VIRUS-L Digest   Tuesday, 29 Mar 1994   Volume 7 : Issue 22

Today's Topics:

Re: Intelligent Detection
Re: A few truths
Re: A few truths
Re: A few truths
re: A few truths
Re: A few truths
re: A few truths
Intelligent detection
Comm Viruses
Re: A few truths
Re: BUGSRES virus found (PC)
Re: Joshua & Joshi (PC)
Re: MS-DOS 6.x Anti-Virus (PC)
Re: MS-DOS 6.x Anti-Virus (PC)
Re: BUGSRES virus found (PC)
Re: New Proto-T (Multi-Partite, resident .COM infector) (PC)
Re: virusfree-ftp (PC)
Re: Michelangelo (PC)
Re: Shrink-wrapped virus? (PC)
PGP Signed Files & F-Prot (PC)
Re: BUGSRES virus found (PC)
Re: virusfree-ftp (PC)
Re: New Proto-T (Multi-Partite, resident .COM infector) (PC)
Re: Michelangelo (PC)
Re: New Proto-T (Multi-Partite, resident .COM infector) (PC)
Re: BUGSRES virus found (PC)
Re: MS-DOS 6.x Anti-Virus (PC)
Re: Delete-Beeping virus (PC)
Re: Is speed really important? (PC)
Artificial Life Online
CFP - Artificial Life Journal

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 24 Mar 94 17:39:52 -0500
From: panther!jaguar!cmeli@relay.iunet.it (Clyde Meli)
Subject: Re: Intelligent Detection

>> intelligence I mean capable of learning by example, using heuristics

>It won't work.

If you think about using, say, a Classifier System or a Genetic Algorithm, you'll run into a problem. You need a fitness function which, given a piece of code/data, can quantify how much of a virus it can be.

>> in an intelligent manner, etc). In theory I have solved most of the
>> problems that came up to make the program intelligent, but there is

>:-). Really? I suspect that you'll encounter a few problems when
>trying to implement your "theory" in practice.

I agree with you. A particular sequence of bytes cannot be interpreted on its own (as is required by a fitness function for a GA) - it must be analysed in the context of the rest of the code. Otherwise, for example, the suspicious sequence might turn out to have been just data, but the fitness function will not know this. That's why it is impractical to use GAs and Classifier Systems to look for scan-strings. They would be sort of 'blind'.

Clyde Meli, B.Sc., Teaching Assistant, Dept. of Information Systems, University of Malta, Malta.
Internet: cmeli@unimt.mt

------------------------------

Date: Thu, 24 Mar 94 17:39:41 -0500
From: panther!jaguar!cmeli@relay.iunet.it (Clyde Meli)
Subject: Re: A few truths

>Only today ( 15th-march-94 ), my counterpart in another one of the
>companies sites called me up and said " we have just been hit by
>Stoned on two platforms, have you got the stuff to deal with it". Whilst
>the physical damage is not that great, there is the time-factor involved
>which so far on this exercise is.

I just had to clean a 386 in the lab today. It was infected with Stoned.NoInt which has become quite common locally. I find it in our lab quite frequently, almost every week.
It is a nuisance and a waste of time also. Usually a number of PCs are infected. Finding the culprit who places it there is difficult as a large number of students utilize the lab. There is currently no legislation in Malta regarding the creation of viruses and I think there won't be for quite some time. The computer virus is not an issue here as viruses are quite few in number here. What we have here are the same few viruses (Casino.b, Maltese_Amoeba and Stoned.NoInt) infecting again and again.

Clyde Meli, B.Sc., Teaching Assistant, Dept. of Information Systems, University of Malta, Malta.
Internet: cmeli@unimt.mt

------------------------------

Date: Thu, 24 Mar 94 19:59:39 -0500
From: gwhalin@ux4.cso.uiuc.edu ()
Subject: Re: A few truths

>It isn't really technical, & you are missing the overall picture.
>You name specific examples.
>I can name specific counter-examples of viruses that cause no damage to the
>system.
>Example: A lot of innocuous Vienna variants.
>Just like you can cite damaging viruses due to incompatibilities
>I can name commercial products that cause damages to the system
>due to the same causes.
>
>The idea here is the majority of viruses are not intended to cause
>damage intentionally. If they do, well, they are not alone, commercial
>products have the same unexpected effects.
>Just try using a few newer products in older DOS systems.
>
>ktark@src4src.linet.org

I usually do not like to get involved in these debates, but this last statement so enthralled me that I felt it necessary to shoot off my big mouth. The previous poster states that the majority of viruses do not intend to cause damage intentionally. This may be true, but one must take into account that programming a virus is not what one would call a complex task. Any schmuck with a bit of knowledge of assembly can make a working file-infector. Now, it is a bit more of a task to program responsibly when it comes to memory management and such.
So, it is safe to assume that the average Joe can make a working virus that is potentially dangerous in certain situations. And, unless this average Joe is a very good programmer, there is bound to be at least one case where his virus will cause unintentional harm.

As to the statement made regarding commercial products also causing harm. There is one huge difference here. Commercial products are not sneaking around in the system. The common ignorant computer user is bound to be much more baffled by a sudden loss of data done by an unknown virus than by a commercial package. One other added bonus to commercial packages. . . In most cases, they have service reps that can offer possible suggestions to solve the problem. It would be nice, but I really do not think that many virus programmers are going to set up a tech line to help those that lost data due to the programmer's "nonmalicious" virus.

Later,

Greg Whalin       | Department of Computer Science
gwhalin@uiuc.edu  | University of Illinois Engineering - Urbana-Champaign
- ------------------------------------------------------------------------------
"I am pretty stupid, dude!"

