VIRUS-L Digest   Monday, 28 Mar 1994    Volume 7 : Issue 20

Today's Topics:

Re: Intelligent detection
Questions about Wildlist
Antivirus Products Database
Re: Good Vs. Bad Viruses
"Harmless Viruses"
Re: strange virus message (PC)
Re: DOS 6.X Anti-Virus (PC)
Re: FORM problems (PC)
Thoughts on FORM infections...(PC)
Re: FORM problems (PC)
Re: FORM problems (solution) (PC)
Re: Clean 111 & Mich. (PC)
Re: vds comments (PC)
Re: vds comments (PC)
Re: Need info on Halloween virus (PC)
Re: Michaelangelo (PC)
Re: HEEEEEELP ME NOW!!!! : Filler Virus (PC)
re: Form virus (PC)
Re: Invalid COMMAND.COM from A/V Prog. (PC)
Monkey, an easier way (PC)
Re: HEEEEEELP ME NOW!!!! : Filler Virus (PC)
Re: New viruses (PC)
Re: Tecnical Concepts of Viral Defense (MBR/DBR infectors) (PC)
Boot Records (PC)
Re: New viruses (PC)
Compatibility: F-prot 211 and Nav 3.0 (PC)
Re: Clean 111 & Mich. (PC)
boot sector virus named newbug (name from mcafee scan) (PC)
Re: MICHELANGELO crashes 1994 (PC)
Thanks for all comments re best antivirus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 16 Mar 94 09:57:03 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Intelligent detection

Istvan Szucs (iszucs@stwing.resnet.upenn.edu) writes:

> University of Pennsylvania. I am currently working on a project, to
> implement an intelligent virus detector program on the PC. (By
> intelligence I mean capable of learning by example, using heuristics

It won't work.

> in an intelligent manner, etc). In theory I have solved most of the
> problems that came up to make the program intelligent, but there is

:-). Really? I suspect that you'll encounter a few problems when trying
to implement your "theory" in practice.

> one issue I haven't been able to settle to my satisfaction: extracting
> signatures automatically.

Just this sentence of yours is enough to determine your lack of
experience in the anti-virus field and to conclude that you are likely
to fail.

First of all, the term "signatures" is incorrect and misleading. It
makes people think that each virus has a "signature" - something unique
that distinguishes it just like the human signature is unique for every
human. Unfortunately, it is not so in practice. For many viruses an
almost unlimited (well, finite, but huge) number of byte sequences can
be selected that will detect the virus. For other viruses only one or a
few such sequences exist. Yet for some others no such sequence exists.
That's why most anti-virus experts prefer to use the term "scan
string". It is more appropriate, because it means that this is just a
string (a byte sequence) used by a scanner to scan for a virus.

Second, looking for viruses based on scan strings is only one line of
anti-virus defense, and a pretty weak one at that.

Third, there are viruses for which no scan string can be found that
matches all replicants of the virus.
Read the section of the FAQ for this newsgroup that explains what a
polymorphic virus is. The existence of such viruses makes looking for
scan strings obsolete as a single defense against viruses, be it
automatic or manual. It simply doesn't work.

> I am wondering if anybody attempted to solve this question
> automatically.

Yes, many. I am aware of at least two products which use this approach.
One of them is Victor Charlie, which heavily relies on it. Another one
is TbScan, the registered version of which allows automatic scan string
extraction from the new viruses. In none of the above cases does the
method work reliably enough to be used as a single (or even as main)
defense against viruses. It simply doesn't work against polymorphic
viruses.

> I think it would even be helpful if someone could tell
> me how it is done manually. From the books and articles I have read so
> far it seems to be a synthesis of disassembly and black magic. Is that
> true?

Yes. :-)

Seriously, it is a synthesis of disassembly and application of common
sense, backed up with a lot of experience in the anti-virus field.

There are different ways that scan strings can be picked manually,
depending on what goals exactly you want to achieve. Note that some of
those goals are contradictory, i.e., you can't satisfy them all.

1) Detect as many variants of the virus as possible. The scanner that
does this best is F-Prot. Obviously, Frisk is very good at selecting
the sequence of bytes in the virus that is unlikely to change in the
future, yet still reliably detects the virus. You should ask him for
advice if you are interested in achieving this.

2) Distinguish between the significantly different viruses as precisely
as possible. This is my approach, so I can tell you how to do it. Use
*two* scan strings, together with their offsets from the beginning of
the virus. As the first scan string, use the part of the virus code that
repairs the infected file at runtime and transfers control to it.
As a second scan string, use the part of the virus code that writes the
virus to the infected files. In the first case, make sure that you
include the instructions which fetch the saved original bytes of the
infected file from the place where the virus has saved them. In the
second case, make sure that you include the instructions which contain
the length of the virus. This approach attempts to ensure that on
disinfection you will not damage the file by disinfecting the wrong
variant. Disadvantages - often even a minor variant of the virus will
not be detected by this method and you will need a new set of scan
strings, resulting in a potentially huge number of strings (there are
about 4,300 known IBM PC viruses).

3) Cause as few false positives as possible. The guys at IBM have some
automatic approach of measuring whether a scan string is likely to
cause false positives, but I have yet to see it described in a paper.
The best person to contact is probably David Chess.

4) Make the life of the automatic scan string extractor as easy as
possible. For this purpose, just pick the first few (e.g., up to 16)
bytes from the entry point of the infected files, make sure that those
bytes are always the same among the infected files, and call this a
scan string. Needless to say, this method is easy, but extremely
unreliable and troublesome, as it is likely to cause false positives,
not to be able to distinguish between different viruses and so on.

> I would also appreciate it if someone would be willing to assist me
> with the project in a more general sense. I would be happy to exchange

I am afraid that I cannot help you more than telling you that your idea
will not work and not to waste your time with it. Unless, of course,
your goal is to determine how suitable the AI approaches are for
handling the virus problem. I wish you fun while learning how
unsuitable they are. :-)

In general, your idea is only valuable if implemented in a multi-line
virus protection scheme.
As a line that is not reliable, not likely to work, but which sometimes
works and doesn't hurt. I'm not sure, however, whether it is worth the
time and the efforts needed to implement it properly.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Wed, 16 Mar 94 09:58:58 -0500
From:    Garry J Scobie Ext 3360
Subject: Questions about Wildlist

Hi there,

I've been collating the number of virus infections here at Edinburgh
University for my annual virus review and have been checking the back
issues of virus-l. I reported the XPEH4.4752 virus to S & S
International earlier last year who also contributed to the Wildlist
published here in Dec 93. I also reported Brain (believe it or not :-)
at the same time. However, these do not appear to have been noted.

However, my main point is I drew a complete blank when asking for
details of this virus on this forum last year. S & S have phoned me
back several times to explain the problems of providing info on all
specimens they receive and are working on it. From my own efforts at
disassembly the virus in question appears similar to that described in
the hamburg catalog number 792.

I notice from the Wild List that something called Yankee
Doodle.XPEH.4928 is listed. Can anyone explain the naming conventions
that are being used here? Is the XPEH4 as identified by Solomons
findviru the same? Are they all related to yankee doodle?

Also from the wild list I see kampana.3700:boot and
kampana.galicia:boot but both have aliases of Telecom and Drug. Any
differences between these two?

Finally is there any real difference between stoned.standard and
stoned.wd3. This isn't mentioned in the wild list but the wd3 variant
has been picked up here.
I'm using findviru 6.53 drivers 10/02/94.

Cheers

Garry Scobie
LAN Support Officer
Edinburgh University Computing Services. Scotland.
e-mail: g.j.scobie@ed.ac.uk

------------------------------

Date:    Wed, 16 Mar 94 11:54:20 -0500
From:    dm252@cleveland.freenet.edu (Keith A. Peer)
Subject: Antivirus Products Database

I have found that one of the greatest problems facing anyone trying to
protect themselves against viruses is finding out what is available
and how to get it. So I have taken it upon myself to compile a virus
information database. This will be distributed FREE of charge to
universities, companies, and individuals (basically anyone who wants
it). Any help is greatly appreciated. If you know of a company but
don't know all of the information send me whatever and I will track
the rest down. If you are the author of an antivirus product this will
give you some FREE advertising! I will post the list as soon as I get
some responses, and I will also e-mail the list to everyone who has
sent me information. Thanks in advance for any help.

1.)  Contact (Person)
2.)  Company Name
3.)  Address
4.)  City, State, Zip
5.)  Country
6.)  Phone number (with area code or country code)
7.)  E-Mail address
9.)  Products
10.) General description of products or services
11.) Anything else you want to add

Please E-MAIL to -> dm252@cleveland.freenet.edu

- --
Keith A. Peer                                        +---------------+
Cleveland Freenet -=> dm252                          |    PGP Key    |
Internet -=> dm252@cleveland.freenet.edu             |   Available   |
Interests -=> Antiviral Software and Hardware        +---------------+

------------------------------

Date:    Wed, 16 Mar 94 17:04:22 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: Good Vs. Bad Viruses

>From: olpopeye@aol.com
>"Michaelangelo mentality" aside, viruses and their mentally deficient
>"intelligence-challenged" creators will be with us until the Constitution
>is changed to allow impaling, or hanging/drawing & quartering.

Never happen.
The first would be considered "littering", the second "cruelty to
animals" (the horses, not the virus writers).

Padgett

------------------------------

Date:    Wed, 16 Mar 94 17:28:39 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: "Harmless Viruses"

I have said before and will say again "there ain't no such thing as a
harmless virus" (TANSTAAHV - pronounced tahn-stahv).

Consider two oft mentioned: STONED and MICHELANGELO (well - on any day
except March 6th). Either one is essentially harmless except for
stealing memory. However, get infected by *both* and you could have a
major problem particularly if certain "disinfectants" are used
(FDISK/MBR is too dumb so works). Also there are other combinations
that should be avoided such as Jerusalem and Novell 3.11 print
redirectors.

Like drugs, many viruses have combinational effects that are best heard
about happening on the other side of the country and not at home. For
that reason, it is essential to know that an infection has occurred and
to remove it as soon as possible else multiples can happen.

TANSTAAHV

Padgett

------------------------------

Date:    Wed, 16 Mar 94 09:56:03 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: strange virus message (PC)

W. Tilstra (tilstra@dns.nhl.nl) writes:

> situation: PC-LAN (DEC microVAX, VMS 6.0, Pathworks for DOS 4.1-2)
> virusscanner F-PROT 2.11
> User1 wants to execute on her PC the file FLEX.EXE (Dataflex); this file
> is on the server. She gets the next message:
> infected with SPMf0MBNB4PMP4bTJ6 virus.

There is no such virus and F-Prot is not supposed to output such a
message. It looks like some kind of bug or incompatibility to me.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Wed, 16 Mar 94 09:57:54 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DOS 6.X Anti-Virus (PC)

Sharyn Bray (slbray@deakin.edu.au) writes:

> I was wondering whether anyone could offer
> an opinion, comment, thought etc. regarding the effectiveness of the
> Anti-Virus for Dos (and A-V for Windows) package now bundled with MS-DOS,
> version 6.x, compared to other offerings (such as Scan, V-Prot, etc.) ?

There is no such thing as "the" antivirus package that comes with DOS
6.x. Because there are *two* (even three) packages, which are rather
different.

The package that comes with MS-DOS 6.0 and 6.2 is a restricted version
of CPAV and is even worse than CPAV itself. (Amazing, I never thought
that this is possible. To produce something worse than CPAV, I mean.)

The package that comes with PC-DOS 6.1 (note the different name; it
comes from IBM, not from Microsoft), is a version (full, I think, but I
am not sure) of IBM Antivirus/DOS and IBM Antivirus/Windows. It is a
reasonably good anti-virus package and can be relied upon, although I
wouldn't say that it is the best one available.

At last, the package that comes with Novell DOS 7, is the scanner-only
part of the product that used to be known as Untouchable. As a scanner,
it is reasonably good. Too bad that they didn't include the integrity
checker, which is the best one in its class that I have ever seen.

How can they be compared with the other offerings? Well, MSAV is *much*
worse than SCAN. The other two products have lower detection rate than
SCAN, but are better in some other aspects, like virus identification,
for which SCAN is essentially useless, and virus removal, for which
CLEAN is often dangerous.

I am not aware of a product named V-Prot. However, if you mean F-Prot,
it is clearly superior to *any* of the scanners mentioned above.
However, it includes only an on-demand and a resident scanner, while
some of the other packages include other capabilities like monitoring,
integrity checking, and so on.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Wed, 16 Mar 94 09:57:36 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FORM problems (PC)

Gretchen King Ryan, Development (GRYAN@SCUACC.SCU.EDU) writes:

> Briefly, we can't seem to get rid of Form in our office and lately it
> appears to be getting more virulent. Is this possible? Vsafe and

No. Form is just a very widespread virus and you have to remove it from
all infected floppies - even the blank or data-only ones - otherwise it
will keep reinfecting your hard disks.

> Norton's don't always catch it. Lately, they can't repair it!

Hm. First of all, VSafe is a resident scanner/monitor; it cannot repair
*any* viruses. You should try the CPAV.EXE part of the package.

Second, while both CPAV and NAV are among the worst virus scanners
around, I had the impression that *both* are able to reliably detect
and remove the Form virus. It is possible that you have a new variant
of the virus. Since none of the packages you are using is able to
perform exact identification, they are essentially useless in
identifying the infection and often dangerous when used for
disinfection.

I would suggest the following:

1) First, get a real scanner. F-Prot. It is free for individual use,
will be able to identify whether what you have is really the Form
virus, will be able to remove it, or will tell you whether this is a
new variant.
2) Second, install some kind of boot sector virus protection on the
hard disks of all of your computers. Padgett's DiskSecure II and Henrik
Stroem's HS are two excellent choices. Unfortunately, I have the
impression that they don't co-exist well together, so you'll have to
select between one of them. I like more the concept of HS (DS modifies
your MBR and I don't like that), however, I was unable to make it work
on my machine. DS is freeware, HS is free for non-commercial use.

3) Third, check if your computers have the new AMI BIOSes, which allow
them to be set up to attempt to boot from the hard disk first, instead
of from the floppy. If this is possible, configure them to always boot
from the hard disk. This will keep the virus from reinfecting an already
clean machine, because all infections by this virus happen when the
computer attempts (not necessarily successfully) to boot from an
infected diskette forgotten in the floppy drive.

> In my opinion
> this virus should be taken quite seriously.

*All* virus infections must be taken quite seriously.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Wed, 16 Mar 94 09:58:18 -0500
From:    David Hanson
Subject: Thoughts on FORM infections...(PC)

I've seen several postings about Form and how hard it is to get rid of.
So, here are some thoughts from my experience.

Leaving aside the particulars of how to remove Form from a disk, there
is another important consideration that is often ignored.

Form is spread from computer to computer on the boot sector of floppy
disks. The hard drive becomes infected -only- when you attempt to boot
from an infected floppy (bootable *or* non-bootable).
Once the hard drive is infected, it infects -every- diskette you access
on that machine, whether you try to boot from the diskette or not.

OK. So you are unfortunate enough to (usually accidentally) attempt to
boot from an infected diskette. Your hard drive becomes infected, and
until you realize you're infected, -all- diskettes your machine comes
in contact with become infected. If the infection remains undetected
for a long time, or if you work in an environment where you come into
contact with a lot of diskettes, then there are a *lot* of infected
diskettes out there.

Then, somehow, you realize your machine is infected. You disinfect your
hard drive. Fine, but there are (possibly many) infected diskettes
floating around. It's safe to assume that -every single- diskette that
your machine has had contact with is infected.

So, the important consideration is that until you are *absolutely sure*
that you have checked and/or disinfected *every* diskette that has come
into contact with your machine (not always possible!), then you are at
risk for reinfection. That one infected disk will sit there until you
think the problem is solved. Then one day you accidentally leave it in
a:, reboot and your hard drive gets reinfected. If you are in an
environment with many people, hard drives, and floppies, the chance of
reinfection is almost certain.

On newer machines, there is usually a CMOS Setup option to disable boot
from floppy. If you have that option on your machine, you should use
it. If you -really need- to boot from floppy (i.e. suspected
infection), you can always go into setup and enable it temporarily,
then disable it.

I know I'm beginning to ramble, so I guess my main point about fighting
FORM (and other BS infectors) is to search for -all- infected floppies
with a fanatic fervor. And disable your boot from floppy.

Good Luck!
Dave Hanson
afrc-mis@augsburg-emh1.army.mil

------------------------------

Date:    Wed, 16 Mar 94 10:00:46 -0500
From:    THE BANDIT IS BACK
Subject: Re: FORM problems (solution) (PC)

"Gretchen King Ryan, Development" writes:

> I am
> a new internet user and am still quite confused about getting around.
> Briefly, we can't seem to get rid of Form in our office and lately it
> appears to be getting more virulent. Is this possible? Vsafe and
> Norton's don't always catch it. Lately, they can't repair it!
> We have lost a heck of a lot of data on floppies. In my opinion
> this virus should be taken quite seriously.

If you can get a copy of F-Prot V2.11 this should help you. I have
never had any problems with it and there is plenty of Form around here.
If you mail FRISK@COMPLEX.IS you can get it from them although they
will charge for it if you use it in a company/institute etc.

Good luck.
- --
THE BANDIT
MCSCS1NPT@DCT.AC.UK
MCSCS1NPT@ZIPPY.DCT.AC.UK
(The opinions expressed herein are not, nor do they reflect, those of DIT.)

------------------------------

Date:    Wed, 16 Mar 94 15:39:36 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Clean 111 & Mich. (PC)

jhs@gall.rdt.monash.edu.au (jhs@gall.rdt.monash.edu.au) writes:

> >was acting up, and would not boot off of any of the 6 backup copies
> >that I tried. Clean should have enough brains to be able to

> If you know how viruses work, you SHOULD have enough brains to
> realize, that there IS ONLY ONE WAY to do this, and I guess that 10
> years of experience in the area, they know what they are doing.

No need to flame him; he is perfectly right and you are wrong, in
several ways.

He is perfectly right to expect that if a virus removal utility claims
to have found a particular virus, and to have removed it, the result
should not be a screwed up hard disk.

First of all, there could be two possibilities for the screw-up. One of
them is that it has not been Michelangelo, but some similar (yet still
different) variant. In this case CLEAN is *wrong* for not identifying
the virus exactly and attempting the disinfection of the wrong variant.
My advice to the original poster - use a better disinfector the next
time. One that can identify "your" virus exactly - like F-Prot, for
instance - and which will not attempt to remove the virus if it is not
perfectly sure what to do.
Or use some backup utilities that save a copy of the original boot
sectors and restore them if modified. As a last resort - use FDISK/MBR,
but first make sure that your hard disk is accessible.

The second possibility is that CLEAN's algorithm for Michelangelo
removal has some bug - CLEAN is full of bugs and I have myself
discovered that one of the earlier versions trashes Michelangelo
infected 1.2 Mb floppies (this bug was fixed later). If this is the
case, then again CLEAN is wrong; not the user whose hard disk was
trashed.

Second, you are wrong in claiming that there is only one way to do it,
assuming that the "one way" is CLEAN's way. Somebody else posted that
it is impossible to identify the viruses in memory and to deactivate
them - he is wrong too; this is perfectly possible, only not easy,
that's why almost nobody bothers to do it.

Third, it is a surprise to me that McAfee claim "10 years experience"
in the field, especially having in mind that "the field" is about 8
years old. :-) I remember very well when McAfee seriously entered the
anti-virus business - it was around the DataCrime scare, although, of
course, he might have written virus detectors some months ago.

Last, I have seen enough bugs and design flaws in McAfee's products to
take the claim that "of course they know what they are doing" with a
grain of salt.

> That virus affects the boot partition and acts upon the FAT table.

Wrong. This particular virus infects the MBR of the hard disks and the
DBS of the floppies. It doesn't touch the bootable partition or the
FAT, except when its payload activates and it begins to overwrite the
disk.

> DO NOT SCREAM ON UTILITIES WHICH HELP YOU IF YOU HAVE STUFFED UP!

However, he is perfectly right to scream on utilities that have
*failed* to help him. After all, that's their purpose, no? They have to
help, or they are useless.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Wed, 16 Mar 94 15:45:19 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: vds comments (PC)

Fridrik Skulason (frisk@complex.is) writes:

> >The default .ini file contains QUICK_VERIFY = yes, which makes VDS
> >fail to find fairly significant changes to a test .exe file, including
> >changing several bytes, changing the date, etc.

> Those changes are "significant", but they are not virus-like - without
> having seen the program, I suspect it would catch all changes made by a virus
> infection - different entry points & changes to program size for example

Umm, I tend to disagree. A good integrity checker must be able to
checksum the *whole* file. It is OK if it has a fast-and-insecure mode,
in which it checks only things that are *likely* to be caused by a
virus and even if it does this by default. It is definitely *not* OK,
however, if it doesn't have the capability to verify the integrity of
the whole file.

As an example, consider the Omud virus. It sometimes overwrites a
random part of the file, without pointing the entry point to itself.
The file size doesn't change, the entry point doesn't change. An
integrity checker which tries to be too smart will not notice anything
- yet if the virus part in the file receives control during the normal
execution of the infected program, it will be able to run and infect
properly.

There are other examples, which are relatively easier to handle - like
the Emmie and LeapFrog viruses, which do not modify the file entry
point, but the place where this entry point points to.
True, they also modify the file size, but it is trivial to combine this
strategy with something like what Darth Vader or any other cavity virus
does.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date:    Wed, 16 Mar 94 15:52:19 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: vds comments (PC)

Jon Freivald (jaf@jaflrn.morse.net) writes:

Hi, Jon! How was your report accepted by your superiors?

> I'm in the unfortunate position of being required by higher
> headquarters to use this product. I have written a "talking paper"
> which has been submitted. If anyone is interested in getting a copy

The paper is fine, but is not completely relevant to this discussion.
What you have been forced to use (and what is reviewed in your paper)
is a stripped-down, brain-damaged version of the product, consisting
mainly of the scanner - which, I have to admit, is real crap (sorry,
Tarkan). The shareware version of the product which is on the ftp sites
contains also an integrity checker, which, unlike the scanner, is
reasonably good. Its main drawback is its inability to run on some
unusual environments, like compressed disks, encrypted partitions,
(maybe SCSI drives? dunno, don't have one to test), and so on.

> If there's enough interest, I can e-mail it to someone to post on an
> ftp site. Any volunteers?

Available from our ftp site in both .DVI and PostScript format:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/vds_rep.zip

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request.
> Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 16 Mar 94 15:54:31 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Need info on Halloween virus (PC) Fridrik Skulason (frisk@complex.is) writes: > Well, Helloween is really a whole family of viruses...at least 14 different > ones, with are 1063, 1182, 1227, 1228, 1288,1376, 1384, 1401, 1430, 1447, > 1684, 1839,1888 and 2470 bytes long. There are some structural similarities, Hmm, haven't seen that 1063 and 1228-byte variants, but I have 4 different variants which are 1376 bytes long. Guess that makes 17 different variants... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 16 Mar 94 16:04:52 -0500 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Michaelangelo (PC) phillip corporon (corporon@wizard.cse.nd.edu) writes: > Is there a cure for a hard drive that has been infected with the > Michaelangelo virus? Yes, most self-respecting disinfectors are able to handle this virus properly. > Is the FDISK /MBR command a possible solution? For this particular virus - yes, it is. But you still need some means to disinfect all your infected floppies, or a re-infection will almost certainly occur. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 16 Mar 94 16:11:55 -0500 From: "Steve Bonds (007" Subject: Re: HEEEEEELP ME NOW!!!! : Filler Virus (PC) ukjent (Ukjent person) wrote: >My scan112 reports a Filler virus in upper memory. Then I boot from a >clean, writeprotected disk and run clean112, but it doesn't remove the >virus. I've read that it formats part/all of disk!! One strong possibility is that you are running MSAV. Remove MSAV and install a real antivirus program and your Filler problems should disappear. (If you are looking for a program, I recommend F-prot ) -- Steve Bonds - -- 000 000 7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu 0 0 0 0 7 |----------------------------------------------------------- 0 0 0 0 7 | Childhood is short... [Calvin & Hobbes] 000 000 7 | ...but immaturity is forever. ------------------------------ Date: Wed, 16 Mar 94 16:15:29 -0500 From: "David M. Chess" Subject: re: Form virus (PC) >From: jeff.chilton@thor.ece.uc.edu (Jeff Chilton) >Did a disassembly on it and found it only activates on the 24th of >each month. When it does it messes around with the disk drive and >makes a mess of things. Either you were looking at a variant, or that's not quite right. The FORM activates on the 18th of the month (the return from INT 1A function 04 is in BCD, so when it compares to hex 18, it's really looking for the (decimal) eighteenth of the month). All it does different on that day is install a little keyboard interrupt handler that clicks the speaker as you type. (On every 18th of the month, support lines get lots of puzzled calls from users with noisy keyboards.) The FORM has no intentionally destructive payload, but it does assume that all bootable partitions are FAT formatted, and it can therefore mess up HPFS, Boot Manager, Linux, and so on. 
Cleaning up and protecting any single machine should be simple; any good anti-virus program should do it fine (I recommend IBMAV, hehe!). Protecting a whole organization is harder; there are always diskettes that people forget to scan, machines that people forget to install the antivirus on, and so on.

- -- -
David M. Chess                     Objects In Mirror
High Integrity Computing Lab       Are Closer Than They Appear
IBM Watson Research

------------------------------

Date: Wed, 16 Mar 94 16:15:42 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Invalid COMMAND.COM from A/V Prog. (PC)

John E. Lundgren (jlundgr@eis.calstate.edu) writes:

> So I ran F-PROT 211 on the bootable floppy, using the scan all files option.
> It said that the command.old (the one that gave me the problem) had been
> inoculated by Central Point Anti Virus, or maybe it was Vsafe.

It is CPAV, not VSafe. Yes, F-Prot is right.

> I'm guessing that CPAV is adding a checksum or something to the end of
> command.com when it is run. Apparently this changes the size of the

You are guessing correctly, only it is not a simple checksum. It is a piece of code, which is attached to the file much like a virus would have attached itself to it (however, this code doesn't have the ability to replicate itself). At runtime, when this code receives control, it checks whether the file is modified and if it is, tries to restore it. Needless to say, this often doesn't work.

> file, but not the date or time. I'm also speculating that MS-DOS 6.0 is
> doing a self-check on the command.com, and possibly other program files,

No, that's not true - otherwise it would detect viruses too - which it doesn't. More likely, the code is not attached properly to the command interpreter. Some buggy viruses cause this problem too.

> complains. I thought that programs like CPAV created a file in the
> directory with checksum info, and didn't touch the program files.
That's a different part of CPAV - the part that activates when you check the option to create checksums (or smartchecks, or whatever they call them this Wednesday). The piece of code attached to the file in your case is caused when running CPAV in "immunization" mode. Run it in "deimmunization" mode and it should be able to restore the file to its original state.

Regards, Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Wed, 16 Mar 94 16:20:58 -0500
From: "David M. Chess"
Subject: Monkey, an easier way (PC)

>From: Brian Seborg
> Since your disk-editor is likely
>to use the same interrupt that Monkey has hooked, you will get a
>decrypted copy of the partition table (unfortunately, you will also
>get the infected MBR too, but we'll fix this next).

No, you won't! The Monkey returns a copy of not only the original partition table, but also the original MBR code; it's fully stealthed in that sense. So the FDISK /MBR that you recommend after that isn't necessary (it's generally harmless, but it's not necessary). For someone with a certain amount of technical skill, this is a fine way to clean up the virus (trick it into giving you a copy of the real MBR, reboot without virus, install real MBR). In general, though, the average user is probably safer running some reputable anti-virus program...

DC

------------------------------

Date: Wed, 16 Mar 94 16:24:52 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: HEEEEEELP ME NOW!!!! : Filler Virus (PC)

ukjent (Ukjent person) (ukjent%slhk@nac.no) writes:

> My scan112 reports a Filler virus in upper memory. Then I boot from a
> clean, writeprotected disk and run clean112, but it doesn't remove the
> virus. I've read that it formats part/all of disk!!
> How do I remove it???

Check your AUTOEXEC.BAT file. There should be a line there, which starts a program named VSAFE. Remove that line and the problem will most probably go away. This ought to be in the FAQ.

Regards, Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Wed, 16 Mar 94 16:25:05 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New viruses (PC)

Greg Merideth (meritech@delphi.com) writes:

> Isn't it possible that it is going to get rather difficult in the near
> future to make a virus that cannot be detected?

Uh, no, quite the opposite. With the increasing numbers of new viruses produced, it is quite likely that there will be more and more viruses which the existing scanners cannot handle in a particular moment. On the other hand, with the new developments in virus writing many new technologies are developed, which allow more sophisticated viruses to be written - viruses that would escape many, if not all, of the current lines of virus protection. Any particular virus can be detected in one way or another, but it becomes increasingly likely that at a given moment, the anti-virus protection of a particular machine will not be able to detect the particular virus that has attacked it.

> If a virus accesses the disk, there's a checksum, if it searches for a
> com file, there's a checksum, overwrites a boot partition, there's a
> checksum, there's not much left to do.

Ugh, what are you talking about? What checksums? There is one in the EXE headers, but nobody bothers to use it, not even DOS.
Or are you talking about checksum-based anti-virus software, i.e. about integrity checkers? Have in mind that there are several rather effective ways to attack them too; see my paper on this subject.

Regards, Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Wed, 16 Mar 94 17:02:33 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Technical Concepts of Viral Defense (MBR/DBR infectors) (PC)

A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) writes:

> When resident it needs only 300 bytes of RAM so there should be no
> objections there. It write-protects the low level mutables that
> viruses attack - if someone tries to change the fixed disk label an
> error message will occur. If the user manages to change the label
> anyway, on the next boot an error message will appear and it will be
> set back to the original *before* the DBR code executes again.

Uhm, sorry, but I tend to consider the above more as an annoyance than as a protection. Can't your program make some more intelligent decisions and raise an alert only when the changes are *important*? Same with the write protection - if the image that is being written to differs from the already existing one only in the volume label field, your program should allow the write to occur, IMHO.

> Further, my programs are designed to be compatible with other
> antivirals and their TSRs - even CPAV/MSAV. The only problem noted is

I would just like to see your program more compatible with HS (and to see HS working on my machine, but that's a different story).
> True, there are some multiple boot systems that DS II cannot be used
> with - COHERENT for one but I suspect that these are in the minority
> and DS II makes a *lot* of checks before installation.

Why exactly Coherent? Do the more popular boot managers (OS/2, Windows NT, Linux) cause problems?

> But still low-level infections are obviously a major problem. Where
> did I go wrong ?

Ummm, lessee... You didn't design a huge, slow, but flashy user interface that slows down your product and makes it not able to run on an XT but allows the user to control it with a mouse? You didn't spend $$$ marketing the product (instead of developing it)? You didn't claim that it is *the* solution against the virus problem and that it detects 5000 viruses more than the competition? Well, I guess that's what you did wrong... :-)

Instead of doing the above (and pricing the product about $200), you have produced a small, reliable utility, which solves reasonably well one particular aspect of the virus problem, and have offered it for free.

Regards, Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Wed, 16 Mar 94 17:13:12 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Boot Records (PC)

Otto Stolz writes:

> An even better defence would be an integrity checker to compare the
> boot sectors to a copy of their original contents; however this will
> give a false positive when a user has given a new label to the disk.

Well I have found that if DOS is not allowed to change the Boot Sector in the first place (as with my DiskSecure), it just creates an old-style null label program and is happy.
True it will generate an error (as it should) when it tries to update the BS but no harm is done (have found out about a lot of programs that try to write where they shouldn't that way - of course you need a "real-time" integrity monitor to tell 8*).

Warmly,
Padgett

ps v2.41 is now able to *restore* changed boot records as well as MBRs.

------------------------------

Date: Thu, 17 Mar 94 00:31:17 -0500
From: datadec@ucrengr.ucr.edu (Kevin Marcus)
Subject: Re: New viruses (PC)

Greg Merideth wrote:

>Isn't it possible that it is going to get rather difficult in the near
>future to make a virus that cannot be detected?
>
>If a virus accesses the disk, there's a checksum, if it searches for a
>com file, there's a checksum, overwrites a boot partition, there's a
>checksum, there's not much left to do.

Well, .EXEs have a checksum, tell me how often that is used by a program.

Nonetheless, I think that the number of viruses, especially the number of viruses newly appearing in the future will diminish significantly in the future. Like 95% or so of all the known viruses only propagate in DOS. Sure, you could open up a DOS window in say, os/half and get one to propagate, but eventually, nobody will be opening DOS windows. How often do you see people turn around to use a CP/M machine? What about 5 years ago? 10 years ago you might have seen a few, but they quickly died out. I hear the next version of DOS will not even support .COM files, and more likely than not, after that, DOS will die... say, 2 or 3 years. Virus writers will have to move onto different platforms which are much more difficult to deal with/infect.

--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
     CSLD Room Monitor, Tues, Thurs 9-12p, Sat 11a-2p (909)/787-2842.
     Computer Science Dept., University of California, Riverside.
     .oOo.oOo.oOo. Thieves Suck. Don't steal. .oOo.oOo.oOo.

------------------------------

Date: Thu, 17 Mar 94 02:13:42 -0500
From: "Jeffrey Rice - Pomona College, California."
Subject: Compatibility: F-prot 211 and Nav 3.0 (PC)

Does anyone know about compatibility between F-prot and Nav 3.0? I would like to set both memory resident; F-prot for its excellent protection against known viruses, and NAV to monitor virus-like activities. However, I seem to get crashes with the two programs. Any ideas why, or if there is a way around it?

Also, on another note, I have heard that it is best to keep at least two scanning programs around, and I agree with this. But wouldn't also keeping two programs that scan using different methods be even better? If so, how can a user tell what method a scanner uses? I have NAV 3.0, F-Prot 211, and Clean 112. I assume these do use different methods; is this assumption true?

Jeffrey Rice
Pomona College

------------------------------

Date: Thu, 17 Mar 94 03:26:48 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Clean 111 & Mich. (PC)

Hello Mr. Baker,

woody@knapper.cactus.org writes:

>I just got hit with Michealangelo. My system is a dos 3.3 system with
>a 240 meg hard disk. I have a primary and a secondary partition. The
>secondary partition is split into volumes d: e: f: g: h: i: j: k:. I
>took clean111 and attempted to clean Mich off. There are two problems
>with clean111 in this situation. One is a stupid procedural problem
>to wit: When clean is scanning ram, and encounters Mich. active in
>memory, it quits, requiring you to boot off a floppy. My floppy drive

This is neither a bug nor a procedural problem, but rather the correct response to a serious condition, that of finding a computer virus in the system memory. This means that a virus program is executing on your PC and that while present it can interfere with attempts to detect and remove it, not just with the operation of your PC.

>was acting up, and would not boot off of any of the 6 backup copies
>that I tried. Clean should have enough brains to be able to
>inactivate Mich in memory, or at least know that once it cleaned it
>and you rebooted, that the active in memory portion would no longer be
>a threat. But

No, it can't do that. We used to deactivate viruses when they were found in memory. We stopped after receiving complaints from users about their systems crashing when a virus could not be disabled correctly. With the almost unlimited numbers of PC configurations in use, it is impossible to test for compatibility with each operating environment. Therefore it is quite logical to warn the user that a computer virus has been found in the memory of his (her) computer system and to power down the system and boot from a virus-free copy of the operating system on diskette before continuing.

>The other and much more serious problem, is that after I cleaned the
>disk heads, and managed to format a floppy with a system on it, and
>rebooted off of that, it cleaned the hard disk. BUT it killed the dos
>extended partition. Drives d - K had nothing on them. norton showed
>only 1 partition (the primary one). THIS IS TOTALLY UNACCEPTABLE
>BEHAVIOR. CLEAN SHOULD BE ABLE TO DO THIS WITHOUT CLOBBERING THE
>EXTENDED PARTITION TABLE. I spent an hour, working out what I thought

This is quite regrettable. I have advised our programmers of this and we will be looking into this to see if we can duplicate it. A test of CLEAN-UP against the Michelangelo on a PC with extended partitions (DOS 6.2, 1.8Gb drive formatted with Adaptec's AFDISK utility) was unable to duplicate this, so the problem does not appear to occur with all drives which have extended partitioning. However, until we have tried this on a system similar to yours (DOS 3.3, and DOS FDISK, I assume) I can not say for sure what happened.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

--
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Thu, 17 Mar 94 04:46:20 -0500
From: Marion Neubauer
Subject: boot sector virus named newbug (name from mcafee scan) (PC)

A person from my department brought a PC with a suspicious hard disk to the dealer. The dealer found a virus called newbug (name from scan v112). We scanned all other PCs and floppies and did not find any virus at all. Maybe someone took a floppy away, but I wanna know if it is possible that scan and f-prot (I tried it with both) did not recognize the virus under some circumstances?

Thanks for help
Marion Neubauer

------------------------------

Date: Thu, 17 Mar 94 06:45:32 -0500
From: FWF@GISA.GERMANY.EU.NET
Subject: Re: MICHELANGELO crashes 1994 (PC)

We collect for statistical purposes the MICHELANGELO crashes also of this year. The figures of the last years (collected calls at the BSI/GISA hotline +49-0228-9582-444):

1992: 1300 occurrences before the 6th of March
       150 crashes
1993:   50 crashes

Seems not so impressive, but you can multiply these figures without any problems at least by 10: A very humble valuation is that for every victim who informs us there are at least 9 other victims who don't inform us.

If you have information about MICHELANGELO occurrences and/or crashes please send e-mail to me.

Regards
Frank W. Felzmann

----------------------------------------------------------------
Bundesamt fuer Sicherheit in der Informationstechnik, Bonn
----------------------------------------------------------------
G German
I Information        <>  Voice +49-228-9582-248
S Security           <>  FAX   +49-228-9582-400
A Agency
----------------------------------------------------------------
"It's a Snark!" ... Then the ominous words, "It's a Vir---"
----------------------------------------------------------------

------------------------------

Date: Thu, 17 Mar 94 09:06:09 -0500
From: Dave Spitz
Subject: Thanks for all comments re best antivirus (PC)

I want to thank all of you who responded to my inquiry regarding the best antiviral software to use, including the 5 or 6 vendors who faxed me information. (Yes folks the vendors actually do read the email on this list).

As it looks right now, we are attempting to stay with McAfee Associates for our antiviral software. F-Prot is a very close second, and depending upon circumstances F-Prot may be the final choice. It is also possible that our purchasing department may decide that we need to send out bids to many vendors. If this is the case then I can't say who or what software we'll use.

For those who want to know, based upon all the responses I got, F-Prot and McAfee were pretty much neck and neck. I'd say that out of 100 responses, 60-75% recommended one of those two.

Once again, thanks for all your responses.

Dave Spitz                     VOICE:    1-414-297-7698
Computing Services             FAX:      1-414-297-8313
M.A.T.C., Milwaukee, WI.       Internet: SPITZ_DAVE@MUSIC.LIB.MATC.EDU

"Everything was fine 'till they put hard drives in PCs"

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 20]
*****************************************
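Editor's added example, not code from the digest, from VDS or from any product named in it: a toy integrity checker in Python that records the two kinds of baseline Vesselin Bontchev contrasts in his reply on QUICK_VERIFY earlier in this issue (size, date and entry point only, versus a checksum over the whole file), then applies a constructed in-place overwrite of the kind he attributes to Omud: bytes changed inside the file, length and entry point untouched. The MZ header offsets are the real e_ip/e_cs fields of a DOS EXE; the file image, timestamp and patch bytes are constructed for the demonstration, and SHA-256 stands in for whatever checksum a 1994 product used.

```python
import hashlib
import struct

# Offsets of the entry-point fields in a real DOS MZ header.
MZ_E_IP = 0x14          # initial IP
MZ_E_CS = 0x16          # initial (relative) CS
MZ_HEADER_LEN = 0x1C    # smallest header that still contains both fields


def mz_entry_point(image: bytes) -> tuple:
    """Return (CS, IP) from the MZ header; raise on a non-MZ image."""
    if len(image) < MZ_HEADER_LEN or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_ip, e_cs = struct.unpack_from("<HH", image, MZ_E_IP)
    return e_cs, e_ip


def quick_record(image: bytes, mtime: int) -> dict:
    """'Fast and insecure' baseline: size, timestamp and entry point only,
    i.e. the fields an appending file infector would normally disturb."""
    return {"size": len(image), "mtime": mtime, "entry": mz_entry_point(image)}


def full_record(image: bytes, mtime: int) -> dict:
    """Whole-file baseline: the quick fields plus a SHA-256 over every byte."""
    rec = quick_record(image, mtime)
    rec["sha256"] = hashlib.sha256(image).hexdigest()
    return rec


def verify(record: dict, image: bytes, mtime: int) -> bool:
    """True if the file still matches its baseline.  A record taken with
    full_record is re-checked in full; one taken with quick_record only quickly."""
    recompute = full_record if "sha256" in record else quick_record
    return recompute(image, mtime) == record


def make_exe(body: bytes, e_cs: int = 0, e_ip: int = 0) -> bytes:
    """Build a constructed minimal MZ image: header followed by the body."""
    header = bytearray(MZ_HEADER_LEN)
    header[:2] = b"MZ"
    struct.pack_into("<HH", header, MZ_E_IP, e_ip, e_cs)
    return bytes(header) + body


def overwrite_in_place(image: bytes, offset: int, patch: bytes) -> bytes:
    """Model of the modification described for Omud: bytes inside the file are
    replaced, while the length and the header entry point stay as they were."""
    if offset + len(patch) > len(image):
        raise ValueError("patch would extend the file")
    return image[:offset] + patch + image[offset + len(patch):]


def demo() -> dict:
    """Take both baselines, apply an in-place overwrite, re-verify both."""
    original = make_exe(b"\x90" * 64 + b"\xC3" + b"\x00" * 63)   # constructed body
    mtime = 763_000_000          # constructed timestamp; the overwrite keeps it
    quick = quick_record(original, mtime)
    full = full_record(original, mtime)
    modified = overwrite_in_place(original, 0x30, b"\xCC" * 16)
    return {
        "size_unchanged": len(modified) == len(original),
        "entry_unchanged": mz_entry_point(modified) == mz_entry_point(original),
        "quick_still_passes": verify(quick, modified, mtime),
        "full_still_passes": verify(full, modified, mtime),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

After the overwrite the quick record still verifies and the full record does not, which is the whole of the point being argued. The caveat a practitioner would add is the one Bontchev raises in his reply to Greg Merideth in the same issue: the baseline itself is an attack surface, so a real checker keeps its records off the guarded system or under a key, rather than as plain hashes beside the files.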
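A second added example, also the editor's and not from the digest: a Python decoding of the packed-BCD date that INT 1Ah function 04h returns (CH century, CL year, DH month, DL day), to make concrete why the comparison David Chess describes in his FORM reply, raw DL against the constant 18h, selects the decimal 18th, and why a listing that reads the same constant as a plain binary number reports 24. The register values in the code are constructed.

```python
def bcd_to_int(b: int) -> int:
    """Decode one packed-BCD byte (two decimal digits) to an integer.
    Rejects anything outside 0x00..0xFF or with a nibble above 9."""
    if not 0 <= b <= 0xFF:
        raise ValueError("not a byte")
    hi, lo = b >> 4, b & 0x0F
    if hi > 9 or lo > 9:
        raise ValueError(f"not valid packed BCD: {b:#04x}")
    return hi * 10 + lo


def decode_rtc_date(ch: int, cl: int, dh: int, dl: int) -> tuple:
    """Interpret the registers INT 1Ah/AH=04h returns (CH century, CL year,
    DH month, DL day, all packed BCD) as (year, month, day)."""
    return bcd_to_int(ch) * 100 + bcd_to_int(cl), bcd_to_int(dh), bcd_to_int(dl)


def day_matches_trigger(dl: int, trigger: int = 0x18) -> bool:
    """The comparison as described: the raw DL byte against the immediate 18h."""
    return dl == trigger


def readings_of_constant(trigger: int = 0x18) -> dict:
    """The same immediate read two ways: as a binary number (what a disassembly
    listing shows) and as the BCD value the RTC byte is actually compared to."""
    return {"as_binary": trigger, "as_bcd": bcd_to_int(trigger)}


def days_that_trigger(trigger: int = 0x18) -> list:
    """Encode every decimal day 1..31 as packed BCD and return the days that
    would satisfy the comparison, i.e. the calendar days it really selects."""
    hits = []
    for day in range(1, 32):
        dl = (day // 10) << 4 | (day % 10)   # decimal day -> packed BCD byte
        if day_matches_trigger(dl, trigger):
            hits.append(day)
    return hits


if __name__ == "__main__":
    print(decode_rtc_date(0x19, 0x94, 0x03, 0x18))   # constructed: 18 Mar 1994
    print(readings_of_constant())
    print(days_that_trigger())
```

Running days_that_trigger over all 31 encoded days yields only the 18th; feeding the decimal value 18 (0x12) to day_matches_trigger does not match, which is the mistake made when an RTC byte is treated as binary.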