home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The 640 MEG Shareware Studio 2
/
The 640 Meg Shareware Studio CD-ROM Volume II (Data Express)(1993).ISO
/
info
/
vl5_190.zip
/
VL5-190.TXT
Wrap
Internet Message Format
|
1992-12-01
|
32KB
From lehigh.edu!virus-l Mon Nov 30 22:10:29 1992
Date: Mon, 30 Nov 1992 15:46:02 -0500
Message-Id: <9211301938.AA03847@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V5 #190
Status: R
VIRUS-L Digest Monday, 30 Nov 1992 Volume 5 : Issue 190
Today's Topics:
Re: MODE.COM vs. DAME virus (PC)
Re: HELP!! Ever hear of this virus before? (PC)
Stoned Virus Loss (PC)
Re: SCAN 95b doesn't find MtE in EXE files (PC)
Re: SCAN 95b doesn't find MtE in EXE files (PC)
Re: F-Prot Bug (?) fixed. Thanks! (PC)
Re: VSIGN - question. (PC)
Re: FDISK /MBR and FORM Virus (PC)
Re: Bug in F-Prot2.06a (PC)
Key press cleaner and recover (PC)
Re: FDISK /MBR and FORM Virus (PC)
Re: FDISK /MBR and FORM Virus (PC)
Re: Click, Click, Click when I typed help format (PC)
Re: Atari ST Viruses! & Questions on the "Batman" virus (Atari ST)
Re: Mr. Slade's listings
Evaluations of AV products (was: Mr. Slade's listings)
Re: What is this "AV BBS list" nonsense? (general)
Re: Mr. Slade's Listings
re: CHRISTMA Data (CVP)
Re: Mr. Slade's listings
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.
Ken van Wyk
----------------------------------------------------------------------
Date: 25 Nov 92 03:37:50 +0000
From: tck@bend.ucsd.edu (Kevin Marcus)
Subject: Re: MODE.COM vs. DAME virus (PC)
woody@knapper.cactus.org (Woody Baker) writes:
>We got a positive indication of the DAME virus on an old compaq dos disk.
>mode.com is the only file identified. It appears to have a length of aboutt
>4k or so. Dame was not found in memory, just on this disk. Dumping the
>file with psa Dump utility, shows a batch of strings at offset c60..
>"The compaq...version 3.1" etc. The file ends at offset 1050. This is
>from a copy. That is, I copied the mode.com off to dame.vir on the hard
>disk. The info I see on Dame indicates that it is a stealth virus, and
>adds about 3K to the file. It appends it's self to the end of the file.
>I have a hard time believeing that mode was less than 1K long, when offset
>c60 has an obvious string that belongs there. I presume that this is a
>false positive? Any comments?
DAME, as reported by scan, means, "Dark Avenger Mutation Engine."
This is a tool that is used in virus construction, rather than a virus
itself. Try using a different scanner.
------------------------------
Date: 25 Nov 92 03:42:21 +0000
From: tck@bend.ucsd.edu (Kevin Marcus)
Subject: Re: HELP!! Ever hear of this virus before? (PC)
The lock up is a bug in the demo. The authors knew it, and they put an
option in the command line to run it one demo at a time. I believe the
format would be "unreal p1" through "unreal p9". Try this.
>>I have the dos version of 'ls'. Whenever I run 'dir' on the system disk,
>everything appears normal. However when I run 'ls' on the system disk,
>two bizarre files show up at the end of the listing. They have the form
>like: chnsyz27asu (not exactly that) but no '.' and they change
>every time I do the 'ls'.
>
>Now what the $#!@& did I catch????????? Anybody ever run into this???
This sounds like it might be a bug in "ls", also. You might want to
run chkdsk and look for some funny allocation errors, and see if there
are soem hidden files that maybe your version of ls is picking up that
a regular "dir" command would not.