------------------------------

Date: Fri, 25 Mar 94 02:58:11 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: A few truths

src4src!ktark@imageek.york.cuny.edu writes:

>> - We have a machine that automatically executes and
>> analyzes incoming viruses as the first step of "triage".
>> It regularly has its hard disk wiped, CMOS corrupted,
>> files erased, and so on. I suspect Stang may have
>> been misquoted here, or a sentence about only running

>The quote is as it appears on the magazine.
>So we have Mr. Stang's words against yours.

Not only against David Chess - me too. I have several machines that I use (and have used in the past) for virus infection, and they too have suffered from attacks of this type - I too have to regularly format the hard disks and reset the CMOS occasionally.
Of course, the vast majority of viruses that I run on this machine (around 7 new ones per day, on the average) are not destructive like this, but if even only 5% of them are destructive - it still means 10 new destructive viruses per month.... sounds destructive enough to me.

>Mr. Stang has no affiliations with AV products at all, you do.

Mr. Stang is indeed affiliated with a particular product - from Norman Data (previously Arcen Data - the Norwegian guys). He is good at marketing his product, but he is by no means a real "virus expert"....

>I can name specific counter-examples of viruses that cause no damage to the
>system.

So what? I agree that most viruses (and indeed most of the ones in the wild) are not intentionally destructive - one reason being that a really destructive virus usually cannot evade notice for very long, but there are still quite a lot of destructive ones available, thank you.

- -frisk

------------------------------

Date: Fri, 25 Mar 94 05:13:37 -0500
From: rreymond@vnet.IBM.COM
Subject: re: A few truths

Hi all,

Kohntark wrote:

>The idea here is the majority of viruses are not intended to cause
>damage intentionally. If they do, well, they are not alone, commercial
>products have the same unexpected effects.
>Just try using a few newer products in older DOS systems.

Hmmm.... I think you are not considering another side of the prob. A commercial product is usually tested (alpha and beta level) before release. Those tests are done in the widest possible environment, just to avoid incompatibility and/or system crash. It's the main interest of the developer to do so, 'cause it is not a good commercial image to sell products that, sooner or later, get the name of being buggy and lame. Obviously, it can happen that someone made an error or is too lazy to make extended tests, but this is very unlikely with a big software company.
On the other hand, it's possible to find some incompatibility due *NOT* to the products "per se", but to their interaction. Just for example, as you said, some actual progs on old DOS configurations, or some oldie sw on the latest machine/system. Each part works, but together they show some prob. But this is usually known, and documented. See the box of a lot of products: you can read that there are minimum requirements for use, and which kind. So, at least, I think there are very few progs that are so buggy that they can be compared to viruses. Even "in case of" it's often available some hotline service, or post-sale help or so on. You really aren't alone.

And viruses? I cannot believe they're so beta tested (it's difficult to believe many virus writers have a lot of environments for test...), and that's why FORM, for example, sometimes is *very* dangerous... Then, if a non-intentionally damaging virus makes some mess on my PC, I cannot call some hotline for that, isn't it???

And, finally, the real prob: why do I need a virus? Or, better, what task can be performed only by a virus, or so well that it cannot be made as well by a commercial/tested/assisted software????

.............................................Bye|
..................................................Roberto

- -----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond              IBM PSP - C.E.R.T. Semea
Circonvall. Idroscalo        RREYMOND@VNET.IBM.COM
20090 Segrate (MI)           ITIBM99K@IBMMAIL.COM
Italy                        RREYMOND AT VNET MI SEG 526
.........Phone +39.2.596.25244   Fax +39.2.596.29587..............
***********************************************************************
* " Another one bites the dust| " , Queen (The Game, 1980) *
***********************************************************************

------------------------------

Date: Fri, 25 Mar 94 07:25:09 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: A few truths

src4src!ktark@imageek.york.cuny.edu (src4src!ktark@imageek.york.cuny.edu) writes:

> Mr. Stang has no affiliations with AV products at all, you do.

Wrong. Dr. David Stang *is* affiliated with an anti-virus product - Norman Data Defense. Try to get your facts straight the next time before flaming the others.

> Whose word will I trust?

David Chess is a world-wide known anti-virus researcher. He is one of those who fights viruses. According to several documents I have here, the person using the handle 'Kohntark' is the author of about half a dozen viruses. He is one of those who write the viruses causing damages to our computers and wasting our time. Whose word will we trust?

> The answer in my eyes is pretty clear.

So it is in mine.

> > selected viruses may have been left out. While it's
> > certainly possible to argue about the nature of "most"
> > viruses, no one can deny that there are hundreds, and
> > probably thousands, of intentionally destructive ones.

> As there is an even larger quantity of viruses that are not
> "intentionally destructive."

You have completely missed the point. First, there is a huge amount of viruses that *are* intentionally destructive. Therefore to say that computer viruses are not harmful is ridiculous. Second, even those computer viruses that are not intentionally destructive are *not* harmless. They *do* cause damage - always. Sometimes it is damage caused by ignorance, because the wimp who has written the virus lacks some basic programming skills or elementary knowledge about the system.
Most of the time it is damage caused because lots of people have wasted their time to get rid of the virus.

> I can name specific counter-examples of viruses that cause no damage to the
> system.
> Example: A lot of innocuous Vienna variants.

Excellent example, let's investigate it further. We just had a case of a blind lawyer whose computer has been infected with the Vienna.648.Reboot.A virus. As you should know, this virus *is* intentionally destructive - it overwrites the first 5 bytes of the COM files with a Far JMP to the address of the reboot routine in the BIOS. This happens with probability of 1/8. In our particular case, 30 files were infected, 4 others were irreparably damaged.

