VIRUS-L Digest   Saturday, 20 Jul 1996   Volume 9 : Issue 119

Today's Topics:

Fighting Macro Virus in Campus Labs
Windows Security Setup
Re: Linux anti-virus available (UNIX)
Angelina vs NT 3.51 (NT)
Re: Any NT Viruses?? (NT)
Re: How good is McAfee's V-Shield? (WIN95)
Re: Is PC-Cillin 95 any good? (WIN95)
Re: TBAV for win'95 question (WIN95)
Re: Unknown Windows virus/need help finding/cleaning (WIN95)
Re: Autoprotect In Norton Antivirus (WIN95)
File infectors and Windows (was: Virus Affecting Schedule+) (WIN)
Re: New Kind Of Viruses? (PC)
Re: Which AV strategy? (PC)
Re: Which AV strategy? (PC)
Re: New Kind Of Viruses? (PC)
Re: Zvi's tests of Findviru.exe (PC)
Macro/Concept problems with TBAV and F-PROT (PC)
Re: Which AV strategy? (PC)
Re: Zvi's tests of Findviru.exe (PC)
Re: McAfee VirusScan and WebScan? (PC)
Re: New Kind Of Viruses? (PC)
Re: F-Prot comments (PC)
Re: How good is McAfee (PC)
Re: New Kind Of Viruses? (PC)
buten message at bootup -- virus? (PC)
Re: McAfee VirusScan and WebScan? (PC)
Re: How good is McAfee (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform--diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to me at: n.fitzgerald@csc.canterbury.ac.nz.
(Beer recipes should still be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 19 Jul 1996 15:51:08 -0700
From: Helpdesk
Subject: Fighting Macro Virus in Campus Labs
X-Digest: Volume 9 : Issue 119

Does anyone have an idea what we could do? There has been a rapid increase of Macro virus infections on our campus. Our labs are not staffed to deal with the problem, so we used a Windows batch utility to automatically replace NORMAL.DOT with the one from the network server. This way the users will have a clean NORMAL.DOT to work with every time they start Microsoft Word. However, we can't stop users from opening up documents containing the Macro virus. SCANPROT will only detect the presence of the macro and the users could proceed to open them regardless. We use F-MACRO to clean infected files, but we also found that the only virus protection software that would detect the Macro virus when using Word was McAfee, which would alert you that the document contains a Macro virus. Our department does not have the budget to pay for the hundreds of licensed McAfee copies that are needed to protect our PC labs. Could someone offer some other alternatives?

ATUS Help Desk
Western Washington University
Bellingham, Washington

------------------------------

Date: Sat, 20 Jul 1996 01:54:26 -0500 (CDT)
From: "Charles S. Lin"
Subject: Windows Security Setup
X-Digest: Volume 9 : Issue 119

I had a brief opportunity to visit a PC network that I found interesting. It was using Windows 3.1, and was somehow set up so that whenever a user started any application that would use disk space for documents, it would tell the user that a floppy disk was required for all documents, and to select a drive (from a dialog box). Then it would say, please wait, your disk is being scanned for viruses. It would then run F-PROT, and if your disk was/could be cleaned, it would then start the program.

I was very interested in this, being a student administrator at my school. However, I could not find anyone who could or would explain how they did this, I suspect for security reasons. However, I find this very useful. Could someone please give suggestions on how I could do this? Thank you very much.

- - Charles Lin
charles@fermat.lsmsa.edu

------------------------------

Date: Fri, 19 Jul 1996 21:05:29 +0000 (GMT)
From: Robert Michael Slade
Subject: Re: Linux anti-virus available (UNIX)
X-Digest: Volume 9 : Issue 119

N2URO (n2uro@aol.com) wrote:
: Are there anti-virus programs available for Linux? My searches for them on the internet have been futile.

UNIX viruses, although they do exist, are relatively rare and few, and not much of a problem. Therefore, you will not find specific scanner type antivirals for UNIX (or Linux). For UNIX systems in general, a good candidate is the Tripwire change detection system, available at ftp://ftp.cs.purdue.edu/pub/spaf/COAST/Tripwire.

If you are running Linux on an Intel box, and running DOS programs as well, get a decent DOS scanner and make a sweep of the disk every once in a while.

======================
roberts@decus.ca  rslade@vcn.bc.ca  slade@freenet.victoria.bc.ca
link to virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Fri, 19 Jul 1996 11:30:06 +0200
From: "A. Breeden"
Subject: Angelina vs NT 3.51 (NT)
X-Digest: Volume 9 : Issue 119

Anybody out there who can tell me of a virus checker that finds the Angelina virus on NT? Got bad experience with F-PROT, McAfee and Norton. Is there anybody out there? (wasn't it Roger Waters???)

