VIRUS-L Digest   Monday, 2 Sep 1996    Volume 9 : Issue 156

Today's Topics:

re: DR.Solomon upgrades
Re: Use of VIRUS-L
VirusNET av program
Re: What is the worst Virus?
Re: Summary: Intel LanDesk
Re: McAfee AV
Re: Central Point MacTools Pro (MAC)
Re: NTFS Questions (NT)
Re: help with possible virus (WIN95)
Re: Buying Anti Virus program for Win 95 (WIN95)
Word.colors.B (WIN)
Re: Recurrent Tentacles virus following disinfect (WIN)
thunderbyte antivirus (PC)
Re: Vacsina virus trouble (PC)
Re: Can't use clean boot disk (PC)
Re: Vesselin Bontchev's paper 'Vircing the InVircible' (PC)
Re: Hare virus mini-FAQ (PC)
Re: How to remove Mongolian Virus in MBR on D: drive? (PC)
Re: Vesselin Bontchev's paper 'Vircing the InVircible' (PC)
Re: Where can I find NAV for dos (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform--diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted. Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://cs.ucr.edu/pub/virus-l. The current
FAQ document is in a file called vlfaq200.txt. Administrative mail
(e.g., comments or suggestions) should be sent to me at:
n.fitzgerald@csc.canterbury.ac.nz. (Beer recipes should still be sent
to Ken van Wyk at: krvw@mnsinc.com.) All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Nick FitzGerald

----------------------------------------------------------------------

Date: Sun, 01 Sep 1996 12:51:00 -0700
From: Don.Edwards@ci.seattle.wa.us
Subject: re: DR.Solomon upgrades
X-Digest: Volume 9 : Issue 156

>Presently we make all our updates/upgrades available via the
>regular postal service. This means they land slap-bang in the
>middle of your desk where you can't ignore them.

You obviously haven't seen my desk. :-)

Or observed how unreliable some mail sorting operations are.

I can automate an FTP download and software install.

- --------------------------------------
Opinions expressed here do not necessarily represent those of the
City of Seattle

------------------------------

Date: Sun, 01 Sep 1996 12:57:00 -0700
From: Don.Edwards@ci.seattle.wa.us
Subject: Re: Use of VIRUS-L
X-Digest: Volume 9 : Issue 156

Bill Lambdin says:

>Are you willing for A-V developers, and agents for a program to
>make preposterous claims about the effectiveness of said program
>without permitting unbiased evaluators to report problems in said
>programs?

Bill, we don't need to go to that extreme.

There is a very small group of individuals whose posts to this group
*consistently* consist of false advertising, misleading and derogatory
statements about other people's AV products, very bad advice, and
personal attacks. (Pick one or more for any given post.) Replies to
these people's posts can -- at best -- restore the discussion to where
it would be had those posts not occurred.

We would lose little or nothing if posts from those particular
individuals were excluded. It would not be necessary to exclude
replies, as there would be nothing to reply to -- except in the case
of crosspostings from alt.comp.virus.

- --------------------------------------
Opinions expressed here do not necessarily represent those of the
City of Seattle

------------------------------

Date: Mon, 02 Sep 1996 04:25:20 +0000 (GMT)
From: Ruben Hiciano
Subject: VirusNET av program
X-Digest: Volume 9 : Issue 156

Does anyone know an av software called VirusNET? Is it good? A friend
of mine just bought a copy. It has a very nice interface but I want to
know how effective it is before I buy a copy too.

Thanks !!

Ruben D. Hiciano C., Jr.
==============================================
"There's no knowledge that is not power" - MK3
==============================================
JPC 20241
PO Box 520666
Miami, FL 33152-0666
Tel.: (809) 578-0800
Fax.: (809) 578-7744
====================
mailto:asistec@codetel.net.do

------------------------------

Date: Sat, 31 Aug 1996 16:16:31 -0500
From: "Duane A. Bielling"
Subject: Re: What is the worst Virus?
X-Digest: Volume 9 : Issue 156

In article <0001.01I8GOXIJ23WYW2YAT@csc.canterbury.ac.nz>, Bill
lambdin wrote:

>I recommend the following A-V programs that offer the ability to perform
>integrity checking.
>
>F-Prot professional
>Integrity Master
>Thunderbyte A-V
>Untouchable
>Victor Charlie.
>
>There are several other A-V programs that offer integrity checking, but I
>do not recommend them because of various security problems

Question. What do you think of the IBM-AV, specifically the one for
OS/2? There are just so many OS/2 AV packages to choose from. :^)

------------------------------

Date: Mon, 02 Sep 1996 06:54:34 +0000 (GMT)
From: ccrayton@ix.netcom.com
Subject: Re: Summary: Intel LanDesk
X-Digest: Volume 9 : Issue 156

>>We have since switched to IBM 2.4x, soon to be 2.5x as Intel's response to
>>a virus infection was very inadequate. IBM had people on site within hours
>>of the first communication while Intel was 1/2 day in deciding to place
>>their resources at our disposal. The Intel-Trend cleaning solution for our
>>"major.6144" infestation was deletion of the infected files. Cleaning the
>>file meant "to save the file we have to destroy it". No further comment.

FWIW, my experience with LANDesk Manager has not been a good one. I
upgraded my virus protect signature files and VPROTECT.EXE to the
latest versions, that were updated to catch the Word Concept virus. I
ran the program on a document that I know to be infected, and
VSCAND.EXE reports no infections. That, and the inconsistencies in the
product in general cause me to give it low marks.

------------------------------

Date: Mon, 02 Sep 1996 07:10:24 +0000 (GMT)
From: Paul Harris
Subject: Re: McAfee AV
X-Digest: Volume 9 : Issue 156

Gene Wirchenko wrote:

> I have read a number of posts that claim Bad Things about McAfee.
>My employer uses McAfee as their AV of choice. Obvious conclusion.
>
> Throwing several pounds of fat on the fire, I blurt:
>
> What is this about false positives?
>
> Why is it so hard to connect to their site and get the AV?
>
> Quality of technical support?
>
> Anything else?

<>

I've been using McAfee AV since April of this year. The software has
worked flawlessly, and in fact, has found several viruses on disks my
clients have given me. It seems to be well-integrated into Win95. No
problem there.

Support and company response, however, have been outrageously poor. I
registered the product in April, and, after a whole series of
faxes/e-mail messages had been totally ignored, I finally got an
acknowledgement of my registration in early August. I was then
assigned a personal user number, and - as I bought the one-year free
upgrade offer - I recently downloaded a new version from their Web
server. Though it works fine, I now get a message on booting that I
have one month to evaluate this free evaluation copy. WHAT free
evaluation copy? I've PAID for the bloody thing!

I'm actually tired of trying to deal with them, and am thinking of
deep-sixing the whole program and trying something like F-Prot.

Well, you asked!

Paul Harris
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WORD WORKS TECHNICAL COMMUNICATIONS
Design & Layout       Digital Typesetting      (604)384-3076
Editing & Writing                              (604)384-4402 (fax)
1013 Pendergast St.   Victoria, BC  V8V 2W8    Wordworks@IslandNet.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Sun, 01 Sep 1996 22:23:07 -0500
From: Bill Stewart-Cole
Subject: Re: Central Point MacTools Pro (MAC)
X-Digest: Volume 9 : Issue 156

In article <0014.01I8WKZXOUZK1GG74R@csc.canterbury.ac.nz>, Cliff and
Diana Morrison wrote:

>Does anyone still rely on Central Point (now a division of Symantec)
>MacTools Pro for anti-virus protection?

Probably not, at least not if they take antiviral protection seriously.

>I am unable to find a reasonably recent signature file at their BBS and
>the Symantec Anti-Virus Research Center does not stock any update files
>for this product.

The problem is that Symantec has treated MacTools badly since they
bought their way into monopoly status for mac utilities. IMHO MacTools
is a better product than Norton Utilities in many ways, but Symantec
simply does not support it.

However, this does not mean it is useless as an antiviral. Because of
the very slow rate of new system-level viruses appearing on the Mac,
the latest available MacTools signatures do in fact catch all the
existing system-level viruses. What is missing is any ability to find
'macro viruses' and the solution for those is to simply not use Word
6. That may sound flippant, but there ARE viable alternatives and it
is a perfect solution.

- -
Bill Stewart-Cole

------------------------------

Date: Mon, 02 Sep 1996 06:56:55 +0000 (GMT)
From: ccrayton@ix.netcom.com
Subject: Re: NTFS Questions (NT)
X-Digest: Volume 9 : Issue 156

Marc Blanchard wrote:

>Someone can tell me if some BOOT or MBR DOS Viruses can destroy a NTFS
>partition ?

Yes. At the disk level, the only difference between FAT, NTFS, or HPFS
and PC-Based Unix file systems is a single descriptor word. Destroy
the master boot record, or the partition tables, and the partition is
fried.

------------------------------

Date: Mon, 02 Sep 1996 02:33:06 -0400
From: Steven Hoke
Subject: Re: help with possible virus (WIN95)
X-Digest: Volume 9 : Issue 156

Charles Reese wrote:

> I need some assistance in identifying a possible virus in my system. I
> have a Micron (133Mhz Pentium) running Windows 95 that is showing 636K
> *total* conventional memory. I was under the impression that I should
> be reading 640K.

Not necessarily. Many system BIOS's use 1 or 2K extra themselves, and
some installed expansion cards that have their own BIOS, such as a
drive controller (like you say below that you have installed) can also
install their own BIOS and use some of that.

Having less than 640K available is not an indication by itself of a
virus. An indication of a virus would be if your system used 639K, and
you suddenly noticed that it had just dropped to 637K, and you haven't
changed anything in the system that would account for that.

> I have run both Norton Antivirus and McAfee Virus Scan
> and come up with nothing. I have rewritten the master boot record and
> even formatted the drive and re-installed the OS to no avail. I am not
> convinced I have a virus, but cannot explain the missing 4K of memory.
>
> I was wondering if it is possible that I somehow infected my bios with
> a virus since it is a flash bios (Phoenix).

No, there are no viruses that can infect a flash BIOS.

>I am using an AHA-2940 Adaptec PCI SCSI-2 controller.

It's probably a combination of the system BIOS using some of that, and
the SCSI card installing its own BIOS. The previous model Micronics
motherboard (M54Pi) and Phoenix BIOS that Micron used prior to your
model (is yours the M54Hi?) did use 1K for extended BIOS support, and
would report only 639K available.

There are virus scanners that have a slightly higher detection rate
than the scanners you used, such as F-Prot or FindVirus (the DOS
scanner in DSAVTK), but if the versions you used are current, and they
don't detect anything, it's probably clean.

- -
- -==Steve==--
shoke@baldcom.net
steven_hoke@msn.com

------------------------------

Date: Mon, 02 Sep 1996 05:08:34 +0000 (GMT)
From: Yee Chuan Kai
Subject: Re: Buying Anti Virus program for Win 95 (WIN95)
X-Digest: Volume 9 : Issue 156

I think PC-cillin95 is quite good, it is easy to upgrade the new virus
pattern - with just one click on a button through the Internet. It
will remind you when to upgrade too.

------------------------------

Date: Sun, 01 Sep 1996 10:58:28 -0400
From: MValdez6
Subject: Word.colors.B (WIN)
X-Digest: Volume 9 : Issue 156

Hello,

I need some assistance trying to disinfect a word macro strain. The
virus name is "Word.Colors.B". Our Intel Lan detect can identify it,
however it cannot repair short of deleting. Any assistance by way of
advice would be greatly appreciated.

Thank You

mv
Mvaldez@aol.com

------------------------------

Date: Sun, 01 Sep 1996 22:25:21 +0000 (GMT)
From: Duck
Subject: Re: Recurrent Tentacles virus following disinfect (WIN)
X-Digest: Volume 9 : Issue 156

"Sean C. Rogers" wrote:

>1234 (1234@raffles.technet.sg) wrote:
>: Information on this virus is welcomed. My system has been hit by this
>: virus. Although with each scan Mcafee could detect and clean it,
>: subsequent scan still reveal its presence. Most of my exe files in my
>: windows sub-directory have been corrupted and had to be reinstalled. Help
>: please.
>
>get f-prot it should fix it.

Tentacle virus is not really that bad of a virus. It only hits one dir
and that is C:\win\*.exe and NO other files (at least that is what the
one I had did). The easiest way I found to get rid of it is to replace
the infected files (they are usually bigger and take FOR EVER TO LOAD)
and then in the C:\ dir there should be a hidden file something like
tentacle.$$$ - not for sure but I think that is the main part of the
virus. To get rid of it all I did was re-boot and stay in dos, replace
the infected files and then delete the file in C:\ and it never came
back. Also you might want to know that the virus is in a crack for a
program called DOGZ and only runs in windows.

------------------------------

Date: Sun, 01 Sep 1996 11:07:15 -0800 (PST)
From: Benjamin R McCay
Subject: thunderbyte antivirus (PC)
X-Digest: Volume 9 : Issue 156

I am currently using an unregistered copy of thunderbyte antivirus,
and was considering registering it. I have a few questions first,
though:

1. I read through the registration information, and couldn't really
   tell if updates are free or if they must be paid for.

2. If they are free, how long are they free before they must be paid
   for.

3. If they aren't free, how much are they, and for how long do you get
   them if they are paid for.

TIA to anyone who can help answer these questions.

------------------------------

Date: Mon, 02 Sep 1996 14:59:55 +0000 (GMT)
From: Howard Wood
Subject: Re: Vacsina virus trouble (PC)
X-Digest: Volume 9 : Issue 156

Bill lambdin wrote:

>S S International pl writes
>
>>Vacsina is a COM infector, not a boot sector virus. [If you run an EXE
>>file, it converts it to a COM, although the extension doesn't change; the
>>second time this file is run, it infects it; the conversion adds around
>>132 bytes, but is not, in itself, infectious]. It's not a polymorphic
>>virus either.
>
>Correct me if I am incorrect about this. But isn't Vacsina a sub family of
>Vienna, and also non resident?

Vacsina is a Resident COM/EXE infector. Vienna is a NON-RESIDENT COM
infector.

Howard Wood - Editor of The Scanner
The Scanner - SCNR@aol.com or http://diversicomm.com/scanner

------------------------------

Date: Mon, 02 Sep 1996 14:59:58 +0000 (GMT)
From: Howard Wood
Subject: Re: Can't use clean boot disk (PC)
X-Digest: Volume 9 : Issue 156

Don Rising wrote:

>I have a Western Digital 540 drive which was originally set up at a time
>when DOS could only support about 515 Megs. The drive came with Ontrack
>software which does a dynamic drive overlay to get the full 540.
>
>My understanding is that I cannot repartition this with the current DOS
>6.22 capability to read large partitions without losing the information on
>the hard drive.
>
>When I make a boot disk and use it, and attempt read drive C:, I get the
>message
>
>"invalid drive specification."

When you make a boot disk for a DDO drive, make the disk bootable,
then add XBIOS.OVL and DMDRVR.BIN to the disk as well. Now, make a
config.sys file with the following in it:

Device=a:dmdrvr.bin

The disk is now a valid bootdisk for a DDO disk. Add the AV program to
it, or boot with this disk then insert the AV disk to scan the system
with.

Howard Wood - Editor of The Scanner
The Scanner - SCNR@aol.com or http://diversicomm.com/scanner

------------------------------

Date: Sun, 01 Sep 1996 13:31:12 -0600
From: George Wenzel
Subject: Re: Vesselin Bontchev's paper 'Vircing the InVircible' (PC)
X-Digest: Volume 9 : Issue 156

In article <0008.01I8ZJQVTYRG1GG74R@csc.canterbury.ac.nz>,
rcc@comsecltd.com says...

>Bill Lambdin wrote in Virus-l v.9n153.
>I'm sorry, Bill, but I have a hard time accepting the usefulness of your
>recommendations since you were recently banned from the National Computer
>Security Association's NCSA Forums (Anti-Virus Vendor and Security Forum)
>on CompuServe.

Bill's status on CompuServe has nothing to do with his capabilities as
an evaluator of anti-virus software. His tests are well done and he
provides all the information necessary to replicate his tests.

>Based on communications with Dr. Mich Kabay, Director of Education at the
>NCSA, it appears that you were banned from their forums because your
>recommendations were based on incompetent evaluations of the products you
>made "recommendations" about. Members of the NCSA Forums also expressed
>concerns about your apparent fixation against InVircible.

What Mr. Casas doesn't mention is that he is an InVircible vendor. I
consider it highly likely that the "members of the NCSA forums" which
complained were mostly InVircible producers/supporters/vendors.

>In my opinion, the moderator of this group who, I believe, is aware of
>these facts, should take this into consideration when you submit posts
>here. One has to wonder why he apparently does not?

Nick has already responded to these points. I will point out, as Nick
did, that Robert Casas sent a detailed letter to Nick informing him of
Bill's status on Compuserve, likely with the intention of getting Bill
banned here. This has nothing to do with Bill's competence in
evaluating anti-virus software - it has to do with the fact that Bill
does not recommend InVircible as either a scanner or a generic
product. It seems that the producers/vendors of InVircible are more
focused on censoring those who do not support their product, than to
improve their product so that more people support it. I am highly
skeptical of the ethics that drive those people.

>It appears he is more lax in his criteria for assessing the value of
>information than the NCSA and I suppose readers of this newsgroup should
>consider this when judging the worth of the information they read, here.

What Mr. Casas means to say is that the information here is balanced
and all sides are represented. Mr. Casas would consider this forum to
have considerably more worth if critics of InVircible were banned.

>I hope you will learn how to improve the competence of your product
>evaluations before posting any further "recommendations".

If you consider Bill's evaluations to be incompetent, why don't you
post the reasons why you consider them to be incompetent? If his tests
are so incompetent, why is it that all the reputable anti-virus
evaluators worldwide (including Virus Bulletin) have agreed with his
results?

Regards,
George Wenzel

- -
George Wenzel
Student of Wado Kai Karate
U of A Karate Club
http://www.ualberta.ca/~gwenzel/

------------------------------

Date: Sun, 01 Sep 1996 10:10:27 +0100
From: James MacDonald
Subject: Re: Hare virus mini-FAQ (PC)
X-Digest: Volume 9 : Issue 156

In article <0028.01I8WKZXOUZK1GG74R@csc.canterbury.ac.nz>, Zvi Netiv
writes

>Booting clean won't help accessing a hard drive that had its MBR infected
>with Hare as the partition table data is zeroed by the virus.

Booting clean in itself won't help. But if you have something such as
Norton Rescue or another system imager, this can be used to restore
the MBR beautifully (providing you weren't Hared when you ran the
imager).

>
>AV software that I tried (Dr. Solomon's FindVirus 7.62 and 7.63, and
>F-Prot 2.24a - both recognize Hare) were able to tell that the MBR was
>infected by Hare but couldn't recover the MBR from.

Dr. Solomon's AVTK will recover the MBR form. Use the CleanPart
utility, which will remove the virus from the MBR. Then use FINDVIRU
to clean your COM and EXE files.

>The MBR of a Hare infected hard drive can be recovered by any version of
>ResQdisk, from 1994.

Presuming when you ResQdisked you were clean. If not, I doubt your
claim would be true. Also, if you have modified the partition tables
since ResQdisking, the recovery will not be full.
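The NTFS answer (one descriptor byte per partition entry, and a dead drive once the table is destroyed) and the Hare thread above (a rescue-disk copy of the MBR used to put the partition table back) both come down to the 64-byte table at offset 0x1BE of sector 0. This is an added, self-contained example, not code from the digest or from any of the products named in it: it parses a constructed MBR, compares a freshly read sector against a trusted backup the way a rescue disk check would, and restores the table from that backup. The sample sector and the zeroed-table copy are constructed in the code.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE          # the four partition entries start here
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

# Partition type byte: the single descriptor the NTFS answer refers to.
PART_TYPES = {0x00: "empty", 0x01: "FAT12", 0x04: "FAT16 <32MB", 0x05: "extended",
              0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0E: "FAT16 LBA", 0x0F: "extended LBA", 0x83: "Linux"}


def make_mbr(partitions, boot_code=b""):
    """Build a constructed 512-byte MBR from (bootable, type, lba_start, sectors) tuples."""
    table = b""
    for bootable, ptype, lba_start, sectors in partitions:
        status = 0x80 if bootable else 0x00
        table += struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3,
                             lba_start, sectors)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")      # unused entries stay all-zero
    return boot_code[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Decode the four partition entries and check the 55AA boot signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
                      "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:] == BOOT_SIGNATURE, "partitions": parts}


def check_mbr(current, backup):
    """Compare a freshly read MBR with a trusted rescue-disk copy; return findings."""
    findings = []
    cur, ref = parse_mbr(current), parse_mbr(backup)
    if not cur["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if current[:TABLE_OFFSET] != backup[:TABLE_OFFSET]:
        findings.append("boot code differs from backup")
    for c, r in zip(cur["partitions"], ref["partitions"]):
        if c != r:
            findings.append("partition %d changed: %s -> %s"
                            % (c["index"], r["type_name"], c["type_name"]))
    return findings


def restore_partition_table(damaged, backup):
    """Copy the saved table back over the damaged sector; boot code is left as read."""
    return (damaged[:TABLE_OFFSET]
            + backup[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE]
            + BOOT_SIGNATURE)


# Constructed sample: a bootable NTFS system partition plus a FAT16 data partition.
GOOD_MBR = make_mbr([(True, 0x07, 63, 1_000_000), (False, 0x06, 1_000_063, 500_000)])
# Constructed damage of the kind the Hare thread describes: table bytes zeroed.
ZEROED_MBR = GOOD_MBR[:TABLE_OFFSET] + b"\x00" * (4 * ENTRY_SIZE) + BOOT_SIGNATURE

if __name__ == "__main__":
    for p in parse_mbr(GOOD_MBR)["partitions"]:
        print(p)
    print(check_mbr(ZEROED_MBR, GOOD_MBR))
    print(restore_partition_table(ZEROED_MBR, GOOD_MBR) == GOOD_MBR)
```

The restore only puts the table back; as the reply notes, the boot code itself still has to be cleaned, and a backup taken after infection restores the infection too.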
------------------------------

Date: Sun, 01 Sep 1996 09:41:09 +0100
From: James MacDonald
Subject: Re: How to remove Mongolian Virus in MBR on D: drive? (PC)
X-Digest: Volume 9 : Issue 156

In article <0045.01I8WKZXOUZK1GG74R@csc.canterbury.ac.nz>, William Tan
writes

>My PC was badly infected by Mongolian Virus recently. I manage to remove
>it from my C drive, but I was not able to remove it from D: drive's MBR.
>
>I have reformatted D: drive, I even deleted the partition and reformatted
>again, but it is still there after formatting. I have also tried
>using FDISK /, Scan D: /Boot, and TBUTIL, but these commands just will
>not be able to remove Mongolian Virus from the MBR of the D: drive.

Nothing will remove Mongolian from the MBR of drive D:, simply because
there is only ONE MBR, and that is neither on C: or D: as it is OS
independent.

Mongolian has infected the BOOT SECTOR of drive D: and you should take
steps to remove it. Use DSAV, F-PROT or NAV to remove it.

- DSAV Evaluation
- F-PROT 2.24a (be sure you get A and not 2.24)

>Please advise. Thousands thanks in advance.

How about a thousand pounds? :)

------------------------------

Date: Sat, 31 Aug 1996 23:13:25 +0000 (GMT)
From: Iolo Davidson
Subject: Re: Vesselin Bontchev's paper 'Vircing the InVircible' (PC)
X-Digest: Volume 9 : Issue 156

In article <0009.01I8ZJQVTYRG1GG74R@csc.canterbury.ac.nz>
n.fitzgerald@csc.canterbury.ac.nz "Nick FitzGerald" writes:

> Robert is free to feel that I
> am "lax" in my criteria for approving posts--hell several people do and
> recently some of them have been telling me to stop posting messages from
> Zvi because they find his "style" offensive. That is, in fact, one of the
> grounds for not approving posts and it is a tricky one to get the balance
> right between possibly offending a few readers occasionally and allowing
> posters (who are often dealing with strongly emotive topics) reasonable
> freedom of expression. Lax as I may be in some readers' eyes in my
> policing of the "civility" guideline, I don't see I am being lax for
> otherwise allowing people to post messages that fall entirely within the
> guidelines of the group.

I would rather have the "lax" approach, even if it means putting up
with Netiv (whose posts do himself more damage than anyone else
anyhow). But above all, if we get one side, we must also get the
other.

- -
  FIRE! FIRE!     JUST GRAB
  KEEP COOL      YOUR PANTS
  AND BE BRAVE   Burma-Shave

------------------------------

Date: 29 Aug 96 22:35:48
From: James Bingham
Subject: Re: Where can I find NAV for dos (PC)
X-Digest: Volume 9 : Issue 156

-=> Quoting Bkanish@fireball.blast.ne to All @{echomail}*4 <=-

 Bk> Hello, all. Someone on this list mentioned that nav is free for the
 Bk> dos platform. Where can I d/l it?

You can grab it from the Symantec Home page at www.symantac.com

Good Luck!

James.

... I call things as I see them; If I didn't see them, I make them up!
___ Blue Wave/QWK v2.12

- -
| Fidonet:  James Bingham 1:2424/2406
| Internet: James.Bingham@pconline.gryn.org

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 156]
******************************************