Now, let's assume that it has been one of the "innocuous" Vienna variants (can you list some, BTW?). Then the 4 files wouldn't have been destroyed. So, we have 30 infected files. One of them was WIN.COM, which is a bit special and wouldn't run. The person needed Windoze, because he used some special software which displayed texts in HUGE letters on the screen, so that he could see them. He called us for help. He's not from Hamburg, so one of us had to spend a whole day driving to his town and fixing the problem. The whole story wasted a whole day of one of us and a few days of a disabled person who couldn't do his work. A "harmless" virus, indeed!

On top of that, the company supplying the software had a policy that they won't do technical support for modified copies of their software - be it by a virus, a disinfector, or whatever. Therefore, they requested the whole system to be sent to them, so that they could re-install the software themselves. Computing the cost of the whole operation is left as an exercise to the reader.

> Just like you can cite damaging viruses due to incompatibilities
> I can name commercial products that cause damages to the system
> due to the same causes.

There are several major differences.
First of all, commercial products are better tested than viruses. They are written by better programmers. They tend to have fewer bugs per byte of code. Gee, I have one virus here, standard CARO name YB.2277, which calls itself YB-2 and claims to be written by... uh... Kohntark. The virus is supposed to be polymorphic, using TPE. It is indeed linked with TPE, but the programmer who calls himself "Kohntark" has forgotten to put a call to the polymorphic engine. As a result, the virus is not only not polymorphic - it is not even encrypted, carrying with itself two kilobytes of useless and unreferenced code. If one of my students writes such garbage, I would tell him that he is not able to program his way out of a paper bag. And you want us to rely on such people to write bug-free self-replicating code? No way!

Second, the commercial products, even the allegedly buggy ones, do not spread by themselves. If I want to get rid of Word for Windows, I can simply delete it and it will not appear on my hard disk the next time I forget a diskette containing it in drive A: at boot time.

Third, the commercial products, even the allegedly buggy ones, come with a manual, a trouble-shooting guide, an address of the company that has produced them, and a telephone number for a tech support hotline. When the virus writers begin to submit their "products" this way, I'll reconsider. At last we'll have some way to contact the producer, complain about the bugs, and ask for an update.

Fourth, the commercial products get installed on my system only when *I* want them. There are several active steps I must do, in order to put the product on my system. At each step I know that I am installing a new (and possibly buggy) product. As opposed to that, the viruses are trying to sneak through my defenses, to pass unnoticed, and to infect my system against my will. They want to steal the control of my system from me. Anyone who doesn't see the difference needs new glasses.
Fifth, the people who write commercial software stand behind their products. If you demonstrate that it is buggy and damaging, they often will admit it and at least say that they are sorry. As opposed to that, the virus writers use fake names as handles, forge e-mail, and brag in public forums about how their civil liberties are being harmed by the people who want to introduce some laws to nail the bastards who are causing so much trouble to them.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                     Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Fri, 25 Mar 94 20:27:46 +0000
From: martin@cheam.demon.co.uk (Martin Veasey)
Subject: re: A few truths

src4src!ktark@imageek.york.cuny.edu " " writes:

> It isn't really technical, & you are missing the overall picture.
> You name specific examples.
> I can name specific counter-examples of viruses that cause no damage to the
> system.
>
> The idea here is the majority of viruses are not intended to cause
> damage intentionally. If they do, well, they are not alone, commercial
> products have the same unexpected effects.
> Just try using a few newer products in older DOS systems.

What actually is the picture here...? Naming specific examples of harmful / non-harmful viruses can take up hours of time. I would reiterate that no code has the "right" to live on my system and take up resources (HD, CPU time) without "permission". Commercial outlets that produce software with unexpected effects should also be castigated. I would never dream of defending virus writers because some viruses may be safe, some of the time.
- --
Martin Veasey                          | INTERNET lives
e-mail : martin@cheam.demon.co.uk      | in Cheam, Surrey, England

------------------------------

Date: Sat, 26 Mar 94 23:37:49 -0500
From: fernando@ubik.satlink.net (Fernando Bonsembiante)
Subject: Intelligent detection

In a message of Wednesday 16 March 1994, Vesselin Bontchev wrote to All:

VB> Yes. :-) Seriously, it is a synthesis of disassembly and application
VB> of common sense, backed up with a lot of experience in the anti-virus
VB> field.

It's true. Today I was thinking about that, about a standardized and easy-to-follow manual disinfection procedure for unknown viruses in unknown systems (I mean, with no pre-infection integrity checking). I arrived at the conclusion that it's impossible, even if the procedure is to be followed by a thinking person. It's definitely a matter of common sense and experience. Just think of polymorphic, multipartite, tunneling or FAT viruses...

The other day a person in a company where I was doing a disinfection asked me 'which is the best virus protection program, one that doesn't need updating or specialized knowledge to operate?' I answered 'Just hire me as a permanent consultant, and I'll take care of viruses. There is no possible absolutely safe automated procedure'.

Regards,
Fernando (fernando@ubik.satlink.net)

If you think communication is all talk, you haven't been listening.
(Ashleigh Brilliant)

{ Fernando Bonsembiante                                        }
{ Guemes 160 dto 2          Tel: (54-1) 654-0459               }
{ Ramos Mejia (1704)        Fidonet: 4:901/303                 }
{ Republica Argentina       Internet: fernando@ubik.satlink.net }

------------------------------

Date: Sat, 26 Mar 94 23:37:56 -0500
From: fernando@ubik.satlink.net (Fernando Bonsembiante)
Subject: Comm Viruses

In a message of Monday 14 March 1994, Bruce Bowen wrote to All:

BB> damages files or file systems, but one that makes crank calls over
BB> attached modems, makes long distance calls, etc., possibly at times
BB> when the owner is not home, or sleeping, or some other time when he or

The Armagedon virus, from Greece, makes a long distance call (if I remember well, in the middle of the night), but the dial codes it uses only work in Greece.