------------------------------
Date: Wed, 25 Nov 92 03:15:27 -0500
From: errol@edstar.gse.ucsb.edu (Errol Simpson)
Subject: Stoned Virus Loss (PC)
I have a 486 pc 33 mhz MSDOS 5.0 with a 212 meg IDE harddrive.
The "Your PC is now Stoned" message was followed by complete los of
the drive Not even the Western Digital low level format utility nor
Diskmanager, Fdisk, Spinrite2.20, or Speedstor will access the drive
although all correctly read the Bios specifications for drive type.
The drive is not recognised as being present or as being accessible or
as responding in any fashion.
I have tried to get fixmbr24.zip via anon ftp from
esel.cosy.sbg.ac.at where my archie server shows it to be available
but I get access denied to the antivirus directory after successful
ftp anon login.
I don't think the drive is recoverable but anyone with any
ideas please contact me at the edstar address below. I would like to
get fixmbr for future disasters. I have lost about 6 months research
work ( the tape backup fails to restore correctly) so any help would
be gratefully received.
*************************************************************
* ERROL SIMPSON *Phone *
* Research / Analysis *(805) 893 4700 / 4762 *
* Systemwide Education Abroad *Fax (805) 893 2583 *
* University of California *BITNET *
* Hollister Research Building *ea05mail@ucsbvm.bitnet *
* 6550 Hollister Avenue *INTERNET *
* Goleta CA 93117 *6500erro@ucsbuxa.ucsb.edu *
* USA *errol@edstar.gse.ucsb.edu *
*************************************************************
------------------------------
Date: 25 Nov 92 09:30:31 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC)
Stefano_Turci@f108.n391.z9.virnet.bad.se (Stefano Turci) writes:
>May be I didn't explain it well, I didn't compress it with LZEXE, I
>just took a COM file with a length of XXX bytes and converted it to a
>EXE file with a length of XXX+32 bytes, simply adding a 32 bytes long
>header.
OK - maybe I should not have said "A new level of encryption", but rather that
you just disguised the MtE. I am sorry, but as I said there is no reasonable
way to handle all possible ways to disguise or encrypt viruses. Even if a
program detects a virus normally, it is always possible to hide it somehow.
>The fact is that F-prot misses all the converted infected files if the
>length of the body is greater than 5120 bytes.
I'm not surprised. I had not even realized it detected any of the converted
files at all. F-PROT finds MtE-infected files. Period. That's all I
promise. I make no promises regarding virus droppers - they may or may not
be found - depending what method was used to create them.
However, one very strange thing....according to your information, my
scanner reports the files it finds to be infected with "MtE (?)", but not
"MtE" - now...this usually means that it finds a MtE signature string -
taken from the decrypted virus engine, instead of using an algorithmic
approach. That implies that the converted files contain a non-encrypted MtE
engine. This also explains why some programs find it - as they probably just
scanned either the entire file, or a buffer larger than I use.
If the files had been encrypted before they were modified, I am fairly sure
that at least some of the programs that found the MtE would have missed it.
However, my final comment remains that there is nothing particularly
remarkable about this, nor is there anything I intend to do. I don't intend
to chase all possible ways of writing virus droppers - I just intend to write
(one of) the best program to find and disinfect virus-infected files.
- -frisk
------------------------------
Date: 25 Nov 92 09:46:03 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC)
Stefano_Turci@f108.n391.z9.virnet.bad.se (Stefano Turci) writes:
>If a copy of the virus remains cause your a-v detector could't find it
>you'll probably be infected again.
>That's why I think a-v programs should be able to detect also these
>forms.
You are of course free to think so - but the fact remains that this is
impossible. An AV program might be able to find most virus droppers
most of the time, but it will not find all of them all of the time.
This is not simply because it is practically impossible - it is a
theoretical impossibility - the proof of that seems to be just a
simple variation of the proof of the unsolvability of the halting
problem.
>If you can't detect a copy of that virus, then it's possible to find
>files like those on the Bulletin Boards all around the world.