Thanks for answers,
Andreas

------------------------------

Date: Fri, 19 Jul 1996 09:26:20 +0000 (GMT)
From: "nelis w.j.m."
Subject: Re: Any NT Viruses?? (NT)
X-Digest: Volume 9 : Issue 119

Graham Cluley (sandspm@cix.compulink.co.uk) wrote:
: In-Reply-To: <01I770RBW8DWXZM9T6@csc.canterbury.ac.nz>
: "Bratton, Douglas S." writes:
:
: > Does anyone have information on viruses written for NT??
:
: There aren't any NT-specific viruses as yet, but many existing viruses can infect NT machines.
:
: For instance, boot sector viruses. These don't care what operating system you're running on your PC, they just splat themselves over your partition sector regardless. Some of these splat over too much of the disk and prevent NT from booting up properly (the virus author can't have tested them properly), but some like Michelangelo mean that NT will still boot up just fine and if you don't run a decent anti-virus you won't know it happened until March 6th.
:
: Also, it should be remembered that Concept, one of the Word macro viruses, is now undoubtedly the world's most common virus. That doesn't care that you're running NT either as it infects Word document files and doesn't do anything "low level".

There is at this very moment one known 32-bit virus, the so-called BOZA virus. This virus can infect WIN95 and WIN NT computers. There are several sources (Thunderbyte AV, F-PROT, etc.) who are confirming this information. Also there are a lot of rumours going on about the HARE virus. As of now there are not yet official confirmations of this virus spreading under 32-bit computers.

So make regular back-ups and use your virus checker with the latest update.

Greetings,
F-J Kamenz
Tele/data comm. specialist

------------------------------

Date: Fri, 19 Jul 1996 11:10 +0000
From: Graham Cluley
Subject: Re: How good is McAfee's V-Shield? (WIN95)
X-Digest: Volume 9 : Issue 119

In-Reply-To: <01I78O961T78XZM9T6@csc.canterbury.ac.nz>
owner-virus-l@fidoii.cc.lehigh.edu (that can't be right, but that's what it said) writes:

> Hmmmmm.....I have YET to see the V-Shield work.
> I have it running all the time, yet I unknowingly brought home the Stealth-C virus from work, and it infected my computer. Luckily I had to take my computer in to have some upgrades done, and the computer guy found it and cleaned it. But the V-Shield didn't detect it before it infected my computer.....can you tell me why this is????

You catch this virus by booting (or attempting to boot) off an infected floppy disk. At that stage the anti-virus is not in memory (well, you've just done a power-off so that's understandable) so it cannot intercept the virus.

However, an on-access TSR, like McAfee VShield in your case, should be able to detect the virus whenever you normally access the floppy disk. It can then warn you that you have an infected floppy and this helps prevent spread and accidental booting off it.

> What good is the V-Shield if it doesn't detect viruses BEFORE they get on your computer???

They should be able to detect boot sector viruses when you access floppies during normal computer usage. For example, when you copy a file to the floppy or do a DIR of the floppy the on-access scanner should also jump in and do a scan of the floppy's boot sector. I imagine McAfee VShield does this; Dr Solomon's VirusGuard and WinGuard certainly do.

> (P.S. I am running Win 3.1)

I seem to remember that McAfee WScan for Windows 3.1 doesn't scan for viruses in memory. That means if your hard disk is infected with a stealth boot virus like the one you mention that it won't detect it in memory (because it's not looking in memory for viruses) and won't find it on the hard disk either (because the virus is stealthing). AntiEXE, Monkey and Parity Boot are other common stealthing boot sector viruses.

Regards
Graham

- --
Graham Cluley                           CompuServe: GO DRSOLOMON
Senior Technology Consultant,           UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.        US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com         UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com           USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 19 Jul 1996 12:01 +0000
From: Graham Cluley
Subject: Re: Is PC-Cillin 95 any good? (WIN95)
X-Digest: Volume 9 : Issue 119

In-Reply-To: <01I78O961T78XZM9T6@csc.canterbury.ac.nz>
Khufus Buddy writes:

> Solomon's is always good, but then it's three times the price.

Hmm.. I don't think that's quite right. Have a flick through some of the UK computer magazines and you'll see you can get Dr Solomon's for Win95 for a lot less than the RRP (but still including updates, the full DOS version as well as Win95, free technical support 24-hours-a-day, etc etc).

Regards
Graham

- --
Graham Cluley                           CompuServe: GO DRSOLOMON
Senior Technology Consultant,           UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.        US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com         UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com           USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 19 Jul 1996 16:34:23 +0000 (GMT)
From: PEREGRINE
Subject: Re: TBAV for win'95 question (WIN95)
X-Digest: Volume 9 : Issue 119

Krazy Russian (ielperin@netwizards.net) wrote:
>I just upgraded from the 16bit TBAV to the 32bit TBAV, and it stopped scanning files before executing. It used to show the I/O monitor status in the status window, and every time I executed a non-authorized file it would prompt me for validation. Now it just sits there and doesn't do anything. What could be the problem? I reinstalled it several times, and checked for all the options....

I think you ran into the same problem I had. After installing TBAV for the first time, everything worked fine until I tried to run Turbo Pascal. I got "checking" flashed on my screen a couple times, then the machine just sat there with a blank screen. I had to cold reboot.

What seems to have fixed the problem: From the main menu, I selected tbsetup, then flags menu, then reset flags manually. I then went back to the main menu, and selected quit and save. I then rebooted, and when I tried to run TP again, I got a dialogue box that said "RTM.EXE tried to go resident -- file not listed" (something like that) "remove from memory y/n?". I selected no, and TP came right up. It now comes up without any notices or problems.

