home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The World of Computer Software
/
World_Of_Computer_Software-02-387-Vol-3of3.iso
/
v
/
vl6-023.zip
/
VL6-023.TXT
< prev
Wrap
Internet Message Format
|
1993-02-11
|
31KB
Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
id AA14462; Wed, 10 Feb 1993 18:25:58 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA22829
(5.67a/IDA-1.5 for <mikael@abacus.hgs.se>); Wed, 10 Feb 1993 11:36:56 -0500
Date: Wed, 10 Feb 1993 11:36:56 -0500
Message-Id: <9302101546.AA07205@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #23
Status: RO
VIRUS-L Digest Wednesday, 10 Feb 1993 Volume 6 : Issue 23
Today's Topics:
Re: Internet Worm - the "Perp" (CVP)
Re: Mainframe viruses? [Sam Wilson:06/13]
Re: Checksums, CRCs, and other toys
Re:Wank [Rob Slade:v06 ?21]
Re: Viruses and Worms
Re: Sale of Viri
Re: undecidability
virus-definitions
Re: NAV questions (PC)
Virstop 2.07 in Icelandic (PC)
(false?) alarm on drx109.zip by Tbav 5.03 with Asig9301 !!! (PC)
Re: Dame virus (PC)
Re: NAV questions (PC)
Suggestion to the developers of resident scanners (PC)
Twelve Tricks (PC)
STONED, Scanv99/Clean 99 Questions/Concerns (PC)
Re: dame virus (pc)
SCAN100 and DOS3.3 (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 09 Feb 93 01:58:12 +0000
From: buhr@umanitoba.ca (Kevin Andrew Buhr)
Subject: Re: Internet Worm - the "Perp" (CVP)
rslade@sfu.ca writes:
| Robert Tappan Morris was a student at Cornell University when he
| wrote the Worm. He was a student of data security. The Worm is
| often referred to as a part of his research, although it was neither
^^^^^^^^^^^^^^^^^^^^^^^
| an assigned project, nor had it been discussed with his advisor.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This amusing non sequitur points out a common misconception. For some
reason, there is the implicit assumption made by people outside the
academic community--and, distressingly, my many people *inside* it--
that student research has to be assigned or authorised before the
student is permitted to use university facilities in its pursuit.
RTM might have done a lot of terrible things, and he might have gotten
exactly what he deserved, but his worm doesn't fail to classify as
valid academic research only because he didn't get permission from
professors or university administration.
A "university" that requires such permission can hardly call itself a
university. Any institution that treats students with that level of
contempt is better termed an "academic cattle drive".
Kevin <buhr@ccu.UManitoba.CA>
------------------------------
Date: 09 Feb 93 07:55:02 +0000
From: valdis@black-ice.cc.vt.edu (Valdis Kletnieks)
Subject: Re: Mainframe viruses? [Sam Wilson:06/13]
brunnstein@rz.informatik.uni-hamburg.dbp.de writes:
>Sam Wilson mentioned a "survey of 816 European and North America mainframe
>sites (with) ...35.5% .. disasters .. 60% of which had been due to viruses".
>
>Since about 10 years, I happen to supervise several large IBM mainframes for
>security and backup procedures, but I have NEVER seen, in several disasters
>due to bugs, inadequately installed or used programs, hacker attacks and few
>chain letter happenings, ***ANY real mainframe virus*** (I know of some tests
As the old saying about statistics goes, "Figures don't lie, but
liars can figure...". The problem is that 60% of the data *centers*
reported viruses. Now.. Let's look at this in detail (using our
site as an example)...
Here at Virginia Tech, the main computing center has a 3090, a 3084, a
4381, several high-end RS/6000 boxes, a Vax 8800, and probably 75 to
100 desktop systems in the NeXT/Mac II/RS6K-200/Decstation class on
programmer's desks. This is all in our main facility in the university
computing center, which is actually off-campus (it was cheaper/faster
to build a new building there). The computing center also maintains
several on-campus computer labs that are usually stocked with some
386-based clone.