Regards,
Fernando (fernando@ubik.satlink.net)

If you think communication is all talk, you haven't been listening.
(Ashleigh Brilliant)

{ Fernando Bonsembiante                                        }
{ Guemes 160 dto 2          Tel: (54-1) 654-0459               }
{ Ramos Mejia (1704)        Fidonet: 4:901/303                 }
{ Republica Argentina       Internet: fernando@ubik.satlink.net }

------------------------------

Date: Sun, 27 Mar 94 03:14:35 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: A few truths

Hello,

Kohntark (?) writes:

>"David M. Chess" writes
>
>>> "I have run thousands of sample viruses on a machine, and I have
>>> never gotten wiped out,' Stang says, downplaying the reputation
>>> of viruses as computer killers.
>
>>With all due respect to David Stang, I'd like to add a few
>>contrary pieces of evidence from our own experience:
>
>> - We have a machine that automatically executes and
>> analyzes incoming viruses as the first step of "triage".
>> It regularly has its hard disk wiped, CMOS corrupted,
>> files erased, and so on. I suspect Stang may have
>> been misquoted here, or a sentence about only running
>
>The quote is as it appears on the magazine.
>So we have Mr. Stang's words against yours.
>Mr. Stang has no affiliations with AV products at all, you do.
>Whose word will I trust?
>The answer in my eyes is pretty clear.

[...rest of message deleted...]

I thought that Dr. David Stang was the U.S. agent for Norman Data Defense Systems, a company that makes computer security (antivirus) software.

Regards,

Aryeh Goretsky
- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Thu, 24 Mar 94 20:12:06 +0000
From: amn@ubik.demon.co.uk (Anthony Naggs)
Subject: Re: BUGSRES virus found (PC)

"jrezek1@vaxa.hofstra.edu"@vaxc.hofstra.edu writes:

> I have found a virus called BUGSRES on my PC with CPAV utility. I
> would like to know if this is a computer virus or not. When i run the
> latest version of NAV it says there is no virus. The computer seems
> to be fine and CPAV says this virus will affect all .SYS .EXE .COM
> files. Could this be an error or should i be concerned. Please help
> if you can.

'BUGSRES' is a joke program, it is not a virus. There are several versions: when run a portion stays in memory and at a later time 'bugs' suddenly appear on screen.
Regards,

- --
Anthony Naggs                                Paper mail:
Hat 1: Software/Electronics Engineer         PO Box 1080, Peacehaven,
Hat 2: Computer Anti-Virus Researcher        East Sussex BN10 8PZ
PGP: public key available from keyservers    Great Britain
Email: amn@ubik.demon.co.uk                  Phone: +44 273 589701

------------------------------

Date: Thu, 24 Mar 94 17:40:02 -0500
From: panther!jaguar!cmeli@relay.iunet.it (Clyde Meli)
Subject: Re: Joshua & Joshi (PC)

>Does anybody have a good anonymous FTP or other source for information
>about the PC Joshua & Joshi virii. We have recently seen them along with
>the widespread form virus.

Try the Computer Virus Catalog - filename msdosvir.792, directory /pub/virus-l/docs/vtc. The ftp site is cert.sei.cmu.edu. You can find information on Joshi in that file.

[Moderator's note: No, although the address cert.sei.cmu.edu works, it was long ago replaced by cert.org (IP number 192.88.209.5); please use the new name/number. Also, the version of VTC on cert.org might be out of date - Vesselin?]

Regards,

Clyde Meli, B.Sc., Teaching Assistant, Dept. of Information Systems, University of Malta, Malta.
Internet: cmeli@unimt.mt

------------------------------

Date: Fri, 25 Mar 94 01:42:15 +0000
From: RichardE@keeper.demon.co.uk (Richard Ellison)
Subject: Re: MS-DOS 6.x Anti-Virus (PC)

slbray@deakin.edu.au "Sharyn Bray" writes:

> Hi to all reading comp.virus,
>
> I was wondering whether anyone could offer
> an opinion, comment, thought etc. regarding the effectiveness of the
> Anti-Virus for Dos (and A-V for Windows) package now bundled with MS-DOS,
> version 6.x, compared to other offerings (such as Scan, V-Prot, etc.) ?

I would recommend that you do not use the so-called AV soft supplied with MS-DOS as it is not the best around (I am being diplomatic here). I suggest that you use something like F-PROT which is a very good and fast virus scanner (it is also shareware) or, if you would like to buy, then Thunderbyte Anti-virus is a very good choice.
- --
Richard Ellison

------------------------------

Date: Thu, 24 Mar 94 23:44:26 -0500
From: "Jeffrey Rice - Pomona College, California."
Subject: Re: MS-DOS 6.x Anti-Virus (PC)

slbray@deakin.edu.au (Sharyn Bray) writes:

> I was wondering whether anyone could offer
>an opinion, comment, thought etc. regarding the effectiveness of the
>Anti-Virus for Dos (and A-V for Windows) package now bundled with MS-DOS,
>version 6.x, compared to other offerings (such as Scan, V-Prot, etc.) ?

Well, Patricia Hoffman's VSumX lists MSAV as catching about 47% of the viruses. Not a very good rate. In my experience, this program is TOTALLY unreliable. In this same rating, F-Prot catches 97%, Scan 95%. The antivirus DOS comes with is worse than none at all; it makes you THINK you are protected, and stop thinking about infection, while really you are not protected at all.

-Jeff Rice

------------------------------

Date: Fri, 25 Mar 94 02:59:57 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: BUGSRES virus found (PC)

"jrezek1@vaxa.hofstra.edu"@vaxc.hofstra.edu writes:

>I have found a virus called BUGSRES on my PC with CPAV utility. I
>would like to know if this is a computer virus or not.