But just now when I checked TBAV, I find it's back to "use normal flags". So if someone more familiar with Thunderbyte is reading this, could you tell me if this is normal behavior? Or did I goof somewhere when I was trying all the options, and just get lucky?

Kevin
__
Kevin Murcray  kmurcray@du.edu
University of Denver
Dept. of Physics & Astronomy
Upper Atmospheric Research Group

------------------------------

Date: Fri, 19 Jul 1996 22:58:57 +0000 (GMT)
From: Shane Coursen
Subject: Re: Unknown Windows virus/need help finding/cleaning (WIN95)
X-Digest: Volume 9 : Issue 119

In article <0015.01I770RBW8DWXZM9T6@csc.canterbury.ac.nz>, scryn@idirect.com says...
>Just recently, I noticed some strange behaviour when I ran certain programs in windows 95.. (more so than the usual crashing :P). In certain programs, I have noticed a strange graphic display in the program window of small cubes (approx .5-1 cm in width/height/depth) moving in random motion.

This sounds like a possible video driver problem. Try either changing the monitor refresh rate or updating the video driver. This problem could also be caused by a low memory situation. There is also a screen saver that moves small cubes of the Windows desktop in random directions (but I'm sure we couldn't be talking about that.) Though I'm not too familiar with Win95 screen handling, the measurement that you give - .5cm - sounds like the dimensions of a typical sprite. ...Jimmy, can you add anything here?

>[snip] but instead found that fdisk.exe, sys.com, scandisk for dos and windows, and norton antivirus's main executable had been changed.

The measured response would be: There are many non-viral explanations for this. The most common is that another AV/security program added an integrity "wrapper" to the file.

The virus researcher response is: Now you're talking! Do you still have any of these files? If so, I would be more than happy to take a look at them. Please email me for instructions on how to (safely) transfer them across email.

- - Shane Coursen
scoursen@symantec.com
http://www.symantec.com/avcenter
Computer Virus Researcher
Symantec AntiVirus Research Center

------------------------------

Date: Fri, 19 Jul 1996 23:24:42 +0000 (GMT)
From: Shane Coursen
Subject: Re: Autoprotect In Norton Antivirus (WIN95)
X-Digest: Volume 9 : Issue 119

In article <0014.01I770RBW8DWXZM9T6@csc.canterbury.ac.nz>, kohys@pacific.net.sg says...
>When I activate Norton antivirus auto-protect, the drive A is always on when I exit to MSdos from Windows 95. If I remove auto-protect, the symptom disappears. Can anyone help to resolve this? I want auto-protect as well.

Note that when exiting Win95 or rebooting the computer, AutoProtect will scan the boot record of whatever floppy happens to be in the drive. The light will go on for a few seconds, but will eventually turn off.

Just to make sure I understand, the drive A: light goes on and stays on? It never turns off? If the answer to the second question is yes, please let me know. Although I've never heard of this happening, anything is possible.

In the meantime, if this problem is causing a loss of diskette drive access, you can disable the floppy drive check. To disable, start NAV, click on Options, AutoProtect, and then Advanced.
At the bottom of the Advanced screen, you will see a check box allowing you to disable the diskette boot record check.

- - Shane Coursen
scoursen@symantec.com
http://www.symantec.com/avcenter
Computer Virus Researcher
Symantec AntiVirus Research Center

------------------------------

Date: Fri, 19 Jul 1996 21:13:52 +0000 (GMT)
From: Robert Michael Slade
Subject: File infectors and Windows (was: Virus Affecting Schedule+) (WIN)
X-Digest: Volume 9 : Issue 119

Information (information.centre@treasury.govt.nz) wrote:
: Has anyone seen a virus that gives the following error when entering Schedule+ for Windows for Workgroups.
:
: Schedule+ will not run because someone has tampered with the program files. Check your machine for viruses.
:
: Whatever it is it affects more than Schedule+ but that is the most notable. It also seems to attack Win95 exe as well as WFWG.
The string

Windows programs, because of their larger size and complexity, do more self checking than most DOS programs. The error message you cite is a fairly standard one. All that it indicates is that the program file has been changed, whether because of a virus or some other form of file corruption. Windows 95 programs would do the same thing.

If many files have become corrupted, this is likely due to a file infecting, non-stealth virus, but there is no telling which one it might be. Get a good scanner (F-PROT, VET, AVP, Dr. Sol's) and check out your system. Oh, and boot from a "known clean" floppy, first.

======================
roberts@decus.ca  rslade@vcn.bc.ca  slade@freenet.victoria.bc.ca
link to virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Thu, 18 Jul 1996 15:55:33 -0400 (EDT)
From: Karsten Ahlbeck <100554.2356@CompuServe.COM>
Subject: Re: New Kind Of Viruses? (PC)
X-Digest: Volume 9 : Issue 119

NoName wrote:
>I once talked to a virus author

I hope it isn't you thinking.

>and he told me that he has an idea.

Impressing

>His idea is to make a BATCH file virus and to convert it to .COM and this would make it completely unscannable by any virus scanners including batch file heuristic scanners which are used to check BATCH files for infection of a virus. I would like to ask if this is possible. And can he really make a virus from a batch file.