When such files appear and are found to be virus-infected, we can
easily add detection of each particular method of virus-dropper
generation method.
HOWEVER. AS I HAVE SAID BEFORE, AND WILL CONTINUE TO SAY - IT IS
SIMPLY NOT POSSIBLE TO WRITE A PROGRAM THAT WILL DETECT ALL VIRUS
DROPPERS - EVEN IF IT JUST DROPS KNOWN VIRUSES.
- -frisk
------------------------------
Date: 25 Nov 92 09:50:13 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: F-Prot Bug (?) fixed. Thanks! (PC)
VXC15931@VAX1.Mankato.MSUS.EDU writes:
>I think I've found the problem on the F-Prot 2.06a I have reported
>earlier. Frisk told me that it could be a memory problem. So it is.
Yes - I admit that 2.06a is a bit memory-intensive. I am working on a
permanent solution to the problem, but that will not be until version
2.07 (after Christmas, I guess). I will probably release version
2.05b in the meantime, where I have reduced the memory requirements
slightly. I have to make a few other changes/improvements first,
though.
- -frisk
------------------------------
Date: 25 Nov 92 09:52:50 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: VSIGN - question. (PC)
eres@trboun.bitnet (M.HAKKI ERES) writes:
>hi all.
>i've detected vsign virus with f-prot 2.05 in a 386 machine, but it
>can not disinfect it.
Disinfection of this virus was added in 2.06.
- -frisk
------------------------------
Date: 25 Nov 92 09:58:31 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: FDISK /MBR and FORM Virus (PC)
gscobie@castle.edinburgh.ac.uk (G J Scobie) writes:
>Hi there,
>Thanks for all the info regarding FDISK /MBR. However, I attempted to
>disinfect a PS/2 Model 55 with the FORM virus using a coldboot from my
>DOS 5.0 disk created for such a purpose, ran FDISK /MBR and then ran
>F-PROT 2.05 and it still reported FORM as being present in the boot
>sector.
Which is exactly what should be expected - as FDISK /MBR just restores
the MBR, which FORM does not infect at all. In fact F-PROT reported
the boot sector to be infected, not the MBR.
> Using SYS.COM, then running F-PROT again showed the disk to
>be clean.
SYS restores the DOS boot sector, where the virus resides. To get rid
of FORM, either use SYS (not FDISK) or use F-PROT 2.06. 2.05 could
remove it from diskettes, but would sometimes refuse to disinfect hard
disks - that was fixed in 2.06.
- -frisk
------------------------------
Date: 25 Nov 92 10:01:36 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Bug in F-Prot2.06a (PC)
voorhis@aecom.yu.edu (Adrienne Voorhis) writes:
> I have also found that F-Prot2.06a will conk out on me when I try
>to look at virus information. The circumstances are somewhat complex,
>so it's hardly a pure example, but other people seem to be having a
>problem recreating it, so here it is:
I have found and fixed the problem. It turned out to be a simple
memory allocation problem, which only appears if you look at multiple
virus descriptions.....sorry folks. Expect an updated version soon.
- -frisk
------------------------------
Date: 25 Nov 92 14:19:58 +0000
From: beshir@csd4.csd.uwm.edu (Abubaker Ali Ibrahim)
Subject: Key press cleaner and recover (PC)
Is there any virus clean, for the keypress and to recover
files(programs). any soluation please send e-mail
ibrhaim
beshir@csd4.csd.uwm.edu
------------------------------
Date: Wed, 25 Nov 92 10:26:56 -0500
From: "David M. Chess" <chess@watson.ibm.com>
Subject: Re: FDISK /MBR and FORM Virus (PC)
>From: G J Scobie <gscobie@castle.edinburgh.ac.uk>
>
>Hi there,
>
>Thanks for all the info regarding FDISK /MBR. However, I attempted to
>disinfect a PS/2 Model 55 with the FORM virus using a coldboot from my
>DOS 5.0 disk created for such a purpose, ran FDISK /MBR...