It is not a virus. It is a common "joke" program, that makes "bugs" crawl across your screen - quite harmless. Any decent scanner will either ignore it, or report it as a joke program.

- -frisk

------------------------------

Date: Fri, 25 Mar 94 03:05:04 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: New Proto-T (Multi-Partite, resident .COM infector) (PC)

hstroem@ed.unit.no (Henrik Stroem) writes:

> F-Prot 2.11 identifies some samples of the virus as Proto-T.1053,
> while other files are identified as "New or modified variant of Proto-T".
> I've proposed the name Proto-T.MP for this new variant (Multi-Partite).

The case is quite a bit more complicated - what we have is a program infected with two viruses - one a regular Proto-T variant, and another, which is totally unrelated.
F-PROT identifies the Proto-T variant when it is alone, or when it is the second program that infected, but when it is the first one, it will be reported as "New or modified variant of ...". This makes the description that was posted a bit misleading, but it really has to be separated into two parts.

- -frisk

------------------------------

Date: Fri, 25 Mar 94 03:08:32 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: virusfree-ftp (PC)

pdthomas@winternet.mpls.mn.us (Twins fan) writes:

>Does anyone know of some ftp sites that the uploads are scanned for
>viruses.

All respectable ftp sites do scan their uploads - oak.oakland.edu, garbo.uwasa.fi and all their mirrors do so - using not only one, but several scanners. However, this will only detect files accidentally infected with "old" viruses - if somebody really wanted to upload an infected program, he would probably create a brand new virus, not detectable with the scanners anyhow.

- -frisk

------------------------------

Date: Fri, 25 Mar 94 03:12:02 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Michelangelo (PC)

wdsst3@cislabs.pitt.edu (William D Sands) writes:

>Michelangelo starts to do that for you anyway. I just seem to
>remember that I have heard of people who have recovered at
>least some of the files from a harddisk infected in this
>manner.

Maybe this should go in the FAQ.... anyhow, the answer is "it depends"....

If the machine was turned off quickly enough when the virus activated, then yes - it should be possible to recover everything. If the hard disk is big enough - a large number of heads/sectors/tracks, then it might be possible to do a partial recovery. On a small hard disk, where the virus was allowed to run for a long time... just go ahead and reformat.

- -frisk

------------------------------

Date: Fri, 25 Mar 94 03:19:04 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Shrink-wrapped virus? (PC)

johnboyd@ocdis01.tinker.af.mil (John Boyd) writes:

>> The manufacturer denies having sent a virus-infected product, and when
>> we received a replacement floppy, it too was infected.

Well, I just hope you write-protected the disk before you scanned it - otherwise they can claim it got infected on your machine while scanning. I didn't see the original report (which virus was reported, by the way?), so I don't know if this was a false alarm, but if that is not the case then they do indeed have a serious problem....

- -frisk

------------------------------

Date: Fri, 25 Mar 94 06:11:35 -0500
From: ian.hebert@homebase.com (Ian Hebert)
Subject: PGP Signed Files & F-Prot (PC)

Some time ago, frisk@complex.is (Fridrik Skulason) wrote:

> I am aware of one hacked version of the VIRSTOP program, but not of F-PROT
> itself. However, there have been a few cases where the documentation has
> been changed without our permission - in one case even changing the
> address to send payments to...

Frisk, you already distribute your PGP public key with the shareware version of F-Prot. Why don't you include a PGP signature for the documentation, virus signature, and executable files? That would be the best way I can think of to allow users to assure themselves that they've got a legitimate copy....

Ian Hebert
London, Ontario, Canada
Internet: ian.hebert@homebase.com
FidoNet: 1:2401/114
PGP 2.3a Public Key Available on Request
RIMENet: ->5500

OBSERVATORY * RM 1.3 * Eval Day 34 *

------------------------------

Date: Fri, 25 Mar 94 07:23:09 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: BUGSRES virus found (PC)

jrezek1@vaxa.hofstra.edu (@vaxc.hofstra.edu) writes:

> I have found a virus called BUGSRES on my PC with CPAV utility. I

There is no such virus. Throw away CPAV and get a better anti-virus program.

> would like to know if this is a computer virus or not. When i run the

It is not.
> to be fine and CPAV sys this virus will effect all .SYS .EXE .COM

CPAV is wrong; get rid of it. BugRes is the name of a joke program which displays a few bugs eating the characters of your screen, when you press Alt-B. It's not a virus, it does not replicate, it does not infect any files, and it is almost certainly NOT on your system. CPAV is wrong. Throw it away.

> files. Could this be an error or should i be concerned. Please help
> if you can.

It is an error - on the part of CPAV. Get rid of it and use some real anti-virus product. If you insist on using a scanner, take a look at F-Prot. If you prefer an integrity checker - take a look at Integrity Master. Both products are rather cheaper than CPAV (F-Prot is even free for individual use) and *much* better than it. There are many other excellent anti-virus products of the above two categories - some of them shareware, some of them commercial.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                     Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >     Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany

------------------------------

Date: Fri, 25 Mar 94 07:42:37 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virusfree-ftp (PC)

Twins fan (pdthomas@winternet.mpls.mn.us) writes:

> Does anyone know of some ftp sites that the uploads are scanned for
> viruses. I am looking for a virus disinfectant or scanner but it would
> seem most obvious to me that someone would stick a virus in a
> disinfectant or a scanning program. I am also interested in sites that
> people know of that scan uploads.

Most well-known public ftp sites like Simtel20, Garbo, Wuarchive, Oak, etc. (including ours) examine carefully the software they make available for download.
It is not only checked for viruses - it is also checked for obvious bugs or copyright violations. Furthermore, all anonymous uploads are carefully logged, so that a malicious uploader can be traced, if necessary.