Now - if one of our labs gets wiped out by a virus, this will be a
disaster (at least for the guy in Operations who gets to clean up). So
we're in the 35.5%. It was virus based. So we're in the 60%. And we
*do* have mainframes here. So we would qualify, even though the virus
literally never got within 2 miles of our mainframes.
Of course, if Wilson's survey *specifically* addressed mainframe-*based*
viruses, that's a different story. But I doubt that...
Valdis Kletnieks
Computer Systems Engineer
Virginia Tech
------------------------------
Date: 09 Feb 93 11:23:01 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Checksums, CRCs, and other toys
padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:
> From: raph@panache.demon.co.uk (Raphael Mankin)
> >This means that every CRC can be calculated with very few instructions
> >per byte just by pre-computing a 256-entry table of 16- or 32-bit
> >values.
> Perhaps CRC is a poor choice of acronym since it has an explicit
> meaning (but I was replying to another posting). "Checksum" is
Padgett, while I agree with the rest of your remark, in the message
quoted by you, Mankin is speaking exactly about CRCs, not about
checksums in general.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Tue, 09 Feb 93 06:53:48 -0500
From: brunnstein@rz.informatik.uni-hamburg.dbp.de
Subject: Re:Wank [Rob Slade:v06 ?21]
Comparing Rob Slade's report on Wank with the final report of
Th.Langstaff and E.Eugene Schultz from Lawrence Livermoore National
Laboratory with title: "Beyond Preliminary Analysis of the WANK and
OILZ Worms: A Case Study of Malicious Code" (and my own analysis of
WANK#1), I find several differences. Among others, the password
attacks were not essentially on "system" etc, and moreover, these
worked only correctly in the 2nd WANK version (called OILZ according
to some field in the code) which was an *essential* update of WANK
(not "vary few changes"). Due to some self-modifying part (this worms
were oligomorphic!), there was some confusion in the initial analysis
about different versions of Wank. Code analysis showed that there were
essentially 2 distinct authors (plus one for arranging final code),
with clearly differentiated tasks and skills. Finally, the most
interesting part of WANK (which affected significantly less systems
than Internet worm) was how Incident handling was done, rather than
the worm's functionality.
While I generally favour Robert Slade's short reports in Virus-L on
network incidents, I strongly suggest that trustful sources of
detailed information are mentioned for further reading. The
Anti-Malware community should have enough experience that myths spread
much faster and live longer than plain truth -:)
Klaus Brunnstein (U-Hamburg, February 9,1993)
------------------------------
Date: 09 Feb 93 11:58:44 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses and Worms
padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:
> True, both propagate but in different ways: a worm is a stand-alone,
> complete in itself and needing only to ensure regular scheduling using
> available common resources found within a computing environment. The
> processes a worm creates are also separate and distinct entities within
> that environment. Resources (e.g. compiler, linker) may need to
> be invoked to produce those entities, but will not be altered by it.
It is just a matter of definitions. The difference expressed above
disappears if you consider that the whole OS of a computer is nothing
more than a complex program and a wrom "attaches" itself to the
execution of this program.
Maybe it is better to put it this way:
1) What Dr. Cohen calls "viruses" is what most other people would call
"programs that are able to replicate themselves". They include worms,
DISKCOPY, etc.
2) What most other people call "viruses" are programs that attach
themselves to the execution of other programs. They are not worms -
worms are stand-alone programs, not attached to the execution of a
"hast" program.
> On the other hand, a process which copies itself onto a disk and modifies
> AUTOEXEC.BAT to execute it through a simple append operation would be a worm:
> nothing was *replaced*.
Sorry, there is a MS-DOS virus, called Dr_Watson, which does exactly
that. And we are still calling it a "virus".
The main problem is not in the definition of the word "virus". The
main problem is that there are several things (BSIs, companion
viruses, file system infectors, AUTOEXEC.BAT infectors, etc.) which
look much more like worms but we are still calling them "viruses"...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 09 Feb 93 13:29:54 +0000
From: rikardur@rhi.hi.is (Rikhardur Egilsson)
Subject: Re: Sale of Viri
ercm20@festival.edinburgh.ac.uk (Sam Wilson) writes:
>>From the front page of 'Computing', a UK weekly trade paper (the one
>which gave us the recent article on supposed 'mainframe viruses'), 4
>February 1993:
>"Apache scalps virus cowboys
> "Police raided the homes of suspected computer virus authors across
>the country last week, arresting five poeple and seizing equipment.
