home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The World of Computer Software
/
World_Of_Computer_Software-02-385-Vol-1of3.iso
/
v
/
vl6-8.zip
/
VL6-8.TXT
< prev
Wrap
Internet Message Format
|
1993-01-14
|
34KB
From lehigh.edu!virus-l Thu Jan 14 10:45:31 1993 remote from uunet.ca
Received: from Fidoii.CC.Lehigh.EDU ([128.180.2.4]) by mail.uunet.ca with SMTP id <10456>; Thu, 14 Jan 1993 10:45:21 -0500
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA12145
(5.67a/IDA-1.5 for <hombas!rudy.hehn%hombas@mail.uunet.ca>); Thu, 14 Jan 1993 10:18:03 -0500
Date: Thu, 14 Jan 1993 10:18:03 -0500
Message-Id: <9301141447.AA26749@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #8
VIRUS-L Digest Thursday, 14 Jan 1993 Volume 6 : Issue 8
Today's Topics:
Heuristic Scanners
Benign "viruses" (addendum)
Re: On the definition of viruses
Re: A-V virus
Re: Integrity Management
Sale of Viri
Re: On the definition of viruses
Re: os2-stuff (OS/2)
DOS Viruses under HPFS (OS/2)
Re: Untouchable (PC)
Wanted: info about Dos 5.0 virus (1578?) (PC)
re: Joshi Question (PC)
Re: PKZIP V2.04C (PC)
Re: Vshield vs Virstop (PC)
Brunswick Virus (PC)
how to get rid of the Naughty Hacker-1? (PC)
Problems with PCs (PC)
Re: Clash between FDISK/MBR and scanners (PC)
Re: Joshi Question (PC)
New way of opeing files??? (PC)
January LAT
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.
Ken van Wyk
----------------------------------------------------------------------
Date: Mon, 11 Jan 93 16:18:49 +0000
From: antkow@sis.uucp (Chris Antkow)
Subject: Heuristic Scanners
Would someone please post information on heuristic scanning theories.
I'm looking to develop my own scanner and as such want to develop some
software that attempts to thwart these scanners.
I'm new to this, so any help would be greatly appreciated.
Also, does any know if Mark Washburn has a mailing address?
Thanx
------------------------------
Date: Tue, 12 Jan 93 07:34:46 -0500
From: "Tim Hare" <SS942TH@dot1.mail.ufl.edu>
Subject: Benign "viruses" (addendum)
As an addition to my earlier post about a protocol for adding benign
virus or wormlike programs to a system: the protocol could (probably
should) be modified to require transmittal of the program in source
form only - that way the target system would always have to compile
the program to install it, and a copy could be made of the source
before compilation so that if something did go awry, the source would
be there to examine. I mention making a copy because it would be
possible for the program, if malicious, to modify the copy that was
sent, but if sufficient care were taken, an automated process could
make a copy that would not be able to be found by the program once
compiled and running.
Tim
------------------------------
Date: Tue, 12 Jan 93 13:51:56 +0000
From: Albert-Lunde@nwu.edu (Albert Lunde)
Subject: Re: On the definition of viruses
fc@turing.duq.edu (Fred Cohen) writes:
>
> Computer viruses do not have to be malicious, they do not have
>to be Trojan horses, and they do not have to enter without the
>knowledge or consent of the user. Any definition that depends on
>these properties depends on peoples' opinions, skills, and knowledge,
>and are thus not "testable" in the scientific sense of the word. (See
>Popper and others for more details). [...]
Fred Cohen can point with justified pride to the mathematical theory
of viruses. At the same time, I think it is perfectly understandable
that people will use more relative, subjective critera based on a
perception of risk and intention. This is especially the case since
one of the consequences of the mathematical theory is a proof that a
general "unknown virus" detector is impossible!
Looking at Mac viruses (with which I am more familiar), the majority
do not appear to have been written to do deliberate harm. However,
they all also contain bugs and undesirable side-effects which cause
them to be harmful. It is the pragmatic difficulties of writing
self-replicating code which remains both functional and controlled in
unknown environments that makes me (and others) skeptical of the
usefulness of "benevolent" viruses. (And I am *not* speaking of backup
programs.)
