- To: VIRUS-L@LEHIGH.EDU
- Subject: VIRUS-L Digest V6 #152
- --------
- VIRUS-L Digest Wednesday, 1 Dec 1993 Volume 6 : Issue 152
-
- Today's Topics:
-
- Virus Myths 10th Edition
- Re: Freeware distribution of anti-virus software
- Book information request.
- Re: Tales about viri
- Re: Virus at an atomic power station
- Re: Automated virus scan every n days ? (PC)
- WinSleuth? (PC)
- Re: Once a week batch file (PC)
- Re: Sorry, I need more RAM memory (PC)
- Automated Virus Scan Every n Days - Remindme.zip (PC)
- Re: Commercial Virus Scanners in the dark??? (PC)
- Re: Removing Boot Sector Virus from Floppies (PC)
- Form Virus + WinNT 3.1 (PC)
- Re: Commercial Virus Scanners in the dark??? (PC)
- Automated virus scanning (PC)
- Re: Full version of AVP 1.07 available (PC)
- Re: Horror of Horrors! (PC)
- Re: Problems with Anti-Tel (A-Vir) (PC)
- Re: Removing the Moctezuma virus (PC)
- WinNT + Dos 6.0 + Form VIRUS!! (PC)
- Strange Behaviour of F-PROT, possible boot sector virus? (PC)
- Thunderbyte's reply about danger of TbClean (PC)
- 'D3' virus (PC).
- prevent programs (PC)
- Re: Save all you can (CVP)
- Getting Resources (CVP)
-
- VIRUS-L is a moderated, digested mail forum for discussing computer
- virus issues; comp.virus is a gatewayed and non-digested USENET
- counterpart. Discussions are not limited to any one hardware/software
- platform - diversity is welcomed. Contributions should be relevant,
- concise, polite, etc. (The complete set of posting guidelines is
- available by FTP on CERT.org or upon request.) Please sign submissions
- with your real name; anonymous postings will not be accepted.
- Information on accessing anti-virus, documentation, and back-issue
- archives is distributed periodically on the list. A FAQ (Frequently
- Asked Questions) document and all of the back-issues are available by
- anonymous FTP on CERT.org (192.88.209.5).
-
- Administrative mail (e.g., comments, suggestions, beer recipes)
- should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.
-
- All submissions should be sent to: VIRUS-L@Lehigh.edu.
-
- Ken van Wyk
-
- ----------------------------------------------------------------------
-
- Date: Tue, 23 Nov 93 11:52:04 -0500
- From: "Mark J. Miller" <mjm@tardis.svsu.edu>
- Subject: Virus Myths 10th Edition
-
- I've recently uploaded the 10th edition (4-Oct-93) of Computer Virus Myths
- by Rob Rosenberger & Ross M. Greenburg to the SIMTEL 20 archives & its
- primary mirror at OAK.OAKLAND.EDU. This document explains some of the
- more common misconceptions about viruses & what they can/cannot do.
-
- The file at OAKLAND is pub/msdos/virus/mythsv10.zip (PKWARE 2.04g).
-
- The file was uploaded by permission of the authors.
-
- Mark J. Miller
- Instructional Computing Programmer/Analyst
- Saginaw Valley State University
- mjm@tardis.svsu.edu
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 18:35:01 -0500
- From: "R. Wallace Hale" <halew@jupiter.sun.csd.unb.ca>
- Subject: Re: Freeware distribution of anti-virus software
-
- Kristian A. Bognaes (Norman Data Defense Systems) wrote:
-
- >I am a supporter of the freeware and shareware principles, and have
- >both written and supported applications on a "please support" basis.
-
- A friend in Gvarv frequently mentions both your firm and product,
- but I got the impression that there was little interest in the BBS
- and shareware world.
-
- >Still, I have a concern regarding this method of distribution when it
- >comes to anti-virus protection software: -
-
- It seems to be working quite well for Frisk et al...
-
- >I never made any money either, although the software is in use by many).
-
- Neither did I. <grin>
-
- R. Wallace Hale "Thinking is the hardest work there is,
- halew@nbnet.nb.ca which is the probable reason why so few
- BBS (506) 325-9002 engage in it." - Henry Ford
-
- ------------------------------
-
- Date: Wed, 24 Nov 93 05:00:23 -0500
- From: d.phillips@open.ac.uk (Dave Phillips)
- Subject: Book information request.
-
- I have been speaking with Kev HARRIS@lib.swbts.edu about info on viruses and
- how they work, and I told him about a new book I have got hold of. He
- requested more info on it and suggested I post the info to the bulletin board.
-
- So here's the info.
-
- Book: The Survivors Guide To Computer Viruses
- Edited by Victoria Lammer
-
- ISBN no. 0-9522114-0-8
-
- It's a book that brings together core info from previous editions of "Virus
- Bulletin".
- It's the first edition, released in September 93, and can be obtained from Virus
- Bulletin Ltd in the UK.
-
- Email address for more info is VIRUSBTN@VAX.OX.AC.UK
-
- I'm reading the book at present and find the info inside to be interesting
- and informative. (This is IMHO)
-
- Regards
-
- ------------------------------
-
- Date: Wed, 24 Nov 93 08:50:30 -0500
- From: ganino@jumbo.Read.TASC.COM (James S. Ganino)
- Subject: Re: Tales about viri
-
- >
- > Hi, this is JJ Merelo, from Granada, Spain. I gotta give a short talk
- > to non-techie users, and would like to add some spicy stories about
- > funny mistakes about viri/outright catastrophes caused by them/and any
- > other anecdote that may make some laughs (or some Oooohs) in a
- > conference.
- >
-
- For Oooohs, Aaaahs, and Laughs, I have found Pamela Kane's book,
- V.I.R.U.S Protection: Vital Information Resources Under Siege, to be a
- treasure trove. It is four years old, but it is still fun reading.
- If you wish, you can try to contact her directly; the latest e-mail
- address I have for her is pskane@dockmaster.ncsc.mil.
-
- - --
- James S. Ganino
- TASC
- 55 Walkers Brook Drive
- Reading, MA 01867
-
- ------------------------------
-
- Date: Wed, 24 Nov 93 14:37:17 +0000
- From: pdb@cdc.demon.co.uk (Peter Burnett)
- Subject: Re: Virus at an atomic power station
-
- A.APPLEYARD@fs1.mt.umist.ac.uk writes:
-
- > On Ceefax (text info transmitted via BBC TV 1 (a British TV channel) on
- >evening of Wed. 10 Nov 1993:-
-
- > VIRUS: A computer virus sparked a safety scare at Sizewell B nuclear power
- >station, the latest Computer Weekly says. A man was later sacked for
- >introducing unauthorized software.
-
- Well, the procedures that they have at Sizewell B Power Station
- failed, as on ALL security gates at the station there is a BIG blue
- sign saying that all PC based disks MUST be checked for viruses before
- being allowed onto the site, and it provides a phone number that anyone
- can call for assistance. Most equipment is searched prior to allowance
- on the site (I am a recent visitor as a contractor to the site),
- although I must say, when I went onto the site, I had PC disks with
- me, but was never asked about them nor did I offer them up for
- site inspection either.
-
- In one respect, their own procedures and other things failed. Signs,
- personnel and associated items DID not work. Whatever procedures you
- have, if they fail to be implemented, then the barriers are useless.
-
- Peter.
-
- - --
- +----------------------------------------------------------------+
- | Peter Burnett Post Design Services Software Support |
- +----------------------------------------------------------------+
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 11:07:18 -0500
- From: fguidry@crl.com (Fran Guidry)
- Subject: Re: Automated virus scan every n days ? (PC)
-
- lubberland@unh.edu <k_ford@unhh.unh.edu> wrote:
- >conn0060@maroon.tc.umn.edu (Michael F Conners-1) writes...
- >>>FPROT on my system. What I am looking for is a program/autoexec code
- >>>that will execute F-PROT and SCAN only once on say Thursday and then ignore
-
- [ stuff deleted ]
-
- >>I am also looking for a way to do this. My e-mail address is
- >
- >No, no! Put it on the net, please!
- >
-
- Is this a FAQable item? I have a terrific program by Yossi Gil
- called EVERY.COM, which provides very powerful testing for
- time periods. For instance, the program supports commands like
-
- every week run.exe
- every month run.exe
- every year run.exe
-
- as well as
-
- every thursday run.exe
-
- The doc gives no indication of licensing fees, so I'm
- assuming the program is freeware.
-
- I have just checked and the file is available on oak.oakland.edu
- in pub/msdos/batutl/every15.zip.
-
- Fran
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 11:14:25 -0500
- From: Fabio Esquivel <FESQUIVE@ucrvm2.bitnet>
- Subject: WinSleuth? (PC)
-
- Does anybody have any experience with the Win Sleuth antivirus?
- Where is it from? Is it good?
-
- Someone here says it identifies the Kamikaze and OM-97 viruses in the
- same PC, though F-Prot just finds Kamikaze.
-
- Any answer will be greatly appreciated,
- DATA SEGMENT PARA PUBLIC
- name DB 'Fabio Esquivel' ; C:\> dir a:
- bitnet DB 'fesquive@ucrvm2.bitnet' ; Virus found in drive A:
- internet DB 'fesquive@ucrvm2.ucr.ac.cr' ; Install, Kill, Panic?_
- DATA ENDS
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 13:00:34 -0500
- From: tdavis@shuttle.cc.umr.edu
- Subject: Re: Once a week batch file (PC)
-
- There have been several recent postings on the subject of running AV programs
- at boot on specific days. There have also been similar messages on CIS.
-
- Legare Coleman posted a batch file solution on CIS that works with the more
- recent DOS versions - those allowing CALL. (COMMAND /c does not work.)
-
- I have modified his solution to eliminate the need to prepare a second batch
- file in advance, and to have the code clean up completely after itself.
-
- Inclusion of these lines in AUTOEXEC.BAT will CALL a batch file named
- AVBATCH.BAT at (every) bootup on every Tuesday. Users will need to supply the
- AVBATCH file. This code is easily modified for any day of the week, or
- specific fully qualified date.
-
- - -----------------------------cut here----------------------------------------
-
- echo set dow=%%3> current.bat
- echo. | date > getdate.bat
- call getdate
- del getdate.bat
- del current.bat
- if "%dow%" == "Tue" call avbatch
- set dow=
-
- - -----------------------------cut here----------------------------------------
-
- Things to watch out for:
- %%3> must be exactly as shown, with 2 '%'s and no space between '3'
- and '>'. If the day of the week is not the 4th item in the top line
- of the date display, adjust the '3' accordingly.
- 'current' must be the first word in the top line of the date display.
- If not, substitute whatever is there.
- 'echo.' is whatever is required to echo a CR to the pipe.
- The 'if' test must match the day name wanted, with no extraneous
- spaces.
- The last line has no spaces following the '='.
-
- This works because the date text is written to a batch file, the first word of
- which is a valid command (because we made a batch file with that name). When
- GETDATE is called it jumps to CURRENT.BAT, passing it the rest of the top line
- of the date response as arguments. CURRENT.BAT then places the 3rd argument
- into the environment, where it can be retrieved when CURRENT.BAT terminates
- and the CALL returns.
-
- T.E.D. (tdavis@shuttle.cc.umr.edu)
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 13:24:33 -0500
- From: mcafee@netcom.com (McAfee Associates)
- Subject: Re: Sorry, I need more RAM memory (PC)
-
- Good morning Bill,
-
- vfreak@aol.com writes:
- >From: byng@solomon.technet.sg (Ng Bee Yong)
- [...deleted...]
-
- >Yes: this is a known bug in Scan 108. It is caused by using the /A
-
- Wrong. This was a known bug in Version 107 and was fixed in Version
- 108. The current release is Version 109.
-
- >parameter to scan all files. This bug happens after scanning
- >approximately 1,000 files. Stop using the /A parameter, and the bug
-
- The nature of the bug in Version 107 was that SCAN would allocate
- memory to uncompress PKLITE and LZEXE files in and then fail to deallocate
- the memory if SCAN did not scan a compressed file before changing to
- another directory. SCAN would then run out of buffer space to read other
- files into, report that it required more memory, and return to the DOS
- prompt.
-
- >will stop occurring.
- >
- >Bill lambdin
-
- Aryeh Goretsky
- McAfee Associates Technical Support
-
- - --
- - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
- McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
- 2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | or try: support@mcafee.com
- Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
- 95051-0963 USA | USR HST Courier DS | or GO MCAFEE
- Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 13:58:58 -0500
- From: dbs4331@zeus.tamu.edu (Dan Sline)
- Subject: Automated Virus Scan Every n Days - Remindme.zip (PC)
-
- As I had mentioned earlier I have been developing a program to Scan
- every "N" days. The beta is available to anyone who would like me to send it
- to you in uuencoded format.
-
- The program is not restricted to scanning for viruses using one
- particular program. Instead, it can automate several other tasks for you (like
- backing up your system).
-
- If you would like a copy, or have an ftp site I could put the program
- on, please send me email (Sliner@tamu.edu), and I will send a copy to you.
-
- Thank you in advance,
-
- Dan Sline
-
- Bitnet: DBS4331@tamvenus sliner@drycas (secondary address)
- Internet: sliner@tamu.edu sliner@drycas.club.cc.cmu.edu
- Compuserve: 71161,1455
- voicenet: 409-693-8730
- mailnet: 304 Kyle College Station, TX 77840
- The opinions expressed above are my own, and are not those of my employer.
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 14:26:31 -0500
- From: datadec@ucrengr.ucr.edu (kevin marcus)
- Subject: Re: Commercial Virus Scanners in the dark??? (PC)
-
- Vesselin Bontchev <bontchev@fbihh.informatik.uni-hamburg.de> wrote:
- >kevin marcus (datadec@ucrengr.ucr.edu) writes:
- >> >> I was a virus author, but decided that it was boring because, well,
- >> >
- >> >Agreed, it is.
- >
- >> Er...? How do you know if it is or isn't until you've done it?
- >
- >I am using my brains to figure it out. Don't you?
-
- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
- >> >stuff. I've heard that it has been so successful, that once it has
- >> >detected the decryption routine used by some anti-virus product to
- >> >decrypt its scan strings, which has caused false positives... :-)
- >
- >> I wouldn't call anything that gets false positives, "so successful".
- >
- >Maybe you shouldn't judge something that you don't know. But, of
-
- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
- Did I miss something here? Sometimes you are allowed to use your brain
- to figure out something, and other times you're not allowed to?
-
- If I use my brain here, I would say there is a contradiction.
-
- BTW, do you have more than one brain?
-
- - --
- -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
- CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
- Computer Science, University of California, Riverside.
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 14:30:03 -0500
- From: datadec@ucrengr.ucr.edu (kevin marcus)
- Subject: Re: Removing Boot Sector Virus from Floppies (PC)
-
- Vesselin Bontchev <bontchev@fbihh.informatik.uni-hamburg.de> wrote:
- >kevin marcus (datadec@ucrengr.ucr.edu) writes:
- >
- >> >The operations mentioned above -do- access the boot sector. DOS needs
- >> >to read the BIOS Parameter Block from it, in order to figure out the
- >> >parameters of the floppy (size, location of the root directory, etc.).
- >
- >> Er... While true, keep in mind that this is treated as data, and not
- >> code - it is not executed.
- >
- >I obviously know that, because I have emphasized it several times
- >here. Which part of my message led you to believe that I don't?
-
- Well, I was pointing it out for two reasons --
-
- 1) Because the readers of virus-l/comp.virus don't know (they have to
- guess) who the self-appointed experts are, in comparison with the real
- virus researchers, so hearing it from more than one source would probably
- be a reassuring point for them.
-
- 2) I was just making it clear in that particular comment block -
- because it wasn't.
- The part up top there with the ">> >" in front of it.
-
- - --
- -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
- CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
- Computer Science, University of California, Riverside.
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 18:41:56 -0500
- From: lestat@pearl.ctt.bellcore.com (David Gonzalez)
- Subject: Form Virus + WinNT 3.1 (PC)
-
- Hello:
- I have just discovered that our WinNT PC is infected
- with the Form virus. This is a Boot Sector virus and seems
- to run only under the MS-DOS setup, not the WinNT setup.
-
- How can I get rid of it? I know how to do it in a
- plain MS-DOS machine, but this one is running both options,
- it has the NT-Loader that asks whether I want MS-DOS or
- WinNT loaded.
- I assume that doing sys C: just won't do it....
-
- How can I create a new Recovery Disk, the current one
- is (as you may have guessed) infected by the Form virus...
-
- - --
- - ---------------------------------------------------
- David Gonzalez lestat@ctt.bellcore.com (Work)
- Bellcore dg4s@andrew.cmu.edu (Grad School)
- RRC 1-J214 lestat@rmece02.upr.clu.edu (UnderGrad School)
- 444 Hoes Lane
- Piscataway, NJ 08854
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 18:48:59 -0500
- From: "R. Wallace Hale" <halew@jupiter.sun.csd.unb.ca>
- Subject: Re: Commercial Virus Scanners in the dark??? (PC)
-
- >> and one person (Rock Steady) developed a virus called "Varicella"
- >
- >However, TbScan was not able to detect the virus in the first place,
- >so few people would have the idea to run TbClean on an infected file -
-
- If I may quibble a bit, both versions 6.04 and 6.05 of TBScan
- detected the specimen of Varicella that I have, and the relevant
- versions of TBClean did allow the virus to become active...
-
- >However, I agree with you that that particular version of
- >TbClean was dangerously buggy. The bug has been fixed, however, since
- >a long time.
-
- Two months (or thereabouts) is a long time? <grin>
-
- R. Wallace Hale "Thinking is the hardest work there is,
- halew@nbnet.nb.ca which is the probable reason why so few
- BBS (506) 325-9002 engage in it." - Henry Ford
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 20:32:06 -0500
- From: al026@yfn.ysu.edu (Joe Norton)
- Subject: Automated virus scanning (PC)
-
- I read a users message on here that wanted to execute a virus
- scanner once per week in his autoexec.bat file. I don't really
- recommend doing this since it's not as good as scanning after
- a clean floppy boot, but if you have many "WordPerfect Only" type
- people in an office that you manage, it could be something that
- would get used, and a clean boot wouldn't be.
-
- Anyways..... I wrote such a program if anyone wants it.
- It takes a weekday as the first parameter, and any command you
- want to run after that. It runs the program once, and only once
- on the specified weekday even if you boot more than once on that
- day. It is less than 4k (done in Turbo Pascal) and freeware.
- If anyone wants it I can post or email a uuencoded copy to you.
-
- I can add more features and such if needed, but don't expect
- a Windoze version, etc....8-; I'd start to feel that I was
- writing "huge bloated code" if this got over 10k...
-
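Both the batch-file gate posted earlier in this issue and the run-once-per-weekday tool described above come down to one check: is today the chosen weekday, and has the job already run today? The Python below is an added example (not EVERY.COM, the CIS batch file, or Joe Norton's Turbo Pascal program) that implements that check with a stamp file and replays a sequence of boot dates to show that a second boot on the same Tuesday is skipped; the stamp path and the scanner command are assumptions.

```python
"""Run a command at most once on a chosen weekday, even across several
boots on that day, by recording the last run date in a stamp file.

Added example; the stamp path and the command run are assumed, not
taken from any program mentioned in the digest."""
import datetime as dt
import subprocess
from pathlib import Path
from typing import Callable, List, Optional, Sequence

# Three-letter day names as DOS "DATE" prints them, mapped to Python's
# Monday=0 weekday numbering.
WEEKDAY_INDEX = {"mon": 0, "tue": 1, "wed": 2, "thu": 3,
                 "fri": 4, "sat": 5, "sun": 6}


def parse_weekday(name: str) -> int:
    """Accept 'Tue', 'tuesday', 'TUESDAY', ... and return 0..6."""
    key = name.strip().lower()[:3]
    if key not in WEEKDAY_INDEX:
        raise ValueError(f"unknown weekday: {name!r}")
    return WEEKDAY_INDEX[key]


def due(weekday: str, today: dt.date, last_run: Optional[dt.date]) -> bool:
    """True when today is the wanted weekday and the job has not run today.

    The second condition is what a plain 'if dow == Tue' in AUTOEXEC.BAT
    lacks: it would rerun the scan on every reboot that Tuesday."""
    if today.weekday() != parse_weekday(weekday):
        return False
    return last_run != today


def read_stamp(path: Path) -> Optional[dt.date]:
    """Last run date from the stamp file; missing or corrupt means never ran."""
    try:
        return dt.date.fromisoformat(path.read_text().strip())
    except (FileNotFoundError, ValueError):
        return None


def run_once_on(weekday: str, command: Sequence[str],
                stamp: Path = Path.home() / ".weekly-scan.stamp",  # assumed
                today: Optional[dt.date] = None,
                runner: Callable[[Sequence[str]], int] = subprocess.call) -> bool:
    """Run `command` if it is due; return True if it ran.

    The stamp is written only after the command returns, so a boot that is
    interrupted mid-scan still gets another chance later that day."""
    today = today or dt.date.today()
    if not due(weekday, today, read_stamp(stamp)):
        return False
    runner(list(command))
    stamp.write_text(today.isoformat())
    return True


def simulate_boots(weekday: str, boots: Sequence[str]) -> List[str]:
    """In-memory replay of a sequence of boot dates (ISO yyyy-mm-dd).

    Returns the dates on which the job would have run, so the
    run-once-per-day behaviour can be checked without touching disk."""
    last: Optional[dt.date] = None
    ran: List[str] = []
    for iso in boots:
        day = dt.date.fromisoformat(iso)
        if due(weekday, day, last):
            ran.append(iso)
            last = day
    return ran


if __name__ == "__main__":
    # Weekly scan gated to Tuesdays; the scanner command is a placeholder.
    print(run_once_on("Tue", ["echo", "scanner would run here"]))
```
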
- ------------------------------
-
- Date: Wed, 24 Nov 93 11:23:31 -0500
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Subject: Re: Full version of AVP 1.07 available (PC)
-
- William Fang (int877w@lindblat.cc.monash.edu.au) writes:
-
- > I've downloaded the file, did a scan using scan 9.19 v108 and
- > f-prot 2.09f just to make sure I didn't bring any viruses with
- > the latest batch of downloads (no offence, I got a whole heap
- > of junk, not just your files ;-)
-
- You were lucky that you did not use the /A option, otherwise SCAN
- 108 would have reported a "virus" in one of the files in the
- package. This is a false positive, as I already explained in one of my
- previous articles.
-
- > Anyway, started the program on the Temp partition and it asked
- > for V_930915.-VB which I assumed was the database it was complaining
- > about. I renamed the V_931105.-VB file and it seemed to work.
- > Should I have V_930915.-VB or does renaming the new (? I guess) file
- > work. Or is there a switch I'm meant to be using to use the newer
- > database?
-
- Damn't! Stupid me... :-( That's entirely my fault, sorry for the
- confusion. I'll correct the archive on the ftp site at once.
-
- The name of the file (V_931105.-VB) is correct - this is the latest
- update (that's why the 'b' in the name of the archive) and it
- indicates the date it has been created (in yymmdd format). No, there
- is no switch to indicate which database of virus detection information
- to use. However, the name of the database to be used is kept in the
- file -V.SET. It is a text file and you can use a text editor to edit
- it and put there V_931105.-VB, instead of V_930915.-VB (which is its
- current contents).
-
- Once more, sorry for the confusion. Just in case somebody is
- interested, here is how it has happened. I received the package by
- snail-mail and the update by e-mail. The update archive contained a
- correct -V.SET file, but obviously I have messed something up while
- merging the two archives.
-
- > I've done a quick look through the manual, but didn't stumble
- > across on anything on the name of the database, just how to do
- > fancy stuff using the pro version, and as a non-programmer, had
- > no idea what it was about.
-
- If you are using the "regular" version (-V.EXE), then the only
- solution is to edit the file -V.SET manually. I guess, that's a
- misfeature that has to be corrected. However, if you are using the
- "professional" version (-VPRO.EXE), you can press F4 from the main
- menu. This brings a submenu, called "Base Set" and you can use it to
- add or remove virus definition databases that will be used by the
- program. You can also edit those databases, unless they are locked
- (the ones that come with the package -are- locked, in order to prevent
- misuse). The result is that the file -V.SET is updated. Just delete
- the old database name and add the new one.
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
-
- ------------------------------
-
- Date: Wed, 24 Nov 93 11:40:28 -0500
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Subject: Re: Horror of Horrors! (PC)
-
- kevin marcus (datadec@ucrengr.ucr.edu) writes:
-
- > NAV 3.0 is quite unlike 2.1, (or less), so if you have had bad experiences
- > with NAV in the past, you should not anymore (unless you have a processor
- > under an 80286... :().
-
- I wouldn't say so. I have very serious problems making NAV 3.0 run
- from a batch file and produce a sensible report.
-
- First of all, it is not possible any more to redirect its standard
- output - because it simply does not write to stdout any more.
-
- Second, I had a very annoying problem of NAV stopping after every
- infection found and waiting for me to press <Enter>. Setting Tools /
- Options / Scanner / Advanced / Immediate Notification to OFF takes
- care of the problem - but only when you run the program
- interactively. For some reason, it doesn't work from the command
- line. That is, the program still stops, regardless of the fact that you have
- saved that particular option in its OFF status. Eventually, Jimmy
- advised me to set Tools / Options / Alerts / Remove Alert Dialog /
- After 0 seconds. Now the notification window disappears
- automatically, but it still appears (when the program is run from
- the command line), significantly slowing down the scanning process
- of a heavily infected system (or a virus collection).
-
- BTW, the above description gives some impression of how clumsy it is to
- change a single option. Worse, it is not possible to change those
- options from the command line. You have to start the program
- interactively, change the options, exit the program (they get saved
- automatically), and then run the program from the command line with
- the option settings required for that particular case.
-
- At last, I was unable to produce a report file automatically. There is
- a /report option, but it doesn't seem to do anything at all. There is
- no way to make the program create a report file while it is working.
- The most one can do is to run the program, then when it finishes -
- examine the activities log (interactively, from the menus), and select
- to print part of it in a file. Clumsy, and inappropriate for automatic
- preprocessing of the results. I tend to call such programs "not
- suitable for testing".
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
-
- ------------------------------
-
- Date: Wed, 24 Nov 93 12:07:34 -0500
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Subject: Re: Problems with Anti-Tel (A-Vir) (PC)
-
- Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:
-
- > 4) The virus is a DOS Boot Sector Infector, so in order to remove it,
- > it is enough to SYS the infected volume. Beware, however, that the
- > virus is stealth and you must make sure that it is not present in
- > memory when you are trying to remove it. The only certain way to
- > ensure this is to cold-boot from a write-protected uninfected system
- > diskette. Since you will do SYS, you must make sure that the diskette
- > contains the same version of the operating system as the volume you
- > intend to SYS.
-
- Ignore the above, it's completely wrong. This virus is an MBR
- infector, not a DBS infector. It can be removed with FDISK /MBR, but
- NOT with SYS. Sorry if my incorrect advice has caused any confusion
- and thanks to the person who spotted the mistake and e-mailed me. Too
- bad, it seems that I cannot keep in mind even the basic properties of
- the boot sector viruses... :-(( Probably there are too many of them
- already...
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
-
- ------------------------------
-
- Date: Wed, 24 Nov 93 12:28:08 -0500
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Subject: Re: Removing the Moctezuma virus (PC)
-
- manas (SANYALM@CNSVAX.UWEC.EDU) writes:
-
- > I was trying to get rid of the Moctezuma virus. The virus infected just the
- > three .exe files on the disk.
- > It was not detected by VPCScan V2.2.
-
- Version 2.2 is obsolete. The latest one is 2.91. It is able to detect
- the virus reliably. However, when I ran it in removal mode (-br), it
- said that the virus is removed, but didn't actually touch anything.
- Maybe the registered version doesn't have this problem.
-
- > CLEAN 9.17 V106 couldn't remove it.
-
- Neither can CLEAN 9.20 V109.
-
- > I used Norton AntiVirus V2.2 and that wouldn't remove it either.
-
- There is no such version of NAV. The existing ones are 1.0, 2.0, 2.1,
- and 3.0. Version 2.1 (with the latest updates of the virus
- definitions) is able to disinfect only the COM files. I was not able
- to make version 3.0 do even that reliably.
-
- > What can I use to get rid of the virus without having to delete the files?
-
- I tested some other programs. Here are the results:
-
- F-Prot 2.10 - disinfects only COM files
- FindVirus 6.51 - doesn't disinfect anything
- AntiVir IV - disinfects only COM files
- CPAV 2.1 - doesn't disinfect anything
- IBM Antivirus/DOS 1.03 - doesn't disinfect anything
- AntiVirus Pro 1.07b - DISINFECTS EVERYTHING
- PCVP 1.23 - deletes everything
- UTScan 29.04 - doesn't disinfect anything and crashes
- VET 7.50 - doesn't disinfect anything
-
- Conclusion: Get AVP 1.07b from our ftp site (beware, it's more than a
- meg). It will be able to repair the infected files.
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
-
- ------------------------------
-
- Date: Wed, 24 Nov 93 17:05:15 -0500
- From: lestat@pearl.ctt.bellcore.com (David Gonzalez)
- Subject: WinNT + Dos 6.0 + Form VIRUS!! (PC)
-
- Hello:
- I am having a bit of a problem with a boot sector
- virus called Form.
- It has managed to contaminate the Boot sector of
- my PC. Up to this morning, I was still able to boot WinNT
- and Dos, but now, it seems that the boot loader has
- been damaged since the machine just locks up.
-
- Unfortunately, I scanned the NT recovery disk and
- it also has the virus :-(.
- Now, I know how to remove the virus, and all that
- stuff, the part I don't know is how to avoid damaging the
- NT Loader.
- Just in case:
- Dos 6.0, WinNT 3.1 (without patches), McAfee Clean V108,
- Scan V109. Virus: Form, seems to be the "Canadian" variant
- according to data from the Vsum 310.
-
- - --
- - ---------------------------------------------------
- David Gonzalez lestat@ctt.bellcore.com (Work)
- Bellcore dg4s@andrew.cmu.edu (Grad School)
- RRC 1-J214 lestat@rmece02.upr.clu.edu (UnderGrad School)
- 444 Hoes Lane
- Piscataway, NJ 08854
-
- ------------------------------
-
- Date: Thu, 25 Nov 93 15:54:45 -0500
- From: eastwood@unbsj.ca (Eric Eastwood)
- Subject: Strange Behaviour of F-PROT, possible boot sector virus? (PC)
-
- Hi,
- I am having a small problem with a possible virus on our campus (more
- specifically in our engineering PC lab). The problem is isolating the virus
- (?). The order of events is something like this:
-
- 1) 09:00 Get a report of a virus in the engineering PC lab. The lab is
- closed to all access until we can isolate the problem.
-
- 2) 09:30 Have the virus located on one machine in lab and get reports
- from F-PROT 2.09f saying that the "TELECOM virus" is in
- memory. Only if you boot the machine using the hard drive and
- letting autoexec.bat be run. (loadhigh, mouse, doskey, msav
- and mode are the only programs in autoexec.bat). If autoexec is not run,
- the virus is not seen.
-
- 3) 10:00 Find virus on about half of the machines in the lab using F-
- PROT after booting the machines with a full pass of the
- autoexec.bat.
-
- 4) 10:15 Discover that only F-PROT will find the virus, MSAV and SCAN
- do not find the virus.
-
- 5) 11:00 Get virus to infect a disk with f-prot on the disk. The disk
- will consistently give a hit for the "TELECOM" virus. Cannot
- tell where the virus is because we do not have a duplicate and
- no file sizes or dates were changed.
-
- 6) 11:45 Try to get virus to infect another disk that we have made in
- our offices as a duplicate of a master disk. The virus will
- not attack the disk, even though it is still reported in
- memory. We also start to low level format each of the drives
- in the lab (20 machines in all).
-
- 7) 13:15 After trying for over an hour to get the virus to act
- consistently, the virus seems to disappear from the infected
- F-Prot disk even though it is write protected.
-
- 8) 13:45 Get the original disk that was used to do the scanning and
- find that it has been modified by Central Point Anti-Virus to
- have external self checking code. All disks scanned with this
- disk give gibberish lines such as follows when scanning the
- boot sector:
- Rn NCI brnmnirrrnrrrt,arrai-ars]/nha t virus-infected right now (Y/N) ?
-
- 9) 14:20 Gather all disks used to try to disinfect the lab. Boot and
- scan each disk, all report clean. The one machine in the lab
- that we have not reformatted still reports the TELECOM virus
- when msav is run.
-
- 10) 15:00 For the sake of our collective sanity, we stop trying to find
- the virus to sit back and reflect on what has happened.
-
- 11) 16:00 Show the disk that the virus had appeared to leave to the person
- who had initially isolated the virus, and the virus was back
- with more gibberish than before, and will not give a hit for the
- TELECOM virus.
-
- As part of trying to figure out what happened I decided to write this
- note and see if any of you have any suggestions as to what we could do
- next.
- Have we been chasing a non-virus conflict between MSAV and F-PROT?
- Is there any other way to rid ourselves of this virus besides
- reformatting all of the hard drives on campus?
-
- K. Eric Eastwood, UNBSJ Computing Services
- KEE@UNSBJ.CA
- ***
- K. Eric Eastwood, Systems Analyst, Computing Services - kee@unbsj.ca
- University of New Brunswick Saint John, P.O. Box 5050 - ph: (506) 648-5551
- Saint John, New Brunswick, Canada E2L 4L5 - fax:(506) 648-5528
-
- ------------------------------
-
- Date: Fri, 26 Nov 93 05:02:46 -0500
- From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
- Subject: Thunderbyte's reply about danger of TbClean (PC)
-
- Hi all,
-
- Here is the *official* answer from Frans Veldman (author of TBAV) about the
- danger of using TbClean (esp. the heuristic cleaning) and the so called
- 'dangerous' virus "Varicella".
- There is no danger (at least not since the release of 6.02 or so)
- and there never really was !!
-
- > the _terrible_ bug, was with the TBCLEAN.EXE utility, this program which is
-
- Very exaggerated! See below.
-
- > and one person (Rock Steady) developed a virus called "Varicella" this
- > virus did exactly the above! meaning if I gave you a file (anyfile)
- > infected with the Varicella virus, and if you tried to clean this virus
- > infected file with tbclean, what would actually happen is that tbclean
- > will report "that this file is not infected by a virus" but what
- > _actually_ happened was that the virus escaped the controlled environment
- > that tbclean setup to try to disinfect the file, and the virus will go
- > resident and hook interrupts 21h,13h,8h,1ch. and it will allocate memory
- > under the TOM, and fool tbclean in reporting that no virus is in the
- > file, and tbclean will exit normally!
-
- > whereby, in fact the varicella virus went resident and is now infecting
- > the system. and to advice you, the varicella virus is fairly a stealth
- > virus that disinfects files on the fly, when opened and reinfects them
- > when closed, and it hides its virus length very well! such a virus can
- > easily get out of control on a huge level. all because we trusted
- > heuristic scanning!
-
- Heuristic scanning? Heuristic cleaning you mean! There is absolutely nothing
- dangerous with heuristic *scanning*.
-
- > because tbclean, actually tries to remove viruses from the infect file
- > by executing the virus, with the help of the int 1 & 3. makes this
-
- TbClean will normally use the Anti-Vir.Dat records, which do not pose any
- risk at all. Heuristic cleaning will only be performed as a last resort,
- if all other means to clean a file failed, mainly because the user
- neglected to use TbSetup. If you apply our tools correctly, there is and
- has never been any danger.
-
- > method very dangerous to use! as shown to you by mr. rock steady of
- > Nuke.
-
- If you don't like it, simply disable the heuristic cleaning feature of
- TbClean.
-
- > so before you think "heuristic" is the best method of
- > scanning/cleaning think again! the rate of false positives is WAY TOO
- > HIGH! and remember that the average computer user is not a geniusssis
-
- ??? How do you mean 'Too high'? According to what standard? The default
- heuristic mode of TbScan does not cause any false alarm.
-
- > heuristics may have a future, but not for a while, not till it is
- > perfected!
-
- Heuristic is already perfect. It detects about 90% of the new viruses.
- This means that 9 out of 10 completely new viruses are detected before
- we, the authors of TBAV, even have seen the virus.
-
- Anyway, to your information, the Varicella virus isn't able to escape from
- TbClean anymore since the last four releases.
-
- - --
-
- Thunderbye,
- Frans Veldman
-
- <*** PGP 2.3 public key available on request ***>
- - --
-
- Piet de Bondt E-mail: bondt@dutiws.twi.tudelft.nl
- ===================================================================
- FTP-Admin for MSDOS Anti-virus software at: ftp.twi.tudelft.nl
-
- ------------------------------
-
- Date: Fri, 26 Nov 93 07:44:46 -0500
- From: P.Lucas@mail.nerc-swindon.ac.uk
- Subject: 'D3' virus (PC).
-
- Does anyone have any information on what S&S [Alan Solomon]
- describe as the 'D3' virus?
- It's a boot-sector infector that apparently has no payload
- and is not stealthed. It hooks int13.
-
- Any additional info on its behaviour, or what it's
- called by others, would be of interest.
-
- - -Peter J.M. Lucas NERC Computer Services Swindon England.
- pjml@swmis.nsw.ac.uk pjml@uk.ac.nsw.swmis g6wbj@gb7sdn.gbr.eu
- Why does Reality have to be in the public domain?
-
- ------------------------------
-
- Date: Tue, 23 Nov 93 12:02:20 -0500
- From: "Mark J. Miller" <mjm@tardis.svsu.edu>
- Subject: prevent programs (PC)
-
- Has anyone heard of a program that will allow you to specify that
- only certain programs can be run under MS-DOS?
-
- McAfee has VSHIELD, but I think it's kind of expensive.
-
- Also, I saw mention of a "Virus Bulletin". Can someone please tell
- me how to get copies of this? Thanks.
-
- Mark J. Miller
- Instructional Computing Programmer/Analyst
- Saginaw Valley State University
- mjm@tardis.svsu.edu
-
- ------------------------------
-
- Date: Wed, 24 Nov 93 13:39:18 -0500
- From: Ellen Carrico <ecarrico@spl.lib.wa.us>
- Subject: Re: Save all you can (CVP)
-
- > From: "Rob Slade" <roberts@decus.ca>
- > BEGPAN3.CVP 931015
- > OK. Maybe we don't yet know what is wrong, but if the computer is
- > still running, we can start some salvage operations. Let's do a
- > backup.
- > [stuff deleted]
- > What? Copy each individual file for Windows and all your Windows
- > apps? No. Don't bother with the programs. If it turns out that a
- > bunch of your programs are infected, the best thing to do, anyways,
- > is erase and re-install them. Besides, the programs aren't the
- > valuable parts. How much did that really extravagant database
- > program cost you, anyway? $500? Even if you don't have the
- > original disks to install it again, you can run down to the store
-
- If you have a legal copy, you *should* have the disks, shouldn't you?
-
- > If you are on a network, backing up can be as simple as copying all
- > your data onto the server. This is especially so if the server is a
- As a former system/network admin I have to say there is NOTHING simple
- about having users back their data up to a server. Often servers (DOS,
- OS/2 and Unix are the ones I'm familiar with) are carefully partitioned to
- make certain that *all* users have proper access and space availability.
- If someone suddenly decides to dump about 30-60 Mb of data and programs (I
- don't have any faith at all that people won't decide to back up their
- program files "just in case") onto a server which is already at maximum
- usage it can cause all kinds of nightmares for the administrator. In
- addition, a simple request to the administrator will often result in extra
- help in handling the backup. Trust me, there is a reason for system
- operators and admins to limit use and access. Come to think of it, I'm sure
- *I* spent a lot more time being yelled AT than yelling at someone else. Oh,
- and one final point, your admin should *definitely* be told if your
- workstation is infected as part of your system security.
-
- > different type of machine (eg. you are working on a PC or Mac, and
- > the server is a VAX). Don't worry if the system operators yell at
- > you for exceeding quota: this is an emergency, and they are always
- > yelling at somebody, anyway.
-
- YOUR emergency isn't necessarily anyone else's emergency ... ;-)
-
- > Of course, the best solution is to back up both ways. Redundant
- > backup, it's called. Poor choice of words. If something crashes, a
- > backup is *never* redundant.
-
- You're right that you can never have too many good backups. However,
- before you back up onto a server you need to check the policy that has
- been set by your company/school/administrator. Otherwise, you might find
- that the data you thought you had carefully and securely backed up onto
- the server was deleted by your administrator.
-
- > copyright Robert M. Slade, 1993 BEGPAN3.CVP 931015
-
- > Vancouver ROBERTS@decus.ca | Lotteries are a tax
- > Institute for Robert_Slade@sfu.ca | on the arithmetically
- > Research into rslade@cue.bc.ca | impaired.
- > User p1@CyberStore.ca |
- > Security Canada V7K 2G6 |
-
- Ellen Carrico ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Microcomputer Coordinator "A motorcycle is a tool for turning the Machine
- Automated Services Age back on itself, for removing shackles. It
- Seattle Public Library won't fix everything that's wrong with the world,
- (206)386-4168 but, hey, ... it's definitely a move in the right
- ecarrico@spl.lib.wa.us direction." --Paul Pascarella
-
- ------------------------------
-
- Date: Fri, 26 Nov 93 11:52:04 -0500
- From: "Rob Slade" <roberts@decus.ca>
- Subject: Getting Resources (CVP)
-
- BEGPAN5.CVP 931103
-
- Getting Resources
-
- There are probably a number of things around you that you can use
- either to diagnose the problem or to aid in recovery. We've looked
- at some of the basic information, resources and history that might
- help. Now, let's look for some tools which might be less obvious.
-
- Another computer is a big help, particularly if you are pretty sure
- it hasn't been infected or affected. If you have several, that can
- be a real big help. Another computer can be used to examine
- (carefully) floppy disks and files from the infected machine, to try
- and determine what is being infected, and how. If you don't have a
- "clean system disk", that pre-requisite for any virus disinfection,
- you can make one from the other computer.
-
- You may be able to confirm or deny a virus infection with the other
- machines. If you suspect a virus simply on the basis that
- "something weird is happening," then you probably don't have a virus
- at all. Computers do many strange and wonderful things, only very
- few of them at the behest of viral programs. In any event,
- "swapping out" bits and pieces of the computers may identify some
- malfunctioning hardware. You still have a problem, but at least it
- is an isolated and identifiable one.
-
- Along with whatever system and utility software you can find, get
- several blank, formatted disks. Make some of them system disks.
- Copy a range of programs on to them, of different types and sizes.
- These disks and files you will want to use as bait. (If the
- infected computer uses different types and sizes of disks, get
- examples of all the various formats.) Record the file sizes and
- dates of the "bait" files, as well as the "free space" remaining on
- the disk. (Viral programs may use various means to hide the fact
- that a file has grown. Few, however, bother to try to hide the fact
- that disk space has shrunk.) Take a look at the boot sectors of the
- disks so that you will be able to notice any changes if they are
- changed.
-
- Get a pot of coffee. Get a few friends, even if computer
- illiterate, for the moral support and the extra eyes. (Observations
- are key.) Get some lunch. Get some perspective. Don't Panic.
-
- copyright Robert M. Slade, 1993 BEGPAN5.CVP 931103
-
- =============
- Vancouver ROBERTS@decus.ca | Life is
- Institute for Robert_Slade@sfu.ca | unpredictable:
- Research into rslade@cue.bc.ca | eat dessert
- User p1@CyberStore.ca | first.
- Security Canada V7K 2G6 |
-
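The bait-disk procedure in the column above (record file sizes and dates, free space and the boot sector, then look for changes) can be scripted. The following is an added example, not code from Rob Slade's column or from any product named in this digest; it also covers item 8 of Eric Eastwood's report earlier in the digest, where the scanning disk itself had been modified by another anti-virus product, which the same record-and-compare step applied to the tools disk would have flagged. The bait file names and contents, the free-space figures and the boot-sector bytes are constructed for the demonstration, and the "disk" is a temporary directory, so it runs offline. As the column says, the recording and the comparison should be done from the other, clean machine; a resident stealth virus on the suspect machine can lie to whatever program reads the files.

```python
"""Record and later re-check "bait" files, free space and a boot-sector image.

Added example for the bait-disk procedure; not code from Rob Slade's column
or from any product named in the digest. Bait names, contents, free-space
figures and boot-sector bytes below are constructed for the demonstration.
"""
import hashlib
import json
import os
import shutil
import tempfile

# Constructed bait files of different types and sizes (hypothetical names).
BAIT_FILES = {
    "small.com": b"\xb4\x4c\xcd\x21" + b"\x90" * 60,   # 64 bytes
    "medium.exe": b"MZ" + b"\x00" * 2046,              # 2048 bytes
    "large.exe": b"MZ" + bytes(range(256)) * 32,       # 8194 bytes
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root, boot_sector, free_bytes=None):
    """Size, date and hash of every file under root, the free space, and a
    hash of the boot sector image. free_bytes may be supplied by the caller
    (the demo passes constructed values); otherwise shutil.disk_usage is used."""
    files = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            st = os.stat(path)
            files[name] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                           "sha256": sha256_file(path)}
    if free_bytes is None:
        free_bytes = shutil.disk_usage(root).free
    return {"files": files, "free_bytes": free_bytes,
            "boot_sector_sha256": sha256_bytes(boot_sector)}


def save_baseline(baseline, path):
    """Write the record somewhere off the suspect machine."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """List every difference, including a file whose content changed while
    its directory entry (size and date) stayed the same."""
    findings = []
    for name, old in baseline["files"].items():
        new = current["files"].get(name)
        if new is None:
            findings.append(f"{name}: missing")
        elif new["sha256"] != old["sha256"]:
            if new["size"] == old["size"] and new["mtime_ns"] == old["mtime_ns"]:
                findings.append(f"{name}: content changed, size and date unchanged")
            else:
                findings.append(f"{name}: content changed, size {old['size']} -> {new['size']}")
    for name in current["files"]:
        if name not in baseline["files"]:
            findings.append(f"{name}: new file")
    if current["boot_sector_sha256"] != baseline["boot_sector_sha256"]:
        findings.append("boot sector changed")
    if current["free_bytes"] < baseline["free_bytes"]:
        findings.append(f"free space shrank by {baseline['free_bytes'] - current['free_bytes']} bytes")
    return findings


def demo():
    """Build a bait directory, record it, apply constructed changes, re-check."""
    work = tempfile.mkdtemp(prefix="bait-")
    root = os.path.join(work, "disk")
    os.mkdir(root)
    try:
        for name, data in BAIT_FILES.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        boot = bytes(512)  # constructed blank boot sector image
        before = take_baseline(root, boot, free_bytes=1_457_664)  # constructed figure
        record = os.path.join(work, "baseline.json")
        save_baseline(before, record)

        # Constructed changes: one file grows, another is patched in place with
        # its original date written back, the boot sector image changes, and
        # free space drops by the amount that was appended.
        with open(os.path.join(root, "medium.exe"), "ab") as f:
            f.write(b"\xcc" * 1024)
        patched = os.path.join(root, "small.com")
        st = os.stat(patched)
        with open(patched, "r+b") as f:
            f.write(b"\xe9\x00\x00")
        os.utime(patched, ns=(st.st_atime_ns, st.st_mtime_ns))
        after = take_baseline(root, b"\xeb\x3c" + boot[2:], free_bytes=1_457_664 - 1024)
        return compare(load_baseline(record), after)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The hash catches the in-place patch that a size-and-date comparison alone would miss, which is the point of the column's remark that viral programs hide file growth; the free-space check is kept separately because, as the column also notes, few bother to hide that the disk has shrunk.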
- ------------------------------
-
- End of VIRUS-L Digest [Volume 6 Issue 152]
- ******************************************
-