> "The raids were carried out last Wednesdau by police in Manchester,
>Cumbria, Staffordshire and Devon and Cornwall.
> "Scotland Yard's computer crimes unit co-ordinated the raids under the
>codename Operation Apache.
> " A spokeswoman for the Greater Manchester Police said: 'The
>investigation began in the Mancheter area following the arrest of the
>self-styled president of the virus writing group in Salford last
>December.'
> "Police would not reveal the man's name, but said he had been released
>on bail.
> "Last week's raids led to the the arrest of a further two people in
>Manchester. Three other suspects were also arrested in Staffordshire,
>Cumbria and Cornwall.
> "PCs and floppy disks were seized in all the raids.
> "All those arrested have been released on police bail pending further
>investigations."
But the orginal question STILL remains: how are you going to find
the virus writers ?
The actions as described above kinda scare me.
There seems to be continous 'fright-propaganda' about viruses and the
idea is to let people think "viruswriter = criminal"
Let's say that someone leaked to the police that *I* was the one
responsible for the Michaelangelo outbreak.
Then let's say they find out that I hang out with a strange group Interested
in Assembly language programming and genereal computing 'hacking'.
If someone would ever look through my files and data they *WOULD*
find the sourcecode for MA, documented, and some other viruses.
Where could that leave me ?
The moral of the story is just that, no matter what data you find, you can
NEVER prove anything based on that data .
As widespread as Viruses have come it does not take a long time to create
the source for, let's say, 1704 bytes virus and comment it to the point
that there is no trace of the source-code-generator.
Even if they actualy found the real writer of MA and all the code and test-
versions he probably made, they couldn't do a thing unless of course they
had some other information on him/(her?).
I don't remember what group it was but someone posted a request resently
for virus-code.
In short 'hell broke loose' almost anyone reading the posting seemed to
belive he was going to use that code for evil purposes.
It seemes impossible for those interested, to get the code/data for viruses.
Of course that does not surprice me, as I know what most people think of
viruses and that there would always be someone to misuse that.
On the other hand it shouldn't be that strange that someone offered to sell
the code/data to whoomever is interested.
In short : do viruses realy have to be that 'taboo'
Informing people about them and how they work and even distribute simple
samples could be just as effective as the fright-propaganda.
The reason for I learned Assembly language was to be able to write
a virus. And so I did (I wrote a wariant of vienna).
Then Stealth-viruses came along and that tecnology excited me.
But as I learned more about them and how they work the 'miracle' tag
dropped off.
The idea of writing a virus doesn't excide me anymore. I wouldn't be doing
anything new. I got issue 1 of CVDQ and there virus there shows me that
poople have to spent anourmous time to make a virus that is going to
have a faint-change of surviving in the modern-world.
I guess that most of those who do write viruses and release them wouldn't
if they knew better. They probably think that they're adding new variants
to a pool of a couple of viruses and that a lottsa people are going to
see and inspect/admire there code.
We all know that the viruses are here to stay and noone can stop
there spread.
If we choose to follow the path we're on it's just a question of time
when viruses will outnumber the scanners to the point that they will
drown of the sheer mass-code.
I guess most of us can aggree on that,that will happen sooner or later
the question is just what path we want to take to that point.
Net-addr: rikardur@rhi.hi.is
Realname: Rikhardur Egilsson
Callsign: TF3RET
------------------------------
Date: Tue, 09 Feb 93 15:34:07 -0500
From: fc@turing.duq.edu (Fred Cohen)
Subject: Re: undecidability
Y. Radai writes:
> Secondly, although I address this reply to Fred Cohen, I think it
>will also serve as a reply to most of the comments on this subject
>made by Vesselin, Padgett and others.)
How come I get an engraved invitation?
..