The information necessary to write a virus is available to any
compentent programmer -- it does not take a genius. At the same time
most anti-virus workers are concerned with broadcasting the details of
viruses. I would not attribute this to a desire for censorship but to
the pragmatic observation that "copy-cat" viruses are a serious
problem and that it may be a good idea not to lower the threshold of
effort needed to create a virus.
Until mathematical theory provides a means for apprehending the
writers of viruses, some folk will have to get their hands dirty...
;) ;)
- --
Albert Lunde Albert-Lunde@nwu.edu
------------------------------
Date: Tue, 12 Jan 93 11:49:29 -0500
From: fc@turing.duq.edu (Fred Cohen)
Subject: Re: A-V virus
Ron Whittle writes:
>On Tue, 22 Dec 92, Suzana wrote:
>
>S> Suppose that we have an A-V product which in regular intervals or
>S> randomly send a virus in system. Virus (fast infector) infects only
>S> programs which checksum doesn't correspond to previously calculated
>S> values. ...
>
>This looks interesting, but you might run into performance problems
>as the 'good virus' looks for non-infected programs. Also, if you
>had a stealth virus that was already active in memory, when your
>virus infects a file, it might overwrite part of the program code (or
>the stealth virus, depending on infection method), causing you to
>lose the program.
>
>Wouldn't this program be easier as a TSR? That way it wouldn't have
>to infect the files, and only needs to check programs that you
>actually execute.
Interesting question - which is more efficient? This is exactly the
reason we should prefer viruses in some applications and not in others.
By bringing up this issue, are you implying that if viruses do it better
we should use them?
>
>S> There is slight similarity in this
>S> idea with reaction of human immunity system. Anyone has ethical
>S> problem with her/his own immunity system ?
>
>Actually, yes. Since my immunity system makes periodic attempts to
>kill me, in the name of protecting me, I do have a problem with it.
>You see, I am one of those unfortunate people who are allergic to
>bees. Each time I am stung, my immune system makes a faster and
>harsher response, and one day this will kill me if I do not get
>medical help. Is it possible that the A-V virus might (accidentally)
>act in the same way?
That's right - any time we design an automated system, there are risks
that the automation may do something undesired. This is true of all
automation - viral or otherwise - so it's not a valid reason for ruling
out viruses as a useful technology. Rather, we must consider the risks
against the gains on a case by case basis.
How should we react to your allergy? Should we remove your
immune system because it can kill you? That's the position you take if
you say we should not have a viral immune system if it has the potential
of killing the host. Should we kill all bees to protect you? This would
kill certain flowers, which in turn could impact other elements of the
environment, and eventually, it might kill everyone! Should we allow you
to die some day to protect the rest of the world's population? Or
perhaps - we should do research to figure out how to make your immune
system better! That's what the people who advocate viral immune systems
in computers propose - and frankly, it sounds better to me than a lot of
(but not all) the alternatives I can think of for virus defense.
Y. Radai and V Bontichev discuss keys and checksums:
I think that an alternative to off-line checksums is access
control. This has worked in IT for several years, and defeats all of the
other attacks against the crypto-checksum I am aware of. Obviously, we
can bypass the access controls in a normal DOS environment, but that
doesn't invalidate the concept.
Tim Hare writes:
>Perhaps I am a bit naive, not being a virus researcher, but could the
>problems related to benign virus-like (i.e. self-replicating) programs
>be solved by implementing a protocol to control the installation of
>self replicating programs?
Yes - Tim - this works quite well. A similar system has been operating
effectively for several years without a problem. Perhaps you are a
better virus researcher than many of the others we hear from - you aren't
as context bound.
Arthur L. Rubin writes about my definition of viruses:
>Actually, that definition isn't useful. If the "environment" includes
>a user typing "copy", then any file is a virus.
I disagree strongly. You are right that under my definition, if
the environment is such that all programs are always copied, then all
sequences of symbols are viruses. I published this result in 1985 in
some detail, and showed a Turing machine example where all sequences are
viruses. You are not right that just because one user copies one
program one time, it makes the copied program a virus. The reason is
that the copied program won't necessarily copy itself when you run the
copy. That is the reason we have the `ad infinitum' at the end of the
linguistic version of the definition. To qualify as a virus, given a
proper environment, the program must ALWAYS reproduce.