The FORM infects the operating system boot record, not the master boot
record. FDISK /MBR will be completely ineffective against the FORM.
If it's a DOS partition that's infected, the SYS command should
generally work, but there are lots of versions of SYS out there, and I
have heard (although I have not verified) that some of them will leave
the existing boot record alone if it "looks OK". Also, if you try to
SYS a hard disk after booting with one version of DOS, but the hard
disk previously had an earlier version of DOS on it, there may not be
room for the system files (it's always best to SYS with the same
version that was there before infection). Best is probably to use an
anti-virus program that knows how to specifically repair FORM-infected
partitions.
(NOTE: if an OS/2 machine with BootManager installed is booted from a
FORM-infected diskette, the virus will infect the Boot Manager
partition. The next time you use Boot Manager, it will overlay part
of the virus, and the next time you try to boot from the hard disk,
the system will probably hang. I don't know how good DOS anti-virus
programs are at detecting and repairing Boot Manager partitions in
these cases; IBM AntiVirus can do it.)
- - -- -
David M. Chess \
High Integrity Computing Lab \ The devil finds work for idle MIPS.
IBM Watson Research \
------------------------------
Date: Wed, 25 Nov 92 09:15:26 -0700
From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: FDISK /MBR and FORM Virus (PC)
gscobie@castle.edinburgh.ac.uk (G J Scobie) writes:
>Thanks for all the info regarding FDISK /MBR. However, I attempted to
>disinfect a PS/2 Model 55 with the FORM virus using a coldboot from my
>DOS 5.0 disk created for such a purpose, ran FDISK /MBR and then ran
>F-PROT 2.05 and it still reported FORM as being present in the boot
>sector. Using SYS.COM, then running F-PROT again showed the disk to
>be clean. Unfortunately I don't have the kit - or indeed the time -
>to sit down and experiment as the machine had to be cleaned up as
>quickly as possible. Is this a case of 'ghosting' with a scan string
>still left on the disk though the virus is inactive?
The FORM virus is not like stoned and Michelangelo and the others,
in that it does not infect the main boot record, where the partition
table is. It infects the DOS boot sector; the boot sector of the
DOS partition. So FDISK /MBR, which rebuilds your main boot record,
doesn't touch the FORM virus. SYS.COM, though, rewrites the DOS
boot sector, as I recall, so it would probably remove the FORM virus,
but would not clean viruses like stoned and Michelangelo from a
hard disk.
It isn't a case of ghosting, no.
Sorry, I can't really help on the other questions you had.
Tim.
-------------------------------------------------------------
Tim Martin *
Spatial Information Systems * These opinions are my own:
University of Alberta * My employer has none!
martin@cs.ualberta.ca *
-------------------------------------------------------------
------------------------------
Date: Wed, 25 Nov 92 18:52:52 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: Re: Click, Click, Click when I typed help format (PC)
danielh@hadar.fai.com (Danial Ho) writes:
>I experienced some weird behavior on my PC. When I typed "help
>format" or "format /?" on DOS 5.0, the screen will display
>
>CLICK:
Question: do you have a Dexxa mouse?
The Dexxa (and, I presume, other similar models) ships with a program
called "CLICK.EXE" which is a part of the software used to enable
mouse activity with programs that are not "rodent aware". The CLICK
program usually searches for a corresponding "menu" each time a
program starts up. The fact that it runs three times would seem to
indicate that three programs are being invoked by your command.
=============
Vancouver ROBERTS@decus.ca | Life is
Institute for Robert_Slade@sfu.ca | unpredictable:
Research into rslade@cue.bc.ca | eat dessert
User p1@CyberStore.ca | first.
