- To: VIRUS-L@LEHIGH.EDU
- Subject: VIRUS-L Digest V6 #151
- --------
- VIRUS-L Digest Tuesday, 30 Nov 1993 Volume 6 : Issue 151
-
- Today's Topics:
-
- Bleeding edge & scanners?
- Re: Liabilities
- Article available (General)
- general information on computer viruses
- Re: Draft Swiss AntiVirus regulation
- Re[2]: Liabilities
- Percentage of virus that infect boot sectors
- essex virus (PC)
- Generic boot virus? (PC)
- Re: VIRSTOP.EXE and 386max memory manager.... (PC)
- Re: IBM pc's and viruses (PC)
- Re: Stoned Dual-report with McAfee Scan (PC)
- Wrapper Virus? (PC)
- MS-DOS 6.2 is not a virus (it just acts that way) (PC)
- Re[2]: Sorry I need more RAM Memory (PC)
- Re SCAN memory requirements (PC)
- False +ve: SCAN thought that VET was infected with Invisible Man (PC)
- need help with possible virus (PC)
- Re: Why should a scanner HAVE to open a file? (PC)
- Re: Scanning below the DOS level (PC)
- Virstop & Boot sector infectors (PC)
- Re: Attention! False positives in SCAN 108 (PC)
- Re: Scanning below the DOS level (PC)
- F-PROT 2.10 now available (PC)
- 1.2 Getting Started (CVP)
- Quick reference antiviral review chart
- Administrative: Call for volunteers
-
- VIRUS-L is a moderated, digested mail forum for discussing computer
- virus issues; comp.virus is a gatewayed and non-digested USENET
- counterpart. Discussions are not limited to any one hardware/software
- platform - diversity is welcomed. Contributions should be relevant,
- concise, polite, etc. (The complete set of posting guidelines is
- available by FTP on CERT.org or upon request.) Please sign submissions
- with your real name; anonymous postings will not be accepted.
- Information on accessing anti-virus, documentation, and back-issue
- archives is distributed periodically on the list. A FAQ (Frequently
- Asked Questions) document and all of the back-issues are available by
- anonymous FTP on CERT.org (192.88.209.5).
-
- Administrative mail (e.g., comments, suggestions, beer recipes)
- should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.
-
- All submissions should be sent to: VIRUS-L@Lehigh.edu.
-
- Ken van Wyk
-
- ----------------------------------------------------------------------
-
- Date: Mon, 22 Nov 93 09:48:50 -0500
- From: BRENNAN@hal.hahnemann.edu (A. Andrew Brennan)
- Subject: Bleeding edge & scanners?
-
- I've seen a recent rash of "Is this the newest version?" and "where
- else is this package available" messages on here ...
-
- Since it's beginning to look like a large number of anti-virus ppl
- are on the net (whatever gave me that idea? :^) - how about a possible
- solution to these that would keep the FAQs up-to-date, and the dates &
- CRCs for the most recent versions in "authorized" sites? With c.virus
- being a moderated list (and I'm not complaining or offering to replace
- the moderator - I'm lucky to keep up with the messages as is) any time
- a new release is "announced," there's a bit of lagtime between its
- actual release and the announcement circulating.
-
- This morning I grabbed FP_210.zip (ftp://oak.oakland.edu/pub/msdos/virus/fp_210.zip)
- which has a Nov 21 (yesterday) date. Generally I don't worry about CRCs,
- secure archives - the whole shooting match. But - by the same factor - I am
- often a couple of weeks behind releases of F-Prot.
-
- I checked the newsgroup to see if there had been a release note - it
- hasn't come through yet. So - I'll probably end up sitting on this one
- until I see a note because I have no way to be sure that it's legit.
-
- Perhaps it's just a minor point, but it might be an overall answer to
- some of the "most recent" questions if the AV people could keep verbose
- archive listings in their .plan files ... or have a dummy account with a
- listing in its .plan file. I suppose that this would be asking everyone
- to check the FAQ before asking "recent version" questions ... but we all
- do that already, don't we? :^)
-
- andrew. (brennan@hal.hahnemann.edu)
-
- ------------------------------
-
- Date: Mon, 22 Nov 93 10:53:40 -0500
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Subject: Re: Liabilities
-
- Karl Tarhk (ktark@src4src.linet.org) writes:
-
- > With all the respect this analogy is seriously flawed.
-
- Most analogies are, including yours, as I will show below.
-
- > Viruses are not living entities that can 'escape' unless helped by
- > humans with secondary intentions.
-
- While they are indeed not living organisms, they can very well
- "escape" against the will of the person who has them, if this person
- is not knowledgeable and/or not careful enough. I am certain that many
- readers of Virus-L/comp.virus can confirm that, based on their own
- experience. Heck, even I have once accidentally released a virus on my
- computer and the sucker succeeded in infecting a lot of four files,
- before I figured out what's happening and was able to stop it.
-
- > Viruses are just inanimate pieces
- > of computer code.
-
- That doesn't prevent them from spreading rather well.
-
- > By attributing non existent powers to computer code
- > using such analogies is a dangerous thing.
-
- The main properties of computer viruses I was referring to were
- "spreading" and "causing damage". Is *this* what you are calling
- "non-existent properties"?
-
- > If you take a couple of
- > preventive measures no computer virus can escape like a 'tiger'.
-
- If you take the proper preventive measures, you can prevent even a
- tiger from escaping. You have completely missed my point. My point was
- that *if* the tiger (or the virus) escapes and causes damage, then you
- are liable for it.
-
- > Lets look at the following counter analogy:
-
- > I am a gun manufacturer and inventor. Should I be held liable for the
- > uses and misuses of such weapon, if I am not able to control who gets
- > it and who does not? Absolutely, positively NOT!
-
- Your analogy is flawed too. You are standing on US-centric positions.
- The world is wide and there are many countries in which owning,
- buying, or selling a weapon *is* illegal, regardless of whether you
- misuse it or not.
-
- (Please, folks, it is not my intention to start a gun/anti-gun
- flamewar here. I just want to point out that just because something is
- allowed in your country, you should not assume that it is also allowed
- everywhere else in the world. Also, unlike guns, computer viruses
- *are* able to spread and to cross national boundaries.)
-
- > The bottom of the line here is not whether to write viruses or not to
- > write viruses but who gets them.
-
- Nope. The bottom line is whether damage is caused. And spreading
- computer viruses *is* causing damage.
-
- > And we all know that there is a few CARO virus collections floating
- > around in the wrong places, so that should answer the question of who
- > is responsible or who is not.
-
- You all know? Then all your knowledge is wrong. :-) First of all,
- there is no such thing as a "CARO virus collection". It simply doesn't
- exist. Each CARO member is maintaining his own virus collection.
- Second, anybody can claim whatever they want (e.g. "I have the CARO
- virus collection", or "I wrote the K-4 virus", or "I know who killed
- JFK", or whatever). However, irresponsible claims tend to lower the
- reputation of the person who is making them.
-
- > The point to be made is, that regardless of how careful anyone is
- > distributing code , for each person the code given to, the
- > possibilities that the code will end up in the wrong hands is
- > increased at an exponential rate.
-
- Yes, I would agree with the above. That's why, the more limited the
- circle of people who get malicious code is, the better. This is one of
- the reasons why I am opposed to the virus exchange BBSes. It is just
- irresponsible to distribute malicious code without any control
- whatsoever on who will get it and what it will be used for.
-
- > >I don't think that virus creation should be forbidden per se. But I do
- > >think that if a virus is found somewhere where it is unwanted, the
- > >author of the virus should share the responsability, even if he has
- > >not introduced the virus into that system.
-
- > By the same token, the manufacturers of firecrackers should be held
- > liable when someone uses their product in a malicious way?
-
- > NO!
-
- If this "someone" manufactures firecrackers and distributes them to
- children, telling them "look how great it will be to put some fire on
- that building" - yes, such person should be held liable.
-
- Besides, there are many *useful* applications for firecrackers. I have
- yet to see *one* useful application of a computer virus (as most
- people understand it, not as Dr. Cohen understands it) that cannot be
- performed (often much better) by a non-viral program.
-
- > You are assuming something that can NOT be proven: Computer viruses
- > are inherently destructive.
-
- Not quite. All I am saying is that the computer viruses as we have
- seen them -can- and -are- destructive. I don't think that anybody
- thinks otherwise. If you do, you are seriously fooling yourself.
- Whether computer viruses are inherently destructive in theory is a
- different question and I will be glad to do some research in this
- direction, but we are not talking about the theory now. We are talking
- about the viruses that exist *now* and that destroy data *now*.
-
- > This is false; and, while a million of
- > you will argue that a good use for a computer virus is yet to be
- > found, there is yet to be proven that there isn't a good use for a
- > computer virus.
-
- > QED
-
- You seem to have missed your lessons in formal logic. Maybe you should
- have paid more attention at school. We are not arguing that it is
- proven that there isn't a good use for a virus. We are just saying
- that none has been found yet and all the currently created ones are
- destructive - some of them intentionally, some of them not.
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
-
- ------------------------------
-
- Date: Mon, 22 Nov 93 11:18:38 -0500
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Subject: Article available (General)
-
- Hello, everybody!
-
- The November issue of "Virus News International" has published an
- excellent article - "A Reader's Guide to Reviews" by Sarah Tanner. It
- is a sarcastic set of rules that shows how to do incompetent reviewing
- of anti-virus products. Read it, you'll love it. Many of you will
- recognize several of those rules being actually used in published
- reviews... I am still laughing...
-
- With the kind permission of Paul Robinson, the editor-in-chief of
- "Virus News International", I received the article in electronical
- form and made it available for anonymous ftp. Feel free to download
- and distribute it, provided that the appropriate credits are given to
- VNI. The full reference of the article on our anonymous ftp site is
-
- ftp.informatik.uni-hamburg.de:/pub/virus/texts/revguide.zip
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
-
- ------------------------------
-
- Date: Mon, 22 Nov 93 14:39:48 -0500
- From: U60780@UICVM.UIC.EDU
- Subject: general information on computer viruses
-
- We are computer illiterates at the University of Illinois at Chicago.
- We are doing a final assignment in our English class. Graduation is
- only three weeks away and we need help in order to get this assignment
- done on time. We need some general information on computer viruses
- and their effect on computers today. Please reply asap as we only
- have three class periods to finish this somewhat impossible
- assignment.
-
- ------------------------------
-
- Date: Mon, 22 Nov 93 19:24:58 -0500
- From: datadec@ucrengr.ucr.edu (kevin marcus)
- Subject: Re: Draft Swiss AntiVirus regulation
-
- Fernando Bonsembiante <fernando@ubik.satlink.net> wrote:
- >Friday 05 November 1993, kevin marcus writes to All:
- >
- > km> I don't think that would be very funny.
- >
- > km> Have you ever heard of something called, "ethics" or "morals"? I don't
- > km> think that there would, "be no difference".
- >
- > I'm speaking in legal terms. You can't write a law speaking of ethics or
- >morals. As ethics and morals change from place to place, from time to time,
- >and from person to person, we should have something very clear to
- >differentiate between what is legal and what is not. So, if the law makes no
- >difference between virus writing and anti virus writing (both activities need
- >the knowledge, the analysis and the exchange of existing computer viruses),
- >you can say that one is 'moral' and the other isn't, but you will go to jail
- >anyway.
- >
-
- I have had the fortunate experience of not having taken any law classes,
- so this makes me seem much more like a "common sense citizen" - at
- least, that is how I think of myself.
-
- Why are there laws (in my country, at least), that say you can't take
- other people's property, or kill people? Maybe my... er, uh, religion,
- says this is okay. However, the rest of society doesn't think so. They
- think that would be unethical. So they make laws. Laws, in this
- country, are supposed to be made by the people, to protect the people,
- for the people. And, laws DO change. Can you say, "repeal"?
-
- Yes, laws do need to be defined well, and that is why we have this stuff
- called voting in this country - so we pick people that we think will make
- laws which represent our thoughts. If they don't, then we get someone
- else that does agree with us.
-
- > km> virus, and that to write a virus, no matter what you say it's for,
- > km> you have malicious intent. The current idea is to label the definition
- > km> of a virus as malignant programs, so that the intent can get ruled out.
- > km> (IMHO)
- >
- > Ok, but we must take care in that definition. We must arrive to a clear
- >definition to avoid future problems with the law. To quote a friend: what's
- >the difference between a computer virus and Stacker or Double Space? An
- >automatic compression program is changing our files without authorization.
- >We could talk about 'implicit authorization'. I don't say it would be
- >impossible to differentiate between a virus and a 'legal' program, but we must
- >be very careful when writing the law. Think about that: if some person finds
- >a commercial program that can be considered as 'malicious' according to the
- >law's definition, perhaps something like Double Space or Pklite, that person
- >may think that it would be great to sue Microsoft or Pkware and get some
- >millions of dollars for free...
-
- I am not going to get into the what is a virus definition here, but
- the user is clearly benefiting from the use of Stacker or Double
- Space. They want to have it. They think it's a useful piece of software.
-
- By them willingly installing the software on their computer, they are
- saying, "I authorize this program to work on my computer". Now, they
- don't have so much control over a virus, do they? I'm not talking about
- the scanty few which tell you they are infecting a file or what-not, but
- the general population of viruses - the 99% that don't do that.
-
- - --
- -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
- CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
- Computer Science, University of California, Riverside.
-
- ------------------------------
-
- Date: Mon, 22 Nov 93 22:40:55 -0500
- From: "Jimmy Kuo" <cjkuo@symantec.com>
- Subject: Re[2]: Liabilities
-
- ktark@src4src.linet.org (Karl Tarhk) writes:
- >Lets look at the following counter analogy:
-
- >I am a gun manufacturer and inventor. Should I be held liable for the
- >uses and misuses of such weapon, if I am not able to control who gets
- >it and who does not? Absolutely, positively NOT!
-
- Yes! If you are negligent. There are laws which will charge a parent with
- manslaughter if a child finds a gun that has not been properly secured and
- shoots someone. And if you want to still use this analogy, if I buy a
- gun (a program) but the firing mechanism blows up in my face (trojan/viral
- code), yes the gun manufacturer is liable.
-
- Someone asked me today what I thought of Nuke. My whole answer was "They
- don't understand the first amendment." I fully support the first amendment.
- But there's been a lot of case law which restricts its scope. Most Americans
- don't understand the first amendment. So Nuke is not unique.
-
- Jimmy Kuo cjkuo@symantec.com
- Norton AntiVirus Research
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 06:10:17 -0500
- From: David Hanson <afrc-mis@augsburg-emh1.army.mil>
- Subject: Percentage of virus that infect boot sectors
-
- While discussing anti-viral strategies with a user the other day, the subject
- of backups (naturally) came up. Of course, a good backup strategy should be
- your first line of defense against virus problems.
-
- I noted that use of a tape backup can be especially effective against boot
- sector viruses, as there is no boot sector on a tape to carry the infection
- into your backups (as opposed to a file infector).
- 
- My question is, what percentage of known viruses are boot sector infectors?
- What percentage of common (ie., "in the wild") viruses are boot sector?
-
- Dave Hanson
-
- "Objects in the mirror are closer than they appear."
-
- ------------------------------
-
- Date: Sat, 20 Nov 93 20:11:43 -0500
- From: mosier@moose.uvm.edu (Mike Osier)
- Subject: essex virus (PC)
-
- Recently, there have been a number of infections of the Essex Virus here
- on campus...I've searched far and wide for more information on this virus
- only to find nothing on the net...I've even gone so far as to check the
- documentation of Scan and Central Point AV, as well as write McAfee's
- support line on the net (which didn't know anything about it, although the
- program detected it)...
-
- An individual within the department found a way to remove the virus from
- HD's, but I'm unsure if this will remove it from floppies also...it was in
- the following batch file:
-
- FDISK /MBR
- SYS C:
-
- I know this works fine for the hard drive, but will it also work for
- infected floppies (of which I have several dozen to disinfect)...only a
- handful of the floppies are boot disks (therefore the "sys" command won't
- help out there)...
-
- I would also appreciate any other information about the virus (ie actual
- location of infection and method of infection [besides boot rec virus, etc)...
-
- please e-mail me at mosier@moose.uvm.edu as I do not subscribe to this
- list, as well as to save bandwidth...
-
- Thanks in advance
- Mike Osier
-
- - ----------------------------------------------------------------------
- Michael Osier = mosier@moose.uvm.edu = Og | It's these little things
- = mosier@lemming.uvm.edu | they can pull you under
- Biochemical Science | Live your life filled with
- University of Vermont | joy and wonder
- ACS counselor | -R.E.M.
- - ----------------------------------------------------------------------
-
- ------------------------------
-
- Date: 15 Nov 93 04:48:00 +0000
- From: syzhang@violet.ccit.arizona.edu (ZHANG, SHIYU)
- Subject: Generic boot virus? (PC)
-
- Hi, netters,
-
- Have you ever heard of a General Boot virus called [Genb]? SCAN108 can
- detect it but cannot remove it (using CLEAN108). I tried F-PROT but
- it could only tell me that this was "a possible new stone virus".
-
- How to get rid of it? Sure I know I can format the disks, but, you know...
-
- Thanks.
-
- Shiyu
- syzhang@ccit.arizona.edu
-
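The two boot-sector questions above (Essex: why FDISK /MBR plus SYS C: clears a hard disk and what to do about floppies; [Genb]: a scanner reporting "generic boot" code it cannot name) both rest on one fact: the executable part of a boot sector is a fixed byte range, and everything outside it (the partition table on an MBR, the BPB on a DOS boot sector) must survive any repair. The following is editor's example code, not part of either post and not DOS, F-PROT or SCAN code. It hashes the code range against a baseline recorded while the disk was known clean, sanity-checks the MBR partition table, and models the repair as "replace the code range, keep the rest". All sample sectors are constructed; the loader bytes are placeholders, not real boot code, and the partition numbers are illustrative.

```python
import hashlib
import struct

SECTOR_SIZE = 512
# Byte ranges that hold executable code in the two sector types at issue.
MBR_CODE = (0, 446)        # x86 MBR: code, then 4 x 16-byte partition entries, then 55 AA
DOS_BOOT_CODE = (62, 510)  # DOS boot sector: jump + OEM name + BPB occupy bytes 0..61


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_partitions(mbr: bytes):
    """The four MBR partition entries as (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, 446 + 16 * i)
        entries.append((status, ptype, lba, count))
    return entries


def check_sector(sector: bytes, code_range, baseline_hash: str, is_mbr: bool):
    """Integrity check of one boot sector against a hash recorded while the
    disk was known clean.  Returns a list of findings; [] means nothing odd."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    if sector[510:] != b"\x55\xAA":
        findings.append("missing 55 AA boot signature")
    lo, hi = code_range
    if sha256(sector[lo:hi]) != baseline_hash:
        findings.append("boot code bytes %d..%d differ from baseline" % (lo, hi - 1))
    if is_mbr:
        parts = parse_partitions(sector)
        if sum(1 for p in parts if p[0] == 0x80) > 1:
            findings.append("more than one partition flagged active")
        for n, (status, ptype, _lba, count) in enumerate(parts):
            if status not in (0x00, 0x80):
                findings.append("partition %d: bad status byte 0x%02X" % (n, status))
            if ptype != 0 and count == 0:
                findings.append("partition %d: used entry with zero length" % n)
    return findings


def rewrite_code(sector: bytes, code_range, clean_code: bytes) -> bytes:
    """Replace only the code bytes and keep everything else.  With MBR_CODE this
    is the effect of FDISK /MBR (partition table kept); with DOS_BOOT_CODE it is
    the boot-sector half of what SYS does (BPB at bytes 3..61 kept)."""
    lo, hi = code_range
    assert len(clean_code) == hi - lo
    return sector[:lo] + clean_code + sector[hi:]


def _pad(code: bytes, size: int) -> bytes:
    return code + b"\x00" * (size - len(code))


def build_mbr(code: bytes, partitions) -> bytes:
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in partitions)
    return code + _pad(table, 64) + b"\x55\xAA"


def build_dos_boot(code: bytes) -> bytes:
    # 1.44 MB FAT12 BPB: 512 B/sector, 1 sector/cluster, 1 reserved, 2 FATs,
    # 224 root entries, 2880 sectors, media F0h, 9 sectors/FAT, 18 spt, 2 heads.
    bpb = struct.pack("<HBHBHHBHHHII", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    ext = b"\x00\x00\x29" + b"\x12\x34\x56\x78" + b"NO NAME    " + b"FAT12   "
    return b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb + ext + code + b"\x55\xAA"


# Constructed sample data; none of it is real DOS or virus code.
CLEAN_MBR_CODE = _pad(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB", 446)
FOREIGN_MBR_CODE = _pad(b"\xEA\x05\x00\xC0\x07\xE9\x10\x00", 446)  # stands in for an infected loader
PARTS = [(0x80, 0x06, 63, 204737)]            # one active FAT16 partition
CLEAN_MBR = build_mbr(CLEAN_MBR_CODE, PARTS)
INFECTED_MBR = build_mbr(FOREIGN_MBR_CODE, PARTS)
MBR_BASELINE = sha256(CLEAN_MBR_CODE)         # recorded while the PC was known clean

CLEAN_FLOPPY_CODE = _pad(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x16\x07\xBB\x78\x00", 448)
FOREIGN_FLOPPY_CODE = _pad(b"\xEA\x00\x7C\x00\x00", 448)
CLEAN_FLOPPY = build_dos_boot(CLEAN_FLOPPY_CODE)
INFECTED_FLOPPY = build_dos_boot(FOREIGN_FLOPPY_CODE)
FLOPPY_BASELINE = sha256(CLEAN_FLOPPY_CODE)

if __name__ == "__main__":
    print(check_sector(INFECTED_MBR, MBR_CODE, MBR_BASELINE, True))
    repaired = rewrite_code(INFECTED_MBR, MBR_CODE, CLEAN_MBR_CODE)
    print(check_sector(repaired, MBR_CODE, MBR_BASELINE, True), parse_partitions(repaired)[0])
    print(check_sector(INFECTED_FLOPPY, DOS_BOOT_CODE, FLOPPY_BASELINE, False))
```

A baseline comparison reports a changed boot sector whether or not any scanner has a name for the code, which is all a "generic boot" verdict can amount to; the price is that a legitimate change (a new DOS version, a disk manager) trips it too, so the baseline must be refreshed deliberately, never automatically. Note which bytes the floppy repair keeps: a boot-sector rewrite that does not preserve bytes 3..61 destroys the BPB and with it the filesystem geometry, so the diskette becomes unreadable even though it is now "clean".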
- ------------------------------
-
- Date: Mon, 22 Nov 93 04:54:56 -0500
- From: oep@colargol.edb.tih.no (Oeyvind Pedersen)
- Subject: Re: VIRSTOP.EXE and 386max memory manager.... (PC)
-
- Min-Chin Hsiao (minchin@rumba.seas.upenn.edu) wrote:
- : Hi everyone,
-
- : What makes me curious is why 6.01d handles it like a breeze but 7.0
- : would not? I know that there might be some significant changes... but it
- : really bugs me.... I might return the product unless someone can help me solve
- : the problem.....
- : Thanks very much in advance for any tips and advice you can give.
-
- I believe this is a bug in 7.0, because Qualitas has released an upgrade of
- 7.0 to 7.1 (an EXE file called M700A.EXE). You will also have to load VIRSTOP
- before the 386MAX.SYS.
- I don't know if this M700A.EXE file is publicly available, but I guess you can
- contact Qualitas if not.
-
- - - oep
-
- ------------------------------
-
- Date: Mon, 22 Nov 93 10:16:12 -0500
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Subject: Re: IBM pc's and viruses (PC)
-
- David M. Chess (chess@watson.ibm.com) writes:
-
- > To make a diskette that'll boot your machine with DOS, but with
- > the reference partition visible, make a disk copy of a reference
- > diskette (that is, a track-for-track copy), and replace the COMMAND.COM,
- > IBMBIO.COM, and IBMDOS.COM on the copy with the same-named files
- > from your favorite DOS machine. Then boot your Model 90 or
- > whatever from that diskette; you *should* find yourself in DOS,
-
- Hmm... From the above description, I take it that the code that tells
- the BIOS to "enable" the (normally hidden) reference partition is in
- the boot sector. The fact that it is possible at all via software,
- looks like a security hole to me. What would prevent a virus writer
- from implementing the same code in a, say, boot sector virus and make
- it infect the reference partition at boot time? And, as you said
- yourself, it is not trivial to disinfect it...
-
- What was the reason to introduce this reference partition at all?
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
-
- ------------------------------
-
- Date: Mon, 22 Nov 93 11:00:49 -0500
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Subject: Re: Stoned Dual-report with McAfee Scan (PC)
-
- THE GAR (GLWARNER@samford.bitnet) writes:
-
- > Can anyone tell me why some machines would report being infected
- > with STONED twice on a single scan? I'm running Scan 108, and
- > when I scan some infected machines it reports that STONED has
- > been found in the partition table, then scans a minute more,
- > and reports the same thing again.
-
- Hm... SCAN indeed can report more than one virus when only a single
- one is present. However, I am not aware of any cases when it reports
- Stoned twice. The duplicate reports for SCAN 108 and boot sector
- viruses from my collection are:
-
- CARO virus name: Viruses reported by SCAN 108:
- ================ =============================
- BootEXE.452 BFD [BFD], Generic Boot [Genb]
- Joshi.B ExeBug1 [ExBg1], Generic Boot [Genb]
-
- The duplicate (and even triplicate) reports happen much more often
- with file viruses. This is a bug reported to McAfee Associates more
- than half a year ago, yet it has never been fixed. If there is enough
- interest, I can post the full list of multiple reports for file
- viruses.
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
-
- ------------------------------
-
- Date: Mon, 22 Nov 93 11:18:59 -0500
- From: Brian.Garrett@nrl.navy.mil (Brian S. Garrett)
- Subject: Wrapper Virus? (PC)
-
- IBM AntiVirus/DOS,Version 1.03 has reported the following message on my
- machine.
-
- The following are probably infected:
- C:\BYTE\T.EXE Wrapper
- C:\BYTE\TIMESET.COM Wrapper
- C:\BYTE\TSREGSTR.COM Wrapper
- C:\NORMAN\AD.EXE (A) V516
-
- I have scanned using F-Prot v2.09f as well as Scan 9.20v109. Neither of
- these programs identify these files as being suspect. I have also looked
- for information using VSUM and can find no information on the Wrapper virus.
-
- Can someone provide me information on the wrapper virus?
- Is this just a false positive?
-
- Thanks.
-
- Brian S. Garrett
- ADP Security
- Naval Research Laboratory
- Washington, DC
-
- email: Brian.Garrett@nrl.navy.mil
-
-
- ------------------------------
-
- Date: Mon, 22 Nov 93 14:22:35 -0500
- From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
- Subject: MS-DOS 6.2 is not a virus (it just acts that way) (PC)
-
- Downloaded the upgrade for MS-DOS 6.2 from the MS bulletin board.
- Curiously enough the README states that the files are not to be
- posted on BBSs (right). Installed it on my test machine. A few caveats:
-
- 1) Between the Del_Old_Dos.1 and the STEPUP directory (which must be on C if
- you use the defaults) and the new files, make sure you have at least
- 6-7 Mb free before you start. I saw no check for this.
-
- 2) Machine seemed to hang for a very long time at about the 81% mark
- (5% note in lower right of screen). At this point the new IO.SYS and
- MS-DOS.SYS files have been copied but the new COMMAND.COM is not yet
- present. If you abort here, I suspect the PC will not boot properly.
- Eventually it does continue but that particular sequence is very slow.
-
- 3) The installation found *something* wrong with mode.com and memmaker.exe
- & refused to update them (told the setup to continue anyway & would
- suggest this - see last two sentences in (2). (Both were originals dated
- 3-10-93)
-
- 4) If you have downloaded the "supplemental" files for DOS 6.0, these are not
- included and will probably whine "incorrect version". Skilled use of
- Ben Castricum's UNP (UNP312.zip) plus DEBUG (look for the string 30 cd 21
- and change the CMP AX,0006 that follows closely to CMP AX,1406) "fixed"
- this without using SETVER (no guarantees at all 8*). Curiously while most
- DOS programs use Packed files, CHKDSK used PKLITE. The very annoying
- disclaimer about using SCANDISK instead can also be removed with DEBUG.
-
- 5) The NOVELL NETX332.EXE for MS-DOS 6.0 had the same problem - not liking
- the 6.20 version number. I just do not like SETVER - Note: of the
- multi-screen default SETVER load, NONE of the entries were what I use.
-
- 6) HIMEM.SYS now has a lengthy (10+ seconds on 286 with 4 Mb extended) check
- of extended memory but at least it tells you what it is doing.
-
- 7) As previously mentioned, no update to MSAV appeared to be performed
- (files still dated 3-10-93)
-
- 8) Like on a full installation, DELOLDOS will remove the "old" DOS directory
- but does not remove the STEPUP directory - you'll have to do that manually.
-
- 9) I do not use DBLSPACE on this machine, so I have not tried it as yet. SCANDISK is
- nice but take a coffee break.
-
- Warmly,
- Padgett
-
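Padgett's item (4) describes a by-hand DEBUG patch: find the INT 21h Get Version call, then change the CMP AX,0006 that follows it to CMP AX,1406 so the program accepts DOS 6.20 (AH=30h returns AL=major, AH=minor, so 6.20 is AX=1406h). The following is editor's example code, not anything from the post or from UNP or DEBUG. It automates the same search with the same two guard rails the post implies: the compare must sit close to the version call, and a packed image is refused because the post unpacks first. The sample bytes are constructed, and the PKLITE check is a heuristic on the MZ header region, not a documented format rule.

```python
import struct

PROBE = b"\x30\xCD\x21"   # the "30 cd 21" of the post: MOV AH,30h immediate, then INT 21h
CMP_AX_IMM16 = 0x3D       # opcode of CMP AX,imm16; the immediate follows little-endian


def version_to_ax(major: int, minor: int) -> int:
    """AH=30h returns AL=major, AH=minor, so a DOS version is one 16-bit AX value."""
    return (minor << 8) | major


def find_version_checks(image: bytes, old_ax: int, window: int = 16) -> list:
    """Offsets of every CMP AX,old_ax lying within `window` bytes after a Get
    Version call.  A CMP AX,old_ax elsewhere in the file is not reported."""
    needle = bytes([CMP_AX_IMM16]) + struct.pack("<H", old_ax)
    hits, start = [], 0
    while True:
        p = image.find(PROBE, start)
        if p < 0:
            return hits
        after = p + len(PROBE)
        q = image.find(needle, after, after + window)
        if q >= 0:
            hits.append(q)
        start = p + 1


def looks_packed(image: bytes) -> bool:
    """Heuristic: an MZ executable whose header region names PKLITE."""
    return image[:2] == b"MZ" and b"PKLITE" in image[:0x40]


def patch_version_check(image: bytes, old_ax: int, new_ax: int):
    """Return (patched image, offsets patched).  Refuses packed images: the
    compare lives inside the compressed body, so run UNP first."""
    if looks_packed(image):
        raise ValueError("PKLITE-packed image: unpack with UNP before patching")
    hits = find_version_checks(image, old_ax)
    out = bytearray(image)
    for q in hits:
        out[q + 1:q + 3] = struct.pack("<H", new_ax)
    return bytes(out), hits


# Constructed sample: the shape of a DOS version gate, not a real utility.
SAMPLE = (
    b"\x90" * 8                     # padding
    + b"\xB4\x30\xCD\x21"           # MOV AH,30h / INT 21h   (Get DOS Version)
    + b"\x3D\x06\x00"               # CMP AX,0006            <- offset 12, the check to change
    + b"\x74\x05"                   # JE   continue
    + b"\xB4\x09\xCD\x21"           # MOV AH,09h / INT 21h   (print the complaint)
    + b"\x90" * 20                  # padding
    + b"\x3D\x06\x00"               # unrelated CMP AX,0006 at offset 41: must be left alone
    + b"Incorrect DOS version$"
)
DECOY_OFFSET = 41
PACKED_SAMPLE = b"MZ" + b"\x00" * 0x1C + b"PKLITE Copr. 1990-92 PKWARE Inc." + SAMPLE

if __name__ == "__main__":
    patched, hits = patch_version_check(SAMPLE, version_to_ax(6, 0), version_to_ax(6, 20))
    print(hits, patched[12:15].hex(), patched[DECOY_OFFSET:DECOY_OFFSET + 3].hex())
```

The proximity window is what stops the patch from hitting an unrelated CMP AX,0006 elsewhere in the file. In a real binary the gate may instead be CMP AL,06 (3C 06) on the major version only, or a JB over a range, and a tool that knows only the exact 3D 06 00 pattern misses those rather than mis-patching them. Patching out a version gate also voids whatever the vendor tested against, which is the substance of Padgett's "no guarantees at all".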
- ------------------------------
-
- Date: Mon, 22 Nov 93 21:43:52 -0500
- From: "Jimmy Kuo" <cjkuo@symantec.com>
- Subject: Re[2]: Sorry I need more RAM Memory (PC)
-
- Bryan Bross <bbross@umr.edu> wrote:
- >Ng Bee Yong (byng@solomon.technet.sg) wrote:
- >: Has anyone encounter the following error message from SCAN?
-
- >: Sorry, I need more RAM memory
- >: 390 kbytes should be enough
-
- >: Is it some kind of bug in SCAN? I am quite sure I have more than 500 kbytes
- >: of conventional memory before running SCAN. It happened when I scanned some
- >: standalone machines, and also when I tried to scan the network.
-
- >: Anyone knows the problem please enlighten me. Thks.
- >: The error occurs sometimes before checking of RAM for viruses, sometimes in
- >: the midst of scanning some files.
-
- >I had that problem for a while and it bugged me as well. I was running
- >386MAX v7.0 & VSAFE.exe from Norton. I didn't know which one of these was
- >causing the problem at the time, but now I am pretty sure it was vsafe.
- >Get rid of that piece of trash software, and use fprot's virstop or
- >something. I have not had any problems since I terminated vsafe, although
- >I am not running 386MAX right now either. Good Luck!
-
- Everyone deserves to be blasted sometime. But this is not our time.
-
- VSAFE is *not* a Norton product!
-
- VSAFE is from Central Point and all you have to do is listen to Vesselin
- regarding CPAV.
-
- Jimmy Kuo cjkuo@symantec.com
- Norton AntiVirus Research
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 01:29:45 -0500
- From: "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
- Subject: Re SCAN memory requirements (PC)
-
- Ng Bee Yong (byng@solomon.technet.sg) wrote:
- : Has anyone encounter the following error message from SCAN?
-
- : Sorry, I need more RAM memory
- : 390 kbytes should be enough
-
- : Is it some kind of bug in SCAN? I am quite sure I have more than 500 kbytes
- : of conventional memory before running SCAN. It happened when I scanned some
- : standalone machines, and also when I tried to scan the network.
-
- Several people have written suggesting that this may be a bug in
- some versions of Scan, or an interaction with other software.
- However we also encountered the message, and have established
- that it is not a bug, but a normal feature of both Scan108 and
- Scan109 (Yes; the McAfee version, not the one with the new
- Ignorant virus, which I am told is widely available on Aussie
- BBS's).
-
- Have just done some tests with the help of a TSR called Grab,
- which does just that - it grabs a chunk of memory and sits on it,
- but does nothing else.
-
- Here is what we found with Scan109
-
- Available memory Result
-
- 393K Appeared to run normally till I scanned
- a dirty directory. On one pass it just
- stopped after maybe 200 files with no
- message. On the next it checked almost
- 400 files, then gave the message
-
- Sorry,I need more RAM memory.
- 390K bytes should be enough.
-
- 381K Announced "Scanning boot sector of drive
- E:", then gave the message and stopped
-
- 360K Message immediately after "Scan 9.20V109
- Copyright ..."
-
- 280K Immediately got message "Abnormal
- program termination."
-
- Incidentally Scan109 has almost established another milestone; it
- takes 9M 40 sec to scan a nearly full 360K floppy on an XT!
-
- By comparison VET 7.5 will do a normal scan, with no limitations
- whatever, if there is 260K available, and will do a partial scan
- (which will detect the 200 odd viruses which are at all common,
- and automatically repair infected files and boot sectors) if
- there is 140K available.
-
- Oh, and it checks the floppy on the XT in 21 secs.
-
- Cheers!
-
- Roger Riordan Author of the VET Anti-Viral Software.
- riordan.cybec@tmxmelb.mhs.oz.au
-
- CYBEC Pty Ltd. Tel: +613 521 0655
- PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 05:16:20 -0500
- From: A.APPLEYARD@fs1.mt.umist.ac.uk
- Subject: False +ve: SCAN thought that VET was infected with Invisible Man (PC)
-
- "S.Manifould" <STEVE@fs1.me.umist.ac.uk> wrote to pc-cluster-ops@umist.ac.uk
- on 22 Nov 93 16:35:52 GMT (Subject: virus hoax), and it was forwarded to me:
- Everyone, Just a quick note to tell you all about a virus problem I thought
- I had today (Mon 22 Nov). A student had left me a message that "All the 386
- and 486's have been infected with the Invisible Man virus [IMF]". He had run
- the latest version of McAfee scan (9.19 V108) on the machines and it had
- reported the infection. However Vet 7.4 did not report any infection. Upon
- investigation it appears that VET_RES was causing the McAfee scan to report
- an infection. ie once VET_RES was removed from memory the McAfee scan didn't
- find anything. Cheers, Steve M.
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 05:19:49 -0500
- From: kbruce@oasys.dt.navy.mil (Ken Bruce)
- Subject: need help with possible virus (PC)
-
- Greetings all,
- I have had a strange occurrence happen to a new PC that I am setting
- up in a classroom. The PC came with Windows and DOS 6.0. Another group
- at my work has set up NCSA 2.3 for TCP/IP operation, and I was setting
- up our Novell access software. While editing one of the batch commands,
- MFE (my favorite editor) had one of the keys change.
- Specifically, the escape key began to print one of the upper ASCII characters;
- I am not sure what the ASCII number is. However, I couldn't do anything
- like save or abort; all I could do was reboot the PC. The PC rebooted
- OK and I could still access the TCP/IP and Novell hosts OK. But when
- I try to go into Windows, it fails. So I run my favorite file manager,
- XTgold, and I see a strange file in the Windows directory. The file name
- begins with the strange character that my escape key turned into, then
- the music symbol, then press.ent (**press.ent). This file has read-only
- and system attributes. I ran Norton Disk Doctor, which showed my FAT
- was hosed up, then promptly locked up. I can't exactly remember what
- the NDD message was. I ran CHKDSK, which showed about 1100 cross-linked
- files. One of the files that is hosed is msdos.sys. My question is obviously:
- have I experienced a virus, if so which one, and how do I clean it? The
- machine still boots up; however, I can't get rid of **press.ent and when
- I run XTgold, it shows subdirectories with the music symbol. I humbly
- await your advice.
-
- |-----------------------------------------------------------------------------|
- | kbruce@oasys.dt.navy.mil | Opinions expressed herein are not those |
- | Ken Bruce | of my employer. They are not even mine. |
- | David Taylor Model Basin | The devil made me do it. |
- | Code 3581 Customer Support | |
- | (301) 227-4030 Autovon 287-4030 | Chairman of the Bored. |
- |-----------------------------------------------------------------------------|
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 07:50:18 -0500
- From: Eric_N._Florack.cru-mc@xerox.com
- Subject: Re: Why should a scanner HAVE to open a file? (PC)
-
- >>>I would think that this is not altogether correct, though I'd have to do
- >some work on it. In theory, DIR and FAT info should tell you where a file
- >starts, and you should also be able to use that information, and mathematics,
- >to move to a particular offset, to look for your string. I grant you, this
- >would be slow.... at least slower than opening the files.
-
- Well, how do you suppose DOS manages its filing system? If well-written,
- code to give read-only access to a DOS drive without using DOS is likely
- to be much *faster* than DOS. There's a lot less work to be done, and much
- less housekeeping -- no writes to worry about, for a start.<<
-
- Well, his point was that if I were to try and trace (in reverse) the ownership
- of each sector, it would result in a slower scan.... and he's correct. However,
- what he (and you, apparently) does not know is that my design (on paper) does
- not intend to do that. The only time the scanner I'm designing would bother to
- look up the ownership of the file is when it finds a string matching one in the
- virus table.
-
- The reason for this design is that you are also correct; scanning without going
- through DOS has the potential for going FASTER, (with certain provisos, of
- course) and, as suggested, also will not infect as it goes.
-
- >>Sure, it would be incompatible with all the not-straight-DOS implementations
- of DOS drives around (emulators, compressed drives, networks...). So, in
- those cases, use the regular DOS calls to talk to the filing system.<<
-
- Note my earlier response on being limited to standard solutions to non-standard
- problems, because of weird iron.
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 09:49:58 -0500
- From: hstroem@ed.unit.no
- Subject: Re: Scanning below the DOS level (PC)
-
- David_Conrad@MTS.cc.Wayne.edu writes:
-
- > But one major reason for not scanning at the sector level, the most
- > important reason IMNSHO, hasn't been mentioned. Any scanner which did
- > this would lose compatibility with future DOS versions, or with other
- > environments (OS/2, Windows NT, UN*X DOS boxen) which emulate DOS. A
- > program which opens and reads a file via handles and standard calls will
- > be able to do so under DOS 8.21, even if it uses something like HPFS.
- > Any program which tries to redo DOS will get hopelessly confused and fail,
- > I hope gracefully, at worst it may fail catastrophically.
-
- > Of course, someone might reply that scanners are updated so frequently
- > that a new update would follow close on the heels of any major change in
- > the DOS filesystem, and a scanner could check the DOS version (but what of
- > SETVER?)
-
- There is no need to check for the DOS version. A program working at
- sector-level would most likely not work very well with OS/2 and
- Windows-NT, since the low-level support on these platforms is not
- sufficient to do "safe" sector reading the same way you do in DOS. A
- different program would be needed for running under OS/2 and Windows-NT.
-
- But, talking about future DOS compatibility is something else. The
- type of filesystem (FAT/HPFS/NTFS/etc) is described in a one-byte
- field in the partition-table (contained in the HD's first sector). And
- as long as your program is able to read at sector-level, it should
- have no problems finding out what kind of file system it is dealing
- with, and use different routines for the different file systems.
-
- To handle the low-levels of HPFS and NTFS may not be as easy as
- handling the FAT filesystem. So programs like TBScan might have to
- tell the user that only FAT partitions may be scanned in a low-level
- manner.
-
- Sincerely,
- Henrik Stroem
- Stroem System Soft
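Henrik's point above about the one-byte partition-type field, as an added Python example that is not from the digest and not the code of TBScan or any other product mentioned here. It reads the four 16-byte entries of a master boot record, maps each type byte to a filesystem name, and decides per partition whether a hypothetical sector-level scanner could walk it or must fall back to ordinary file calls. The type-byte table, the set of filesystems the scanner is assumed to handle (only the FAT family) and the sample MBR are all constructed for this example.

```python
import struct

# Well-known MBR partition-type bytes for the filesystems Henrik names.
# Constructed table for this example; 0x07 is shared by HPFS and NTFS, so the
# boot sector of that partition would have to be read to tell them apart.
PARTITION_TYPES = {
    0x01: "FAT12",
    0x04: "FAT16",
    0x06: "FAT16",
    0x07: "HPFS/NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32",
}
# Assumption: the hypothetical scanner only knows the FAT on-disk layout.
LOW_LEVEL_OK = {"FAT12", "FAT16", "FAT32"}
SECTOR_LEVEL = "sector-level scan"
FILE_LEVEL = "fall back to DOS/OS file calls"

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE      # partition table begins at byte 446 of sector 0
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16 bytes per entry


def parse_partition_table(sector):
    """Return [(slot, bootable, type_byte, lba_start, sector_count)] for the used slots."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    parts = []
    for slot in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype == 0:        # empty slot
            continue
        parts.append((slot, status == 0x80, ptype, lba, count))
    return parts


def scan_plan(sector):
    """Per partition: which filesystem the type byte announces and how it can be scanned."""
    plan = []
    for slot, _bootable, ptype, _lba, _count in parse_partition_table(sector):
        name = PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype)
        mode = SECTOR_LEVEL if name in LOW_LEVEL_OK else FILE_LEVEL
        plan.append((slot, name, mode))
    return plan


def build_mbr(entries):
    """Constructed sample MBR; entries are (bootable, type_byte, lba_start, sector_count)."""
    sector = bytearray(MBR_SIZE)
    for slot, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed disk: a bootable FAT16 primary partition and an HPFS/NTFS one.
SAMPLE_MBR = build_mbr([(True, 0x06, 63, 65472), (False, 0x07, 65535, 131072)])

if __name__ == "__main__":
    for slot, name, mode in scan_plan(SAMPLE_MBR):
        print("partition %d: %-10s -> %s" % (slot, name, mode))
```

The decision is taken from the type byte alone, which is exactly what a program that already reads raw sectors has available before it touches any filesystem structure; anything it does not recognise gets the file-level path rather than a guess.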
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 09:53:39 -0500
- From: Fabio Esquivel <FESQUIVE@ucrvm2.bitnet>
- Subject: Virstop & Boot sector infectors (PC)
-
- Hi gangs.
-
- I always supposed that Virstop.EXE from the F-Prot package was capable
- of detecting diskettes infected with a boot sector virus, even a simple
- one: Stoned.
-
- VShield shows a message when I issue a DIR command over an infected disk,
- but Virstop does not say anything. F-Prot.EXE identifies it correctly.
-
- Is this a bug? Or a feature (just because boot sector viruses do not
- get active when a DIR command is issued)?
-
- To Vesselin: Regarding the question about Frisk's name on viruses...
- Check the description of Billboard 1.0 virus on VsumX310.
-
- DATA SEGMENT PARA PUBLIC
- name DB 'Fabio Esquivel' ; C:\> dir a:
- bitnet DB 'fesquive@ucrvm2.bitnet' ; Virus found in drive A:
- internet DB 'fesquive@ucrvm2.ucr.ac.cr' ; Install, Kill, Panic?_
- DATA ENDS
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 09:57:26 -0500
- From: hstroem@ed.unit.no
- Subject: Re: Attention! False positives in SCAN 108 (PC)
-
- Vesselin writes,
-
- > 2) SCAN 108 reports the file HS.COM from the arhive hs32.zip as
- > containing the "TridenT [TridenT] Virus".
-
- > In our particular example, the program HS.COM is encrypted and
- > decrypts itself at runtime.
-
- Correction: HS.COM and HS.SYS decrypt their DATA AREAS at runtime.
-
- > Possible solutions.
- > a) Inform the author of HS and ask him to use a different decryption
- > routine.
-
- I've already fixed the problem. HS is currently at v3.5 and the decryption
- routine has been changed to avoid false positives from SCAN 106-109.
-
- HS v3.5 (or 3.6) will probably be available on the Internet before Christmas.
- I just want to verify that the new Int_10 MBR infector doesn't trick v3.5
- before I release it ;-)
-
- Sincerely,
- Henrik Stroem
- Stroem System Soft
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 10:19:14 -0500
- From: hstroem@ed.unit.no
- Subject: Re: Scanning below the DOS level (PC)
-
- Vesselin writes:
-
- >> All this, to get past stealth viruses.
-
- >And even without a guarantee to succeed. Virus like Dir_II or Int13
- >will be still able to stealth the infection from the scanner.
-
- If you take the trouble to handle the low-levels of the FAT
- filesystem, you must of course also take the trouble to handle sector
- reading and writing in a similarly "secure" manner. This would be
- accomplished by calling the ROM BIOS handler for INT 13h directly, or
- by writing to the ports of the harddisk controller (good luck :-0). It
- will make things even more complicated, but it is nothing the average
- antivirus programmer can't handle (right? :-)).
-
- Henrik Stroem
- Stroem System soft
-
- ------------------------------
-
- Date: Sun, 21 Nov 93 11:03:01 -0500
- From: frisk@complex.is (Fridrik Skulason)
- Subject: F-PROT 2.10 now available (PC)
-
- I just uploaded F-PROT anti-virus, version 2.10 to my primary distribution
- site (oak.oakland.edu), and to garbo.uwasa.fi as well. The file should be
- available for download on Monday, November 22nd.
-
- This new version adds detection and identification (and in most cases
- disinfection) of a record number of new viruses - over 500 new ones
- since version 2.09f was released two months ago.
-
- - -----------------------------------------------------------------------------
-
- From the NEW.210 file:
-
- Version 2.10 - major changes:
-
- We have re-designed the method F-PROT deals with new variants of
- known viruses. Previously it would always refuse to disinfect a
- virus, even if it was only slightly different from a variant it
- recognized. Now it will attempt to determine if the new variant
- is sufficiently similar to a known variant to attempt disinfection,
- using the same method as for the known one. We still would like to
- ask F-PROT users to send us samples of all viruses that are reported
- as new, modified or unknown variants.
-
- Version 2.10 - the following problems were found and corrected:
-
- 2.09 occasionally missed samples of the Tremor and Phoenix.2000 viruses -
- fixed now.
-
- When disinfecting certain viruses, such as Jerusalem from .COM files,
- F-PROT would not retain the date/time of the file, but instead set
- it to the current date/time. Fixed.
-
- If F-PROT was run twice in a row from interactive mode, and found some
- viruses on the first pass, it would occasionally claim the MBR was
- infected on the second pass.
-
- F-PROT would only search for user-defined patterns in boot sectors in
- "Quick" mode, not in "Secure" - it should have been the other way around.
-
- Version 2.09 could not reliably disinfect the "Monkey.B" virus - it was
- handled correctly on 360K diskettes, but just reported as new or modified
- variant of Stoned otherwise.
-
- Version 2.10 - minor improvements and changes:
-
- We have significantly increased the use of "exact" identification
- of viruses, where F-PROT uses a 32-bit checksum to distinguish
- between very similar variants. This is one of the explanations
- for the extremely large number of new variants listed below.
-
- Version 2.10 - new viruses:
-
- The following 58 viruses are now identified, but can not be removed as
- they overwrite or destroy infected files. Some of them were detected by
- earlier versions of F-PROT, but only reported as "New or modified
- variant of..."
-
- Abraxas (1171 and 1200)
- Atomic.480
- Burger (405.B and 8 "no-name" 560 byte variants)
- Civil War.444
- Knight
- Leprosy (350, 647 and Clinton)
- Milan.WWT.67.C
- Naught (712 and 865)
- Proto-T.Flagyll.371
- SillyOR (60, 66, 68, 69, 74, 76, 77, 88, 94, 97, 98, 99, 101,
- 102, 107, 109 and 112)
- Tack (411 and 477)
- Trivial (26.B, 27, 28, 29, 30.D, 30.E, 40.D, 40.E, 40.F, 42.C, 42.D,
- 43, 44.D, 45.D, and 102)
- VCL.527
- Viruz
- ZigZag
-
- The following 448 new viruses can now be detected and removed. Some of
- these viruses were detected by earlier versions, but are now identified
- accurately.
-
- 3y
- 4-days
- 4res
- _127
- _130
- _132
- _205
- _330
- _409
- _524
- _584
- _593
- _655
- _1417
- _1536
- _2878
- Abbas
- Alabama.C
- Ambulance.E
- Andro
- Andromeda
- Arcv.companion
- Armagedon.1079.D
- Atomic (Toxic, 166, 350 and 831)
- Attention.C
- Aurea
- Australian Parasite.272
- BadSector
- Best Wishes (1024.C and 1024.D)
- Black Jec (284, 323 and 235)
- Black Monday (1055.E, 1055.F, 1055.G and 1055.H)
- BloodRage
- Bootexe
- Bubonic
- Bupt.1279
- Cascade (691, 1701.G, 1701.H, 1701.J, 1701.K, 1701.L, 1704.L,
- 1704.N, 1704.O and 1704.P)
- Checksum.1253
- Chris
- Civil War III
- Clonewar (238, 546, 923.A and 923.B)
- Cobra
- Coib
- Comasp.633
- Coffeshop.1568
- Cybercide.2299
- Cybertech (501 and 503)
- Danish Tiny (163 and Kennedy.B)
- Dark Apocalypse
- Dark Avenger (1800.F, 1800.G, 1800.H, 1800.I, 1800.Rabid.B,
- 2000.Copy.C, 2000.DieYoung.B, 2100.DI.B, Jericho and Uriel)
- Dashel
- DataCrime (1168.B and 1280.B)
- DataLock (920.K1150 and 1740)
- Dbase.E
- Dejmi
- Destructor.B
- Devil's Dance (C and D)
- Digger.600
- Dos 7 (342, 376 and 419)
- Dosver
- Doteater (C, D and E)
- Dracula
- Du
- Dy
- Dzino
- Finnish.709.C
- Friday the 13th (540.C and 540.D)
- Frodo (F, G and H)
- Fumble.E
- Gemand
- Genc (502 and 1000)
- Goga
- Golgi (465 and 820)
- Granada
- Grog (Lor, 990 and 1641)
- Guppy.D
- Halloechen (B and C)
- Hates
- Headcrash.B
- Helloween (1227, 1384, 1447, 1839, 1888 and 2470)
- Hi.895
- Hidenowt
- HLLC (Even Beeper.C and Even Beeper.D)
- Infector (759 and 822.B)
- Intruder.1317
- Italian Boy
- IVP (540, Bubbles, Math, Silo and Wild Thing)
- Jackal
- Japanese_Christmas.600.E
- Jerusalem (664, 1960, 1829.Anarkia, 2223, Anticad.2900.Plastique.B,
- Anticad.2900.Plastique.C, Anticad.2900.Plastique.D,
- AntiCad.3012.C, AntiCad.3012.D, Fu Manchu.D, Sunday.G,
- Sunday.H, Sunday.I, Sunday.J, 1765, Groen Links.D,
- PSQR.B, Solano.Syslexia.B, Solano.Subliminal.B, Westwood.B
- and 31 "no-name" insignificant 1808 byte variants)
- Jest
- K-4 (687 and 737)
- Kemerovo.257.E
- Keypress (1215, 1232.D, 1232.E, 1232.G, 1232.H, 1232.I and 2728)
- Kernel
- Lapse (323, 366 and 375)
- Leningrad II
- Literak
- Little Girl.985
- Lockjaw (808 and Black Knight)
- Lock-up
- Loki.1234
- Lyceum.930
- M_jmp (122, 126 and 128)
- Magician
- Manuel (777, 814, 840, 858, 876, 937, 995, 1155 and 1388)
- Matura.1626
- Mel
- Merry Christmas
- MG (2.D and 3.C)
- Mgtu (269, 273.B and 273.C)
- Minimite
- Mirror.B
- MPS-OPC II.754
- Mr. G.314
- Mshark.378
- Multi.B
- Murphy (1277.B and Woodstock)
- Mutator (307 and 459)
- Never Mind
- Nina (B and C)
- No Bock.B
- No Frills.835
- November 17th (690, 800.A and 800.B)
- Npox (955, 1482, 1722 and 1723)
- Nygus (163, 227 and 295)
- Nympho
- OK
- Oropax (B and C)
- Osiris
- Override
- Parity.B
- Particle Man
- PC-Flu
- Phx
- Pit
- Pixel (277.B, 300, 343, 846, 847.Advert.B, 847.Advert.C and
- 847.Near_End.B)
- Pojer.1935 (only COM files - EXE files are not infected properly,
- the virus code is only appended)
- PS-MPC (331, 349, 420, 438, 478, 481, 513, 547, 564, 574, 578, 597,
- 615, 616, 1341, 2010, Alien.571, Alien.625, Arcv-9.745,
- Arcv-10, Deranged, Dos3, Ecu, Flex, Geschenk, Grease, Iron
- Hoof.459, Iron Hoof.462, Napolean, Nirvana, Nuke5, Page,
- Shiny, Skeleton, Soolution, Sorlec4, Sorlec5, Soup, T-rex,
- Toast, Toys and McWhale.1022)
- Quadratic.1283
- Radyum (698 and 707)
- Rape (2777.A and 2877.B)
- Rasek (1489, 1490 and 1492)
- Red Diavolyata (830.B and 830.C)
- Retribution
- Ripper
- Russian_Mirror.B
- Sata.612
- Saturday 14th.B
- Satyricon
- Screaming Fist.I.683
- Shake.B
- Shanghai
- SI-492.C
- SillyC (208 and 215)
- Sistor (1149 and 3009)
- Skew.445
- Slub
- Smoka
- Sofia-Term (837 and 887)
- Stardot.789.C
- Sterculius
- Spring
- Stimp
- Storm (1172 and 1218)
- Stupid.Sadam.Queit.B
- Sundevil
- Svc (1689.B, 1689.C and 3103.D)
- Sybille
- Sylvia (1321 and 1332.E)
- Syslock (Syslock.C and Syslock.D)
- Taiwan (708.B, 743.B and 752.B)
- Testvirus-B (B and C)
- Thirty-three
- Tic.97
- Timid.302
- Tomato
- Totoro
- Traveler Jack (854, 979, 980 and 982)
- Unexe
- Uruk Hai.427
- Ussr-707.B
- Vacsina (634, TP.5.B and TP.16.B)
- Vbasic.D
- VCL (506, 507, 604, 951, Anti-Gif, ByeBye, Earthquake, Paranoramia,
- Poisoning, VF93, VPT and Ziploc)
- VFSI.B
- Vienna (566, 623.B, 627.B, 644.C, 648.J, 648.K, 648.O, 648.Reboot.B,
- 648.Reboot.C, 648.Reboot.D, 648.Q, 648.R, 648.S, 648.X, 758,
- Choinka.B, Choinka.C, W-13.534.H, W-13.534.I, W-13.534.J,
- 648.Abacus, Bush and IWG)
- Virdem (1336.Bustard.A, 1336.Bustard.B and 1336.Cheater)
- Wilbur (B and D)
- Wildy
- Willow.2013
- Wisconsin.B
- Wolfman.B
- Wvar
- Xph (1029 and 1100)
- Xtac
- Yankee Doodle.Login.2967
- Year 1992.B
- Youth.640.B
-
- The following 71 new viruses can now be detected but not yet removed.
-
- _1403
- _1798
- Arcv (916, Friends.839, Jo.911, Scroll and Slime)
- Arusiek.817.B
- Atas II.1268
- Barrotes.1303
- Bobo
- Calc
- Civil War.552
- Close
- Darkray
- Digger (1000 and 1512)
- Dir-II (G, J and L)
- Du
- Dwi
- Error Inc
- Fairz
- Honey
- Inoc
- IVP (Mandela and Swank)
- Jerusalem.Zerotime.Australian.B
- Little Red
- Malmsey.806
- Marzia
- Mayak
- Mr D (A and B)
- Multichild.110
- Mutator.780
- Mystic
- Necro-fear
- November 17th.1007
- Number of the Beast (B.2 and E.2)
- Phalcon.Emo
- Predator (1072, 1137, 1148, 1195 and 2448)
- Proto-T.1053
- Rape.1885
- S-bug.Fruit-Fly
- Sarov
- Screaming Fist (II.650, II.652 and II.724)
- Screen+1.1654
- Seat
- Serene
- Shoo (2803 and 2824)
- Skater (699, 977 and 1021)
- Soupy (1001 and 1072)
- Student
- Suriv 1. Xuxa.1405
- SVC.2936
- Svm
- Velvet
- Yankee Doodle.2189
- Zherkov.2435
-
- The following 3 viruses which were detected by earlier versions can
- now be removed.
-
- HLL (3680 and Antiline)
- Loren
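The two mechanisms described near the top of this announcement, "exact" identification by a 32-bit checksum and the decision whether a new variant is similar enough to a known one to attempt disinfection with the known method, as an added Python example. This is not F-PROT's code and not from the digest; the search pattern, the sample bodies, the 32-byte checksummed region and the four-byte similarity threshold are all constructed assumptions chosen to make the logic visible.

```python
import zlib

BODY_LEN = 32          # bytes after the search pattern that the 32-bit checksum covers
SIMILAR_MAX_DIFF = 4   # assumed threshold: up to this many differing body bytes is "similar"

# family -> {"pattern": bytes, "variants": {crc32: (variant_name, body_bytes)}}
DATABASE = {}


def _body_after(pattern, data):
    """Slice out the BODY_LEN bytes following the first hit of the search pattern."""
    pos = data.find(pattern)
    if pos < 0:
        return None
    start = pos + len(pattern)
    return data[start:start + BODY_LEN]


def register_variant(family, variant, pattern, sample):
    """Record a known variant: the family search pattern and the checksum of its body."""
    body = _body_after(pattern, sample)
    if body is None or len(body) < BODY_LEN:
        raise ValueError("sample is missing its pattern or is too short")
    entry = DATABASE.setdefault(family, {"pattern": pattern, "variants": {}})
    entry["variants"][zlib.crc32(body) & 0xFFFFFFFF] = (variant, body)


def identify(data):
    """Return (report, exact, disinfect_as).

    exact is True only when the body checksum matches a known variant.
    disinfect_as names the known variant whose removal method may be reused,
    or None when the sample is too different from everything known."""
    for family, entry in DATABASE.items():
        body = _body_after(entry["pattern"], data)
        if body is None:
            continue
        crc = zlib.crc32(body) & 0xFFFFFFFF
        if crc in entry["variants"]:
            name = entry["variants"][crc][0]
            return ("%s.%s" % (family, name), True, name)
        # Pattern hit but no checksum match: measure the distance to each known body.
        closest, closest_diff = None, None
        for name, known in entry["variants"].values():
            diff = sum(1 for a, b in zip(body, known) if a != b) + abs(len(body) - len(known))
            if closest_diff is None or diff < closest_diff:
                closest, closest_diff = name, diff
        if closest_diff is not None and closest_diff <= SIMILAR_MAX_DIFF:
            return ("New or modified variant of %s.%s" % (family, closest), False, closest)
        return ("New or modified variant of %s" % family, False, None)
    return ("No virus found", False, None)


# Constructed samples for this example: placeholder bytes, not real viruses or signatures.
PATTERN = b"\xde\xad\xbe\xef\x00\x10\x20\x30"   # placeholder family search pattern
PREFIX = b"\xe9\x10\x00" + b"\x90" * 13          # filler before the pattern
BODY_A = bytes(range(0x40, 0x40 + BODY_LEN))
BODY_B = bytes(range(0x80, 0x80 + BODY_LEN))
SAMPLE_A = PREFIX + PATTERN + BODY_A + b"\xcb"
SAMPLE_B = PREFIX + PATTERN + BODY_B + b"\xcb"
register_variant("Example", "A", PATTERN, SAMPLE_A)
register_variant("Example", "B", PATTERN, SAMPLE_B)


def _patch(sample, offsets):
    """Flip the bytes at the given body offsets: a constructed 'modified variant'."""
    buf = bytearray(sample)
    base = len(PREFIX) + len(PATTERN)
    for off in offsets:
        buf[base + off] ^= 0xFF
    return bytes(buf)


NEAR_A = _patch(SAMPLE_A, (5, 9))                   # two body bytes differ from A
FAR = PREFIX + PATTERN + bytes(BODY_LEN) + b"\xcb"  # same pattern, unrelated body
CLEAN = b"\xb8\x00\x4c\xcd\x21" * 10                # pattern absent

if __name__ == "__main__":
    for label, sample in [("A", SAMPLE_A), ("near A", NEAR_A), ("far", FAR), ("clean", CLEAN)]:
        print(label, "->", identify(sample))
```

The checksum is what turns a pattern hit into an exact name; without it, two variants sharing a search string are indistinguishable, and the scanner can only report "new or modified". The byte-distance fallback is one simple way to express "sufficiently similar"; the announcement does not say how F-PROT measures it.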
-
- ------------------------------
-
- Date: Sat, 20 Nov 93 18:10:22 -0500
- From: "Rob Slade" <roberts@decus.ca>
- Subject: 1.2 Getting Started (CVP)
-
- BEGPAN4.CVP 931015
-
- 1.2 - Getting Started
-
- You likely have more resources than you realize. First of all, your
- own observations. If you can keep cool, and not panic, you can
- probably note and recall more than you think. Don't consider this
- as a potential loss of your accounts receivable, look at it as a
- detective story. Look for the clues.
-
- Get some paper and a writing implement. (Pen, pencil, sharp piece
- of coal: in this situation, who's fussy?) You will want to be as
- accurate and detailed as possible. Most crimes aren't solved by
- "Elementary, my dear Watson," cerebrations, but by "Just the facts,
- ma'am," deliberations. Start writing now. What type of computer is
- it? What operating system? What version of the operating system?
- What happened? (In detail.)
-
- Now start to inventory your resources. First, you want anything
- that can tell you about this machine. Do you have invoices with
- details of the machine such as the operating system and version?
- Invoices for the software? Was a file created for this machine?
- Have you got a file listing from the last time anything was added to
- it? What *was* the last thing added to it? Have you got a file
- listing from when it was first set up? Have you got a recent
- backup? (You do? Fortunate mortal!)
-
- Next, look for software that can tell you things about the present
- state of the machine. You do have some. There is a fair amount the
- operating system itself can tell you. How much disk space is left?
- Has that changed a lot? Memory is a *very* important factor. The
- Mac system info will tell you what programs are using how much
- memory. The MS-DOS CHKDSK program will tell you not only about the
- disk space and other interesting things, but also about the "total
- memory," which can sometimes pinpoint specific viral programs. If
- you have MS-DOS 5 or higher, MEM/C can give you a *lot* of
- information. Even if you can't use it, people you call on for help
- might be able to.
-
- Do you have utility or disk tool programs? These can also give you
- valuable information. Both commercial and shareware utilities can
- help here. If the computer is still working reasonably well, look
- at the memory statistics. Look at the files. Are there a lot of
- hidden files? Are there a lot of new files? Are there a lot of
- files with very close "creation dates"? Look at the disk boot
- sector, and the master boot record. There should be some common
- system messages there. If you don't see them, or see some odd
- messages, that's an indication, too.
-
- Are you writing all this down? Or, if the printer is still working,
- printing the screen to save all the data? (Starting to feel less
- panicked? Yes, you usually feel better when you have something to
- do.)
-
- copyright Robert M. Slade, 1993 BEGPAN4.CVP 931015
- Permission granted to distribute with unedited copies of the Digest
- ======================
- DECUS Canada Communications, Desktop, Education and Security group newsletters
- Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
- DECUS Symposium '94, Vancouver, BC, Mar 1-3, 1994, contact: rulag@decus.ca
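The inventory step above (compare against an earlier file listing, look for new files, hidden files and files with very close dates) as an added Python example; it is not part of the column and not from the digest. Both listings are constructed for the example in a simple "name size attributes date time" format; the per-file size-growth check goes one step beyond the column's disk-space question, and the five-minute window and three-file minimum for a timestamp cluster are assumptions.

```python
from datetime import datetime, timedelta

# Constructed listings (name, size, attributes H/S/R, last-write time); not from any real machine.
BASELINE = """\
COMMAND.COM   52925 ---- 1993-09-30 06:20
MSDOS.SYS     38138 HSR- 1993-09-30 06:20
IO.SYS        40470 HSR- 1993-09-30 06:20
WIN.COM       22425 ---- 1993-09-30 06:20
NET.EXE      114688 ---- 1993-10-12 09:05
"""

CURRENT = """\
COMMAND.COM   54733 ---- 1993-11-22 14:31
MSDOS.SYS     38138 HSR- 1993-09-30 06:20
IO.SYS        40470 HSR- 1993-09-30 06:20
WIN.COM       24233 ---- 1993-11-22 14:31
NET.EXE      116496 ---- 1993-11-22 14:32
HIDDEN.DAT      512 HSR- 1993-11-22 14:31
README.TXT     1402 ---- 1993-11-15 10:00
"""


def parse_listing(text):
    """Parse 'NAME SIZE ATTRS DATE TIME' lines into {name: {size, attrs, mtime}}."""
    files = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, size, attrs, date, time = line.split()
        files[name] = {
            "size": int(size),
            "attrs": attrs,
            "mtime": datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M"),
        }
    return files


def new_files(base, cur):
    """Names present now that were absent from the earlier listing."""
    return sorted(set(cur) - set(base))


def hidden_files(cur):
    return sorted(n for n, f in cur.items() if "H" in f["attrs"])


def grown_files(base, cur):
    """Files in both listings whose size increased, with the growth in bytes."""
    return sorted((n, cur[n]["size"] - base[n]["size"])
                  for n in cur if n in base and cur[n]["size"] > base[n]["size"])


def timestamp_clusters(files, window=timedelta(minutes=5), min_files=3):
    """Groups of at least min_files whose timestamps lie within `window` of the group's first."""
    ordered = sorted(files.items(), key=lambda kv: kv[1]["mtime"])
    clusters, group = [], []
    for name, info in ordered:
        if group and info["mtime"] - group[0][1] > window:
            if len(group) >= min_files:
                clusters.append(sorted(n for n, _ in group))
            group = []
        group.append((name, info["mtime"]))
    if len(group) >= min_files:
        clusters.append(sorted(n for n, _ in group))
    return clusters


def triage(baseline_text, current_text):
    """The four clues the column asks for, computed from two listings."""
    base, cur = parse_listing(baseline_text), parse_listing(current_text)
    return {
        "new": new_files(base, cur),
        "hidden": hidden_files(cur),
        "grown": grown_files(base, cur),
        "clusters": timestamp_clusters(cur),
    }


if __name__ == "__main__":
    for key, value in triage(BASELINE, CURRENT).items():
        print("%-8s %s" % (key, value))
```

The baseline matters as much as the current listing: an installation date clusters every system file too, so a timestamp group is only a clue when the files in it are new or changed relative to the last known-good listing. In the constructed data every executable grew by the same amount on the same afternoon, which is the kind of pattern worth writing down before calling for help.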
-
- ------------------------------
-
- Date: Sat, 20 Nov 93 18:17:19 -0500
- From: "Rob Slade" <roberts@decus.ca>
- Subject: Quick reference antiviral review chart
-
- QUICKREF.RVW 931114
-
- Quick reference antiviral review chart
-
- This listing is intended to give a quick overview guide to the comparative
- features and effectiveness of the many different antiviral products. If the
- version numbers are out of date, please send updated copies for review to Rob
- Slade at the address given at the end of this list.
-
- Product Ver Type UI Doc Ease Ovrl Price Comments
- SDRIMOE CG 1-4 I U 1-4
- | | | | | | | |
- Amiga
-
- BootX (discontinued) 5.23 SDRM G free
- amiga.physik.unizh.ch, ux1.cso.uiuc.edu
- or wuarchive.wustl.edu /mirrors2/amiga.physik.unizh.ch/util/virus
-
- Computer Virus Cat.9308 info 4 4 Free
- CARO, cert
-
- LDV 1.73
-
- VirusChecker 6.26 free
- amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu
-
- VirusX (outdated?)
- s.tibbett on BIX
-
- VirusZ 3.06
-
- Virus Tracker 2.45
-
- ZeroVirus
-
-
- Atari
-
- Chasseur II D ATCHSSR2.RVW
- atari.archive.umich.edu
-
- FCHECK 25 I ATFCHECK.RVW
- atari.archive.umich.edu
-
- Protect6 DR ATPROTCT.RVW
- atari.archive.umich.edu or larserio@ifi.uio.no
-
- Sagrotan 4.12 S ATSAGRTN.RVW
- atari.archive.umich.edu
-
- VIRUSDIE S ATVIRDIE.RVW
- atari.archive.umich.edu
-
- Computer Virus Cat.9308 info 4 4 Free
- CARO, cert
-
- VKILLER 3.84 SD ATVKILLR.RVW
- woodside@ttidca.com or atari.archive.umich.edu /atari/Utilities/Virus
-
-
- Mac
-
- Advanced Security (see MS-DOS)
-
- Computer Virus Cat.9308 info 4 4 Free
- CARO, cert
-
- Disinfectant 3.3 SDR Free
- nwu, sumex-aim.stanford.edu, mac.archive.umich.edu
-
- Gatekeeper 1.2.9 R MO Free
- Chris Johnson
-
- Rival
- Microseeds Publishing
-
- SAM 3.0.8 SD M $99
- Symantec/Norton
-
- Virex 4.1 (see MS-DOS, product not by same author)
-
- VirusDetective 5.10.5
- Jeff Shulman
-
-
- MS-DOS
-
- Advanced Security I OE C 2 2 3 1 PCADVGRV.RVW
- Advanced Gravis (no longer supported)
-
- AntiViral ToolKit 1.07B S IM $20
- CARO, eugene@kamis.msk.su
-
- Antivirus (IRIS) SDR M C 2 2 4 2 $49 PCANTIVR.RVW
- Fink Enterprises
-
- Antivirus-Plus SDR M C 2 2 4 2 $99 PCANTIVP.RVW
- Trend Micro
-
- Anti-Virus Toolkit 6.0? SDRIMO CG 3 2 3 4 PCDSAVT.RVW
- S&S International Ltd., sands@cix.compulink.co.uk, perComp Verlag, Ontrack
-
- Central Point Anti-virus SDRI O G 3 2 2 2 not coexist with others
- Central Point PCCPAV.RVW
-
- Certus LAN 2.0 SD I O CG 2 1 3 2 PCCERTUS.RVW
- Certus (no longer supported? cf Norton AntiVirus)
-
- Computer Virus Cat.9308 info 4 4 Free
- CARO, cert
-
- Control Room I G 2 4 4 2 PCCTRLRM.RVW
- Borland
-
- Data Physician + 3.1A SDRIM C 2 2 2 2 PCDATPHS.RVW
- Digital Dispatch
-
- DISKSECURE 2.32A IM C 2 3 3 4 BSIs only
- risc, urvax, eugene cf also FixMBR, FixUTIL PCDSKSEC.RVW
- SafeMBR, CHKSMBR, CHKMEM, CHKBOOT in FixUtil etc. are free
-
- Eliminator 1.17 SDR C 3 2 3 2 PCELMNTR.RVW
- Thecia
-
- F-PROT 2.09F SDR CG 3 3 3 4 home - free, bus. - $1/CPU
- frisk@complex.is, risc, urvax, eugene, garbo PCFPROT.RVW
-
- Hoffman Summary 310 info G 3 3 $35
- risc, urvax, eugene
-
- HTScan 2.0 S C 2 3 3 3 Free (non-comm.)
- (also VSIG 9303)
- risc, urvax, eugene, garbo
-
- HyperACCESS/5 S C 2 1 2 2 PCHA5.RVW, term program
- Hilgraeve with scanner
-
- IBM Antivirus/DOS 1.03 SRDI CG 2 2 2 3 $35 PCIBMAV.RVW
- local IBM rep
-
- Integrity Master 2.11 S I CG 3 3 3 $35 PCIM.RVW
- risc, urvax, eugene
-
- LANProtect 1.1 S CG 1 2 2 2
- Intel
-
- Mace Vaccine 3.0 M G 1 3 2 1 PCMACE.RVW
- Fifth Generation
-
- Norton AntiVirus SDRI G 2 3 2 3 $130 PCNRTNAV.RVW
- Symantec/Norton
-
- PC-Cillin 2.95L SDRIM G 3 3 3 2 $139 PCCILL2N.RVW
- Trend Micro
-
- SafeWord Virus-Safe 1.12 I C 2 3 4 3 PCSAFWRD.RVW
- Enigma Logic
-
- Thunderbyte Utility 6.08 SDRIMOE C 2 2 3 3 $29 PCTBSCAN.RVW
- risc, urvax, eugene, garbo
-
- VACCINE (WWS) 5.00 SD IMO C 2 1 2 2 PCWWSVCN.RVW
- The Davidsohn Group
-
- VACCINE (Sophos) 9111 S I CG 2 2 2 3 PCSOPHOS.RVW
-
- Untouchable 1.1 SDRIM CG 2 2 2 2 PCUNTUCH.RVW
- Fifth Generation Systems
-
- VDS 2.10T I CG 2 2 3 2 PCVDS.RVW
- risc, urvax, eugene
-
- VET 7.0? SDRIM C PCVET (in process)
- Cybec
-
- Victor Charlie 5.0 IM C 3 2 3 3 $99 PCVC.RVW
- Delta Base Enterprises
-
- Virex-PC 2.91 SDRIM G 4 2 4 4 $49 PCVIREX.RVW
- Datawatch (VIRx now assumed under this product)
-
- ViruCide 2.41 SD G 3 4 3 3 $49 PCVIRCID.RVW
- Parsons Technology
-
- Virus Buster 3.75 SDRIMO CG 3 3 3 4 PCVRBSTR.RVW
- Leprechaun Software (70451.3621@compuserve.com)
-
- VIRUSCAN Suite 108 SDRIM C 2 2 2 3 ~$25/module
- risc, urvax, SIMTEL, garbo, mcafee.com PCSCAN.RVW
-
- VirusSafe LAN 4.01 SDRI O CG 2 2 3 2 PCVIRSAF.RVW
- EliaShim Micro
-
- VIRx (see Virex-PC)
-
- Vi-Spy 10.0 SDR M CG 2 2 3 3 $150 PCVISPY.RVW
- RG Software Systems
-
-
- OS/2
-
- HyperACCESS/5 S C 2 1 2 2 PCHA5.RVW, term program
- Hilgraeve with scanner
-
- IBM Antivirus/OS/2 1.03 SRDI CG 2 2 2 3 $35 PCIBMAV.RVW
- local IBM rep
-
- SCAN/OS/2 Suite 108 SDRIM C 2 2 2 3 ~$35/module
- risc, urvax, SIMTEL, garbo, mcafee.com
-
-
- UNIX
-
- Computer Virus Cat.9308 info 4 4 Free
- CARO, cert
-
- Tripwire I Free
- ftp.cs.purdue.edu pub/spaf/COAST/Tripwire
-
-
- | | | | | | | |
-
- Key:
-
- Type - S=scanner, D=disinfection (restoration of state), R=resident,
- I=integrity checking, M=activity monitor, O=operation restricting,
- E=encryption
-
- UI - user interface - C=command line, G=menu or GUI
-
- The following are based on a 1=poor - 4=excellent scale
- Doc - documentation
- Ease - I=installation, U=use
- Ovrl - overall rating for general use
-
- Sites:
-
- CARO - ftp.informatik.uni-hamburg.de (134.100.4.42)
- cert - cert.org (192.88.209.5)
- eugene - eugene.utmb.edu (129.109.9.21)
- garbo - garbo.uwasa.fi (128.214.87.1)
- nwu - ftp.acns.nwu.edu (129.105.113.52)
- risc - risc.ua.edu (130.160.4.7)
- simtel - wsmr-simtel20.army.mil
- urvax - urvax.urich.edu (141.166.36.6)
-
- For others see Jim Wright's postings.
- For more detailed reviews see /pub/virus-l/docs/reviews at cert
- For general virus info see VIRUSFAQ.TXT at cert
-
- Please send updated versions of antivirals to Rob Slade at 3118 Baird Road,
- North Vancouver, BC, Canada, V7K 2G6. Please note that all shipments from
- outside of Canada should state very clearly that the material is for evaluation
- and has no commercial value. In addition, it is advisable to declare a media
- cost of $1 per disk and an "intellectual property" value of $1 per item such
- that the total does not exceed $15. Neither Rob Slade nor V.I.R.U.S. take any
- responsibility for shipments delayed or refused at Customs for failure to
- follow these directions.
-
- copyright Robert M. Slade, 1992, 1993 QUICKREF.RVW 931114
-
- ==============
- Vancouver ROBERTS@decus.ca | "It says 'Hit any
- Institute for Robert_Slade@sfu.ca | key to continue.'
- Research into rslade@cue.bc.ca | I can't find the
- User p1@CyberStore.ca | 'Any' key on my
- Security Canada V7K 2G6 | keyboard."
-
- ------------------------------
-
- Date: Mon, 29 Nov 93 09:43:26 -0500
- From: "Kenneth R. van Wyk" <krvw@assist.ims.disa.mil>
- Subject: Administrative: Call for volunteers
-
- VIRUS-L/comp.virus readers:
-
- As you're all aware, there are several ongoing activities that are
- made available to this group, such as the Frequently Asked Questions
- (FAQ) list, the archive site maintenance, etc. Most of these are
- "background tasks" that people have volunteered to work on over the
- years. I'm personally finding less and less time to devote to these
- things, so I'd like to solicit volunteers to spearhead a couple of
- these things.
-
- Specifically, I'm looking for volunteers to do each of the following:
-
- - - Update and maintain the FAQ sheet.
- - - Coordinate and post product reviews.
- - - Maintain an anonymous FTP area containing the VIRUS-L/comp.virus
- archives (i.e., back issues, documents, reviews).
-
- If anyone would like to take on any or all of these tasks, please let
- me know. Unfortunately, all that I can offer in return is my
- gratitude, and due credit on all of the work. I can also guarantee
- that you'll meet plenty of interesting people.
-
- Thanks,
-
- Ken
-
- Kenneth R. van Wyk
- Chief, Operations
- Automated System Security Incident Support Team (ASSIST)
- Center for Information Systems Security (CISS)
- Defense Information Systems Agency (DISA)
- Moderator, VIRUS-L/comp.virus
- krvw@ASSIST.IMS.DISA.MIL
-
- ASSIST Hotline: +1 703 756 7974
- ASSIST e-mail: assist@assist.ims.disa.mil
-
- ------------------------------
-
- End of VIRUS-L Digest [Volume 6 Issue 151]
- ******************************************
-