This brings up the issue of `partial viruses' which only
replicate under particular conditions. In brief, the conditions may be
considered part of the environment, and thus in certain environments,
the program is a virus, and in others it is not. But this is not
unusual at all, since all sequences are viruses in some environments,
and no sequence is a virus in some environments. A virus under DOS is
not necessarily a virus under Unix, and a virus that requires a Windows
environment isn't a virus in systems that don't include the Windows
environment. That's why we need different virus scanners for Unix than
for DOS. It is also one reason that general purpose virus detection is
undecidable: we have to consider a potentially infinite number of
different languages that can interpret information, not just the binary
form used by the hardware.
A side effect of the definition is that in order to discuss
viruses, we also must discuss environments. For example, the
Christma.Exec virus spread largely because of a corporate culture where
people send their friends fancy Christmas cards via computer mail. If
it weren't for the culture, the program might not have replicated. The
same is true of the Internet virus. The environment that allowed this
virus to spread included a debugging option that allowed unlimited
privileges without any authentication. If the environment did not
include that circumstance, the Internet virus would not have replicated,
and it would therefore not have been a virus. That's why we talk about
DOS viruses as opposed to MAC viruses, Windows viruses, etc.
__________________________________________________________________________
Protection Experts - Your Experts in Information Protection
8:30AM-2PM Eastern 2PM-7:30PM Eastern
412-422-4134 907-344-5164
24 Hour FAX Service 412-422-4135 OR 907-344-3069
__________________________________________________________________________
------------------------------
Date: 12 Jan 93 18:23:36 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Integrity Management
RADAI@vms.huji.ac.il (Y. Radai) writes:
> Well, I think that comes from using a particular (table-driven) *im-
> plementation* of CRC, and is not an essential feature of CRC as it
> is defined.
Yes, but you can define some kind of initial value for any
implementation of the algorithm... For instance, you could prepend
N-bit key to the file before computing CRC-N. Not secure, I know. See
below.
> Also, while I agree that in this implementation
> INITIAL_VALUE could be considered as a seed, I doubt that varying this
> value adds any security, since CRC can be made key-dependent in a
> very natural way (by varying the generator) and since, in a certain
> sense, it is then provably secure (subject to certain reasonable
> assumptions).
It doesn't add any security - this is BTW exactly what I stated in my
initial message - that for CRC-type algorithms it is not enough to use
a different seed - you need to change the generator each time.
BTW, it would be interesting to see an analysis of the table-driven
checksum algorithm presented by Padgett Peterson and Ross Greenberg...
> But why is it necessary to do something with keyless algorithms at
> all? There is an alternative to varying a seed (or artificially
> introducing a key) in a keyless algorithm, and that is to use an
> algorithm which is key-dependent by its very design (such as the MAA
> of ISO 8731-2 or ANSI X9.9, if one wants a cryptographic algorithm).
Yes, of course, I agree that one way to fix the keyless algorithms is
to use key-dependent algoritms... :-) I was just talking about what to
do, if you want to use a keyless algorithm... ANSI X9.9 is derived
from DES, right? I just thought that MD4 is fater than DES and still
cryptographically strong, so one could use it, if s/he wants to use a
cryptographically strong algorithm at all...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 13 Jan 93 07:52:48 +0000
From: alby@access.digex.com (Albatross)
Subject: Sale of Viri
Is there any law in the USA the prohibits the Sale of Virus
software to the Public? Or any type of distrubution of such software
with the sole intent to create business revenew?
------------------------------
Date: 13 Jan 93 10:53:23 +0000
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: On the definition of viruses
Fred Cohen spake:
>> The mathematical definition first published in 1985 is
>>testable, and appears to properly differentiate viruses from
>>non-viruses. Perhaps someone else wishes to do a better job, but
>>let's not make definitions that are senseless.
Now, now. There are many examples of definitions that would be
"senseless" to Fred Cohen, but probably work really well for most of
the rest of the world. In South Africa, for instance, there exists a
fundamental road law which may be paraphrased as "Drive on the left".