Nonsense. From a clean boot, viruses can always be found. Sometimes not even with a clean boot (for instance Integrity Master version 3, but I usually don't go into pushing this product :-) Not a unique or clever thought, I would say. He should put some effort into something useful instead. I think he was showing off, trying to look like The Big Programmer. Anyway, no suggestions from me. Don't accept any files from him ;-)

>please e-mail if you know the answers to these questions

Please email me his name.

Yours Sincerely,
Karsten Ahlbeck

* The opinions expressed above may not be my own but entirely those of Karahldata, my employer *
===========================================================
Karahldata Sverige - data integrity and anti-virus (software + training)
Swedish Integrity Master agent
===========================================================

------------------------------

Date: Fri, 19 Jul 1996 04:10:15 +0000 (GMT)
From: Totally Lost
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 119

Kenneth Albanowski wrote:
> On Sun, 14 Jul 1996, Totally Lost wrote:
>
> > It doesn't take much work in an OS to close up 99.99% of the entry points that give rise to real worries of destruction that a malware virus/trojan could cause.
>
> How do you cut off the boot-sector entry point?

As you are undoubtedly aware, that is not an OS issue at all, but a BIOS issue. One of the lingering security holes present in PC's.
While the PC industry strongly suggests setting the boot order from A:/C: to C:/A:, there are better fixes that can be implemented in the BIOS or in the hard drive master/secondary boot which involve use of digital certificates to validate that the object has not been tampered with or modified - a floppy boot record that fails this test would simply never be loaded by the BIOS.

In the same way, there is no way to secure an 8088, 80188, 80286 or derivative system - regardless of the OS you run on it. If there is a weak foundation in any security domain, the levels above are compromised. If the base hardware is flawed, the OS and above don't stand a chance. If the OS is flawed, then any policies implemented above it are flawed too.

> > Sadly most A-V products attempt to achieve the same goals of preventing unauthorized access to disk data ... which a sound OS design, even with a very high degree of binary compatibility with the MSDOS/WIN API, can achieve with a near 100% success.
>
> How do you distinguish an authorized program accessing a file from an un-authorized program? (Without extreme file typing information, which the MSDOS/WIN API certainly could not support.)

The point is that you can't. Which is why A-V software attempting to do this is flawed by design as well. The solution is to use a file access paradigm which has implicit state external to the applications ... file permission controls. For multiuser server OS's this is a fundamental part of the system design, implemented in part by the filesystem, and mapped to other resources. Since the MSDOS API lacks ownership provisions, it must be implemented external to the API as administrative state. Merge (DOS on UNIX), Netware and NT do this transparently already and it works well.

By enhancing the DOS filesystem to include permission controls, and two states - normal and administrative, then files could be marked execute-only and read-only to limit malware access to important file objects in the normal state. Access to administrative state could be restricted to a very limited number of console keyboard commands in the CLI/shell. The only visible side effect in the API would be an extra error return due to permission failure that already exists in the NT/Netware API.

> Viruses don't have to subvert the OS.

True ... but in a bottom to top secure design, they do have to subvert something. If the OS can not be subverted, as with UNIX, then attacks have to be directed above or below the OS security layer. Most firewalls run on a stripped down UNIX type system, with minimal utilities and applications ... because the base hardware and OS is secure, then they try very hard to make sure the remaining utilities are too, minimizing risks should a hacker find a way to get to a CLI/shell on the firewall.

As a UNIX Systems Programmer and administrator for over 20 years, the few problems in the security API that have surfaced over the years were due to inexperienced systems programmers (AKA bugs) ... and promptly fixed, mostly as part of design reviews. Most of the security problems that people point to on UNIX are due to poorly designed network utilities done by students at Berkeley and other Universities, which exist in BSD and vendors which took the BSD code. Most major UNIX system vendors have bent over backwards fixing the problems.

> How do you stop macro viruses with a sound OS design?

You don't. As I have posted elsewhere, and including in this forum, the security domain extends into and includes any network accessible application. I strongly believe that Microsoft made a grave mistake in their implementation of macros in their Office Suite. Most of the functionality they implemented could have been implemented in much more secure ways ... by controlling the sandbox for document macros, and restricting certain macro features to macros that must live external to the document as linked objects.

> > Just plain false. If any code segment can not take over hardware control of the system (denial of service attacks excluded), then the foundation for basic security controls is in place.
>
> How does this stop a macro virus?

A sound OS design is a strong first step to minimize the number and type of attacks that a virus is capable of ... and the amount of damage. Without a strong protection domain protecting the base OS and applications, then malware can corrupt, damage, or destroy any file/application on the system - requiring a full system reload from backups, if they exist. With a strong protection domain, the malware can cause problems only with the user's documents and data ... a much smaller set of data to restore. With a sounder macro design, along the lines of JAVA sandboxes, macro viruses would not exist in the wild as they do today. In fact, they would not have the means to replicate, or cause damage at all. But if you choose to purchase security risks, such as Microsoft Office, then you also need to accept the damage they WILL allow.

