From Fidoii.CC.Lehigh.EDU!lehigh.edu!virus-l Thu Sep 9 05:48:53 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Thu, 09 Sep 93 15:52:44 1 for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA27426; Thu, 9 Sep 1993 15:52:43 +0200
Received: from Fidoii.CC.Lehigh.EDU ([127.0.0.1]) by Fidoii.CC.Lehigh.EDU with SMTP id <4112-3>; Thu, 9 Sep 1993 09:48:55 EDT
Message-Id: <9309091349.AA09484@agarne.ims.disa.mil>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #120
X-Listprocessor-Version: 6.0a -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: Thu, 9 Sep 1993 09:48:53 EDT

VIRUS-L Digest   Thursday, 9 Sep 1993    Volume 6 : Issue 120

Today's Topics:

see you in Amsterdam :-)
Re: Dark Avenger Update?
Experiments with mutated viruses. (PC)
Re: Any good anti-viral shareware out there (PC)
Re: Lambdin's Accuracy Tests (PC)
Re: Write protect ... (HELP!) (PC)
Possible DOS/Windows virus... in the development stage? (!) (PC)
EXEBUG (PC)
Re: Floppy disk virus (PC)
1530 or SVC? Disinfection? (PC)
posting re retaliator viruses (PC)
CRUNCH21.COM (PC)
Re: NukePox disinfector? (PC)
"Moose" PC viruses (PC)
virusses in .ARJ & .ZIP (PC)
Re: Vshield v107 (PC)
TBAVU605.ZIP/TBAVX605.ZIP - TBAV anti-virus v6.05 (optimized/upgrade) (PC)
New files on risc (PC)
DS II (PC)
DiskSecure II updated (yes) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 07 Sep 93 12:20:58 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: see you in Amsterdam :-)

Well, I am off for the Virus Bulletin conference in Amsterdam, followed by my annual vacation, far away from any viruses.

My staff here in Iceland will know how to get in touch with me if absolutely necessary, but don't expect any E-mail replies from me personally until I get back on the 22nd.

-frisk

--
Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 07 Sep 93 20:49:15 -0400
From: blah@netcom.com (baby copperfield)
Subject: Re: Dark Avenger Update?

73044.2573@compuserve.com (William H. Lambdin) writes:

>The latest thing that I have seen written by Dark Avenger was the Uruguay
>virus, but that was several months ago

i dont know where this information came from, bill, but according to everything i have read, uruguay came from Uruguay. dark avenger is/was from bulgaria :). that virus has been around since december 1992, and in my extended conversations with dav, it was -never- mentioned as one of his viruses.

there are a lot of people who would like him to be writing and distributing viruses. monster virus writers make much better press than ones that quit or suspended 'operations' for whatever reason.
i study the subculture relating to virus writers, and if someone has some documentable verifiable proof that this particular guy is at it again, i would really appreciate seeing it. it would be an important part of the work involved in developing case histories and a general overview of the 'culture' that exists around viruses. however, to date, all i have seen regarding this particular guy is a few imitators, some insertions of his name in test strings, and a few attempts to provoke him to some action or other made by persons who are part of the virus subculture.

i know this is not your intent; maybe someone told you he wrote that virus. as far as i know, he's never been in uruguay, and more importantly, did not write that virus. at least, he has not stated he did, and he has been more than cooperative about his past actions.

sara

--
SGordon@Dockmaster.ncsc.mil / vfr@netcom.com
bbs: 219-273-2431 fidonet 1:227/190 / virnet 9:10/0
p.o. box 11417 south bend, in 46624
you are only coming thru in waves..your lips move but i cant hear what you say

------------------------------

Date: Tue, 07 Sep 93 12:20:25 -0400
From: "Sajid Rahim"
Subject: Experiments with mutated viruses. (PC)

To: virus-l@lehigh.edu
From: sajid
Date: 5 Sep 93 18:36:14
Subject: Experiments with mutated viruses.
Priority: normal
X-mailer: Pegasus Mail v2.3 (R5).

Hello all,

I have just finished carrying out experiments designed to test the detection ability of three products namely :

  i.   Dr Solomons Toolkit
  ii.  McAfee Scan v106
  iii. F-prot v2.08d

They were specifically chosen as available on internet in case of McAfee whilst Dr Solomons has been aggressively marketed in South Africa. I did not bother using the local product from CSIR which in my view was a very limited product when compared to the three mentioned above.

Samples used were restricted to multi-partite viruses which included DAVs as well as stealth. The viruses were firstly disassembled to the target assembler TASM v2.0.
The disassembled sources were then modified in the following manner :

Non-Encrypting Viruses
----------------------
Modification : The potential string combination were slightly altered ie. Reset virus's omega sign display. This was done without any slightest idea as to what the detection string might be to prevent any biasing. Some code pieces were removed (a couple of bytes only).

Encrypting Viruses
------------------
Modification : The encrypting keys of the viruses were modified to different values than those utilised by the existing virus.

The samples were then assembled into binary code. All the anti-virus products were then utilised to see how well their detection systems were. Here surprises emerged.

Toolkit failed to recognise any one of the mutated code. Scan was able to work for non-encrypted codes whilst fprot was able to detect all.

At the conclusion, I was horrified to think of the potential disaster waiting to emerge for those using Dr Solomons.

Finally I wish to file a disclaimer that all these experiments were carried out without any bias to any of the three products.

Hope that this info is of any use to users out there.

Sincerely
Sajid

--
------------------------------------------------------------
Sajid Rahim                    internet : sajid@oris.ru.ac.za
S.R.L                          fidonet  : 5:7105/4.5
P.O. Box 5890,MMabatho,Bophuthatswana.
============================================================

------------------------------

Date: Tue, 07 Sep 93 12:22:42 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: Re: Any good anti-viral shareware out there (PC)

>dk010b@uhura.cc.rochester.edu wrote:
>: I'm looking for a good anti-viral program that is available as
>: shareware. If you know of a good one (and how I can easily get it) or
>: if you have one you wouldn't mind sharing I'd really appreciate it.
>
>Shareware, is not free-ware it means try before you buy. Try
>Mcafee.com ftp site the best for me.
>
>Michael
>Try ThunderByte Anti-Virus v6.04.
Better everything than Mcafee. You can get
>the latest copy via modem at ThunderByte USA. Number is 1-302-732-6399.
>
>Ttul

Thunderbyte Anti Virus Software is downloaded at a *very* regular base by me, directly from the author's Thunderbyte BBS in Holland !

It is then placed on ftp.twi.tudelft.nl in dir /pub/msdos/virus/tbscan
Then it is uploaded to oak.oakland.edu (& simtel20), garbo.uwasa.fi and nic.funet.fi

We also mirror mcafee.com (McAfee software)

mail me (bondt@ftp.twi.tudelft.nl) for info, or to be added to the TBAV list (keeps you informed on TBAV software)

------------------------------

Date: Tue, 07 Sep 93 19:21:45 -0400
From: vfreak@aol.com
Subject: Re: Lambdin's Accuracy Tests (PC)

>I've noticed your "accuracy" tests for a long time and hoped that they
>would eventually improve without my having to comment on them, but I
>can't pass over this in silence any more. The question is how such a
>comparison can be fair when you don't use the latest version of each
>scanner. For example, despite the date "June 93", the fact is that

I use the latest version that I can get of each scanner. I have been awaiting a newer version of UTscan for months, but it hasn't arrived, so downloading the signature update from Fifth Generation BBS is the best that I can do at the present time.

Since the June 1993 signatures are three months old I will be removing UTscan from the September release.

>But is it fair to penalize a product in the eyes of the readers simply
>because no one at that company has read your invitation? Or if for

I am not penalizing any company. I have contacts at Fifth Generation Systems, and at BRM in Israel the developers of Untouchable, and several others. It's not my fault that the new releases haven't arrived as promised, so I updated the signatures to make UTScan as current as possible.

>example, is "ZOO" supposed to suggest a kind of "zoo" populated by vi-
>ruses?
(Or could it mean that the infected files are contained within
>a ZOO-type archive which the scanner is supposed to be able to un-
>pack?) And you might explain precisely what "SIGS" means.

I post LAT into 16 virus related conferences, and for most of them the margin is 75 columns wide, and to get it to fit inside the margins, I have to use shorthand.

ZOO is short hand for my virus collections
SIGS is short Hand for SIGnatureS.

There haven't been many people that have asked me to explain the short hand. Three people now in the last year.

Bill

------------------------------

Date: Wed, 08 Sep 93 01:21:16 -0400
From: latim912@crow.csrv.uidaho.edu (Jerry E. Latimer)
Subject: Re: Write protect ... (HELP!) (PC)

Martin_blas Perez Pinilla (mtppepim@lg.ehu.es) wrote:
: berces@ludens.elte.hu writes:
: > My computer (IBM386+110Mb harddisk[C+D part.]+MS-DOS 5.0+Stacker 2.0
: > version) displays at each disk operation on C that:
: >
: > "Write protect error writing drive C
: > Abort, Retry, Fail?"
: I think that Stacker is the guilty. This problem was discussed last
: year in V5#167 of VIRUS-L. This follows the verbatim copy of a message
: of OB77665@IBMH1.ORL.MMC.COM:
: Subject: Stacker problems (PC)
:
: The last few months I've observed a lot of discussion on
: the automatic write protection of stacker drives as a result
: of allocation errors.
: I had this unfortunate experience this weekend as a result
: I dialed into the stacker BBS which was listed in the manual.
: They have several nice utilities and text files that you can d/l
: for troubles and updates.
: Below I have included the text file I d/l on how to get out of
: the write-protected problem.

[complicated instructions deleted]

There is a much easier method. On the uncompressed drive, simply use the MS-DOS attribute command to turn-off the read-only flag of the Stacker volume file.

Email me if you need more info, because this topic has nothing to do with viruses.
// --------------------------------------------------------------------------
// Name: Jerry E. Latimer ( latim912@crow.csrv.uidaho.edu )
// #include "cutequot.h"
//---------------------------------------------------------------------------

------------------------------

Date: Wed, 08 Sep 93 01:58:05 -0400
From: sjsmith@cs.UMD.EDU (Stephen Joseph Smith)
Subject: Possible DOS/Windows virus... in the development stage? (!) (PC)

Preface: I know next to nothing about viruses. This is not an actual virus report. This is a report of a letter received at my place of employment that made me suspicious. If anyone else has received a letter like this, please post or email. If anyone has any idea what to do about the letter, please post or email.

I'm a grad student in computer science at the University of Maryland at College Park. On the side I work for Great Game Products in Bethesda, Maryland doing C programming under DOS.

Recently Tom Throop, president and founder of GGP, received a strange unsolicited letter from someone wanting information on names, dates and times, and sizes of executable files included in all of GGP's software products. Figuring that it is better to be safe than sorry, I told Tom not to give out any information until he knew more about how it was going to be used.

The vagueness and unprofessionality of the letter and the abnormal request for information about executables have made me worry about the possibility of someone out there trying to write a virus or viruses and masking them as software products from unsuspecting small software companies who just answered a survey.

If I'm just being too paranoid, I apologize. But if not, please let me know what you think I should do. Thanks. The letter from "Cheyenne Software" and Tom's reply are enclosed.

- Stephen

---------------------------------------------------------------------------

Dear Tom Throop:

I need information on all of your software products. I need all of them to be for DOS and/or Windows.
For this I would need to know what version you have come out with (ex: 1.0, 2.0) and for the versions I would need to know what the executable name is, the size of the file, the date and time of the file. If possible can you give me as many different maintenance versions as you can.

The reason for me requesting this information is because I am doing a database project for Cheyenne Software which will be used to check for illegal copies of your product. It also will be used for copy protection. This will benefit you by when we find an illegal copy we will make them either buy it or get rid of it.

Please send that to Stephanie LaMarca at Cheyenne Software. The fax number is (516) 484-1853. Please fax me back as soon as possible. If you need to contact me by phone my number is (516) 629-4424. Thank you. And if you would like to contact me by mail it would be 3 Expressway Plaza, Roslyn Heights, NY 11577.

Sincerely,
Stephanie LaMarca

---------------------------------------------------------------------------

8/21/93

Stephanie -

We may be able to help you with your project, but I would like to know a little more about the project:

1. What is your purpose, and what funds are you putting up or receiving from contributors or a client?

2. If the funds are coming from a client, who is he, and what is his objective?

3. You say that upon finding an illegal copy, "we will make them either buy it or get rid of it". This is admirable, indeed, but by whose authority will you act? What mechanism exists for enforcement?

4. Is there existing publicity on the project?

Sincerely,
Tom Throop

------------------------------

Date: Tue, 07 Sep 93 14:33:16 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: EXEBUG (PC)

>From: craa77@vaxa.strath.ac.uk
>Subject: Exebug1 problems......... aaaggghhhh!! (PC)

> It seems to be active in the memory and McAffee (sp) scan/clean
> tells me to switch off the machine and boot from a floppy and
> run scan and clean from there.
The problem is however, when I
> do this the hard drive is no longer accessible (which makes it
> rather difficult to clean :-)

Well I guess you have not tried my FixMBR from FixUtil5. The point is that just because DOS cannot find the hard disk does not mean that it is not there, only that the partition table in the MBR or the DBR has become lost/corrupted. In this case FDISK/MBR will not work & FDISK/STATUS will report odd things.

Somehow I have to wonder about the diagnosis though as I do not recall EXEBUG fouling up the P-Table, just the CMOS floppy parameter.

The EXEBUG is rather strange in that it tries to prevent floppy booting by telling the CMOS that drive A: is not there (by zeroing offset 10h - see my CMOS.LST in the latest version of Ralf Brown's Interrupt List).

This is surmounted by re-selecting the floppy in the BIOS SETUP and immediately booting from floppy.

Good luck,
Padgett

ps DiskSecure II is hardened against droppers & will flag any attempt (plug).

------------------------------

Date: Wed, 08 Sep 93 10:49:20 -0400
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: Floppy disk virus (PC)

s9018166@pewter.spectrum.cs.unsw.OZ.AU (Elisa Aquino) writes:

>I don't know how to fix my computer because i think it is infected by
>virus.

Doesn't sound like it. You might benefit from a book on hardware maintenance of personal computers. Assuming any strange problems to be a virus is usually a mistake.

>1. Drive A just can read first disk. Even u put second disk , directory
> will show the same as first disk.
>2. After I read drive B , then drive A is reset to read first disk but
> it is the same after putting another disk.

It sounds like your A drive has a bad disc-change sensor. Try pulling the drive out and cleaning any lint or dust from it (compressed air works well), then reconnect and try it. Or, move your B drive to the A drive position and try it.
The sensor is usually a mechanical switch, so look for something along where the back of the disc rests (when in the drive) that is stuck or broken.

>I even reformat the hard disk, still the same. Then I low level format the
>hard disk, also the same.

Unless you know it's a virus, don't format your hard drive. It's almost never necessary, anyway.

--
Gary Heston    SCI Systems, Inc.  gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
# It's a bad year for NASCAR. #7 Allan Kulwicki, #28 Davey Allison, RIP #
# Where was Dale Ernhart at 3:00PM CDT on July 12? #

------------------------------

Date: Wed, 08 Sep 93 12:06:21 -0400
From: Fabio Esquivel
Subject: 1530 or SVC? Disinfection? (PC)

*HELP*

Here I am again with another virus:

Yesterday I found an EXE file infected with a virus reported like this:

- CPAV for Windows 1.0 does not find anything (which is normal 8^);
- F-Prot 2.09d called it a "New or modified variant of SVC";
- Scan 104 called it "1530" with the ID 1530|;
- Scan 107 called it "June1530" with the ID J1530| (which does not appear in the VirList.TXT file).

Searching in VSumX307 I found a mention on the CB-1530, but I'm not sure if it is the same virus, mainly because F-Prot thinks it may be a new variant of SVC, -because of this, F-Prot does not make any attempt to disinfect the strain-. Clean 107 says it is not possible to disinfect the file safely and suggests to overwrite it.

I found this virus on a 3.5 floppy disk; this disk is an ORIGINAL diskette from IBM containing the installation software for PCSupport. I checked out other ORIGINAL diskettes with the same software and they are not infected, so I suspect that this floppy was infected in a workstation during the installation process (the file infected is INSTALL.EXE), because the protection tab was closed, which allows write operations to the floppy disk.
I fear that this virus is VERY propagated throughout the network: we are experiencing problems since 2 weeks ago (workstation hangs, unexpected machine boots, one or two lines of screen deleted when trying to login into the token ring...).

What can I do? The network cannot be shut down: it must be working 24 hours a day. We are losing time and money with those several workstations that refuse to login into the network.

The most recent copies of the BEST worldwide antivirus softwares (FProt and ViruScan, of course) refuse to disinfect this virus... Should I send it to Fridrik and Aryeh and wait for good news? Should I reinstall ALL the software in EVERY workstation from the non-infected original IBM disks (very time-consuming)?

Thanks for any help,

DATA SEGMENT PARA PUBLIC
name     DB 'Fabio Esquivel'            ; C:\> dir a:
bitnet   DB 'fesquive@ucrvm2.bitnet'    ; Virus found in drive A:
internet DB 'fesquive@ucrvm2.ucr.ac.cr' ; Install, Kill, Panic?_
DATA ENDS

------------------------------

Date: Wed, 08 Sep 93 12:13:15 -0400
From: fltline@aol.com
Subject: posting re retaliator viruses (PC)

"William H. Lambdin" <73044.2573@compuserve.com> writes:
Posted: Thu, 26 Aug 93 14:23:02 -0400

:Does anyone have experience with retaliator viruses?
:I have read several messages about them, and would appreciate some info.
:If the information is of a sensitive nature, please respond via E-Mail.

I had a discussion with a tech from McAfee, in the America OnLine Virus area (McAfee message board) about this same subject. He stated that he had no knowledge of any viruses that attack anti-viral software. 
When I presented the following chart to him, he changed his story somewhat:

Virus Name         Action
-----------------  ---------
Encroacher         Will search for and delete the following CPAV files:
                     CHKLIST.CPS files
                     CPAV.EXE - the CPAV main program
                     VSAFE.COM - the resident sentry program
Groove             (Same as above)
Peach              Searches for and destroys all CHKLIST.CPS files in every
                   directory before infection takes place (thereby
                   disabling CPAV)
Tremor             Will disable (aka Turn off) the Microsoft memory resident
                   virus identifier (VSAFE)
LOKJAW-ZWEI        Will search for CPAV, F-Prot, McAfee's Scan, McAfee's
                   Clean and delete them
PC WEEVIL          A Mutation Engine Variant which will, like Tremor,
                   disables Microsoft Anti-Virus

Hope this has been of some help to you.

Sam Pitawala
E-mail: Fltline@AOL.com

------------------------------

Date: Wed, 08 Sep 93 13:17:03 -0400
From: vfreak@aol.com
Subject: CRUNCH21.COM (PC)

Steven Hoke uploaded CRUNCH21.COM to the Metaverse BBS last night and requested that I forward it to the A-V developers..

F-Prot 2.09 detects CRUNCH21 as possibly a Diet compressed Coffeeshop dropper. F-Prot reports the same for the second generation too.

I ran the file on my test machine, and it requested permission before going resident. I answered no on the first run just to check. It will not go resident without an affirmative response.

After running the file for the second time on my test machine, I gave it permission to go resident, then ran my bait files. My 10K bait files were reduced to 4K, and at first I had thought that it was an overwriting virus. I ran the bait files again, and they still ran properly. They were not overwritten, just compressed, so it's not easy to tell the size of this thing.

Since this requests permission, it shouldn't really be called a virus. I am open to suggestions on what this type of program should be called.

This thing attaches to .COM and .EXE files, but ignores COMMAND.COM.
I am sending the first and second generation of this to David Chess, Fridrik Skulason, and Wolfgang Stiller.

Bill Lambdin

------------------------------

Date: Wed, 08 Sep 93 17:13:24 +0300
From: eugene@kamis.msk.su (Eugene V. Kaspersky)
Subject: Re: NukePox disinfector? (PC)

> Does anyone have/know of a disinfector for NPox (NukePox) 2.2? F-Prot

Previous versions of NukePox (2.0 and 2.1) cure the infected files on opening. For removing the virus you should open the infected files by DOS function OPEN (under active TSR virus, of course), and the virus will remove itself. How to open these files? Try execute "copy . nul", or scan all files by antiviral.

But these viruses infect the files again on closing, be careful! So, you should open and close the infected file, and let the virus remove itself from the file on opening and stop the infection on closing. To stop the infection you should (your own TSR program should) intercept INT 2Fh and check the functions 1220h and 1216h, these functions are called by the virus on infection. My a-v monitor does it.

The second way: the old version of NukePox save the original 1Bh (27) bytes of the file beginning at the file end. If new version is of the same standard, you should move last 27 bytes of the infected file to its beginning and cut the file at its 'entry point'. To automatize that task you can use my toolkit which you can download from ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_106b.zip

The last way: send the infected sample to a-v researchers and wait for updates.

Regards,
Eugene

--
-- Eugene Kaspersky, KAMI Group, Moscow, Russia
-- eugene@kamis.msk.su +7 (095)939-4066

------------------------------

Date: Wed, 08 Sep 93 15:37:35 -0400
From: "Lars Renman"
Subject: "Moose" PC viruses (PC)

I sent a message to VALERT-L regarding these viruses on August 15, 1993.
I now know a little more about the bastards:

1) It is probably at least four (or more) very similar strains, all carrying the readable text string "Moose" in the code appended to infected files. Various version? numbers "30", "31", "32" - some of them with a space before the number - also in readable format follow the "Moose" text.

2) Different strains attack .EXE and .COM files. There are also instances of .SYS files being converted to .COM file format, in the latter case with the readable text string "This, and much more, from the Moose crashing corp" in the code.

3) Some files have been infected by two strains ("Moose31" and "Moose32").

4) All of the common virus scanning programs can successfully be taught to look for the "Moose" signature.

5) Some files have also had parts of Central Points CPAV.EXE file appended to them.

6) I have taken the trouble to disassemble all of the strains I have found. They are rather clumsily written and they all seem to do the same thing:

   i) look for an uninfected file in the current directory. If not found, go to the overlying directory and try again (repeated until the root is reached).
   ii) infect the uninfected file (if found)
   iii) randomly change one byte in the program running by calculating a random address using IN AL,40h three times, but only if a first reading gives a value below 10 hex. The random value also comes from the last reading.
   iv) restore the initial directory
   v) return to normal execution (which sometimes will fail if the random destruction part worked)

   To be frank, I don't understand what has happened in the cases when CPAV.EXE code has been added to the programs.

7) There is probably no memory-residency, boot sector or partition sector infection involved. My previously reported fears of stealth properties are probably not true - Solomon's PEEKA program behaves strangely also on non-infected PCs of the same make (Acer 486/33), so it is most probably an incompatibility problem.
There have been no other sightings of the virus reported at this university campus (Alerts have been sent to all system managers). I have, however, managed to track down students from this department who have had their PCs at home infected, so the things are on the loose !

I have had a few requests for samples - so far I haven't had the time to do anything about this. For those with an urgent interest: I have sent samples on diskettes to frisk@complex.is and McAfee's Swedish representative.

/Lars Renman

Lars Renman
AMK, CTH/GU, Gothenburg, Sweden
tel. +46 31 772 2782
fax. +46 31 772 2785

------------------------------

Date: Thu, 09 Sep 93 02:35:21 -0400
From: uttsbbs!timothy.lam@uunet.UU.NET (Timothy Lam)
Subject: virusses in .ARJ & .ZIP (PC)

Well, suppose you use McAfee VIRUSCAN..... Adding an option /a like...

SCAN /a C:

Will cause the scanner to scan all the files, including the ZIPS......

But the bad thing is that since the files inside the archive are re-coded, those scans would not be able to find out if there is a virus in there....

What you can do for the next step is to D/L a file used to do the procedure like UNZIP->SCAN->ZIP and so you can fully check if your user uploaded any viruses....

Hope that helps!

Timothy Lam - Internet : lam@nebbs.nersc.gov
----
+------------------------------------------------------------------------+
| The Transfer Station BBS (510) 837-4610 & 837-5591 (V.32bis both lines)|
| Danville, California, USA. 1.5 GIG Files & FREE public Internet Access |
+------------------------------------------------------------------------+

------------------------------

Date: Thu, 09 Sep 93 04:02:23 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Vshield v107 (PC)

Hello Mr. Rivera,

You write:
>I was just trying to get Vshield to loadhi under MSDOS 6.0/QEMM 7.01
>combo and while it worked fine before, now it refuses to loadhi.

This was a minor bug (buglet?)
introduced in Version 107* of VSHIELD when some debugging code was accidentally left in the program. If the "DOS =" statement in your CONFIG.SYS file did not mention loading DOS into a UMB with either a "DOS=HIGH,UMB" or "DOS=UMB" switch, then VSHIELD would not recognize that the Upper Memory Area was present and as a result would not load high into an Upper Memory Block.

Replacing your "DOS =" statement with "DOS=HIGH,UMB" will allow it to successfully load high.

This will be fixed in V108, which should be available within the next two weeks.

>I guess there is some incompatibility between the 2 programs.
>There's a lot of upper memory available and I have tried many
>different combinations using Vshield's options and still have the
>problem. Can any1 help me out on this one? Thanks!

Please feel free to contact me if you have any further problems.

Regards,

Aryeh Goretsky
Technical Support

PS: For those wondering, V107 was released on August 25 but was not placed on our Internet site because of a problem that VIRUSCAN had with scanning PKLITE compressed files. A new release, V108, is currently in beta-test which incorporates a fix for this problem.

--
- - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.
| Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA | USR HST Courier DS | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Tue, 07 Sep 93 13:42:44 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: TBAVU605.ZIP/TBAVX605.ZIP - TBAV anti-virus v6.05 (optimized/upgrade) (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:
TBAVU605.ZIP    Thunderbyte anti-virus pgm, upgrade 6.04->6.05
TBAVX605.ZIP    TBAV anti-virus - processor optimized versions

Replaces: tbavx604.zip tbavu602.zip

Greetings,

Piet de Bondt                   E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for the MSDOS Anti-virus software, ftp@ftp.twi.tudelft.nl

------------------------------

Date: Tue, 07 Sep 93 13:58:40 -0400
From: James Ford
Subject: New files on risc (PC)

The following files have been placed on risc.ua.edu (130.160.4.7) in the directory /pub/ibm-antivirus for anonymous FTP:

_filename_      _size_    _date_     _v1_   _v2_
TBAV605.ZIP     241,192   9-1-1993   2096   0313
TBAVU605.ZIP     85,094   9-1-1993   BDA2   1EB3
TBAVX605.ZIP     83,831   9-1-1993   D2A1   13AA

TBAV605 replaces TBAV604 (it is mainly a small upgrade with some fixes, and of course with updated virus signatures; see whatsnew.605). TBAVU605 contains only the files modified in this release. TBAVX605 replaces TBAVX604 (this only has processor optimized versions of the program for registered users).

------------------------------

Date: Wed, 08 Sep 93 15:54:31 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: DS II (PC)

Turns out that my lack of sleep and the last minute accommodation of real IBM-PC ATs (not XTs) with BIOS dated 01/04/84 caused a bug to creep into one of the rarely used peripheral files.
This is fixed in DS231b.ZIP just uploaded to URVAX.URICH.EDU.

Warmly,
Padgett

------------------------------

Date: Wed, 08 Sep 93 19:45:51 -0400
From: HAYES@urvax.urich.edu
Subject: DiskSecure II updated (yes) (PC)

Hi gang.

Just received from A. Padgett Peterson an update for his DiskSecure II. DS2BYP was not usable with an AT using DOS 3.31. Now this is corrected.

As usual:

----------
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]
FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.
----------

The file is, obviously, DS231B.ZIP.

Best,
Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes      HAYES @ URVAX (Vanilla BITNET)
University of Richmond    hayes@urvax.urich.edu (Bitnet or Internet)
Richmond, VA 23173

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 120]
******************************************
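
Added example (not part of the digest and not any poster's or vendor's code): the UNZIP->SCAN->ZIP step from the "virusses in .ARJ & .ZIP" post, using the readable string from the "Moose" post as the scan string. The sample files are constructed dummies, and the size limit, nesting limit and function names are assumptions of this sketch.

```python
import io
import zipfile

# Readable text that the "Moose" post in this digest reports inside infected
# files; used here only as a scan string (assumption: a plain byte match).
SIGNATURE = b"This, and much more, from the Moose crashing corp"
MAX_MEMBER_BYTES = 1 << 20   # assumed limit: inflate at most 1 MiB per member
MAX_DEPTH = 3                # assumed limit: deeper nested archives stay closed


def scan_bytes(data, signature=SIGNATURE):
    """Naive string scan: True if the signature occurs in the raw bytes."""
    return signature in data


def scan_archive(blob, signature=SIGNATURE, _path="", _depth=0):
    """Unpack a ZIP in memory and scan every member.

    Returns (hits, unscanned): member paths that match, and member paths that
    could not be inspected (encrypted, oversized, damaged, nested too deep).
    """
    hits, unscanned = [], []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = _path + info.filename
            if info.flag_bits & 0x1:              # bit 0 set: encrypted member
                unscanned.append(path)
                continue
            try:
                with zf.open(info) as fh:
                    # Bounded read: the size in the header is not trusted.
                    data = fh.read(MAX_MEMBER_BYTES + 1)
            except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
                unscanned.append(path)
                continue
            if len(data) > MAX_MEMBER_BYTES:
                unscanned.append(path)
                continue
            if scan_bytes(data, signature):
                hits.append(path)
            if zipfile.is_zipfile(io.BytesIO(data)):  # archive inside archive
                if _depth + 1 >= MAX_DEPTH:
                    unscanned.append(path)
                else:
                    h, u = scan_archive(data, signature, path + "!", _depth + 1)
                    hits += h
                    unscanned += u
    return hits, unscanned


def build_samples():
    """Constructed data: a dummy file with the string, zipped once and twice."""
    dummy = b"constructed filler, not a program\r\n" * 16 + SIGNATURE + b"\0" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UPLOAD/GAME.COM", dummy)
        zf.writestr("UPLOAD/README.TXT", b"nothing to see\r\n" * 8)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PACK1.ZIP", inner.getvalue())
    return dummy, inner.getvalue(), outer.getvalue()


if __name__ == "__main__":
    dummy, inner, outer = build_samples()
    print("raw file      :", scan_bytes(dummy))
    print("zip, as bytes :", scan_bytes(inner))
    print("zip, unpacked :", scan_archive(inner))
    print("zip in a zip  :", scan_archive(outer))
```

Members listed as unscanned are the ones an upload check should hold for manual review, since nothing was actually inspected in them.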