Security Canada V7K 2G6 |
------------------------------
Date: Wed, 25 Nov 92 13:55:54 +0100
From: Lars J|dal <protonen@daimi.aau.dk>
Subject: Re: Atari ST Viruses! & Questions on the "Batman" virus (Atari ST)
AMN@vms.brighton.ac.uk (Anthony Naggs) writes:
>Trantor The Last Stormtrooper, <S12609@prime-a.plymouth.ac.uk> asks:
[...]
>> There is a virus on the ST called the "Batman" virus which according
>> to ST Format (UK computer mag) does not have an executable bootsector
>> yet the virus still manages to enter the system at boot up!
>>
>> How does the "Batman" virus boot without an executable bootsector?
>Perhaps it loads as an accessory, by modifying the start up script (sorry,
>I can't remember what it is called - equivalent to AUTOEXEC.BAT for MS-DOS).
I don't think this is the case. According to the documentation in the
German anti-virus program Virendetektor (which can be ftp'ed from
atari.archive.umich.edu) this virus uses an undocumented feature of
TOS to run. Don't ask me for details - I know nothing of this myself,
I'm just trying to give some useful information. And even if you could
find somebody who knows how it works (like an anti-virus researcher) I
guess that person would not like to tell anybody how.
>Hope you like this demonstration of my ignorance,
>Anthony Naggs
>Software/Electronics Engineer P O Box 1080, Peacehaven
>(and virus researcher) East Sussex BN10 8PZ
>Phone: +44 273 589701 Great Britain
>Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk
And now I have added a demonstration of mine.
+--------------------------------------------------------------------------+
| Lars J|dal | Q: What's the difference between a quantum |
| email: protonen@daimi.aau.dk| mechanic and an auto mechanic? |
| | A: A quantum mechanic can get his car into |
| University of Aarhus | the garage without opening the door. |
| Denmark | -- David Kra |
+--------------------------------------------------------------------------+
------------------------------
Date: Tue, 24 Nov 92 19:24:01 -0500
From: mechalas@mentor.cc.purdue.edu (John Mechalas)
Subject: Re: Mr. Slade's listings
fc@turing.duq.edu (Fred Cohen) writes:
>I am constantly amazed that ASP has not yet made Mr. Slade's lists.
>We have been in the antivirus business since 1986, and yet the list
>has hundreds of products/services/research groups/BBSs/etc. that have
>been in existence for far less time, and with a very broad range of
>different expertise. I simply cannot believe that Mr. Slade is not
>aware of the existence of ASP.
>
> And then we have the hundreds of bug reports and fixes posted
>about various products on Virus-L. Why is this? Don't these companies
>deal with their customers over the phone? Or is it just PR to keep
>their names in front of the Virus-L public all the time?
>
> I wish Virus-L's moderator would make a defined policy about
>what goes on V-L and stick to it. I could use the daily plug for my
>products and services too, and yet we don't see all that much PR from
>many of the companies that have products, only a small number that seem
>to be in the Virus-L elite.
Those products also happen to be the most popular and most
widely-used. I think infomration about SCAN, FPROT, CPAV, Nortan AV,
Solomon, and so forth is extremely important when they seem to make up
the vast majority of anti-virus products installed on home and
business PC's.
> By the way, Today, ASP created over 1500 new viruses (using our
>automated program evolution system), and NONE of the scanners listed as
>the best around detected ANY OF THEM! That means that the current
>detection rate of the best scanners in the world is only 50\%, and in
>another few days, we could knock their detection rates down to under 10\%
>without much effort! When will we start to see analysis based on the
>likelihood of getting a virus not detected by a particular scanner?
New viruses? Meaning brand-new viruses? What does this prove? We
already know that a scanner is no good at detecting a virus if it
doesn't have a signature for it. And hueristics is still
experimental. A couple of the hueristical scanning platforms even
flat-out tell you that they are expeimental and shouldn't be relied
upon as a sole means of defense.
> Example: (taken from Jon David's original example several years
>ago - with modifications)
>
> Virus 123 represents 0.12\% of reported incidents
> Product X detects Virus 123
> => Product X gets 0.12\%age point toward a 100\% rating
> of REAL WORLD EFFICACY!
