VIRUS-L Digest   Thursday, 6 Jan 1994    Volume 7 : Issue 2

Today's Topics:

Responsabilities.
Lawyer and lawyerese
Re: Liabilities
Study on time spent tracking infections
Treasury Department BBS
"# Thank you!." ???? (UNIX)
Re: stoned infection (PC)
Jack the Ripper virus in England (PC)
cpav anti-virus for netware 2.0 (PC)
Re: "Perry" Virus found on PC with tnt-virusscan (PC)
Re: Flip false +ve in DOS 6 VSafe by VET (PC)
"RIPPER" information. (PC)
List of viruses for NetWare 3.11? (PC)
Quox found in Switzerland (PC)
Trouble ???? something's inconsistant here.... (PC)
Re: Help against Freddy Krueger ! (PC)
Re: Satan bug on 500 user lan (PC)
Re: I think I have a virus (PC)
AVP v1.07b And Scan v109 (PC)
McAfee Vshield and Windows (bad combination) (PC)
New Virus? (PC)
[Q] Cross-linked files => virus? (PC)
[Q] Cross-linked files => virus? (PC)
New Virus? (PC)
Windows viruses? (PC)
PS to "Help !! I have virus in my partition table..." (PC)
Re: Running F-PROT 2.10 in DOS Window? (PC)
Re: 'Anti-viral' Viruses (PC).
2.1 Assume you're wrong (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
   Ken van Wyk

----------------------------------------------------------------------

Date:    Sun, 19 Dec 93 15:05:52 -0500
From:    src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
Subject: Responsabilities.

frisk@complex.is (Fridrik Skulason) writes

>ktark@src4src.linet.org (Karl Tarhk) writes:
>>I am a gun manufacturer and inventor. Should I be held liable for the
>>uses and misuses of such weapon, if I am not able to control who gets
>>it and who does not? Absolutely, positively NOT!

>Well, that is your opinion - I know a few people that would disagree with you.
>However - this analogy is no good, as the sale and distribution of weapons
>is considered "acceptable" in most "civilized" societies.

So what? A few 'civilized' societies considered slavery 'acceptable' just a few generations ago! To judge something on the basis of acceptance by 'civilized' societies is a poor excuse to deem something as right or wrong.

>Assume instead that you have invented a new type of poison, nerve gas or
>a biological virus - something that most people would agree that unauthorized
>persons should not be playing around with or creating..
>Then, yes....I would say it was certainly your responsibility to make sure
>it did not fall into the wrong hands, and if it did, then some people would
>certainly like to hold you personally responsible.

>>And we all know that there is a few CARO virus collections floating

>We do ? Unfortunately, there is no such thing as a "CARO virus collection".

Uh, well, Patricia Hoffman seems to think there is a 'CARO virus collection'. I guess everyone has been reading the wrong things. :)

>There are several different collections in existence - some of which happen
>to be owned by a caro member. If you have any evidence any of those
>collections are "floating around in the wrong places", please prove that - or
>consult a lawyer before you make claims like this again. (This does not mean

Why would I need a lawyer for this? You and Mr. Bontchev have released more source codes to the wrong hands than most virus writers have ever written, and yes I CAN prove it!! The point is: You were just as irresponsible as the people you like to condemn.

>that there have never been "leaks" from the research community to the
>"underground"...but they seem (fortunately) to be a thing of the past).

Well, those leaks are real and are more than just 'minor' in quantity.

>>You are assuming something that can NOT be proven: Computer viruses
>>are inherently destructive. This is false;

>It is ? Please prove it.

None of you have been able to prove otherwise! If it is not true then it is [fill the blank].. Or are you, Mr. Skulason, talking about modal logic or Lukasiewicz's three valued logic perhaps? :)

>By my definition, a computer virus has to modify something in order to spread.
>The modified object may no longer work properly

'MAY' is the key word here. To make a generalization on the inherent properties of a virus based on 'may and may nots' is a clear lack of good judgement.

>- so even if the virus is
>intended to be harmless, that is unfortunately never the case.

NEVER the case? Can you prove so? Can you show some objective statistics or studies done on the subject? Or is it all your own judgement and experience?

ktark@src4src.linet.org

------------------------------

Date:    Mon, 20 Dec 93 20:59:39 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Lawyer and lawyerese

>From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
>Have you ever heard of disclaimers?
>That takes care of any implied secondary intentions you might want to
>give to the manufacturer.
>To complete my point: If the product has a proper disclaimer notice
>the manufacturer cannot be held liable for the proper / improper use
>of whatever the product is.
>Computer viruses included.

Not a lawyer but am just about sure that this is not true, certain things cannot be "disclaimered".
I believe this has something to do with things like "expectation", "implied warranty", and "due care", at least in this country. Further, civil actions need a *lot* less proof than criminal. Any real lawyers care to comment?

Warmly,
Padgett

------------------------------

Date:    Tue, 21 Dec 93 06:00:19 -0500
From:    Rob
Subject: Re: Liabilities

ktark@src4src.linet.org writes (and quotes):

> >> Viruses are just inanimate pieces
> >> of computer code.
>
> >That doesn't prevent them from spreading rather well.
>
> Shall we mention the percentage of the ones that DO NOT replicate at
> all, i.e. cannot 'escape' in newer / exotic DOS systems??

I believe the use of the word 'cannot' in the context of viruses is as appropriate as 'never' in the rest of our daily lives. And what, if I might ask, is your point? That because some viruses don't escape, we shouldn't say that some (most?) of them do?

> >> By attributing non existent powers to computer code
> >> using such analogies is a dangerous thing.
>
> >The main properties of computer viruses I was referring to were
> >"spreading" and "causing damage". Is *this* what you are calling
> >".non-existent properties"?
>
> Wrong!
> The real properties, mathematically speaking, are 'reproduction' of the
> virus and 'modification' of the system.
> Equating 'modifying' with 'causing damage' is wrong, in specific scientific
> terms, (We are not discussing the ethics behind here.)

I enjoy a good game of word play. But I never suffer from the misconception that it is in any way important. When you go to a boxing match, do you say to the loser that he fought well, and was unfortunate to have his face modified by his opponent?

Any viral attack, even by a 'good' virus, causes damage. Read Stoll's book for a fairly lucid description of the loss of trust in your computer, or in the network, caused by 'hacking' in general, and the Internet worm in particular. When things act weird, people get worried. In my opinion this is justified.
Computers should act in a deterministic way, and anyone who causes spurious behaviour in another person's computer is guilty of some sort of crime. I'm well aware that commercial software often exhibits such behaviour; that is only an argument for pillorying commercial software houses, not supporting the existence of viruses.

> > These properties hardly equate to the properties of a lion!!!!
> A lion is a predator by nature, a computer virus isn't.

Though perhaps a virus writer is?

> >> Lets look at the following counter analogy:
> >> I am a gun manufacturer and inventor. Should I be held liable for the
> >> uses and misuses of such weapon, if I am not able to control who gets
> >> it and who does not? Absolutely, positively NOT!
>
> >Your analogy is flawed too. You are standing on US-centric positions.
> >The world is wide and there are many countries in which owning,
> >buying, or selling a weapon *is* illegal, regardless of whether you
> >misuse it or not.
>
> How does this make the manufacturers / inventors of guns etc. LIABLE
> for the use of their products??
> The illegality of it has nothing to do with LIABILITY.
> So, let the owning, buying, etc. of weapons be illegal.. so what?
> Are the MAKERS of the guns LIABLE?
> NO!

The existence of guns in the world, except where used (depending on your vegan/vegetarian/omnivore stance) for hunting, cannot be supported by me. The manufacturers of weapons such as Magnums, Desert Storms, etc. are entirely guilty in my eyes. Unless one worships at the temple of profit, can one support the sale of guns? Maybe an American will have something to say about that, since their Constitution enshrines the right to hold a firearm. Though this isn't my main point.

Without the virus writer, a virus would not exist. Without a (currently known) means of transmission, the virus cannot escape. Is the vector of the virus, or the virus writer him(her)self more dangerous?
Without the virus, the vector is not dangerous (in relation to this particular issue). Without the vector, the virus is still, potentially, dangerous. And a question to the 'No Liability' lobby - if you have a viral attack, and you know who the author of the virus code is, who do you blame? Or maybe you don't apportion blame?

> > >(Please, folks, it is not my intention to start a gun/anti-gun
> >flamewar here. I just want to point out that just because something is

Whoops!

> >> The bottom of the line here is not whether to write viruses or not to
> >> write viruses but who gets them.
>
> >Nope. The bottom line is whether damage is caused. And spreading
> >computer viruses *is* causing damage.
>
> Yes, sure.
> But it cannot be proven that the deed of writing viruses causes such
> things.

Terribly post-modern, but not very useful. Writing viruses is the sine qua non of the whole shooting match.

> The ones that should be held liable are the ones that introduce viruses
> in computer systems without authorization, (which is against the law
> in many countries.)

Should we lock up drug smugglers, or the barons who control them? Which does more good? Treat the cause, not the symptom. Like locking up prostitutes, or clearing out squatters, the problem still exists, you've just changed the players.

> > >I don't think that virus creation should be forbidden per se. But I do
> > >think that if a virus is found somewhere where it is unwanted, the
> > >author of the virus should share the responsibility, even if he has
> > >not introduced the virus into that system.
>
> >> By the same token, the manufacturers of firecrackers should be held
> >> liable when someone uses their product in a malicious way?
> >> NO!
>
> >If this "someone" manufactures firecrackers and distributes them to
> >children, telling them "look how great it will be to put some fire on
> >that building" - yes, such person should be held liable.
>
> Agree.
> But this is a specific case where the manufacturer is taking another
> role not implied by the act of being just a manufacturer.
> Sure you can find a million specific examples, but in general terms
> if we refer to a manufacturer in the broad sense of the word the answer
> is still :NO!

Change the product to nuclear bombs, say. Is the manufacturer still innocent? Or make the product soldiers; is the government innocent? Crack, tanks, child pornography, bugging devices. Just a few products where the manufacturer, IMHO, is guilty for the results. Maybe not liable, in your legalistic sense of the word. Just guilty in a very real sense.

Forget broad, we're talking about virus writers. Are they pure as the driven snow, or are they a bunch of idiots, with a severely warped sense of 'right' and 'wrong'?

> Have you ever heard of disclaimers?
> That takes care of any implied secondary intentions you might want to
> give to the manufacturer.
> To complete my point: If the product has a proper disclaimer notice
> the manufacturer cannot be held liable for the proper / improper use
> of whatever the product is.
> Computer viruses included.

Good call my friend. Virus writers - get in touch with your lawyers, and let's see if we can knock up a good disclaimer. I'd like to see the wording on that. 'Any use of this soldier for killing members of alien races is not the responsibility of this army. We disclaim everything we can.' Sorry Mrs German, your son was killed, but no one's responsible. What a load of cack. Good for malefactors' consciences, but meaningless to any sane member of the human race.

> >Besides, there are many *useful* applications for firecrackers. I have
> >yet to see *one* useful application of a computer virus (as most
> >people understand it, not as Dr. Cohen understands it) that cannot be
> >performed (often much better) by a non-viral program.
>
> Well, I predicted your reply, :) and I stated below in the original
> posting:
>
> "While a million of you will argue that a good use for a computer virus is
> yet to be found, there is yet to be proven that there isn't a good use for
> a computer virus."

.. "that cannot be performed (often much better) by a non-viral program?"

> >> You are assuming something that can NOT be proven: Computer viruses
> >> are inherently destructive.
>
> >Not quite. All I am saying is that the computer viruses as we have
> >seen them -can- and -are- destructive. I don't think that anybody
> >thinks otherwise. If you do, you are seriously fooling yourself.
>
> Agree, but a new generation of 'good' viruses will come along, such as Cruncher
> and KOH (whether they work or not is another story), then you will not
> be able to make such statement.
>
> >Whether computer viruses are inherently destructive in theory is a
> >different question and I will be glad to do some research in this
> >direction, but we are not talking about the theory now. We are talking
> >about the viruses that exist *now* and that destroy data *now*.
>
> What about the viruses that don't destroy data?
> I will say that more than 60% (approximately) of all known viruses don't
> carry any destructive or malicious code.
>
> Are they destructive?

See above. A noisy fan in my car may not be destructive in any quantitative sense, but it sure annoys me. Maybe most viruses are just 'noise'; IMHO we shouldn't have to put up with it, and we should strive to punish those who cause it. It's antisocial, maybe not pathological, but certainly antisocial.

> If they cause damage accidentally, is besides the point, as there is plenty

Ermm, not quite. We install commercial software of our own volition, looking carefully at the licence agreement, guarantees, reputation, independent reviews etc. Viruses tend to get dumped on us from above (or below).
> of commercial software (Example: MS DOS's original Chkdsk.exe) that causes
> unwanted destruction, so if you apply your thinking to commercial software
> you could say that there is software that exists *now* that destroys your
> data *now*.

The benefits of DOS (i.e. it lets you use the box on your desk for something more exciting than watching it display 'Please insert boot disk') outweigh the problems (such as CHKDSK, such as supporting a modern day empire with all the social graces of Genghis Khan's horde from the east). The benefits of 'harmless' viruses are nil. The problems don't have to be too great to swing the balance against them.

> Let's face it, software incompatibilities and data destruction are not
> exclusive to viruses.. on the contrary I have seen -some- viruses that have
> less compatibility problems than a lot of commercial products, (AntiViral
> ones included.)

So lambast software suppliers. Don't laud the lowest stratum of the computing world. And don't make excuses for them.

I've gone on (and I mean that most sincerely) at great length. Please forgive me - it won't happen again.

Robert Rainthorpe
Novell System Administrator / Systems Programmer
University of Greenwich, England.
As ever, all views expressed are my own, not my employer's.

------------------------------

Date:    Tue, 21 Dec 93 08:19:25 -0500
From:    "Couvillion, Michael - Capt"
Subject: Study on time spent tracking infections

I am trying to gather information on the amount of time spent tracking down false positives vs time saved by actually catching the offending virus. Has someone else gathered similar data before? Can I get a copy? Any responses can be sent to mcouvill@407po1.usafe.af.mil.

------------------------------

Date:    Tue, 21 Dec 93 22:24:27 -0500
From:    Allen Taylor
Subject: Treasury Department BBS

I have downloaded and read the last six months of this digest and found occasional references to a Department of Treasury BBS that apparently allowed access to "live" virus code.
Can anyone direct me to other issues of this digest that might contain more details concerning this. I am interested in the "name" of the BBS, any contact points and the "alleged" damage[s] inflicted upon the telecomputing community. Thank you.

- ----------------------
| allentaylor.delphi.com
- --------------------------

------------------------------

Date:    Fri, 17 Dec 93 17:51:45 +0100
From:    "pinto@pinon.ccu.uniovi.es"@etsiig.uniovi.es
Subject: "# Thank you!." ???? (UNIX)

# Thank you!.

This is the message that came out in a terminal window while I was working in the OpenWindows environment on a Sun SPARCstation 10 with root privileges. Actually, it happened after executing the cp command. I am very worried, because I think this can be caused by a virus. If anyone knows anything about this "# Thank you!." message I would be very thankful.

------------------------------

Date:    Wed, 22 Dec 93 10:24:16 -0500
From:    D.R.Worrall@lut.ac.uk
Subject: Re: stoned infection (PC)

Hi everyone, I hope someone out there can help me. My computer (386SX running DOS 3.3) is apparently infected with the Stoned virus (TBAV, McAfee) or a new variant of Stoned (F-prot). None of these programs detect any infected files on the hard disk. Does the fact that all three identify the infection indicate that it is not a false positive? Assuming this is a real infection, how do I go about disinfecting my machine? Any advice will be greatly appreciated, either by e-mail or reply to the net.

Thanks in advance
Dave

------------------------------

Date:    Wed, 22 Dec 93 11:24:49 -0500
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Jack the Ripper virus in England (PC)

Adam Shaun Nealis wrote to pc-comms@jnt.ac.uk (Subject: RIPPER VIRUS ALERT/WARNING) and it came to me:-

> Here at LBS [= London Business School] over the last 2 weeks, we have been eradicating a relatively new virus called (Jack_The_)Ripper. The virus got through our defences. Apparently it is confined mostly to the UK at present.
It is also known to the virus newsgroups. As far as we know, it lives in the boot sector of floppies and hard disk partition tables, and infects four DOS files:- FORMAT.COM, SYS.COM, MORE.COM, UNFORMAT.COM. We think it tries to appear innocuous until the sixteenth reboot, when it will reformat your hard drive.

At the moment, we are only aware of these anti-virus packages which will detect and/or disinfect effectively: F-PROT, Dr Solomon's Anti-V Toolkit

Our procedure at present for detection/prevention is something like:

1. Run F-Prot in full screen mode and clean master boot sector.
2. Run Cleanpar from Dr Solomon Toolkit to repair partition.
3. Make sure autoexec.bat loads Guard and Findviru.
4. Use Dr Solomon's CLEANBOO to clean floppies.

NB CPAV does not detect Ripper at present.

 __________________________________________________________________________
/mailnet:  adam@lbs.lon.ac.uk                                              \
|snailnet: Adam S. Nealis, Computer Services Dept., London Business School,|
|          Sussex Place, Regent's Park, LONDON NW1 4SA                     |
|voicenet: (+44) 071-262-5050 x3352  Fax: (+44) 071-724-7875  Telex: 27461 |
\__________________________________________________________________________/

------------------------------

Date:    Mon, 20 Dec 93 18:47:35 -0500
From:    gs6206@csc.albany.edu (Gene Shackman)
Subject: cpav anti-virus for netware 2.0 (PC)

Hi All,

Has anyone used Central Point Anti-Virus for Netware 2.0? Or does anyone know where I can find a review of anti-virus programs for the network? We use Novell 3.11, by the way. For PCs, we also use f-prot, and are happy with that.

Thanks in advance!

Gene Shackman
Network Manager
SUNY-Albany
Albany NY
gs6206@thor.albany.edu

------------------------------

Date:    Tue, 21 Dec 93 03:36:17 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: "Perry" Virus found on PC with tnt-virusscan (PC)

r31d1412@rz.unibw-muenchen.de (Elmar Kreiss) writes:

>Hi,
>is there anybody here who knows something about the "Perry-Virus"?
There is NO SUCH THING as the Perry virus. The Perry program is a program that is used to add code to other programs to make them ask for a password when run, or to stop operating after a fixed date. Any scanner which identifies the Perry program, or programs that have been modified in this way, as virus-infected is just plain WRONG!

- -frisk

------------------------------

Date:    Tue, 21 Dec 93 06:13:59 -0500
From:    Martin_blas Perez Pinilla
Subject: Re: Flip false +ve in DOS 6 VSafe by VET (PC)

A.APPLEYARD@fs1.mt.umist.ac.uk wrote:

>[stuff about Flip false positive deleted]
>which remains memory-resident. The only recent change I'd made was to activate
>Dos 6 VSafe, & this appears to be the problem, producing a spurious message by
>VET. With VSafe loaded, I get the Vet virus message; without it all is well.
>Has anyone else hit this problem? I'm pretty sure of the diagnosis but it

Everybody that uses the crap bundled with MS-DOS 6 and a true antivirus has false positives. Throw away the crap and use the true antivirus.

Regards,
- -mb

M.B. Perez Pinilla          | mtppepim@lg.ehu.es | Write 10^6 times:
Departamento de Matematicas |                    | "I'll never waste bandwidth"
Universidad del Pais Vasco  | SPAIN              |

------------------------------

Date:    Tue, 21 Dec 93 10:55:36 -0500
From:    ajacobson@bpa.arizona.edu
Subject: "RIPPER" information. (PC)

I have just found the "RIPPER" virus with F-PROT 2.10. I can find no information on it yet. Any information on this infection would be helpful.

Ajacobson@bpa.arizona.edu

------------------------------

Date:    Tue, 21 Dec 93 13:36:49 -0500
From:    callison@hellcat.ecn.uoknor.edu (James P. Callison)
Subject: List of viruses for NetWare 3.11? (PC)

My network is having mysterious problems, and I suspect that there may be a virus involved. (There was a virus that SCAN and F-Prot both recognized as STONED, but it displayed none of the listed characteristics of STONED.)
Neither F-Prot nor the Intel LAN virus scanner detected any virii on the network, but I have had some...odd file corruption. The boot images for my boot-ROM'd PCs have all truncated "login " to "i", and, just over the weekend, directories have started losing letters off their names (f'rinstance, "F-PROT" has become "ROT" and "NEW" has become "EW"). I'm also checking out the possibility that there've been hardware errors, but, so far, nothing has failed the diagnostics...

BTW--the network is NetWare 3.11 (50 user) 8/9/91

If anyone has any ideas, let me know. Thanks!

James

James P. Callison    Microcomputer Coordinator, U of Oklahoma Law Center
Callison@midway.ecn.uoknor.edu  /\  Callison@aardvark.ucs.uoknor.edu
DISCLAIMER: I'm not an engineer, but I play one at work...
The forecast calls for Thunder...'89 T-Bird SC
#28, Davey Allison                 #7, Alan Kulwicki
1993 IROC Champion                 1992 Winston Cup Champion
You rode the Thunder, Now, may the Thunderbird carry you home...
"It's a hell of a thing, killing a man. You take away all he has and all he's ever gonna have." --Will Munny, "Unforgiven"

------------------------------

Date:    21 Dec 93 18:41:19 +0700
From:    infocenter@urz.unibas.ch
Subject: Quox found in Switzerland (PC)

I recognized and isolated a virus on my home PC (486sx-25).

F-PROT 2.10c identifies it as   Quox
McAfee's Scan 109       "       MBR (Genp)

Hell knows where I got this sucker from. It almost drove me crazy before I identified it as a virus at all. Somehow the programmer should get a hand (in form of a fist) for this piece of code. Since I had some real shitty troubles with my machine in the last time, I would be very glad if somebody could send me information about the behaviour of Quox, so I can find out which of my problems can be related to this virus.

What I found out so far:

Symptoms: At the C:\> prompt type DIR A:
The floppy drive sounds as if there is a misalignment or so. It scratches about 3 to 4 times on the floppy before it shows the dir.
If your floppy (I only tried 1.44s) is NOT write-protected, Quox will modify the boot sector during this scratching. Floppies that are modified by Quox can be read from an infected system, but will _NOT_ be recognized by a clean system by the above procedure (DIR A:), but will be recognized on an infected system. But take care: despite the last sentence, you can _BOOT_ this disk on the system that was clean till now !!! Lucky guy, you have one more infected system.

Removing Quox: Boot on the infected system with a clean write-protected disk which contains FDISK and use the undocumented switch FDISK /MBR. I did it on a system DOS 6.0 this way. It should also work with DOS 5.0, but I did not try it.

Didi

******************************************************************************
*                     Universitas Basiliensis InfoCenter                     *
* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ *
* Dr. Dieter Glatz                              Tel +41 61 267 22 76         *
* Universitaetsrechenzentrum                    FAX +41 61 267 22 82         *
* Klingelbergstrasse 70                                                      *
* CH-4056 Basel                                 infocenter@urz.unibas.ch     *
* Switzerland                                   glatz@urz.unibas.ch          *
******************************************************************************

------------------------------

Date:    Tue, 21 Dec 93 13:38:48 -0500
From:    umennis0@ccu.umanitoba.ca (Sean Douglas Ennis)
Subject: Trouble ???? something's inconsistant here.... (PC)

OK, I'm looking for some help here...

Here's what I'm running on ms-dos 3.30 (on an 8086 - yes I know, throw it out, but...that's not an option). I seem to have an inconsistency with my machine... When I run CHKDSK, I get information saying that I have 3 hidden files, taking up 57544 bytes.... Now here's what are the only things that I can find that are hidden (which I should find hidden anyways, of course): IO.SYS and MSDOS.SYS, totaling in size 52485 bytes..... This looks VERY suspicious to me, since I KNOW there are no other hidden files around...
Does anyone have any suggestions...the virus checker I do have doesn't seem to be able to find anything, but I don't think it checks the directory lists, and if it's in there.......(and hidden..).

Sean

- --
"O" is a big fish in Hawaii. "Homomonukunukuaguk" is a little one.
"Chargoggagoggmanchaugagoggchaubunagunggamaug" is a lake in Massachusetts.
- ------------------------------------------------------------------------------
umennis0@cc.umanitoba.ca

------------------------------

Date:    Tue, 21 Dec 93 18:20:02 +0300
From:    eugene
Subject: Re: Help against Freddy Krueger ! (PC)

>> Can anyone help me on a anti-virus that removes Freddy Krueger.
> AntiVirus Pro - correctly disinfects COM files and damages EXE files.

It is 'b' update of AVP 1.07, it corrupts EXE infected by Freddy :-( The last update ('c') disinfects COM and EXE without errors.

Regards,
Eugene

- ---
- -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- -- eugene@kamis.msk.su +7 (095)278-9949

------------------------------

Date:    Tue, 21 Dec 93 17:16:38 -0500
From:    mikehan@kaiwan.com (Mike Hanewinckel)
Subject: Re: Satan bug on 500 user lan (PC)

William and Delinda Johnson (wej-ddj@wyvern.wyvern.com) wrote:
: The satan bug has infected our 500 user lan. Scanning software does not see
: the bug in all cases. McAfee 109 and F-PROT were tried without success. A
: combination of check date and McAfee appears to catch all the infected files
: but we do not know for sure.
: We are cleaning our machines using the above combination of software but
: need a scanning package which will catch all files which contain the satan
: bug. I am looking for ideas for cleaning and restoring our lan and any
: products guaranteed to detect all infected files.
: Any comments and ideas are welcome.

Well, since the Satanbug is a stealth type of virus, it can hide its presence from virus checkers if it can get into memory before the checker.
You MUST be sure that you boot from a clean, write-protected, floppy boot disk before running the virus checker. Do NOT boot from the hard drive or the virus can get into memory. Of course you must have had the insight to create a write-protected boot disk with your av software on it.

Also, after looking at the source code for the satanbug virus, I see that it has routines for circumventing the inoculation routines of programs like CPAV and SCAN. It is also a polymorphic virus, so you will need a virus checker that can handle generic viruses. I recommend ThunderByte.

Mike Hanewinckel

------------------------------

Date:    Tue, 21 Dec 93 17:23:24 -0500
From:    mikehan@kaiwan.com (Mike Hanewinckel)
Subject: Re: I think I have a virus (PC)

Acsys Inc. (acsys@crl.com) wrote:
: My machine is acting funny, the mouse works on and off, and the floppy disk
: drives don't detect a disk change. When I do a mem /P I get a "blem wit"
: as one of the loaded programs.
: I had a virus that acted similar a year ago called the Michelangelo or
: something like that which I exterminated. but this one seems to evade
: scanning programs.
: Anyone have any help?

The mouse problem sounds like a shorted cable. The floppy problem sounds like a bad disk cache that doesn't recognize changed disks. I would have to say probably not a virus, until you mention that thing with MEM. Download a copy of McAfee's PROVIEW. Then look in memory under programs and see what this blem wit thing is all about.

Mike Hanewinckel

------------------------------

Date:    Tue, 21 Dec 93 22:22:42 -0500
From:    aniello@remus.rutgers.edu (Vin Aniello)
Subject: AVP v1.07b And Scan v109 (PC)

It looks like Virus-Scan is still picking up a false positive in the AVP v1.07b files. Here is what it found:

SCAN 9.20 V109 Copyright 1989-93 by McAfee Associates. (408) 988-3832

Scanning for known viruses.

Drive C: has no volume label.
Scanning C:\virus\avp\-V.DEM
Found the Abraxas5 [OW] Virus

Directory C:\virus\avp contains 17 files.
Found 1 file containing a virus.

V/ (aniello@remus.rutgers.edu)

------------------------------

Date:    Sat, 18 Dec 93 18:34:00 +0200
From:    Eyal_Shoabi@f106.n9721.z9.virnet.bad.se (Eyal Shoabi)
Subject: McAfee Vshield and Windows (bad combination) (PC)

Hello Tim!

10 Nov 93 18:40, Tim Bouwer wrote to All:

 TB> I have several (3) DOS windows in my startup group. They start
 TB> up minimised.
 TB> If I have vshield loaded when I start up windows at least two of
 : :
 TB> I have a 386DX 33Mhz with 8Mb ram, this happens with DOS5 and
 TB> DOS6.
 TB> Any confirmation/denials/suggestions would be appreciated.

Just don't use a DOS TSR that sends alarms while in Windows. It's a known problem and happens with all DOS TSRs.

Eyal

- --- FMail 0.96+
 * Origin: I've parked my HD and got a ticket! (9:9721/106)

------------------------------

Date:    Sat, 18 Dec 93 18:38:01 +0200
From:    Eyal_Shoabi@f106.n9721.z9.virnet.bad.se (Eyal Shoabi)
Subject: New Virus? (PC)

Hello Corey!

09 Nov 93 22:47, Corey Lawson wrote to All:

 CL> Umm...Write-protect can't be overridden with clever DOS system
 CL> calls, can it?

True. If you had a write protect label on your floppy, it can't be.

Eyal

- --- FMail 0.96+
 * Origin: Eyal's Point - VirNet Israel. (9:9721/106)

------------------------------

Date:    Sat, 18 Dec 93 18:43:02 +0200
From:    Eyal_Shoabi@f106.n9721.z9.virnet.bad.se (Eyal Shoabi)
Subject: [Q] Cross-linked files => virus? (PC)

Hello W!

10 Nov 93 19:20, W Geake wrote to All:

 WG> I've been trying to sort out a PC with LOTS of cross-linked
 WG> files, using utilities such as Norton Disk Doctor, CHKDSK, etc.
 WG> I got rid of them all, and left the PC to its user's tender
 WG> care. He used it for a couple of days and the cross-linking has
 WG> returned.

Sounds like DIR-2 virus, but you said you've checked with F-Prot so can't be.
Maybe a new virus, or maybe you use DoubleSpace from MS-DOS 6.00. (It happened to me a lot when I used DoubleSpace; if you can format the HD like I did, maybe you'll get rid of the problem.)

Eyal

- --- FMail 0.96+
 * Origin: Eyal's Point - VirNet Israel. (9:9721/106)

------------------------------

Date: Sat, 18 Dec 93 18:49:03 +0200
From: Eyal_Shoabi@f106.n9721.z9.virnet.bad.se (Eyal Shoabi)
Subject: [Q] Cross-linked files => virus? (PC)

Hello Amir!

24 Nov 93 12:20, Amir Netiv wrote to W Geake:

 AN> Best you can do is send a sample (of a floppy formatted with the
 AN> /s option on the suspicious machine, and copy several
 AN> problematic files from the disk into it) to one of the virus
 AN> researchers you know, for analysis.

I once had cross-link problems; I had to format my HD in order to get rid of it. If the problem comes again, can I do what you said and send the disk to you?

Eyal

- --- FMail 0.96+
 * Origin: Eyal's Point - VirNet Israel. (9:9721/106)

------------------------------

Date: Sat, 18 Dec 93 18:57:04 +0200
From: Eyal_Shoabi@f106.n9721.z9.virnet.bad.se (Eyal Shoabi)
Subject: New Virus? (PC)

Hello Amir!

24 Nov 93 12:26, Amir Netiv wrote to Malte Eppert:

 >>> Umm...Write-protect can't be overridden with clever DOS
 >>> system calls, can it?
 AN> Malte answered:
 >> If you mean floppy wp and your drive's intact, you're right.
 AN> Could you shed some light on that? Because as far as I know
 AN> today's floppy drives (old IBM style drive excluded) cannot
 AN> write on a write-protected floppy!!!

That's exactly what he said.

Eyal

- --- FMail 0.96+
 * Origin: I've parked my HD and got a ticket! (9:9721/106)

------------------------------

Date: Tue, 21 Dec 93 20:01:00 +0200
From: Fred_Janssen@f1.n9931.z9.virnet.bad.se (Fred Janssen)
Subject: Windows viruses? (PC)

> What is the name of that one? The names that I was
> given are:
> Winvir and Twitch.

To my knowledge, Winvir is the correct one.
Fred

- ---
 * Origin: Fred's Place (9:9931/1)

------------------------------

Date: Fri, 10 Dec 93 22:22:00 +0200
From: Rinse_Balk@f7.n316.z9.virnet.bad.se (Rinse Balk)
Subject: PS to "Help !! I have virus in my partition table..." (PC)

Hello JONAH!

20 Nov 93 19:56, JONAH C WITTKAMPER wrote to All:

 JCW> @REPLYADDR Jonah.C.Wittkamper@williams.edu
 JCW> @REPLYTO 9:462/121.0 Internet Gateway
 JCW> From: Jonah.C.Wittkamper@williams.edu (JONAH C WITTKAMPER)
 JCW> Please send any responses you might have to 97jcw@williams.edu
 JCW> If you didn't read the last message:
 JCW> I have a virus in my partition table of my COMPAQ 386SL. Scan has
 JCW> detected it and I don't believe clean can effectively clean it, because
 JCW> my computer was showing viral symptoms days before scan was finally able
 JCW> to detect it. Help please. What should I do. 97jcw@williams.edu

Try TBscan.. By the way, in TBscan there is an option to immunize (or whatever they call it) your partition table (!)

 JCW> -+- OD 0.0.1
 JCW> + Origin: C.C.C. (9:462/121.0@VirNet)

Greetz, Rinse

- --- FMail 0.96
 * Origin: All Or Nothing BBS * SA&SU 10:00-20:00 * BEL * 05126-2412 (9:316/7)

------------------------------

Date: Mon, 20 Dec 93 20:05:05 +0200
From: John_Tardy@f4.n9931.z9.virnet.bad.se (John Tardy)
Subject: Re: Running F-PROT 2.10 in DOS Window? (PC)

Quoting BOB CONN to All

 BC> I want to know if F-PROT 2.10 is as effective running in a
 BC> DOS Window (Windows 3.1). I have created a PIF to run a
 BC> batch file which calls F-PROT. I am just checking a
 BC> floppy disk(s). I do not want to exit Windows nor do
 BC> I trust MS virus software as much as F-PROT.
 BC> Thanks!
 BC> Bob Conn
 BC> Lan Admin.
 BC> Penn State School of HRRM

I strongly recommend that you not scan from a DOS box or .PIF file command, because a stealth virus could be hiding from booting.
You haven't got a virus-free Windows boot disk, so I suggest you do the following: make a secure virus-free floppy (format a: /s should do it from an uninfected system) and copy F-Prot to it. Make the disk write-protected and use this, instead of starting from Windows. If you don't, there is a big chance that you will infect your hard disk all over...

Greetz, JT/T

- --- GEcho 1.01+
 * Origin: Virus Research Centre Holland (9:9931/4.0)

------------------------------

Date: Mon, 20 Dec 93 20:09:06 +0200
From: John_Tardy@f4.n9931.z9.virnet.bad.se (John Tardy)
Subject: Re: 'Anti-viral' Viruses (PC).

Quoting csc2u2bn'Anti-viral' Viruses (PC).un.leeds.ac.uk to All

 cs> I'm working on a final year research project investigating 'useful'
 cs> computer viruses. The project aims to assess the feasibility of
 cs> incorporating simple anti-virus tools into virus code. I've seen
 cs> mention of such viruses once or twice on this newsgroup and
 cs> wondered if anybody has any information or ideas that they think
 cs> I might find useful.
 cs> I am aware of the moral implications underlying such viruses.

The problem is that if you want to make a virus as secure as possible, you have to make many, many checks, and it will be about 20Kb. If you apply this to every executable program, you will waste much hard disk space. A nice example of a "useful" virus is Cruncher2, but it's not as secure as a Stacker-like program has got to be; all run-time compressors can't be trusted, anyway...

Greetz, JT/T

- --- GEcho 1.01+
 * Origin: Virus Research Centre Holland (9:9931/4.0)

------------------------------

Date: Mon, 20 Dec 93 02:30:19 -0500
From: "Rob Slade"
Subject: 2.1 Assume you're wrong (CVP)

BEGPAN8.CVP   931104

                      2.1 Assume You're Wrong

These days, almost every computer problem has people yelling, "Virus!" In fact, while viral programs are a constant and growing risk, computers have the most marvelous array of bugs, glitches, failures and just plain bizarre happenings.
There is every chance that you *don't* have a virus. So, it is probably time to start looking at the possibility. Go to various people and describe the problem. What may be a completely new quirk to you may be old hat to someone else. Some (very few) examples from a (very long) list of possibilities:

- - a power surge or spike can make the monitor flash and/or go blank. Depending upon how the computer fails, various noises may result. This is very common in buildings with older electrical wiring and elevators, or other large electric motors. Computers vary greatly in their tolerance for this. One may fry, while the next in line doesn't notice.

- - BIOS machines (usually those running MS-DOS) can sometimes not "notice" the fact that a Shift, Control or Alt key has been released. This may seem to make the keyboard, and computer, act in a very strange manner. Susceptibility to this varies by computer, keyboard and program.

- - we frequently receive queries about the "blem wit" virus, which appears in memory on computers running on a Novell LAN. The Novell driver has text reading "problem with" in the location that DOS expects to find an identifying name.

- - floppy disks can go bad. Suddenly, and without warning. For various reasons. You need not have done anything wrong. There are also factors such as the infamous "critical error handler bug," which means that very innocent actions on your part can be damaging. Funny, they've never fixed that.

These examples are by no means meant as a troubleshooting guide. They are merely to show that some very odd things can happen around computers. Unfortunately, a book of telephone directory size would likely be insufficient to cover all the bases. Still, try to find out what you can. Swap out keyboards and monitors to check hardware. Note any changes or upgrades recently made to the system or programs. Check other machines that have the same history. If you can call in someone to check, it's probably a good idea.
If you are pretty sure that it is *not* a normal bug or hardware failure, then go on.

copyright Robert M. Slade, 1993   BEGPAN8.CVP   931104

=============
Vancouver      ROBERTS@decus.ca     | "Remember, by the
Institute for  Robert_Slade@sfu.ca  | rules of the game, I
Research into  rslade@cue.bc.ca     | *must* lie. *Now* do
User           p1@CyberStore.ca     | you believe me?"
Security       Canada V7K 2G6       |          Margaret Atwood

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 2]
****************************************
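The "blem wit" entry in Slade's column (and the MEM /P report in the Acsys query earlier in this digest) is easier to believe once you see how a memory listing gets its names. The following is an added example, not code from the digest or from any DOS or Novell product: it builds a constructed DOS 4+ memory-control-block chain, lists owner names the way a MEM /P style tool reads them, and adds the check a practitioner would want before shouting "virus": whether an odd "name" is merely an 8-byte window onto a longer text string sitting in the same block. The MCB header layout (name field at offset 8), the IPX message text and all segment values are assumptions for illustration only.

```python
import struct
PARA = 16  # DOS hands out memory in 16-byte paragraphs

def build_image(entries):
    """[(owner_seg, name8, data), ...] -> contiguous DOS 4+ MCB chain. Header:
    'M'/'Z' tag ('Z' = last), owner PSP seg, size in paras, 3 reserved, 8-byte name."""
    out = bytearray()
    for i, (owner, name8, data) in enumerate(entries):
        paras = -(-len(data) // PARA)  # block size, rounded up to paragraphs
        tag = b'Z' if i == len(entries) - 1 else b'M'
        out += tag + struct.pack('<HH', owner, paras) + b'\x00' * 3 + name8
        out += data.ljust(paras * PARA, b'\x00')
    return bytes(out)

def walk_mcb_chain(image):
    """Yield (offset, owner, paras, name) per block, taking the name the way a
    MEM /P style listing does: 8 bytes at header offset 8, cut at the first NUL."""
    off, tag = 0, b'M'
    while tag == b'M':
        tag = image[off:off + 1]
        assert tag in (b'M', b'Z'), 'broken MCB chain at offset %d' % off
        owner, paras = struct.unpack_from('<HH', image, off + 1)
        raw = image[off + 8:off + 16].split(b'\x00', 1)[0]
        yield off, owner, paras, raw.decode('ascii', 'replace').strip()
        off += PARA * (1 + paras)

def text_behind_name(image, off, paras, name):
    """Return the longer printable string in the block's data that 'name' is a
    window onto, or None when the name stands alone (a genuine program name)."""
    data, key = image[off + 16:off + 16 + paras * PARA], name.encode('ascii')
    i = data.find(key) if key else -1
    if i < 0:
        return None
    lo, hi = i, i + len(key)
    while lo > 0 and 32 <= data[lo - 1] < 127:  # extend over printable bytes
        lo -= 1
    while hi < len(data) and 32 <= data[hi] < 127:
        hi += 1
    return data[lo:hi].decode('ascii') if hi - lo > len(key) else None

# Constructed image, not a real dump: the driver's name field is an 8-byte window onto its own message.
DRIVER_MSG = b'IPX driver: problem with network board\x00'
IMAGE = build_image([
    (0x0B2A, b'COMMAND\x00', b'\x00' * 48),   # command shell, genuine name
    (0x0008, DRIVER_MSG[15:23], DRIVER_MSG),  # name field reads b'blem wit'
])

def memory_report(image=IMAGE):
    return [(name, owner, text_behind_name(image, off, paras, name))
            for off, owner, paras, name in walk_mcb_chain(image)]
```

memory_report() lists COMMAND with no explanation and "blem wit" explained as a fragment of the driver's "problem with" message, which is the distinction a quick look with a memory viewer is meant to make.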