VIRUS-L Digest   Wednesday, 10 Jul 1996   Volume 9 : Issue 110

Today's Topics:

Re: ONLINE AV program
[2nd Posting] CFP: Symposium on Network and Distributed System Security
Re: ONLINE AV program
Re: ONLINE AV program
Hackers, Crackers, Sniffers
Re: Missing Files (MAC)
Re: Lost files (MAC)
Re: Slow virus checking with McAfee Win95 antivirus (WIN95)
Windows 95 reboot virus??? (WIN95)
McAfee Scan95 double-load? (WIN95)
Problems removing QUANDARY in Win95 (WIN95)
Re: mcafee Virus Scan 2.2 (WIN)
Re: mcafee Virus Scan 2.2 (WIN)
Re: HELP!!...I'm being FORM-ed to death! (PC)
Re: Dangerous virus scanner (PC)
Re: HELP!!...I'm being FORM-ed to death! (PC)
Re: Tremor vs InVircible (PC)
Re: Tremor vs InVircible (PC)
Re: Dangerous virus scanner (PC)
What does Fair.Z do?? (PC)
Re: How good is McAfee (PC)
Re: Dangerous virus scanner (PC)
Re: System date set to 2096 (PC)
Re: Dangerous virus scanner (PC)
Re: Dangerous virus scanner (PC)
Re: Tremor vs InVircible (PC)
CMOS/BIOS Virus questions (PC)
Re: Anti.exe caused fatal exceptions? (PC)
Which AV strategy? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 08 Jul 1996 10:21 +0000
From: Graham Cluley
Subject: Re: ONLINE AV program
X-Digest: Volume 9 : Issue 110
In-Reply-To: <01I6TWK6TJQIWHZC3A@csc.canterbury.ac.nz>

Eli Ross writes:

> I need advice on an AV program that will detect viruses from
> email, newsgroups and WWW sites that I d/l.
>
> I know that Symantec and McAfee have such programs.
>
> Anyone have actual experience with these. I would like feedback
> on ease of installation, does it slow down badly accessing and
> efficiency.

Although it is possible to buy something web-specific for your virus protection, it doesn't make a lot of sense. After all, viruses can still infect you via your floppy disks and network - so are you going to run *another* anti-virus product for those entry points?

What makes more sense is to run an anti-virus product which can protect you from all angles - including the web, email, networks, floppy disks, etc. A regular good quality on-access scanner (TSR or VxD) can do this.

Such an on-access scanner is also not vulnerable to the security hole found in web-specific products (see Computer Weekly, July 4th 1996, where it was uncovered that web-specific anti-virus products can be circumvented simply by using the right-hand mouse button under Netscape rather than the left!)

Regards
Graham
--
Graham Cluley, Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit
Email: gcluley@uk.drsolomon.com        Web: http://www.drsolomon.com
CompuServe: GO DRSOLOMON
UK Support: support@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
US Support: support@us.drsolomon.com   USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!
------------------------------

Date: Mon, 08 Jul 1996 10:35:27 -0700
From: Matt Bishop
Subject: [2nd Posting] CFP: Symposium on Network and Distributed System Security
X-Digest: Volume 9 : Issue 110

CALL FOR PAPERS

The Internet Society Symposium on Network and Distributed System Security
February 10-11, 1997, San Diego Princess Resort, San Diego, California

Submissions due: August 1, 1996
Notification to Authors: October 1, 1996
Camera-Ready Copy due: November 1, 1996

GOAL: The symposium will bring together people who are building hardware and software to provide network and distributed system security services. The symposium is intended for those interested in the practical aspects of network and distributed system security, focusing on actual system design and implementation, rather than theory. We hope to foster the exchange of technical information that will encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Symposium proceedings will be published by the IEEE Computer Society Press.

Topics for the symposium include, but are not limited to, the following:

* Design and implementation of communication security services: authentication, integrity, confidentiality, authorization, non-repudiation, and availability.

* Design and implementation of security mechanisms, services, and APIs to support communication security services, key management and certification infrastructures, audit, and intrusion detection.

* Requirements and designs for securing network information resources and tools -- WorldWide Web (WWW), Gopher, archie, and WAIS.

* Requirements and designs for systems supporting electronic commerce -- payment services, fee-for-access, EDI, notary -- endorsement, licensing, bonding, and other forms of assurance.

* Design and implementation of measures for controlling network communication -- firewalls, packet filters, application gateways, and user/host authentication schemes.

* Requirements and designs for telecommunications security especially for emerging technologies -- very large systems like the Internet, high-speed systems like the gigabit testbeds, wireless systems, and personal communication systems.

* Special issues and problems in security architecture, such as interplay between security goals and other goals -- efficiency, reliability, interoperability, resource sharing, and cost.

* Integration of security services with system and application security facilities, and application protocols -- including but not limited to message handling, file transport, remote file access, directories, time synchronization, data base management, routing, voice and video multicast, network management, boot services, and mobile computing.

GENERAL CHAIR:
David Balenson, Trusted Information Systems

PROGRAM CHAIRS:
Clifford Neuman, University of Southern California
Matt Bishop, University of California at Davis

PROGRAM COMMITTEE:
Steve Bellovin, AT&T Research
Tom Berson, Anagram Laboratories
Doug Engert, Argonne National Laboratory
Warwick Ford, Bell Northern Research
Richard Graveman, Bellcore
Li Gong, SRI
Burt Kaliski, RSA Laboratories
Steve Kent, BBN
Tom Longstaff, CERT
Doug Maughan, National Security Agency
Dan Nessett, Sun Microsystems
Hilarie Orman, DARPA
Michael Roe, Cambridge University
Christoph Schuba, Purdue University
Jonathan Trostle, CyberSafe
Theodore Ts'o, Massachusetts Institute of Technology
Doug Tygar, Carnegie Mellon University
Vijay Varadharajan, University of W. Sydney
Roberto Zamparo, Telia Research

LOCAL ARRANGEMENTS CHAIR:
Thomas Hutton, San Diego Supercomputer Center

PUBLICATIONS CHAIR:
Steve Welke, Institute for Defense Analyses

REGISTRATIONS CHAIR:
Donna Leggett, Internet Society

SUBMISSIONS: The committee invites technical papers and panel proposals for topics of technical and general interest. Technical papers should be 10-20 pages in length. Panel proposals should be two pages and should describe the topic, identify the panel chair, explain the format of the panel, and list three to four potential panelists. Technical papers will appear in the proceedings. A description of each panel will appear in the proceedings, and may, at the discretion of the panel chair, include written position statements from each panelist.

Each submission must contain a separate title page with the type of submission (paper or panel), the title or topic, the names of the author(s), organizational affiliation(s), telephone and FAX numbers, postal addresses, Internet electronic mail addresses, and must list a single point of contact if more than one author. The names of authors, affiliations, and other identifying information should appear only on the separate title page.

Submissions must be received by 1 August 1996, and should be made via electronic mail in either PostScript or ASCII format. If the committee is unable to print a PostScript submission, it will be returned and hardcopy requested. Therefore, PostScript submissions should arrive well before 1 August. If electronic submission is difficult, submissions should be sent via postal mail.

All submissions and program related correspondence (only) should be directed to the program chair: Clifford Neuman, University of Southern California, Information Sciences Institute, 4676 Admiralty Way, Marina del Rey, California 90292-6695, Phone: +1 (310) 822-1511, FAX: +1 (310) 823-6714, Email: sndss97-submissions@isi.edu.

Dates, final call for papers, advance program, and registration information will be available at the URL: http://www.isoc.org/conferences/ndss97.

Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact the program chair as indicated above. Authors and panelists will be notified of acceptance by 1 October 1996. Instructions for preparing camera-ready copy for the proceedings will be sent at that time.
The camera-ready copy must be received by 1 November 1996.

------------------------------

Date: Mon, 08 Jul 1996 16:45:35 -0700
From: Jonathan conley
Subject: Re: ONLINE AV program
X-Digest: Volume 9 : Issue 110

Eli Ross wrote:

> I need advice on an AV program that will detect viruses from
> email, newsgroups and WWW sites that I d/l.
>
> I know that Symantec and McAfee have such programs.
>
> Anyone have actual experience with these. I would like feedback
> on ease of installation, does it slow down badly accessing and
> efficiency.

McAfee WebScan. I don't know how well it works, but you can find it at Computer Warehouse in Jonesboro, AR.

------------------------------

Date: Mon, 08 Jul 1996 20:03:57 -0600
From: George Wenzel
Subject: Re: ONLINE AV program
X-Digest: Volume 9 : Issue 110

In article <0003.01I6TWK6TJQIWHZC3A@csc.canterbury.ac.nz>, eross@enteract.com says...

>I need advice on an AV program that will detect viruses from
>email, newsgroups and WWW sites that I d/l.

You don't need an anti-virus program specifically for that purpose. What you need is an on-access scanner (a VxD if you're running Windows) that will scan all files as they're written to the disk (alternatively, when they're run).

>I know that Symantec and McAfee have such programs.

Almost all major anti-virus companies produce on-access scanners. They're called TSR scanners (under DOS) and VxDs (virtual device drivers under Windows).

>Anyone have actual experience with these. I would like feedback
>on ease of installation, does it slow down badly accessing and
>efficiency.

A well designed VxD should have an easy installation, cause virtually no noticeable slowdown (it will slow things down when you run executable files, but not much) and be as accurate as the full on-demand scanner.

Personally, I'd recommend Dr. Solomon's anti-virus toolkit. It's a bit pricey, but it's got a high (very high) detection rate, and includes numerous tools aside from just the scanner. I've tried (literally) dozens of anti-virus products, and DSAVTK is the one that I use on a regular basis.

Regards,
George Wenzel
--
George Wenzel
Student of Wado Kai Karate
U of A Karate Club
http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Mon, 08 Jul 1996 22:08:59 +0000
From: Keith Peer
Subject: Hackers, Crackers, Sniffers
X-Digest: Volume 9 : Issue 110

"Perils of the Internet and Practical Solution"
Confronting threats from Hackers, Crackers, and Sniffers

September 24-26, 1996
Sheraton Inn, Cleveland Airport
Cleveland, Ohio USA

Sponsored by: NASA, NCSA, ISSA North Coast Chapter

==================================================
Computer Virus Workshop - Speaker slots available!
==================================================

Exhibitor space available!
==========================

To be a speaker or to obtain exhibitor space contact for more information:

Keith Peer
Secretary / ISSA North Coast Chapter
P.O. Box 856
Brunswick, Ohio 44212
PH (330) 273-2820
FAX (330) 220-4129
E-mail keith@command-hq.com

Current list of presentations and/or lectures by:
------------------------------------------------
Dr. Julian Earls, Chief Information Officer, NASA Lewis Research Center
John Hairston, Director of External Affairs, NASA Lewis Research Center
John Gibbons, Science & Technology Policy Advisor to President Clinton
Dr. Peter Tippett, PhD., President, National Computer Security Association
Dr. John Alger, Dean, School of Information Warfare Strategy, National Defense University
Dr. Martin Harris, PhD., Cleveland Clinic Foundation
James Wade, President, International Systems Security Association
Guy Moins, BIM Engineering Europe

Current list of Workshops and/or panel discussions
-------------------------------------------------
Using the Internet Security Scanner
National Incident Response Teams
Government and Industry Dealing with Computer Crimes
Who you gonna call?
Network Management
Viruses: how they affect Corporations
Security Awareness Training
Electronic Commerce
Technology Protection and Control
Hacker Techniques
Information Security Industry

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.               USA Distributor for AntiViral Toolkit Pro
P.O. Box 856, Brunswick, Ohio 44212
Internet: info@command-hq.com      CompuServe: 102404,3654 (GO AVPRO)
FTP: ftp.command-hq.com /pub/command/avp
WWW: http://www.command-hq.com/command
Phone: 330-273-2820   Fax: 330-220-4129   BBS: 330-220-4036
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Mon, 08 Jul 1996 02:04:15 +0000 (GMT)
From: dd
Subject: Re: Missing Files (MAC)
X-Digest: Volume 9 : Issue 110

I've had the same thing happen to me using those sites. I have not detected any virus on my Mac; I try later and everything works fine, the file comes across and Expander does its job. I am guessing that sometimes things just go awry traveling along.....

dd

------------------------------

Date: Mon, 08 Jul 1996 08:19:11 -0400 (EDT)
From: "Lupu.R@WWG"
Subject: Re: Lost files (MAC)
X-Digest: Volume 9 : Issue 110

On Friday, 05 July, 1996, someone in cyberspace wrote:

> I have picked up a virus on my Power Macintosh (Performa 6200CD)... I
> believe its source to be an Info-Mac mirror site (can't remember which
> site I got the file from). Details follow...
>
> I downloaded a BBedit HQX from one of the info-mac mirror sites using
> Anarchie.
> Stuffit Expander automatically kicked off trying to expand the file
> (normal action).
> I stopped the expansion to continue with other
> downloads.
>
> After downloading 2 other files (names escape me, but they're not
> important) I moved the bbedit HQX and other hqx files out of the
> Anarchie Download folder and threw the rest of the stuff in the trash.
> I then dragged (drug???) the bbedit HQX to the Stuffit Expander icon
> on my launcher.
>
> At this point ALL HELL BROKE LOOSE...

I am about as far from an expert as you can get, but this sounds like more of a Trojan Horse scenario than a virus. Did you actually execute any file or were you just expanding the archive? You might want to e-mail the host for the FTP site and have them check the archive in question. I have had this happen to me twice on obscure BBSs where the inane have felt it to be funny to leave harmful .exe (PC) files in public download directories.

I hope this helps.

Richard M. Lupu
rlupu29@ally.ios.com
RomaWolf Designs
rlupu29@mail.idt.net
http://ally.ios.com/~rlupu29/

------------------------------

Date: Mon, 08 Jul 1996 05:13:41 -0400
From: Jeffrey Kaplan
Subject: Re: Slow virus checking with McAfee Win95 antivirus (WIN95)
X-Digest: Volume 9 : Issue 110

While checking out the new Starfuries, Capt. Sheridan heard Phil Lewis talking to Mr. Bester:

>With the two latest versions of McAfee Win95 antivirus, I've discovered
>that the virus checking is very slow, especially once it starts checking
>the Netscape directory with the Java .dll's, etc. in them. Once it
>finishes with those things pick up speed again.

I had the same problem. Since McAfee has never returned my email, I called them. They told me to disable the "scan compressed files" option. I disabled it in the default.vsc file. No speed problems since.

--
ttul8r,
Jeffrey Kaplan <*> PGP KeyID: 0x70c5a7cd via MIT's keyserver or Email

------------------------------

Date: Mon, 08 Jul 1996 11:31:55 -0400
From: Gil Cabral
Subject: Windows 95 reboot virus??? (WIN95)
X-Digest: Volume 9 : Issue 110

Has anyone been having problems with WIN95 (rebooting)? It started several weeks ago. On my 1st start up every other day Windows boots up and goes to the main screen with no problems. After 30 seconds it reboots and then it gives me no further problems. It won't happen again no matter how many times I shut down and restart during the same day. The next day or two it does it again. No damage to any files... Is this a virus or a problem with hardware???? Anyone else have this minor bug? I d/load a lot from the internet...

Thanks

Cabral's in Rochester, Ma. (Cape Cod Area, Massachusetts.)

------------------------------

Date: Mon, 08 Jul 1996 05:13:45 -0400
From: Jeffrey Kaplan
Subject: McAfee Scan95 double-load? (WIN95)
X-Digest: Volume 9 : Issue 110

I have a .vsc file in my Start Up folder in Win95. Normally, Scan95 will load normally, do its thing and quit. Sometimes, more and more frequently, though, I find that Scan95 is loading twice. Once from the .vsc in Start Up, and once from default.vsc in the program directory. (I know the difference, because they have different options enabled.)

Can anyone tell me: Why does this happen? How can I stop it from happening?

--
ttul8r,
Jeffrey Kaplan <*> PGP KeyID: 0x70c5a7cd via MIT's keyserver or Email

------------------------------

Date: Mon, 08 Jul 1996 20:21:32 +0200
From: Rolf Hechtenberg
Subject: Problems removing QUANDARY in Win95 (WIN95)
X-Digest: Volume 9 : Issue 110

Can anyone help me? I have the Quandary virus on my PC system. I tried the normal way with a clean WIN95 boot disk and the latest version of F-PROT - but the virus still remains there...

Thanks in advance for your help :-)))

love & energy
rolf

------------------------------

Date: Mon, 08 Jul 1996 19:12:36 -0700
From: Bill Crocker
Subject: Re: mcafee Virus Scan 2.2 (WIN)
X-Digest: Volume 9 : Issue 110

Bob D Makowski wrote:

> help. loaded on virus scan and ALL windows programs run extremely
> slow, i mean very slow.
> i am running a 486, 8meg memory. any ideas?
> i was under the impression that this is a very good virus detection and
> removal program, however, the time being consumed by this program is
> unbearable. lmk

You're probably running McAfee in the resident mode. Try going into setup and tell it not to run in the background...just run it when you need it.

Bill Crocker

------------------------------

Date: Mon, 08 Jul 1996 20:04:17 -0600
From: George Wenzel
Subject: Re: mcafee Virus Scan 2.2 (WIN)
X-Digest: Volume 9 : Issue 110

In article <0008.01I6TWK6TJQIWHZC3A@csc.canterbury.ac.nz>, makowb@ix.netcom.com says...

>help. loaded on virus scan and ALL windows programs run extremely
>slow, i mean very slow. i am running a 486, 8meg memory. any ideas?
>i was under the impression that this is a very good virus detection and
>removal program, however, the time being consumed by this program is
>unbearable. lmk

You leave out one critical detail: What anti-virus program were you using? This detail will make it a lot easier for people to help you, as the tech support people for that particular product should be able to help you.

Regards,
George Wenzel
--
George Wenzel
Student of Wado Kai Karate
U of A Karate Club
http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Mon, 08 Jul 1996 02:56:19 +0000 (GMT)
From: Howard Wood
Subject: Re: HELP!!...I'm being FORM-ed to death! (PC)
X-Digest: Volume 9 : Issue 110

gstats@pixi.com wrote:

>I just brought back the FORM virus from a class on campus. I accidentally
>left the disk in the drive when I booted up my system. I used the Anti
>virus program already installed in my computer, but when it got to a
>specific point, the system froze.

OK. First, never never never scan your system from within the system. You are scanning with the virus in memory. This can really be a mess depending on the type of virus you have. ALWAYS use a clean bootable disk to scan your system.

>The computer had shown the following phrase before it halted:
>
> MEMORY WAS INFECTED BY THE FORM VIRUS.
> THE VIRUS WAS EXTRACTED AND DESTROYED.
>
>Now if this is true, then why does the computer find a virus every time I
>run the Anti-virus program.......and why does it cause my system to
>freeze???

FORM goes into high DOS memory once it infects.

>I have a Packard Bell Force 845CD Multimedia computer running Windows 95.
>
>The Anti-Virus software was already installed, and I can't
>find any book/manual about the software or this virus.

To set up a good AV disk you must:

1. Format a disk with the /S option.
2. Put your AV program on the disk.
3. Write protect the disk.
4. Now, turn your system off, place the disk in the boot floppy drive and turn the system on.

By doing this you are in control of your system, NOT the virus. Scan the system, remove the bug and then turn the system off. Remove the floppy disk, place it where you can get to it in the future if needed.

Now is the time to put the AV program on the hard drive to scan any new diskettes you get or files you receive BEFORE you run them. But first, scan all the diskettes that have been introduced into the new system. The only safe way to cover this is to scan ALL the diskettes you have. Check the DOCS on the AV program you are using and see if there is a TSR program that will scan diskettes introduced into your system. This may not be a popular choice with some of the more experienced folks but it is a good one for new folks to the situation IMNSHO. :-)

I would suggest you also get the FAQ200.TXT file and read it for further information to assist you in future encounters. This is a great file for those just getting started and want to learn more about AV programs, what viruses do and how to protect yourself from them.
One FTP site is FTP://corsa.ucr.edu/pub/virus-l/docs/vtc

FROM F-PROT Virus Information:

Name: Form
Origin: Switzerland
Type: Resident Boot

This is a non-remarkable virus from Switzerland. It is able to infect hard disks as well as floppies, and stores the rest of itself, as well as the original boot sector, on the last track of the hard disk, or in clusters marked as "bad" on a diskette. It contains the following text:

  The FORM-Virus sends greetings to everyone who's reading this text.
  FORM doesn't destroy data! Don't panic! Fuckings go to Corinne.

Unlike most other boot sector viruses, Form infects the DOS boot sector on hard drives instead of the Master Boot Record. Form is only able to infect a hard disk when you try to boot the machine from an infected diskette. At this time Form infects the boot sector, and after that it will go resident to high DOS memory during every boot-up from the hard disk. Once Form gets resident in memory, it will infect practically all non-write-protected diskettes used in the machine.

Form activates on the 18th of any month; on that day it will cause a 'click' from the PC speaker every time a key is pressed. On most machines this activation routine will not be heard, because the routine will fail if a keyboard driver (typically keyb.com) is loaded.

Form is one of the most widespread viruses in existence.

Copyright (c) 1989-1996, Frisk Software International

Hope this helps

Woody
Gulf Coast Anti Virus
Biloxi, Ms.

[Moderator's note: Although the corsa.ucr.edu address is valid, I have been told that cs.ucr.edu is the "proper" address for the UCR FTP archive.]

------------------------------

Date: Mon, 08 Jul 1996 06:04:25 -0400
From: Bill lambdin
Subject: Re: Dangerous virus scanner (PC)
X-Digest: Volume 9 : Issue 110

Zvi Netiv writes

>I have been experimenting recently with Dr. Solomon's Antivirus
>Toolkit and stumbled on something that I think AV users should know.

Zvi: When are you going to stop evaluating competing programs?
Since you are a competitor of Dr. Solomon's, F-Prot, etc., your comments are far less than credible. I would much prefer for you to repair the gaping security holes in your own program (InVircible), and leave evaluation of A-V software to the independent unbiased evaluators.

>The S&S scanner needs a lot of memory to run. The largest portion
>is needed for the database driver - FINDVIRU.DRV, of about 628

So what does this matter? I don't care how much RAM Dr. Solomon's A-V takes. The only thing that matters to me is "detection" of viruses. Dr. Solomon's works as advertised. It detects about 95% of my virus collection. Your scanner (IVSCAN) only detects 15% of my collection. If you are going to continue to make unfair comments about your competitors' programs, at least spend some time and fix your own program first.

>This is no problem when booted from the hard drive and extended
>memory is available. FindVirus then loads the database in extended
>memory. The problem is when you need the antivirus most, when the
>hard drive is infected by a virus. In such event, the product
>documentation suggests that you boot clean off a floppy and run the
>antivirus off a floppy.

You are flat wrong here. Just last week, I helped one of my clients remove Monkey with Dr. Solomon's Anti-Virus toolkit run from a floppy. It was a tight squeeze placing all necessary drivers on a 1.4 MEG diskette, but it worked, and Dr. Solomon's AVTK removed Monkey without difficulty. You should check your facts before opening mouth, inserting foot, and echoing internationally.

Bill Lambdin
--------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints  9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                     C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Mon, 08 Jul 1996 10:40:12 -0400
From: JMccorm245
Subject: Re: HELP!!...I'm being FORM-ed to death! (PC)
X-Digest: Volume 9 : Issue 110

Boot up to DOS with a clean bootable floppy diskette. Then run a reliable scanner (F-PROT or McAfee) to clean it off. Win95 is just DOS 7.0, so it'll recognise the files & all with no problems.

jmccorm245@aol.com

------------------------------

Date: Mon, 08 Jul 1996 10:14 +0000
From: Graham Cluley
Subject: Re: Tremor vs InVircible (PC)
X-Digest: Volume 9 : Issue 110
In-Reply-To: <01I6TWK6TJQIWHZC3A@csc.canterbury.ac.nz>

Zvi Netiv of Invircible rants:

> IV version 6.01 beats Hare Krsna hands
> down while Dr. Solomon's version 7.61 (with the special Hare driver!)
> is incapable of restoring an infected hard drive!

Sigh.. If you read the documentation with the special driver for Hare you'd see that it only detects and cleans up file infections of Hare. Although it can detect partition sector infections of Hare, it goes on to explain that other tools in the commercial version of Dr Solomon's Anti-Virus Toolkit can clean up the partition sector and boot sector of floppies.

You have now been corrected about this on a number of occasions - but you continue to spread this falsehood.

When are you going to learn that you would sell more of your product the more you concentrate on promoting its benefits rather than your constant, below-the-belt attacks on competing anti-virus products? Some may find your attacks unprofessional and lacking in courtesy.

Regards
Graham
--
Graham Cluley, Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit
Email: gcluley@uk.drsolomon.com        Web: http://www.drsolomon.com
CompuServe: GO DRSOLOMON
UK Support: support@uk.drsolomon.com   UK Tel: +44 (0)1296 318700
US Support: support@us.drsolomon.com   USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!
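The F-PROT description of Form quoted in Woody's post earlier in this issue says the virus keeps the rest of itself and the original boot sector in clusters marked "bad" on a diskette, or on the last track of a hard disk. The following is an added example (not code from the digest, from F-PROT or from any other product named here) that parses a constructed FAT12 floppy image, lists the clusters its FAT marks bad, and searches those clusters, the boot sector and the last track for the greeting text the description quotes. The disk geometry, the choice of cluster 100 for the sample, and treating "last track" as the final sectors-per-track logical sectors are all assumptions of the example.

```python
"""Inspect a FAT12 floppy image for the hiding places the Form description names:
clusters the FAT marks "bad" (0xFF7) and the last track of the disk.
Everything here (image, geometry, the stand-in "virus body") is constructed."""
import struct

# Leading part of the text string quoted in the digest, used here as a signature.
FORM_TEXT = b"The FORM-Virus sends greetings to everyone who's reading this text."
BAD_CLUSTER = 0xFF7          # FAT12 value meaning "bad cluster, never allocate"
BPB_FORMAT = "<HBHBHHBHHH"   # BIOS Parameter Block fields starting at offset 0x0B


def parse_bpb(img):
    """Read the geometry fields from the BIOS Parameter Block in sector 0."""
    if bytes(img[0x1FE:0x200]) != b"\x55\xAA":
        raise ValueError("missing 55AA boot sector signature")
    (bps, spc, reserved, nfats, root_entries,
     total, _media, spf, spt, heads) = struct.unpack_from(BPB_FORMAT, img, 0x0B)
    data_start = reserved + nfats * spf + (root_entries * 32) // bps
    return {"bps": bps, "spc": spc, "reserved": reserved, "spf": spf,
            "total": total, "spt": spt, "heads": heads,
            "data_start": data_start,                 # first sector of cluster 2
            "nclusters": (total - data_start) // spc}


def fat12_entry(fat, n):
    """Return the 12-bit FAT entry for cluster n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    val = struct.unpack_from("<H", fat, off)[0]
    return (val >> 4) if n & 1 else (val & 0x0FFF)


def set_fat12_entry(img, g, n, value):
    """Write a 12-bit entry into the first FAT copy (used only to build the sample)."""
    off = g["reserved"] * g["bps"] + n + n // 2
    if n & 1:
        img[off] = (img[off] & 0x0F) | ((value << 4) & 0xF0)
        img[off + 1] = (value >> 4) & 0xFF
    else:
        img[off] = value & 0xFF
        img[off + 1] = (img[off + 1] & 0xF0) | ((value >> 8) & 0x0F)


def cluster_span(g, n):
    """Byte offset and length of cluster n inside the image."""
    start = (g["data_start"] + (n - 2) * g["spc"]) * g["bps"]
    return start, g["spc"] * g["bps"]


def bad_clusters(img, g):
    """Cluster numbers that the first FAT marks as bad (0xFF7)."""
    fat_off = g["reserved"] * g["bps"]
    fat = bytes(img[fat_off:fat_off + g["spf"] * g["bps"]])
    return [n for n in range(2, g["nclusters"] + 2) if fat12_entry(fat, n) == BAD_CLUSTER]


def find_form_text(img):
    """Return (location, offset) pairs where the Form text appears in the places the
    description names: the boot sector, bad-marked clusters and the last track."""
    g = parse_bpb(img)
    hits = []
    boot = bytes(img[:g["bps"]])
    if FORM_TEXT in boot:
        hits.append(("boot sector", boot.find(FORM_TEXT)))
    for n in bad_clusters(img, g):
        start, length = cluster_span(g, n)
        data = bytes(img[start:start + length])
        if FORM_TEXT in data:
            hits.append(("bad cluster %d" % n, data.find(FORM_TEXT)))
    # Assumption: "last track" = the final sectors-per-track logical sectors.
    last = bytes(img[(g["total"] - g["spt"]) * g["bps"]:g["total"] * g["bps"]])
    if FORM_TEXT in last:
        hits.append(("last track", last.find(FORM_TEXT)))
    return hits


def make_floppy(infected):
    """Constructed 1.44 MB FAT12 image. When infected, cluster 100 is marked bad and
    the Form text is stored there as a stand-in for the virus body (no code at all)."""
    img = bytearray(2880 * 512)
    img[0:3] = b"\xEB\x3C\x90"
    img[3:11] = b"MSWIN4.1"
    # bps, spc, reserved, nfats, root entries, total sectors, media, spf, spt, heads
    struct.pack_into(BPB_FORMAT, img, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    img[0x1FE:0x200] = b"\x55\xAA"
    for copy in range(2):                      # media byte plus two reserved entries
        off = (1 + copy * 9) * 512
        img[off:off + 3] = b"\xF0\xFF\xFF"
    if infected:
        g = parse_bpb(img)
        set_fat12_entry(img, g, 100, BAD_CLUSTER)   # only FAT copy 1 is touched here
        start, _ = cluster_span(g, 100)
        img[start:start + len(FORM_TEXT)] = FORM_TEXT
    return img


if __name__ == "__main__":
    print("clean image:   ", find_form_text(make_floppy(False)))
    print("infected image:", find_form_text(make_floppy(True)))
```

On a real diskette a scanner would compare both FAT copies and look at every bad-marked cluster, since a genuinely bad cluster and one a virus has reserved look identical in the FAT alone.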
------------------------------ Date: Mon, 08 Jul 1996 08:17:36 -0400 From: Bill lambdin Subject: Re: Tremor vs InVircible (PC) X-Digest: Volume 9 : Issue 110 Anyone that says anything about IV is criticized and labeled as incompetent, anti semitic, accused of reverse engineering IV, or accused of writing the viruses used in the test. Zvi may continue to call me incompetent as much as he likes. However; facts are stuborn things. Zvi keeps forgeting to mention IV's failure to handle companion viruses. Is this an admission that I am correct Zvi? I have tested four versions of InVircible. 5.07 tested August 1994 6.01c tested March 1995 IV failed to detect Tremor. and failed or partialy failed on other viruses as well. Part of the results of this test were published in Virus-L digest, and in a text file named ivdebunk.zip 6.10a tested October 1995. IV failed to detect Tremor again, and failed or partialy failed on other viruses. The results of this test was in iv-test3.txt 6.10c Tested February 1995. IV failed to detect Tremor again, and failed or partialy failed on other viruses as well. The results of this test are in IV-4-whl.txt. These results were published in alt.comp.virus in March 1996, and submitted to the Virus-L Digest. >- Tremor is caught being active in memory by baiting. Right at startup, >IVINIT when run from the autoexec traps Tremor, indicating there is a "fish >caught in the net" and samples the bait into a file. Absolutely not! Below is a snipet from my test results that demonstrates IV's inability to handle Tremor. - -------------------------------------------------------------------- Tremor This virus was selected because it is a resident, appending, polymorphic, fully stealthed, and Tunneling virus. This virus is in the wild. IVINIT.EXE reported "No virus activity detected in memory!" IVTEST.EXE reported "No virus activity detected at this time!" IVB.EXE reported "All file(s) match their recorded signature(s)." 
Since none of these report anything (while Tremor was active in RAM. the users would incorrectly assume there is no virus activity while Tremor continued to infect their programs. Since IV's Modules were unable to detect Tremor active in RAM or on infected files while Tremor is active. Users of IV are very succeptable to this and other similar viruses. The only way IV can find Tremor is to boot clean and run IVB from the secured rescue diskette mentioned earlier. After I booted clean. and IV was in a position to take control; IV found Tremor easily. How are users supposed to know there is anything wrong, and know to boot clean from a secured diskette? Failure. - ------------------------------------------------------------------------- I don't ask anyone to take my word for this. In my test results, I include the CARO (Computer Anti-virus Research Organization) name of the viruses used for identification purposes, the EXACT responces that InVircible gives while detecting or failing to detect the viruses that were present, the 32 bit CRCs for the archive tested, and a descriprion of the test machine IV was tested on. Anyone may duplicate any or all of the test results. As I said before, Zvi may call me incompetent as much as he likes, but it will not change anything. Read both sides of this debate, and my test results, and decide for yourself which one is placing their facts and data on the table for analysis, and duplication, and which is asking you to take their word for it. If you want a second opinion to my test results read the InVircible paper by Vesselin Bontchev, Dr, Keith Jackson's review of InVircible in the December 1994 issue of Virus Bulletin. 
Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net               PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                    C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Mon, 08 Jul 1996 10:33 +0000
From: Graham Cluley
Subject: Re: Dangerous virus scanner (PC)
X-Digest: Volume 9 : Issue 110
In-Reply-To: <01I6TWK6TJQIWHZC3A@csc.canterbury.ac.nz>

Zvi Netiv writes:

> Here is what Bontchev wrote about this in section 2.2 of his paper
> "Vircing the InVircible" (May 1995 - the report is available from
> Dr. Solomon's web site):

A number of technical papers regarding viruses are available on our website at http://www.drsolomon.com/vircen/papers. You make it sound like we are giving a headline position to Bontchev's paper. Papers available at the Dr Solomon's website include:

"Windows 95 and Viruses" - David Emm
"Guidelines For An Anti-Virus Policy" - David Emm
"Viruses in Chicago: The Threat to Windows 95" - Ian Whalley
"Vircing the InVircible" - Vesselin Bontchev
"Security Loopholes in Microsoft Anti-Virus" - Yisrael Radai
"Future Trends in Virus Writing" - Vesselin Bontchev
"Are 'Good' viruses a bad idea?" - Vesselin Bontchev
"The Bulgarian Virus-Writing Factory" - Vesselin Bontchev
"The Problems With Goat Files" - Igor Muttik
"Scanners In The Year 2000: Heuristics" - Dmitry Gryaznov

We'll be adding more as time goes by.

Regards
Graham

- --
Graham Cluley                            CompuServe: GO DRSOLOMON
Senior Technology Consultant,            UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.         US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com          UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com            USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Mon, 08 Jul 1996 11:45:19 +0000 (GMT)
From:
Subject: What does Fair.Z do?? (PC)
X-Digest: Volume 9 : Issue 110

Has anyone heard of the Fair.Z virus, and does anyone have any idea what it does?

Clare Boylan
Liverpool John Moores University

PS Am on holiday until 19th July 1996
CB

------------------------------

Date: Mon, 08 Jul 1996 05:13:39 -0400
From: Jeffrey Kaplan
Subject: Re: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 110

While checking out the new Starfuries, Capt. Sheridan heard Rob talking to Mr. Bester:

>Vshield does not protect you against viruses coming from the internet or
>via email attachments; for this you need an additional product called
>webscan (contact your local McAfee dealer) which automatically scans files
>downloaded with a web browser and files which are sent as email
>attachments before executing in memory. Maybe there is somebody out there
>with experiences.

WebScan is currently 16-bit only. VShield has always given me problems. However, I swear by Scan and Scan95.

- -
ttul8r,
Jeffrey Kaplan <*> PGP KeyID: 0x70c5a7cd via MIT's keyserver or Email

------------------------------

Date: Mon, 08 Jul 1996 10:49:40 +0200
From: Stefan Kurtzhals
Subject: Re: Dangerous virus scanner (PC)
X-Digest: Volume 9 : Issue 110

Zvi Netiv wrote:

> I have been experimenting recently with Dr. Solomon's Antivirus
> Toolkit and stumbled on something that I think AV users should know.

[...]

> I suppose that Dr. Solomon's FINDVIRU easily qualifies as a Trojan.
> A Trojan is a program that pretends to do one thing while it deliberately
> does something else. As shown above, FV pretends to fix your hard drive
> and disinfect it from viruses while it overwrites critical data with its
> swap files, without even asking the user's permission. Writing the swap
> files to the hard drive is a deliberate procedure, thus fully qualifying
> as a Trojan. A Trojan needn't necessarily be harmful or destructive,
> yet FINDVIRU qualifies here too.
>
> It is recommended that users think twice before running Dr. Solomon's
> scanner off a floppy on their hard drive. In case of doubt, better use
> quality antivirus software.

Where's the problem? You just copy HIMEM.SYS to the boot disk and edit a CONFIG.SYS for it. There are more antivirus programs which need extended memory for swapping, but I don't see a problem in this. And the situation you described above isn't quite the standard situation when one of those ITW viruses infects the hard disk. If something like Concept, NYB, Monkey, Delwin and so on infects the hard disk, swapping won't cause problems.

Why don't you go ahead and say to Microsoft that their SMARTDRV and VCACHE are trojans too? These both are causing most of the data loss in the PC world. You can destroy data with almost every program which accesses critical data. Even with RESQDISK, if you restore a partition to the wrong system and ignore all warnings. A trojan is written with the intention to destroy data; do you say that S&S wrote FINDVIRU to destroy data?

All this talking about whether generic or regular virus detection is the best is nonsense! Neither of them is "the best". Both have their advantages and disadvantages. What I miss is an AV package which has both a very good generic part (CRC checking/cleaning, MBR protection, behaviour blocker and memory checking, heuristic scanning) and a very good regular scanner with code emulation and high detection rates. And at the moment, there's no such package which offers all those features.

bye,
Stefan Kurtzhals

------------------------------

Date: Mon, 08 Jul 1996 11:28:33 -0700
From: Don Phipps
Subject: Re: System date set to 2096 (PC)
X-Digest: Volume 9 : Issue 110

Howard Wood wrote:

> "Steven C. Zinski" wrote:
> >Here at the University of Richmond, we are experiencing a problem where
> >the date is being bumped ahead 100 years (i.e., 2096) on some of our PC
> >compatible systems.
>
> Very common in several viruses.
> > >The problem seems to be totally random and will occur once and not happen
> > >again on that machine. Other machines experience the problem more
> > >frequently.
>
> depending on the virus present, what files are executed, how often
> they are executed etc etc etc.

One new virus that is known to add one hundred years to a 16-bit Windows application executable is called WinLamer. This virus is not memory resident, and is a direct infector of the NE (new executable) EXE files. For more information see the article in the May 1996 issue of Virus Bulletin. For more information on Virus Bulletin check out the URL HTTP://WWW.VIRUSBTN.COM/.

------------------------------

Date: Mon, 08 Jul 1996 14:37:49 -0400 (EDT)
From: Karsten Ahlbeck <100554.2356@CompuServe.COM>
Subject: Re: Dangerous virus scanner (PC)
X-Digest: Volume 9 : Issue 110

Zvi Netiv wrote:

>A simple test will prove how sloppy the design of FindVirus is. Create
>text files in the root of your C: drive and name one FINDVIRU.$$$, the
>other MESSAGES.$$$, boot clean off a floppy and run FindViru. The

Darn! I knew I did something wrong when I wrote a letter and named it "command.com".

Zvi - with all respect, I do not think users name their files FINDVIRU.$$$ or MESSAGES.$$$. It looks like you have been looking to find something wrong with a competing product. Why not just write about your program and let the other folks write about theirs?
Yours Sincerely,
Karsten Ahlbeck

* The opinions expressed above may not be my own but entirely those of Karahldata, my employer *
===========================================================
Karahldata Sverige - data integrity and antivirus (software + training)
Swedish Integrity Master agent
===========================================================

------------------------------

Date: Mon, 08 Jul 1996 17:54:39 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Dangerous virus scanner (PC)
X-Digest: Volume 9 : Issue 110

In article <0015.01I6TWK6TJQIWHZC3A@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:

> First, a temporary file should have a unique filename; secondly, before
> writing the temp file, one should check that there doesn't exist a file
> that uses the same name, as the temp file will overwrite it and it would be
> impossible to recover the old file.

So you wouldn't just pick a filename out of the air, like, say, "SOFIA"?

- -
IF CRUSOE'D          HE MIGHT HAVE FOUND
KEPT HIS CHIN        A LADY FRIDAY
MORE TIDY            Burma-Shave

------------------------------

Date: Mon, 08 Jul 1996 18:05:42 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Tremor vs InVircible (PC)
X-Digest: Volume 9 : Issue 110

In article <0010.01I6TWK6TJQIWHZC3A@csc.canterbury.ac.nz> netz@actcom.co.il "Zvi Netiv" writes:

> A last word about update vs upgrades. We prefer using the term
> upgrades in regard to InVircible rather than updates.

Glad to hear that you have updated your product to cope with Tremor at last. Whatever you call it. Can we hope that it will be updated to reliably find and disinfect the extremely prevalent Word macro viruses soon? Don't you think that a regular upgrade policy to deal with new viruses, such as those offered by other AV producers, would serve your customers better than these somewhat hit-and-miss ad hoc additions?

> IV version 6.01 beats Hare Krsna hands down while
> Dr. Solomon's version 7.61 (with the special Hare driver!)
> is incapable of restoring an infected hard drive! Checked and
> witnessed! :-)

Last time you made this claim, you said it had been admitted by Dr. Solomon's staff. I see you are no longer making that claim. I also see in another place that a spokesperson for Dr. Solomon's refutes the substance of your allegation, as well as challenging you to prove that any Dr. Solomon's staff confirmed it.

- -
IF CRUSOE'D          HE MIGHT HAVE FOUND
KEPT HIS CHIN        A LADY FRIDAY
MORE TIDY            Burma-Shave

------------------------------

Date: Mon, 08 Jul 1996 13:12:46 -0700
From: Ryan Border
Subject: CMOS/BIOS Virus questions (PC)
X-Digest: Volume 9 : Issue 110

I suspect I may have a virus on my system... well, actually I'm guessing it might be a trojan horse, since Norton Anti-Virus seems to think the system is/was clean.

Symptom: System locks up while just sitting there with the screen saver (actually the energy saver) on. Then it won't boot. When powered on, it briefly scans the CD-ROM and the hard disk, but that's all. No scanning of the floppies, no "press F1 to enter setup", nothing. There's no way to boot the system or to do further diagnosis. The monitor never even leaves the energy saver mode.

First time it happened, we (me and my retailer) pulled the battery for an extended period of time, and the system managed to boot from floppy. Sure enough, "Anticmos" was detected and cleaned from the system. I installed Norton Anti-Virus, scanned everything, and kept the auto-protection on.

2 days later, it happened again. This time pulling the battery isn't helping, and there is no way I can see to boot the system. Retailer believes it is hardware, and is replacing the motherboard. I am optimistic, but not confident that this will permanently solve the problem.

I'm thinking what I might have is a corrupted piece of software that is writing into the flash BIOS. Once corrupted, the bad BIOS is preventing the system from booting and/or entering the CMOS setup program.
With no way to boot, I have no way to re-load a clean BIOS: sort of a chicken and egg problem. I've requested, from the manufacturer, instructions for resetting the BIOS to factory (EPROM) defaults. My understanding is that there should be a way to do this, probably involving jumper switches and power-cycles.

Is the scenario I've described possible? I thought the bad code might be on the hard disk, and so I disconnected it and tried to boot from floppy. No-go. If what I have is a software problem, then it's in the BIOS/CMOS/EPROMs somewhere, as the symptoms didn't change. With the hard disk disconnected, the system still didn't even check for the existence of a floppy drive.

Sound familiar to anyone? One service place I took it to indicated that they've seen "this virus" before; and that it trashes the EPROMs (something I don't think is possible with software) on the video card, motherboard, hard disk, etc., that I was "really screwed" and that I was probably going to need a lot of new parts. Needless to say, I've opted to have it serviced elsewhere.

This ringing bells with anyone?

Thanks-
Ryan Border.

PS: Please reply via email as well, as I'm just trying to get my newsreader working here...

------------------------------

Date: Mon, 08 Jul 1996 23:37:15 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Anti.exe caused fatal exceptions? (PC)
X-Digest: Volume 9 : Issue 110

Michele Ward writes:

>I recently used a floppy infected with anti.exe in my a: drive. After
>McAfee Virus Scan cleaned the floppy, I clicked on the floppy (in
>Windows Explorer) to format it, and my computer completely locked up.
>
>Now, my computer (connected to a network with Novell Netware) will boot
>up, but won't connect to the network (I get a fatal exception in the
>nwredir.vxd). Our network support people re-loaded all network software,
>but that didn't correct the problem.
>
>Virus scans don't find any viruses lurking. Does anyone have any idea
>what the problem might be?
Stick it in an NT machine and have the guy copy off any files you need. Then have the guy reformat the diskette.

The reason is, the BPB has been replaced by NULLs. As a result, a division by 0 error occurs on OSes that pay attention to those things (DOS 4+, W95). NT does not care (or it knows better than to do a division by 0). The problem of replacing the BPB with NULLs at inappropriate locations is being addressed.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 09 Jul 1996 02:27:09 +0300
From: Zvi Netiv
Subject: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 110

The following was posted by Robert Green <74603.3627@compuserve.com> in reply to Keith Peer (distributor of AVP for the US). I found it interesting enough to bring it here.

Keith Peer wrote:

> Here is the problem. In a perfect world generic non-memory resident
> antivirus software would work, but it doesn't in the REAL world. The
> problem is that we live in a troubled world that is full of accidents.
> Users don't 100% prescreen every diskette they bring to the office.
> Users do accidentally leave a diskette in a machine and reboot. This
> is life. It just happens no matter how much training and enforcement
> you give.
>
> Ok, let's say you have done all the steps to ensure you installed *your
> generic non-memory resident antivirus software* onto a clean machine
> for your secretary. It is virus free. (this fits for any employee)
>
> 1. Since most non-memory resident antivirus software once installed
> on a clean machine is only used during a reboot (possibly the first
> boot daily). How often does a secretary reboot a machine? Not as
> often as I do, I assure you. Probably a lot less than her boss also.

Keith, you are very single-minded on the issue of integrity checking. I already pointed out that there is much more than that to a generic AV strategy. There are other tools that run recurrently during the day, not just at boot time. See below.
> Can you guarantee with 100% certainty that she will pre-screen all
> diskettes she uses? Obviously, you cannot. She, one day, uses a diskette
> she did not pre-screen and it is infected with a virus (any memory
> resident virus, non-memory resident virus, any one that infects files)
> and the virus now has control of the machine; since you have *no*
> memory resident antivirus software the virus lives all day replicating.
> This could be a serious problem, or maybe not, depending on how
> lucky you are.

Thank you for introducing the real world. I feel more comfortable there :-). And if the real world is the subject, then you chose an excellent example, with which I completely agree: users cannot be counted on to scan their diskettes. This fact is, of course, important in how we think about and finally implement an AV strategy.

There are two possible approaches. First, we can refuse to concede the issue, in which case we will apply some kind of additional access control method. This could be as Draconian as using diskless workstations, or it could be something less extreme, but whatever it is, it will be onerous to some degree.

More reasonable, though, to go ahead and make the concession. This entails consequences, but we will cover for them by making sure the rest of our strategy is solid. This has an interesting outcome: we have just made our strategy cheaper, simpler and more respectful of users' needs, and we really didn't give up much. This is where you are with your secretary: you are conceding that infected files will sooner or later be present in the system due to her forgetfulness, but you are going to cover yourself with a TSR (see below).

But I want to go a step further. I want to know if I can make yet another concession that will make my strategy even simpler, less expensive, and easier to manage. So what if I am not only willing to allow an infected file in the system, I am willing to let the virus go ahead and infect something? Is this reasonable?
First, look at the technical side. I could also use a TSR, even a generic one (a behavior blocker), but for several reasons I reject that approach. But I can have an alternative to a TSR in the form of a non-resident memory probe - you just run it from a batch file that calls the next program. It will detect virtually any resident file infector - much better detection capability than a known-virus or behavior blocking TSR, without the down side of those. But I have to accept that a virus *will* go resident and there will be a few files infected. So what?

The benefits of this second concession outweigh the consequences. I can keep my strategy 100% generic, I won't have to worry about the hassles of administering updates for 200+ sites and 1500 or so workstations (or the expense of paying for them, either, since your principal actually charges money for updates). I won't have to be bothered by the problems inherent in AV TSRs - resource wastage, false alarms, conflicts with other components of a system, various weird behaviors, confusion of users, needless calls to the help desk, and on and on.

Meanwhile, I will get rid of the infections easily in virtually all cases, because generic disinfection is in every way superior to known-virus disinfection. Your statement that they are equal (this is from your first draft) is nonsense. Known-virus disinfection depends on detailed prior knowledge of the virus, a very iffy matter. Generic disinfection depends on prior knowledge of the file, which is not so iffy. And known-virus disinfectors are even impossible for some classes of virus: cluster infectors, highly polymorphics. But generic disinfection deals with those easily. Perhaps you should arrange to witness a generic disinfector in action. I have done that with InVircible's IVB, setting up many infection scenarios, some of them quite complex. The only word to describe IVB in action is "relentless."
It even repaired files whose disinfection had just been botched by a known-virus disinfector.

I realize that my position is, for the time being, counter to orthodoxy. But it is also superior to orthodoxy. It rescues users from being in the very strange position that their AV software is more troublesome to them than any virus will ever be.

> What if the virus she was infected with has a trigger date? That
> same day she infected the computer? Big problem if the virus
> does damage. Generic antivirus software did not save her or
> the data on the PC. What if it was the very next day that was the
> trigger date? Still big problem. (think of March 5th, the day before
> Michelangelo, March 6th, for just one example). The data on the
> PC along with the generic antivirus software is unusable. What if
> the virus encrypted the disk like KOH? Big problem.

Keith! You actually brought up Michelangelo, aka the HYPE virus! And the infamous disk encryptor KOH. Pardon me if I am not impressed by the evil doings of these reprehensible fellows.

You (here I am addressing most of the AV community) will do better marketing if you stop farming the job out to virus writers and gullible reporters.

-Bob Green-

Reposted to Virus-L with the permission of Robert Green. The latter has no affiliation to InVircible or NetZ.

Regards, Zvi

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 110]
******************************************
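Chengi Kuo's reply on the Anti.exe clean-up above explains the failure mode: a floppy whose BPB (BIOS Parameter Block) has been overwritten with NULLs makes DOS 4+ and Windows 95 divide by zero, while NT simply refuses the disk. The following is an added example, not code from the digest, from McAfee or from any contributor, that parses the BPB of a constructed FAT12 boot sector and reports the zeroed fields before any geometry arithmetic divides by them; the sample sectors are constructed in the code, not captured from a real diskette.

```python
"""Check a FAT boot sector for a zeroed BPB before trusting its geometry.

Added example (not from the VIRUS-L digest). The BPB layout used is the
DOS 3.31 one: 25 little-endian bytes starting at offset 0x0B.
"""
import struct

# bytes/sector, sectors/cluster, reserved, FATs, root entries, total16,
# media, sectors/FAT, sectors/track, heads, hidden, total32
_BPB = struct.Struct("<HBHBHHBHHHII")
_BPB_OFFSET = 0x0B
_FIELDS = (
    "bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
    "num_fats", "root_entries", "total_sectors16", "media_descriptor",
    "sectors_per_fat", "sectors_per_track", "num_heads",
    "hidden_sectors", "total_sectors32",
)
# Fields a FAT driver uses as divisors; zero here is the crash Kuo describes.
_DIVISORS = ("bytes_per_sector", "sectors_per_cluster",
             "sectors_per_track", "num_heads")


def parse_bpb(sector: bytes) -> dict:
    """Unpack the BPB of a 512-byte boot sector into a name -> value dict."""
    if len(sector) < 512:
        raise ValueError("boot sector must be 512 bytes")
    return dict(zip(_FIELDS, _BPB.unpack_from(sector, _BPB_OFFSET)))


def bpb_problems(sector: bytes) -> list:
    """Return the reasons a DOS-style driver would fail on this sector."""
    bpb = parse_bpb(sector)
    problems = [f"{name} is 0 (used as a divisor)"
                for name in _DIVISORS if bpb[name] == 0]
    if bpb["num_fats"] == 0:
        problems.append("num_fats is 0")
    if bpb["total_sectors16"] == 0 and bpb["total_sectors32"] == 0:
        problems.append("total sector count is 0")
    if sector[510:512] != b"\x55\xaa":
        problems.append("boot signature 55 AA missing")
    return problems


def clusters_total(sector: bytes) -> int:
    """Data-area cluster count: the arithmetic that divides by BPB fields."""
    b = parse_bpb(sector)
    root_sectors = ((b["root_entries"] * 32 + b["bytes_per_sector"] - 1)
                    // b["bytes_per_sector"])
    total = b["total_sectors16"] or b["total_sectors32"]
    system = b["reserved_sectors"] + b["num_fats"] * b["sectors_per_fat"]
    return (total - system - root_sectors) // b["sectors_per_cluster"]


def make_boot_sector(bpb_bytes: bytes) -> bytes:
    """Construct a sector: JMP + OEM name, the given BPB, zero code, 55 AA."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"
    sector[3:11] = b"MSDOS5.0"
    sector[_BPB_OFFSET:_BPB_OFFSET + len(bpb_bytes)] = bpb_bytes
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed 1.44 MB floppy geometry and the NULLed BPB a botched clean-up leaves.
GOOD_BPB = _BPB.pack(512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
NULLED_BPB = bytes(_BPB.size)
GOOD_SECTOR = make_boot_sector(GOOD_BPB)
NULLED_SECTOR = make_boot_sector(NULLED_BPB)

if __name__ == "__main__":
    print("good:", bpb_problems(GOOD_SECTOR) or "ok", clusters_total(GOOD_SECTOR))
    print("nulled:", bpb_problems(NULLED_SECTOR))
```

Running `clusters_total` on the NULLed sector raises ZeroDivisionError, which is the software equivalent of the lock-up Michele Ward saw; `bpb_problems` is the check a tool should run first.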