VIRUS-L Digest   Monday, 1 Jul 1996   Volume 9 : Issue 104

Today's Topics:

AVPVE Virus Encyclopedia Updated!
Re: Disknet
EXPONET TI 96
Re: Virus in plain text files (was Re: Scanning incoming mail)
Distributor Sought For Leading Security Product
TBAV 7.02 released
Re: AV advice for new NW supervisor...
Re: Scanning incoming mail
Zvi, Invircible, and the others
Dr Solomon's FindVirus 7.61 available for download
Re: Scanning incoming mail
Re: Forms virus on NT (NT)
Re: Information on NT A-V Software (NT)
Re: Forms virus on NT (NT)
Re: Subject: Wandering mouse cursor--virus? (WIN95)
Virstop and Client32 (WIN)
Complete Antivirus Guide, available on the net (PC)
SW producer accused for spreading viruses (PC)
virus id? creates "nit Succ ess" directory (PC)
Who can help with a PEACEKEEPER.A-type infection? (PC)
Re: Help: The bad sectors in my NEC HD are growing! (PC)
System date set to 2096 (PC)
NOT SO sporadic Hangs/Lock ups-Virus?!? (PC)
Four viruses on one machine--suspicious?? (PC)
How good is McAfee (PC)
Re: Scanning Incoming Mail (PC)
Untouchable (PC)
File corruption (PC)
Re: N40 virus?? (PC)
Re: SYS and FDISK/MBR, safe or not? (PC)
Re: Help - ANTICMOS A virus (PC)
Re: Hard disk partition disappeared (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l.
The current FAQ document is in a file called vlfaq200.txt. Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 26 Jun 1996 13:12:31 +0000
From: Keith Peer
Subject: AVPVE Virus Encyclopedia Updated!
X-Digest: Volume 9 : Issue 104

AntiViral Toolkit Pro Virus Encyclopedia the largest and most accurate virus description database has been updated! AVPVE contains thousands of technical virus descriptions plus hundreds of live demonstrations! The best of all it's FREE

* Thousands of virus descriptions
* Graphical user interface (GUI)
* Live demonstrations of the Video and sounds effect produced by hundreds of viruses.
* FREE

You can get a copy of the AVPVE from the following sites:

www.command-hq.com/command
ftp.command-hq.com pub/command/avp
www.metro.ch
www.datarescue.com
Simtel and Simtel Mirrors

Enjoy,
Keith

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.      USA Distributor for
P.O. Box 856              AntiViral Toolkit Pro
Brunswick, Ohio 44212     Internet: info@command-hq.com
Compuserve:102404,3654    FTP: ftp.command-hq.com /pub/command/avp
:GO AVPRO                 WWW: http://www.command-hq.com/command
Phone: 330-273-2820 Fax: 330-220-4129 BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Wed, 26 Jun 1996 15:35:06 +0000 (GMT)
From: Jan Hruska
Subject: Re: Disknet
X-Digest: Volume 9 : Issue 104

>I am looking at an ad for a product called Disknet, that makes the
>claim "Disknet provides 100% protection! With over 1,000,00 users,
>Disknet in conjunction with their normal scanner has a record of
>achieving NO REPORTED VIRUS ATTACK since disknet was installed."

This is excessively optimistic on the part of the Reflex Magnetics marketing department. We are aware of a number of Disknet customers who say they have had viruses despite the PCs being "protected" by Disknet.

It may be that they sincerely believe in "no reported virus attacks" as a result of not having a reporting system in place :-) Or this may just be a case of "nicht sein kann, was nicht sein darf".

------------------------------

Date: Thu, 27 Jun 1996 16:23:25 +0000 (GMT)
From: Rui Moreira de Sa'
Subject: EXPONET TI 96
X-Digest: Volume 9 : Issue 104

EXPONET TI 96

Computing criminology and legislation and Virtual Enterprises are two of the nine virtual forums / conferences that are taking place until 3rd July at EXPONET TI 96 - 1st International Virtual Fair and Conferences for the Information Technology on the Internet.

We believe this event can be interesting for our group

http://www.exponet.pt

------------------------------

Date: Thu, 27 Jun 1996 23:49:36 +0000 (GMT)
From: Mike McCarty
Subject: Re: Virus in plain text files (was Re: Scanning incoming mail)
X-Digest: Volume 9 : Issue 104

In article <0004.01I6AA9C7DKOWHYXF7@csc.canterbury.ac.nz>,
Kenneth Albanowski wrote:
)On Wed, 19 Jun 1996, Gerard Mannig wrote:
)> >>X-Digest: Volume 9 : Issue 97
)> >. Plain text cannot be a carrier for viruses.
)>
)> Hmm...YES, they are
)>
)> As recently as last Sunday, I was sent some samples of viruses including a
)> copy tailored as a plain ASCII file. I mean of course an auto-executable
)> ASCII file
)
)I assume you mean a .COM file that is written using only characters
)between ASCII 32 & 126? This is definitely an executable, but I'm not sure
)how it qualifies as a text file. If it's stored with a .TXT extension,
)most virus scanners probably won't see it by default, but nobody will be
)able to execute it either. If it's stored with a .EXE or .COM extension
)then a person could execute it, but virus scanners would see it as well.
)
)> This utility, basically written for noble purposes, can obviously be
)> circumvent to hide even very known/ITW viruses within a plain ASCII text
)> file. This utility is intended to offer to users a clone of UU/XXENCODing
)> system that requires *no* utility to decode such binaries files sent by
)> electronic mailing systems
)
)But it's not _auto_ executing. You still have to save it as an executable
)file and run it. This is no different (from a virus standpoint) than
)UUdecoding it.

I think you missed the point. What he is describing is files which contain, indeed, only printable ASCII characters (along with ^M and ^J, perhaps). They UUDECODE -themselves-. They are -not- normal executables. They are more like self-extracting .ZIP files. Normal scanning looking for devious instructions will not work.

Of course, that does not mean that more intelligent scanning will not work.

Mike
- - - ---
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
I don't speak for DSC. <- They make me say that.

------------------------------

Date: Fri, 28 Jun 1996 07:00:01 +0100
From: Stephen Addison
Subject: Distributor Sought For Leading Security Product
X-Digest: Volume 9 : Issue 104

DISTRIBUTOR SOUGHT FOR MARKET LEADING SECURITY SOFTWARE

We are currently seeking distributors/agents for our unique new awareness product and for our proven risk analysis knowledge based products:

1. Essential Awareness System

This newly released product employs an original approach to the problem of increasing the awareness/knowledge of devolved staff/employees. It is based on the premise that the awareness mechanism MUST attract the interest of the user to be successful.

The product can be used to enhance awareness on many issues. However, PC Security and Continuity/Resumption-Planning are the options presently available. The user WILL wish to employ the software.... and once started, their awareness of the topic WILL increase.

We believe that the most effective way an organization can reduce its losses (via security breach or unavailability) is by stemming the cumulative losses in the devolved environment. This product is designed specifically to achieve this.

2. Knowledge Based Systems

These products are already established as market leaders and are in use at such organizations as Lloyds Bank, Barclays Bank, ICL, Littlewoods, UK Government, and many more. The risk analysis system is renowned for taking the process into the business (security is NOT just a technical matter). Other components check compliance with security standards and also review/audit existing security measures.

Neither product set is usually licensed to individuals. The customer base is generally medium/large corporate or public sector body (eg: the unit price for the main component of the knowledge based range is of the order of 5,000).

ABOUT US

We are a UK based security product development company, operating largely through selected distributors and agents. Our products cover four areas: awareness, knowledge based systems (risk analysis), cryptography and mainframe. Established in 1991 we have a substantial user base, largely in the UK.

ABOUT YOU

We are seeking distributors:

- of a substantial turnover and size, with the capability of applying investment to ensure market penetration and volume.

Or:

- with significant knowledge and expertise in this niche area (IT security) and the necessary commitment/contacts to resource the marketing sufficiently.

This is NOT a job advertisement.... we seek only credible partners to handle the products within the medium/large corporate and organizational sector.

THE NEXT STEP

If this is of interest to you, please respond to: s.add@zetnet.co.uk

Please specify some basic information about your company and your location(s).
We can then reveal further information about the product(s) and our company, leading to further dialogue

------------------------------

Date: Fri, 28 Jun 1996 08:23:22 -0400 (EDT)
From: "C.J. Mackay" <101444.1435@compuserve.com>
Subject: TBAV 7.02 released
X-Digest: Volume 9 : Issue 104

ESaSS - ThunderBYTE - PRESS RELEASE

ThunderBYTE develops revolutionary macro cleaner!

Wijchen, The Netherlands, June 20th 1996 - ESaSS BV, the developer of ThunderBYTE anti virus software herewith announces the development of the first macro cleaner which uses its own advanced technology. This cleaner, which is incorporated in the new version ThunderBYTE anti virus 7.02 not only removes the virusmacroname, like some competitive products, but cleans the entire file. ThunderBYTE anti virus software version 7.02 also contains an intelligent macroscanner, which recognizes the OLE2 file structure of the Microsoft products.

ThunderBYTE's Macrocleaner

ThunderBYTE's knowledge of the OLE2 file structure, has made it possible for the ESaSS Research Team to develop a new macrocleaner for Word macroviruses. This macrocleaner not only removes the virusmacro from the template database, but also the binary code containing the actual virus code. The intelligent ThunderBYTE product finds and cleans all Word macroviruses, even the encrypted variants. ThunderBYTE only removes the virusmacro, contrary to several competitive products that have come up with a cleaning device which even removes all Word macro's.

The 7.02 version of ThunderBYTE

This new version of ThunderBYTE anti virus utilities does not only scan the document files for macroviruses, but also cleans the documentfiles, without disturbing the user or damaging the word document file. The ThunderBYTE macroscanner and cleaner in version 7.02 are not hindered by different language versions of MS Word, unlike some macroviruses.
A number of macroviruses are language version dependent, because the function definition of such versions of MS Word (in German, Dutch etc) for which the virus is written, may be language dependent.

The ThunderBYTE Development Team already released a revolutionary new macro scanning engine in release 7.01. This macroscanner, which is implemented in the existing well known and proven ThunderBYTE virus scanners, is the fastest and most intelligent scanner available. It has acquired this status because it is able to interpret the OLE2 file structure -Object Linking and Embedding- the format used by Microsoft to save document files. It does not scan the entire file for macroviruses, but only the macrosections. Advantages of this approach are a high scanning speed, no false alarms and the ability to handle document files which are internally fragmented or encrypted. ThunderBYTE offers the same high detection and prevention technology for the OLE2 environment as in its other products.

Macroviruses: the new generation

The macroviruses form the next generation of viruses. Macroviruses can affect documents created by programs which make use of a macrolanguage. A well known example of a macrolanguage is WordBasic which is incorporated in MS Word. Its document files can easily contain macro's, which are most often automatically executed as soon as the offended documents are opened. Once a macrovirus is activated it is able to redefine functions like printing and saving. Most viruses change the file saving function (FileSaveAs) in such a way that, when saved, the virus will attach to every document file and template, including Normal.dot. The virus can spread very rapidly here, especially because document files are often used by multiple people. Due to their nature, document files are much more often exchanged among people than executable files, so the macro virus infections tend to spread much faster than 'normal' viruses.

ESaSS BV: General Information

ESaSS BV in Wijchen, The Netherlands was founded in 1988. Since its founding, the company has fully specialized in the development of information security software. The development of ESaSS products takes place in The Netherlands. The security products are called ThunderBYTE. The introduction of all ThunderBYTE security products in 37 countries is supported by distributors and own offices in North America and Canada.

All ThunderBYTE support sites in the various countries offer an online service for downloading of ThunderBYTE evaluation packages. For The Netherlands and Belgium ThunderBYTE for DOS/WIN3.x/WIN95 can be downloaded via Compuserve: GO TBYTE or via Internet: http://www.thunderbyte.com. In addition, ThunderBYTE is supported by a Bulletin Board Service which can be reached on number: +31 59 1382011.

////////////////////////////////////////////
ESaSS BV-ThunderBYTE Headquarters
Saltshof 1018
6604 EA WIJCHEN      Tel: +31 (0)24 6422282
The Netherlands      Fax:+31 (0)24 6450899

Additional press information: ESaSS BV - Caroline Mackay, Public Relations, Cserve ID: 101444.1435@compuserve.com

Commercial information: ESaSS BV - ThunderBYTE Headquarters, Mr. H. Zeeman, International Sales Manager. Cserve ID: 100140.3046@compuserve.com

Visit our Website: http://www.thunderbyte.com

------------------------------

Date: Fri, 28 Jun 1996 15:54 +0000
From: Graham Cluley
Subject: Re: AV advice for new NW supervisor...
X-Digest: Volume 9 : Issue 104
In-Reply-To: <01I6GFPGT4IQWHZ0LR@csc.canterbury.ac.nz>

Steve Baker writes:

> I have recently taken on the responsibilities of network
> administration on 75 or so Novell netware 3.1 networked pc's.
> I also handle the WWW integration for our company.
> This involves uploading and downloading files to and from our
> Internet server (of which we have contracted out server space)
>
> My question is how to avoid compromising the security of our
> network and at the same time continue our Internet marketing
> practices? I am new to this and would like any suggestions
> available.

One of my colleagues, David Emm, has written a corporate anti-virus policy. The paper is available on our website at http://www.drsolomon.com/vircen/papers and includes much useful and valuable advice regarding how to protect a network against viruses.

Regarding the web - you don't need web-specific virus protection; a good on-access scanner can protect you from viruses from *whatever* direction they're coming from.

Regards
Graham
- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 28 Jun 1996 17:40:26 +0000 (GMT)
From: Oeyvind Pedersen
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 104

In article <0007.01I6GFPGT4IQWHZ0LR@csc.canterbury.ac.nz>,
Zvi Netiv wrote:
>Michael Head wrote:
>> Perhaps we should pause before proceeding to organization-wide
>> scanning of files ,incoming/outgoing mail,etc. and ask the A-V
>> providers to assure us that their products can indeed only look for
>> virus code . Fridrik, Zvi, Graham ?
>
>Biological viruses are far more harmful than computer viruses. Yet you
>don't 'scan' anyone that you shake hand with, nor even go to bed with. :-)
>Then what's the fuss about computer viruses?

I don't know about you Zvi, but I don't usually go to bed with all my business partners.

>Organization-wide scanning of files, incoming/outgoing mail, etc.
>is neurotic and doesn't make any sense. Which is what you meant, I suppose.
>

I strongly disagree, but then again, I don't have sex with strangers either. (unless I use protection of some sort :-)

-oep

------------------------------

Date: Fri, 28 Jun 1996 16:47:04 -0700
From: Francois PIRSCH
Subject: Zvi, Invircible, and the others
X-Digest: Volume 9 : Issue 104

Dear Zvi,

you said about removing ANTICMOS.A :

>There is no need to reformat anything, removing viruses with InVircible
>is easy and straightforward.

Alright. When you register, because the shareware version won't remove anything, just detect. Everyone knows there is no need of InVircible or any other AV product to remove such a virus (which represents the great majority of infections).

It really gets on my nerves reading in this newsgroup messages such as :

> I have a problem. What can I do ?
Buy MY AV product, the best AV ever, and you will no longer have any problems. MY AV also makes a very good coffee and washes the dishes. The others don't.

In most cases, any AV will be all right. And in some rare cases (like the STONED + MICHELANGELO infection you wrote about), almost all AVs will trash your MBR or something like that (not InVircible, I must admit).

The fact is that all AVs have security holes. InVircible, for instance

- can't detect slow infectors (they are especially designed for that purpose)
- can easily be targetted by specific retro-viruses (what if an MBR virus deletes the PART.NTZ file, or modifies it ?)
- can't be properly used by lambda users (I think only scanners can, anyway). It's too powerful, and therefore much too complex to use if you don't know anything about viruses.

and so on...

The only thing that can stop virus writers is their imagination. And the only way not to have viruses at all is : don't buy a computer !

InVircible *IS* efficient and powerful and anything you want. Right. But it's not perfect. So please stop shouting it from the rooftops.
Same thing for Graham, Fridrik, and anyone else.

Francois PIRSCH

------------------------------

Date: Fri, 28 Jun 1996 17:18 +0000
From: Graham Cluley
Subject: Dr Solomon's FindVirus 7.61 available for download
X-Digest: Volume 9 : Issue 104

Dr Solomon's FindVirus v7.61 is now available for download and evaluation via the web and ftp.

Here's what's new

1. This version of Dr Solomon's FindVirus detects 284 new viruses bringing the total detected to 9084 (including an additional driver for detecting the new Hare virus).

Here is a description of Hare from Dr Solomon's:

Hare [aliases Krsna and HDEuthanasia] is a new virus which has been reported repeatedly in many countries around the world [United States, Canada, United Kingdom, Switzerland, Russia].

Hare is a multipartite, stealth, slow polymorphic virus. It is memory resident and infects COM and EXE files on execution. The virus also infects the partition sector [Master Boot Record, MBR] of the hard disk and the boot sector of floppy disks. Infected files grow in size by between 7630 bytes [approximately] to 7800 bytes [approximately].

The virus overwrites the partition table in the MBR. When the PC is booted from a clean system disk, the hard disk is inaccessible at a DOS level. Access is normal when the PC is booted from the hard disk.

The virus triggers on 22 August and 22 September, displaying the message:

"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...

and overwriting all hard disks in the system, destroying all data on them.

The file EXTRA.DRV should enable FindVirus to remove the virus from infected files. It will detect the virus in the partition sector and the floppy disk of boot sectors, but will not remove the virus from these sectors. However, this can be done using the programs CLEANPAR and CLEANBOO in the commercial version of Dr Solomon's Anti-Virus Toolkit.

Archive formats now supported: ZIP, ZIP2EXE, ARJ, ARC, LZH (also known as LHA)

Compression formats now supported: PKLite, LZExe, ICE, Diet, CryptCom, and Microsoft Expand

This version of Dr Solomon's FindVirus is for evaluation purposes only. It is NOT free, shareware or public domain. The evaluation period for this version ends 30th August 1996. At that point the evaluation period will have expired, and the program will no longer run. If you require longer to evaluate the product then we recommend that you download a more recent version of the evaluation software from the approved sites (see DISTRIB.TXT in the zip file), as this will be more up-to-date and detect more viruses.

FindVirus can scan recursively inside compressed and archived files (ZIP, ZIP2EXE, LZH, ARJ, ARC, ICE, Diet, CryptCom, Microsoft Expand, PKLite, and LZExe) without writing to the hard disk. Additionally its advanced heuristic capability means it can detect a large number of new and unknown viruses without the false alarm problem found in some other products.

You can download the evaluation version of FindVirus v7.61 from:

Website:    http://www.drsolomon.com
            http://members.aol.com/gcluley
AnonFTP:    ftp://ftp.drsolomon.com/pub/progs/dsav761.zip
            ftp://members.aol.com/pjevansssi
            ftp://members.aol.com/gcluley
CompuServe: GO DRSOLOMON
AOL:        VIRUS

Regards
Graham
- --
Graham Cluley                        CompuServe: GO DRSOLOMON
Senior Technology Consultant,        UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.     US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com      UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com        USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 28 Jun 1996 17:50:57 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 104

In article <0007.01I6GFPGT4IQWHZ0LR@csc.canterbury.ac.nz>
netz@actcom.co.il "Zvi Netiv" writes:

> As far as generic AV is concerned, we can tell genuine viruses
> from false alarms and deceptive code with great certainty.

How come Invircible calls both Word macro viruses and non-viral Word macros "suspicious" then?

- -
IT SPREADS SO SMOOTH     LIKE VELVET
IT SHAVES SO SLICK       AND IT'S QUICK
IT FEELS                 Burma-Shave

------------------------------

Date: Thu, 27 Jun 1996 23:54:36 +0000 (GMT)
From: Mike McCarty
Subject: Re: Forms virus on NT (NT)
X-Digest: Volume 9 : Issue 104

In article <0018.01I6AA9C7DKOWHYXF7@csc.canterbury.ac.nz>,
Scott Jacobsen wrote:
)We have the forms virus running around over here so I have a few
)questions.
)
)First, Forms is a boot sector virus so I'm wondering can an infected
)floppy disk infect a system if that system is NOT booted from the
)infected floppy. More generally can a boot sector virus become active
)if it is on a disk that is never used to boot a system.
)
)Second, we have some infected NT systems. Will a virus scanner written
)for DOS work well on an NT computer. We currently have F-PROT 2.23a,
)NAV, and several WIN95 scanners. I've heard the boot sector on an NT
)machine is different than a DOS machine. Will I need an NT specific
)scanner because of this.

Well, if it's like the versions of FORMS I have encountered, then no, it cannot infect your machine unless you boot from the floppy. It -can- infect even if you don't successfully boot. In other words, the floppy does not have to be -bootable-, but if you try to boot from it, successfully or not, you can be infected.

There are viruses which infect .COM, .EXE, Boot Sectors, and MBRs. These groups are -not- mutually exclusive. Soon to come, probably, are those infecting BIOS.
If you get one which infects both boot records and .EXE, then you could get an infected boot record by running an infective .EXE; FORMS (at least the versions I know about) -only- infects from a floppy by a boot. Once in memory, though, it does not require reboots to replicate.

Mike
- - - ---
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
I don't speak for DSC. <- They make me say that.

------------------------------

Date: Fri, 28 Jun 1996 16:25:20 +0000 (GMT)
From: Lou Rabon
Subject: Re: Information on NT A-V Software (NT)
X-Digest: Volume 9 : Issue 104

> I am currently using F-PROT, and I have a question regarding its
> use under Win NT.
>
> I am trying to determine the differences using my current
> F-PROT(running under DOS or Win 3.1) and F-PROT under NT?
>
> What does an NT version for any A-V product do that the current
> versions do not. Are the scanning and detection techniques for
> recognizing bsv and other viruses the same?
>
> The question goes beyond the technical to one of economics. Does a
> corporate enterprise need to invest in a different product for the
> Win NT operating system?

I'm involved with the decision for an A-V product for NT for my company. The answer to your question: definitely. Since NT is a native 32-bit operating system, it's important to use a 32-bit scanning program for full compatibility. Also, there are some great features that apps written specifically for NT incorporate, including real-time scanning and network (administrative) alerts.

In my research, the most robust product I have come across is McAfee VirusScan for NT. It has more features than any, including real-time inbound and outbound scanning. In addition, it has all types of administrative alerts, including alphanumeric paging! The only setback: It has been buggy on the install, and McAfee's tech support hasn't been too helpful. I just received a copy of the latest release, though, so the bug could be fixed.

Feel free to contact me with any questions.

Lou Rabon
louis.rabon@lazard.com
- ---

------------------------------

Date: Fri, 28 Jun 1996 16:27:11 +0000 (GMT)
From: Lou Rabon
Subject: Re: Forms virus on NT (NT)
X-Digest: Volume 9 : Issue 104

> Second, we have some infected NT systems. Will a virus scanner written
> for DOS work well on an NT computer. We currently have F-PROT 2.23a,
> NAV, and several WIN95 scanners. I've heard the boot sector on an NT
> machine is different than a DOS machine. Will I need an NT specific
> scanner because of this.

You should be able to boot up with a DOS-based floppy with a virus scanner and clean the boot sector that way.

------------------------------

Date: Thu, 27 Jun 1996 11:43:24 +0000 (GMT)
From: Hans von Lieven
Subject: Re: Subject: Wandering mouse cursor--virus? (WIN95)
X-Digest: Volume 9 : Issue 104

Thanks everybody who helped so generously. In the meantime I got it fixed. I had tried everything I could think of including cleaning the mouse and running several virus programs. It didn't help. However, the purchase of a new mouse did.

What fooled me, and what I still don't understand, is why it kept changing direction on the screen with no movement of the mouse, such as bouncing backwards and forwards and then suddenly up and down and so forth. That's why I thought it was a virus and not a hardware problem.

Have a good one,
Hans von Lieven

------------------------------

Date: Thu, 27 Jun 1996 14:38:38 -0800
From: Michael Kessler
Subject: Virstop and Client32 (WIN)
X-Digest: Volume 9 : Issue 104

We are anticipating switching to NW4.1 but still running 3.12 with Windows 3.1 and DOS 6.22. For the sake of conventional memory space (some people are still running large DOS programs), we would like to run Client32 software which saves more conventional space than VLM's.
In the process of doing that, we discovered that Virstop does not work with Client32 software, that we have to use virstop2 and can only use it in the autoexec.bat file. Has anyone else experienced that problem?

**************************************************************************
Michael Kessler                  voice (415) 338-1662
College of Humanities            MKessler@ceres.sfsu.edu
San Francisco State University   FAX (415) 338-7030
1600 Holloway Ave.
San Francisco, CA 94132

------------------------------

Date: Wed, 26 Jun 1996 19:11:28 +0300
From: Zvi Netiv
Subject: Complete Antivirus Guide, available on the net (PC)
X-Digest: Volume 9 : Issue 104

NetZ Computing released a free Anti Virus Guide in printable format. The printed guide has 80 pages (A4 size), with screen captures and can be viewed and printed with the Microsoft Viewer for Word or under Winword 6 or 7.

The AV guide is based on InVircible, yet it covers many topics of general interest in virus, antivirus and disk recovery matters.

The AV guide could be of special interest to system administrators in the institutional and corporate environment as well as users interested in these subjects.

The following is a list of the general topics, from the guide's table of contents.

4. A Primer On Computer Viruses
4.2 Virus Risks
4.3 Categories of Computer Viruses
4.3.1 File Infectors
4.3.2 Boot Viruses
4.3.3 Multipartite Viruses
4.3.4 Cluster infectors
4.3.5 Winword Macro Viruses
4.4 Techniques Used by Computer Viruses
4.4.1 Stealth
4.4.2 Encryption
4.4.3 Polymorphic Viruses
4.4.4 Companion Viruses
5.6 Integrated Antivirus Protection
6.1 Antivirus in the Single User Environment
6.2 Antivirus in Network
6.3 In the Non-DOS Environment
6.4 In a Corporate Environment
7. The Rescue Diskette
8. Optimizing Your Anti-Virus Strategy
9. Antiviral Protection in Network
9.1 The Virus Problem in Networks
9.2 Virus Propagation in a Network
9.3 Protecting a Network
9.4 Refusing Access if Not Checked Daily
9.5 Disinfecting a File Server
9.6 Network Shared Drives, Viruses and Antivirus
15. Security Auditing
19. Hard Disk Recovery
19.1 Troubleshooting Hard Drive Access Problems
19.2 Resetting a Bad or Forgotten Password
19.3 Identifying Hardware Problems
19.4 Finding the Hard Drive Original Setup
19.5 Verifying Configuration Compatibility
19.6 Figuring Out a Non-Standard Configuration
19.7 Reconstruction of the MBR
19.8 MBR Reconstruction Procedure
19.9 Manual Editing of the MBR
19.9.1 Special Partition Types
19.9.2 Editing the MBR
19.9.3 Compaq Models Partitioning
19.10 The Active Partition Boot Sector
19.10.1 Precautions in Hard Disk Recovery
19.10.2 Boot Sector - MBR Mismatch
19.10.4 Wrong Boot Sector Style
19.10.5 Wrong Data in Bios Parameter Block (BPB)
19.11 Reconstruction of the Boot Sector
19.11.1 Editing the Boot Sector
19.11.2 Searching for Existing FAT Partitions
19.12 Fixing Damage to File or Directory Structure
19.13 Improving Data Survivability and Recoverability
20. Primer to Generic Antiviral Methods
20.1 Symptoms of Virus Presence or Doing
20.2 What to Do in Case a Virus is Found
20.3 Collecting Information on an Attacking Virus
20.4 Recovering an Infected Computer, Step by Step
20.5 Analyzing Virus Characteristics
20.6 Virus-Cooperative Integrity Recovery
20.7 Virus-Cooperative Piggybacking
20.8 Virus-Cooperative Boot Block Recovery
20.9 Removing Stealth Boot Viruses from SCSI and MFM
20.10 Removing Boot Viruses from Floppies
20.11 Regaining Access to a Hard Drive
20.12 Handling Cluster Infectors
21. Screening New Software
21.2 Active Screening
21.2.1 The Quarantine Method
24. Programs Injection and Inoculation
25. Memory Resident Anti-Virus (TSR)
26. Practicing Antivirus, the AV Practice Lab (AVPL)
30. EIDE Drives and Dynamic Drive Overlay (DDO)

The NetZ Antivirus Guide can be reprinted for tutorial purposes, provided it's for non-commercial, non-profit purposes.

The AV Guide is available from the following addresses:

ftp.netzcomp.com/private/netz/av-guide.zip
ftp.invircible.com/invircible/av-guide.zip

The guide is also available from the InVircible forum on Compuserve and from AOL.

Regards, Zvi Netiv
- --------------------------------------------------------------------
NetZ Computing Ltd, Israel Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile) Fax +972 3 532 5325
CompuServe: go INVIRCIBLE ftp.netzcomp.com www.invircible.com
E-mail: netz@actcom.co.il netz@netzcomp.com Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Wed, 26 Jun 1996 21:03:59 +0300
From: Zvi Netiv
Subject: SW producer accused for spreading viruses (PC)
X-Digest: Volume 9 : Issue 104

On 26/6/96, Natalie wrote:

> I work for a small software development company. We have
> distributed a demo disk of our product that is being accused of
> containing a virus. We've checked all of our in-house copies and
> they are all clean. Our distribution system is also clean. We feel
> we are being wrongly accused but we don't know the best way to
> demonstrate this to the accusing party. Does anybody have any
> suggestions for how we can show that it is not our disks? and
> possibly how the accusing party might accurately pinpoint the source
> of the virus?

Welcome to the club of the innocents!

Your message doesn't contain sufficient information. It could help if you answered the following questions:

- What antivirus product claims that your distribution floppies are infected and what's the exact message, including the name of the virus it claims having found?

- When you check with the same antivirus product on your premises, does it also find the virus?
- Is the virus a boot infector or is it found in the software you developed (a file virus). This might have great importance in proving your innocence, or the contrary.
- Do you regularly use an antivirus product? Which one?

May I offer that you download InVircible and install it immediately to your computers. IV will tell if there is anything viral going on your machines, whether a common virus or new. Virus specific AV can usually tell if your computers are infected with common and known viruses, yet not always! Generic AV will dig out anything viral.

If InVircible finds nothing viral on your computers then you are on much more solid grounds as all that rests to prove then is:

- Either the floppies got infected on the user's machine, or
- The user's antivirus is false alarming.

IMPORTANT: InVircible provides two powerful features that can help resolving your problem:

1) You can secure and distribute your software with the IV integrity signature. Since IV is widely available then your software can be checked against its signature. This is sufficient proof whether the software was infected at factory or on the user's premises.

2) Registered IV users can process their floppies with the IV Armor (patent pending). The armor process installs a passive protective jacket on distribution disks that prevents file viruses from infecting the software even when floppies are write-enabled. This is especially important if your distribution disk requires write enabling for personalizing, etc. (like with Microsoft's Office, Stacker and Quarterdeck's products).

The IV integrity system and Armor provide both functional and legal protection to software producers and distributors against virus liabilities and risks.
InVircible is available from any of the sites in my signature.

Regards, Zvi
- --------------------------------------------------------------------
NetZ Computing Ltd, Israel    Producer of InVircible & ResQdisk
Voice +972 3 532 4563, +972 52 494 017 (mobile)    Fax +972 3 532 5325
CompuServe: go INVIRCIBLE    ftp.netzcomp.com    www.invircible.com
E-mail: netz@actcom.co.il    netz@netzcomp.com    Compuserve: 76702,3423
- --------------------------------------------------------------------

------------------------------

Date: Wed, 26 Jun 1996 23:41:38 +0000 (GMT)
From: Thomas Jue
Subject: virus id? creates "nit Succ ess" directory (PC)
X-Digest: Volume 9 : Issue 104

Virus infection on pentium/2 HD:

Symptoms:

1. C: boot drive no longer recognized. Slave D: drive not detected.

2. Rebooting from clean system diskette dos6.2 gives A> prompt. But sys c: will not effect system transfer from floppy to hard drive. Extended hard drive seek ending with a Message: insufficient memory space (even though memory is available). FDISK/mbr doesn't restore system.

3. Note with MSD (microsoft diagnostic program) that dblspace is active, block device (TSR). Yet drive is not a compressed one. Same result, even when computer is booted with clean system floppy diskette. Cannot execute dblspace program. Message: another dblspace.bin is currently in use.

4. Not detectable with FPROT or McAfee virus scanners.

Virus ID? Any suggestion for removal?

------------------------------

Date: Thu, 27 Jun 1996 12:47:19 +0000 (GMT)
From: jelitto@em.uni-frankfurt.de
Subject: Who can help with a PEACEKEEPER.A-type infection? (PC)
X-Digest: Volume 9 : Issue 104

Some days ago I caught a virus on my PC. I am not aware, whether it happened on WEB or UUNET. I think the infection is connected with an unknown file, I discovered on my PC. If I remember correctly its name was something like 'arrested', but written in Greek letters. Unfortunately I erased this file in the same moment and before I noticed that I have a problem.
The virus seems to append about 4 kB of material to *.exe and *.com-files. Moreover it seems to spoil NETSCAPE from time to time.

McAfee's most recent checker noticed 8 files infected by 'PEACEKEEPER.A'. There is no cleaner for this type of virus. But when these files were erased after a reboot everything seemed to be o.k. No further infection was signalized any longer. But after a short time it began again, and I cannot get rid of it.

Some word on my configuration: DOS6.2, 4DOS5.0, Windows3.11, Win32-overlay, Token-ring, Netscape2.02, FAgent, ... (~ 500 MB harddisk used by 8800 files in 300 directories). Therefore I would not like at all to reconfigure my PC.

This is the reason, why I ask you for help!

I am not a computer expert, but only a user. So what I wrote down may be a little bit unsharp. Please be free to contact me also by e-mail:

- ---> jelitto@em.uni-frankfurt.de <------

Thanx in advance, R.J. Jelitto

------------------------------

Date: Thu, 27 Jun 1996 13:07:02 +0000 (GMT)
From: eike
Subject: Re: Help: The bad sectors in my NEC HD are growing! (PC)
X-Digest: Volume 9 : Issue 104

Chia-yin Shih (chiayin@u.washington.edu) wrote:
: Even if I do ScanDisk immediately after I just finish one, the number of
: clusters containing bad bytes will still increase. This abnormal thing
: does not happen to my other two hard drives (one Maxtor and one
: Samsung), so I think it should be the NEC drive which has gone wrong.
:
: In my NEC drive, there used to be only about 2,000 bytes in bad
: sectors, but the number has increased to 1,056,768 bytes in bad
: sectors during only two days.
:
: Can this be caused by virus? (But I have checked the NEC drive with
: F-PROT program several times and found nothing wrong.)
: Could anyone tell me how to prevent it from getting worse?

I strongly recommend a full backup of your data, because I think that the possibility of a head crash within the next days is 99%.
I have seen problems like this several times on different machines, mostly UNIX boxes, and each time, the disk was dying!

Eike

------------------------------

Date: Thu, 27 Jun 1996 18:59:07 +0000 (GMT)
From: "Steven C. Zinski"
Subject: System date set to 2096 (PC)
X-Digest: Volume 9 : Issue 104

Here at the University of Richmond, we are experiencing a problem where the date is being bumped ahead 100 years (i.e., 2096) on some of our PC compatible systems. The problem seems to be totally random and will occur once and not happen again on that machine. Other machines experience the problem more frequently.

The thought has crossed my mind that this could possibly be some type of new virus. I have tried every virus scanner I can get my hands on and they all report no problems.

The problem has been occurring here for about a year on both our Windows 3.x systems and, more recently, on our new Windows 95 systems. On the Win3 systems, certain programs (i.e., WordPerfect 6.x, Eudora, Netscape, WinQVT, etc.) will begin generating crashes or GPFs. On the Win95 systems, we receive errors stating that the system registry is corrupt and must be restored from backup. The same programs will fail even though we've upgraded all the software to the newer 32-bit versions (with the exception of WordPerfect 6.x).

This leads me to believe that the problem lies in a buggy BIOS or a certain application is causing the problem. Since we've replaced the operating system and most applications (with the exception of WP6.x) with new 32-bit versions, the problem might be a glitch in WordPerfect.

I would appreciate those people experiencing the same problem posting me email describing the type of system (BIOS manufacturer, processor type, etc.) and what applications software you use regularly. Hopefully we can narrow this down and figure out what is causing the glitch.
- -Steve

------------------------------

Date: Fri, 28 Jun 1996 00:43:03 -0700
From: Simon Juncal
Subject: NOT SO sporadic Hangs/Lock ups-Virus?!? (PC)
X-Digest: Volume 9 : Issue 104

First off I'd like to say to Iolo that the Moderator clipped a part of my message (to the effect that I was currently looking for F-PROT and having trouble finding it) and He/she sent me an Email with an ftp for it (F-PROT) but by no fault of the moderator it was only V2.22.

In my defense I'd like to say that although I didn't mention it I had scanned with a number of older AV's and found nothing. I was simply looking for some useful advice on how to best go about finding and fixing my problem (such as good AV programs and methods for using them). I'm sorry if I offended anyone by not knowing the _exact_ steps to take before posting my symptoms.

To (hopefully) add a little info on my problem: F-PROT (2.22) and a small scanner called Fast scan (v1.10? put out in April I think?) did not find any virus activity and I am still getting these strange errors. It is not Bad command.com but Invalid command.com, could not load command. Most recently windows froze solid (had to turn off the computer to get going again). Upon getting back to windows, my video driver couldn't be loaded (I guess the hard drive was writing something to the driver file at the time of the freeze-up but this seems strange as I didn't think that drivers get written to [but I'm no programmer so...]). Shortly after I had a HD controller failure after a warm boot but a power off fixed this (and it hasn't happened again, never before either).

I may be vastly wrong but it seems to me that these problems are only consistent with 1) Major hardware failure all happening at the same relative time 2) a virus or 3) incredibly bad system configuration (a note on this, I have been fooling with hardware upgrades [from mother boards to networks], IRQ's, including and excluding specific memory areas [to get perfs.
functioning properly etc.] and otherwise managing my own memory, for around seven years and four different computers now. I think I have a handle on system configuration but you never know...)

Thanks for any help

- - Simon
Midzilla Music & sound
Mailto:sjuncal@erols.com, sjuncal@aol.com
web site http://users.aol.com/sjuncal/theax.html

------------------------------

Date: Fri, 28 Jun 1996 08:44:40 -0400
From: "William D. Witten"
Subject: Four viruses on one machine--suspicious?? (PC)
X-Digest: Volume 9 : Issue 104

I recently accepted a position replacing a systems analyst with whom my company had become disenchanted. Because I had experienced a plethora of viral infections in my last position, one of my first actions was to secure all of the computers. While scanning, I discovered

1) NATAS 4746,
2) Jerusalem.Sunday.Q,
3) Armagedon.1079.B,
4) Stealth Boot C

My question is this: What is the likelihood of these viruses finding their way into a closed LAN and embedding themselves at the exact opposite ends of the network? I think I already know the answer, but I wanted to check with others who have a bit more knowledge than myself before I come to any conclusions.

All four of these respective viruses were on the two computers. I used fdisk/mbr to deal with Stealth Boot C and was able to restore all of the .com and .exe files from backups and have not seen a new infection.

Any thoughts would be appreciated.

Thanks, William

------------------------------

Date: Fri, 28 Jun 1996 15:55:13 +0200
From: Rob
Subject: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 104

Vshield does not protect you against viruses coming from the internet or via email attachments; for this you need an additional product called webscan (contact your local McAfee dealer) which automatically scans files downloaded with a web browser and files which are sent as email attachments before executing in memory.

Maybe there is somebody out there with experiences.

- - With kind regards, Rob Vrouwenfelder.
Any comments or statements made do not necessarily represent the views of NAM or any other Shell Group company.

------------------------------

Date: Fri, 28 Jun 1996 09:05:13 -0400
From: Bill lambdin
Subject: Re: Scanning Incoming Mail (PC)
X-Digest: Volume 9 : Issue 104

Zvi Netiv writes

>As far as generic AV is concerned, we can tell genuine viruses from false
>alarms and deceptive code with great certainty. This is one of the
>aspects demonstrated in AVPL (the antivirus practice lab). AVPL has an

What about genuine viruses like Tremor that IV can not detect?

<>

a. IV modules can not detect Tremor in RAM, nor on infected files while Tremor is active in RAM.

b. IV can not detect Tremor at the next bootup when IV modules run from the AUTOEXEC.BAT.

c. How are users supposed to be aware of a virus infection when IV's modules keep reporting all clear?

d. What's worse, if Tremor is infecting the computer during installation of IV, and preparation of the rescue diskette, Tremor will infect COMMAND.COM on the rescue diskette, and Tremor will be active in RAM, and IV's modules can not detect Tremor from the hard drive or the rescue diskette.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                      C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 28 Jun 1996 09:05:24 -0400
From: Bill lambdin
Subject: Untouchable (PC)
X-Digest: Volume 9 : Issue 104

Zvi Netiv writes

>Untouchable's integrity checking and restoration is as functional
>as it was in 1992, when it first appeared on the market.

I agree completely. The integrity Checker in Untouchable is still good. However, I would not recommend Untouchable for users that have super size hard drives with thousands of executable files.
There is a security problem with Untouchable that Untouchable crashes when the integrity data reaches about 360K or so.

>You may wish to take a look at InVircible, it's an all-generic antiviral
>solution. It has integrity checking and recovery as well. IV pioneered the
>distributed integrity database, now used in other integrity systems as
>well, compared to the unified database that you know from Untouchable.

Comparing the integrity checking of Untouchable to the integrity checking in InVircible makes me sick!

A. Untouchable has the ability to check the integrity of all files. InVircible doesn't.

b. Untouchable will detect companion infectors. InVircible detects the ones that wander into the InVircible directory, and use the same name as an IV module. InVircible ignores the rest.

c. Untouchable will detect path companion infectors. InVircible doesn't.

d. Untouchable automatically prepares a bootable diskette with Untouchable, integrity data, and insists users boot clean and perform a full integrity check every n days. InVircible doesn't.

e. Untouchable goes through the Autoexec, and CONFIG.SYS and asks which drivers should be installed onto the rescue diskette, i.e. drivers to access compressed partitions, etc. InVircible doesn't.

f. Untouchable checks the integrity of the entire file with CRCs, and will detect cavity viruses that do not modify the entrypoint of files. InVircible only performs a spot integrity check of file areas likely to be modified by a virus.

G. Untouchable comes with a TSR that will detect many known viruses while attempting to run an infected file. InVircible doesn't.

H. Untouchable passed my generic A-V test on the second attempt. InVircible has failed my test four times in a row!

This is the difference between a quality A-V program with A-V developers that listen to constructive criticism, and take steps to close security problems, and an inferior A-V program with an A-V developer that refuses to listen to anyone.
I have been complaining about security problems in IV since August 1994.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                      C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 28 Jun 1996 09:05:19 -0400
From: Bill lambdin
Subject: File corruption (PC)
X-Digest: Volume 9 : Issue 104

Zvi Netiv writes

>File corruption isn't due to virus doing, in the majority of cases. Yet
>you can assure yourself by running InVircible. IV's 'speciality' is
>digging out new and evasive viruses.

Zvi, is the sky blue in your world?

ALL file corruption is not done by viruses, but a lot of file corruption is done by viruses. Look at viruses like Frodo, Dark Avenger, all overwriting viruses, viruses with bugs that corrupt the files instead of infecting them properly, etc.

Any quality integrity checking program like Integrity Master, Untouchable, etc will determine if the change is done by viruses, or faulty hardware.

I won't go into the lack of security with IV again.

Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                      C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Fri, 28 Jun 1996 15:54 +0000
From: Graham Cluley
Subject: Re: N40 virus?? (PC)
X-Digest: Volume 9 : Issue 104

In-Reply-To: <01I6GFPGT4IQWHZ0LR@csc.canterbury.ac.nz>

"Kwang S. Kye" writes:

> While attempting to remove the junkie virus from an infected P.C.
> with McAfee (DOS), a late May version. It came across a virus that
> it identified as "N40." It could not be cleaned. I never heard of
> this virus before and would appreciate any info. on this virus.
> In regards to its characteristics, and the best way to remove it
> from the infected system.

Sounds suspiciously like a McAfee false alarm to me.
Have you tried scanning your systems with some other highly regarded anti-virus products (eg. Dr Solomon's Anti-Virus Toolkit, F-Prot, or AVP)?

You can download an evaluation version of Dr Solomon's FindVirus (part of the commercial version of Dr Solomon's Anti-Virus Toolkit) from our website: http://www.drsolomon.com/software/

Regards
Graham
- --
Graham Cluley                      CompuServe: GO DRSOLOMON
Senior Technology Consultant,      UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.   US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com    UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com      USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 28 Jun 1996 18:07:15 +0000 (GMT)
From: Iolo Davidson
Subject: Re: SYS and FDISK/MBR, safe or not? (PC)
X-Digest: Volume 9 : Issue 104

In article <0030.01I6GFPGT4IQWHZ0LR@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:

> As for the "not yet written" viruses, why unnecessarily scaring
> the users about what doesn't exist?

No point at all in generics, then. Get something that deals properly with known viruses, and forget about those that don't yet exist.

> Bottom line: C:\DOS\SYS C: and C:\DOS\FDISK /MBR can be used
> safely when booted clean of a floppy.

This is simply bad advice and will cause those not familiar with viruses and anti-virus measures no end of trouble.

- -
IT SPREADS SO SMOOTH    LIKE VELVET
IT SHAVES SO SLICK      AND IT'S QUICK
IT FEELS                Burma-Shave

------------------------------

Date: Fri, 28 Jun 1996 13:21:52 -0600
From: George Wenzel
Subject: Re: Help - ANTICMOS A virus (PC)
X-Digest: Volume 9 : Issue 104

In article <0031.01I6GFPGT4IQWHZ0LR@csc.canterbury.ac.nz>, netz@actcom.co.il says:

>When clean, install InVircible, prepare the rescue diskette as instructed
>in the on-line help and process with FIXBOOT all floppies that went through
>the infected computer's drive.
>FIXBOOT will clean them from any boot virus
>without affecting the data on them and even preserve their bootability.

Are you assuming that the floppy that infected the user's system was bootable? Not necessarily. To infect a system with a pure BSV, you only need two conditions to be fulfilled: 1) you need an infected floppy, and 2) you start the machine with the infected floppy in the drive. The floppy does not need to be bootable.

I just thought I'd clear this up, since users might think that a non bootable floppy couldn't spread a BSV.

Regards,
George Wenzel

------------------------------

Date: Fri, 28 Jun 1996 13:21:33 -0600
From: George Wenzel
Subject: Re: Hard disk partition disappeared (PC)
X-Digest: Volume 9 : Issue 104

In article <0026.01I6GFPGT4IQWHZ0LR@csc.canterbury.ac.nz>, netz@actcom.co.il says...

>Keith Peer wrote:
>> What Robert Casas fails to mention is that using a non-memory
>> resident *generic* antivirus solution needlessly opens your systems
>> to virus attack.
>
>Hyped nonsense.

Pot. Kettle. Black as night.

>Not using any antiviral product isn't exactly safe, but
>even then, you don't necessarily "open your system to virus attack".

Um, if you're not using any anti-virus methods, you ARE opening your system to virus attack. If you don't have a method of preventing virus infection, you are opening your system to attack. Am I being clear here?

I think what Mr. Peer was trying to say was that a non-memory resident generic anti-virus opens a system to virus attack, since a virus can infect the system before the generic anti-virus has a chance to do its thing.

Regards,
George Wenzel

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 104]
******************************************
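Point f of the "Untouchable (PC)" post in this issue contrasts a CRC over the entire file with a spot check of the areas most likely to change. The following sketch is an added example, not part of the digest and not either product's algorithm; the 64-byte head/tail windows, the file names and the sample image are constructed assumptions.

```python
import zlib

WINDOW = 64  # assumed size of the head/tail regions the spot check reads


def full_crc(data: bytes) -> int:
    """CRC-32 over every byte of the file."""
    return zlib.crc32(data) & 0xFFFFFFFF


def spot_sig(data: bytes, window: int = WINDOW) -> tuple:
    """Length plus CRC-32 of only the first and last `window` bytes."""
    return (len(data), zlib.crc32(data[:window]), zlib.crc32(data[-window:]))


def make_baseline(files: dict) -> dict:
    """Record both signatures for each file while it is known clean."""
    return {name: (full_crc(d), spot_sig(d)) for name, d in files.items()}


def audit(baseline: dict, files: dict) -> dict:
    """Map each baselined name to the set of checks that flag a change."""
    report = {}
    for name, (crc, sig) in baseline.items():
        data = files.get(name)
        if data is None:
            report[name] = {"missing"}
            continue
        flags = set()
        if full_crc(data) != crc:
            flags.add("full")
        if spot_sig(data) != sig:
            flags.add("spot")
        report[name] = flags
    return report


def sample_image() -> bytes:
    """Constructed stand-in for an executable: header, code, zero padding, tail."""
    header = bytes(range(128))
    code = bytes((i * 7) % 251 for i in range(1024))
    padding = bytes(2048)
    tail = bytes((i * 3) % 256 for i in range(128))
    return header + code + padding + tail


def demo() -> dict:
    """Baseline four copies of the sample, alter them, and audit the result."""
    clean = sample_image()
    names = ("CLEAN.EXE", "GROWN.EXE", "INNER.EXE", "GONE.EXE")
    baseline = make_baseline({n: clean for n in names})

    grown = clean + b"X" * 512          # bytes appended: length and tail change
    inner = bytearray(clean)
    inner[1500:1756] = b"\xAA" * 256    # same length, change confined to padding

    later = {"CLEAN.EXE": clean, "GROWN.EXE": grown, "INNER.EXE": bytes(inner)}
    return audit(baseline, later)


if __name__ == "__main__":
    for name, flags in sorted(demo().items()):
        print(f"{name:10} flagged by: {sorted(flags) or 'nothing'}")
```

The same-length change inside the padding is reported by the whole-file CRC only, while the appended change trips both checks; the spot check is cheaper per file, which is the trade-off behind the disagreement in the thread.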