I must admit that I am now totally lost. I don't understand
what you are trying to communicate. Is it a proposed english language
definition of a virus and a pseudo-proof that detection is hard without
requiring infinite tapes? Is it 3 different proposed definitions and
three pseudo-proofs, one for each definition? Is it the concept of
conditional `infection'? Are you using a different concept than the
common one for the term undecidability? Perhaps we should consider
things piecewise - one definition per article - one point at a time. It
just gets too confusing to deal with so many variations at once. You
ask for my comment on a non-conclusive proof (designated by the phrase
`for all practical purposes') - but there is no such thing as far as I
can tell. Either it is a proof or it is not. If it is a proof, it is
conclusive, otherwise, it is not - that's what a proof is!
You say you are trying to convince people with insufficient
background that virus detection is `undecidable'. But without enough
background, the term itself is meaningless. Maybe you are going after
the wrong thing. Perhaps you should simply try to show them that it is
hard with a simple example. That usually works for me. See my short
course book for how I usually do it if you are interested.
__________________________________________________________________________
US+412-422-4134 Protection Experts US+907-344-5164
FAX US+412-422-4135 -OR- 907-344-3069 24 hours - 7 days
__________________________________________________________________________
------------------------------
Date: Wed, 10 Feb 93 07:00:27 -0500
From: KARGRA@GBA930.ZAMG.AC.AT
Subject: virus-definitions
Hi,
in my previous posting "+- viruses" I did not try to give another definition.
I was and am still missing the point wether a piece of software is necessary
for a user to do what he wants or not. If we add this question to the last
definition of Vesselin, then Diskcopy will not show up as virus, as it is
necessary to use this program to copy a floppy.
Alfred
################################################################################
Alfred Jilka #This place intentionally left blank. This place inteti
Geologic Survey, Austria #onally left blank. This place intentionally left blank
KARGRA@GBA930.ZAMG.AC.AT #. This place intentionally left blank. This place inte
################################################################################
------------------------------
Date: Tue, 09 Feb 93 01:14:37 +0000
From: oep@colargol.edb.tih.no (oep)
Subject: Re: NAV questions (PC)
Richard M. Flood (rflood@cis.umassd.edu) wrote:
: balog@eniac.seas.upenn.edu (Eric J Balog) writes:
: >2) Last week, someone posted a message comparing the effectiveness of
: >several anti-virus programs. Can anyone tell me how NAV rates as
: >compared to other anti-virus programs?
: programs rate. As far as I know Macafee SCAN gets a score of 90% and
: NAV gets a score of 65%, this is just from memory but you can find out
: yourself by ftping vsumx###.zip ( the numbers are the most current
: version I think it is 212 ) from most of the better ftp sites.
As far as I know, there is a close link between the authors of SCAN and
VSUM, and i wouldn't trust the test as a purely independent test.
I did *not* say that I trust NAV either....
- - oep
------------------------------
Date: Tue, 09 Feb 93 04:16:53 +0000
From: jdh@medicine.newcastle.edu.au (John Hendriks)
Subject: Virstop 2.07 in Icelandic (PC)
We have just downloaded the latest version of f-prot (2.07). Of course
all is well as far a scan is concerned. At least I can understand the
reports. When loading virstop though and testing with f-test the
diagnostics are incomprehensible. Is there an English version of
virstop?
- ---------------------------------------------------------------
John Hendriks | Intenet : jdh@medicine.newcastle.edu
Faculty of Medicine |
University of Newcastle |
NSW 2308 |
Australia |
- ---------------------------------------------------------------
------------------------------
Date: 09 Feb 93 10:25:17 +0100
From: robk@win.tue.nl (Rob Knubben)
Subject: (false?) alarm on drx109.zip by Tbav 5.03 with Asig9301 !!! (PC)
Hello,
Yesterday I downloaded ASIG9301.ZIP; some additional virus-signatures
for TbScan 5.03. I checked my hard-disk and got a virus-alarm!!!
TbScan reported that the file DIRX.EXE from DRX109.ZIP was infected by
the Necropolis virus. Today I downloaed DRX109.ZIP from
ftp.terra.stack.urc.tue.nl (a simtel mirror), and the original
DIRX.EXE from DRX109.ZIP was infected as well.