Er, although this depends on which window of the car you look out of
[and the law does *not* specify], it's very much a sensible, working
definition of how to orient your car when driving. OK, the definition
would be unviable in the USA, but you can't have everything...
>> So what is a computer virus? In simple terms, it is a sequence
>>of instructions that, when interpreted in an appropriate environment,
>>"replicates" in that at least one relica also "replicates", etc., ad
>>infinitum.
Arthur Rubin replied:
>Actually, that definition isn't useful. If the "environment" includes
>a user typing "copy", then any file is a virus. (Word Perfect, on the
>other hand, qualifies as a Trojan Horse under almost any definitions,
>because it busily modifies files without being asked. MOST of those
>files are in the WP directory, but....)
..and hit the nail on the head. See Alan Solomon's article in a
recent Computers and Security in which he "overloads" Fred Cohen's
definition by defining a Real Virus [usefully], and then by specifying
that the word "virus" will be used to denote "Real Virus". All is
*not* lost.
Paul Ducklin
- --
- --..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--
Paul Ducklin duck@nuustak.csir.co.za
CSIR Computer Virus Research Lab * Box 395 * Pretoria * 0001 S Africa
------------------------------
Date: Mon, 11 Jan 93 15:57:59 -0500
From: "David M. Chess" <chess@watson.ibm.com>
Subject: Re: os2-stuff (OS/2)
>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>could infect them by mistake. How are the DLL and DRV files loaded in
>OS/2? If they are not loaded using any INT 21h/AX=4Bxxh function, then
>it is rather unlikely that any of the currently known viruses will
>infect them...
No, no OS/2 call does an INT 21 at all; that's one of the main
reasons that no DOS virus runs in native OS/2. Operating system
calls in OS/2 are done using Protect Mode constructs like call
gates (I forget the details again!), not using INTs. DC
------------------------------
Date: Wed, 13 Jan 93 15:18:04 +0000
From: antkow@sis.uucp (Chris Antkow)
Subject: DOS Viruses under HPFS (OS/2)
Being a virus researcher myself, I find it sometimes suicidal to test
out and disassemble new stealth and polymorphic class viruses on my
DOS based PC. I'm deathly paranoid that it's going to escape on one of
my floppies and infect the rest of my house... Even though I know my
ASM a bit better than the average Joe, who knows what might happen.
As a result, I'm looking to find an environment suitable for testing
viruses. I was considering OS/2, however I do have one question.
If you are testing a virus in a DOS window and it "goes off" so to
speak (If it has a destructive nature...), will it trash the entire
system, or just mess up the DOS window (Theory states that it should
only mess up the DOS window... But can someone vouch for this?)
I've been using Flushot + to "monitor" the progress of viruses under
testing, however, I'm finding alot more viruses now that are hostile
to AV programs.
Any input would be greatly appreciated...
Chris
antkow@eclipse.sheridanc.on.ca
------------------------------
Date: Mon, 11 Jan 93 09:00:54 -0500
From: Y. Radai <RADAI@vms.huji.ac.il>
Subject: Re: Untouchable (PC)
Bill Lambdin writes:
> YR> UTSCAN has the ability to examine archives and compressed executa-
> YR> bles (recursively), includes one of the better MtE detectors ...
>
> Untouchable does well at scanning archives, abd files compressed with
> PKlite, LZEXE, Diet, and maybe others.
>
> However; I performed some tests with PKlite 1.15 recently. McAfee's Scan
> was able to detect the virus inside the file compressed with PKlite 1.15.
> Untouchable wasn't able to scan inside the file.
This was due to a bug in UTScan. I'm told it will be fixed in Version
27.
> YR> I was referring to Ver. 26 of UTScan.
>
> I am using version 25.10 of UTScan.
> When was 26 released?
UTScan (like the rest of the Untouchable package) is, as you probably
know, developed in Israel. Israeli subscribers automatically get
updates at the beginning of each even-numbered month, so we have had
Ver. 26 for over a month now. I have no idea when updates reach the
U.S. market, but I presume there's a delay of a week or more.