>
> If you want a second (and far less important) rating scale, you
>might include a rating of detection against the CARO list (or some such
>other thing) with weightings associated with the age of a virus in the
>CARO list. Hence you get worse ratings for not detecting older viruses
>which are more likely to have spread further.
>
> And then we have the problem of fair evaluations. I don't see
>how it is unfair to report any evaluation as long as you provide the
>details about the testing methods used to determine the results and let
>others respond to them. Perhaps V-L should ONLY publish ratings under
>the proviso that the details of the tests are provided with them!
I agree...though so far I haven't seen anyone post test results
without also posting the test details as well. One good example would
be the recent MtE tests.
> Well, that's my view of it all. I figure I'll get plenty of
>grief for having posted it (if it indeed gets posted), so don't bother to
>complain directly to me - this is the sort of discussion we should have
>on Virus-L in front of the whole world.
I'd say you'd get more grief for your tone, rather than your content.
- --
John Mechalas | If you think my opinions are Purdue's, then
mechalas@mentor.cc.purdue.edu | you vastly overestimate my importance.
Purdue University Computing Center | Help put a ban on censorship :)
General Consulting | #include disclaimer.h
------------------------------
Date: Tue, 24 Nov 92 20:03:19 -0500
From: tyetiser@umbc5.umbc.edu (Mr. Tarkan Yetiser)
Subject: Evaluations of AV products (was: Mr. Slade's listings)
Hello everyone,
fc@turing.duq.edu (Fred Cohen) writes:
> And then we have the hundreds of bug reports and fixes posted
>about various products on Virus-L. Why is this? Don't these companies
>deal with their customers over the phone? Or is it just PR to keep
>their names in front of the Virus-L public all the time?
I second that. Virus-L is turning into nothing more than a support
BBS for a few products. It is sad.
> I wish Virus-L's moderator would make a defined policy about
>what goes on V-L and stick to it. I could use the daily plug for my
Maybe Santa will grant your wish this season :-) I doubt Ken will
:-))
> By the way, Today, ASP created over 1500 new viruses (using our
>automated program evolution system), and NONE of the scanners listed as
>the best around detected ANY OF THEM! That means that the current
Tell us more about this "evolution system". Do these cretures have the
capability to spread? They must, otherwise they would not be viruses...
>without much effort! When will we start to see analysis based on the
>likelihood of getting a virus not detected by a particular scanner?
I don't see much use for this analysis yet. The likelihood of average
user getting a virus is increasing; however, I would wager that the virus
that he might get is probably one of the common ones. And the popular
scanners pick them off easily.
> If you want a second (and far less important) rating scale, you
>might include a rating of detection against the CARO list (or some such
>other thing) with weightings associated with the age of a virus in the
>CARO list. Hence you get worse ratings for not detecting older viruses
>which are more likely to have spread further.
I don't agree that you can simply associate a weight based on the age of
a particular virus. Your assumption about a virus being able to spread far
since it is old is too strong. I think statistics based on actual infection
reports should serve as a basis for assigning weightings of this sort.
> And then we have the problem of fair evaluations. I don't see
>how it is unfair to report any evaluation as long as you provide the
>details about the testing methods used to determine the results and let
>others respond to them. Perhaps V-L should ONLY publish ratings under
>the proviso that the details of the tests are provided with them!
Amen, brother! Posting so-called "reviews" without presenting any
appropriate criteria is useless. The comments simply have no context
in such reviews. They usually end up being a user-interface
evaluation. What a joke! Some of the "reviewers" do not even conduct
"live" tests. They are doing zoo testing even when evaluating
integrity-based products. I think this is only an indication of the
lack of understanding or technical ignorance on the reviewer's part.
No wonder McAfee pays for some reviews. :-)
Padgett has been crying out loud for an independent testing
facility for a long time. Maybe he has been right all along; we do
need such a service to conduct proper evaluations and tell the whole
story.