Is this just a false alarm by TbScan ? (The Second in 2 weeks ...) Or
do I really have a virus in my PC? (On my 20Mb disc only DIRX was
infected).
Please send any answers directly to robkn@blade.stack.urc.tue.nl and
put them on the net as well...
Thanks,
Rob Knubben
------------------------------
Date: 09 Feb 93 11:25:07 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Dame virus (PC)
cssiow@iastate.edu (Ching S Siow) writes:
> I would like to find out more about this "DAME Virus". My network has
> 3 files infected with this virus and would appreciate some help in
> cleaning it out. I have tried netscan and inoculan, both of which
> failed to discover the virus.
So how do you know that 3 files are infected by it? Who told you so?
Which scanner? Which version? Please, read the FAQ to learn what
information has to be supplied in questions like the above...
To my knowledge, mainly McAfee's SCAN calls the MtE-based viruses
"DAME". It is not -a- virus, it is a tool for building very
polymorphic viruses. In your case you probably have a false positive -
only 3 infected files doesn't sound much like any of the known
MtE-based viruses...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 09 Feb 93 11:39:05 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NAV questions (PC)
balog@eniac.seas.upenn.edu (Eric J Balog) writes:
> 1) I have NAV 2.0 (included w/ NDW 2.0), and I just downloaded
> nav20a10.exe from dorm.rutgers.edu. Does my version of NAV now check
> for all of the viruses that NAV 2.1 checks for? (mine checks for 451
> viruses/1159 strains)
The version that we have here (2.1 with updates of December 1992)
claims to check for more than 1,400 strains, so obviously still need
to upgrade...
> 2) Last week, someone posted a message comparing the effectiveness of
> several anti-virus programs. Can anyone tell me how NAV rates as
> compared to other anti-virus programs?
When tested on our virus collection, NAV detects roughly 70-80% of
them, which agrees with its claims (1,400 is about 73% of 1,900 - the
number of different viruses in our collection). Unfortunately, I am
not able to provide a more exact number, because NAV lacks some
features that would be useless to its users but would greatly
facilitate the testing. In particular, it does not put the names of
the files is doesn't consider to be infected in its report file and is
unable to apply its algorithm for boot sector scanning to files
containing images of boot sectors.
For comparison - McAfee's SCAN gets about 90% and FindVirus and F-Prot
get about 95-98%.
Note: some people argue that such numbers do not make much sense,
because what really has to be tested is how well a scanner detects the
viruses that are in the wild. I am unable to provide such testing and
I disagree with this belief, for several reasons. Will describe them, if
there is enough interest.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 09 Feb 93 12:14:04 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Suggestion to the developers of resident scanners (PC)
Hello, everybody!
My colleague in front of me is working on an old 12 MHz AT, with no
ex{te|pa}nded memory and a slow hard disk. He's using Dr. Solomon's
resident scanner GUARD. In order to keep memory requirements low,
GUARD is swapping the virus signatures to the disk. This makes the
system -horribly- slow, so my colleague considers removing the
protection. There are versions of GUARD that swap to EMS, XMS, or to a
RAM disk, but this doesn't help him, 'coz he has none of these...
I understand that Frisk also intends to make a version of VirStop that
keeps the virus signatures on the disk and loads them when necessary.
This means VirStop will become almost unusable on the system I am
talking about too... What do you want, not everybody has a '486... :-)
One solution is to have an option that forces the resident scanner to
keep the virus signatures in memory. This is fast, but could take a
lot of memory as the number of viruses increases...
In the same time, more resident scanners provide the possibility to
scan executable files not only when they are about to be executed, but
also when they are copied. Of course, if enabled, this slows down the
system additionally.
I would like to propose to the developers of resident scanners to
provide the following mode:
1) Scan the file when it is executed ONLY if it resides on a floppy.
2) Scan a file with executable extension on CLOSE, if this file has
been WRITTEN TO -and- if it resides on the hard disk ONLY.
The advantage is:
1) By scanning files that are written to, you also catch viruses when
they are unpacked from archives, not just when they are copied.