> > These OS features do a much better job at controlling/preventing the spread of a virus than the equiv TSR functions that A-V vendors are so proud of.
>
> Definitely. Unfortunately, everyone is using this incredibly old hack called "MS-DOS". If you figure out some way of doing something about that, I'm sure we'd all like to hear about it.

Windows 95 was a big step forward; unfortunately they missed a few points. They clearly missed the value of a security domain restriction in the filesystem. From what I knew of MS-DOS back in the 2.something days, you could probably implement the security changes in about 150 pages of C code, and only break a few things, mostly malware and A-V products. Fixing the problems in Win95 is probably about the same level of effort.

It would probably take a couple weekends for a small team to take the FreeBSD or Linux OS, along with the DOS emulator code, to strip it down to an 85% hack for a virus resistant DOS compatible implementation. Not that big a job ... making it run Win3.11 would take a little longer. Making it an 85% replacement for Win95 could probably be done in under two man years - again not that big an effort for a semester OS class as a team project. For an individual ... the risk of harassment from MS would be high if released - until it got widely used and supported. Sadly most of the people who would be interested in this type of project are having much more fun with FreeBSD or Linux.

> > The means to replicate may still exist to a very minor degree for certain development users who produce and execute their own binaries - but in the same sense you could also completely limit access to trusted binaries for the typical office worker. Such actions would reduce viruses to an annoyance, from the huge threat they represent today.
>
> Ah, then secure OSs don't prevent viruses. Thank you.

I never made that claim ... but in comparison to MS-DOS their ability to replicate and cause damage would, as I claimed, "simply disappear to miniscule proportions." The focus would then be on cleaning up applications like MS Office. While applications were hosted on an unsecure platform, they had no need or incentive to implement an unfounded security domain ... if the domain exists in the host hardware and OS, then it's much less effort to implement, and much more important to maintain in the application. Once the hardware, OS and applications support a sound security domain, it is clearly in the users' hands to make the environment secure if they care about security at all.

John Bass

------------------------------

Date: Fri, 19 Jul 1996 05:53:50 +0000 (GMT)
From: Totally Lost
Subject: Re: Which AV strategy? (PC)
X-Digest: Volume 9 : Issue 119

Iolo Davidson writes:
> In article <0011.01I7427PGTW6WHZC3A@csc.canterbury.ac.nz> idletime@netcom.com "Totally Lost" writes:
>
> > In article <0024.01I715RHU6Y2WHZC3A@csc.canterbury.ac.nz>, George Wenzel wrote:
> > > Viruses do not exist because of security holes - they exist because somebody wrote a program that would replicate itself. This is possible on pretty much all high-level OS's.
> >
> > Just plain false. If any code segment can not take over hardware control of the system (denial of service attacks excluded), then the foundation for basic security controls is in place. As a secondary control, if the filesystem normally disallows write access to selected binaries, in particular those which have administrative priv's and the primary applications, then the means of replication for a virus is largely blocked.
>
> Too rosy a view. Even in DOS, there are viruses called "slow infectors" that wait for the right conditions to spread without alerting access control packages or AV. Someone has to be able to write system files and executables; you just wait for that guy to come along before doing your infecting.

You assume that a secure OS would allow an arbitrary program to leave TSR's lying around which are able to grasp an administrative context and security domain ... with license to kill. In UNIX environments, background tasks spin off all the time, but are unable to exist past the user's logout - and they clearly are not part of or able to get a handle on any administrative context. If such a breach existed they would not need to lurk. More importantly they are highly visible from a simple ps(1) listing. The only other access points are cron and at ... both of which are also visible, and turned off in many installations because of past flaws - as are certain .forward features.

Lurking is significantly harder to do ... without some form of stealth, slow infectors have a difficult problem of avoiding early detection. In a stable production PC, the administrative context should only be entered a few times a year ... it's doubtful a lurker could hide that long without detection somewhere, and not end up the object of a scanner search.

John Bass

------------------------------

Date: Fri, 19 Jul 1996 01:21:10 -0600
From: George Wenzel
Subject: Re: New Kind Of Viruses? (PC)
X-Digest: Volume 9 : Issue 119

In article <0037.01I78O961T78XZM9T6@csc.canterbury.ac.nz>, amalsaad@jcs1.jcstate.edu says...
>I once talked to a virus author and he told me that he has an idea. His idea is to make a BATCH file virus and to convert it to .COM

Not a new idea.

>and this would make it completely unscannable by any virus scanners including batch file heuristic scanners which are used to check BATCH files for infection of a virus. I would like to ask if this is possible. And can he really make a virus from a batch file.

His idea isn't new, and his virus would not be unscannable. There is no such thing as a virus that cannot be detected.

Regards,
George Wenzel

- -
 |\ zz      _,,,--,,_   ,)          George Wenzel
 /,`.-'`'    -,  ;-;;'
 |,4-  ) )-,_   ) /\                U of A Karate Club Homepage:
<---''(_/--'  (_/-'                 http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Fri, 19 Jul 1996 01:21:30 -0600
From: George Wenzel
Subject: Re: Zvi's tests of Findviru.exe (PC)
X-Digest: Volume 9 : Issue 119

>I think virus-l is a place where users come to find out information about viruses and anti-viruses. I do not think most of the users are interested in watching anti-virus vendors at each other's throat (I don't even think that anti-virus vendors SHOULD be at each other's throat :-) ).

