VIRUS-L Digest   Tuesday, 16 Jul 1996   Volume 9 : Issue 115

Today's Topics:

Re: List of "false viruses" and/or hoaxes?
Is there a virus help file?
Antiviral Quick Reference Review Chart
(fwd) CERT(sm) Advisory CA-96.13
re: unix viruses (UNIX)
Re: unix viruses (UNIX)
Virus scanner for http/ftp proxy on firewalls? (UNIX)
F-Prot DVPLOAD error? (WIN95)
Drives in MS-Dos Mode, Win95, VIRUS?? (WIN95)
Re: Possible Word Macro virus? (WIN)
Strange Duck... (WIN)
Smile or Laughing virus (PC)
Re: Which AV strategy? (PC)
Re: Virus-problem, William Shakespeare-virus? (PC)
Re: How good is McAfee (PC)
Re: INDEPENDENCE virus (PC)
Re:Does TBAV disinfect macro viruses properly? (PC)
Re: Which AV strategy? (PC)
F-PROT scanning compressed files (PC)
Re: How good is McAfee (PC)
Re: Stealth C Virus (PC)
Re: Tequilla infection (PC)
Re: stealth C Virus (PC)
Re: Stealth C Virus (PC)
Re: Which AV strategy? (PC)
Re: How good is McAfee (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.
Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 15 Jul 1996 07:15:16 +0000 (GMT)
From: "Azazel Diabolus (aka Fetelgeuse)"
Subject: Re: List of "false viruses" and/or hoaxes?
X-Digest: Volume 9 : Issue 115

The messages you get about PKZIP300.EXE are probably just trying to tell you that the file is BS. It is merely a hack of an older version of PKZIP. If I remember correctly it is 2.03 or something older with the text edited to read 3.0. Also, the same dorks who try to pass this file off as some neat "new" ware just might be the type to either intentionally introduce a virus before uploading it, or just not be capable enough to prevent their own infections and thus inadvertently upload a virus-laden file to you.

[Moderator's note: There -have- been (are still?) trojanized versions of PKZip around masquerading as v3.00 that in fact format your hard drive. Further, just recently, a new variant of the Hare family was widely distributed around the net in a posting purporting to be PKZip v3.00. So, anything claiming to be PKZip v3.00 should be treated with total suspicion. PKWare, the makers of PKZip, etc, never make an "official" version with the same number as any cracked, hacked or otherwise maligned version, so no v3.00 of PKZip will ever be "legitimate".]

------------------------------

Date: Mon, 15 Jul 1996 09:07:46 -0500
From: "Charles N. Fish"
Subject: Is there a virus help file?
X-Digest: Volume 9 : Issue 115

Hello. I've been reading this list for quite some time; this is my first question to the group. Recently someone posted to the group the location of a Windows help file that had virus information; since then I have managed to lose the information. What I am looking for is, as I have said, a Windows help file that contains basic virus information... the name of the virus, how it operates, what products are effective for disinfecting, etc.

I know that most AV software applications have virus info in them. What I don't want is to be PRODUCT SPECIFIC. No flame wars, or product pushing, please...

Thank you in advance,

- - Charles N. Fish
fishc@heidelberg-emh11.army.mil

------------------------------

Date: Mon, 15 Jul 1996 14:24:21 -0500 (EST)
From: "Rob Slade, doting grandpa of Ryan & Trevor"
Subject: Antiviral Quick Reference Review Chart
X-Digest: Volume 9 : Issue 115

QUICKREF.RVW 960713

Quick reference antiviral review chart maintained by Robert M. Slade

This listing is intended to give a quick overview guide to the comparative features and effectiveness of the many different antiviral products. If the version numbers are out of date, please send updated copies for review to Rob Slade at the address given at the end of this list. The companion files "Antiviral Software Evaluation FAQ" (AVREVIEW.FAQ) and "Antiviral contacts listing" (CONTACTS.LST) provide additional related information. All three files are available in the Computer Virus SIG of the Victoria (BC, Canada) Freenet (telnet://guest@freenet.victoria.bc.ca and give the command "go virus"). (This file is the basis for Appendix B of "Robert Slade's Guide to Computer Viruses".)
Product               Ver    Type     UI  Doc Ease Ovrl Price   Comments
                             SDRIMOE  CG  1-4 I U  1-4
| | | | | | | |

Amiga
BootX (discontinued)  5.23   SDRM     G                  free    amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu /mirrors2/amiga.physik.unizh.ch/util/virus
Computer Malware      B.9508 info         4        4     Free    VTC, cert
LDV                   1.73
VirusChecker          6.26                               free    amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu
VirusZ                3.06
Virus Tracker         2.45
ZeroVirus

Atari
Chasseur II                  D                                   ATCHSSR2.RVW atari.archive.umich.edu
FCHECK                25     I                                   ATFCHECK.RVW atari.archive.umich.edu
Protect6                     DR                                  ATPROTCT.RVW atari.archive.umich.edu or larserio@ifi.uio.no
Sagrotan              4.12   S                                   ATSAGRTN.RVW atari.archive.umich.edu
VIRUSDIE                     S                                   ATVIRDIE.RVW atari.archive.umich.edu
Computer Malware      B.9508 info         4        4     Free    VTC, cert
VKILLER               3.84   SD                                  ATVKILLR.RVW woodside@ttidca.com or atari.archive.umich.edu /atari/Utilities/Virus

Mac
Computer Malware      B.9508 info         4        4     Free    VTC, cert
Disinfectant          3.6    SDR                         Free    nwu, sumex-aim.stanford.edu, mac.archive.umich.edu
Gatekeeper            1.3    R   MO                      Free    (no longer supported) Chris Johnson
Rival                                                            Microseeds Publishing
SAM                   5      SD  M                       $99     Symantec/Norton
Virex                 4.5.5                                      (see MS-DOS, product not by same author)
VirusDetective        5.10.5                                     Jeff Shulman

MS-DOS
AntiViral ToolKit     2.2    SDRI                        $59.95  KAMI, various agents
Antivirus (IRIS)             SDR M       C   2   2   4 2 $49     PCANTIVR.RVW Fink Enterprises
Antivirus-Plus               SDR M       C   2   2   4 2 $99     PCANTIVP.RVW Trend Micro
AVAST!                7.50   SDRIMO      CG  3   3   2 3         PCAVAST.RVW ALWIL Software
Computer Malware      B.9508 info            4       4   Free    (note also CARObase and CMB) VTC, cert
Data Physician +      4.01   SDRIM       C   2   2   2 2         PCDATPHS.RVW Digital Dispatch
DISKSECURE            2.42   IM          C   2   3   3 4         BSIs only; risc, urvax, eugene; cf also FixMBR, FixUTIL; PCDSKSEC.RVW; SafeMBR, CHKSMBR, CHKMEM, CHKBOOT in FixUtil etc. are free
Dr. Sol. AVToolkit    7.61   SDRIMO      CG  3   2   3 4         PCDSAVT.RVW S&S International Ltd., support@sands.co.uk, support@us.drsolomon.com
F-PROT                2.23a  SDR         CG  3   3   3 4 home - free, bus. - $1/CPU   frisk@complex.is, risc, urvax, eugene, garbo PCFPROT.RVW
F-PROT Professional   2.22   SDRI        CG  3   3   3 4         Data Fellows PCFPROTD.RVW; Command Software PCFPROTC.RVW
Hoffman Summary       606    info        G   3       3   $35     risc, urvax, eugene
HS                    3.58   I           C   2   2   2 3 $15     PCHS.RVW Stroem System Soft
HyperACCESS/5                S           C   2   1   2 2         PCHA5.RVW, term program Higraeve with scanner
IBM Antivirus/DOS     2.4.1  SRDI        CG  2   2   2 3 $35     PCIBMAV.RVW local IBM rep
Immune II             4.1    SD  M       CG  1   1   3 2 $40     PCIMMUN2.RVW Higher Ground Diagnostics (see also PC-Cillin)
Integrity Master      2.61b  S I         CG  4   3   3 3 $28     PCIM.RVW risc, urvax, eugene
LANProtect            1.1    S           CG  1   2   2 2         Intel
Norton AntiVirus      3.0    SDRI        G   2   3   2 3 $130    PCNRTNAV.RVW Symantec
PC-Cillin             5.02   SDRIM       G   3   3   3 2 $139    PCCILL2N.RVW Trend Micro
Rising Anti-Virus            M           C   1   2   2 2         PCRAVC.RVW Rising Science and Technology Inc.
SafeWord Virus-Safe   1.12   I           C   2   3   4 3         PCSAFWRD.RVW Enigma Logic
SIX (also BRECT)      3.08   I           C   2   3   2 2 Free    PCSIX.RVW DriftNet BBS +1-506-325-9002
Thunderbyte Utility   7.03   SDRIMOE     C   2   2   3 3 $29     PCTBSCAN.RVW risc, urvax, eugene, garbo
VACCINE (WWS)         5.00   SD IMO      C   2   1   2 2         PCWWSVCN.RVW The Davidsohn Group
VACCINE (Sophos)      9111   S I         CG  2   2   2 3         PCSOPHOS.RVW
Untouchable           1.1    SDRIM       CG  2   2   2 2         PCUNTUCH.RVW (unsupported?)
VDS                   2.10T  I           CG  2   2   3 2         PCVDS.RVW risc, urvax, eugene
VET                   9.0    SDRIM       CG  3   3   3 3         PCVET.RVW Cybec
Victor Charlie        5.0    IM          C   3   2   3 3 $99     PCVC.RVW Delta Base Enterprises
Virex-PC              2.96   SDRIM       G   4   2   4 4 $49     PCVIREX.RVW Datawatch (VIRx now assumed under this product)
Virus Buster          4.84   SDRIMO      CG  3   3   3 4         PCVRBSTR.RVW Leprechaun Software (70451.3621@compuserve.com)
VIRUSCAN Suite        2.22   SDRIM       C   2   2   2 3 ~$25/module  risc, urvax, SIMTEL, garbo, mcafee.com PCSCAN.RVW
VirusNet PC                  SDRI        CG  3   3   3 3         PCVIRSNT.RVW SafetyNet (See also F-PROT)
VirusSafe LAN         6.8    SDRI O      CG  2   2   3 2         PCVIRSAF.RVW EliaShim Micro
Vi-Spy                14.0   SDR M       CG  2   2   3 3 $150    PCVISPY.RVW RG Software Systems

OS/2
HyperACCESS/5                S           C   2   1   2 2         PCHA5.RVW, term program Higraeve with scanner
IBM Antivirus/OS/2    2.4    SRDI        CG  2   2   2 3 $35     PCIBMAV.RVW local IBM rep
SCAN/OS/2 Suite       2.22   SDRIM       C   2   2   2 3 ~$35/module  risc, urvax, SIMTEL, garbo, mcafee.com

UNIX
Computer Malware      B.9508 info            4       4   Free    VTC, cert
Tripwire                     I                           Free    ftp.cs.purdue.edu pub/spaf/COAST/Tripwire
VirusScan/Solaris            SD                          U$200/server  risc, urvax, SIMTEL, garbo, mcafee.com
| | | | | | | |

Key:
Type - S=scanner, D=disinfection (restoration of state), R=resident, I=integrity checking, M=activity monitor, O=operation restricting, E=encryption
UI - user interface - C=command line, G=menu or GUI
The following are based on a 1=poor - 4=excellent scale
Doc - documentation
Ease - I=installation, U=use
Ovrl - overall rating for general use

Sites:
VTC - ftp.informatik.uni-hamburg.de (134.100.4.42)
cert - virus materials now moved to cs.ucr.edu
eugene - eugene.utmb.edu (129.109.9.21)
garbo - garbo.uwasa.fi (128.214.87.1)
nwu - ftp.acns.nwu.edu (129.105.113.52)
risc - risc.ua.edu (130.160.4.7)
simtel - mirrored at oak.oakland.edu among other places
urvax - urvax.urich.edu (141.166.36.6)

For more detailed reviews see /pub/virus-l/docs/reviews at cert
For general virus info see the VIRUS-L/comp.virus FAQ at ftp://cs.ucr.edu/pub/virus-l/vlfaq200.txt

Please send updated versions of antivirals to Rob
Slade at 3118 Baird Road, North Vancouver, BC, Canada, V7K 2G6. Publishers shipping from outside of Canada are advised to label the materials as samples per GST section 215(1), without value and not subject to GST. Also please note that UPS seems to have extreme difficulty in getting shipments into the country. Neither Rob Slade nor V.I.R.U.S. take any responsibility for shipments delayed or refused at Customs for failure to follow these directions.

copyright Robert M. Slade, 1992-96   QUICKREF.RVW   960713

======================
roberts@decus.ca rslade@vcn.bc.ca slade@freenet.victoria.bc.ca
link to virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Mon, 15 Jul 1996 16:53:47 -0500 (EST)
From: Tom Zmudzinski
Subject: (fwd) CERT(sm) Advisory CA-96.13
X-Digest: Volume 9 : Issue 115

Only one problem, Jeff Goldblum's character wasn't running Windows.

______ Forward Header ______
Subject: c4i-pro CERT(sm) Advisory CA-96.13
Author: "Perce, Clayton, Capt, SAF/AQII" at smtp
Date: 7/15/96 7:05 AM

"Perce, Clayton, Capt, SAF/AQII"

Just had to pass this on...

From: Michael Brightwell

===============================================================
CERT(sm) Advisory CA-96.13
July 4, 1996

Topic: ID4 virus, Alien/OS Vulnerability
------------------------------------------------------------------------------

The CERT Coordination Center has received reports of weaknesses in Alien/OS that can allow species with primitive information sciences technology to initiate denial-of-service attacks against MotherShip(tm) hosts. One report of exploitation of this bug has been received.

When attempting takeover of planets inhabited by such races, a trojan horse attack is possible that permits local access to the MotherShip host, enabling the implantation of executable code with full root access to mission-critical security features of the operating system.

The vulnerability exists in versions of EvilAliens' Alien/OS 34762.12.1 or later, and all versions of Microsoft's Windows/95.

CERT advises against initiating further planet takeover actions until patches are available from these vendors. If planet takeover is absolutely necessary, CERT advises that affected sites apply the workarounds as specified below.

As we receive additional information relating to this advisory, we will place it in

ftp://info.cert.org/pub/cert_advisories/CA-96.13.README

We encourage you to check our README files regularly for updates on advisories that relate to your site.

------------------------------------------------------------------------------

I. Description

Alien/OS contains a security vulnerability, which strangely enough can be exploited by a primitive race running Windows/95. Although Alien/OS has been extensively field tested over millions of years by EvilAliens, Inc., the bug was only recently discovered during a routine invasion of a backwater planet. EvilAliens notes that the operating system had never before been tested against a race with "such a kick-ass president."

The vulnerability allows the insertion of executable code with root access to key security features of the operating system. In particular, such code can disable the NiftyGreenShield (tm) subsystem, allowing child processes to be terminated by unauthorized users.

Additionally, Alien/OS networking protocols can provide a low-bandwidth covert timing channel to a determined attacker.

II. Impact

Non-privileged primitive users can cause the total destruction of your entire invasion fleet and gain unauthorized access to files.

III. Solution

EvilAliens has supplied a workaround and a patch, as follows:

A. Workaround

To prevent unauthorized insertion of executables, install a firewall to selectively vaporize incoming packets that do not contain valid aliens. Also, disable the "Java" option in Netscape.

To eliminate the covert timing channel, remove untrusted hosts from routing tables. As tempting as it is, do not use target species' own satellites against them.

B. Patch

As root, install the "evil" package from the distribution tape. (Optionally) save a copy of the existing /usr/bin/sendmail and modify its permission to prevent misuse.

------------------------------------------------------------------------------

The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for providing information for this advisory.

------------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information.

Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
-------------------------
Email    cert@cert.org
Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours.
Fax      +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from

http://www.cert.org/
ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org

Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
CERT is a service mark of Carnegie Mellon University.

------------------------------

Date: Mon, 15 Jul 1996 10:48 +0000
From: Graham Cluley
Subject: re: unix viruses (UNIX)
X-Digest: Volume 9 : Issue 115
In-Reply-To: <01I7427PGTW6WHZC3A@csc.canterbury.ac.nz>

cforbes@ibm.net writes:

> Anyone knows if there are any Unix viruses

There are a handful of UNIX viruses, but none are in the wild and none of them are ever likely to be. A more pressing issue are regular DOS viruses in DOS files contained on a UNIX server.

> or where can I get any information on the subject?

You may like to take a browse of our website, where we have some information on UNIX viruses and Dr Solomon's Anti-Virus Toolkit for SCO Unix (it detects both DOS and UNIX viruses, as well as all the usual clever stuff)

Regards
Graham

- --
Graham Cluley                            CompuServe: GO DRSOLOMON
Senior Technology Consultant,            UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.         US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com          UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com            USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Mon, 15 Jul 1996 11:55:58, -0500
From: MR HENRI J DELGER
Subject: Re: unix viruses (UNIX)
X-Digest: Volume 9 : Issue 115

cforbes@ibm.net wrote, in Issue 114

>Anyone knows if there are any Unix viruses, or where can
>I get any information on the subject?

It is possible to write UNIX-based viruses, and a few experimental viruses have been created for that environment, but not circulated. Those who possess enough knowledge and have the necessary access to create such viruses don't seem inclined to do so, preferring to write useful programs.

Also, multi-user systems prevent direct access to the hardware, so that the Operating System can control and allocate access among the users. DOS will grant "requests" for memory, but only if another program hasn't requested it. In a protected-mode system, only the Operating System normally can access a program. DOS, for example, will allow a block of memory to a program, and allow it to write anywhere. Unix does not grant such privileges.

Since UNIX is a multi-platform Operating System which hides the actual assembly language, a virus would have to be able to recognize every platform and be able to breach security in every platform. Virus writers are unlikely to waste their time with UNIX viruses, since most platforms are constantly being changed/upgraded.

In the unlikely event some vandal attempted to spread a "UNIX virus," software sharing methods in Unix environments would make that difficult, with corrupted file integrity, and unstable memory problems. The fact that UNIX itself is individualized from one site to another also would deter a virus spreading very far.

However, scanning UNIX systems for PC viruses is recommended, especially those like PC-NFS which act as a file server for DOS-based computers. Such a server can host file infectors which can infect the client computers.

Also, PC-compatibles running UNIX can still be infected by PC Boot/MBR viruses, including Stoned and Michelangelo, which are not operating-system dependent. However, such an infection on a UNIX-based PC would likely prevent a boot from the UNIX disk partition(s).

For more information on viruses, how to get rid of them, and to download F-Prot (for PC-compatibles) or Disinfectant (for Macintoshes), go to my Home Page:

http://pages.prodigy.com/virushelp

Regards,
Henri Delger

------------------------------

Date: Mon, 15 Jul 1996 12:19:52 -0500
From: Brian Wolfe
Subject: Virus scanner for http/ftp proxy on firewalls? (UNIX)
X-Digest: Volume 9 : Issue 115

Someone told me that they had heard of a product that will run on a unix firewall as a proxy and scan http and ftp downloads. Can anyone tell me if such a product exists? I suppose it would be nice to centrally control downloads this way at the firewall rather than having to goof around with every PC that has Internet access.

Any pointers appreciated,
Brian

- -
Brian Wolfe                        Voice: 708-916-7570
Open Business Systems Inc.         FAX: 708-916-7630
2121 Army Trail Rd Suite 106       bwolfe@obs.net
Addison, IL 60101                  http://www.obs.net

------------------------------

Date: Mon, 15 Jul 1996 16:42:09 +0000 (GMT)
From: Daria Thomas
Subject: F-Prot DVPLOAD error? (WIN95)
X-Digest: Volume 9 : Issue 115

I'm trying to use the DVP (Dynamic Virus Protection) offered by F-Prot Professional, and I keep getting error messages. I'm using F-Prot 2.22.2 on Win '95, and the regular scanning works fine on hard disk, floppy, and network. But when I try to enable the DVP, I get two error messages in a row--the first is "DVPLOAD Error -2 registering ring-3 callback" followed by "DVPLOAD Error unregistering ring-3 callback" and no scanning is done. Has anyone encountered these errors?

Thanks!

- -
- -Daria Thomas
dthomas@mailsrvr.bussvc.wisc.edu

------------------------------

Date: Mon, 15 Jul 1996 21:01:31 +0000 (GMT)
From: "A.Roervik & R.A. MAcDougall"
Subject: Drives in MS-Dos Mode, Win95, VIRUS?? (WIN95)
X-Digest: Volume 9 : Issue 115

Here's my problem:

All my drives, floppy, CD-ROM and hard drive, were set to MS-DOS mode by Win95, this after I ran a program downloaded from the NET. Computer turned really slow, of course, and then "died". Prior to this slow death all animated cursors stopped working and I got warning messages about low memory. When the computer was restarted or booted, the RAM would be scanned 4 times before Win95 got booted up.

To correct the situation, the hard drive was reformatted and all drives except the CD-ROM were working properly. A few days later, all drives returned to MS-DOS mode; again we reformatted the hard drive and all the drives were up and running nicely in Win95.

1: Has anyone else had this problem, and is it a virus??
(McAfee can't find any)
2: Does anyone have an idea about what may cause this??

Hope you can help,
Oz

------------------------------

Date: Mon, 15 Jul 1996 09:27:25 -1000
From: "Marlon B. Rabara"
Subject: Re: Possible Word Macro virus? (WIN)
X-Digest: Volume 9 : Issue 115

> Jason Curnow (jasonc@edc.org) wrote:
> > We've been having a rash of problems suddenly appearing on many of our
> > PC's running word 6.0. Users are getting error messages when trying to
> > save and/or retrieve files. (It's happening on hard drives, floppies,
> > and network drives). The message they receive is "Word has detected a
> > serious disk error in wrd*.tmp" (where * is a four-digit number). They
> > are given a choice of "OK" or "Cancel". If they choose Cancel, their
> > document is lost. If they choose OK, they get the same thing several
> > more times, until it finally allows them to continue.

This is information I have gathered off McAfee's website this weekend:

NEW WORD MACRO VIRUS

DEFINITION:
MDMA is a macro virus, which infects documents in the Microsoft Word environment. MDMA is destructive and has the potential to delete files. This virus infects across many platforms: Windows, Windows 95, Macintosh and Windows NT. MDMA infects NORMAL.DOT and files using the AutoClose macro. Upon closing a document, it will be saved as a template with a copy of AutoClose.

INDICATIONS OF INFECTION:
MDMA activates on the first day of the month, if the virus is executed. The payloads for MDMA are as follows (organized according to operating system):

On Macintosh: Kill MacID$("****") (deletes all files)
On Windows 3.x: Kill "c:\shmk."; "deltree /y c:" is added to autoexec.bat
On Windows NT: Kill "*.*"; Kill "c:\shmk."
If none of the above (Windows 95): Kill "c:\shmk."; Kill "c:\windows\*.hlp"; Kill "c:\windows\system\*.cpl"
SetPrivateProfileString ("HKEY_CURRENT_USER\Control Panel\Accessibility\Stickykeys", "On", "1", "")
SetPrivateProfileString ("HKEY_LOCAL_MACHINE\Network\Logon","ProcessLoginScript", "00", "")
SetPrivateProfileString ("HKEY_CURRENT_USER\Control Panel\Accessibility\HighContrst", "On", "1", "")

The following text is displayed in a message box: "You are infected with MDMA_DMV. Brought to you by MDMA (Many Delinquent Modern Anarchists)."

METHOD OF INFECTION:
Macro viruses spread by having one or more macros in a document. Opening or closing the document or any activity which invokes the viral macros, activates the virus. When the macro is activated, it copies itself and any other macros it needs, sometimes to the global macro file NORMAL.DOT. If they are stored in NORMAL.DOT they are available in all open documents. At this point, the macro viruses try to spread themselves to other documents.

Macro viruses spread easily through e-mail packages. The ability of these packages to send and quickly launch documents can infect hundreds of users at a time. Documents are much more mobile than executable files, passing from machine to machine as different people write, edit or access them. Macro viruses can therefore spread very quickly through business offices and corporations.

PREVENTION AGAINST MDMA AND MANY WORD MACRO VIRUSES:
Mark NORMAL.DOT as read only. Toggle between writable and read only mode if you know you are going to change the normal.dot.

This may not even be the problem, but I at least hope that this information has been helpful.

******************************************
Marlon B. Rabara
Computer Programmer
HONBLUE, Inc. Reprographic Solutions       marlon@honblue.com
R-Tech, Inc. Software Development          marmi@aloha.com

------------------------------

Date: Tue, 16 Jul 1996 03:05:47 +0000 (GMT)
From: "Marcio V. Pinheiro"
Subject: Strange Duck... (WIN)
X-Digest: Volume 9 : Issue 115

Please... Is this a virus? F-Prot did not find it...

When I boot Uninstaller 3 from Program Manager... before the booting is complete, a small 2/3" square appears in the left upper corner of my screen. This square is light blue. Then... when I click the Undelete Programs option... this square appears again with a black duck inside... After the programs boot, it seems to work well but the icons are really crooked... Instead of the normal icons for each program as it appears in Program Manager, I get a totally dark square icon or an icon with black lines...

I have uninstalled the Uninstaller... I have run again my Windows 3.11 and I even got a new disk from Microhelp. The same square with the black duck is there when I boot... with the same consequences. This doesn't happen when I boot from the Control Panel or when I boot from the File Manager. Only happens when I boot from Program Manager.

Please advise!!!!

Marcio
mvp1@ix.netcom.com
Baltimore, MD

------------------------------

Date: Mon, 15 Jul 1996 07:47:51 +0000 (GMT)
From: asiaonline!ahmorris@uunet.uu.net
Subject: Smile or Laughing virus (PC)
X-Digest: Volume 9 : Issue 115

Anyone have any experience of a virus which appears after the start of Windows (in my case using Win 3.1) - it says it's attached to the partition table and basically has a laughter sound (checked no WAV files on HDD). I think it may also be known as a Smile virus but cannot find any data on it - especially how to remove it. I've re-loaded Windows from disk and it's still here.

Regards
Alan

------------------------------

Date: Mon, 15 Jul 1996 05:29:32 -0400 (EDT)
From: Kenneth Albanowski
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 115

On Sun, 14 Jul 1996, Totally Lost wrote:

> It doesn't take much work in an OS to close up 99.99% of the entry points that give rise to real worries of destruction that a malware virus/trojan could cause.

How do you cut off the boot-sector entry point?
> Sadly most A-V products attempt to achieve the same goals of preventing > unauthorized access to disk data ... which a sound OS design, even with > a very high degreee of binary compatability with the MSDOS/WIN API, can > achieve with a near 100% success. How do you distinguish an authorized program accessing a file from an un-authorized program? (Without extreme file typing information, which the MSDOS/WIN API certainly could not support.) Viruses don't have to subvert the OS. How do you stop macro viruses with a sound OS design? > Just plain false. If any code segment can not take over hardware control > of the system (denial of service attacks excluded), then the foundation > for basic security controls is in place. How does this stop a macro virus? > As a secondary control, if the filesystem normally disallows write > access to selected binaries, in particular those which have > administrative priv's and the primary applications, then the means of > replication for a virus is largely blocked. How does this stop a macro virus? How does this stop a (hyptothetical) virus which inserts itself into C source code? > MS-DOS/Windows is not a high-level OS. High Level OS's such as UNIX, NT, > generally incorporate the basic security to prevent an application > from hijacking the CPU, from doing direct disk I/O, and contain a > filesystem with Ownership semantics and ACL's to prevent arbitrary access > to files, in particular, executable binaries in the system libraries from > being modified unless accessed in root/supervisory/sysadmn mode. I'm not sure that the term "high-level" as you use it has a generally accepted meaning, but yes, UNIX, NT, etc., provide much better control over file and memory access then MSDOS (or MacOS, for that matter). Viruses are rampant under DOS, but very uncommon under UNIX. > These OS features do a much better job at controlling/preventing the > spread of a virus than the equiv TSR functions that A-V vendors are so > proud of. 
Definitely. Unfortunately, everyone is using this incredibly old hack called "MS-DOS". If you figure out some way of doing something about that, I'm sure we'd all like to hear about it. > If fundemental security semantics are present in the OS API, then a > virus simply lacks the means to do wholesale distruction ... period. If security has been turned off? If the kernel is world-writable? If the virus is executing in the same group the mondo-important documents are stored under? No, it limits damage. Only the particular instance of a payload execution can determine how much destruction can actually be accomplished. Just because an OS has security capabilities doesn't mean the security is actually used effectively in a way that would restrict a virus. > The means to replicate may still exist to a very minor degree for > certain development users who produce and execute their won binaries - > but in the same sense you could also completely limit access to trusted > binaries for the typical office worker. Such actions would reduce > viruses to an annoyance, from the huge threat they represent today. Ah, then secure OSs don't prevent viruses. Thank you. > Total and utter BS. > > DOS has no security holes, since it has NO security at all. Adding > security API's to DOS would not materially affect 99.9% of the traditional > MSDOS/WIN office applications. It would however affect a few system type > utilites which would have to be re-written to negotiate access to raw > hardware in controlled environments with the OS. I'd like to see you add these APIs, seriously. I'd like to know how to deal with all the weird stuff (custom overlays, executable expanders, memory managers, XIP-EMS, etc.) and stop programs from being able to stomp all over each other at the same time. Personally, I'd prefer to drop MS-DOS and start over. (Funny, that's what Microsoft did for NT, now didn't they?) > Historically true. 
Historically people didn't need car's, electricicty, > or computers either. Times change ... insecure OS's require strong AV > products wich attempt to provide a small part of the protections that a > Security based OS does a much better job at providing. Ah, so AV vendors have held up the entire computer industry by making people use cruddy operating systems? I don't see a relevant causal link. > Nearly every major application on MSDOS/WINdows I am aware of either has > a version ported to a secure server OS, or has an equiv competitive > product which is available, or can be run on a secure OS with a > MSDOS/win emulation environment (AKA merge under unix). And that last provides security, does it? You could have a dozen DOS boxes running on a machine, each with their own unique collection of viruses that think they have control over a virtual PC and the applications therein. I don't think DOS really belongs in the same equation as "security". - - Kenneth Albanowski (kjahds@kjahds.com, CIS: 70705,126) ------------------------------ Date: Mon, 15 Jul 1996 10:48 +0000 From: Graham Cluley Subject: Re: Virus-problem, William Shakespeare-virus? (PC) X-Digest: Volume 9 : Issue 115 In-Reply-To: <01I7427PGTW6WHZC3A@csc.canterbury.ac.nz> Erik Hall writes: > I4ve got a problem with some virus called William Shakespeare Which anti-virus called it that? What do other well-regarded anti-virus products say (for example, Dr Solomon's, AVP, F-Prot)? > and it shows up when I connect to internet under windows-95 > "connect to internet" command. What is the precise message displayed? Consider the possibility that you may not have a virus, but a false alarm instead. You can download an evaluation version of Dr Solomon's FindVirus (part of the full commercial Dr Solomon's Anti-Virus Toolkit) from our website. Regards Graham - -- Graham Cluley CompuServe: GO DRSOLOMON Senior Technology Consultant, UK Support: support@uk.drsolomon.com Dr Solomon's Anti-Virus Toolkit. 
US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com
UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com
USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Mon, 15 Jul 1996 10:48 +0000
From: Graham Cluley
Subject: Re: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 115
In-Reply-To: <01I7427PGTW6WHZC3A@csc.canterbury.ac.nz>

Harry Healer writes:

> On 13 Jul 1996 05:32:18 -0000, tony ogden wrote:
> >I use PC-Cillin 95, it automatically adjusts the amount of virus
> >protection as you start to use more devices.
> >
> >i recommend PC-Cillin...
>
> It came out last in PC World's test June 1996.

Was this the PC World test where they used half a dozen-or-so viruses? Hardly a comprehensive test of anti-virus products, stretching their abilities to the limit..

> Best buy : Virus scan - Mc Afee....

The tests done by bodies such as Virus Bulletin, University of Tampere, etc tend to be more highly regarded. You can read some of their findings at http://www.drsolomon.com/avtk/reviews

The University of Tampere can be commended for testing other things besides on-demand scanning detection (for example, testing on-access scanners). Secure Computing magazine now tests anti-virus products' ability to scan inside compressed and archived files, and their propensity to false alarm. Some anti-virus products false alarm so much it makes them impractical in a corporate environment.

Regards
Graham

- --
Graham Cluley                      CompuServe: GO DRSOLOMON
Senior Technology Consultant,      UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.   US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com    UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com      USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!
------------------------------

Date: Mon, 15 Jul 1996 11:03 +0000
From: Graham Cluley
Subject: Re: INDEPENDENCE virus (PC)
X-Digest: Volume 9 : Issue 115
In-Reply-To: <01I7427PGTW6WHZC3A@csc.canterbury.ac.nz>

walkerv@smtpgtwy.sad.usace.army.mil writes:

> Does anyone have any information on the
> "independence" virus.
>
> Received it with some Packard Bell restore
> &recovery disks.
>
> McAfee does not recognize this virus but when
> running PC-Cillin 95 it says virus is on disk.

Sounds like it might be a PC-Cillin false alarm. What do other well-regarded anti-virus products report? (For example, Dr Solomon's Anti-Virus Toolkit, F-Prot or AVP). Get an up-to-date version of them (you can download the latest evaluation version of Dr Solomon's FindVirus from our website) and tell us what they report.

I have a sneaky feeling it may be a PC-Cillin false alarm, however. Dreadful things false alarms.

Regards
Graham

- --
Graham Cluley                      CompuServe: GO DRSOLOMON
Senior Technology Consultant,      UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.   US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com    UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com      USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Mon, 15 Jul 1996 14:34:24 +0000
From: Szappanos Gabor
Subject: Re:Does TBAV disinfect macro viruses properly? (PC)
X-Digest: Volume 9 : Issue 115

LIDVIXS@typeb.sita.int wrote in Digest: Volume 9 : Issue 113:

>The new TBAV (V7.03) claims to be able to find and clean Macro viruses.
>However, when it found a document with the Concept virus, it simply
>disables the virus (in some sort of way) and when viewed, the macro names
>at least are still in the document.

TBAV not only disables the macros (i.e. modifies the document so that the total macro count will be zero) but also deletes the macro bodies themselves.
Only the macro table remains in the cleaned documents (actually it should be cleared also), which can only be found by a hex viewer. So TBAV cleans the documents (almost) all right.

Szapi

------------------------------

Date: Mon, 15 Jul 1996 15:53:38 +0100
From: Francois Pirsch
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 115

Totally Lost wrote:

> George Wenzel wrote:
> >Indeed. You'd also end up with an OS that's pretty much useless. The OS
> >that my calculator runs is totally secure - no virus can possibly infect
> >it. Of course, it only has one function - it adds and multiplies and so
> >on.
>
> Frankly, few will acknowledge your claim that the firmware in your four
> function calculator contains an operating system at all. Many more will

He meant that viruses can exist in ANY OS. He was pulling your leg... :)

> consider this lame claim as patently false. It doesn't take much work
> in an OS to close up 99.99% of the entry points that give rise to real
> worries of destruction that a malware virus/trojan could cause. Sadly
> most A-V products attempt to achieve the same goals of preventing
> unauthorized access to disk data ... which a sound OS design, even with
> a very high degree of binary compatibility with the MSDOS/WIN API, can
> achieve with a near 100% success.

Of course. I'd even say that DOS & Windows were deliberately written to allow viruses to spread better.

> > Viruses do not exist because of security holes - they exist because
> >somebody wrote a program that would replicate itself. This is possible on
> >pretty much all high-level OS's.
>
> Just plain false. If any code segment can not take over hardware control

Protected mode operating systems (Windows, UNIX) are not so protected. There are already Windows95 viruses (Bizatch). Their number will soon grow. There are always backdoors that can be used by viruses.

> MS-DOS/Windows is not a high-level OS.
> High Level OS's such as UNIX, NT,
> generally incorporate the basic security to prevent an application
> from hijacking the CPU, from doing direct disk I/O, and contain a

For normal applications, yes. And lame viruses, too. But don't underestimate virus writers. There aren't many Unix viruses, that's right. But the main reason is that there aren't many computers running Unix, compared to DOS & Win. It's a question of popularity, not of security. Unix is just *a bit* more secure than DOS & Win.

Francois Pirsch

------------------------------

Date: Mon, 15 Jul 1996 16:07:39 +0100
From: Francois Pirsch
Subject: F-PROT scanning compressed files (PC)
X-Digest: Volume 9 : Issue 115

F-PROT claims to be able to scan inside executables compressed with PKLITE, DIET, LZEXE, and others. But it seems not. Here is exactly what I did:

1. I decompressed DEBUG.EXE (this point is not important)
2. Had it infected by Tequila
3. Scanned it with F-PROT 2.23, which detected the virus.
4. Recompressed it with PKLITE 1.13
5. Scanned it again, and F-PROT found nothing.

I didn't make more tests (no time). Are DataFellows aware of this?

Regards,
Francois Pirsch

------------------------------

Date: Mon, 15 Jul 1996 09:39:22 +0000 (UTC)
From: RMORTON@vm.tulsa.cc.ok.us
Subject: Re: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 115

In article <0015.01I7427PGTW6WHZC3A@csc.canterbury.ac.nz> Harry Healer writes:

>>i recommend PC-Cillin...
>
>It came out last in PC World's test June 1996.
>
>Best buy : Virus scan - Mc Afee....

Reports like that are useless to me, unless I know the criteria used. If it was evaluated on ease of use, then it may not be a good scanner; if on scanning ability, then it may not be easy to use. If both, then it might not be good enough for either. What was it based on?
Bob Morton
rmorton@vm.tulsa.cc.ok.us
Tulsa Community College
also rmorton1@juno.com
check out www.geocities.com/timessquare/4286

------------------------------

Date: Mon, 15 Jul 1996 11:57:20, -0500
From: MR HENRI J DELGER
Subject: Re: Stealth C Virus (PC)
X-Digest: Volume 9 : Issue 115

matty@ykt0.attnet.or.jp wrote, in Issue 114

>My questions:
>1. I am quite sure that I could be operating McAfee's
>software improperly in regards to the boot-sector cleaning.
>Does McAfee clean boot-sector virii?

It can, if you turn power off, and re-boot from an UNinfected system boot disk in A> drive. That step is necessary to get the virus out of memory.

>2. What is this file SUHDLOG.DAT? I found this file
>on my Pentium 90 as well, but the machine checks clean.

The SUHDLOG.DAT file is created by Win95's installation, and contains a copy of the Master boot, and DOS boot records of your hard disk. The file is created so that if you UNinstall Win95, it can restore the data from these sectors as they were, so your PC will boot with the old version of DOS you had, prior to installing Win95.

If your PC was infected before installing Win95, that file will contain a mirror image copy of the virus, and if your PC is now UNinfected, UNinstalling Win 95 will restore not only DOS, but the virus as well. If the PC is not infected now, and you plan on keeping Win95, delete the SUHDLOG.DAT file.

>3. Is my laptop cured? Did just removing the file solve
>my problem? or Do I have some residual Stealth C virus
>symptoms lurking about that I am unaware of?

Yes to the first two, if it's no longer detected by your software. As to the latter, did you check for infected diskettes? Copies of the virus could be lurking on them.

>4. Should I remove the file (SUHDLOG.DAT) from my Pentium 90?

I wouldn't.

>5. I'd like to know if it is indeed a virus.
>Here's the kicker. I do not know where I have this virus,
>aside from the file on the floppy, that is.
>Obviously I D/L
>the virus from somewhere and it is lurking about in my
>shareware collection.

It is a virus, but you didn't download it; you infected your PC from a floppy disk. The Stealth Boot virus originated in Tucson, Arizona and was written by Mark Ludwig. He published it in his book ("The Little Black Book of Computer Viruses") and also made it available on an accompanying diskette.

If an infected diskette is in A> drive at boot-up, the virus "program," partially contained in the Boot Sector (Sector 0), will be read into memory. The virus then takes control of the system, and infects the hard disk, copying code to (cylinder&head 0, sector 1), moving the Partition and MBR data from there to (cylinder&head 0, sector 7), and copying the rest of its code to Sectors 2 through 6. Ordinarily, data are not lost from the hard disk, because the sectors which the virus uses are not used by DOS. If those sectors are used by third-party software to store data, during formatting, or for password access, or by drivers to access large partitions, obvious problems can result, however.

At every boot-up thereafter, Stealth Boot will become resident, using 4Kb of Conventional memory. The virus then infects diskettes used in A> and B> drives which are not already infected, or write-protected, by copying part of its code to the Boot Sector, moving the disk's original Boot data to the end of the disk, along with the rest of its code, marking those sectors AS IF they were "bad," so that DOS won't use them, overwriting the virus.

While its author gave it the name "Stealth Boot," it is but one of a number of similar viruses which use the "stealth" technique of mis-directing reads away from sectors it is using (if it is in memory), thus keeping anti-virus programs from reading the infected sectors, where the virus code has been located.

>6. Will McAfee find the Stealth C virus if it is hidden
>in a shareware program, zipped or self-extracting?
Don't worry about those; check your floppies.

For more information on viruses, how to get rid of them, and to download F-Prot (for PC-compatibles) or Disinfectant (for Macintoshes), go to my Home Page: http://pages.prodigy.com/virushelp

Regards,
Henri Delger

------------------------------

Date: Mon, 15 Jul 1996 11:56:36, -0500
From: MR HENRI J DELGER
Subject: Re: Tequilla infection (PC)
X-Digest: Volume 9 : Issue 115

patrickv@win.tue.nl wrote, in Issue 114

>How do I get rid of this virus?

If a virus has been detected, and you have a program that can recognize it by name, that program can most likely remove it. However, you MUST turn power off, and re-boot from an UNinfected system boot disk in A> drive. That step is necessary to get the virus out of memory. An anti-virus program should then tell you that the virus is now gone from memory, but on the hard disk, and then you can remove the virus. After that, check again to make sure it's gone, and if it is, start checking for infected diskettes, and remove the virus from them. It's all a step-by-step procedure, and if you follow it, the virus will be gone forever. If you don't, you'll continue to have problems.

Tequila infects EXE files, and the hard disk's Master Boot Record (cylinder&head 0, sector 1). If an infected EXE is run, the virus will run first, and write a copy of itself near the end of the hard disk's file storage area. It then alters the Partition data, reducing the number of data sectors available to DOS, in order to prevent DOS from overwriting its code. It also modifies the Master Boot Record to "point" to the location of the virus code. At this point, the virus is not yet resident in memory. However, at the next boot-up, the virus will be read into memory as a TSR, and begin infecting EXEs. Because it's a stealth-type virus, when in RAM, it hides the 2468 bytes it adds to the length of EXEs, and can cause File Allocation Table errors (causing data loss if Chkdsk /F should be run).
For more information on viruses, how to get rid of them, and to download F-Prot (for PC-compatibles) or Disinfectant (for Macintoshes), go to my Home Page: http://pages.prodigy.com/virushelp

Regards,
Henri Delger

------------------------------

Date: Mon, 15 Jul 1996 13:18:05 -0400 (EDT)
From: Karsten Ahlbeck <100554.2356@CompuServe.COM>
Subject: Re: stealth C Virus (PC)
X-Digest: Volume 9 : Issue 115

Matthew DiTarando wrote:

>Stealth C virus. Apparently I could not clean this virus because it was a
>boot-sector virus. To my understanding Mcafee does not clean boot-sector

I will not go into McAfee's product (because I do not have the knowledge about it), but you *can* remove boot sector viruses (virii).

>virii. To solve my dilemma, I reformatted, F-disked and reloaded all my
>software.

Solving it? It must have given you lots of trouble! Remember the next time ;-) you certainly do not have to reformat your hard disk; there are even viruses that will still be left when having done so.

>3. Is my laptop cured? Did just removing the file solve my problem? or

Always remember the general principle - do a clean boot before you remove a virus. You can not clean a system if a virus is still in memory.

>Here's the kicker. I do not know where I have this virus, aside from the
>file on the floppy, that is. Obviously I D/L the virus from somewhere and
>it is lurking about in my shareware collection.

Or any other collection. Do not assume that shareware spreads viruses; that is a myth.

>6. Will Mcafee find the Stealth C virus if it is hidden in a shareware
>program, zipped or self-extracting?

Or any other program, not being shareware (now wait a second. How in the world can a virus get into a shrink-wrapped package ?!).
Yours Sincerely,
Karsten Ahlbeck

* The opinions expressed above may not be my own but entirely those of Karahldata, my employer *
===========================================================
Karahldata Sverige - data integrity and antivirus (software + training)
Swedish Integrity Master agent
===========================================================

------------------------------

Date: Mon, 15 Jul 1996 17:45:55 -0400
From: "Scott I. Remick"
Subject: Re: Stealth C Virus (PC)
X-Digest: Volume 9 : Issue 115

SUHDLOG.DAT is a Windows 95 file that contains an image of the partition sector of your hard drive. An infection of the partition table would get backed up into this file and cause somewhat of a false alarm. For more info, I direct you to: http://www.mcafee.com/new/notvirus.html

Scott I. Remick
vertigo@sover.net

------------------------------

Date: Mon, 15 Jul 1996 19:30:23 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 115

In article <0011.01I7427PGTW6WHZC3A@csc.canterbury.ac.nz> idletime@netcom.com "Totally Lost" writes:

> In article <0024.01I715RHU6Y2WHZC3A@csc.canterbury.ac.nz>,
> George Wenzel wrote:
> > Viruses do not exist because of security holes - they exist because
> >somebody wrote a program that would replicate itself. This is possible on
> >pretty much all high-level OS's.
>
> Just plain false. If any code segment can not take over hardware control
> of the system (denial of service attacks excluded), then the foundation
> for basic security controls is in place. As a secondary control, if the
> filesystem normally disallows write access to selected binaries, in
> particular those which have administrative priv's and the primary
> applications, then the means of replication for a virus is largely
> blocked.

Too rosy a view. Even in DOS, there are viruses called "slow infectors" that wait for the right conditions to spread without alerting access control packages or AV.
Someone has to be able to write system files and executables; you just wait for that guy to come along before doing your infecting.

- -
IF CRUSOE'D
KEPT HIS CHIN
MORE TIDY
HE MIGHT HAVE FOUND
A LADY FRIDAY
Burma-Shave

------------------------------

Date: Mon, 15 Jul 1996 18:50:00 -0400
From: Bill lambdin
Subject: Re: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 115

Harry Healer writes

>It came out last in PC World's test June 1996.
>
>Best buy : Virus scan - Mc Afee....

Harry:

Your comment about PC-cillin, and McAfee's Scan intrigues me. To start with, I do not place much credibility in magazine A-V tests. I usually send a 2-6 page fax after reading many of these reviews ;-(. I will not place the PC World review in the bad list because I haven't read it. But for the most part, I wish the magazines that publish bad tests would select one of the three options below.

a. stop testing A-V software.
b. hire an independent virus researcher to perform the test.
c. send the review to an independent virus researcher for checking before the review is published.

This comment will not win me many friends or influence people, but one credible published review beats 100 bad reviews hands down.

Now to your comments.

- -------------------------------------------------------------------------
PC-cillin

Did PC World evaluate the scanner in PC-cillin, or did they test the behaviour blocker? If the test was on the scanner component of PC-cillin, I might agree with PC World's review, because I also refuse to recommend PC-cillin as a scanner, but I do recommend the behaviour blocker as a generic A-V program. I also recommend Victor Charlie, and Untouchable as generic A-V programs, and refuse to recommend them as a scanner.

- -------------------------------------------------------------------------
McAfee's Scan

McAfee's Scan is NOT the best scanner. I have heard that McAfee's Scan has failed the NCSA certification. I can neither confirm this nor deny it.
However, in my tests, McAfee's Scan is about to fall off of my recommended list of scanners. I refuse to recommend any scanner unless it detects a minimum of 90% of my virus collection. Another scanner that used to be recommended, and was removed later, is VIRx from Datawatch software.

All of the following scanners detect more than McAfee's Scan. These scanners are placed in alphabetical order.

AVP
Dr. Solomon's Anti-Virus Toolkit
F-Prot
Integrity Master
Norman Data Defence
Thunderbyte Anti-virus

However, there is some good news for McAfee. C.J. Kuo was hired by McAfee Associates recently, and I believe there will be an improvement in McAfee's Scan shortly.

- --------------------------------------------------------------------------
Bill Lambdin
- --------------------------------------------------------------------------
vfreak@skn.net                 PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                      C7 7D 69 8B 26 0C F8 08

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 115]
******************************************
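Editor's added example. Henri Delger's two replies above describe where Stealth Boot and Tequila leave their marks on a hard disk: Stealth Boot moves the original MBR to cylinder/head 0, sector 7 and puts its own code in sectors 1 through 6 of that track; Tequila shortens the partition so DOS can no longer see the sectors near the end of the disk where it parked its code. Both leave a layout that can be cross-checked on a raw sector dump, provided the dump was taken after a clean boot from an uninfected, write-protected floppy (a resident stealth virus redirects reads of the sectors it occupies, as his posts say). The Python script below is not code from Henri Delger, McAfee, F-Prot or any other product named in this digest. It builds a constructed 64-sector image in memory with no boot code at all, and the geometry (16 sectors per track), the disk size and the layouts are assumptions chosen to keep the image small; the two checks are the editor's, not a documented signature for either virus.

```python
"""Cross-check a raw PC disk image against its own partition table.

Added example for this VIRUS-L digest, not code from any of its posts.
Constructed data only: the images below contain a partition table and a
boot signature, never boot code. Geometry is an assumption (16 sectors
per track, 64 sectors in total).

Check 1: an MBR-like sector (0x55AA signature plus a sane partition table)
         in track 0 at any LBA other than 0, i.e. the relocated original
         MBR described for Stealth Boot (cyl/head 0, sector 7 == LBA 6).
Check 2: sectors past the end of the last partition that DOS cannot see,
         i.e. the shortened partition described for Tequila.
"""
import struct

SECTOR = 512
ENTRY_FMT = '<B3sB3sII'   # status, CHS start, type, CHS end, LBA start, count


def make_mbr(start_lba, sector_count, ptype=0x06):
    """Constructed MBR: one active partition entry, zeroed code area, 55AA tail."""
    sector = bytearray(SECTOR)
    sector[446:462] = struct.pack(ENTRY_FMT, 0x80, b'\x01\x01\x00', ptype,
                                  b'\xff\xff\xff', start_lba, sector_count)
    sector[510:512] = b'\x55\xaa'
    return bytes(sector)


def parse_partitions(sector):
    """Return (status, type, start_lba, count) for every non-empty table entry."""
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append((status, ptype, start, count))
    return parts


def looks_like_mbr(sector, disk_sectors):
    """Boot signature present and every entry lies inside the physical disk."""
    if sector[510:512] != b'\x55\xaa':
        return False
    parts = parse_partitions(sector)
    return bool(parts) and all(1 <= s and s + c <= disk_sectors for _, _, s, c in parts)


def find_relocated_mbrs(image, sectors_per_track):
    """LBAs in track 0, other than LBA 0, whose contents look like an MBR.

    DOS leaves the rest of track 0 unused, so any hit deserves a look. The
    result only means something if the image was read with no stealth
    virus resident to redirect the reads."""
    disk_sectors = len(image) // SECTOR
    hits = []
    for lba in range(1, min(sectors_per_track, disk_sectors)):
        if looks_like_mbr(image[lba * SECTOR:(lba + 1) * SECTOR], disk_sectors):
            hits.append(lba)
    return hits


def unaccounted_trailing_sectors(image):
    """Sectors after the end of the last partition.

    FDISK rounds to cylinder boundaries, so a handful of unused sectors is
    normal; a gap that appeared since the last check is the symptom."""
    disk_sectors = len(image) // SECTOR
    parts = parse_partitions(image[:SECTOR])
    if not parts:
        return disk_sectors
    return disk_sectors - max(s + c for _, _, s, c in parts)


# --- constructed images: layout only, no executable code anywhere -------------

def build_clean_image(disk_sectors=64, spt=16):
    image = bytearray(disk_sectors * SECTOR)
    image[:SECTOR] = make_mbr(spt, disk_sectors - spt)   # partition begins at head 1
    return bytes(image)


def build_relocated_image(disk_sectors=64, spt=16):
    """Original MBR copied to LBA 6 (cyl/head 0, sector 7). LBA 0 keeps the
    table and signature, with a text marker standing in for foreign code."""
    image = bytearray(build_clean_image(disk_sectors, spt))
    original = bytes(image[:SECTOR])
    image[6 * SECTOR:7 * SECTOR] = original
    placeholder = bytearray(original)
    placeholder[:16] = b'PLACEHOLDER-CODE'      # constructed marker, not code
    image[:SECTOR] = placeholder
    return bytes(image)


def build_shrunk_image(disk_sectors=64, spt=16, reserved=8):
    """Partition shortened by `reserved` sectors, hiding the tail from DOS."""
    image = bytearray(disk_sectors * SECTOR)
    image[:SECTOR] = make_mbr(spt, disk_sectors - spt - reserved)
    return bytes(image)


if __name__ == '__main__':
    for name, img in (('clean', build_clean_image()),
                      ('relocated', build_relocated_image()),
                      ('shrunk', build_shrunk_image())):
        print(name, 'MBR copies in track 0 at LBA', find_relocated_mbrs(img, 16),
              '| sectors beyond last partition:', unaccounted_trailing_sectors(img))
```

On a real machine the two functions would be fed the first track and the partition table read from the drive after the clean boot the posts insist on, together with the drive's real sector count; the second check is only useful against a baseline, since a few unused sectors at the end of the disk are normal, and neither check replaces a scanner that knows the virus by name.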