Btw, starting from Ver. 27 (or maybe 28), the version number will no
longer reflect the date of the scan patterns. This will be reflected
in updates to a file called VIR-INFO (which replaces the file BRM.VRB)
[hope I got that right].
Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
------------------------------
Date: 11 Jan 93 20:44:05 +0000
From: lvandyke@balboa.eng.uci.edu (Lee Van Dyke)
Subject: Wanted: info about Dos 5.0 virus (1578?) (PC)
I have just been informed of a virus in command.com (47,845 4-9-91) of
Dos 5.0. Can anyone give me info on this?
Lee
- --
Lee Van Dyke
lvandyke@balboa.eng.uci.edu,
UUCP: infotec!Infotec.COM!lee@sunkist.West.Sun.COM
------------------------------
Date: Mon, 11 Jan 93 16:22:02 -0500
From: "David M. Chess" <chess@watson.ibm.com>
Subject: re: Joshi Question (PC)
>From: rind@enterprise.bih (David Rind)
>Does Joshi trap attempts at warm reboots?
Yep! When it sees a three-key reboot, it attempts to simulate a
reboot, while remaining in memory. The simulation isn't always
sucsessful, and this is therefore yet another way that the Joshi can
cause systems to behave differently/badly.
- - -- -
David M. Chess / Invest for the Nanotech Era:
High Integrity Computing Lab / Buy Atoms!
IBM Watson Research
------------------------------
Date: Tue, 12 Jan 93 00:15:20 +0000
From: btf57346@uxa.cso.uiuc.edu (Byron "Bohr" Faber)
Subject: Re: PKZIP V2.04C (PC)
pd@nwavbbs.demon.co.uk (Peter Duffield) writes:
>I picked the following post up in comp.archives.msdos.announce and thought
>it may be of interest to this group...
>- --------------------------------- cut here -----------------------------
>From: PKWare.Inc@mixcom.mixcom.com (PKWare.Inc)
>Subject: PKZIP 2.04c RELEASED (NO VIRUS)
>Reply-To: PKWare.Inc@mixcom.com
>Date: Thu, 7 Jan 1993 09:38:18 GMT
> PKZIP 2.04c is now released and on the PKWARE BBS (414-354-8670)
> Some reports have come in the certain version of Norton Anti-Virus
> are reporting PKZIP 2.04 to have the Maltese Amoeba virus.
> THESE REPORTS ARE FALSE! If the version of Norton is upgraded to
> a newer version the false reports cease.
> The correct files size,date and time should be:
> PKZ204C.EXE 188818 12-28-92 2:04
> SIZE DATE TIME
> If you have any further questions, please feel free to contact
> me here at pkware.inc@mixcom.com
> Mark Gresbach
> PKWARE, Inc.
>- --
>PKWARE.Inc@mixcom.com Voice (414)354-8699 Authors of PKZIP, PKLITE
>9025 N. Deerwood Dr. BBS (414)354-8670 PKZFIND, PKZOOM, and the
>Brown Deer, WI 53223 USA FAX (414)354-8559 Data Compression Library
Just a note: With all the talk going around that pkzip204c is NOT
infected with a virus, I'm not suprised somebody has really infected a
copy and uped it.
You might be able to fool a few to many people. I think that the "anti-
virus" community should be carefull of what they are telling people.
Byron
- --
Please Note: Some Quantum Physics Theories Suggest that When the Reader
Is Not Directly Observing This Message, It May Cease to Exist
or Will Exist Only in a Vague and Undetermined State.
Internet: btf57346@uxa.cso.uiuc.edu & btf57346@sumter.cso.uiuc.edu
------------------------------
Date: Tue, 12 Jan 93 11:08:17 -0600
From: ST29701@vm.cc.latech.edu
Subject: Re: Vshield vs Virstop (PC)
VSHIELD with the /CF option to check for a file validation information
will not catch a file infecting virus like INTRUDER (very generic)
untill after it has infected. I would have hoped it could chatch it
while the infection was trying to occure.