Hear, hear! alt.comp.virus is the place for unfounded attacks. :-)

>:suggestion on.
> >How about: > (a) Any appends that say that a particular product is dreadful > should not be allowed. Even pointing out that the product > destroys data and is worse than >place-favorite-word-here< > should not be allowed. I agree with this. Although it's reasonably on-topic, it doesn't achieve anything. Regards, George Wenzel - - |\ zz _,,,--,,_ ,) George Wenzel /,`.-'`' -, ;-;;' |,4- ) )-,_ ) /\ U of A Karate Club Homepage: <---''(_/--' (_/-' http://www.ualberta.ca/~gwenzel/ ------------------------------ Date: Fri, 19 Jul 1996 06:41:24 +0000 (GMT) From: Puk Hock Hing Subject: Macro/Concept problems with TBAV and F-PROT (PC) X-Digest: Volume 9 : Issue 119 I am hoping to have some infomations on which are the best antivirus cleaner that can cleaned the above range of virus.Currently, the ones that I have ; mcafee viruscan , F-Prot2.23 can only scan the above virus but not clean it. I have detected quite a number of macro viruses lately and have relied heavily on opening documents like wvfix.doc and scanprot.doc to disinfect them. However, I find that sometimes it does not work well as after disinfecting, I still cannot save to any drives using "save as.." within msword. I am hoping that I can have some shareware/evaluation copy of other antivirus scan to try out. I have tried Thunderbyte7.03 shareware copy, FWIN3.1, but though it seems to say it has cleaned, the infected file still has the number of bytes as before and also I AM STILL NOT ABLE TO DO A "save as.." in msword. It always default me to a template directory... Any Advice ???? ------------------------------ Date: Fri, 19 Jul 1996 08:30:50 +0000 (GMT) From: Totally Lost Subject: Re: Which AV strategy? 
(PC)
X-Digest: Volume 9 : Issue 119

------------------------------

Date: Fri, 19 Jul 1996 10:45:56 +0000 (GMT)
From: Oeyvind Pedersen
Subject: Re: Zvi's tests of Findviru.exe (PC)
X-Digest: Volume 9 : Issue 119

In article <0028.01I78O961T78XZM9T6@csc.canterbury.ac.nz>,
DONNY@iris.co.il wrote:

[snipped personal opinion and suggestion]

:personal-opinion on.

I don't think that this forum has a big problem with A-V vendors at
each other's throats, with one exception..... I think it is more a
Zvi-problem than anything else. But I agree with you, A-V vendors
should keep their commercial ads somewhere else, and I feel that they
more or less do now. (Maybe except for Graham constantly announcing his
"independent" reviews on dr.sollys WWW)

:personal-opinion off.

-oep

BTW: I forgot to tell you, F-PROT *is* the best antivirus around :-)

------------------------------

Date: Fri, 19 Jul 1996 11:36 +0000
From: Graham Cluley
Subject: Re: McAfee VirusScan and WebScan? (PC)
X-Digest: Volume 9 : Issue 119
In-Reply-To: <01I78O961T78XZM9T6@csc.canterbury.ac.nz>

Jonathan Perkins writes:

> A somewhat neophyte question for the resident anti-virus gurus--what
> are the major differences between McAfee's VirusScan program and its
> WebScan product?

WebScan contains a tool that should protect you when you download
viruses from the web. McAfee VirusScan includes tools that should
protect you from viruses *wherever* they come from.

> I have seen the VirusScan program come highly recommended in the
> recent PC MAGAZINE tests for general detection abilities and
> overall usability,

Was this the PC Magazine review which said Dr Solomon's doesn't have an
option to repair virus-infected files, when in fact it offers more
reliable virus repair options than any of the other products tested?
(Clearly they missed the big button marked "Repair" on the front end)

> but from reviewing past posts, I realize that this is open to
> some debate.
> What are its major faults compared to other leading
> Windows anti-virus products? Please bear in mind that I am
> looking for a decent mix between ease of use and comprehensive
> detection and cleaning abilities, but put more stress on the
> latter requirement.

There are a number of competent independent comparative reviews to be
found at http://www.drsolomon.com/avtk/reviews from the likes of Virus
Bulletin, University of Tampere, etc. These tend to put a higher level
of importance on detection and clean-up than on user interface etc.

> Specifically, I am looking at acquiring Windows 3.1-based anti-virus
> software (previously tried TBAV, but found it a bit too cryptic) capable
> of detecting macro viruses, etc., so the VirusScan product looked good.
> However, I am also increasingly receiving document files and binary
> attachments via the Internet (99% word processor files), as well as
> doing more WWW browsing via Netscape 2.0. In this connection, I
> understand that McAfee also sells WebScan, which appeared to be some
> sort of add-on to the basic VirusScan software.