Regards,
Tarkan Yetiser
VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228, U.S.A.
tyetiser@umbc5.umbc.edu
------------------------------
Date: 25 Nov 92 03:27:46 +0000
From: tck@bend.ucsd.edu (Kevin Marcus)
Subject: Re: What is this "AV BBS list" nonsense? (general)
Well, you can remove my BBS from the list; "The Programmer's
Paradise", which was in 619 - I took it down when I went to school.
You can replace it with "The Raging Main", at 619-281-0855. (v.32bis)
------------------------------
Date: Wed, 25 Nov 92 15:14:50 +0700
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Mr. Slade's Listings
fc@turing.duq.edu (Fred Cohen) writes:
> By the way, Today, ASP created over 1500 new viruses (using our
>automated program evolution system), and NONE of the scanners listed as
>the best around detected ANY OF THEM!
So what ? Scanners (by definition) are not guaranteed to detect totally new
viruses. Even a producer of scanners such as myself admits that. Detection
of totally new viruses is a job for other types of programs - such as your
own integrity software.
I know you realize that the different types of anti-virus software all have
their uses - after all, you asked me once about bundling F-PROT with your
package. However, as I I do not wish to be associated with a virus writing
company, I am not interested in such a deal.
I don't approve of virus writing, virus writing competitions or anything which
indicates that there is a positive side to computer viruses, and my personal
opinion is that you might just have managed to kill your chances of being
accepted as a CARO member.
- -frisk
------------------------------
Date: Wed, 25 Nov 92 13:03:02 -0500
From: "David M. Chess" <chess@watson.ibm.com>
Subject: re: CHRISTMA Data (CVP)
I don't think your credibility is in shreds at all, Robert. What a
modest feller! *8) I just noted one small thing that I thought might
not be right. The fact that VNET wasn't shut down is just a minor
error in your excellant series; don't lose any sleep over it!
> Bridget, for example, states that CHRISTMA did not clean itself up.
> She must know, since she had to clean up the remaining files.
Hm, interesting. I just dug out my (carefully controlled) sample of
CHRISTMA. The last line is "ERASE CHRISTMAS EXEC". So if run from
the A disk, in an environment that doesn't mind extra letters in
filenames, it will erase itself when it's done, I think. It's
possible that Bridget was dealing with a different version of the
program? Or that her users were interrupting it before it had a
chance to finish (relatively easy to do in CMS). But I think you're
basically right on that one...
- - -- -
David M. Chess 50,000 lemmings
High Integrity Computing Lab can't be wrong!
IBM Watson Research
------------------------------
Date: Wed, 25 Nov 92 18:09:00 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: Re: Mr. Slade's listings
fc@turing.duq.edu (Fred Cohen) writes:
>I am constantly amazed that ASP has not yet made Mr. Slade's lists.
>We have been in the antivirus business since 1986, and yet the list
>has hundreds of products/services/research groups/BBSs/etc. that have
>been in existence for far less time, and with a very broad range of
>different expertise. I simply cannot believe that Mr. Slade is not
>aware of the existence of ASP.
Ah, but Mr. Slade *is* aware of ASP! If you will check the
CONTACTS.LST file, you will see it listed at PO Box 81720, Pittsburgh,
which address was obtained from Dr. Fred Cohen.
The reason that the antiviral produced by ASP has never been reviewed,
is simply that, even after email to Dr. Fred Cohen, and letters to ASP
at that address, nothing has been received (other than the above
address). This makes evaluation a tad difficult. :-)
However, rest assured that, should it arrive, it would be given
priority treatment.
==============
Vancouver ROBERTS@decus.ca | "Don't buy a
Institute for Robert_Slade@sfu.ca | computer."
Research into rslade@cue.bc.ca | Jeff Richards'
User p1@CyberStore.ca | First Law of
Security Canada V7K 2G6 | Data Security
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 190]
******************************************