------------------------------
Date: Tue, 12 Jan 93 16:06:51 +0000
From: Dirk.Dussart@cs.kuleuven.ac.be (Dirk Dussart)
Subject: Brunswick Virus (PC)
Hi Netlanders,
I'm posting this for a friend of mine of hasn't got net access. My
friend is let's say a regular user and has recently found a virus on
his hard disk of his IBMPC. With the use of a virus-detector he found
out that it was the BRUNSWICK VIRUS. Does anybody know about a good
viruskiller which can deal with this virus ?
Dirk Dussart.
Newyear's wish: A "computer" virusfree net !!!!
Why do viruses exist anyway ? Can't we computer users
or programmers stop anoying eachother
with those stupid virus programs.
------------------------------
Date: Tue, 12 Jan 93 16:32:48 -0500
From: cournoye@ere.umontreal.ca (Cournoyer Louis-Georges)
Subject: how to get rid of the Naughty Hacker-1? (PC)
Norton anti-virus as reported the presence in my computer's memory of
the virus Naughty Hacker-1. The Nav program says to boot with a disk
which has the same system, which in this case is ms-dos 3.3. That i
have done...
however, doing so, the nav program is not able to recognize the virus...
What should i do?
Another funny thing is happening: if i take the ainsi.sys out of my
config.sys file, the nav isn't able to find the virus...
I would really appreciate if someone could help me concerning this
virus.. what can he do to my computer? how can i get rid of it?...
Thank you in advance...
cournoye@mistral.ere.umontreal.ca
PS excuse my english writing, it is not my habitual language.
------------------------------
Date: Wed, 13 Jan 93 07:41:24 +0000
From: pmm34393@uxa.cso.uiuc.edu (Dr. Vincent Vaugn)
Subject: Problems with PCs (PC)
I am having massive virus problems, and I hope someone here might be
able to help me out. After having some problems with my computer:
sharing violations on the hard drive, and overflow errors, I decided
to do a virus check. I got Scan v.99, but found that every time I
downloaded it and tried to run it, I got a "damaged file" error. I
tried my roommates computer, and was able to download scan and run it
with no problems. I assumed I had some sort of virus, so I read the
scan info and tried to run scan off of a write-protected disk. Sure
enough, a disk access was attempted and I hit fail to try and continue
running scan. This seemed to work, but scan did not find any viruses
in memory or on my hard drive. I was screwing around on my roomates
computer and was transferring some of his files to one of my disks. I
ran scan again, and THIS time it told me that I had the "filler" virus
in memory and to run Clean on my roommates HD. However, I did not have
Clean, so I re-booted off a clean floppy that he had and I ran Scan
again. However, this time no problems were found. Yet, I started
getting the same errors on his computer that I had on mine. I got
Clean, but I did not have any success trying to get rid of the virus:
Scan won't find anything anymore and Clean is damaged even when I boot
off a clean floppy that has no autoexec or config.sys. I think both
our computers are infected, but I can't find a trace of the virus. We
both run stacker--does this make a difference? If anyone could provide
me with any info regarding the "filler" virus or of any better virus
killers out there I would greatly appreciate it -- I spent 3 hours
tonight screwing around on 2 computers and have had NO success.
Thanks, and please reply by e-mail if possible.... --
Send e-mail to: pmm34393@uxa.cso.uiuc.edu
------------------------------
Date: 13 Jan 93 10:28:54 +0000
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Clash between FDISK/MBR and scanners (PC)
Thus spake padgett@tccslr.dnet.mmc.com (A. Padgett Peterson):
>ps It is my understanding (David ?) that OS/2 uses selection through a
> replacement of the DBR (OBR ?) *not* the MBR and requires a more complex
> approach e.g. You boot. If the wrong OS comes up, you instruct a program
> to replace the DBR with the correct one then you boot again. Hopefully
> this time the correct OS comes up. Only IBM...
I think the idea in OS/2 is to allow the *same partition* to be
bootable into OS/2 or DOS. Clearly, changing the MBR won't help. I
have some code which lets me do the same kind of
same-partition-various-OSes with MS-DOS 3.30 and DR-DOS 6.0, which I
like to swap between. Rewriting the DBR is required...
