VIRUS-L Digest   Friday, 5 Jul 1996   Volume 9 : Issue 107

Today's Topics:

Re: Scanning incoming mail
Re: Disknet
Re: AV guys misnaming viruses
What's the best for WinNT? (NT)
Mysterious Fireworks on screen? (WIN95)
LASTRUN, without screen messages? (PC)
Re: The Quandary Virus (PC)
Re: Hard Disk like ramdisk - is it a virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted. Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current
FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be
sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 04 Jul 1996 20:37:02 +1000
From: Grahame Grieve
Subject: Re: Scanning incoming mail
X-Digest: Volume 9 : Issue 107

At 01:09 AM 03/07/96 +1200, Zvi wrote:

>Susceptibility to false alarms is increasing with the number of viruses
>handled. Take F-Prot for example, version 2.19 had about 25% of false
>positives against a given AVPL scenario. The latest version 2.23a has 100%
>susceptibility with the very same scenario - with dismembered carcasses of
>archaic viruses from the late eighties.

I work in Pathology.
In Pathology we have an understanding of False positives etc rooted in
our soul, for similar reasons to those being talked about here.

So. 100 percent false positives? If the same degree of care and
objectiveness in the reporting of the data was applied to the test, the
number means nothing. Normally False positives are reported as a
percentage of total scanned files. So are we to assume that F-prot
reported every file scanned as infected when it wasn't? If this is true,
*good test* wasn't it! Methinks that 100 percent refers to the degree of
skill in the construction of the test to render the required result.

>Biological viruses are far more harmful than computer viruses. Yet you
>don't 'scan' anyone that you shake hands with, nor even go to bed with. :-)
>Then what's the fuss about computer viruses?

Now this is an interesting argument. Keep us pathology people in
business, this argument would.

Now on that subject, has anyone noticed that Zvi is quite happy to
recommend that fdisk/burn be used? And that when the regular parade of
visitors roll up, having just done that when they shouldn't have, Zvi's
quick off the blocks to suggest that they *buy* his resqdisk to save
their data? Or do I draw the wrong conclusion?

Grahame
St Vincent's Hospital
Melbourne.

- --------------------
Notice at the smoking spot outside the hospital:

Oncology Unit
Business Generation Centre

------------------------------

Date: Thu, 04 Jul 1996 15:44:22 +0100
From: Francois Pirsch
Subject: Re: Disknet
X-Digest: Volume 9 : Issue 107

Martin Taylor wrote:

> There are some virus issues it doesn't address, notably that of infected
> downloads from networks. However, it is very effective in an organisation
> like the one I work for, in preventing BSV infections, which are the vast
> majority of potential infections for us.
Secret hint (schhht, don't tell anyone): to protect your organization
against BSV (I mean boot sector _only_ viruses, "which are the vast
majority of potential infections"), just set up your boot sequence from
"A:,C:" to "C:,A:", enable the "virus warning" if your BIOS has this
feature* (it will probably have another name on your computers), then
protect your system setup with a password. Cost: $0.00.

Even a multipartite infector like Tequila will be stopped: it needs to
be loaded from the MBR to become resident in memory.

But of course, "there are some virus issues it doesn't address".

Francois Pirsch

* some BIOSes verify both MBR and boot sector write attempts.

------------------------------

Date: Thu, 04 Jul 1996 13:06:46 -0400 (EDT)
From: Karsten Ahlbeck <100554.2356@CompuServe.COM>
Subject: Re: AV guys misnaming viruses
X-Digest: Volume 9 : Issue 107

jhb wrote:

>A good question from a newbie:
> how can I know if an AV product will remove a virus if I do not even know
>if the AV product can find that virus yet. Since the virus announces it

You can not be certain of a virus being removed even if it is known by
the AV product :-(

>self as say Bizatch but I can't find an AV product that removes it because
>everyone calls it Boza but I am a newbie and I only know what the virus
>showed me on the screen.

How did you get your hands on this virus? I mean, it is *very* rare and
this must be considered an extreme case. I would guess 99% of viral
attacks are made by known viruses. At the time you got your hands on
this virus, any newly updated well-known AV product should have been
able to find the virus when scanning. If the AV program gives you a
warning - DON'T run it, send a copy to the AV developer to see if it
really is the virus.

For unknown viruses, I would recommend an integrity checker (installed
on a clean system).
> Oh yeah just buy the most expensive one hmm
>that did not work I know call Tech support hmm "erase all infected files
>and restore from backup" Gee I guess trusting the AV people to help is
>great.
>Just what happened to a friend of mine when he bought a well known AV
>product to remove the Manzon virus. Luckily he mentioned to me his

Why not install an antivirus program BEFORE you get infected, and scan
all your incoming files before you execute them?

The safest way *ever* to get rid of a virus is to clean-boot and then
remove the infected file(s). Disinfection could be tried, but in that
case you should check the file before and after disinfection with an
integrity checker to see that it was disinfected properly (compare
signatures before and after).

Yours Sincerely,
Karsten Ahlbeck

* The opinions expressed above may not be my own but entirely those of
Karahldata, my employer :-)*
===========================================================
Karahldata Sverige - data integrity and antivirus
Swedish Integrity Master agent
===========================================================

------------------------------

Date: Thu, 04 Jul 1996 13:10:12 -0400
From: "Myron A. Semack"
Subject: What's the best for WinNT? (NT)
X-Digest: Volume 9 : Issue 107

I'm running Windows NT Workstation (3.51). Which anti-virus program do
you consider to be the most effective? I'd appreciate any insight you
might have.

Thanks!

- -
Myron A. Semack
mailto:semack@unix.gaianet.net
http://www.gaianet.net/~semack/

------------------------------

Date: Fri, 05 Jul 1996 00:11:08 +0000 (GMT)
From: Pete Crayne
Subject: Mysterious Fireworks on screen? (WIN95)
X-Digest: Volume 9 : Issue 107

Background: Pentium 90, Win95, running McAfee ViruScan95 2.04, virus
definition 2.2.9606.

So, at exactly 1:00am July 3rd, my screen goes black, and fills with
fireworks. They're the little 4-pixel square kind that you'd expect from
a hack program. I have no mouse pointer, or other apparent input.
After about 5 seconds it goes away. Norton Disk Doctor shows no damaged
files. Nothing appears missing or malfunctioning. In other words, no
apparent damage.

I've scanned with McAfee, Dr. Solomon's, and Thunderbyte Anti-Virus. No
viruses or suspicious activity found. In "High Heuristic sensitivity"
mode, TBAV found a few files that "could be viruses", but nothing that I
really believe is. ('sys.com determines whether a file is .com or exe'.
That sort of thing.)

Since then it's happened again to me, and twice on other people's
machines here at work.

Anyone recognize this? Is this a new virus, or an easter egg built into
one of the programs we use?

TIA..

pcrayne@halcyon.com

------------------------------

Date: Thu, 04 Jul 1996 15:38:10 +0000 (GMT)
From: Richard Evans
Subject: LASTRUN, without screen messages? (PC)
X-Digest: Volume 9 : Issue 107

Just an irritating point that somebody might be able to suggest an
answer to.

We are using Dr. Solomon's Toolkit and I have written a batch file to
scan user hard drives every couple of weeks. For this I am using the
TKUTIL LASTRUN command. The problem is that it seems to insist on
sending a message to the screen saying X number of days since last
lastrun. Some users see these messages appearing on their screens and
are confused by them, and make comments such as how come it is telling
me that it is X amount of days.

Is there any way to use LASTRUN without it sending its output to the
screen? I have tried the CTTY NUL trick, but TKUTIL seems to bypass this
one. If there is no way to turn these messages off, is there any chance
of future releases including a switch to do this?

Richard.
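Karsten Ahlbeck's post earlier in this issue recommends an integrity checker installed on a clean system, and comparing a file's signature before and after disinfection. The following is an added example of that mechanism, not code from the digest or from any product named in it. It assumes SHA-256 as the per-file signature (checkers of the period used CRCs; the algorithm is interchangeable here), a baseline stored as a JSON file, and a constructed sample tree built in a temporary directory.

```python
"""Minimal file integrity checker: baseline a directory tree, then
compare a later snapshot against it and report what changed.

Added example; not code from VIRUS-L or from any product mentioned in
this digest. SHA-256 as signature, JSON baseline file and the sample
tree are assumptions of this example.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_signature(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files fit."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map every regular file under root (relative POSIX path) to its
    size and signature. Size is cheap and catches most changes early;
    the hash catches same-size modifications such as patched code."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # only regular files are baselined
            rel = p.relative_to(root).as_posix()
            result[rel] = {"size": p.stat().st_size,
                           "sha256": file_signature(p)}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    base_keys, cur_keys = set(baseline), set(current)
    changed = sorted(k for k in base_keys & cur_keys
                     if baseline[k]["sha256"] != current[k]["sha256"])
    return {
        "changed": changed,
        "added": sorted(cur_keys - base_keys),
        "missing": sorted(base_keys - cur_keys),
    }


def save_baseline(path, snap: dict) -> None:
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    # Constructed sample tree: a "clean" state, then one file altered
    # and one file added, the kind of change a checker is there to show.
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "tree"
        (tree / "bin").mkdir(parents=True)
        (tree / "bin" / "tool.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")  # constructed bytes
        (tree / "readme.txt").write_text("hello\n")
        save_baseline(Path(tmp) / "baseline.json", snapshot(tree))
        with (tree / "bin" / "tool.com").open("ab") as f:
            f.write(b"\x90" * 16)            # file grew: signature changes
        (tree / "bin" / "new.exe").write_bytes(b"MZ")
        report = compare(load_baseline(Path(tmp) / "baseline.json"),
                         snapshot(tree))
        print(report)
```

The baseline must be taken from a known-clean system and kept where the scanned machine cannot rewrite it (a write-protected floppy in 1996 terms); a checker whose baseline lives on the same writable disk only tells you what changed since the last time something rewrote the baseline.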
------------------------------

Date: Thu, 04 Jul 1996 18:22:51 +0000
From: Fridrik Skulason
Subject: Re: The Quandary Virus (PC)
X-Digest: Volume 9 : Issue 107

In <0018.01I6NNKBOXT2WHZC3A@csc.canterbury.ac.nz> Hunter@elmo.cadvision.com writes:

>Does anyone know exactly what the quandary virus does to my boot sector,
>and how I can eliminate this virus?
>
>It seems that F-prot and McAfee have agreed to not be able to disinfect
>this virus

Huh? As far as I can determine, F-PROT does not have any problem
removing it... disinfection simply involves moving head 0, track 0,
sector 14 to head 0, track 0, sector 1..... what happens when you try to
remove it?

-frisk

- -
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Thu, 04 Jul 1996 15:04:36 -0400 (EDT)
From: Kenneth Albanowski
Subject: Re: Hard Disk like ramdisk - is it a virus? (PC)
X-Digest: Volume 9 : Issue 107

On Wed, 3 Jul 1996, Scott Ehrlich wrote:

> At work, we've recently seen various computers (top-brand Pentiums)
> develop a problem where the hard disk appears to be a ramdisk. When
> information is written to the disk, the information appears changed,
> but, when rebooted, is restored to its original form.
> [...]
> The only thing which DID work was to reformat the hard drive. I
> reformatted, clearly saw hard disk activity, and the disk WAS formatted.
> I then rebooted, fdisk/mbr, rebooted, fdisk, rebooted, fdisk again, and
> all was fine. I installed the necessary stuff from a special boot
> floppy which accesses the LAN.
>
> Writing to the network drive showed no problems.

I hate to point this out, but did you have SMARTDRV (or any other disk
cache) loaded when you tried to write to the disk? Many disk caches have
a "write-behind" mode that does exactly what you describe.
You need to wait some amount of time (30 seconds to 3 minutes might be
common figures) before it actually writes the data to disk. Modern
caches should make sure all data is written before returning to the
prompt, and also should default to "write-through" (the opposite of
write-behind) so that this sort of loss doesn't happen.

I sincerely hope you didn't go through all the reformatting just because
a cache was loaded...

- -
Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126)

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 107]
******************************************
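Kenneth Albanowski's post above explains why a write-behind cache makes a disk look like a ramdisk: reads are answered from the dirty buffer, so the write looks committed, but a reset before the flush timer fires throws the data away. The model below is an added example, not code from the digest or from SMARTDRV; the disk, cache, clock and the 30-second flush delay are all constructed stand-ins chosen to show the symptom and the write-through fix, not a description of any real cache's timing.

```python
"""Model of a write-behind disk cache, to show the 'hard disk behaves
like a ramdisk' symptom and why write-through (or flushing before the
prompt returns) avoids it.

Added example; not code from VIRUS-L or from any cache product. The
Disk, Cache and the caller-supplied clock are constructed for the
demonstration; the 30 s delay is illustrative only.
"""
from typing import Dict, Optional

SECTOR = 512


class Disk:
    """Persistent store: the only thing that survives a simulated reset."""
    def __init__(self) -> None:
        self.sectors: Dict[int, bytes] = {}

    def write(self, n: int, data: bytes) -> None:
        self.sectors[n] = data

    def read(self, n: int) -> bytes:
        return self.sectors.get(n, b"\x00" * SECTOR)


class Cache:
    """Disk cache with either write-behind (delayed) or write-through writes."""
    def __init__(self, disk: Disk, write_through: bool, delay: float = 30.0) -> None:
        self.disk = disk
        self.write_through = write_through
        self.delay = delay
        self.dirty: Dict[int, bytes] = {}
        self.dirty_since: Optional[float] = None

    def write(self, n: int, data: bytes, now: float) -> None:
        if self.write_through:
            self.disk.write(n, data)      # reaches the platter before returning
            return
        self.dirty[n] = data             # write-behind: sits in RAM for now
        if self.dirty_since is None:
            self.dirty_since = now

    def read(self, n: int) -> bytes:
        # Dirty buffer is consulted first, so the write *looks* committed
        # to every program on the running system, even if nothing was flushed.
        if n in self.dirty:
            return self.dirty[n]
        return self.disk.read(n)

    def tick(self, now: float) -> None:
        """Periodic timer: flush once the delay has elapsed since the first dirty write."""
        if self.dirty and self.dirty_since is not None and now - self.dirty_since >= self.delay:
            self.flush()

    def flush(self) -> None:
        """What a well-behaved cache does before returning to the prompt."""
        for n, data in self.dirty.items():
            self.disk.write(n, data)
        self.dirty.clear()
        self.dirty_since = None


def reboot_after_write(write_through: bool, seconds_before_reset: float) -> bytes:
    """Write a sector, wait, then hard-reset without a clean shutdown.
    Returns what the disk holds afterwards: only data flushed before
    the reset survives, everything still in the cache is gone."""
    disk = Disk()
    cache = Cache(disk, write_through=write_through, delay=30.0)
    cache.write(7, b"new contents", now=0.0)
    cache.tick(now=seconds_before_reset)      # timer may or may not have fired
    assert cache.read(7) == b"new contents"   # looks fine from the running system
    # ...hard reset: the Cache object and its dirty buffer simply vanish.
    return disk.read(7)


if __name__ == "__main__":
    print("write-behind, reset after 5 s: ", reboot_after_write(False, 5.0)[:12])
    print("write-behind, reset after 45 s:", reboot_after_write(False, 45.0)[:12])
    print("write-through, reset at once:  ", reboot_after_write(True, 0.0)[:12])
```

The same model explains why the reformat "worked": a format followed by reboots and fdisk runs spends long enough with the cache idle that every pending write is flushed, which looks like a cure even though nothing was infected.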
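Fridrik Skulason's reply on the Quandary virus above states that cleanup is a sector move: head 0, track 0, sector 14 back to head 0, track 0, sector 1. The following is an added example of performing that move on a raw disk image with the sanity checks a practitioner would add; it is not F-PROT's code nor anything from the digest. It assumes 512-byte sectors, BIOS CHS numbering (sectors count from 1, heads and cylinders from 0) and a constructed sample image whose geometry constants are illustrative, not facts about Quandary.

```python
"""Restore an original boot sector that was parked at another sector
on track 0 of the same disk, working on a raw image file.

Added example; not F-PROT's code nor code from VIRUS-L. 512-byte
sectors, the CHS->LBA formula and the sample image are assumptions.
"""
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def chs_to_offset(cylinder: int, head: int, sector: int,
                  heads: int, sectors_per_track: int) -> int:
    """Byte offset of a CHS address in a raw image (standard LBA formula).
    For (0, 0, s) this is simply (s - 1) * SECTOR_SIZE whatever the geometry."""
    if sector < 1 or sector > sectors_per_track or head < 0 or head >= heads:
        raise ValueError("CHS address outside the declared geometry")
    lba = (cylinder * heads + head) * sectors_per_track + (sector - 1)
    return lba * SECTOR_SIZE


def read_sector(image: bytes, offset: int) -> bytes:
    return bytes(image[offset:offset + SECTOR_SIZE])


def looks_like_boot_sector(sector: bytes) -> bool:
    """Cheap sanity check: full length, the 0x55AA signature at the end,
    and non-empty code area. Not a proof, but it stops a blank or
    unrelated sector from being copied over sector 1."""
    return (len(sector) == SECTOR_SIZE
            and sector[-2:] == BOOT_SIGNATURE
            and any(sector[:446]))


def restore_boot_sector(image: bytearray, saved_sector: int = 14,
                        heads: int = 2, sectors_per_track: int = 18) -> bool:
    """Copy the saved original from (0,0,saved_sector) to (0,0,1).

    Returns True if the copy was made, False if the saved sector does
    not look like a boot sector (then leave the disk alone and examine
    it properly). The parked copy is intentionally left in place so a
    later integrity check can confirm what was restored.
    """
    src = chs_to_offset(0, 0, saved_sector, heads, sectors_per_track)
    dst = chs_to_offset(0, 0, 1, heads, sectors_per_track)
    original = read_sector(image, src)
    if not looks_like_boot_sector(original):
        return False
    image[dst:dst + SECTOR_SIZE] = original
    return True


def make_sample_image(heads: int = 2, sectors_per_track: int = 18) -> bytearray:
    """Constructed track 0 of a 1.44 MB style floppy: a plausible DOS
    boot sector parked at sector 14 and filler at sector 1. No real
    virus code is involved; the sector-1 content is just padding."""
    image = bytearray(heads * sectors_per_track * SECTOR_SIZE)
    original = bytearray(SECTOR_SIZE)
    original[0:3] = b"\xEB\x3C\x90"          # JMP short + NOP, as DOS boot sectors begin
    original[3:11] = b"MSDOS5.0"             # OEM label, constructed
    original[-2:] = BOOT_SIGNATURE
    src = chs_to_offset(0, 0, 14, heads, sectors_per_track)
    image[src:src + SECTOR_SIZE] = original
    dst = chs_to_offset(0, 0, 1, heads, sectors_per_track)
    image[dst:dst + SECTOR_SIZE] = b"\x00" * (SECTOR_SIZE - 2) + BOOT_SIGNATURE
    return image


if __name__ == "__main__":
    img = make_sample_image()
    print("sector 1 before:", read_sector(img, 0)[:11])
    print("restored:", restore_boot_sector(img))
    print("sector 1 after: ", read_sector(img, 0)[:11])
```

Work on an image or with the machine booted from a known-clean write-protected floppy, never from the suspect disk itself: a resident boot-sector virus that is still in memory can redirect or re-infect the very sector write you are relying on, which is exactly the kind of situation where "the scanner cannot disinfect it" reports come from.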