There have been very few cases of a virus being distributed in a product from the ftp sites. In fact, I know of only two such cases. One was a version of Telemate, which contained a variant of the Butterfly virus. In the other case, two students intentionally attempted to spread a new Macintosh virus. They were traced, found, sued, and prosecuted.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Fri, 25 Mar 94 07:44:38 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New Proto-T (Multi-Partite, resident .COM infector) (PC)

Henrik Stroem (hstroem@ed.unit.no) writes:

> New variant of Proto-T

[snip]

> MBR installation check by the virus itself: MBR[0],E8h -> JNE INFECT

[snip]

> F-Prot 2.11 identifies some samples of the virus as Proto-T.1053,
> while other files are identified as "New or modified variant of Proto-T".
> I've proposed the name Proto-T.MP for this new variant (Multi-Partite).

Sorry, Henrik, but you are wrong. The sample you have is actually infected by *two* viruses. One of them is a known one - Proto-T.LockJaw (which F-Prot calls Proto-T.1053). It infects COM files on execution by appending itself to them. The second virus is a new one - we decided to call it BootCOM, although it contains a string "Max". It is a very short (347 bytes) multi-partite virus, infecting MBRs on installation and COM files on execution. It is completely unrelated to the Proto-T family.
However, since it infects COM files on the same conditions as the Proto-T variant, it "masks" the latter, and F-Prot fails to see its scan strings for this virus at the appropriate offsets. That's why it reports the combination of the two viruses as a new variant.

> Since no other antivirus program is able to disinfect this new variant,
> I've written a small disinfection program to deal with the problem.

Meanwhile at least two programs have been updated to be able to detect and disinfect the virus. One of them is VET 7.621 from Cybec. The other is AntiVirus Professional - a shareware program from Eugene Kaspersky, available from our ftp site. The program itself was not updated; instead, an external database has been created, which makes the program able to deal with this virus. I am expecting a new version of the program (2.0, much improved) to arrive in a few days. Among other things, it is supposed to have the abilities to deal with this virus built-in. If somebody has *urgent* need to get rid of this particular virus, download the current version of the program and contact me for the database update. Please don't do this only "to be safe", because a new version of the program will be available in a few days. Do it only if your system is infected and you want to remove the virus.

> AVP 1.07 called this virus ComTSR, but could not disinfect.

"ComTSR" is not a particular virus, as far as I understand. AVP's heuristics have analysed the file and are reporting that it seems to be infected by an unknown (to AVP) virus, which is memory resident and can infect COM files. If you add the database update, it will name the virus correctly and will be able to disinfect it.

Just out of curiosity, the author of AVP produced a database entry to detect and remove this virus in less than 24 hours.
It can be done by anybody who has the Pro version of the scanner (available from our ftp site), who learns its virus definition language, and who can understand the virus well enough to describe how to detect and disinfect it.

> Does anyone know if any of the previous variants infects the MBR?

None of the Proto-T variants infect the MBR. Neither does the variant in the file you have. The MBR/COM infector in the file you have is completely unrelated to the Proto-T family.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Fri, 25 Mar 94 07:53:21 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Michelangelo (PC)

William D Sands (wdsst3@cislabs.pitt.edu) writes:

> at the moment. A friend of mine had his harddrive infected
> with the Michelangelo virus last week. I have plenty of
> software with which to disinfect his harddrive and floppy
> discs, but my question is: Is there any way to recover any of
> the data which was present on the harddrive, or is the only

Recovering a Michelangelo-destroyed disk is a very troublesome task. No software exists to do it automatically - and none can exist. Sometimes a data recovery expert will be able to recover large parts of the disk - depending on the particular conditions. It is probably going to cost more than re-entering the information and it is almost impossible to recover *all* of the destroyed information.

A much better solution is to restore from backups. What, you don't have any? Well, now you know that all those security experts telling you to make regular backups have been right. :-)

> alternative to reformat the harddisk (since I guess
> Michelangelo starts to do that for you anyway.
> I just seem to

No. The destruction caused by Michelangelo has nothing to do with disk formatting. It just overwrites the first 17 sectors of the first 256 tracks of the disk with garbage (usually - with zeroes).

> remember that I have heard of people who have recovered at
> least some of the files from a harddisk infected in this
> manner.

In some cases it is possible, but as I said, it has to be done by an expert, and is likely to be a costly operation with uncertain success.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Fri, 25 Mar 94 11:17:18 -0500
From: hstroem@ed.unit.no (Henrik Stroem)
Subject: Re: New Proto-T (Multi-Partite, resident .COM infector) (PC)

Henrik Stroem writes:

> New variant of Proto-T
>
> The virus infects the MBR of the first harddisk, then goes resident
> and hooks INT 21h. It has an INT 21/4B handler, which infects .COM files.
> Certain .COM files are not infected, because of a primitive letter check
> routine.

Well, this turned out to be two viruses in one file. The first virus was Proto-T.LockJaw, identified by F-Prot as Proto-T.1053. The other virus was not detected by F-Prot at all, and was the reason that some files were identified as a new variant of Proto-T.

[Snip]

> The virus seems to have a variable infective size.

Proto-T.LockJaw has infective length 1053 bytes, and the new virus has an infective length of only 347 bytes. This makes it the shortest multi-partite virus in the world (Wow :-)).

> F-Prot 2.11 identifies some samples of the virus as Proto-T.1053,
> while other files are identified as "New or modified variant of Proto-T".
Because of this, F-Prot cannot disinfect either of the viruses ;-(

I've made a disinfector for these two viruses, no matter in what combination they've infected a file. It also tries to disable the viruses in memory, so it might even work without booting from a floppy, but this is of course not recommended.

