VIRUS-L Digest   Tuesday, 22 Feb 1994   Volume 7 : Issue 12

Today's Topics:

good viruses
Re: "Good Viruses?"
A few truths
Computer Lab protections strategies
Symantec
RE: Something that looks like a new idea
Re: Beneficial Viruses
Re: Reviews/opinions of Norman's ARMOUR? (PC)
VDS 3.0g Updated (PC)
Help needed to FTP boot sector virus (PC)
Re: Virus in MBR, which cannot be found? (PC)
AntiExe and NewBug the same? (PC)
FIST 2 Virus (PC)
Re: McAfee versus F-prot (PC)
Writing to boot sector - AMI BIOS (PC)
EROTICA virus (PC)
ViruSafe and MtE-Infected Virus (PC)
Stealth Bomber aka:Kevin Dean (PC)
Re: Form. Should it be Hated and Feared?? (PC)
FAQ? Norton & PKUNZIP (PC)
Possible Virus (PC)
Re: Parity Check Virus? (PC)
Which ANTIVIRUS package to use????? (PC)
Is it a virus or not! (PC)
Re: Is speed really important? (PC)
Announcing F-PROT 2.11 (PC)
F-PROT mailer service (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 04 Feb 94 21:26:20 -0500
From: ktark@src4src.linet.org
Subject: good viruses

barnold@watson.ibm.com writes:

[facts about virus writers deleted]

>I differ; we have no real clue about the demographics of virus writers.

YOU don't have a real clue. I do. I know more virus writers than anyone posting in this group, so I can speak from my own experience.

>Small personal samples prove nothing, and it would be nearly impossible
>to acquire good statistics.

Nearly impossible for you, not for me. Those are more than small personal samples; the population of virus writers is quite small, and it is not hard for anyone who is honest to get to know most of them, since they have their own 'circle.'

[other deleted]

>(Warning, this is the biased point of view of a developer of an
>anti-virus product, so you might want to ignore the paragraph that you
>just read. :-)

Of course. :)

>>Mistake # 2
>>Curiosity? Temporary frustration?
>>How about ridiculing pseudo-professional slick-marketed, poorly
>>designed products that rip people off their money?
>>(I am talking about AV software of course..)
>>Writing viruses is not something you grow out of.. like your clothes
>>or your hairstyle, as there is nothing to outgrow, as long as there are
>>dishonest people making money off garbage software, there will be
>>computer viruses.

>These sorts of insults have kept a lot of people out of this discussion.

Those are not insults, they are the truth, and yes, it hurts, doesn't it?

>Dishonesty and chicanery and shoddy overpriced products/services can be
>found in most walks of life and professions.

Especially computer software.

>One unique (in the software industry) problem anti-virus software has is
>the very short development cycles, for products with wide distribution.

[related deleted]

I agree, but how does your point show that what I am saying is false? Simple: it is not false, it is the plain truth.
ktark@src4src.linet.org

------------------------------

Date: Sat, 05 Feb 94 16:47:43 +0000
From: martin@cheam.demon.co.uk (Martin Veasey)
Subject: Re: "Good Viruses?"

> >There is NO SUCH
> >THING AS A NON-DESTRUCTIVE VIRUS, PERIOD!!!!! If even the most benign virus
> >gets out of the lab, it's a problem.

> Yes, performance will be affected, but the system will retain all
> functionality.

I'm a real world user, paranoid to the point of listening to this conference, but no further. The only virus I've encountered was Form, basically harmless ... and the scanner picked up the floppy before infection anyway.

Two points: For me, performance is part of functionality. Any virus therefore affects my work, if only in a small way.

Any virus inserts itself on my hard disk without permission. I feel very strongly about that.

I have a bunch of hard/software that occasionally clash with each other and TSRs that cannot live with each other. If this can't be sorted out by commercial software houses, I fear more problems from amateur-written viruses.

> Let us add some more world perspective to this:
> You have an economical and personal interest in making all computer viruses
> appear as evil incarnate, you make a living out of this premise, whether
> you like it or not.

Viruses aren't evil incarnate ... but they should be eradicated. I can't change the world, but I will try to maintain a virus-free zone around my PCs.

- --
Martin Veasey
e-mail : martin@cheam.demon.co.uk

------------------------------

Date: Sun, 06 Feb 94 15:57:16 -0500
From: ktark@src4src.linet.org
Subject: A few truths

Unfortunately I cannot reply to all of those who have answered my posts. I will summarize my answers in this one post.

1-It can be shown from a statistical study of the known viruses that the great majority of viruses are not meant to be destructive.
Answers: Just because they are not meant to be destructive does not mean they aren't; the real world is different; 'wake up and smell the coffee'; theory and application do not correspond; etc.

2-Yes, I admit that a lot of viruses that are not meant to cause destruction do cause it due to system incompatibilities etc. But this feature is not exclusive to non-malignant computer viruses; I can show anyone who wants to see examples of commercial computer software that causes destruction to data as bad as the worst destructive virus out there.

The idea that associates computer viruses with instant destruction was created by the few who have interests in creating fear and ignorance in the users. An ignorant user is prone to buying a high-priced, overrated, under-tested, buggy, commercial anti-virus package.

I will quote the following article that appeared in 'DISASTER PREVENTION', page 41 of PC TODAY, Issue PCT1 930315 (premier issue):

- ------------------------------------------------------------------------------

"VIRUS - Viruses have been getting a lot of hype from the press lately, probably because their stealthy nature frightens people. But according to David Stang, a virus expert at the National Computer Security Association, odds are that the average business will never get hit by one. Stang estimates that one in a thousand computers will acquire a virus in a given year. And, he adds, 'Very few of those are damaging to the system.' The really dangerous ones that maliciously eat away at your data are extremely rare, says Stang. Most viruses are rather malign, like the 'Stoned' virus, so-called because it makes infected computers say 'Your PC is stoned, legalize marijuana' when booting.

"I have run thousands of sample viruses on a machine, and I have never gotten wiped out," Stang says, downplaying the reputation of viruses as computer killers. "In fact, I often run them on the same machine I work on. Viruses have been overrated as killing machines.
We should not worry about lethal viruses any more than we should worry about a safe falling on our head."

- ------------------------------------------------------------------------------

The rest of the article explains how viruses work and how most viruses are spread through unauthorized copying of commercial software. Also the article quotes Stang singing the praises of F-PROT as the product he recommends, as it is offered through the NCSA BBS (202-364-0644).

This is proof from someone who has cleaned more systems of viruses than anyone posting in this group, against all of those who have been saying that my theoretical ideas do not work in reality.

The virus threat is exaggerated. Non-malignant viruses are not more destructive than any other type of commercial software!

ktark@src4src.linet.org

------------------------------

Date: Mon, 07 Feb 94 12:44:43 -0500
From:
Subject: Computer Lab protections strategies

All of the academic computer labs at Lincoln University fall under me and have been attacked by a virus (Stoned Monkey). We are dealing with the problem, but I am curious to know what protection strategies are being used.

We are going to place a number of 286 machines (one or two) in each lab and require that all diskettes be scanned on those machines prior to use in the lab. We are also going to allow students and staff to scan diskettes on those machines at any time if they wish to check out their diskettes.

Our labs in question have LANs and we are looking into an anti-virus program such as Norton's to run on the LAN to protect those machines.

Any other ideas???
- ------------------------------------------------------------------------
Gerry Howser
INTERNET: howser@lua6.lu.edu
          Postmaster@lua6.lul.edu
          Monet01@umcvmb.missouri.edu (Alternate)
VOICE: (314) 681-5400
FAX: (314) 681-5566
- ------------------------------------------------------------------------

------------------------------

Date: Tue, 08 Feb 94 02:33:32 -0500
From: jboyle@uclink.berkeley.edu (John Michael Boyle)
Subject: Symantec

Does anyone know the new number for the Symantec BBS? I would greatly appreciate it. I do not check this group regularly so direct e-mail would be helpful. Thanks a lot.

------------------------------

Date: Tue, 08 Feb 94 10:08:10 -0500
From: "David M. Chess"
Subject: RE: Something that looks like a new idea

> From: william.d.bauserman@gte.sprint.com
> Since this did come from an article and not IBM, I give IBM the
> benefit of the doubt that the errors/misinterpretations are from the
> reporter.

We appreciate it! *8) The obvious technical slips were of course generated after the information left us; the reporter is (for instance) just using "data files" as a synonym for "files", without realizing that he's injected new (and erroneous) meaning. And I doubt that anyone here made the "one byte ahead" comment; we may, of course, have pointed out that contrary to some previous predictions computer viruses have not yet brought down western civilization!

Your other points are mostly quite valid; making a system like this a reality will involve solving some hard problems about integrity, trust, adjustment of heuristics, false positives, and so on. If it was simple, someone would have done it long ago! But as networks become faster, more powerful, and more pervasive, it is our opinion that something like this will be vital: if a new virus that gets past the defenses can spread faster than humans can analyze it and distribute information about it, we'll clearly need some sort of -automated- detection, analysis, and information distribution.
Of course computers in one company would not be set up to blindly trust "erase all files that look like " messages coming from the outside! But less drastic messages, coming from more trusted sources, offer a means to speed up and automate some things that may need to be fast and automatic not tooooo long from now.

(I'd reply in more detail, but I have a cracked elbow, and my one-handed typing speed is nothing wonderful. Ice is hard stuff!)

- - -- -
David M. Chess                    "At 11, more dramatic testimony from
High Integrity Computing Lab       Marla Maples Trump in the trial of
IBM Watson Research                the man accused of stealing her
                                   shoes."  -- Actual TV phonemes

------------------------------

Date: Tue, 08 Feb 94 13:23:36 -0500
From: lev@nssdca.gsfc.nasa.gov (Brian S. Lev)
Subject: Re: Beneficial Viruses

guillory@blkbox.COM (George Guillory) writes...

[deletia]

>"Zarr said the new system has several other security features. For
>one, it includes a mechanism for quickly spreading a lock out virus
>throughout the computerized system should a keypad be lost or stolen,
>Zarr said."

Sounds like another case of the press calling any software that blocks access and/or deactivates things a "virus"... B-(

------------------------------

Date: Fri, 04 Feb 94 13:42:04 -0500
From: hstroem@ed.unit.no
Subject: Re: Reviews/opinions of Norman's ARMOUR? (PC)

Richard Hosker writes:

>Norman Data Defense's ARMOUR was recently recommended to me as a "good
>antiviral package". I'd be interested in objective comments and informed

I thought ARMOUR was just a small part of the NDDS's Antivirus package. A small program designed to catch viruses by behaviour instead of using scanning or integrity-checking. It comes with the NDDS package as a device driver named NVC.SYS (correct me if I am wrong). And is probably sold as a standalone AV-utility with the name ARMOUR.SYS (or maybe NVC.SYS).

>opinions, pro or con, regarding ARMOUR, and any pointers to published
>reviews of the package.
>How does ARMOUR stack up against, say, F-PROT or
>the McAfee suite for variety of virii

As it is a behaviour blocker it will not be able to detect as many viruses as a recent version of FSI's F-PROT or McAfee's Scan. But it should not be compared to a scanner at all, since it is not a scanner itself.

> recognized and removed

I am not sure about its ability to remove viruses, but would expect it to be nonexistent, since it is a tool for detecting viruses in general.

> , scanning

If we are talking about the same product, it does not use scanning at all. NDDS are selling a scanner as a part of their package, but this has nothing to do with ARMOUR.

>speed, frequency of update releases,

No idea.

> ease of use by non-expert users,

If it works on your system, you will have few problems, and it will be very easy to use. At least until you find a virus. Then you will probably need another program to identify and remove the virus. But I am not 100% sure about this.

>general reliability of disinfection routines,

Don't know about this, but would expect it to be unable to disinfect most viruses it detects. Much of the point is probably to stop a virus infection before it gets spread on your machine, so only the infection source will need disinfection or replacement. How much you can rely on ARMOUR to stop any virus infection, I don't know. But behaviour blockers in general are not a very secure solution. An advanced new virus could easily bypass it, but it will probably be very effective against stupid new ones (e.g., variants of old viruses).

> lack of false positives, etc.?

The first time I tried it (Jan. 1994) I experienced a false positive with it. I used a file named NVC.SYS, dated 01.06.94, and it claimed the test machine was infected by a boot infector. It gave me three possible options, whereof one was to disable the virus in memory, then continue booting. When I tried this, it crashed.
Also, after coldbooting, I realized that the CMOS Data Area got wiped in the process ;-(

Armour might be a useful antivirus utility when used together with other antivirus tools, like a scanner, a scanning TSR and maybe some kind of integrity checking. But behaviour blockers in general were abandoned by most antivirus experts 2-3 years ago.

There are two reasons why a behaviour blocker is a bad idea:

1) It is hard to avoid false positives
2) It is hard to avoid false negatives

1) can be explained like this: Many programs behave much like viruses, and will therefore be flagged as such. To avoid this, one could register the exceptions in a database, but then if one of the exceptions gets infected the infection will not be flagged as a virus ;-(

2) can be explained like this: A behaviour blocker checks for general virus-specific behaviour. Some viruses don't do anything "virus-specific", but act just like a normal program, and will thus not be flagged as a virus (a false negative). Other viruses employ new techniques not checked by the behaviour blocker. And last but not least, some virus techniques CANNOT be stopped, or detected upon execution.

Conclusion: Because of a generally high number of false positives and negatives it is not a good idea to use/write a behaviour blocker. Scanning and integrity checking boast higher detection rates, and cause fewer false positives. It is very much like the discussion on antivirus-viruses: It CAN be done, but other techniques can always do it BETTER.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Fri, 04 Feb 94 15:15:35 -0500
From: tyetiser@umbc.edu (Mr. Tarkan Yetiser)
Subject: VDS 3.0g Updated (PC)

Hello everyone,

The new VDS (Virus Detection System) 3.0g Shareware Edition is available on Simtel-20 and some of its mirrors; the file name is VDS30G.ZIP. This release of the package is intended to allow potential customers to evaluate the suitability of the product to their needs.
It is a fully functional copy that lacks a few features of the Pro version (see the docs for details). Most of the package is re-written to address some of the compatibility issues that emerged within the last year. VDS is now Windows 3.x and DoubleSpace(TM) compatible, and it offers better network support.

VDS 3.0g includes a fast virus scanner, a robust integrity checker with anti-stealth capability, a generic virus remover, external signature support, emergency diskette preparation, a very versatile decoy launcher, a low-level disk recovery tool, readable documentation, excellent Netware support (not just compatible), automatic and semi-automatic installation (with de-install feature), and a redesigned object-oriented (seriously) user interface.

VDS 3.0 emphasizes integrity checking, but also provides known virus scanning. Its catalog-based integrity database supports both DOS drives and Novell volumes. Newly-added installation program simplifies protecting workstations by offering complete electronic distribution and configuration options. Once in place, VDS can perform periodic (user-definable) integrity checks and scans without further user intervention.

System requirements:
  IBM PC compatible computer
  Hard disk (for integrity checker) with 1024K free space
  384K of memory available
  Optional 192K extended memory for large catalogs
  MS/PC-DOS 3.0 or later

If you are looking for a comprehensive and up-to-date anti-virus package, we invite you to try VDS. It's only an FTP away! Let us know what you think.

Regards,

Tarkan Yetiser
tyetiser@umbc8.umbc.edu
VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228, U.S.A.

------------------------------

Date: Fri, 04 Feb 94 17:55:29 -0500
From: Jonah.C.Wittkamper@williams.edu (Jonah Wittkamper)
Subject: Help needed to FTP boot sector virus (PC)

I need to upload an IBM boot sector virus into my unix account.
I have been told that I need to use Norton Utilities in order to write the boot sector to a file; unfortunately I do not own a copy. So I ask, is there another way to write the boot sector to a file? Is there a ShareWare Utility that I can FTP that will allow me to do this?

Please send any responses you have to: 97jcw@williams.edu

Thanks,
Jonah Wittkamper

------------------------------

Date: Fri, 04 Feb 94 17:17:51 +0000
From: cotton@vms.ucc.okstate.edu (Greg Cotton)
Subject: Re: Virus in MBR, which cannot be found? (PC)

jej@cc.jyu.fi (Jukka E Jarvinen) writes:

>I bought a new hard disk drive, Seagate 340 MB IDE. I got it in an
>opened package and there was DOS installed. I deleted the partitions
>and made new ones. When quitting FDISK in the middle of the screen blinked:
> BootSector Write !!!
> Possible VIRUS: Continue (Y/N)?"
>I answered Y.
>I made same operations once more and I got the same text.
>Also FDISK /MBR gives the same.
>McAfee's SCAN 109 and F-PROT 2.10 cannot find any virus.
>What's the problem and how can I fix it?

You may, in fact, NOT have a virus. Read the text carefully. It says Boot sector write. Now, since you said you reformatted the HD, I can only assume you had no memory resident virus protection program running (i.e. Vshield, NAV, etc.), so this sounds like hardware virus protection. It is probably alterable via your CMOS setup. Of course you should expect a warning from things like FDISK, and FDISK /mbr since these are, in fact, writing to the boot sector. So, get scan v111 (I think it's the newest right now) and if it doesn't find anything, then I would begin to think that it's just your motherboard being cautious.

L8r.
Greg

------------------------------

Date: Fri, 04 Feb 94 16:09:34 -0500
From: lin@rs4.tcs.tulane.edu (Jonah Lin)
Subject: AntiExe and NewBug the same?
(PC)

I've run across a virus that is identified by F-prot 2.10 as AntiExe, a boot sector virus, but when I checked it out with Scan v111 it reported it as being a NewBug (Genb) virus. Which identification is correct? Or are they different names for the same virus? I've also come across NewBug (Genp), but it's still identified by F-PROT as AntiExe. Based on this, which program would disinfect the virus better?

------------------------------

Date: Fri, 04 Feb 94 16:09:44 -0500
From: hj5@prism.gatech.edu (JOHNSON P.E., HARRIS T)
Subject: FIST 2 Virus (PC)

One of our field office DOS machines became infected with the FIST 2 virus (I think). Central Point Anti-Virus indicated this is the infection. The symptoms included corrupted files and directories, invalid drive specification, etc. No other virus detection incl. DOS 6.2 found the virus, which made me suspicious, but on the corrupted machine command.com for DOS 6.2 grew from 54K bytes to 55K bytes. Also by sequentially inspecting EVERY disk that came into that office for the past 3 months we did find a WP 5.2 document with some very suspicious code appended to the end of the document. Without trying to disassemble the code, I think this was the source.

Does anyone know anything about this virus? What does it do? Where does it reside? Can it be cleaned from a machine without reformatting? Has other scan software begun to find it? Is reformatting sufficient to clean it?

Now the big question, can it be detected and cleaned from a rather large FOXPRO database? 11 months of management information is in what may be an infected file. While we have backups, if we can't find it we don't know which backups are infected.

Thanks for any input you may have.
- --
Harris Johnson, PE - Economic Development Institute, Georgia Tech
Atlanta Georgia, 30332   voice: 404-836-6665
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!hj5
Internet: hj5@prism.gatech.edu

------------------------------

Date: Sat, 05 Feb 94 23:56:21 -0500
From: thomst@netcom.com (Thom Stark)
Subject: Re: McAfee versus F-prot (PC)

Joel Johnson (jlj@cs1.bradley.edu) wrote:
: I would like to know if there are significant differences between
: McAfee and F-Prot antiviral software. Currently looking into site
: license and want to know is F-Prot considered as thorough as McAfee and
: will it catch as many viruses. Any input on this would be
: appreciated. Thank you.
: jlj@cs1.bradley.edu
: - --
: jlj@cs1.bradley.edu or jlj@camelot.bradley.edu

Joel, the McAfee stand-alone scanner is excellent and is frequently updated. So is F-Prot. Both have about the same detection rate. As NLMs for a NetWare fileserver, there is an order-of-magnitude difference in their burden on the fileserver utilization--Net-Prot wins by a VERY wide margin--the McAfee should ONLY be used on a fast 486 or Pentium machine, and NEVER, NEVER turn on 'on-access' scanning for all files..your fileserver will crawl like a slug on drugs..

Hope this is useful.

------------------------------

Date: Sun, 06 Feb 94 01:03:24 -0500
From: ksaj@pcscav.com (Karsten Johansson)
Subject: Writing to boot sector - AMI BIOS (PC)

Jukka, the message you received is from the AMI BIOS. It is a protection scheme which warns you every time an INT 13h is used to write in the boot area. It isn't implemented very well, especially since they don't tell you what is producing this message... A simple (c)19xx American Megatrends at the bottom of the screen would be less intrusive, for sure.

I had a call not too long ago about this very problem. The poor fellow had reformatted his drive repeatedly, and then even from a friend's disk, which also seemed to have this "virus".
By the way: Run the BIOS SETUP program (where you press at the boot up). In the advanced setting section, the last option is "Virus Protect" or "Boot Sector Protection" or something like that. Turn it off and you won't see that message again.

karsten johansson

- - --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
ksaj@pcscav.com (Karsten Johansson)
PC Scavenger Computer Security, Toronto CANADA
bus. (416)463-8384   v32/v42bis (416)PRI-VATE

------------------------------

Date: 07 Feb 94 15:27:39 +1200
From: lesuma_i@usp.ac.fj (I.I.Lesuma)
Subject: EROTICA virus (PC)

Hi,

A friend of mine discovered a virus in her machine (boot sector) and wasn't able to get rid of it even after using SCAN109 (McAfee) and CPAV.

VIRUS NAME: " EROTICA "
MESSAGE: ` Come Honey I Need Action '

Maybe this virus was created by someone from China because putting together the first letters from the message simply says CHINA.

Please Help!

------------------------------

Date: Mon, 07 Feb 94 12:05:35 -0500
From: glenn.davidson@acadiau.ca (Glenn E. Davidson)
Subject: ViruSafe and MtE-Infected Virus (PC)

I would like to add this virus's signature to my ViruSafe program. Does anyone else use this program and know what the signature is? I am using ViruSafe ver 4.5. Thanks.

- ---------------------------------------------------------------------------
Glenn Davidson, Consultant/Programmer | Acadia University Computer Centre |
Wolfville, N.S.                       | E-Mail: GLENN@ADMIN.ACADIAU.CA    |
- ---------------------------------------------------------------------------

------------------------------

Date: Tue, 08 Feb 94 11:12:58 -0500
From: "Phillip A. Mitchem"
Subject: Stealth Bomber aka:Kevin Dean (PC)

I'm looking for the email address for Kevin Dean. He is the creator of the Stealth Bomber version 2.2 (formerly CRCSET). I would like to ask him if his code has been ported to a Windows-based application; if it has not, I would like to write it in either Visual Basic or in Turbo Pascal for Windows.
Any information would be a help. The Stealth Bomber is a CRC virus checker program.

Thank you,

Phillip Mitchem
6126 WinView Dr.
ForestPark, Georgia 30050 USA
internet email: usgpamx@gsusgi2.gsu.edu
P.O. Box 105
Gay, Georgia 30218 USA
Amicus usque ad aras.

------------------------------

Date: Tue, 08 Feb 94 11:54:20 -0500
From: fguidry@crl.com (Fran Guidry)
Subject: Re: Form. Should it be Hated and Feared?? (PC)

David Good wrote:
>Recently, we received a batch of disks from Motorola that were
>infected by PC Form virus.
>
>Since these are not bootable disks, I was not overly concerned that
>the safety and security of the computing world may be in jeopardy.
>
>Then I started thinking... What happens if I leave a Form infected
>non-bootable disk in the drive and reset the pc?? Will it be released,
>so that it may hatch some insidious plot on my HD??

Yes indeed, that is exactly what will happen. The "Non-System Disk" message that you get when you boot a "non-bootable" disk is in fact a program that loads from the floppy. A "data" floppy without the operating system will readily infect your system if you leave it in the boot drive and reset your system.

> Is there any other
>way it can creep into my machine other than booting off the floppy??

No.

>Should I be treating this virus with more respect??? Inquiring minds
>WANT to know.

Yes, you should. You can safely copy the data files to new floppies, then reformat or destroy and discard the infected ones.

>***                                                               ***
>**Anything is possible if you don't know what you are talking about**
>***                                                               ***

Have you been talking to my management again?

Fran

------------------------------

Date: Tue, 08 Feb 94 16:48:25 +0000
From: wbg@festival.ed.ac.uk (W Geake)
Subject: FAQ? Norton & PKUNZIP (PC)

We've been having fun with an apparently infected copy of PKUNZIP.EXE. Norton Anti Virus detects a variant of Maltese Amoeba, but Dr Solomon and F-Prot don't, despite the latter listing Maltese Amoeba in its library.
I seem to remember, maybe a year ago, a thread in which Norton was described as producing a few false positives - was it with PKUNZIP.EXE?

The file size is 28806 bytes, and it's dated 28-12-92. I deduce that this is not the safe, official release 2.04g or 1.10 as the size and date are wrong, so I won't use it, but is it really infected? On the other hand, is this a Norton bug or do I get Norton instead of Dr Solomon or F-Prot?

In some confusion,
Bill.

------------------------------

Date: Tue, 08 Feb 94 16:04:46 -0500
From: U56371@uicvm.uic.edu
Subject: Possible Virus (PC)

Today when I went to use my printer a curious thing happened. When I turned my printer on, it started printing a letter as soon as it came online. What it was printing was a letter by a supposed person, John Dickinson, to an Arthor DeAuthor. Obviously a prank of some sort. I checked for a virus with CPAV and also looked for several strings from the letter with Grep.com, and found no trace of it. Has anyone else seen this before? BTW the date on the letter was 1984, and it has a reference to 8088's.

THANKS,
JOSEPH WOHRSTEIN
U56371@UICVM.UIC.EDU

------------------------------

Date: Tue, 08 Feb 94 18:55:34 -0500
From: mmedson@crl.com (Michael Edson)
Subject: Re: Parity Check Virus? (PC)

Marlon Brownlee writes:
>I am working with three colleagues, we all have different laptops. Over the
>past month, we have all begun to get a "parity check" error when we press the
>"caps lock" key while running an application, such as Microsoft Excel. It just
>seems too coincidental that four people at the same site should fall prey to the
>same affliction in such a short time period....we have shared floppy disks in
>the past, that seems to be how it has spread....just today, a colleague not
>working with us directly also experienced the same problem, shortly after
>sharing a floppy disk with us.....
>
>any ideas?
>we have checked all our machines and disks with Central Point
>Anti-Virus to no avail - it doesn't find any signs of a virus.

There is a parity check virus -- it's a partition table virus. I had it (indeed I got it from a Dell support rep who came by to replace a drive and infected my system). I have a vague recollection that Central Point AntiVirus (which I no longer use) did not detect it, but that SCAN and F-PROT (which I now use) did. McAfee's CLEAN can clean it. I'd ftp one of those checkers if I were you and scan with them. And then erase CPAV and use them exclusively.

------------------------------

Date: Tue, 08 Feb 94 22:16:14 -0500
From: Dave Spitz
Subject: Which ANTIVIRUS package to use????? (PC)

Here is the situation:

Current virus package site licence expires end of March
Currently have in excess of 3000 pcs, from 8088 to 486DX2/66.
Currently running DOS ver 3.3+ to DOS 6.2.
Currently running Windows 3.1.
Currently have 5 - 8 Novell servers (3.11) with approx 300 users.
Currently running 2 Banyan servers (ver unknown, users unknown).
Expect 2 - 4 additional Novell 3.12 servers, 50 - 100 users each

My boss, god bless his soul, said Dave, we need to write an EPR for an antivirus package. The one we use is too expensive, and I saw some questionable reviews on it. Give me some choices, and I need it yesterday! God bless his soul.

So, fellow antivirus hounds, how 'bout helping me out. I sure would appreciate it if some of you could help me narrow down the possibilities. We need a site licence that will cover all the above; PC DOS, WINDOWS, NOVELL NLM(VLM), BANYAN ???. One very critical requirement is memory. With all the drivers loaded in to memory, and all the TSRs and whatnot, we need a program that uses very little memory. Another important requirement is command line operations. We don't want glitzy graphic displays. For the most part we want all users to be protected without their knowing it! Last we want the best for the least, and my boss wants it now!
God bless his soul!

Seriously, any help, suggestions, recommendations you care to make will be appreciated. Please email me directly, as I don't always have the chance to read the digest sent to me. If anyone wants, I will summarize and post the results as soon as time permits.

TIA

Dave Spitz                    VOICE: 1-414-297-7698
Computing Services            FAX:   1-414-297-8313
M.A.T.C., Milwaukee, WI.      Internet: SPITZ_DAVE@MUSIC.LIB.MATC.EDU
"Everything was fine 'till they put hard drives in PCs"

------------------------------

Date: Tue, 08 Feb 94 22:57:10 -0500
From: torban@csuvax1.murdoch.edu.au (Torban Bennett)
Subject: Is it a virus or not! (PC)

Hello World,

Just had a machine spit itself, and my new McAfee scan (v111) didn't find anything, but some of the files have HiJaak 2 written in them. Is this a virus, or have the crash and Nortons conspired to throw me right off?

I just installed QPro for Windows when the machine went haywire, blowing away my CMOS setup. This then tried to write to disk and resulted in a lot of data loss. I fixed up the CMOS (no easy thing on a portable with software CMOS setup programs that have been destroyed) and got the machine working again, but had lots of cross-linked chains and so on. When I ran Nortons Disk Doctor it recovered the lost data to files (160 of them) which nearly all contain the words "HiJaak 2" and "Awesome" in them at the beginning. Is this just Nortons work or a new virus? The McAfee docs don't mention a HiJaak virus, and it doesn't pick up anything as a virus, but then with the amount of work Nortons had to do it could simply have killed it off.

Any suggestions as to what went wrong (virus or user error) would be very much appreciated.

Corey

- --
Corey Banks, Computer Systems Officer
Department of Agriculture
email: torban@murdoch.edu.au

------------------------------

Date: Wed, 09 Feb 94 00:15:25 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Is speed really important? (PC)

Keith A. Peer wrote:
>I have read and heard about how fast some antiviral scanners are. My
>question is with all of this so called speed is it possible to be
>missing some infections? Are some scanners not scanning the entire
>file to increase speed? Being that some viruses can enter a file in
>the front, middle or end and in some cases anywhere how can a scanner
>that does not scan the entire file find all infections? F-Prot and
>ThunderByte are very fast scanners compared to McAfee. Does McAfee scan
>the entire file while F-Prot and Thunderbyte don't? I mean really
>isn't the quality of the scanner really what's important and not that
>it can scan a hard disk in "X" seconds?

Well, it depends of course on the scanner. Most real AV products aren't "scanners" but more like intelligent searchers. While it is possible for some viruses, say, Darth Vader, to infect a file in the middle, the actual execution of the virus must be done at some time. Various programs trace up to the program's beginning of execution (which can be easily obtained), and then check from there.

Viruses like Commander Bomber pose serious scanning problems. McAfee scans entire files for this virus (though it only infects .COM files). This slows it down quite a bit. I am not too sure how the other products detect this.

Another is just the method that they use to scan -- TBSCAN, for example, uses a really fast 'scanning' engine. And, once again, these are not usually just a big blob of constant data, like "B8 34 12 90" or something stupid like that, but can have actual pseudo-intelligent 'scanning' methods, so maybe it skips over certain sections of the code or can predict things.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
.oOo.oOo.oOo. Thieves Suck. Don't steal. .oOo.oOo.oOo.
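Kevin's point about scanners that "trace up to the program's beginning of execution" and check from there, as an added example that is not part of the original post or of any product's code: it computes the entry point of a DOS executable from the documented MZ header fields and contrasts an entry-point-window scan with a whole-file scan. The sample images and the pattern (the post's own "B8 34 12 90" bytes) are constructed; the mid-file sample shows the case the entry-point shortcut misses.

```python
"""Where a DOS executable starts executing, and why a scanner that begins there
can miss a mid-file infection. Added example, not any product's code: MZ header
field offsets are the documented DOS ones; the sample images are constructed."""
import struct

# The constant-byte "signature" the post jokes about (mov ax,1234h / nop),
# used here only as a stand-in pattern to search for.
SIGNATURE = bytes.fromhex("B8341290")

def entry_point_offset(image: bytes) -> int:
    """File offset of the first instruction executed.
    A .COM image has no header: DOS loads it at offset 100h and jumps there,
    so the first byte of the file is the entry point. An MZ .EXE starts at
    CS:IP from its header, measured from the end of the header, whose size
    e_cparhdr (offset 08h) is given in 16-byte paragraphs."""
    if len(image) >= 0x1C and image[:2] in (b"MZ", b"ZM"):
        cparhdr = struct.unpack_from("<H", image, 0x08)[0]
        ip = struct.unpack_from("<H", image, 0x14)[0]
        cs = struct.unpack_from("<H", image, 0x16)[0]
        entry = cparhdr * 16 + cs * 16 + ip
        if entry >= len(image):
            raise ValueError("entry point lies outside the file")
        return entry
    return 0

def scan_from_entry(image: bytes, pattern: bytes, window: int) -> bool:
    """Fast scan: look only at `window` bytes starting at the entry point."""
    start = entry_point_offset(image)
    return image.find(pattern, start, start + window) != -1

def scan_whole_file(image: bytes, pattern: bytes) -> bool:
    """Slow scan: look everywhere, as the post says McAfee does for Bomber."""
    return pattern in image

def build_exe(code: bytes, cs: int, ip: int) -> bytes:
    """Constructed minimal MZ image: 2-paragraph (32-byte) header plus code."""
    header = bytearray(32)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, 0x08, 2)   # e_cparhdr: 2 paragraphs
    struct.pack_into("<H", header, 0x14, ip)  # e_ip
    struct.pack_into("<H", header, 0x16, cs)  # e_cs
    return bytes(header) + code

# Sample 1: pattern right at the entry point (32-byte header + ip 10h = offset 48).
ENTRY_SAMPLE = build_exe(bytes(16) + SIGNATURE + bytes(200), cs=0, ip=0x10)
# Sample 2: pattern buried mid-file, well past a short entry-point window.
MIDDLE_SAMPLE = build_exe(bytes(16) + b"\xC3" + bytes(150) + SIGNATURE + bytes(16),
                          cs=0, ip=0x10)
```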
------------------------------

Date: Tue, 08 Feb 94 18:08:00 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Announcing F-PROT 2.11 (PC)

Announcing F-PROT 2.11

This version adds detection/identification of more than 450 new viruses, compared to 2.10. It identifies 3173 different viruses and also detects viruses belonging to 183 other families, giving a total of 3356.

Disinfection: F-PROT can disinfect 2644 (78.8%) of those viruses, but another 279 (8.3%) cannot be removed at all, as they overwrite or destroy the victim. This leaves 433 (12.9%) viruses that this version cannot disinfect, but that number will hopefully be reduced in the future.

Identification: This version identifies 1015 (30.2%) viruses exactly, meaning that it should detect even single-bit changes in the virus code. It does not attempt to identify viruses belonging to 183 (5.5%) families, but should be able to identify the remaining 2158 (64.3%) viruses with sufficient accuracy to avoid corrupting them when disinfecting because of a mis-identification.

- -frisk

------------------------------

Date: Tue, 08 Feb 94 18:10:02 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT mailer service (PC)

We have now installed an e-mail update service for users without FTP access who would like to obtain the latest version of the F-PROT shareware product directly from the source.

To use this service, you send an E-mail message to

        f-prot@complex.is

This is an experimental service and currently only the following commands are offered:

        send-to: email-address    (required)
        send-as: form             (optional)

The commands must be located at the start of the line, and whitespace is not allowed at the end of those lines.

'email-address' must be a valid E-mail address of the recipient.

'form' must be one of: 'uue' or 'xxe' and shows how the file should be encoded. It defaults to 'uue'.

- -frisk

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 12]
*****************************************
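The request format of the F-PROT mailer service announced above, as an added example that is not the service's own code: a validator that applies the stated rules (commands at the start of the line, no trailing whitespace, send-to required, send-as limited to uue/xxe and defaulting to uue). Its handling of anything the announcement does not specify is an assumption: unrecognised lines such as a signature are ignored, a repeated command is rejected, and the address check is only a loose sanity check. The sample requests and addresses are constructed.

```python
"""Validator for requests to the F-PROT e-mail update service described above.
Added example, not the service's code. Assumptions (not in the announcement):
unrecognised lines are ignored, a command given twice is an error, and the
address check is deliberately loose (one '@', no whitespace)."""
import re

VALID_FORMS = ("uue", "xxe")   # the encodings the announcement lists
DEFAULT_FORM = "uue"
COMMAND_RE = re.compile(r"^(send-to|send-as):[ \t]*(\S+)$")
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+$")   # loose sanity check (assumption)

def parse_request(body: str) -> dict:
    """Return {'send_to': address, 'send_as': form}, or raise ValueError."""
    fields = {}
    for lineno, line in enumerate(body.splitlines(), 1):
        # Commands must begin the line; a line with leading whitespace or any
        # other text is not a command and is ignored (assumption for non-commands).
        if not line.startswith(("send-to:", "send-as:")):
            continue
        if line != line.rstrip():
            raise ValueError(f"line {lineno}: trailing whitespace on a command line")
        m = COMMAND_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed command {line!r}")
        name, value = m.group(1), m.group(2)
        if name in fields:
            raise ValueError(f"line {lineno}: {name} given more than once")
        fields[name] = value
    if "send-to" not in fields:
        raise ValueError("send-to: is required")
    if not ADDRESS_RE.match(fields["send-to"]):
        raise ValueError(f"send-to: {fields['send-to']!r} is not a valid address")
    form = fields.get("send-as", DEFAULT_FORM)   # send-as is optional
    if form not in VALID_FORMS:
        raise ValueError(f"send-as: must be one of {VALID_FORMS}, not {form!r}")
    return {"send_to": fields["send-to"], "send_as": form}

def is_valid_request(body: str) -> bool:
    """True when parse_request accepts the body, False when it rejects it."""
    try:
        parse_request(body)
        return True
    except ValueError:
        return False

# Constructed sample requests; the addresses are placeholders.
GOOD_REQUEST = "send-to: user@example.org\nsend-as: xxe\n\n-- \nsome signature\n"
DEFAULTED_REQUEST = "send-to: user@example.org\n"
```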