VIRUS-L Digest   Friday, 19 Jul 1996    Volume 9 : Issue 117

Today's Topics:

    The Scanner Homepage
    Re: About need of 'clean' booting before scanning process
    Re: Virus scanner for http/ftp proxy on firewalls? (UNIX)
    Re: unix viruses (UNIX)
    Linux anti-virus availible (UNIX)
    Re: What Mac Anti-Virus packages does Word Macro checks (MAC)
    Re: What Mac Anti-Virus packages does Word Macro checks (MAC)
    Re: MDMA virus questions? (MAC,WIN)
    Re: Any NT Viruses?? (NT)
    Re: What's the best Win95 anti-virus software? (WIN95)
    Re: Dr Solomon's (WIN95)
    Is PC-Cillin 95 any good? (WIN95)
    F-macro and Concept word macro question (WIN95)
    Re: How good is McAfee's V-Shield? (WIN95)
    Re: ATTN: TBAV users (WIN95)
    Re: Tentacles virus-- help? (WIN)
    Re: Tentacles virus-- help? (WIN)
    Re: Sudden loss of RAM memory in windows (WIN)
    Re: Tentacles virus-- help? (WIN)
    Re: Tentacles virus-- help? (WIN)
    Re: Strange Duck... (WIN)
    Virus Affecting Schedule+ (WIN)
    Re: How good is McAfee (PC)
    Re: F-PROT scanning compressed files (PC)
    Re: Does F-PROT score over SOLOMON or vice-versa (PC)
    Re: F-Prot comments (PC)
    Re: Info. for Virus/Vaccine Tool (PC)
    Re: Zvi's tests of Findviru.exe (PC)
    Re: Which AV strategy? (PC)
    RE: Possible new stealth virus? (PC)
    Re: How good is McAfee (PC)
    Re: F-Prot comments (PC)
    pedophile virus? (PC)
    Re: F-Prot comments (PC)
    Re: F-PROT scanning compressed files (PC)
    Re: F-Prot comments (PC)
    New Kind Of Viruses? (PC)
    McAfee VirusScan and WebScan? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Wed, 17 Jul 1996 14:43:35 +0000 (GMT)
From: Howard Wood
Subject: The Scanner Homepage
X-Digest: Volume 9 : Issue 117

The Scanner homepage is now on line.: http://diversicomm.com/scanner

The Scanner is an AV newsletter FREE to all. The 'comeback' issue is just about ready for release. The Page also has an AV Resource section where users can click on the AV site of their favorite AV software. Articles by Chengi Jimmy Kuo and Rob Slade.

This is a dynamic page and will be in constant motion. If you are an AV author and wish to have your site added please let me know (I will more than likely be in touch with you sooner or later)

Woody

------------------------------

Date: Wed, 17 Jul 1996 20:56:42 +0000 (GMT)
From: Bruce Burrell
Subject: Re: About need of 'clean' booting before scanning process
X-Digest: Volume 9 : Issue 117

Gerard Mannig (mannig@world-net.sct.fr) wrote:
> X-Digest: Volume 9 : Issue 115

[Henri Delger, probably, wrote]:

> [../..]
> >>If a virus has been detected, and you have a program that can
> >>recognize it by name, that program can most likely remove it.
> >>However, you MUST turn power off, and re-boot from an UNinfected
> >>system boot disk in A> drive. That step is necessary to get the
> >>virus out of memory. ^^^^^^^^^^^^
>
> No, sorry. See hereafter

No, Henri is correct, in general. First, he gave generic help, not AVP-specific.
Second, AVP can't necessarily deal with a virus it doesn't know without spreading it, if the new nasty is a fast infector. Third, one doesn't know, _a priori_, whether the AV program to be used recognizes the virus that might be infecting the machine at hand.

> >> An anti-virus program should then tell you that the virus is now
> >>gone from memory, but on the hard disk, and then you can remove the
> >>virus.
>
> These two steps are automatically done by AVP when you fire it up as long
> as, so you told it yourself, it is faced to a known virus
  ^^                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You've snipped the original, so I can't see what he said about that. But this is an important proviso; *no* virus can spread from a clean boot with an uninfected scanner; even AVP may spread a virus it doesn't know if that virus is active in memory.

Bottom line: Being able to disinfect viruses correctly while they are active in memory is a Good Thing, and AVP is to be commended for this. But the best, safest procedure remains the clean floppy boot. Hence Henri uses the imperative to say that it MUST be done, meaning that in order to be completely safe, one should do it; he doesn't mean that no other alternative exists.

> Anyone willing to check this now can since AVP22E-A.ZIP is available on
> most ( if not all ) SimTel mirror sites

Glad to see that AVP is available in a full, eval version again.

-BPB

------------------------------

Date: Wed, 17 Jul 1996 20:16:58 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Virus scanner for http/ftp proxy on firewalls? (UNIX)
X-Digest: Volume 9 : Issue 117

Brian Wolfe writes:

>Someone told me that they had heard of a product that will run
>on a unix firewall as a proxy and scan http and ftp downloads.
>
>Can anyone tell me if such a product exists? I suppose it would
>be nice to centrally control downloads this way at the firewall
>rather than having to goof around with every PC that has
>Internet access.
This is what we listed in our press release for WebShield, a product scheduled to be released in August, I think/hope.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 17 Jul 1996 23:47:24 +0000 (GMT)
From: OrangeTide
Subject: Re: unix viruses (UNIX)
X-Digest: Volume 9 : Issue 117

On 15 Jul 1996 07:15:58 -0000, cforbes@ibm.net wrote:

>Anyone knows if there are any Unix viruses, or where can I get any
>information on the subject?

On what I know about UNIX it would be next to impossible to write a virus for it. Other than one that infects the User's personal shell scripts, but getting it to cross to other users would be difficult if not impossible.

[Moderator's note: Maybe Fred Cohen made up the results of his thesis research then??? For the myriads of readers who apparently do not understand, I am tiring of the ill-informed speculation that "secure OSes are somehow more inherently virus proof -because of- their security features". This is utter bollocks and you should read the FAQ for some pointers to real research on the spread of viruses on real, secure (and UNIX!! 8-) ) OSes. Attempting to support this -myth- based on the relative frequencies or rates of virus infection is equally ill-founded.]

------------------------------

Date: Wed, 17 Jul 1996 22:39:14 -0400
From: N2URO
Subject: Linux anti-virus availible (UNIX)
X-Digest: Volume 9 : Issue 117

Are there anti-virus programs available for Linux? My searches for them on the internet have been futile.

------------------------------

Date: Wed, 17 Jul 1996 11:42 +0000
From: Graham Cluley
Subject: Re: What Mac Anti-Virus packages does Word Macro checks (MAC)
X-Digest: Volume 9 : Issue 117
In-Reply-To: <01I770RBW8DWXZM9T6@csc.canterbury.ac.nz>

"Gerry D. Novak" writes:

> Could anyone tell me what Macintosh Anti-Virus packages
> also check for Word Macro viruses?

The Macintosh version of Dr Solomon's Anti-Virus Toolkit can detect macro viruses both with its on-demand and on-access scanners.
I guess other Macintosh products can do something similar.

Regards
Graham
- --
Graham Cluley                       CompuServe: GO DRSOLOMON
Senior Technology Consultant,       UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.    US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com     UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Wed, 17 Jul 1996 06:52:03 -0400
From: AFASusan@aol.com
Subject: Re: What Mac Anti-Virus packages does Word Macro checks (MAC)
X-Digest: Volume 9 : Issue 117

Re: <01I770RBW8DWXZM9T6@csc.canterbury.ac.nz> from: "Gerry D. Novak" :

> Could anyone tell me what Macintosh Anti-Virus packages also
> check for Word Macro viruses?

Yes, and corrections are welcome. There are two. Symantec AntiVirus for Macintosh (SAM) and Virex by Datawatch are both fortunately excellent programs. (Central Point for Macintosh is no longer updated or a viable antivirus program for most purposes, and Disinfectant does not scan for document viruses.)

SAM's current version is 4.0.8; newest definitions are from July. Virex latest version is 5.6.8; newest definitions are dated 10-Jul-96.

They both detect the same set of macro viruses and trojans: 9508 Concept, 9509 Nuclear, Colors, DMV Demo, FormatC, HOT, Atom, Wazzu, Imposter, Xenixos, French Concept, Infezione, and Irish. I don't know what or how well they do if they *find* a virus.

Also we should note that the free tool MW1222 or SCANPROT.DOT from Microsoft for Macintosh scans only for Concept, Nuclear, and DMV Demo, and will most likely not be updated.

- - Susan Lesch
Forum Assistant
Macintosh Utilities Forum
America Online
(volunteer remote staff)

------------------------------

Date: Wed, 17 Jul 1996 20:37:10 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: MDMA virus questions? (MAC,WIN)
X-Digest: Volume 9 : Issue 117

"Henry C.
Jones" writes:

>Has anyone found an occurrence of the MDMA Word macro virus?
>I recently received a panic memo from one of our Power users
>about a potential MDMA infestation.
>
>Does any one in this group have any experience with this, is it
>real, a hoax or a major problem?

It's not a hoax. So far, we have tracked the virus to have originated in Texas and spread to Illinois and Georgia. The IL and GA infections had direct contact to Texas as their infection vectors. The fact that it has spread as far in its first week of discovery is troubling. But it probably has not reached "major problem" unless you happen to have contacts to Texas, or you got hit.

The description of this virus is available at http://www.mcafee.com follow the path down through Virus Info, NEW Word Macro Virus. (It was recently posted here as well in article:

>From: "Marlon B. Rabara"
>Subject: Re: Possible Word Macro virus? (WIN)
>Date: 16 Jul 1996 11:22:46 -0000

Other CARO members have been given appropriate files as needed to respond to this situation.

Lastly, our beta DAT file had named it Stickykeys. But CARO agreed on MDMA as the name of the virus.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 17 Jul 1996 13:16 +0000
From: Graham Cluley
Subject: Re: Any NT Viruses?? (NT)
X-Digest: Volume 9 : Issue 117
In-Reply-To: <01I770RBW8DWXZM9T6@csc.canterbury.ac.nz>

"Bratton, Douglas S." writes:

> Does anyone have information on viruses written for NT??

There aren't any NT-specific viruses as yet, but many existing viruses can infect NT machines.

For instance, boot sector viruses. These don't care what operating system you're running on your PC, they just splat themselves over your partition sector regardless.
Some of these splat over too much of the disk and prevent NT from booting up properly (the virus author can't have tested them properly), but some like Michelangelo mean that NT will still boot up just fine and if you don't run a decent anti-virus you won't know it happened until March 6th

Also, it should be remembered that Concept, one of the Word macro viruses, is now undoubtedly the world's most common virus. That doesn't care that you're running NT either as it infects Word document files and doesn't do anything "low level".

Regards
Graham
- --
Graham Cluley                       CompuServe: GO DRSOLOMON
Senior Technology Consultant,       UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.    US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com     UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Wed, 17 Jul 1996 13:01 +0000
From: Graham Cluley
Subject: Re: What's the best Win95 anti-virus software? (WIN95)
X-Digest: Volume 9 : Issue 117
In-Reply-To: <01I770RBW8DWXZM9T6@csc.canterbury.ac.nz>

"B.MacDonald" writes:

> If you buy Dr Solomon's Anti-Virus Toolkit for Win95, you get the DOS
> scanner with it, plus a scheduler for auto-scans, plus it will scan your
> whole system - inside Windows and out. As well, you get quarterly
> software updates by 1st class post right to your door.

I know "B" knows this, but for everyone else: monthly updates are also available (obviously they cost more).

> I bought it for my home PC. We have Norton at work... I like it
> a whole lot less than Dr S. I don't have the URL handy right now,
> but you can download a free trial version of the AVTK from the
> Solomon's website.

http://www.drsolomon.com

To be strictly accurate we make available an evaluation version of Dr Solomon's FindVirus for DOS. FindVirus is just one part of the full commercial Toolkit.
We produce anti-virus software for DOS, Windows, Win95, Win NT, Novell NetWare, OS/2, UNIX, and - just released - Apple Macintosh. Data sheets and loads of other goodies (including independent comparative reviews and a great animated virus tutorial) can all be found on our website.

Regards
Graham
- --
Graham Cluley                       CompuServe: GO DRSOLOMON
Senior Technology Consultant,       UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.    US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com     UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Wed, 17 Jul 1996 11:35 +0000
From: Graham Cluley
Subject: Re: Dr Solomon's (WIN95)
X-Digest: Volume 9 : Issue 117
In-Reply-To: <01I75P145UUGWI1CSD@csc.canterbury.ac.nz>

Tim Dowling writes:

> I wonder whether anyone else is having problems running Dr. Solomon's
> Win95 Virus Toolkit? A friend of mine bought this, and cannot get it
> to run on his machine.

[long description of problem snipped]

> As a test, I tried running Dr. Solomon's on my own PC (a similar spec of
> Pentium), and it ran fine. Has anyone else encountered anything like
> this?

I haven't heard of this one before. I would recommend contacting Dr Solomon's technical support directly (contact details below) with a description of your friend's problem. They'll probably want details of your system setup, configuration and INI files etc.. that will help them nail this one down.

Hope that's been some help.

Regards
Graham
- --
Graham Cluley                       CompuServe: GO DRSOLOMON
Senior Technology Consultant,       UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.    US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com     UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!
------------------------------

Date: Wed, 17 Jul 1996 20:21:22 +0000 (GMT)
From: Khufus Buddy
Subject: Is PC-Cillin 95 any good? (WIN95)
X-Digest: Volume 9 : Issue 117

excuse me if ive missed relevant comments in the past, but what is the prevailing experts opinion on Cillin ? in UK magazines we get so many contradiction on subjects like AV one reviewer will praise, another deride the same item, difficult to know what to believe. Solomons is always good, but then its three times the price. same spectacle with those "ram doublers".

thanks, kaman.

------------------------------

Date: Wed, 17 Jul 1996 16:34:19 -0500
From: John Guynn
Subject: F-macro and Concept word macro question (WIN95)
X-Digest: Volume 9 : Issue 117

I have a user running Windows 95 that had about 40 Word 7.0 documents infected with what F-macro version 1.15 with search strings 2.23a identified as Concept. About 20% of the files got truncated to a length of 1593 bytes.

Has anyone ever seen the concept word macro damage a document? Has anyone ever seen F-Macro damage a document? Any ideas as to what caused the file corruption?

John Guynn       jag@univel.telescan.com
Network Admin    Telescan Inc.
"He set out to do what could not be done... and he bloody well couldn't do it!"
- -Benny Hill

------------------------------

Date: Thu, 18 Jul 1996 01:28:10 +0000 (GMT)
From: owner-virus-l@fidoii.cc.lehigh.edu
Subject: Re: How good is McAfee's V-Shield? (WIN95)
X-Digest: Volume 9 : Issue 117

MKrebs wrote:

>I've been running it on my Win '95 machine at home and it has caught quite
>a few viruses before they could infect it. The younger kids at home swap
>disks with their friends (one of whom is a wannabe virus-writer. great
>goal to have, huh?) and it stopped those. My mother wanted to access on
>my PC a document she'd made on a machine her company had set up and sent
>to her.
>Her PC was infected with SANPO and no one had noticed it yet, but
>VShield stopped it and we were able to clean her PC and the others at her
>office. So far I've been very satisfied with it.
>
>OTOH, it doesn't do a good job with archived files unless you unzip them.
>Archived archives (like the way TENTACLE was transmitted) would probably
>slip through. Also, all the viruses it stopped are ITW, so I don't know
>how good it would be at some of the rarer viruses or new ones.
>
>But I do want to publicly thank McAfee's for their product and the way it
>integrates into the Win95 environment. One of the viruses it stopped was
>MONKEY which was the first virus I came across and the one that convinced
>me the virus threat was real. After almost losing a hard drive full of
>data from the accounting department, MONKEY is probably the virus I hate
>the most. Thanks! 8-)

Hmmmmm.....I have YET to see the V-Shield work. I have it running all the time, yet I unknowingly brought home the Stealth-C virus from work, and it infected my computer. Luckily I had to take my computer in to have some upgrades done, and the computer guy found it and cleaned it. But the V-Shield didn't detect it before it infected my computer.....can you tell me why this is???? What good is the V-Shield if it doesn't detect viruses BEFORE they get on your computer???

(P.S. I am running Win 3.1)

------------------------------

Date: Wed, 17 Jul 1996 23:21:31 +0000 (GMT)
From: Wayne Riddle
Subject: Re: ATTN: TBAV users (WIN95)
X-Digest: Volume 9 : Issue 117

Krazy Russian wrote:

> I have recently updated my OS to win'95 and began having problems
>with the 16bit TBAV 7.02. So I uninstalled it, and deleted all
>references to it from the autoexec.bat and system.ini files. Then I
>downloaded the win'95 version of TBAV 7.03, which seemed to be working
>fine until I realized that the I/O monitor wasn't functioning.
>The
>way I know this is because i dont get the I/O status in the status
>window, and when I execute new files I dont get the warning saying
>that the file is not authorized. I have reinstalled the software and
>double checked all options, but I couldnt find the problem myself.

I don't think that the Windows 95 version alerts you to new files in the I/O monitor, only changed files. I have tested the I/O Monitor only on infected files so far and it has worked everytime.

Wayne Riddle
riddler@agate.net
http://www.agate.net/~riddler

------------------------------

Date: Wed, 17 Jul 1996 18:00:48 -0700
From: Jon Daggar
Subject: Re: Tentacles virus-- help? (WIN)
X-Digest: Volume 9 : Issue 117

Sirs & Madamses,

Thank you all very much, I Didn't know I'd get so much help on the subject. After receiving several replies all containing helpful information, I, not knowing too much on the subject, decided to try the first thing on the list and proceed on until the virus got beaten out of the system. The first thing on the list, Dr. Solomon's FindVirus, fixed it, although I'm sure any of the rest of the suggestions also could have fixed it-- I didn't know there were so many competent people left on Usenet :).

Mr. Kuo, to answer your question, I did download what I thought to be the standard shareware version of Dogz off a local BBS recently.

Thank you all again,

- -
___________
This mind left intentionally blank.
Jon Daggar
http://www.urich.edu/~jtd3h/

------------------------------

Date: Wed, 17 Jul 1996 11:35 +0000
From: Graham Cluley
Subject: Re: Tentacles virus-- help? (WIN)
X-Digest: Volume 9 : Issue 117
In-Reply-To: <01I75P145UUGWI1CSD@csc.canterbury.ac.nz>

Jonathan Daggar writes:

> My Windoze 3.1 recently got infected with an ugly little monster that
> Mcafee scan calls 'Tentacles'. It seems to infect only executables
> in the \windows directory, and a few select others.
> Anyway, I let
> Mcafee destroy all the files that were infected, restored them
> from backup, scanned them again, and found the backups were clean.
> All Hail Mcafee, problem solved, I thought.
>
> A few hours later, I reran the scan, and found that the virus had
> popped up again. I again deleted them and restored them, then ran
> all my hard drive partitions and boot sectors through the scan
> twice, and found it nowhere. Hoping it was just an oversight, I
> went on, only to find my windows executables infected a few hours
> later.

Sounds like McAfee is missing some of the infected files. You might like to try scanning your system with some other well-regarded scanners (eg. Dr Solomon's FindVirus, AVP, and F-Prot).

You can download the evaluation version of FindVirus from our website - this can detect and clean-up Tentacle virus (well, it can clean-up those Tentacle-infected files which haven't been corrupted).

> Does anyone have any suggestions of what to do, short of reformatting
> my hard drive?

That isn't necessary.

> Or, if I need to, could I move my existing files from my main
> partition to another and reformat it, or would the virus follow
> along?

Tentacle doesn't live in the partition - it is a file virus. Here's a description from Dr Solomon's:

Tentacle

Tentacle is an in-the-wild Windows virus. Tentacle was spread on the alt.cracks Usenet newsgroup, attached to a posted file called DOGZCODE.ZIP.

Tentacle is a direct action file virus, which infects Windows programs (we have confirmed this with Windows 3.1, 3.11 and 95)

Each time an infected program is run, one file in the current directory becomes infected, followed by two files in the Windows directory.

The payload acts between midnight and quarter past midnight: a program that becomes infected within this time has its standard icon changed to an icon of a tentacle (rather like those seen in the game "Day of the Tentacle"). This change is not immediately obvious.
It is not until you attempt to change the icon, delete the icons in the program group and attempt to replace them, or if you run and minimize the program that the tentacle icon will display itself.

You can read more about Tentacle at the Dr Solomon's website: http://www.drsolomon.com/vircen/tent.html

Regards
Graham
- --
Graham Cluley                       CompuServe: GO DRSOLOMON
Senior Technology Consultant,       UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.    US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com     UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com       USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Wed, 17 Jul 1996 09:50:01 -0200
From: rgattoni
Subject: Re: Sudden loss of RAM memory in windows (WIN)
X-Digest: Volume 9 : Issue 117

Andrew Wing wrote:
> Desmond Huang (bnhuang@netspace.net.au) wrote:
> : > Another solution:
> : > a) free about 30 Mbyte on your HD
> : > a) edit \windows\system.ini
> : > b) go [386Enh] line
> : > c) search the line "MinPagingFileSize=xx", replace xx with 20000
> : > (if you don't have this line insert it AFTER [386Enh])
> :
> : Could you please kindly explain what's the line "MinPagingFileSize" for?
>
> I looked in my Windows Resource Guide and could not find it. What I
> *did* find is MaxPagingFileSize which sets an upper limit on a temporary
> swap file. There is also PermSwapSizeK that sets the size of the
> *permanent* swap file.

I didn't find any kind of information concerning to the MinPagingFileSize including the Microsoft Developer Network CD, but, I think that this entry refers to the INITIAL size of the swap file. In other words, this is the size that Windows allocates on the Hard Disk to the file used for swaps on the memory.

If I get more information I'll send to you, OK?
Roberto Gattoni
rgattoni@i2.com.br

------------------------------

Date: Wed, 17 Jul 1996 17:13:28 +0000 (GMT)
From: F/WIN Anti-Virus Support/Ordering
Subject: Re: Tentacles virus-- help? (WIN)
X-Digest: Volume 9 : Issue 117

> ... Mcafee
>destroy all the files that were infected, restored them from backup,
>scanned them again, and found the backups were clean. All Hail
>Mcafee, problem solved, I thought.

Several products, including ours can detect and remove Tentacle. Because of F/WIN's generic approach to removing this virus, it should also be able to detect and remove new strains of Tentacle (if there are any).

Please visit our web site (in my signature below) and click on the option for those who are experiencing virus emergencies. Follow those directions and we can send you on a one time basis, a fully functional evaluation copy of F/WIN to help you get past this current virus emergency.

Gary Martin
Computer Virus Solutions
E-mail: fwin_sup@ix.netcom.com
WWW: http://www.gen.com/fwin
Phone: (614) 337-0995
Authorized Distributor of F/WIN Anti-Virus

------------------------------

Date: Wed, 17 Jul 1996 17:32:59 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Tentacles virus-- help? (WIN)
X-Digest: Volume 9 : Issue 117

In article <0019.01I770RBW8DWXZM9T6@csc.canterbury.ac.nz> jtd3h@sunny.urich.edu "Jonathan Daggar" writes:

> My Windoze 3.1 recently got infected with an ugly little monster that
> Mcafee scan calls 'Tentacles'.
>
> Anyway, I let Mcafee
> destroy all the files that were infected, restored them from backup,
> scanned them again, and found the backups were clean.
>
> A few hours later, I reran the scan, and found that the virus had
> popped up again. I again deleted them and restored them, then ran all
> my hard drive partitions and boot sectors through the scan twice, and
> found it nowhere. Hoping it was just an oversight, I went on, only to
> find my windows executables infected a few hours later.
Sounds like you are running McAfee in Windows, without a clean boot. I seem to remember that McAfee for Windows 3 doesn't scan memory. That would mean that it wouldn't warn you that Tentacle was active in memory. If Tentacle is active in memory, it will reinfect executable files when they are run, even if you manage to get rid of all the infected files each time you run the AV.

> Does anyone have any suggestions of what to do, short of reformatting
> my hard drive?

Don't do that. It is never necessary, and usually useless.

What you need to do is boot clean, from a known clean DOS floppy (write protected to avoid accidents). Then run the DOS version of McAfee, or another capable AV. I think there are other AV programs that can remove Tentacle from files, instead of having to delete the files.

- -
PUT YOUR BRUSH         NEEDS A
BACK ON THE SHELF      SHAVE ITSELF
THE DARN THING         Burma-Shave

------------------------------

Date: Wed, 17 Jul 1996 20:05:16 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: Strange Duck... (WIN)
X-Digest: Volume 9 : Issue 117

"Marcio V. Pinheiro" writes:

>When I boot Uninstaller 3 from Program Manager...before the booting is
>complete, a small 2/3" square appears in the left upper corner of my
>screen. This square is light blue. Then...when I click the Undelete
>Programs option...this square appears again with a black duck
>inside...
>
>After the programs boot, it seems to work well but the icons are
>really crooked...Instead of the normal icons for each program as it
>appears in Program Manager, I get a totally dark square icon or an
>icon with black lines...
>
>I have uninstalled the Uninstaller...I have run again my windows 3.11
>and I even got a new disk from Microhelp. The same square with the
>black duck is there when I boot...with the same consequences.
>This doesn't happen when I boot from the Control Panel or when I boot
>from the File Manager. Only happens when I boot from Program Manager.

No *known* Windows virus does this.
And as for black boxes, I do cover that topic in my What's NOT a Virus article: http://www.mcafee.com/new/notvirus.html

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Thu, 18 Jul 1996 15:40:23 -0700
From: Information
Subject: Virus Affecting Schedule+ (WIN)
X-Digest: Volume 9 : Issue 117

Has anyone seen a virus that gives the following error when entering Schedule+ for Windows for Workgroups.

    Schedule+ will not run becasue someone has tampered with the program files. Check your machine for viruses.

Whatever it is it affects more than schedule+ but that is the most notable. It also seems to attack win95 exe as well as WFWG.

The string is JB9!B91B99BJ

Thanks for all your help

Paul Salter
email: paul.salter@tsy.nzlgovtsy.synet.net.nz

------------------------------

Date: Wed, 17 Jul 1996 10:56:16 +0000
From: Fridrik Skulason
Subject: Re: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 117

In <0015.01I7427PGTW6WHZC3A@csc.canterbury.ac.nz> Harry Healer writes:

>>i recommend PC-Cillin...
>
>It came out last in PC Worlds test June 1996.

The PC Worlds test was utter garbage anyhow....like most (all?) anti-virus tests done by "popular" magazines.

-frisk

- -
Fridrik Skulason    Frisk Software International    phone: +354-5-617273
Author of F-PROT    E-mail: frisk@complex.is        fax: +354-5-617274

------------------------------

Date: Wed, 17 Jul 1996 11:41:40 +0000 (GMT)
From: Fridrik Skulason
Subject: Re: F-PROT scanning compressed files (PC)
X-Digest: Volume 9 : Issue 117

>F-PROT claims to be able to scan inside executables compressed with
>PKLITE, DIET, LZEXE, and others. But it seems not.

It does scan...however....it will only find non-polymorphic viruses. Not polymorphic ones like the Tequila that you tested this with...and actually, it will not find all non-polymorphic viruses either.

Both limitations are a side-effect of the way the scanning engine is written, and currently it is undergoing a complete rewrite.
-frisk

------------------------------

Date: Wed, 17 Jul 1996 12:48 +0000
From: Graham Cluley
Subject: Re: Does F-PROT score over SOLOMON or vice-versa (PC)
X-Digest: Volume 9 : Issue 117
In-Reply-To:

KIRAN SHIVESHWAR writes:

> Our company is planning to secure anti-virus software in a big way. In
> the final analysis we found F-PROT and SOLOMON to be equally good.

Well done, sounds like your analysis worked well. Dr Solomon's is (obviously!) excellent and F-Prot for DOS is also highly regarded.

> Can anyone help me to select between F-PROT and SOLOMON.

Well, my problem is that I'm affiliated with Dr Solomon's. So don't believe anything I'm about to say. :-)

It all rather depends on what is important for you. For example, detection rate, technical support (presumably you've been speaking to our guys in India? They're excellent), identification capability (different from detection as this is the precision with which you identify which virus you are infected by), clean-up capabilities, on-access detection rate, multiple platform support, ease of use, speed, propensity to false alarm, ability to scan inside compressed and archived files (Dr Solomon's can scan inside ZIP, LZH, ARC, ARJ, ICE, Diet, PKLite, LZExe, CryptCOM compressed files *recursively* without writing to the hard disk - that might be important if you encounter a lot of compressed files), heuristic detection rate without false alarming, etc etc

Something else worth considering for all users evaluating anti-virus software is to evaluate the thing you're going to actually use! For example, I've seen some companies decide on which anti-virus to use based on the detection rate of the on-demand/command-line scanner. That's fine - but what they actually plan to install on their computers is the on-access scanner!! In which case - why not evaluate the on-access scanner!!?

Not all anti-virus products use the same virus-finding engine in their different "bits".
So, for example, an on-access scanner may find less viruses than the
on-demand scanner. Or an anti-virus for DOS may find more viruses than
a version for Windows 95 - even though they have the same brandname!

I can only speak for the product I represent and that uses the same
virus-finding engine on all operating systems, and also uses it in its
on-access VxD scanner. So it can detect just as many viruses, however
you're running it.

You can find some competent independent comparative reviews of
anti-virus software (including the two you're interested in) from the
likes of Virus Bulletin, Secure Computing, University of Tampere, etc
at our website: http://www.drsolomon.com/avtk/reviews

You can also find links to other anti-virus vendors to hear their side
of the story.

Regards
Graham
- --
Graham Cluley                      CompuServe: GO DRSOLOMON
Senior Technology Consultant,      UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.   US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com    UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com      USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Wed, 17 Jul 1996 13:01 +0000
From: Graham Cluley
Subject: Re: F-Prot comments (PC)
X-Digest: Volume 9 : Issue 117
In-Reply-To: <01I770RBW8DWXZM9T6@csc.canterbury.ac.nz>

Calvin Hayden x2254 writes:

> A co worker indicated that he had read a couple of bad reviews on
> the net about fprot and supposed bogus scanning. He mentioned that
> what he read indicated that fprot in some cases only printed file names
> and never really scanned them. Anyone else out there heard this or
> have any info on it? I am surfing now trying to see for myself.

Doesn't sound very likely to me. Maybe what they're suggesting is the
default operation of F-Prot (just like most other anti-virus products)
is to scan only those files which normally contain viruses (.EXE, .COM,
.DOC, .DOT, .OV?, etc etc..
the list varies depending on which anti-virus you're talking about).
You usually need to run your anti-virus in "all files" mode in order to
scan virus-infected files which have been renamed to, say, .TXT

F-Prot is one of the more highly regarded anti-virus products, I don't
think they would be trying to pull a "fast one". :-)

Regards
Graham
- --
Graham Cluley                      CompuServe: GO DRSOLOMON
Senior Technology Consultant,      UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.   US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com    UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com      USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Wed, 17 Jul 1996 13:27 +0000
From: Graham Cluley
Subject: Re: Info. for Virus/Vaccine Tool (PC)
X-Digest: Volume 9 : Issue 117
In-Reply-To: <01I770RBW8DWXZM9T6@csc.canterbury.ac.nz>

Jinwoo Kim writes:

> We are currently developing a system for our
> telecommunication customer whose clients environment
> will include approximately 4000 PCs.
> While I am designing the system, virus is going to be one
> of my major concern to maintain the PC operating environment.

In my experience most corporate customers choose an on-access scanner
for their virus protection. An on-access scanner can intercept a virus
before it infects the computer, displaying a suitable message and
sending a note to the system supervisor.

In the last eighteen months or so, VxDs have come on the scene. These
are on-access scanners for Windows, Windows 95, and - although not
really called VxDs - Windows NT.

VxDs have a big advantage over the old DOS-based TSRs in so much as
they are not restricted by the old DOS 640k limit. VxDs can now detect
just as many viruses as the old command-line scanners, including the
complex polymorphic viruses and Word macro viruses.

A VxD literally strangles, say, a Concept macro virus outbreak to death.
Users can't be infected: they can't copy an infected file, they can't
load an infected file, they can't run an infected file, they can't
email an infected file.

So, that covers the users. We do, however, find there is a case for
command-line (or on-demand) scanners. These usually have more support
for compressed and archived files than on-access scanners, so they can
be useful for "sheepdipping" of new disks, and they also include
clean-up facilities to aid the MIS team when an infection is
discovered.

Most anti-virus companies can supply tools along the lines of the ones
I am describing. You can read some competent independent reviews from
the likes of Virus Bulletin, Secure Computing, University of Tampere,
etc at http://www.drsolomon.com/avtk/reviews

You can also download from our website an animated tutorial all about
how viruses and anti-virus software work. This includes helpful tips on
anti-virus strategy (without pushing a product too much!). You'll also
find technical papers describing example anti-virus policies for
corporate enterprises.

Regards
Graham
- --
Graham Cluley                      CompuServe: GO DRSOLOMON
Senior Technology Consultant,      UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.   US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com    UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com      USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Wed, 17 Jul 1996 13:28:08 -0002
From: DONNY@iris.co.il
Subject: Re: Zvi's tests of Findviru.exe (PC)
X-Digest: Volume 9 : Issue 117

I corresponded with the moderator about a similar topic in the past and
I thought this is a good opportunity to mention my opinion here for
everyone to read.

:personal-opinion on.

I think virus-l is a place where users come to find out information
about viruses and anti-viruses.
I do not think most of the users are interested in watching anti-virus
vendors at each other's throat (I don't even think that anti-virus
vendors SHOULD be at each other's throat :-) ). Why not set up a rule
or two to prevent such "discussions" from being on virus-l and leave it
for discussions about viruses and about anti-viruses that solve those
viruses?

I am a worker of an anti-virus company and yet I do not find the need
to continually convince users with an ACTIVE virus problem to
immediately drop everything else and buy OUR product. If the user has a
virus it is more important to remove the virus as correctly as possible
with WHATEVER means possible. I DO think our product is the best and
I'll do all I can to convince users to buy it but I don't think that
this marketing effort should be focused mainly on virus-l or on users
crying for help (similar to a doctor saying "first sign these forms
that you will become my patient and then I'll administer CPR. What do
you mean by 'gasp gasp arrggghhh'?").

Why not keep virus-l a bit smaller with information about viruses and
without lots of fist-fighting?

:personal-opinion off.

:suggestion on.

How about:

(a) Any appends that say that a particular product is dreadful should
    not be allowed. Even pointing out that the product destroys data
    and is worse than >place-favorite-word-here< should not be allowed.

(b) Praising your product should be kept to a minimum (something like
    "you can use Kill-All to remove the virus" or "Kill-Them is the
    best I've seen"). No long explanations how to install, run, select
    options, wipe, delete log file, etc. That type of explanation
    should be in the documentation for the product. Exception: If a
    user says "I have Kill-All, how do I scan for multi-poly viruses",
    you can definitely explain how to "click on the multi-poly button
    and press OK".

:suggestion off.

Please?

Donny.

Donny Gilor (Dr. Virus) donny@iris.co.il
- -----------------------------------------
Development manager, Iris Software (Israel)
Tel: (972)-3-9221280 Fax: (972)-3-9228060

------------------------------

Date: Wed, 17 Jul 1996 07:50:08 -0600
From: George Wenzel
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 117

>>Indeed. You'd also end up with an OS that's pretty much useless.
>
>OTOH, in normal use of UNIX, it's much harder to create a virus that
>does unlimited damage -- because most users don't run with unlimited
>permissions. But UNIX is far from useless. Please note that the
>claim was NOT that the problem would disappear ENTIRELY.

The reason that Unix isn't as much of a carrier for viruses isn't
because it's a safer OS (it is, but not by much) - it's because it's
not nearly as common as DOS/Windows boxes, and not nearly as many
people are versed in programming for Unix.

>Viruses are easier to write when there are security holes.

Yes, but most viruses don't exploit security holes - they exploit the
same things that regular programs exploit. They use file access
interrupts, they use the boot sector of floppies. Et cetera.

>But even regular, everyday programs DON'T usually have to run with
>the permission to write every file on the system.

True, but we're not talking about multi-user systems here. My computer
has the permissions it needs to function. How can the OS decide what
files different programs should be able to write to? Regular programs
often write temporary files. It'd be hard to modify DOS to deny
read/write to certain files, without seriously limiting its
functionality.

>>The only solution I can see is to build a new OS, from the ground up, that
>>isn't based on DOS at all, and uses different interrupts, and so on. Of
>>course, that'd mean that all current DOS/Windows/Win95 software would be
>>pretty much useless.
>
>Probably. Which is why it'll never happen.

We're only talking hypothetically here.
DOS isn't going to die soon (despite Microsoft's claims to the
contrary), and it's bringing a whole mess of viruses with it.

>>Well, fatally insecure environments are the ones that people work in all
>>the time.
>
>True. Not only with computers.

People are fatally insecure all the time. Just look at automobile
accidents as an example.

>>They generally are the only ones where people can actually get work done
>>in.
>
>Disputable. UNIX is far more secure than Windows, and it's still plenty
>possible to get work done with it. Is it fatally insecure? Probably.
>Just less so than Windows.

As I said, the reason that UNIX has fewer viruses is because it's less
common, and because fewer people have the expertise to write a UNIX
virus, compared to DOS.

Regards,
George Wenzel

- -
|\ zz _,,,--,,_ ,) George Wenzel /,`.-'`' -, ;-;;' |,4- ) )-,_ ) /\ U of A Karate Club Homepage: <---''(_/--' (_/-' http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Wed, 17 Jul 1996 09:38:31 -0400
From: "A. Padgett Peterson P.E. Information Security"
Subject: RE: Possible new stealth virus? (PC)
X-Digest: Volume 9 : Issue 117

Not sure where you found that version as it is rather old and without
seeing it do not even know if it is something someone "fixed". The
current version is DS242 and has been available on SimTel mirror sites
for several years.

I have no knowledge of any such problems but will check. If it would be
possible to send the master boot record that is being flagged as
infected and a uuencode of the version of DS you downloaded, I will
check it out.

Incidentally, DS is designed to use only hidden sectors of track 0 and
check to see if occupied by OS files before installing.

Padgett

[Moderator's note: SimTel is now SimtelNet .simtel.net and I've just
checked the msdos/virus directory and both ds23ib.zip and dsii242.zip
are there.]
------------------------------

Date: Wed, 17 Jul 1996 10:18:59 -0700
From: aspaeth@bogle.com
Subject: Re: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 117

Graham Cluley said:

>Was this the PC World test where they used half a dozen-or-so viruses?
>Hardly a comprehensive test of anti-virus products, stretching their
>abilities to the limit..

Bill Lambdin said:

>To start with, I do not place much credibility in Magazine A-V tests. I
>usually send a 2-6 page fax after reading many of these reviews ;-(.

FWIW, I definitely agree with Graham and Bill on the credibility of
most trade mag AV reviews. For example, a review of NLM scanners a few
months ago in LAN Times had the following as the total discussion of
actual virus detection and cleaning, "both products could detect all
our test viruses." When I asked how many viruses that was (pointing out
that virus detection tests using large libraries generally do not
result in even 100% ties), the reply was only that "the viruses
obtained in the test environment were from a large production network."
In other words, likely just what the reviewer happened to have on hand
from his day job. I certainly wouldn't try to do published reviews of
AV products using my _very_ limited virus library.

>McAfee's Scan is NOT the best scanner. I have heard that McAfee's Scan has
>failed the NCSA certification. I can neither confirm this nor deny it.

FWIW, I just checked and various McAfee products are currently listed
on the NCSA web site as certified. Now maybe that certification is up
for renewal, in which case there might be some midnight oil burning. I
do remember that it took a while for a bunch of products to show up on
the list as having passed the new tighter certification standards.

>However; there is some good news for McAfee. C.J. Kuo was hired by McAfee
>associates recently, and I believe there will be an improvement in
>McAfee's Scan shortly.

AFAIK, Jimmy Kuo has been with McAfee since at least last summer (I
discussed this at the time with both Symantec and McAfee reps.)

On the topic of McAfee and the trades, I was also "amused" lately to
see an article in LAN Times giving McAfee as an example of how AV
vendors were now "introducing" VxD-based Windows real-time scanners.
Dr. Solomon's and F-Prot Prof. have had VxD-based real-time scanning
since last year. Odd how it takes McAfee or Symantec to come out with
something to make the trades sit up and notice. And then they seem to
think that McAfee is a technology leader for finally coming out with
their long promised VxD alternative to the VSHIELD DOS TSR...

- -----------------------------------------------------------------
Alan Spaeth                        Email: aspaeth@bogle.com
Systems Development Coordinator
Bogle & Gates P.L.L.C. (A Professional Limited Liability Company)
Portland, Oregon, USA
Opinions expressed here are mine and do not necessarily reflect
those of Bogle & Gates P.L.L.C.
- -----------------------------------------------------------------

------------------------------

Date: Wed, 17 Jul 1996 17:40:43 +0000 (GMT)
From: Iolo Davidson
Subject: Re: F-Prot comments (PC)
X-Digest: Volume 9 : Issue 117

In article <0021.01I770RBW8DWXZM9T6@csc.canterbury.ac.nz>
tijc02!cgh018@uunet.uu.net "Calvin Hayden x2254" writes:

> A co worker indicated that he had read a couple of bad reviews on
> the net about fprot and supposed bogus scanning. He mentioned that
> what he read indicated that fprot in some cases only printed file names
> and never really scanned them. Anyone else out there heard this or
> have any info on it?

There was a long thread in another group about this. It was not a
"review" but basically a lot of garbage, put out by someone who has a
grudge against the author of F-Prot, and followed by a lot of
remonstration by people who knew better.

There was in fact a bug affecting scanning of particular viruses only,
on network drives only, in one particular OEM version of F-Prot only.
It didn't affect scanning on local drives, nor the detection of the
vast majority of viruses on network drives, nor was it present in the
normal distribution versions of F-Prot. It was fixed right away, and no
customers were affected. You won't even be able to obtain the version
of F-Prot that had the bug.

> Please reply by email to cgh018%tijc02@uunet.uu.net

Just this once, on condition that you tell your friend that he has been
listening to garbage and should stop repeating it.

- -
PUT YOUR BRUSH NEEDS A BACK ON THE SHELF SHAVE ITSELF THE DARN THING Burma-Shave

------------------------------

Date: Wed, 17 Jul 1996 14:53:11 -0500
From: "Thomas J. Roussel, Jr."
Subject: pedophile virus? (PC)
X-Digest: Volume 9 : Issue 117

anybody ever know of a virus that places the two sentences "i hate
pedophiles why don't you pick on someone your own size" at the
beginning of ini files? i've got a computer (w/win95) that had those
lines added and now the modem cannot be recognized. in search for new
hardware, when the computer gets to the com port, everything freezes
and i have to reboot? McAfee doesn't find anything.

thanks in advance
TROU
roussel@linknet.net

------------------------------

Date: Wed, 17 Jul 1996 20:21:58 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: F-Prot comments (PC)
X-Digest: Volume 9 : Issue 117

Calvin Hayden x2254 writes:

>A co worker indicated that he had read a couple of bad reviews on
>the net about fprot and supposed bogus scanning. He mentioned that
>what he read indicated that fprot in some cases only printed file names
>and never really scanned them. Anyone else out there heard this or
>have any info on it? I am surfing now trying to see for myself.

I guess your coworker just can't believe that a product could run that
fast. :-)

No, FProt does not ever print file names without scanning them.
FProt is one of the best overall AV products out there. (Second to
ours, of course. :-) )

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 17 Jul 1996 20:26:02 +0000 (GMT)
From: "Chengi J. Kuo"
Subject: Re: F-PROT scanning compressed files (PC)
X-Digest: Volume 9 : Issue 117

Graham Cluley writes:

>Francois Pirsch writes:
>> F-PROT claims to be able to scan inside executables compressed with
>> PKLITE, DIET, LZEXE, and others. But it seems not. Here is exactly what
>> I did :
>>
>> 1. I decompressed DEBUG.EXE (this point is not important)
>> 2. Had it infected by Tequila
>> 3. Scanned it with F-PROT 2.23, which detected the virus.
>> 4. Recompressed it with PKLITE 1.13
>> 5. scanned it again, and F-PROT found nothing.
>
>I may be wrong but I *think* F-Prot does not scan inside compressed files
>by default. You have to use a command-line switch like /PACKED or
>something like that. Did you do that?

FProt does scan inside specific versions of the above listed 'lited'
files without additional parameters. PKLite has many different versions
which use slightly different compression/decompression algorithms.
Perhaps FProt does not support that particular version.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Wed, 17 Jul 1996 21:04:51 +0000 (GMT)
From: Bruce Burrell
Subject: Re: F-Prot comments (PC)
X-Digest: Volume 9 : Issue 117

Calvin Hayden x2254 (tijc02!cgh018@uunet.uu.net) wrote:

> A co worker indicated that he had read a couple of bad reviews on
> the net about fprot and supposed bogus scanning. He mentioned that
> what he read indicated that fprot in some cases only printed file names
> and never really scanned them. Anyone else out there heard this or
> have any info on it? I am surfing now trying to see for myself.

One version (from Command) of F-PROT Pro had this problem for a very
brief time, and it was corrected quickly. It's questionable whether or
not actual viruses were used for the "review"; in any event, it's fixed
long since.

> Thanks,
> Please reply by email to cgh018%tijc02@uunet.uu.net

And you'll summarize the responses you get here, correct? Netiquette
demands that you do so, and that you make the offer when you post your
request.

[Sent as followup and private email.]

-BPB

------------------------------

Date: Wed, 17 Jul 1996 23:03:50 -0400
From:
Subject: New Kind Of Viruses? (PC)
X-Digest: Volume 9 : Issue 117

I once talked to a virus author and he told me that he has an idea. His
idea is to make a BATCH file virus and to convert it to .COM and this
would make it completely unscannable by any virus scanners including
batch file heuristic scanners which are used to check BATCH files for
infection of a virus. I would like to ask if this is possible. And can
he really make a virus from a batch file.

please e-mail if you know the answers to these questions

------------------------------

Date: Thu, 18 Jul 1996 03:44:26 +0000 (GMT)
From: Jonathan Perkins
Subject: McAfee VirusScan and WebScan? (PC)
X-Digest: Volume 9 : Issue 117

A somewhat neophyte question for the resident anti-virus gurus--what
are the major differences between McAfee's VirusScan program and its
WebScan product?

I have seen the VirusScan program come highly recommended in the recent
PC MAGAZINE tests for general detection abilities and overall
usability, but from reviewing past posts, I realize that this is open
to some debate. What are its major faults compared to other leading
Windows anti-virus products? Please bear in mind that I am looking for
a decent mix between ease of use and comprehensive detection and
cleaning abilities, but put more stress on the latter requirement.

Specifically, I am looking at acquiring Windows 3.1-based anti-virus
software (previously tried TBAV, but found it a bit too cryptic)
capable of detecting macro viruses, etc., so the VirusScan product
looked good.
However, I am also increasingly receiving document files and binary
attachments via the Internet (99% word processor files), as well as
doing more WWW browsing via Netscape 2.0. In this connection, I
understand that McAfee also sells WebScan, which appeared to be some
sort of add-on to the basic VirusScan software. What, exactly, is the
relationship between the two? If one has the VirusScan software, what
is the need for the WebScan software, and what are its principal
advantages? Furthermore, what are WebScan's direct competitors and how
do they rate?

Appreciate any advice/opinions/recommendations that people care to
share...

Regards,

Jon

- -
- ---------
Jon Perkins--Ottawa, Canada
jperkins@ccs.carleton.ca
"fortiter in re, suaviter in modo"

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 117]
******************************************
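
Two scanner behaviours discussed in this issue, the default extension list versus "all files" mode (the F-Prot comments thread) and scanning inside compressed executables when only some packer versions are supported (the F-PROT scanning compressed files thread), shown together in an added Python example that is not taken from any poster or product. The signature string, the `TOYPACK1`/`TOYPACK2` packer tags and every sample file are constructed for illustration, with zlib and bz2 standing in for real packer algorithms.

```python
import bz2
import io
import os
import zipfile
import zlib

# Constructed, harmless byte string standing in for a virus signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
# Default scan list, built from extensions named in the digest.
DEFAULT_EXTENSIONS = {".exe", ".com", ".doc", ".dot"}
MAX_DEPTH, MAX_MEMBER_BYTES = 4, 1 << 20  # nesting bound, inflate bound
# Hypothetical packer: 8-byte tag + compressed body; only v1 can be unpacked.
UNPACKERS = {b"TOYPACK1": zlib.decompress}
KNOWN_PACKER_TAGS = {b"TOYPACK1", b"TOYPACK2"}


def toy_pack(body, version=1):
    """Build a constructed 'packed executable' (sample input only)."""
    codec, tag = (zlib, b"TOYPACK1") if version == 1 else (bz2, b"TOYPACK2")
    return tag + codec.compress(body)


def scan_bytes(name, data, depth=0):
    """Scan a buffer in memory and return a list of (path, verdict) pairs."""
    if SIGNATURE in data:
        return [(name, "infected")]
    if depth >= MAX_DEPTH:
        return [(name, "not-inspected: nesting too deep")]
    tag = data[:8]
    if tag in KNOWN_PACKER_TAGS:
        unpack = UNPACKERS.get(tag)
        if unpack is None:
            # Recognised as packed, but no unpacker: never report it as clean.
            return [(name, "not-inspected: unsupported packer version")]
        try:
            return scan_bytes(name + "!unpacked", unpack(data[8:]), depth + 1)
        except zlib.error:
            return [(name, "not-inspected: corrupt packed body")]
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                path = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:  # declared size
                    findings.append((path, "not-inspected: member too large"))
                else:
                    findings += scan_bytes(path, archive.read(info), depth + 1)
        return findings
    return [(name, "clean")]


def scan_file(filename, data, all_files=False):
    """Apply the default extension list unless all_files is requested."""
    extension = os.path.splitext(filename)[1].lower()
    if not all_files and extension not in DEFAULT_EXTENSIONS:
        return [(filename, "skipped: extension not in default list")]
    return scan_bytes(filename, data)


def build_samples():
    """Return constructed sample files keyed by name."""
    body = b"MZ" + b"\x00" * 64 + SIGNATURE + b"\x90" * 64
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("INNER.EXE", toy_pack(body, 1))
        zf.writestr("README.DOC", b"nothing to see here " * 8)
    return {
        "PLAIN.EXE": body,
        "PACKED1.EXE": toy_pack(body, 1),
        "PACKED2.EXE": toy_pack(body, 2),
        "RENAMED.TXT": body,
        "BUNDLE.ZIP": archive.getvalue(),
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, scan_file(name, data), scan_file(name, data, all_files=True))
```

The `not-inspected` verdicts are kept separate from `clean` so that a report never implies a file in an unsupported packer version was actually examined.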