterwards. I thought about a virus,
> >> and booted the PC with a floppy, to let a scanner do its work.
> >>
> >> But after I booted from floppy disk, there was no hard disk anymore.
> >
> > This is common with viruses - just place the AV program on the floppy, and
> > run it from there, ignoring the fact that DOS can't see the drive. The AV
> > program can, and can still remove the virus.
>
> Nonsense, no program can access files on an inaccessible drive, not even
> antivirus programs.

The file virus is not the reason that the guy has "no hard disk anymore". He apparently has a partition sector virus as well, and that has to be dealt with to make his drive accessible after a clean boot so that the files can be cleaned.

> Besides, the user DID boot clean from a floppy and ran
> two AV programs (McAfee and F-Prot, neither found anything).

A very new virus or out of date versions of the AV software.

> Beware of amateurish and bad advice.

Like that you are about to give?

> Mr. Bucher acted correctly.
> He first backed up his DATA then ran FDISK
> before reformatting, to make sure the MBR is clean. Finally, he rebuilt
> the applications from source. FDISK/MBR is perfectly okay in these
> circumstances although I doubt this is what he did. Since the partition
> was inaccessible then he necessarily created a new one, possibly followed
> with fdisk/mbr, for luck! :-)

Reformatting is never necessary to get rid of a virus, and is often ineffective. Fdisk/mbr is of course OK in some circumstances, but the average person with a virus problem is not able to tell whether it is safe in *his* circumstances. Therefore they must regard it as unsafe.

> The fdisk/mbr conditioning syndrome is known to have adverse effects on
> perception for details and logical reasoning.

You have shown a consistent inability to understand that people with virus problems usually lack specialised anti-virus skills or knowledge. For this reason, general advice on dealing with viruses must not rely on virus victims being able to make correct technical choices.

> Going back to the original post, it appears that the virus in question is
> a multipartite, possibly new virus, since COM files increased by 7679
> bytes and the partition was inaccessible from clean boot. This would
> explain the reappearance of the virus after rebuilding the hard disk from
> scratch. One infected COM file is all that it takes to restart the
> infection all over again.

So copying the data with the virus active in memory then reformatting the drive wasn't the answer after all, was it? The real answer is to approach the supplier of your anti-virus for an update. If the virus is a new one, the AV supplier's research team ought to be able to provide the victim with a field update in a day or two at most, and possibly within hours.
- -
THE CHICK FELT HIS CHIN AND HE WED FLEW THE COOP LET OUT A WHOOP
Burma-Shave

------------------------------

Date: Sat, 08 Jun 1996 20:40:08 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Disaster recovery of compressed volume (PC)
X-Digest: Volume 9 : Issue 92

In article <0022.01I5OG1EL5OGUBBBAR@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:

> The original poster lost 800 meg of data and files for no viral reason at
> all, just because he had an AV TSR misfiring.

So you assert. In view of other statements you have made in this group, I have no confidence in your assertion being correct on this occasion.

> To take it to the extreme: You are better off without antiviral software at
> all than being exposed to even one in 10,000 chance that an antiviral will
> misfire.

Nonsense.

> From statistics
> based on actual incidents the chances of losing the hard disk in a year
> are 1 in 600 if using an AV TSR or VxD, compared to 1 in 5000 if not,

Who compiled these "statistics"? You? I have never seen this proposition even put by anyone else, let alone seen any data.

> Your chances to incur comparable virus damage without an
> antivirus at all are smaller than 1 in 100,000. With generic AV they are
> less than one in a million, hardware reliability becomes the dominant
> factor then.

More of your own "statistics"? If not, what is the source?

> As for slowdown, here is a simple test anyone can do. Run each of the
> following programs on a single directory with sufficient files in it, say
> C:\DOS, and note the time it takes with and without the AV TSR loaded to
> memory. When testing with Dr. Solomon's GUARD 7.59, F-Prot took 2.5 times
> longer with Guard than without it (a net loss of performance of 60%),
> Integrity Master took 5 times longer (80% performance loss!) and IVB took
> 16 times longer (94% performance loss!).
Running a foreground scanner with a background scanner active is pure silliness, but if you want to run such a test, do it with both the foreground and background scanners from the same AV package, and you will find that there is no slowdown, as they cooperate with each other instead of scanning everything twice. In short, your "test" is artificially contrived to give a result that you hope will mislead people who do not understand the inner workings of AV packages.

> Just six months ago, with Guard version 7.54, these figures were 50%
> better than today's. With the constantly increasing number of viruses, you
> may assume performance degradation of 75% per year.

May we? Actually, the increase in number of viruses doesn't affect VirusGuard that much. What happened in the period of time you mention was that a new methodology was put into VirusGuard to deal with polymorphics. That had a one-time effect on speed which has nothing to do with the increase in the number of viruses over that period.

> The risk of misfiring roughly doubles per year.

More Netiv "statistics"? Any data at all to support this guff?

> My advice is to stay away from on-access and on-execution antivirals. Use
> integrity based and generic AV for ongoing protection, and scan new
> software with a good scanner.

Lots of people said for a long time that TSRs were not the way to deal with viruses, but it didn't make any difference to the customer, who wants the convenience. I don't have to argue this case. TSRs won long ago, against the advice of people who know more about viruses than you, and who are more highly thought of in the industry. Customers have more say than experts.

- -
THE CHICK FELT HIS CHIN AND HE WED FLEW THE COOP LET OUT A WHOOP
Burma-Shave

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 92]
*****************************************
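A file-integrity checker of the kind both George Wenzel ("checks for changes in files and boot sectors", reporting only when it is run) and Zvi Netiv ("integrity based and generic AV for ongoing protection") refer to in this digest, added here as an illustration that is not code from any poster or from any product named in the thread. It uses only the Python standard library; the file names, their contents and the 7679-byte growth are constructed to mirror the symptom Frank Bucher reported, the growth being plain filler bytes rather than anything from the thread's virus.

```python
"""Minimal file-integrity checker in the spirit of the 'generic AV' the
digest discusses: record a baseline of size and SHA-256 per file, then on a
later run report what changed. Added illustration; not from the digest."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str        # path relative to the checked directory
    kind: str        # "modified", "new" or "missing"
    size_delta: int  # bytes grown (+) or shrunk (-); 0 for new/missing


def _fingerprint(path):
    """Return (size, sha256 hex) for one file, hashing in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_baseline(root, exts=(".com", ".exe", ".sys")):
    """Walk root and fingerprint every file with an executable extension."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def check(root, baseline, exts=(".com", ".exe", ".sys")):
    """Compare the directory's current state against a stored baseline.

    This is a snapshot-to-snapshot comparison only: whatever happens between
    two runs is invisible until the next run, which is exactly the limitation
    George Wenzel raises about running a generic checker daily or weekly."""
    current = build_baseline(root, exts)
    findings = []
    for rel, (size, digest) in sorted(current.items()):
        if rel not in baseline:
            findings.append(Finding(rel, "new", 0))
        elif (size, digest) != baseline[rel]:
            findings.append(Finding(rel, "modified", size - baseline[rel][0]))
    for rel in sorted(set(baseline) - set(current)):
        findings.append(Finding(rel, "missing", 0))
    return findings


def demo():
    """Constructed scenario: two harmless .COM-named text stubs are
    baselined, then one grows by 7679 bytes (the growth reported in the
    thread, simulated here with filler) and an unknown file appears."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("HELLO.COM", b"constructed stub one"),
                           ("FORMAT.COM", b"constructed stub two")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Simulate the reported symptom with 7679 bytes of filler, plus a
        # file that was not present when the baseline was taken.
        with open(os.path.join(root, "HELLO.COM"), "ab") as f:
            f.write(b"\x90" * 7679)
        with open(os.path.join(root, "UNKNOWN.COM"), "wb") as f:
            f.write(b"constructed newcomer")

        return check(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.kind:9s} {finding.path:12s} size change {finding.size_delta:+d}")
```

The checker can only say "something changed" and by how much; it cannot name the virus or clean the file, which is why Wenzel treats it as one layer beside a scanner rather than a replacement for one. In practice the baseline would be stored off the checked volume (a known-clean floppy, in 1996 terms) so that whatever modified the files cannot also rewrite the record of what they looked like.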