I've never really understood why someone would want to purchase an
anti-virus *specifically* for the web, when most viruses are still
coming via floppy disks (boot sector viruses). If you get something
specifically for the web then you're also going to have to get
something to protect you from your network, from your floppy disk
drive, etc. What makes more sense in my mind is to have an anti-virus
which can protect you from *whatever* direction the virus is coming.
A decent VxD on-access scanner can do this.

> What, exactly, is the relationship between the two? If one has the
> VirusScan software, what is the need for the WebScan software, and
> what are its principal advantages? Furthermore, what are WebScan's
> direct competitors and how do they rate?
I haven't tested McAfee WebScan or its competitors because I can't see
why anyone would want one when a decent VxD on-access scanner is
available. I guess the only reason they're sold is marketing.

Recently there have been reports of a security loophole in these
web-scanners which concerns downloading files via the right-mouse-button
using NetScape. Apparently the NetScape helper application doesn't get
invoked. The result: the webscanner checks downloaded files for viruses
if you click with the left button, but not with the right! I think
that's another good reason to use a VxD on-access scanner.

Here at S&S we were going to release a web-scanner (Dr Solomon's
WebGuard). I think we were doing it for marketing reasons (it would be
cheaper than Dr Solomon's Anti-Virus Toolkit but would only scan for
viruses when downloading from the web). When we came across this
right-click loophole we decided it would be unethical to release the
product with such a loophole. We also found this loophole was present
with all web scanners used with NetScape. We won't be releasing a
web-scanner until this loophole has been closed.

You can read all about our decision, and the loophole found in all
webscanners at http://www.drsolomon.com/company/press/webguard.html

Regards
Graham

- --
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 19 Jul 1996 11:36 +0000
From: Graham Cluley
Subject: Re: New Kind Of Viruses? (PC)
X-Digest: Volume 9 : Issue 119
In-Reply-To: <01I78O961T78XZM9T6@csc.canterbury.ac.nz>

amalsaad@jcs1.jcstate.edu writes:

> I once talked to a virus author and he told me that he has an idea.
> His idea is to make a BATCH file virus and to convert it to .COM

It's been done.

> and this would make it completely unscannable by any virus scanners

No it wouldn't.

> including batch file heuristic scanners which is used to check
> BATCH files for infection of a virus.

Anti-virus programs would be able to pick it up.

> I would like to ask if this is possible. And can he really make
> a virus from a batch file.

It's possible to make a virus from a batch file (even without
converting it to a COM). However, it wouldn't present any particular
difficulties to anti-virus products.

> please e-mail if you know the answers to these question

If you speak to this "virus author" again you might suggest he checks
out the computer crime laws at http://www.ibmpcug.co.uk/~drsolly before
he does anything silly which he might regret.

Regards
Graham

- --
Graham Cluley                          CompuServe: GO DRSOLOMON
Senior Technology Consultant,          UK Support: support@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit.       US Support: support@us.drsolomon.com
Email: gcluley@uk.drsolomon.com        UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com          USA Tel: +1 617-273-7400
Evaluation version of Dr Solomon's FindVirus available on our website!

------------------------------

Date: Fri, 19 Jul 1996 10:54:28 -0400
From: a000
Subject: Re: F-Prot comments (PC)
X-Digest: Volume 9 : Issue 119

Calvin Hayden x2254 (tijc02!cgh018@uunet.uu.net) wrote:

: A co worker indicated that he had read a couple of bad reviews on
: the net about fprot and supposed bogus scanning. He mentioned that
: what he read indicated that fprot in some cases only printed file names
: and never really scanned them. Anyone else out there heard this or
: have any info on it? I am surfing now trying to see for myself.

I can comment on this. A "review" of F-PROT Professional was done by
Doren Rosenthal, for Computer Shopper.
During the course of the article, Doren found that there was a case
where F-PROT Professional was not scanning certain networked drives.
This was a very fortunate find, and fortunately no users were affected.

The review failed to note that the bug had been fixed, despite the
review being published long after the problem had been fixed. It also
failed to note that not one customer was affected by this problem, and
that even if anyone had the problem, they would have still been
protected fully if they were using the product as instructed in the
documentation.

I am not sure why Doren took this slant on things but I also don't
agree with his testing methods, and a lot of his other things.

I hope this answers your questions about the problem. Rather, the
non-problem :).

Sarah Gordon
Command Software Systems

- -
i work for Command Software Systems. we are the F-PROT Professional
people. these are my own thoughts. they are not representative of my
Employer, my University, my Government or my Husband. Maybe they should
be. But they aren't! if they are, i'll mention it clearly. else assume
i speak for myself!!!!!!!!!!

------------------------------

Date: Fri, 19 Jul 1996 09:44:01 -0700
From: Harry
Subject: Re: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 119

I'll throw in my 2 cents ........

We just wrote a check to Command Software for their FPROT products. We
FOUND OUT about this company and its AV products because MCAFEE
technical support ain't worth a %^&***! I could ramble on and on. Let
it suffice to say that in my opinion, McAfee has one of the worst
technical support staffs I had to (not able to) deal with in over 14
years of PC work.