Paul Ducklin
- --
- --..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--
Paul Ducklin duck@nuustak.csir.co.za
CSIR Computer Virus Research Lab * Box 395 * Pretoria * 0001 S Africa
------------------------------
Date: 13 Jan 93 10:25:12 +0000
From: duck@nuustak.csir.co.za (Paul Ducklin)
Subject: Re: Joshi Question (PC)
Thus spake bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev):
>This has created the myth that some viruses are able to survive a warm
>reboot. They cannot, or at least they cannot do this unnoticeably on
>most computers, but nevertheless you are always advised to cold-boot
>when you suspect a virus in memory...
A further excellent reason for using the Big Red Switch is to be found
in a virus such as Anticad -- here, the virus has certain phases of
operation in which a warm boot will trigger the virus' destructive
code.
The thing to remember is that Crtl-Alt-Del is merely a trappable
trigger for a "warm boot" [ie: one in which no memory check is
performed]. Any program can take over C-A-D as a hotkey for itself
[eg: SmartDrive, I gather, which does so to ensure it flushes its
write cache before allowing the reboot..], so *any* keyboard-based
reboot trigger should be assumed dangerous when you suspect a virus in
memory. Hit the button instead..
Paul Ducklin
- --
- --..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--
Paul Ducklin duck@nuustak.csir.co.za
CSIR Computer Virus Research Lab * Box 395 * Pretoria * 0001 S Africa
------------------------------
Date: Wed, 13 Jan 93 15:23:24 +0000
From: antkow@sis.uucp (Chris Antkow)
Subject: New way of opeing files??? (PC)
Apparently, there is a new way of opening files which some AV
Utilities don't catch. I've heard that the NuKE group is starting to
use function AX,6C00h/INT 21h to open files... Can anyone confirm the
use of this function and are there any AV programs that trap this
function?
Chris
antkow@eclipse.sheridanc.on.ca
------------------------------
Date: 12 Jan 93 14:20:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: January LAT
Here is the January release of LAT (Lambdin's Accuracy Tests).
Bill
- --------------------------------------------------------------------------
LAT 9301
Product Total Detected Ratio Flags
+--------------------------------------------------------+
| Virus Net 2.06B | 715 | 709 | 99.2% | C |
| F-Prot 2.06a | 715 | 708 | 99.0% | S |
| VIRx 2.6 | 715 | 705 | 98.6% | S |
| | | | | |
| Scan 99 | 715 | 697 | 97.5% | S |
| Integrity Master 1.31d | 693 | 665 | 96.0% | DGS |
| UT Scan 1.13 | 693 | 662 | 95.5% | CDG |
| | | | | |
| PC Scan | 715 | 660 | 92.3% | |
| WIN-Rx 1.0 | 715 | 586 | 81.9% | S |
| Virucide 2.37 | 693 | 529 | 76.3% | CD |
+--------------------------------------------------------+
C- Commercial software
D- This product does not scan for boot sector viruses
inside droppers. I tried to be fair.
G- Generic Virus detector. The other utilities with
this product may detect viruses that this scanner
misses, so don't judge this product too harshly
because the scanner isn't as effective as you would
like.
S- Share Ware or Free Ware procuct.
I removed I.M.S.I Virus Cure 2.24, CPAV 1.1, and Thunder
Byte Anti-virus from my tests because new releases are
available, and haven't received updates yet.
I had hoped to test Search & Destroy From Fifth Generation
Systems, but I haven't received it yet.
========================================================================
I have tested the following generic products, and
recommend them.
Victor Charlie (Bangkok Security Associates)
PC-Rx (Trend Micro Devices)
Untouchable (Fifth Generation Systems)
Integrity Master (Stiller Research)
PC-cillin (Trend Micro Devices)
========================================================================
I would like to thank most of these companies for
providing me with evaluation copies of their
software to test.
========================================================================
These tests were performed on a 33 MHZ 486
Bill Lambdin
P.O. Box 577
East Bernstadt, Ky. 40729
[Moderator's note: Bill, would you please post a summary of your test
procedures and reasons for recommending or not recommending particular
products?]
- ---
* WinQwk 2.0 a#383 * PLASTIQUE activates Sep 20 - Dec 31
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 8]
****************************************