VIRUS-L Digest   Friday, 20 May 1994    Volume 7 : Issue 35

Today's Topics:

Need info on viruses
Re: The virus Hyperbole
Re[2]: The truth about good viruses
Re: The truth about good viruses
Re: GOOD vs. BAD HUH?
Mainframe virus (IBM MVS)
Viruses - Pathogen (PC)
Virstop.exe and 386Max 7.0 (PC)
French Virus (PC)
Help re Genb (PC)
Re: Win 3.11 + F-Prot 2.11 for Win = False Alarm?! (PC)
Mushroom (PC)
VIRSTOP 2.12 Freezes PC (PC)
Suspicious boot sector (PC)
Re: Scanning ZIP files (PC)
Re: Please let me know N.O.B. (PC)
Re: Virus Nonformatting Floppies? (PC)
Re: NEWBUG[Genp] and AntiExe infection (PC)
Re: Stone Virus (PC)
Re: virus remover, Armor (PC)
Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC)
Re: good virus protection (PC)
Re: Canaries (PC)
Re: NEWBUG[Genp] and AntiExe infection (PC)
Re: VSUM??????? (PC)
Re: Scanners and detectors (PC)
Re: McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel (PC)
Re: HELP!! We need info about the NATAS virus! (PC)
Thunderbyte anti-virus v6.20 (update/optimized) (PC)
Re: New files on our ftp site (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 04 May 94 17:10:47 -0600
From: KERBER@vax1.mankato.msus.edu
Subject: Need info on viruses

I am doing a project on computer viruses and I need some information. Can anyone help me?

------------------------------

Date: Tue, 10 May 94 10:50:19 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: The virus Hyperbole

From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
>Take the Following SYMANTEC advertisement that appeared in various
>magazines such as INFOWORLD:

TOAST

>From Vesselin :
>Don't they teach you basic logic in your country? Haven't you ever
>heard that it is always difficult (and often impossible) to prove a
>negative? *You* claim that there is such a thing as a good virus,
>*you* prove it. It should be much easier.

Having studied a bit of logic somewhere around the time that dinosaurs disappeared, IMHO there is a positive proof: "Viruses cause damage".

Now I am not talking about something that fits Dr. Cohen's definition which may or may not be a virus depending on the day of the week or the phase of the moon but a program that causes change to other programs without bound.

This debate seems to be over "something" that asks the user for permission before causing change and that criteria to me crosses the line from a virus in the popular sense and a "virus" in a mathematical sense and which has no accepted definition.

In the popular sense, a virus is software that propagates without the user's full knowledge (true, you can say the same thing about most INSTALL and SETUP files but at least they were written by professionals (well even there things are vague - hard to say with a multi-billion dollar garage industry)).

However, I am sure that a good mathematician which I do not profess to be could properly express (and I suspect that CHAOS math would be a good starting point - at least it is popular at the moment) the concept that if

1) There exists a portion of the computer population on which a certain class of software will cause harm.
2) There exists a virus which contains that class of software which propagates without bound.
3) At some point the sets will overlap.

Now if the software is deliberately malicious, the overlap will occur sooner and the set of the population on which harm may occur will approach the set of all computers of that type.

The point has been raised that it is believed possible to write a virus that will not cause harm. To which and again IMHO and experience. In order to determine that a sequence will not cause harm, it is necessary for such a sequence to exist outside of the set of all code that will cause harm and *that* requires a negative proof. Further, since we are talking about propagating code it becomes more difficult. (I would consider a set of NOPs to be harmless but even that may not be true - in one system I worked with a NOP vectored to microcode which performed an OR AX,AX - and that could cause a change in the flags).

For the interested, there used to be a BUGS list that defined differences in the various CPUs such as the fact that if you PUSH SP it has a different effect on an 8088 than it does on an 80286. Novell TASKMGR seems to put an early Zenith 386 into SLOW mode. Yet viruses blithely change interrupt vectors, move the TOM, and overwrite memory areas. See (3) above.

To me, the concept of a "good virus" is still an oxymoron.

Warmly,
Padgett

------------------------------

Date: Tue, 10 May 94 14:30:00 -0400
From: greenber@ramnet.com (Ross M. Greenberg)
Subject: Re[2]: The truth about good viruses

>Date: Sun, 01 May 94 09:32:14 -0400
>From:
>Subject: Re: The truth about good viruses

FC>...Vesselin makes a very good point.
FC>He is telling us that if you define
FC>viruses as being malicious, they are malicious, but my point is that
FC>this is not the widely published definition, it is not a sensible
FC>definition, and it is not a usable definition from a scientific point
FC>of view.

Like pornography, regardless of the definition, everybody knows what porn is when they see it. I think it safe to assume that everybody knows what a virus is when they see it, too. Maybe they get Windows confused with a virus, but aside from that, it seems clear to all.

Promoters of pornography like to explain away their smut by comparing it to some art form, or by defending it as some sort of freedom of speech issue. And that may, or may not, be true. But that doesn't change it from being porn, any more than trying to define the difference between "good" viruses and "bad" viruses changes the definition of what a virus is. And that everybody knows what a virus is.

VB>
VB> Show me at least one person who wants to run a *real* virus on their
VB> machine. Then I'll show you at least 100 others who wouldn't. From
VB> your logic it follows that at least 99% of the people are bigots.

FC>Again, Vesselin makes a good point. His point is that because the
FC>community of antivirus researchers has gotten so much publicity and
FC>has dominated the media coverage, 99 percent of people have the
FC>misimpression that viruses are bad....

No, they have the impression that getting stuff which destroys the data on their hard disk is bad. Or something which denies them the usage of their own computer is bad. Given a choice, I'll side with the 99% that seem to think that having some code on their machine which they didn't want in the first place is a bad thing. The other 1% seem to be virus writers or defenders who want to somehow justify their actions as more than just vandalism. See the above mention of how pornographers consider their own work.

FC> But of course, in the US until 30
FC>years ago or so, 99 percent of whites thought blacks were inferior.

Whoa! That one came straight out of the sun. I didn't see it coming! Of course, it has no relevance at all to the topic, but it does make for nice imagery. You did forget to bring up Nazis, though, and no comparison can be complete with Nazis.

FC>Again, a case of massive application of stereotypes propagated as
FC>fact. There's a word for this. It's called propaganda.

No, better to call it racism. Or, perhaps, prejudice.

FC>The reason you are unaware of these good viruses is that they don't
FC>spread wildly or out of control, they work well, and they are not
FC>usually identified under that name. Read my book It's Alive if you
FC>want examples.

Fred, I take it you could probably choose to describe the entire universe of viruses which you consider to have done "good" in a paragraph or two at most. Perhaps you'll do that, or allow people to post excerpts from your book which describes the multitude of good viruses -- unless you intend to keep all in suspense until they buy your book. How much for just those pages and to whom do I send a check for that amount?

FC>I don't deny that there are malicious virus writers, but I also don't
FC>deny that there are benevolent ones. You know well that I deplore
FC>people who launch malicious viruses, but on the other hand, I admire
FC>those who stand up for what's right and good with benevolent viruses.

If these virus writers are so sure that the code is so benevolent (I note you did not use the word "beneficial" -- lacking in harm does not make a virus a "good" virus, it might simply be a rare virus which lacks bugs and carries no payload) why aren't they here, awaiting the hearty slap on the back of congratulations which you seem to think they deserve? Or at least defending themselves?

FC> Nobody
FC> ever made the claim (as far as I know) that viruses are programs that
FC> run without the authorization of the user....

Again, people know viruses when they see them.

FC> In fact, in the first and
FC>most famous paper on viruses, it was clearly demonstrated that viruses
FC>are not Trojan horses, and that they may indeed ask permission before
FC>replicating. So your point misses the point.

I have a pretty complete library of papers on computer viruses and can't find one therein which either seriously discusses this or should be taken seriously. Illuminate me, please? This doesn't imply that a virus can't be written which does ask permission before spreading, of course. So what?

FC>Then you agree that as responsible researchers, you and I should try to
FC>help the public understand that there are good and bad viruses, but
FC>that the ones that spread wildly and out of control are bad?

Sorry, but there are other researchers in the world, too. And some of them, like me, might consider that there has only been one "researcher" speaking of "good" viruses and hold that there ain't no such thing as a "good virus". I do note that a number of virus writers are constantly seeking for someone -- almost anyone -- to validate their "work" as anything other than vandalism and poorly written vandalism at that. Perhaps there is a small audience who might agree with you. I wouldn't consider them responsible researchers, however.

FC> I am pleased to
FC> hear this. I now ask that you join me in my effort to inform the
FC> public rather than try to maintain their ignorance. Tell them that
FC> there are benevolent viruses. Tell them that researchers that say
FC> this are telling the truth and that those who deny it are wrong.

Gosh, I couldn't possibly agree with this. I am certain that Vess won't either. I don't know of any benevolent viruses -- that is, ones which never do and never can cause any harm. They must be covered in your book, I suppose.

FC> Tell them that
FC> the researchers who say you should blackball these other legitimate
FC> researchers are presenting a morally bankrupt position.

As opposed to those who create contests for virus writers? I see.

FC> Join the
FC>legitimate researchers of the world who seek to understand and clarify
FC>the issues to the public.

Excuse me, but exactly who are you representing here? I know a bunch of virus researchers, and they each consider themselves quite legitimate.

Ross M. Greenberg

------------------------------

Date: Tue, 10 May 94 15:15:56 -0400
From: rferris@magnus.acs.ohio-state.edu (Rebecca R Ferris)
Subject: Re: The truth about good viruses

wrote:
>Vesselin writes:
>>
>> Show me at least one person who wants to run a *real* virus on their
>> machine. Then I'll show you at least 100 others who wouldn't. From
>> your logic it follows that at least 99% of the people are bigots.
>
>Again, Vesselin makes a good point. His point is that because the
>community of antivirus researchers has gotten so much publicity and
>has dominated the media coverage, 99 percent of people have the
>misimpression that viruses are bad. But of course, in the US until 30
>years ago or so, 99 percent of whites thought blacks were inferior.
>
>> > The definition of virus does not imply spreading
>> > without authority or overwriting other data.
>>
>> Gotcha! We are just talking about different things. I admit that what
>> fits into *your* definition of "computer virus" (and, as you have
>> admitted yourself, even DISKCOPY fits into it), *can* be useful, and
>> even often is. In fact, many anti-virus packages of existence today
>> are using virus-like (actually, worm-like) techniques to automatically
>> update themselves on all workstations connected to a LAN. That's not a
>> problem.
>
>I don't know why you think you have gotten me in some way. If you agree
>that there are benevolent viruses, why not just say so, and then explain
>which viruses you feel are malicious instead of creating a misleading
>definition of a thing called a Real Virus and then claiming that all
>viruses are bad?
>
>I don't think that it is some amazing admission that DISKCOPY can be a
>virus given the proper environment. In fact, as you well know, EVERY
>finite sequence of symbols is a virus in some environment. The fact
>that many antivirus packages use viruses in a beneficial way clearly
>demonstrates that you agree that there are benevolent viruses. Why not
>just say so up front and stop this foolishness once and for all.
>
>Then you agree completely with my assertion that when you decide to run
>a virus on your machine to do a useful function, that is OK. Nobody
>ever made the claim (as far as I know) that viruses are programs that
>run without the authorization of the user. In fact, in the first and
>most famous paper on viruses, it was clearly demonstrated that viruses
>are not Trojan horses, and that they may indeed ask permission before
>replicating. So your point misses the point.
>
>> That's not a problem; the problem is to agree what we are talking
>> about. As I said, I am ready to admit that what *you* call a virus can
>> be a useful program. I'll keep insisting that all viruses, according
>> to the general public's understanding of this term, are bad.

As a member of the general public, I've watched this debate with great interest and would like to pipe in with my whole-hearted support of Vesselin's arguments. According to Merriam-Webster's Collegiate Dictionary, 10th Ed., a virus is "a computer program usu. hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs and that usu. performs a malicious action (as destroying data)."

I am assuming that Dr. Cohen is a programmer, and admit that in his profession, "virus" may refer to something different, as in the method that a program works or does its job. But what he seems determined to ignore is that those of us who are merely users of computers do not recognize this definition. Furthermore, we do not have the time or interest in becoming literate in the details of computer programming, so we are not likely to refer to any detailed tome about the nature of viruses, good or bad.

Basically, what we consider a virus is what Webster's defines as a virus: any program that gets on our computer, no matter what its intent, without our permission. We want to turn on our computers, do our work, and not have any unexpected events occur that will require us to stop and wonder and worry whether we are going to lose our data. Of course, this sometimes happens with the software that we buy and load ourselves, but we at least know the software is there, and if we can't solve the problem with the support materials that come with it, we can call the customer service people or talk to other users of the software. If we experience a similar problem with a virus (that is, virus according to Webster and the general public's understanding), we don't have any support, no one to tell us whether the virus can hurt us, or if it is compatible with our particular program versions.

It comes down to very simple issues. To the public, a virus is a program that makes its way onto a computer without the owner's permission. The general public is not going to adopt a programmer's definition of "virus" unless the general public decides to enroll in computer programming.

Based on the above statements, you may conclude that the general public considers all viruses bad because, whether they actually damage their computers or not, they force the user to stop work and try to decipher the cause of an event (good or bad), and then try to identify whether there is a potential for harm (intended or unintended) by the virus, and then try to remove the virus. And since viruses do not tend to have customer service support, this is likely to take more time and energy than solving a problem caused by software that the user knows is on the computer, and that the user can easily find support for.

- --
becky
rferris@magnus.acs.ohio-state.edu
_____________________________________________________
"That frog is not my plate!" -- Bess Lowell

------------------------------

Date: Tue, 10 May 94 17:21:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GOOD vs. BAD HUH?

Keith A. Peer (dm252@cleveland.freenet.edu) writes:

> How can there be a
> discussion regarding this?

Well, people are discussing all kinds of things; why not this one? The thought is pretty trivial - all advances in science are ethically-neutral; it is their usage that isn't. Many people feel that if there is an obvious bad usage of computer viruses, there should also be a good one. Some are trying to find it, others are trying to use this reasoning to cover their illicit and unethical acts.

> What is a good virus going to do:
> Defragment my hard disk? Delete my old mail that I no longer
> want to read? Turn my PC on to wake me up in the morning?

Nope, all this can be done by a non-viral program. In order to make a "good" virus economically effective, it must do something that is done *better* by a replicating program than by a non-replicating one. The trick is to find those things (there aren't many of them) and to make sure that at the same time no bad things are done. A pretty difficult task, if you ask me.

> A virus by nature is what? Its intention is to produce copies
> of itself and attach these copies to your programs (without you
> knowing) and either display a message, play a tune, fill up your
> disk, destroy data etc... How can this be good? NOT POSSIBLE!!!

Well... it depends. It depends on the definition.
If you define a computer virus as the above (and most people do), then indeed, it is impossible to create a good virus. There are other possible definitions (e.g., Dr. Cohen's), which include *only* the property to replicate. Some "viruses" of that type *can* be useful.

The real problem is one of misunderstanding - what almost everybody calls a computer virus conforms to your "definition", not to Dr. Cohen's, and many programs that conform to Dr. Cohen's definition are not understood as viruses by most other people.

The following might help you: it is not possible to define the term "computer virus" as something that does bad things and then find a good usage for it. Instead, you should look into the programs that do good things *only*, and then see whether some of them can have viral properties, while still preserving the "good only" properties.

> Any program that functions to work without the owner's approval is
> harmful. NO MATTER WHAT IT DOES!!!!!

Very true. Therefore: a virus that claims to be good MUST NOT work without the owner's approval. Even "approval" is not strong enough - I maintain that it is not enough if the user of the "good" virus merely accepts the virus in their systems. Instead, they should actively invite the virus - otherwise the virus must not even attempt to infect those systems.

> How can one say that this is a "good virus" and another not?

Simple, a "good virus" is a program which (a) does only good things and (b) is a virus. The tricky part is to find one. :-)

> There is NO such thing. ALL VIRUSES ARE BAD, TERRIBLE,
> DESTRUCTIVE, HOSTILE.

It all depends on the definition of the term "computer virus".

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Apr 94 14:43:00 +0200
From: Philippe_Cheve@f111.n331.z9.virnet.bad.se (Philippe Cheve)
Subject: Mainframe virus (IBM MVS)

Hello !

I would like to know if it is possible to infect a mainframe. We are running MVS ESA, JES3 under IBM 3090 & ES9000, and for some days we have had a strange problem with an application module, and somebody in the company is thinking that our system could have been infected by a virus. Where can I find information about this kind of virus?

Regards, PhiL.

- --- GEcho 1.02+
 * Origin: VIRNET * HERMES CENTER BBS * +33-1-69007672/7867 (9:331/111)

------------------------------

Date: Mon, 09 May 94 10:28:44 -0400
From: braymanr@news.delphi.com (BRAYMANR@DELPHI.COM)
Subject: Viruses - Pathogen (PC)

Can anyone give me the specs on the Pathogen virus? I am studying it and collecting information eventually so that I might write a virus disinfectant.

Thanks,

World's going to hell in a bucket, but at least I'm enjoying the ride
-Grateful Dead

------------------------------

Date: Mon, 09 May 94 21:12:20 -0400
From: juan@fiu.edu (Juan Carlos Perez)
Subject: Virstop.exe and 386Max 7.0 (PC)

I apologize for the question if it is not appropriate, but I would like to know if upcoming versions of F-Prot will solve the problem of VIRSTOP.EXE not working with 386MAX v7.0.

Thanks...:)

------------------------------

Date: Tue, 10 May 94 04:20:06 -0400
From: Paul Jarvis
Subject: French Virus (PC)

Hi,

Our college has recently been hit by something which FPROT identifies as the "French" virus. When I checked this news group I found no articles at all, for at least the last week. Is there a problem with our feed? Also can you tell me anything about this virus.

Thanks
Paul (pj@doc.ic.ac.uk)

------------------------------

Date: Tue, 10 May 94 06:57:26 -0400
From: 142893@pc-lab.fbk.eur.nl (C.A.W. Coopmans)
Subject: Help re Genb (PC)

Can anyone out there help me with a virus with the scan code: [Genb]
It's a boot-virus and my scanner (scanv.112) just detects it but can't fix it (damn..). Maybe an update of the scanner would help?

many thanks, Oscar...

------------------------------

Date: Tue, 10 May 94 09:57:13 -0400
From: Mikko Hypponen
Subject: Re: Win 3.11 + F-Prot 2.11 for Win = False Alarm?! (PC)

jwalker@freeport.uwasa.fi (Oskari Westerholm) writes:

> Everything was fine until I installed Windows 3.11
> in my 386/25 and run F-Prot. It said it had found
> Vienna-virus in the memory.

Well, most of all this sounds like a ghost positive or a false positive caused by another anti-virus product. Were you by any chance using the MSAV product supplied with MS-DOS 6 when you encountered these problems? There are no known false-positive problems with F-PROT Professional's Windows-version - it uses the same scanning engine as the DOS (and OS/2) versions.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP 2.3a public key available, check the keyservs

------------------------------

Date: Tue, 10 May 94 10:24:07 -0400
From: P.Lucas@mail.nerc-swindon.ac.uk
Subject: Mushroom (PC)

Thom Odell ( guest06@mtholyoke.edu ) wrote:-

> I am wondering if an audio program called mush.com and its associated
> file mushroom.ovl is some sort of virus?
> I acquired a Grid 286 laptop recently with these files in c:\util along
> side Norton Commander files.
>
> when executed, it "sings" an unintelligible song using PC speaker, which
> on this laptop is a piezo transducer so I cannot understand what it
> "says". Naturally I am unwilling to put it on my desktop to find out...

It's not a virus, it's a sampled advertising jingle for 'Magic Mushroom' air-freshener. From the accent of the [female] voice-over, I suspect it is of Australian/New Zealand origin; certainly not British or American.

Peter J.M. Lucas
NERC Computer Services
Swindon
England
pjml@swmis.nsw.ac.uk or pjml@uk.ac.nsw.swmis or g6wbj@gb7sdn.gbr.eu
- -----------Montmorency's Snuff; Nasal Pleasure at its Finest!---------------

------------------------------

Date: Tue, 10 May 94 10:24:37 -0400
From: ralf@meaddata.com (Ralf Grisard)
Subject: VIRSTOP 2.12 Freezes PC (PC)

I just downloaded F-Prot 2.12. When I run VIRSTOP from the MS-DOS prompt, it seems to load OK, giving me a message that it has been installed. But then regardless of what it is, the next command I enter freezes the PC, and I have to reboot to unfreeze it.

I'm running MS-DOS 6.2 with 386Max on a Dell 486/50 with 8 megs of RAM. Among other things, I'm connected to a Banyan network, but I'm running VIRSTOP after connecting to the network, as per the VIRSTOP doc. F-Prot itself runs fine -- it's only VIRSTOP that I'm having a problem with.

Any ideas? (Helpful ones only, please :-)

- --
Ralf Grisard     ralf@meaddata.com     !uunet!meaddata!ralf
Mead Data Central, Technical Communications, P.O. Box 933, Dayton, OH 45401   (513)865-7314
"Due to budget cuts, the light at the end of the tunnel has been turned off."

------------------------------

Date: Tue, 10 May 94 11:43:09 -0400
From: "David M. Chess"
Subject: Suspicious boot sector (PC)

>From: jay@hamlet.umd.edu (Jay Elvove)
>the way of human-readable text:
> I am Li Xibin!
>Does anyone have any idea what this might be? Thanks in advance.

That string occurs in a relatively new variant of the AntiCMOS virus; the variant is behaviorally identical to AntiCMOS, except that instead of sometimes altering system CMOS, it will sometimes hang the machine while playing an annoying little siren noise out the speaker. Like AntiCMOS, the virus doesn't save the original MBR anywhere when it infects. To clean up an infected hard disk, boot from a clean DOS 5+ floppy, make sure that your hard disk partitions are visible and correct, and then use "FDISK /MBR" to replace the MBR code.
To clean up an infected floppy, I'd suggest just copying files off and FORMAT /U ing it. IBMAV should detect this virus as a probable AntiCMOS infection.

- - -- -
David M. Chess                 | Don't anthropomorphize computers.
High Integrity Computing Lab   | They don't like it.
IBM Watson Research            |      -- Stefan Chakerian

------------------------------

Date: Tue, 10 May 94 15:39:19 -0400
From: "Jimmy Kuo"
Subject: Re: Scanning ZIP files (PC)

Eric T. Duda asks:
>Does anyone know, when you scan a ZIP file will the virus scanner pick
>up a virus if there was one on the EXE program that was in the ZIP
>file. Can someone send me some info on this or post it.

NAV 3.0 can scan inside ZIP files.

Jimmy Kuo                        cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Tue, 10 May 94 15:36:54 -0400
From: "Jimmy Kuo"
Subject: Re: Please let me know N.O.B. (PC)

Shozo Endoh reports:
>Please let me know about "Number of Beast" .
>I found this virus on my PC by Norton anti-virus.
>Only one executable file in a floppy disk was infected.
>Does this virus infect to disk area where the original boot sector is stored?
>But, there is no "Number of Beast T" in I/O or Boot sector.
>I can't understand this situation.

This was a NAV 3.0 false id which was fixed immediately with the first update (NOV 93).

Jimmy Kuo                        cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Tue, 10 May 94 16:15:24 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Nonformatting Floppies? (PC)

Alex Nemeth (amn1@cornell.edu) writes:

> Strange as it may seem, is there a virus that causes just the floppy to
> become "unformated" and not affect the hard disk?

Not exactly, but some viruses can cause a similar-looking effect sometimes. You see, in some cases (depending on the particular floppy disk size, floppy disk drive, BIOS, etc.), DOS uses the BIOS Parameter Block (BPB, a small data area in the boot sector) to determine the geometry of the floppy. If the boot sector gets infected (and thus overwritten) by a virus which does not preserve the BPB, DOS may stop recognizing the floppy as formatted. A typical example is when Michelangelo infects a 1.44 Mb floppy. This is NOT your case, because most scanners can detect Michelangelo, but it might (note: might) be a similarly working new virus.

> I followed up with f-prot 2.11 on all the machines these disks could have
> been in contact with and I was given a clean bill of health on each.

This only means that they are not infected by a virus known to F-Prot 2.11. F-Prot has probably the highest detection rate around, but this unfortunately does not guarantee that there are no viruses on those computers. You could also use some heuristic methods: try F-Prot in heuristic mode (f-prot c: /nofiles /analyse), try TbScan, and try Padgett's ChkBoot (from the FixUtilities package).

> This doesn't seem to depend upon a specific dos version. It's happened on
> a dos 3.3 (IBM dos), MSDOS 4.0 & MSDOS 5.0.

Does it depend on the diskette size? Are the only diskettes that are corrupted this way 1.44 Mb?

When I am thinking about it, I can figure one non-viral reason for your problems. You see, the PS/2 machines do not use the mechanical indicator on the floppy (one of the holes, the one that is symmetric to the write-protect hole) that indicates that the 3.5" floppy is 720 Kb or 1.44 Mb. If you have a 720 Kb floppy and access it on a PS/2 machine, the latter will try to access it as a 1.44 Mb floppy and may corrupt it.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 10 May 94 16:28:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NEWBUG[Genp] and AntiExe infection (PC)

tds (tds@ares.cs.wayne.edu) writes:

> F-prot(v211) reports the AntiExe infection in the master boot record
> on the fixed disk. VirusScan 113 reports a NewBug infection [Genp] in
> the partition table.

It is one and the same virus. What VirusScan 113 calls "NewBug [Genp]" and what F-Prot 2.11 calls "AntiEXE" is one and the same virus - the one with standard CARO virus name "AntiEXE.A".

> How can I counter this dual infection?

It isn't one. Also, F-Prot 2.12 is able to remove it.

> Will the
> FDISK command work

Yes.

> and how to use the /MBR parameter?

Cold boot from a write-protected uninfected DOS 5.0 (or higher version) system diskette. Do a DIR C: and check that you can still "see" the hard disk. If you can't, STOP HERE. If you can, execute the command FDISK/MBR. That's all.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Tue, 10 May 94 16:17:41 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stone Virus (PC)

Chi-Kun Wong (wongck@math.ohio-state.edu) writes:

> Can anyone tell me:
> What is a stone virus?

FAQ, question C4.

> How to detect it on my system? and

FAQ, question C9.

> How to remove it?

FAQ, question C3.

The rest of the FAQ is helpful too, as are the pointers to other sources in it. Is the hint clear enough?
Regards,
Vesselin

------------------------------

Date: Tue, 10 May 94 16:35:16 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus remover, Armor (PC)

BIAO ZHAI (bzhai@mason1.gmu.edu) writes:

> Could somebody tell me what the top 5 virus removal software are?

F-prot, AntiVirus Pro, FindVirus, AntiVir IV - not necessarily in this order. I don't know which fifth program to put together with them. Please note that I am replying to your question about virus *removal* software; I can easily think of several other programs which are very good at virus *detection*.

> Ever heard of Armor by Norman Data Defense Systems? Thanks in advance.

I know the company but am not familiar with a product under this name. What I have seen is their Norman Virus Control - it is an on-demand scanner, a resident scanner, a behaviour blocker, and a decoy program. The scanner is nothing particular (about 75% detection rate), the behaviour blocker is trivial to bypass, the rest I cannot test easily.

Regards,
Vesselin

------------------------------

Date: Tue, 10 May 94 16:24:31 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: false alarm (boot sector changed) by McAfee SCAN ???
 (PC)

Christian Fritze (fritze@amadeus.statistik.uni-dortmund.de) writes:

> SCAN.EXE c: /AF filename.crc
> After doing so
> SCAN.EXE c: /CF filename.crc
> reported the boot-sector was changed.

[snip]

> We are using OS/2-Bootmanager, VSHIELD113, SCAN113.9.24, MSDOS 5.0 german.

I am not an expert in the way SCAN computes its checksums for the boot sector, or in OS/2, but I suspect that the BootManager is the problem. I'd appreciate it if more OS/2-competent people than me comment on this question, but I think that the BootManager modifies the MBR each time you decide to change the bootable operating system.

In general, there are several things in the popular operating systems (SETVER for MS-DOS, BootManager for OS/2, etc.) that make life rather difficult for the integrity checkers. The solution is to make the integrity checkers aware of those problems. I seem to recall that Integrity Master can handle this problem, but I might be mistaken; I have no easy way to check.

Regards,
Vesselin

------------------------------

Date: Tue, 10 May 94 17:03:42 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: good virus protection (PC)

Hank Pike (hank@UTKVX.UTCC.UTK.EDU) writes:

> Could somebody list some of the pros and cons of the different virus
> packages? Norton, F-prot, any others that are out there. I know very

Norton: pretty good user interface (only the reporting part is badly screwed up), poor scanner, poor disinfector, good behaviour blocker (good for its class; this is a proverbially weak class of virus protection programs), mediocre integrity checker.
F-Prot: excellent scanner (probably the best one), excellent disinfector (one of the best), reasonably good user interface, quite good resident scanner, non-existent behaviour blocker, non-existent integrity checker (it exists in the commercial version, but is nothing particular).

SCAN: good enough scanner, laughable disinfector, ridiculous integrity checker, good enough resident scanner, command-line user interface, non-existent behaviour blocker.

CPAV: extremely poor scanner, very nice user interface, extremely poor integrity checker, extremely poor behaviour blocker, very bad resident scanner.

FindVirus: excellent scanner, very good disinfector, excellent resident scanner, non-existent behaviour blocker, extremely bad integrity checker.

AntiVirus Pro: excellent scanner (one of the best), excellent disinfector (probably the best; it's just so difficult to test this class of programs), very good user interface, reasonably good behaviour blocker, mediocre integrity checker, non-existent resident scanner.

TBAV: excellent scanner, rather good resident scanner, mediocre integrity checker, poor disinfector, acceptable behaviour blocker, good user interface.

Integrity Master: reasonably good integrity checker, reasonably good scanner, non-existent resident scanner, non-existent behaviour blocker, very good user interface.

Untouchable: very good scanner, excellent integrity checker (probably the best), nice user interface, good resident scanner, moderately good disinfector, non-existent behaviour blocker.

What else? Oh, yes, disclaimer: I don't have hard data to support the above, except about the scanners. The above comments are based mostly on my feelings when playing with the particular product. Also, sorry if I have missed anybody's favorite product.

> little, right now I use norton and/or MS DOS antivirus (basically
> norton right?)

No. Microsoft Anti-Virus (MSAV) is basically Central Point Anti-Virus (stripped down severely), not Norton Anti-Virus.
I hate to disappoint you, but you are currently using two of the worst (from the anti-virus point of view) anti-virus packages on the market.

Regards,
Vesselin

------------------------------

Date: Tue, 10 May 94 16:42:55 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Canaries (PC)

A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) writes:

Apologies to the net and to Padgett in particular, but I am accessing this forum as a newsgroup (comp.virus) and not as a digest (Virus-L), and there have been some problems with comp.virus recently, so I have missed several messages, including the one Padgett is replying to. So, I will have to use his quotes of the original message, in order to reply to it.

> >From: fuzzy@nttsgw.yh.ntts.co.jp (Toru Fujii)
> >Subject: Is it possible to detect viruses this way? (PC)

> >Method is really simple.

And really inefficient.

> >1. Make an .EXE or .COM file which the only content is RET code or something
> >   similar and very small (1 byte or so.)

Many viruses will refuse to infect files that are too small.

> >2. Run this program and see change in its size.

Many problems with this approach. First, as Padgett already explained, it won't catch stealth and even semi-stealth viruses (because you are looking only at the file size). Second, it will not catch cavity viruses like Lehigh or Darth Vader, which do not modify the size of the infected files. Third, it will not catch boot and master boot sector viruses. Fourth, it relies on a virus being already active in the system. Most users would prefer if the virus is detected and stopped *before* it has the chance to execute on the system.
Fifth, it will not catch non-resident viruses. Sixth, it will not catch viruses which do not infect on program execution (but, for instance, on FindFirst/FindNext, OpenFile, etc.).

Having all of the above in mind, it is still possible to exploit the good sides of your idea. For instance, one could use this method, combined with anti-stealth techniques to access the file, to check whether there are any unknown viruses active in memory. It won't always work, but it doesn't hurt, and every virus caught by it is a bonus. The key part is to remember not to rely on it alone. Several anti-virus programs use this method (among other things); VDS is one of them.

Regards,
Vesselin

------------------------------

Date: Tue, 10 May 94 17:01:36 -0400
From: padgett@tccslr.dnet.orl.mmc.com (padgett peterson)
Subject: Re: NEWBUG[Genp] and AntiExe infection (PC)

>From: tds@ares.cs.wayne.edu (tds)
>Subject: NEWBUG[Genp] and AntiExe infection (PC)

>An IBM model 56 PS/2 has this strange infection. (4MB Ram, windows).
>F-prot(v211) reports the AntiExe infection in the master boot record
>on the fixed disk. VirusScan 113 reports a NewBug infection [Genp] in
>the partition table. How can I counter this dual infection? Will the
>FDISK command work and how to use the /MBR parameter?

Well, in the first place you only have one MBR, so it is unlikely that you have two different infections; more likely the different scanners use different names (Frisk follows the CARO naming pretty closely, McAfee does not). One giveaway is the [GENP] or GENeric Partition table infection. Most likely if you boot from a clean floppy and run FDISK/MBR, your problem will be solved.
With all of the new versions of a-v products out, I'd like to mention that my FreeWare DSII is still v2.42 since no revisions are necessary for new viruses, only if I improve something. (DS v1.15 went for almost three years before DS II was released) and still handles all of the low level infections I've seen or have been able to postulate.

Warmly,
Padgett

------------------------------

Date: Tue, 10 May 94 17:27:38 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VSUM??????? (PC)

ST29701@vm.cc.latech.edu (ST29701@vm.cc.latech.edu) writes:

> I remember hearing sometime back that VSUM was not very accurate at all.

Mildly put, yes.

> Has it improved?

Nope. Has just increased in volume. :-)

> What sort of problems does it have, and what is usually accurate.

Uh... difficult to say. I've had a hard time finding even one virus description that was entirely accurate.

Regards,
Vesselin

------------------------------

Date: Tue, 10 May 94 17:25:37 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scanners and detectors (PC)

ST29701@vm.cc.latech.edu (ST29701@vm.cc.latech.edu) writes:

> What are the top 5 or 10 best virus scanners? I mean best at detecting
> viruses on the IBM PC, NOT which has the best user interface or something.

AntiVirus Pro (shareware), F-Prot (freeware/shareware), TbScan (shareware), FindVirus (commercial), VScan (commercial) - maybe not necessarily in this order.

> Also, what are the best heuristic scanners out now?

There are only two that are reasonably good - F-Prot and TbScan. There are a few others that employ heuristics, but their quality is far behind.
One exception is Padgett's ChkBoot - it's an excellent heuristic analyser, but works only for boot sectors.

Regards,
Vesselin

------------------------------

Date: Tue, 10 May 94 17:40:40 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel (PC)

McAfee Associates (aryeh@mcafee.com) writes:

> scn-200.zip    VirusScan 2.0 for DOS, new version of SCAN.EXE

A few first impressions:

1) Badly chosen default options: the default is NOT to scan the subdirectories of the specified directory and to scan ALL files, not just the executable ones.

2) The ability to scan multiple floppies without leaving the scanner is gone. Why?

3) The /APPEND option doesn't work. When the scanner was still in "public beta test", I reported to McAfee that the /HISTORY option doesn't work - it was simply ignored. Obviously, they've done a last-minute fix and have replaced it with the /APPEND option (which is supposed to do the same), but haven't bothered to test it. As a result, the /APPEND option does not append to an existing report file - instead it turns off the capability to stop the scanning by pressing Ctrl-Break.

4) The scanner is still lacking some elementary features that would make testing it easy. For instance, it does not have an option to list in the report file all files that are being scanned - it lists only the ones it considers infected. Suppose that I am testing the scanner against 10,000 replicants of a TPE-related virus and the final count tells me that a virus has been detected in 9,999 files. How do I know which one was missed?
How do the people at McAfee test the detection rate of their own product? How do they determine which viruses of their collection it is NOT able to detect? Or do they do such tests at all?

5) One old bug in the SCAN series is finally fixed - the multiple detections. SCAN 2.00 no longer reports more than one virus when only a single virus is present in the file.

6) There are a few other improvements, like combining the scanner and the disinfector in a single program, separating the virus information from the scanning engine, and so on.

7) The documentation that came with the beta version used to talk about exact virus identification. I was rather pessimistic that this can be easily implemented. No surprise, any mention of exact identification has been removed from the documentation that comes with SCAN 2.00, and the scanner itself is unable to identify the viruses it detects exactly. However, the identification is still much better than the non-existent one in the old SCAN series.

Regards,
Vesselin

------------------------------

Date: Tue, 10 May 94 17:49:58 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: HELP!! We need info about the NATAS virus! (PC)

Elite of the Network (CMEELBOO@vmtecqro.qro.itesm.mx) writes:

> Several computers here are infected by the NATAS virus. We need info about
> this virus since SCAN and several other antivirus programs can't remove it
> or even detect the virus... The only antivirus with NATAS detection is
> F-Prot 2.12 but I can't clean it too.

Actually, it is worse. F-prot 2.12 not only cannot disinfect the virus - it cannot even *detect* it *reliably* (i.e., it misses replicants).
My advice is: get AntiVirus Pro 2.00c. It can both detect and disinfect this virus reliably.

> We also need to know what this virus does besides losing 9216 bytes when
> a disk is accessed and being a boot virus. This virus works like a device
> driver or something, since the missing bytes are not shown like bad blocks
> or used blocks, they are just missing!!!

It is a memory resident, multi-partite, stealth, polymorphic, tunnelling, fast infector. It attempts to "escape" from TbClean and format the hard disk, but this doesn't work with the newest versions of TbClean. Other than that, the virus does nothing in particular.

Regards,
Vesselin

------------------------------

Date: Tue, 10 May 94 00:28:18 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: Thunderbyte anti-virus v6.20 (update/optimized) (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
tbavu620.zip    Thunderbyte anti-virus pgm, upgrade 6.12->6.20
tbavx620.zip    TBAV anti-virus - processor optimized versions

The Thunderbyte Anti-Virus utilities are ShareWare. There are four security modules (TbScan, TbScanX, TbClean, TbMon) included. These modules are programmed in assembler and therefore very fast! TbScan is a signature, heuristic and CRC scanner. It detects known, unknown and future viruses. TbScanX is the resident version of TbScan. TbClean is the first heuristic cleaner in the world. Even an infected file with an unknown virus can be cleaned. TbMon consists of three resident programs (TbMem, TbFile, TbDisk) which monitor your system against unknown viruses.
From version 6.09 a Windows interface is included.

Replaces: SimTel/msdos/virus/
tbavu612.zip and older
tbavu612.zip and older

TBAV is uploaded by its authors to anon-ftp site ftp.twi.tudelft.nl (in dir /pub/msdos/virus/tbav) and from there distributed to SimTel, garbo.uwasa.fi, nic.funet.fi and from there to their mirror-sites.

Piet de Bondt                          E-mail: bondt@dutiws.twi.tudelft.nl
==========================================================================
FTP-Admin for MSDOS Anti-virus software at: ftp.twi.tudelft.nl

------------------------------

Date: Tue, 10 May 94 17:06:10 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New files on our ftp site (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

> Several new files were made available on our ftp site, so I decided to
> post a message about it. Just to remind everybody, the name of our
> ftp site is ftp.informatik.uni-hamburg.de and the IP address is
> 134.100.4.42.

Sigh... The scanners are updated so quickly that a message posted to Virus-L/comp.virus that announces them becomes old sooner than it appears. :-(

> has been issued meanwhile: 1.51. The directory where the archive is in
> is /pub/virus/progs and the archive name is avscn151.zip.

Meanwhile version 1.52 has been made available. Full path is /pub/virus/progs/avscn152.zip.

> 2) I have received directly from Eugene Kaspersky an update for the
> program AntiVirus Pro. The update upgrades it to version 2.00b and is

Meanwhile a 'c' update has been received. It replaces the 'b' update. Full path is /pub/virus/progs/avp_200c.zip. Note that you also need the archive avp_200.zip, which contains the main package.

> 3) As usual, there are new versions of the regularly updated scanners,
> like F-Prot (version 2.12), TBAV (version 6.12) and so on.

Version 6.20 of TBAV just arrived today.
Regards,
Vesselin

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 35]
*****************************************
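The BPB plausibility check that Vesselin's reply about non-formatting floppies describes (DOS reads the BPB to learn the floppy geometry, and a boot infector that does not preserve it leaves a disk DOS no longer recognizes), in the style of the boot-sector heuristics he credits ChkBoot with, as an added Python example; it is not code from the digest or from any product named in it. Both boot sectors are constructed here: the second is the clean 1.44 Mb sector with only its BPB overwritten by NOP filler bytes.

```python
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 0x0B
# BPB at offset 0x0B, little-endian: bytes/sector, sectors/cluster, reserved
# sectors, FATs, root entries, total sectors, media, sectors/FAT, sectors/track, heads.
BPB_FORMAT = "<HBHBHHBHHH"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fats",
              "root_entries", "total_sectors", "media_descriptor", "sectors_per_fat",
              "sectors_per_track", "heads")
# Standard DOS floppy formats, keyed by (media descriptor, total sectors).
KNOWN_FLOPPIES = {(0xF0, 2880): "1.44 MB 3.5 inch", (0xF9, 1440): "720 KB 3.5 inch",
                  (0xF9, 2400): "1.2 MB 5.25 inch", (0xFD, 720): "360 KB 5.25 inch"}


def parse_bpb(sector):
    """Return the BPB of a 512-byte DOS boot sector as a dict."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)))


def identify_floppy(sector):
    """Name the standard floppy format the BPB describes, or None if it matches none."""
    b = parse_bpb(sector)
    return KNOWN_FLOPPIES.get((b["media_descriptor"], b["total_sectors"]))


def bpb_problems(sector):
    """List reasons DOS could not trust this sector's geometry; empty means plausible."""
    problems = []
    if sector[0] not in (0xEB, 0xE9):          # boot code must start with a JMP
        problems.append("first byte is not a JMP opcode")
    if sector[SECTOR_SIZE - 2:] != b"\x55\xAA":
        problems.append("missing 55AA boot signature")
    b = parse_bpb(sector)
    if b["bytes_per_sector"] != 512:
        problems.append("bytes per sector is %d, not 512" % b["bytes_per_sector"])
    if b["sectors_per_cluster"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        problems.append("sectors per cluster is not a power of two")
    if b["fats"] not in (1, 2):
        problems.append("number of FATs is %d" % b["fats"])
    geometry = b["sectors_per_track"] * b["heads"]
    if geometry == 0 or b["total_sectors"] % geometry != 0:
        problems.append("total sectors do not fit the track/head geometry")
    if identify_floppy(sector) is None:
        problems.append("media descriptor and size match no known floppy format")
    return problems


def make_clean_144_boot_sector():
    """Constructed sample: a minimal, well-formed 1.44 MB DOS boot sector."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"              # JMP over the BPB, NOP
    sector[3:11] = b"MSDOS5.0"                 # OEM name
    struct.pack_into(BPB_FORMAT, sector, BPB_OFFSET, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sector[SECTOR_SIZE - 2:] = b"\x55\xAA"
    return bytes(sector)


def make_bpb_clobbered_boot_sector():
    """Constructed sample: the same sector with the BPB overwritten by filler bytes,
    the damage a non-BPB-preserving boot infector leaves (no virus code involved)."""
    sector = bytearray(make_clean_144_boot_sector())
    sector[BPB_OFFSET:0x3E] = b"\x90" * (0x3E - BPB_OFFSET)
    return bytes(sector)
```

Running bpb_problems on the first 512 bytes read from a real diskette separates "DOS cannot read the geometry" from "the disk is physically bad", which is the distinction the reply draws.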