Anyway, I don't know of any scanner that detects the new multi-partite, resident COM and MBR infector of only 347 bytes. Heuristics will catch it though, with both F-Prot and TBScan. Vesselin suggested the name BootCOM for this new small multi-partite virus.

[Snip]

> I've called the disinfection program DISINF v1.0 since it is my
> first file-disinfector. It is available from me by E-Mail if
> requested.
>

It is now 1.10 and much improved. E.g., the MBR is disinfected if needed.

> The disinfection program is Copyrighted Freeware, meaning that it is
> free, but should be distributed in its complete unmodified form.
>
> Does anyone know if any of the previous variants infects the MBR?

The answer is no, I've found out. Proto-T is a file infector only.

Henrik Stroem (Author of HS Anti-Boot Virus)
Stroem System Soft (March 25th, 1994)

------------------------------

Date: Fri, 25 Mar 94 11:37:33 -0500
From: trent@rock.concert.net (C Glenn Jordan -- Virex-PC Development Team)
Subject: Re: BUGSRES virus found (PC)

<"jrezek1@vaxa.hofstra.edu"@vaxc.hofstra.edu> wrote:

>I have found a virus called BUGSRES on my PC with CPAV utility. I
>would like to know if this is a computer virus or not. When i run the
>latest version of NAV it says there is no virus. The computer seems
>to be fine and CPAV says this virus will effect all .SYS .EXE .COM
>files. Could this be an error or should i be concerned. Please help
>if you can.
>

Sigh. The BUGSRES program is an old joke program that goes resident when intentionally run. Afterwards, when the user hits Alt-B a bunch of ugly text-mode spiders will appear and erase the contents of your text screen. Hitting any key will restore the screen.
Hitting Alt-B will eat it again. I'm running it now in a DOS window and it's sort of cute. It will NOT "effect all .SYS .EXE .COM files". It is not a virus. It is not a Trojan. It is a good example of something that could have been the payload of a virus, but the author was not possessed of a twisted mind such that he wanted others to run his cute program whether they desired to or not.

The sample I have is BUGRES.COM, 5248 bytes long and written back in 1986.

C. Glenn Jordan - Virex for the PC Development

------------------------------

Date: Fri, 25 Mar 94 21:26:50 -0500
From: amichiel@rodan.syr.edu (Allen J Michielsen)
Subject: Re: MS-DOS 6.x Anti-Virus (PC)

slbray@deakin.edu.au (Sharyn Bray) writes:

> I was wondering whether anyone could offer
>an opinion, comment, thought etc. regarding the effectiveness of the
>Anti-Virus for Dos (and A-V for Windows) package now bundled with MS-DOS,
>version 6.x, compared to other offerings (such as Scan, V-Prot, etc.) ?

We recently had an outbreak of an older virus. It was listed in the virus list for the Microsoft bundled program. However, it didn't identify the infected disks or systems. Others reported the same problem with the one shipped with Value Points from IBM.

al

------------------------------

Date: Sun, 27 Mar 94 03:19:46 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Delete-Beeping virus (PC)

Hello,

clawsona@yvax.byu.edu writes:

>I have a suspicion that I have been infected by a virus, but am having some
>trouble in confirming this.
>
>From time to time when deleting a sub-directory, I will hear two "warning
>beeps" - sounds similar to those made by anti-virus programs to alert a user
>to the presence of a virus - but otherwise the PC behaves normally.

[...rest of message deleted...]

By any chance are you running any deletion-tracking programs (i.e., memory-resident programs used to keep track of deleted files so they can be unerased at a later date)? If so, that could be the cause of your PC's beeping.
Regards,

Aryeh Goretsky
Technical Support
- -- 
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California  | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA           | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Sun, 27 Mar 94 12:58:41 -0500
From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
Subject: Re: Is speed really important? (PC)

>TbScan has only 8 microprocessor instructions in the crucial inner loop.
[etc. etc. deleted]

Short of engaging everyone in a "my scanner is faster, my scanner is better, we sell more copies than you" war, let me bring a bucket of cold water to the matter.

I tested 100 different generations of the DSME (Dark Slayer Mutation Engine, Taiwan) available in most Virus Exchange BBSs around the world against F-prot 2.11 and TBSCAN 6.10. Other AV packages were not tested (Why bother?)

Results:
- -----------------------------------------------------------------------------
F-prot 2.11 Normal mode        => No viruses or suspicious files/boot sectors found
Tbscan 6.10 Heuristics level 1 => 55 files infected by DSME.
F-prot 2.11 /analyse mode      => No viruses or suspicious files/boot sectors found
Tbscan 6.10 Heuristics level 2 => 55 files infected by DSME.
- -----------------------------------------------------------------------------

It is pretty obvious Frisk hasn't gotten around to detecting DSME yet... (soon?)

It bothers me that we find this kind of bragging while TBSCAN flies by 45 infected files. How good is the fastest scanner if it is not accurate? Does the end user want speed or reliability? A wise decision would be to compromise some speed for more reliability.
This adolescent bragging reminds me much of the bragging that goes on in the virus-writing underworld...

Ktark@src4src.linet.org

------------------------------

Date: Fri, 25 Mar 94 14:20:46 -0500
From: cgl@santafe.edu (Chris G. Langton)
Subject: Artificial Life Online

ANNOUNCING: ARTIFICIAL LIFE ONLINE

The Artificial Life Online WWW-Server and BBS Service
Sponsored by MIT Press and The Santa Fe Institute

alife.santafe.edu

The Artificial Life Online/BBS is intended to be a central information collection and distribution site on the Internet for any and all aspects of the Artificial Life endeavor. The system is sponsored by MIT Press and the Santa Fe Institute.

