VIRUS-L Digest   Tuesday, 10 May 1994    Volume 7 : Issue 33

Today's Topics:

Good Viruses vs. Bad Viruses
Re: Number of viruses on non-PC machines (Acorn Archimedes)
GOOD vs. BAD HUH?
Re: The truth about good viruses
boot-437 (PC)
Virus Nonformatting Floppies? (PC)
Stone Virus (PC)
false alarm (boot sector changed) by McAfee SCAN ??? (PC)
NEWBUG[Genp] and AntiExe infection (PC)
dsii242.zip - BIOS-level anti-virus with access control (PC)
Virus software and tcp/ip (PC)
Re: Need info on Coffee Shop / April Fools (PC)
virus remover, Armor (PC)
Canaries (PC)
satanbug in sound files (PC)
good virus protection (PC)
HELP: Possible Virus with Windows (PC)
Re: WARNING: Possible virus on anonymous FTP, garbo.uwasa.fi (PC)
false alarm at garbo...
Smartscan beats virus in double quick time. (PC)
Scanners and detectors (PC)
VSUM??????? (PC)
Re: Monkey Curiosity (PC)
HELP!! We need info about the NATAS virus! (PC)
NEEDED: Info on possible Windows virus. (PC)
bull-212.zip - F-PROT Professional Update Bulletin in ASCII
Announcing HS v3.5, Anti-boot virus program (PC)
New files on our ftp site (PC)
New files available at CORSA.UCR.EDU
McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 29 Apr 94 11:29:00 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Good Viruses vs. Bad Viruses

From: olpopeye@aol.com

>>(See Vol 7 #24):
>>WHMurray@DOCKMASTER.NCSC.MIL asserts:
>>In fact, since the virus writer has so little control, his
>>intent is irrelevant.

>So little control?!?!?!?!  You mean, these mental twirps are being
>forced to write viruses at gunpoint?!?!?!?  Poor fellows!!

Probably should let Bill say something but what we seem to have here are two people arguing the same side of the question. The fact that "intent is irrelevant" is meant to defuse a defense (I didn't mean any harm...) by prima facie evidence of a reckless disregard for property, e.g. allowing a virus to escape. IMHO, "intent" has nothing to do with it other than possibly determining the severity of the punishment and not whether retribution is to be extracted.

Throughout history, the greatest crimes have been committed with seemingly good intentions, so much so that I consider it to be a red warning flag any time I hear someone expounding on "what is right", since it is usually leading up to self-justification for some anti-social act.

Facts are. Damage is. Intent is irrelevant except to determine how to cure the illness (if it is worth the bother).

Padgett

------------------------------

Date:    Fri, 29 Apr 94 11:35:52 -0400
From:    aglover@acorn.co.uk (Alan Glover)
Subject: Re: Number of viruses on non-PC machines (Acorn Archimedes)

>> Acorn Archimedes:   84 (according to a recent article in VB)

>56 (using the same source of information - the April issue).

The higher figure includes all distinct strains, and the lower figure is the number of distinct viruses.
In any case the figures are now something like 62/91.

Alan

------------------------------

Date:    Fri, 29 Apr 94 13:22:39 -0400
From:    dm252@cleveland.freenet.edu (Keith A. Peer)
Subject: GOOD vs. BAD HUH?

I have seen this topic for too long now. How can there be a discussion regarding this? What is a good virus going to do: Defragment my hard disk? Delete my old mail that I no longer want to read? Turn my PC on to wake me up in the morning?

A virus by nature is what? Its intention is to produce copies of itself and attach these copies to your programs (without you knowing) and either display a message, play a tune, fill up your disk, destroy data etc... How can this be good? NOT POSSIBLE!!! Any program that functions to work without the owner's approval is harmful. NO MATTER WHAT IT DOES!!!!!

How can one say that this is a "good virus" and another not? There is NO such thing. ALL VIRUSES ARE BAD, TERRIBLE, DESTRUCTIVE, HOSTILE. Please end this discussion.

Oh, if anyone has a virus that can turn my PC on to wake me up let me know :-)

Keith

- --
Keith A. Peer -=> dm252@cleveland.freenet.edu        +---------------+
Central Command Inc.                                  |    PGP Key    |
P.O. Box 856, Brunswick, Ohio 44212                   |   Available   |
216-273-5743 [Anti-Viral Services / Consulting]       +---------------+

------------------------------

Date:    Sun, 01 May 94 09:32:14 -0400
From:
Subject: Re: The truth about good viruses

Vesselin writes:

> Subject: Re: The truth about good viruses
> fc@Jupiter.SAIC.Com (fc@Jupiter.SAIC.Com) writes:
>
> > There ain't no such thing as a good virus
> > (because) they all cause damage under some
> > circumstances
> > The same is true for any program - what does
> > being a virus have to do with it? - Nothing
>
> The difference, as I am trying to explain to everybody, is that what
> *we* call *real* viruses spread without authorization. None of the
> "normal" programs do that. Also, what we call real viruses tends to
> contain many more bugs per byte of code than the normal applications.
> Sounds like a serious enough difference to me.

Vesselin makes a very good point. He is telling us that if you define viruses as being malicious, they are malicious, but my point is that this is not the widely published definition, it is not a sensible definition, and it is not a usable definition from a scientific point of view.

> > I've never met a virus I liked
> > Bigotry was never a good excuse before, why use it
> > as one now.
>
> Show me at least one person who wants to run a *real* virus on their
> machine. Then I'll show you at least 100 others who wouldn't. From
> your logic it follows that at least 99% of the people are bigots.

Again, Vesselin makes a good point. His point is that because the community of antivirus researchers has gotten so much publicity and has dominated the media coverage, 99 percent of people have the misimpression that viruses are bad. But of course, in the US until 30 years ago or so, 99 percent of whites thought blacks were inferior. Again, a case of massive application of stereotypes propagated as fact. There's a word for this. It's called propaganda. 99 percent of the community may well have fallen under the spell of this effort to bias people, but after they read the facts, perhaps they will begin to see the light as well.

> > Anyone who claims to like viruses is trying
> > to justify their past.
>
> ... or doesn't know what he is talking about.
>
> > Did you
> > know that many of us virus writers did good
> > things with our viruses?
>
> How many of you? With how many viruses? What and how many good things?

The reason you are unaware of these good viruses is that they don't spread wildly or out of control, they work well, and they are not usually identified under that name. Read my book It's Alive if you want examples.
> > You too can
> > feel good about yourself if you will only apply
> > these talents to the benefit of others
>
> But I, and many others, do - we help the others to keep the real
> viruses away from their machines. They seem to want it. We are not
> forcing anybody to remove the viruses from their machine. As opposed
> to that, many virus writers are going to big efforts to force people
> who they don't even know to install their viruses on their machines.

I don't deny that there are malicious virus writers, but I also don't deny that there are benevolent ones. You know well that I deplore people who launch malicious viruses, but on the other hand, I admire those who stand up for what's right and good with benevolent viruses.

> > All viruses are bad because they go where they
> > are not authorized to go, overwriting data, or
> > at least using otherwise available space and time.
> > The definition of virus does not imply spreading
> > without authority or overwriting other data.
>
> Gotcha! We are just talking about different things. I admit that what
> fits into *your* definition of "computer virus" (and, as you have
> admitted yourself, even DISKCOPY fits into it), *can* be useful, and
> even often is. In fact, many anti-virus packages in existence today
> are using virus-like (actually, worm-like) techniques to automatically
> update themselves on all workstations connected to a LAN. That's not a
> problem.

I don't know why you think you have gotten me in some way. If you agree that there are benevolent viruses, why not just say so, and then explain which viruses you feel are malicious instead of creating a misleading definition of a thing called a Real Virus and then claiming that all viruses are bad? I don't think that it is some amazing admission that DISKCOPY can be a virus given the proper environment. In fact, as you well know, EVERY finite sequence of symbols is a virus in some environment.
The fact that many antivirus packages use viruses in a beneficial way clearly demonstrates that you agree that there are benevolent viruses. Why not just say so up front and stop this foolishness once and for all.

> The problem, Dr. Cohen, is that we, the anti-virus researchers, are
> talking about something completely different. We are talking about
> *real* computer viruses, not about histories of the states of Turing
> Machines. We are talking about those nasty little programs, written
> usually by irresponsible adolescent kids, that try to sneak into our
> computers against our will and often to destroy our data. *That* is
> always bad, no matter what you are trying to tell me.

I don't believe I have ever said that such programs were good. But you don't state that "nasty little programs written by irresponsible adolescent kids that try to sneak into our computers against our will and often destroy our data" are bad. You say computer viruses are bad, and as you well know, these are very different things.

> > If
> > using otherwise unused space or time is inherently
> > bad, then all programs are inherently bad, not just
> > viruses, because all programs use time and space that
> > would not otherwise be used.
>
> No, I disagree here. That's not enough. Who are you to decide what is
> unused on my machine and who gave you the right to use it? It's *my*
> machine. It's my right to decide whether to run your program on it or
> not. If your program attempts to run without my authorisation, then I
> consider this bad, even if it uses only resources left unused at that
> particular time.

Then you agree completely with my assertion that when you decide to run a virus on your machine to do a useful function, that is OK. Nobody ever made the claim (as far as I know) that viruses are programs that run without the authorization of the user.
In fact, in the first and most famous paper on viruses, it was clearly demonstrated that viruses are not Trojan horses, and that they may indeed ask permission before replicating. So your point misses the point.

> > I await your further attempts at demonstrating that all viruses are bad.
>
> That's not a problem; the problem is to agree what we are talking
> about. As I said, I am ready to admit that what *you* call a virus can
> be a useful program. I'll keep insisting that all viruses, according
> to the general public's understanding of this term, are bad.

Then you agree that as responsible researchers, you and I should try to help the public understand that there are good and bad viruses, but that the ones that spread wildly and out of control are bad? I am pleased to hear this. I now ask that you join me in my effort to inform the public rather than try to maintain their ignorance. Tell them that there are benevolent viruses. Tell them that researchers that say this are telling the truth and that those who deny it are wrong. Tell them that the researchers who say you should blackball these other legitimate researchers are presenting a morally bankrupt position. Join the legitimate researchers of the world who seek to understand and clarify the issues to the public. Believe that the public can handle the truth and try presenting it to them instead of promoting a lie because it is convenient.

> Another problem, Dr. Cohen, is that you often tend to be too terse and
> not to explain in detail what you mean exactly - and do not express it
> in a language understandable by the general public. This often makes
> people not understand you, or misunderstand you. Is it surprising
> then that people tend to flame you? :-)

I plead no contest. The fact that I have written several books on the subject that are quite wordy and are available to the public aside, I will try to use more words in the future.
Perhaps I should start now, but no, I will allow others to use the unused space instead. I would not want to be accused of being a *real virus* writer by using extra space after all.

> There is also a third problem. A bunch of criminal-minded idiots are
> not taking even the slightest effort to understand you, and are
> intentionally misinterpreting your words, in order to find an excuse
> for their anti-social behaviour - virus writing. This is also bad...
> :-(

It is truly sad that criminals use the words of the sincere to ply their trade, but such is life. I am certain that criminals also use other words to justify their actions as well, but that does not mean we should stop extolling the truth.

> On the same subject, Dr. Cohen, I would like to ask you: how many of
> the viruses in my virus collection (there are about 4,300 of them)
> will *you* be willing to run on *your* machine?

I would be happy to run them all on my machine, but unfortunately, ever since I started stating that there are benevolent viruses, nobody in the antivirus research community has been willing to send me copies of any of their viruses. Indeed, several of them have tried to keep me out of CARO and other such organizations (successfully, I might add) despite the fact that I implemented one of the most successful virus defenses available to date. It seems that money is more important than the truth in the group you are a member of. I look forward to your copies of 4,300 viruses, and I will happily have the people that now develop Integrity Toolkit announce its (likely 100 percent) success rate in Virus-L.

> Looking forward to seeing your work. I don't doubt that it will be really
> interesting and valuable, unlike that junky virus writing guide
> published by Mark Ludwig.

You must know that I would never do such a thing.

> Regards,
> Vesselin

Sincerely yours,

FC

------------------------------

Date:    Tue, 26 Apr 94 11:10:44 -0400
From:    "Jeremy J. Blumenfeld"
Subject: boot-437 (PC)

Hello,

A student came into our lab today returning from Albania with the boot-437 virus on his diskettes, as reported by F-Prot 2.11. Unfortunately, F-Prot reported that "This version of F-Prot cannot disinfect ..."

Any help?

jeremy blumenfeld
jjb18@columbia.edu

------------------------------

Date:    Tue, 26 Apr 94 14:38:50 -0400
From:    amn1@cornell.edu (Alex Nemeth)
Subject: Virus Nonformatting Floppies? (PC)

Hi there,

Strange as it may seem, is there a virus that causes just the floppy to become "unformatted" and not affect the hard disk? I have 4 disks from 3 separate machines that "suddenly" became unformatted. I get the same message from 3 different versions of NDD & Mace on each of these disks. The message is, "This disk may not have been formatted" & its answer is "Only a low level format will correct the problem". According to the users, they were using the disks "just yesterday". I followed up with F-Prot 2.11 on all the machines these disks could have been in contact with and I was given a clean bill of health on each. I also gave each machine a full diagnostic on each component; everything checks out ok. This doesn't seem to depend upon a specific DOS version. It's happened on DOS 3.3 (IBM DOS), MS-DOS 4.0 & MS-DOS 5.0. As I'm writing this, disk #5 just walked in the door. Same symptoms. Same problem. Any ideas? I'm redownloading the FAQ (my other copy is 2 yrs old) just in case I missed something.
Thanks

Alex

** Alex Nemeth       : Senior Workstation Technician
** amn1@cornell.edu  : CAD Technical Specialist
** N2YEL (147.180)   : College of Human Ecology/
** NYSEMS CFR        : Division of Nutritional Science
607.255.1128 - Voice, 607.255.3794 - FAX
G85 MVR Hall, Cornell University, Ithaca NY, 14853

------------------------------

Date:    Wed, 27 Apr 94 10:37:45 -0400
From:    wongck@math.ohio-state.edu (Chi-Kun Wong)
Subject: Stone Virus (PC)

Hi;

Recently, I discovered the Stone virus on one of my floppy disks, and I suspect that my system is also infected. Can anyone tell me: What is a Stone virus? How to detect it on my system? And how to remove it?

Please email me at wongck@math.ohio-state.edu

Thanks in advance

Jimmy Wong

------------------------------

Date:    Wed, 27 Apr 94 10:37:57 -0400
From:    Christian Fritze
Subject: false alarm (boot sector changed) by McAfee SCAN ??? (PC)

We are using McAfee antiviral products in our company. Some days ago I wanted to change the VSHIELD strategy by adding validation codes using

    SCAN.EXE c: /AF filename.crc

After doing so,

    SCAN.EXE c: /CF filename.crc

reported the boot sector was changed. Obviously this seems to be a bug in SCAN (or a feature???) because until then we used VSHIELD with the options /cv /lh /chkhi /m and the validation codes were regularly added by SCAN /av including scanval.val. We never encountered any problems then...

We are using OS/2 Boot Manager, VSHIELD113, SCAN113.9.24, MS-DOS 5.0 German.

Anyone out there who knows how to get around this problem?

Thanks in advance...

This mail will be sent to virus-l by a friend who is lucky enough to have a sysadmin who allows for international mail :-{ I can however *receive* mail from anywhere, so you can reply to clamor@odin.dvz.fh-dortmund.de as well.
Best regards

Bodo Clamor

------------------------------

Date:    Wed, 27 Apr 94 15:29:00 -0400
From:    tds@ares.cs.wayne.edu (tds)
Subject: NEWBUG[Genp] and AntiExe infection (PC)

Any suggestions or assistance with the following problem is greatly appreciated.

An IBM model 56 PS/2 has this strange infection (4MB RAM, Windows). F-Prot (v211) reports the AntiExe infection in the master boot record on the fixed disk. VirusScan 113 reports a NewBug infection [Genp] in the partition table.

How can I counter this dual infection? Will the FDISK command work, and how to use the /MBR parameter?

Thanks in advance for any insight into this problem.

------------------------------

Date:    Mon, 25 Apr 94 10:41:00 +0200
From:    Trevor_Learoyd@p11.f107.n441.z9.virnet.bad.se (Trevor Learoyd)
Subject: dsii242.zip - BIOS-level anti-virus with access control (PC)

Hi Padgett,

On 06 Apr 1994 you wrote to All:

 APP> I have uploaded to the SimTel Software Repository
 APP> pub/msdos/antivirus/dsii242.zip   BIOS-level anti-virus with
 APP> access control

Do you or anyone else know of a *UK* VirNet or FidoNet source for your program?

Thanks,

Regards......Trevor

- --- timEd 1.00
 * Origin: Red Shifted from Index3 (9:441/107.11)

------------------------------

Date:    Thu, 28 Apr 94 10:06:18 -0400
From:    upsidedn@bu.edu (David Bronstein)
Subject: Virus software and tcp/ip (PC)

I recently loaded tcp/ip by ftp and my Detect/Plus virus software detected a virus. Does anyone know if this is a real virus or just a detected change by the virus software?

P.S. I apologize for the crude nature of this post, but this is my first attempt over the net. Please respond via e-mail to upsidedn@aaacs.bu.edu

------------------------------

Date:    Thu, 28 Apr 94 10:09:09 -0400
From:    jkarhune@cc.helsinki.fi (Jarkko K Karhunen)
Subject: Re: Need info on Coffee Shop / April Fools (PC)

David Mitchell (mitchell@ncsa.uiuc.edu) wrote:

: it was keyed for April Fool's Day, or Good Friday.  Please
                                        ^^^^^^^^^^^

Last time I looked, Good Friday was on a different date each year!

- --
jarkko.karhune@helsinki.fi    My opinions are mine!
jkarhune@babel.helsinki.fi    Don't you dare try to mark them as "University Property"!

------------------------------

Date:    Thu, 28 Apr 94 10:42:35 -0400
From:    bzhai@mason1.gmu.edu (BIAO ZHAI)
Subject: virus remover, Armor (PC)

Could somebody tell me what the top 5 virus removal software are? Ever heard of Armor by Norman Data Defense Systems?

Thanks in advance.

- - Bob

------------------------------

Date:    Thu, 28 Apr 94 13:42:29 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Canaries (PC)

>From: fuzzy@nttsgw.yh.ntts.co.jp (Toru Fujii)
>Subject: Is it possible to detect viruses this way? (PC)

>Method is really simple.
>1. Make an .EXE or .COM file which the only content is RET code or something
>   similar and very small (1 byte or so.)
>2. Run this program and see change in its size.

Wrote a program like this myself during the DATACRIME scare in 1989. Was a little .COM file that just checked itself for infection and screamed if different. Just to foil self-identifying viruses, I made it change its date/time signature each time it executed.

Worked well for JERUSALEM and SUNDAY as well but had no chance against FRODO/4096 (1990) or any well written "stealth" virus. Same thing happened with "companion" viruses.

So it is a good technique to use against most non-stealth program infectors (some won't infect a file less than xxx bytes long, others won't infect anything over yyyy bytes. Still others won't infect any file with certain characters in its name. As Dr. Fred would say, "to CANARY, they would not be viruses"). Like any other single technique (save complete abstinence), it will be of only limited effectiveness and you would need "something else" to fill in the holes.
Warmly,

Padgett

------------------------------

Date:    Thu, 28 Apr 94 16:02:54 -0400
From:    WOLF@vaxb.acs.unt.edu
Subject: satanbug in sound files (PC)

I have sent the message below in reply to an earlier warning regarding MODEDxX.zip at oak.oakland.edu.....

Greetings, the likelihood of satanbug being in a sound file (.SAM) is virtually nil. The problem that causes this is the following: Satanbug is a polymorphic virus. Therefore, to scan for it, one must use an algorithmic approach in which one looks for certain commands that could constitute an encryptor with a large amount of effectively gibberish in the middle. F-Prot picked this up when you scanned *.*, as its algorithms were not perfect. I have had a similar mishap with TBSCAN regarding the Satan Bug virus, where again a music file (although this was from a different format, I believe) was scanned as infected. It is a false alarm. I'd recommend reposting to Virus-L and anyone else you contacted presenting this information to them.

Cheers,

Wolf

------------------------------

Date:    Thu, 28 Apr 94 16:04:55 -0400
From:    hank@UTKVX.UTCC.UTK.EDU (Hank Pike)
Subject: good virus protection (PC)

Hello,

Could somebody list some of the pros and cons of the different virus packages? Norton, F-Prot, any others that are out there. I know very little; right now I use Norton and/or MS-DOS Anti-Virus (basically Norton, right?). Please email me or post here. Thanks.

Hank Pike

------------------------------

Date:    Fri, 29 Apr 94 09:40:45 -0400
From:    amarks@nella30.cc.monash.edu.au (Andy Marks)
Subject: HELP: Possible Virus with Windows (PC)

Hi All,

In the last month or so, both my home and school PC have been giving me considerable problems when running Windows. Windows seems to think C: is A: when trying to Run or New from the File menu and also cannot change the screen setup as it cannot locate the program group .grp files on C: (because it is looking at A:). Strangely enough, File Manager seems to recognize the drives OK.
This sounds suspiciously like a virus, but I've just run version 114 of McAfee SCAN on my hard disk with nothing found. Apart from Windows, my PC is working fine!!! Has anyone had problems like this before?

PS. The problems started to appear about the same time as I first installed 4DOS (a COMMAND.COM replacement), but they remain even when using COMMAND.COM as a shell.

Help!!!!

- --
Andrew Marks                                amarks@nellads.cc.monash.edu.au
Masters by Research (Software Development)  Monash University, Victoria
GCS -d+(?) p/-p+ c+(++) l u(+) e++ m+(--) s+/(s++) !n h* f?(!) !g w+ t- r@ y++
ENTJ ... and proud of it!
"Plant you now - dig you later"  The Ghost (3RRR)

------------------------------

Date:    Fri, 29 Apr 94 09:45:16 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: WARNING: Possible virus on anonymous FTP, garbo.uwasa.fi (PC)

MCHLG@CUNYVM.CUNY.EDU (MCHLG@CUNYVM.CUNY.EDU) writes:

> ************** VIRUS ALERT ***** VIRUS ALERT ***************

Calm down, calm down. And remember - the first rule when you suspect a virus infection is: DON'T PANIC!

> system. anyhow, I HAVE DISCOVERED A NASTY LITTLE CRITTER IN A FILE
> FROM THE FTP SITE GARBO.UWASA.FI

You mean: you have discovered what you believe is a virus. Don't worry; it almost certainly isn't. And this case is yet another example why scanners should not be trusted blindly, or why viruses should be identified exactly, or...

> The filename you should be looking
> for is MODED301.ZIP In this zip file, the file: HALLBRAS.SAM IS
> INFECTED WITH THE SATANBUG VIRUS.

First, you didn't tell us the exact directory the archive is in. I wanted to verify your report but couldn't, because Garbo is a huge ftp site and looking for a file in its many directories is nearly impossible, if you don't have at least some idea where this file might be.

Second, this particular virus does not infect non-executable files, which already makes the report suspicious.

> I found using Frisk's F-prot ver.
> 2.09d.
> DO NOT USE F-PROT VER 2.11 TO SCAN THIS FILE, I TRIED DOING THIS AND
> THE ZIP FILE CAME UP CLEAN.

No need to shout, we read you loud and clear. Try thinking instead. Let's see, version 2.11 is supposed to be better than version 2.09d. Version 2.09d detects a virus in one file, while version 2.11 doesn't detect a virus in the same file. Where is the improvement? Could it be that version 2.09d was simply *wrong*, caused false positives, and Frisk has fixed the problem in version 2.11? Hmm? Oh, yes, if you are not familiar with the term "false positive", I recommend the FAQ - read question C5.

> now, Frisk, can u explain why ver 2.09d
> caught this bug but 2.11 doesn't? I'd really like to know. as you are

Frisk certainly can; I can only repeat my recommendation to read the FAQ.

> reading this, a more detailed analysis is being done. for the time

Well? Ten days since you submitted the message - what did the more detailed analysis show?

> being AVOID THIS FILE, BECAUSE MOST LIKELY THE EXECUTABLE FILE IS
> INFECTED TOO, ALTHOUGH I HAVEN'T CONFIRMED THIS YET.

I am ready to bet that it isn't and that you will not succeed in confirming it.

> I should also point out that while F-prot ver. 2.09d was able to
> identify the presence of the satanbug virus, it was unable to remove
> it.

I am afraid that (a) version 2.09d of F-Prot doesn't identify (I mean, exactly) the Satan_Bug virus at all and (b) there is no virus in the file you are talking about.

> Frisk, any suggestions on how to deal with this little (or not so

Version 2.12 of F-Prot reliably detects and removes this virus from the infected files - just checked. It calls it S-Bug.A.

> PLEASE NOTE: THAT THE APPROPRIATE PEOPLE WILL BE INFORMED OF THIS
> SITUATION. I will be posting updates to this information as soon as
> they are available to me.

The appropriate way to do it is not to rush and post a panic message in a public forum, but:

1) Confirm the infection yourself, if you can.
That is, try to replicate the virus.

2) Inform the moderator of the ftp site you have downloaded the supposedly infected file from.

3) Inform the author of the scanner that seems to cause the problem. This could be skipped if your experience shows that the author mostly ignores the reported problems, unless they are made public, but I definitely don't think that Frisk is in this category.

As a conclusion I would like to express my amusement about how blindly people trust a virus-like message from an anti-virus program. The case you are reporting is not a typical one. Usually people use *two* scanners, one of which causes a false positive. Then they contact the producer of the scanner which (correctly) does not report any virus and ask them why their product is unable to find the infection. :-) As somebody has said, it is very difficult to catch a black cat in a dark room, especially if the cat is not there. :-))

On a serious note, the Satan_Bug virus is a rather polymorphic one, which explains why a scanner can give a false positive on it, or not detect it reliably. In particular, there is a product called Norman Data Defense, which at the time was marketed as "the only scanner that can detect the Satan_Bug virus". Well, there certainly are scanners which are able to detect this virus, but Norman Data Defense is *not* one of them. The version that I have fails to look for this virus in SYS files. :-)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date:    Fri, 29 Apr 94 09:45:52 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: false alarm at garbo...
> [Moderator's note: This was in the virus-l queue when I returned from
> several days of business travel; to date, I've received no independent
> confirmation of this report, so treat it carefully!]

Well, you could have asked me.... :-)

> for is MODED301.ZIP In this zip file, the file: HALLBRAS.SAM IS
> INFECTED WITH THE SATANBUG VIRUS. I found using Frisk's F-prot ver.
> 2.09d.

This file is *NOT* infected. Version 2.09 is old and out-of-date. The S-bug (Satanbug) virus is somewhat difficult to detect, and version 2.09 did indeed generate a few false alarms. They were fixed in version 2.10, which was released last December. The current version (2.12) also provides disinfection of this virus.

PLEASE: BEFORE STARTING TO YELL ABOUT A POSSIBLE VIRUS INFECTION, MAKE SURE YOU ARE USING AN UP-TO-DATE SCANNER. Using a program that started complaining several months ago that it was too old is just plain silly.

- -frisk

------------------------------

Date:    Fri, 29 Apr 94 12:43:43 +0000
From:    kgm@aber.ac.uk (kgm)
Subject: Smartscan beats virus in double quick time. (PC)

*** Stoned Variant ***

At Aberystwyth, we have been visited by an apparently new variant of that old "Stoned" virus. Someone appears to have hacked it about with the intention of stopping virus scanners recognising it. BUT, they were a little short of the mark. Recent versions of F-Prot may label it "Manitoba"; similarly SCAN sometimes finds it as [GenB]. We were using Visionsoft's Smartscan, which failed to find it. Norton's NDD reported corrupt boot sectors on several floppies Friday, 22 April. We dispatched express a sample disc to Visionsoft on Saturday morning and by 11.15am Monday 25 April we received the necessary patch to the virus program. We are now able to detect and clean the virus from floppies.

This is an example of the standard of their service. The company is British and an unlimited site licence would now cost #345 and there is an annual fee of about #98 for monthly, postal updates on floppy.
Tel: (UK) 0274 610503

We have used it for 3 years and find it reliable; it is not prone to false
positives and runs well over a network. It has the feature that when a virus
is detected, one can set the software to hang up the micro, preventing further
use and therefore reducing the spread of the infection.

Alasdair MacKenzie, Microcomputer Officer, University of Wales, Aberystwyth

------------------------------

Date: Fri, 29 Apr 94 16:35:26 -0400
From: ST29701@vm.cc.latech.edu
Subject: Scanners and detectors (PC)

What are the top 5 or 10 best virus scanners? I mean best at detecting viruses
on the IBM PC, NOT which has the best user interface or something. I know that
from month to month one scanner or another will be a little better than
another, but in general what are the best? Commercial and Shareware,
Commercial only, Shareware only. Also, what are the best heuristic scanners out
now? I'd love to see responses from several different researchers since
detection rates vary widely.

Alan

------------------------------

Date: Fri, 29 Apr 94 16:37:24 -0400
From: ST29701@vm.cc.latech.edu
Subject: VSUM??????? (PC)

I remember hearing some time back that VSUM was not very accurate at all. Has
it improved? What sort of problems does it have, and what is usually accurate?

Alan

------------------------------

Date: Fri, 29 Apr 94 19:37:58 -0400
From: buchholz@ese.ogi.edu (Don Buchholz)
Subject: Re: Monkey Curiosity (PC)

> I just encountered Monkey on a client's PC. I can't find much on
> Monkey except that it's a stealth virus. What am I dealing with? Any
> cautions? Thanks!
>

For detailed info on Monkey and a KILLMONK program, download
ftp://mcafee.com/pub/antivirus/killmnk3.zip. It elaborates on Vesselin's good,
but terse, description.

- - Don Buchholz, Systems Manager (...
and recent Monkey-slayer)
- - Oregon Graduate Institute, Dept of Environmental Sciences and Engineering
    (buchholz@ese.ogi.edu)

------------------------------

Date: Sun, 01 May 94 09:28:58 -0400
From: CMEELBOO@vmtecqro.qro.itesm.mx (Elite of the Network)
Subject: HELP!! We need info about the NATAS virus! (PC)

OK, this is the problem. Several computers here are infected by the NATAS
virus. We need info about this virus since SCAN and several other antivirus
programs can't remove it or even detect the virus... The only antivirus with
NATAS detection is F-Prot 2.12, but I can't clean it with that either. We also
need to know what this virus does besides losing 9216 bytes when a disk is
accessed and being a boot virus. This virus works like a device driver or
something, since the missing bytes are not shown as bad blocks or used blocks;
they are just missing!!!

Any help or information is welcome. Thanks.

==============================================================================
Carlos Meelboom R.
cmeelboo@vmtecqr2.qro.itesm.mx

------------------------------

Date: Sun, 01 May 94 09:29:55 -0400
From: amarks@nella30.cc.monash.edu.au (Andy Marks)
Subject: NEEDED: Info on possible Windows virus. (PC)

Hi All,

Does anyone know of a virus that causes Windows (Microsoft) to confuse disk
drives ... every time I run Windows, A: is mistaken for C:, which means I
cannot change my program groups because the .GRP files cannot be located (on
A:) ... this sounds like a virus to me, but a new copy of McAfee SCAN failed to
detect anything. HELP!!!

- --
Andrew Marks                        amarks@nellads.cc.monash.edu.au
Masters by Research (Software Development)
Monash University, Victoria
GCS -d+(?) p/-p+ c+(++) l u(+) e++ m+(--) s+/(s++) !n h* f?(!) !g w+ t- r@ y++
ENTJ ... and proud of it!
"Plant you now - dig you later"  The Ghost (3RRR)

------------------------------

Date: Wed, 27 Apr 94 11:12:48 -0400
From: Mikko Hypponen
Subject: bull-212.zip - F-PROT Professional Update Bulletin in ASCII

I have uploaded to oak.oakland.edu, pub/msdos/virus:

bull-212.zip    ASCII version of the F-PROT Professional 2.12 Update Bulletin.

--------------------------------------------------------------

F-PROT Update Bulletins contain information about the current virus situation
globally. Every time a new version of F-PROT Professional is published, it is
accompanied by a new Update Bulletin. Bulletins are published on paper in A5
format.

Update Bulletins are published by Data Fellows Ltd of Helsinki, Finland. Data
Fellows Ltd is the publisher of the F-PROT Professional Anti-Virus Program in
Scandinavia, Asia, Africa and most of Europe. They can be reached via e-mail
at f-prot@datafellows.fi

Articles in this issue of the Update Bulletin:

  New ideas in the field of anti-virus utilities
  New viruses in the wild
    - Quox
    - Danish_Tiny.476
    - Misis
    - Dinamo
    - Finnish_Sprayer
  Two new Macintosh viruses discovered
  Virus Bulletin 1994 Conference is coming
  Malware floating in BBSs
  Common Questions and Answers
  Feature: Polymorphic Generators
  Ethics in Anti-Virus Toolkit marketing
  Changes in F-PROT's DOS version
  Changes in F-PROT's Windows version
  Changes in both DOS and Windows versions
  New viruses detected by F-PROT Professional 2.12

Back issues are available from ftp.informatik.uni-hamburge.de,
/pub/virus/texts/bulletin.
- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP 2.3a public key available, check the keyservs

------------------------------

Date: Sat, 16 Apr 94 00:23:36 +0200
From: Don_Waybright@f0.n104.z9.virnet.bad.se (Don Waybright)
Subject: Announcing HS v3.5, Anti-boot virus program (PC)

In a message hstroem@hood.ed.unit.no to All it was said:

heun> *** Announcing HS v3.5, Anti-boot virus program ***

heun> This is a major upgrade. The previous version released on
heun> the Internet was v3.2 (a year ago). Viruses like the
heun> Russian Strange using hardware stealth, and
heun> Stoned.Empire.INT_10.A and B using a new un-named stealth
heun> technique, have made it necessary to implement some new lines
heun> of defense.

Does anyone here in the States have this yet? I would like to FReq it and take
a look at this interesting "puppy"...

Rds,
- -=Don=-

.. Richmond's 1st Satellite Connection
- --- timEd-B11
 * Origin: G.R.C. BBS <804-737-3932> (9:104/0)

------------------------------

Date: Fri, 29 Apr 94 09:46:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: New files on our ftp site (PC)

Hello, everybody!

Several new files were made available on our ftp site, so I decided to post a
message about it. Just to remind everybody, the name of our ftp site is
ftp.informatik.uni-hamburg.de and the IP address is 134.100.4.42.

1) Some of you who have downloaded the scanner AVScan might have noticed that
it says that it is "registered to Vesselin Bontchev". This was a mistake on
the part of the producer of the scanner - he gave me the wrong file for
distribution. I have removed it from the ftp site and have replaced it with a
newer version of the scanner that has been issued meanwhile: 1.51. The
directory the archive is in is /pub/virus/progs and the archive name is
avscn151.zip.
2) I have received directly from Eugene Kaspersky an update for the program
AntiVirus Pro. The update upgrades it to version 2.00b and is free for the
registered users. You will need both the archive containing the main version
of the product (avp_200.zip) and the archive with the update (avp20_b.zip),
although once you unpack the update, you can remove the database with virus
definitions that comes with the main version (the V_*.-VB file). Both archives
are available in the directory /pub/virus/progs. Since a lot of people seem to
need this product (it has excellent disinfection capabilities and detection
rate), and since our ftp site is rather slow, I would appreciate it if the
moderators of the major ftp archives that carry anti-virus stuff agree to
distribute this product.

3) As usual, there are new versions of the regularly updated scanners, like
F-Prot (version 2.12), TBAV (version 6.12) and so on.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 29 Apr 94 17:36:26 -0400
From: datadec@ucrengr.ucr.edu (Kevin Marcus)
Subject: New files available at CORSA.UCR.EDU

The following files have been placed for anonymous ftp from corsa.ucr.edu:

/pub/anti-virus-tools/fp-212.zip     -- Frisk's AntiVirus Package.
/pub/anti-virus-tools/scanv114.zip   -- McAfee's AntiVirus Package.
/pub/anti-virus-tools/cleanv114.zip  -- McAfee's AntiVirus Cleaning Package.
/pub/anti-virus-tools/vsumx303.zip   -- Patty Hoffman's VSUM Virus Database.
And, in case you forgot, the virus-l archives are also available from
corsa.ucr.edu

If you have any submissions, questions, comments, mail datadec@cs.ucr.edu

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
     "ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
     Computer Science Dept., University of California, Riverside.
     .oOo.oOo.  T H I E V E S   S U C K  .oOo.oOo.

------------------------------

Date: Fri, 29 Apr 94 19:09:18 -0400
From: aryeh@mcafee.com (McAfee Associates)
Subject: McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel

I have uploaded to the SimTel Software Repository (available by anonymous ftp
from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
scn-200.zip    VirusScan 2.0 for DOS, new version of SCAN.EXE
vsh-200.zip    VShield 2.0, new version of VSHIELD.EXE
clean114.zip   CLEAN-UP 9.25V114 virus remover for PC's/LAN's
scanv114.zip   VIRUSCAN 9.25V114 virus scanner for PC's/LAN's
vshld114.zip   VSHIELD 5.59114 TSR virus prevention program
wscan114.zip   Windows version of VIRUSCAN V114

These replace: clean113.zip, scanv113.zip, vshld113.zip and wscan113.zip

BRAND NEW: VERSION 2.00 OF VIRUSSCAN AND VSHIELD PROGRAMS

Version 2.00 is the next generation of McAfee's antivirus software. VirusScan
for DOS is the new version of our virus scanner and offers many improvements
over the previous VIRUSCAN V11x, such as:

  o faster operation;
  o more precise identification of viruses and corrupted files;
  o integrated virus clean-up; and
  o requires less memory to run.

VShield is the new version of our memory-resident (TSR) virus preventer.
Features include:

  o Automatically detects and loads into XMS, EMS, and/or upper memory before
    using a byte of conventional (base 640Kb) memory; and
  o significantly improved speed under Windows.

The programs display a new license message that appears after running;
however, it does not state anything different from the previous version of
our antivirus software.
VirusScan is still free for use by SysOps who run publicly-accessible bulletin
board systems that do not charge any fee for access to the VirusScan programs
on their system.

While we are enhancing the speed and memory usage of our new antivirus software
as well as adding new features over the next few months, we will continue to
release and provide support for the "old" VIRUSCAN series while users migrate
to the new version. Appendix B of the VirusScan documentation contains a chart
of the differences in options between the old and new programs.

* * *

VERSION 114 SERIES WHAT'S NEW

Version 114 of the VIRUSCAN series (SCAN for DOS, Windows, and OS/2; CLEAN for
DOS and OS/2; VSHIELD; and NETSHIELD) adds detection of 115 new viruses and 95
variants of existing viruses from the previous update, bringing the total
number of known viruses detected to 1,909, or, counting variants, 2,885
viruses.

VSHIELD

A problem with detecting the Stealth Boot virus using the /ACCESS or /BOOT
switches while VSHIELD was using expanded memory (EMS) was fixed.

VALIDATE Values for V114

CLEAN-UP 9.25V114 (CLEAN.EXE)          S:197,456  D:04-17-94  M1: 930E  M2: 1183
VSHIELD 5.59114 (VSHIELD.EXE)          S:52,785   D:04-21-94  M1: A6A8  M2: 11D5
VIRUSCAN SCAN 9.25V114 (SCAN.EXE)      S:164,330  D:04-17-94  M1: FEC9  M2: 1947
SCAN FOR WINDOWS 114 (WINSTALL.EXE)    S:19,606   D:04-17-94  M1: F5B1  M2: 031B
SCAN FOR WINDOWS 114 (WSCAN114.EXE)    S:76,868   D:04-17-94  M1: E6B5  M2: 00E8

Regards,

Aryeh Goretsky
McAfee Associates Technical Support
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
2710 Walsh Ave, Suite 200 | FAX (408) 970-9727   | IP# 192.187.128.1
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | America Online: McAfee

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 33]
*****************************************
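The VALIDATE values in the McAfee post above exist so that a user can confirm that a downloaded SCAN or CLEAN archive is the one the vendor shipped, rather than a tampered copy picked up from a BBS or mirror. As an added example, not code from McAfee or from the VALIDATE program itself, here is a Python checker that parses records in that published format and compares a file's size and two check values against them. The post does not give the real M1/M2 algorithms, so two CRC-16 parameter sets stand in for them (an assumption); the record text and the sample binary used in testing are constructed.

```python
import re
from collections import namedtuple
# Constructed input: VALIDATE records in the format the McAfee post publishes.
VALIDATE_LINES = """
CLEAN-UP 9.25V114 (CLEAN.EXE) S:197,456 D:04-17-94 M1: 930E M2: 1183
VSHIELD 5.59114 (VSHIELD.EXE) S:52,785 D:04-21-94 M1: A6A8 M2: 11D5
VIRUSCAN SCAN 9.25V114 (SCAN.EXE) S:164,330 D:04-17-94 M1: FEC9 M2: 1947
"""
LINE_RE = re.compile(
    r"^(?P<product>.+?) \((?P<file>[A-Z0-9_.-]+)\)\s+S:(?P<size>[\d,]+)\s+"
    r"D:(?P<date>\d\d-\d\d-\d\d)\s+M1:\s*(?P<m1>[0-9A-F]{4})\s+M2:\s*(?P<m2>[0-9A-F]{4})$"
)
# size = byte count (S:), date = file date (D:), m1/m2 = two independent 16-bit checks
ValidateRecord = namedtuple("ValidateRecord", "product file size date m1 m2")

def parse_validate(text):
    """Parse published VALIDATE lines into records keyed by file name."""
    records = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised VALIDATE line: {line!r}")
        records[m["file"]] = ValidateRecord(
            m["product"], m["file"], int(m["size"].replace(",", "")),
            m["date"], int(m["m1"], 16), int(m["m2"], 16))
    return records

def crc16(data, poly, init):
    """Bit-serial MSB-first CRC-16. ASSUMPTION: the post does not give VALIDATE's
    real M1/M2 algorithms, so two CRC-16 parameter sets stand in for them."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def m1(data): return crc16(data, 0x1021, 0xFFFF)   # CRC-16/CCITT-FALSE parameters
def m2(data): return crc16(data, 0x8005, 0x0000)   # CRC-16/BUYPASS parameters

def verify(data, rec):
    """Return the failed checks; only an empty list means the download matches."""
    problems = []
    if len(data) != rec.size:
        problems.append(f"size {len(data)} != {rec.size}")
    if m1(data) != rec.m1:
        problems.append(f"M1 {m1(data):04X} != {rec.m1:04X}")
    if m2(data) != rec.m2:
        problems.append(f"M2 {m2(data):04X} != {rec.m2:04X}")
    return problems
```

A file is accepted only when the size and both check values agree; a size match alone says nothing, since a patched binary can keep its length.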