2) If your system is virus-free, then you can catch a virus only if
you execute something from a floppy, or if you copy something infected
to your hard disk and execute it afterwards. The above methods catches
the virus in both cases.
3) When you execute files from the hard disk (the usual situation),
there is no overhead for scanning. Thus, the performance of the system
is less affected.
4) When you copy files between different directories of the hard disk,
there is no scanning overhead.
5) When you copy files from the hard disk to floppies, there is no
scanning overhead, which is a plus, because floppy disk access is slow
anyway...
Of course, I am not saying that this must be the only mode. Users
should be able to always scan on execution and/or copying, if they
want so. The behavior proposed by me should be provided as an option
- - a rather useful option, IMHO.
Any comments from the producers of resident scanners?
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 09 Feb 93 11:46:16 +0000
From: REEDA@ibm3090.bham.ac.uk
Subject: Twelve Tricks (PC)
Norton anti-virus detected Twelve-Tricks virus on one of our PCs but
f-prot 2.06a reported the PC as clean. Is this virus one that the
current f-prot misses or have we found a NAV false +ve?
A.Reed@bham.ac.uk
------------------------------
Date: 09 Feb 93 17:10:39 -0700
From: CASTILLO@nauvax.ucc.nau.edu
Subject: STONED, Scanv99/Clean 99 Questions/Concerns (PC)
Over the past several days our school has been dealing with the
Stoned virus. We've come up with some questions about what might
be going on:
1) When Untouchable is used, it says that No-Int has been found but
that it cannot fix it.
2) When McAfee's Scan v99 is used, it finds the Stoned virus,
and the Clean can clean it. HOWEVER, when scanning AGAIN for the
virus, we find it in memory. This is after having booted from a
write-protected virus free floppy disk. Further tests apparently
show that Stoned can load into memory by a simple read on an
infected disk. The documentation I've read via FTP land say that that
is impossible. Some people have suggested that Scan is not correct.
Questions: Why doesn't Untouchable work right? CAN the Stoned virus
load into memory by a simple read from an infected floppy?? Is there
a strain of stoned that can do this?
Thanks for any help/suggestions.
Ulysses.
_____
Ulysses Castillo (aka Belgarion) Trr, lbh zhfg or n irel phevbhf crefba!
Castillo@nauvax.ucc.nau.edu
"And be assured, I am with you always, to the end of Time.", Matt. 28:20
------------------------------
Date: Wed, 10 Feb 93 01:42:36 +0000
From: worley@a.cs.okstate.edu (WORLEY LAWRENCE JA)
Subject: Re: dame virus (pc)
A friend of mine has a 486 that recently crashed. After booting on a
clean disk, I ran ScanV100 on it, and found that it had the Stoned
virus. I cleaned it off, and ran scan again, only to find that it now
had Michaelangelo virus. I ran clean again, this time with [Mich],
and it reported that the virus had been cleaned off. However, after
cleaning, ScanV100 still reported it was in the partition table, and
the drive will still not boot. Both floppies in the computer are
write protected and are virus-free. I have now run Clean c: [Mich]
approx. 30 times, each time, it says it cleaned the drive, and then
after rebooting, Scan still reports the virus is there. Any ideas?
Thanks-
Jason Worley
------------------------------
Date: Wed, 10 Feb 93 07:33:07 -0800
From: An-Ly Yao <anlyyao@igc.apc.org>
Subject: SCAN100 and DOS3.3 (PC)
SCAN 100 detected an 1575 virus on an 286 AT with DOS 3.30. The virus
was detected during memory scan after any kind of TSR program was
installed residently. I then found, that COMMAND.COM was 4 bytes longer,
than the original COMMAND.COM: 86h,05h,86h,05h, if I remember correctly.
(or was it 05h,86h,...?). Anyway, that shouldn't be dangerous. I reloaded
COMMAND.COM from that PC's original DOS 3.30 disk, and no viruses were
reported.
Goetz Kluge
anlyyao@igc.apc.org
Seoul, Korea, 1993/02/11
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 23]
*****************************************