The Alife Online service combines the functionalities of a WWW server, a Gopher server, an FTP site, an interactive bulletin-board-system, and Usenet News. Directions for accessing Alife Online and the ALBBS in these different modes are included below.

A special feature is a collection of 40 or so local newsgroups dedicated to a wide variety of topics in Artificial Life.

Many of the files and resources here are available to everybody via Gopher and WWW. However, to access the full range of BBS services, it is necessary to come in using telnet and to create a local account. This will allow you to participate in the local Alife newsgroup discussions, and to set up personal information files such as a plan, project, HTML personal home page, etc.

To access Alife Online via World-Wide-Web (WWW):

Use the URL http://alife.santafe.edu/

For best results we suggest using a client capable of handling color graphics and forms, such as Mosaic. A character-based (ASCII) client called "lynx" is also available -- but will not support graphics.

To access the Alife Online BBS (ALBBS) via telnet:

telnet to "alife.santafe.edu" and login as "bbs". You will find yourself in a specially constructed UNIX shell within which either BBS menu commands or UNIX commands can be used to browse around in the system.
To set up a local account, telnet to "alife.santafe.edu", login as "bbs", and run the "account" program. These accounts will initially be provided free of charge, but we will eventually have to charge a nominal fee in order to cover operating expenses (on the order of $15-$25 per year). Subscribers to the Artificial Life Journal from MIT Press will have this fee waived. Once you have an account on alife.santafe.edu, you can telnet to "alife.santafe.edu" and login as yourself.

You do not have to create an account to use the ALBBS via telnet - you can simply login as "bbs" and browse through the system using the BBS commands.

To access the www features in the context of a character based client, telnet to alife.santafe.edu and login to the BBS as "lynx".

To access Artificial Life Online using Gopher:

Connect to alife.santafe.edu (standard gopher port 70).

To access Artificial Life Online via FTP:

ftp to alife.santafe.edu, login as "anonymous" and type your login@homesite as the password. Everything interesting is in the "pub" directory.

Feedback:

Please let us know if you have any suggestions or questions about the Alife Online/BBS system. Send Email to: feedback@alife.santafe.edu

------------------------------

Date: Fri, 25 Mar 94 14:34:39 -0500
From: cgl@santafe.edu (Chris G. Langton)
Subject: CFP - Artificial Life Journal

CALL FOR PAPERS

A R T I F I C I A L   L I F E

MIT Press

Premiering in April with double Fall/Winter 1993 issue

Edited by Christopher G. Langton
Santa Fe Institute

We are soliciting contributed papers reporting research on the synthesis of biological phenomena in hardware, software, and wetware.

Artificial Life, a new quarterly from The MIT Press, is the first unifying forum for the dissemination of scientific and engineering research in the field of Artificial Life.
It reports on synthetic biological work being carried out in any media, from the familiar "wetware" of organic chemistry, through the inorganic "hardware" of mobile robots, all the way to the virtual "software" residing inside computers. Topics range from the origin of life, through self-reproduction, evolution, growth and development, animal behavior.... and so forth, on to the dynamics of whole ecosystems.

Artificial Life will be an essential resource for scientists, academics, and students researching artificial life, biology, evolution, robotics, artificial intelligence, neural networks, genetic algorithms, ecosystems and the origin of life.

The initial 3 issues of Volume 1 consist of a special set of overview articles, written by members of the Editorial Board, giving detailed reviews of distinct sub-disciplines within Artificial Life. Taken together, these articles constitute the most thorough and in-depth presentation of the theory and practice of Artificial Life provided to date; describing promising research directions, reviews of important open problems, and suggestions for new methodological approaches.
- -----------------------------------------------
Selected Articles from Volume 1, Numbers 1 - 3
- -----------------------------------------------

Kristian Lindgren and Mats Nordahl
    Cooperation and Community Structure in Artificial Ecosystems

Peter Schuster
    Extended Molecular Evolutionary Biology

Przemyslaw Prusinkiewicz
    Visual Models of Morphogenesis

Luc Steels
    The Artificial Life Roots of Artificial Intelligence

Pattie Maes
    Autonomous Agents and AL

Tom Ray
    An Evolutionary Approach to Synthetic Biology

Stephanie Forrest and Melanie Mitchell
    Genetic Algorithms and Artificial Life

Daniel Dennett
    Artificial Life as Philosophy

Stevan Harnad
    Levels of Functional Equivalence in Reverse Bioengineering

- ------------------------------------------------------

Quarterly: Volume 1 forthcoming, fall/winter/spring/summer
96 pages per issue, 7x10, illustrated, ISSN 1064-5462
Yearly Rates: $45 Individual; $125 Institution; $25 Student

For Submission Information            To order Subscriptions
please contact:                       please contact:

Christopher G. Langton                Circulation Department
Santa Fe Institute                    MIT Press Journals
1660 Old Pecos Trail                  55 Hayward Street
Santa Fe, NM 87501 U.S.A.             Cambridge, MA 02142 U.S.A.
TEL: 505-984-8800                     TEL: 617-253-2889
FAX: 505-982-0565                     FAX: 617-258-6779
cgl@santafe.edu                       journals-orders@mit.edu

- -----------------------------------------------------------------

Information about the Artificial Life Journal, and much more, is available over the Internet from the Artificial Life Online & BBS services, which are available via WWW, telnet, Gopher, and ftp. Try these access methods:

Alife Online WWW server:    http://alife.santafe.edu/
Alife Online BBS:           telnet alife.santafe.edu
Alife Online Gopher server: gopher alife.santafe.edu
Alife Online FTP server:    ftp alife.santafe.edu

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 22]
*****************************************