On the other hand, the KEY reason I made the decision to go with FPROT
was how responsive Commandcom's Technical Support Staff has been. I say
visit their web site, call them up and give it a try.

www.commandcom.com

Harry Abramowski, Systems Analyst
Futuredontics, Inc.
------------------------------

Date: Fri, 19 Jul 1996 21:33:23 +0000 (GMT)
From: Robert Michael Slade
Subject: Re: New Kind Of Viruses? (PC)
X-Digest: Volume 9 : Issue 119

amalsaad@jcs1.jcstate.edu wrote:

: I once talked to a virus author and he told me that he has an idea.

Astounding! Alert the media! This is an unprecedented occurrence in
the history of ... oh, sorry, that wasn't just a comment?

: His idea is to make a BATCH file virus and to convert it to .COM

OK, there are two possible meanings here. Do you (or did "he") mean:

a) use a batch language "compiler" to make a .COM out of it, or

b) just rename it to .COM?

: and this would make it completely unscanable by any virus scanners

Sorry, no, but thank you for playing "Guess My Undetectable Virus" and
better luck next time.

In the case of a), as soon as the virus becomes prevalent it will be
detected and added to scanner databases in the same manner as any
other.

In the case of b), I have never seen a really functional batch virus,
and if one could be made to work it would simply make scanner
developers add .BAT files to those being checked.

: including batch file heuristic scanners which is used to check
: BATCH files for infection of a virus. I would like to ask if

Sorry, I'm not sure what you are saying here at all. Heuristic
scanners check for patterns of suspicious, rather than specific, code
and are not restricted to use with batch files.

: this is possible. And can he really make a virus from a batch file.

If you are reporting this idea accurately, then I can assure you that,
no, he probably can't make any virus at all.

======================
roberts@decus.ca rslade@vcn.bc.ca slade@freenet.victoria.bc.ca
link to virus, book info at http://www.freenet.victoria.bc.ca/techrev/rms.html
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Sat, 20 Jul 1996 10:28:44 +0800 (SST)
From: Lim Boon Hua
Subject: buten message at bootup -- virus?
(PC)
X-Digest: Volume 9 : Issue 119

my system hangs with the word BUTEN displayed after the bios screen,
occasionally. i tried scanning using scan v227 and fprot 223 and both
report negative. upon further observation, the system will also hang if
i repeatedly hit the f6 key during the bootstrap routine after
displaying the word BEN.

someone suggested that it was a conflict between the mb and the cpu.
could it be possible ?? right now, i am using a cyrix cpu 133+ and an
asustek board.

could this be a virus ?? pls advise. thank you.

------------------------------

Date: Fri, 19 Jul 1996 19:02:26 +0000 (GMT)
From: "Alan B. Bourassa"
Subject: Re: McAfee VirusScan and WebScan? (PC)
X-Digest: Volume 9 : Issue 119

Very good question and I had to call McAfee myself:

Here is the answer:

The Virus Scan software looks at files when you OPEN or EXECUTE them.
This really protects you even from internet downloads as you do not get
infected until you un-ZIP the download or execute it. Therefore you
are really covered with VirusScan.

WebScan does one extra (level of protection?): it checks the file right
after the download as either an EXE or ZIP without you having executed
or unzipped it. BUT, even then when you execute or unzip it yourself
you're protected with VirusScan.

Therefore the question is, do you really need WebScan or is it a good
marketing ploy for McAfee to generate additional revenues.

Regards,
abb@concentric.net

------------------------------

Date: Fri, 19 Jul 1996 21:46:29 -0800
From: Richard Hennick
Subject: Re: How good is McAfee (PC)
X-Digest: Volume 9 : Issue 119

In article <0035.01I7ASA9LU12XZM9T6@csc.canterbury.ac.nz>,
ks@pmddata.no (Harry Healer) writes:

> On 18 Jul 1996 14:38:38 -0000, Fridrik Skulason
> wrote:
>
> >The PC Worlds test was utter garbage anyhow....like most (all?)
> anti-virus
> >tests done by "popular" magazines.
>
> Sure, that's what you all say,
>
> you who makes or sell virus scanners that comes out bad in tests.
>
> Of course, YOUR scanner is the best.

Actually Harry, if you hang around here a little longer, I'm sure you
will see that there is only ONE producer of AV products who continually
boosts his own stuff here, and systematically tries to put down the
competition. And it certainly isn't Mr. Skulason, who actually gives
his product away to non-commercial users.

The degree of respect ("friendship" might be too strong a word), and
even co-operation, between the authors of various AV products in this
newsgroup is a really fascinating and inspiring phenomenon; in many
ways it's a lot more significant than the content of any particular
post, and IMHO also a tribute to the much-neglected and -abused
potential of Usenet. Here, there appears to be a mutual recognition of
dedicated experts working more or less in parallel towards a common
goal, which of course is continually receding too. I think it helps a
lot that this is a moderated newsgroup, with a dedicated and
hardworking moderator.

As I said, there's one outstanding exception to that general spirit of
co-operation. Sooner or later (it took me a little while to catch on),
you too will realize who it is.

- -
it's so easy to slip  it's so easy to fall            | "easy to slip" l. george
and let your memory drift  and do nothing at all      | little feat/sailin' shoes
all the love that you missed  all the people that you can't recall
* do they really exist at all?                        | richard@mindlink.net

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 119]
******************************************