VIRUS-L Digest   Wednesday, 25 May 1994   Volume 7 : Issue 36

Today's Topics:

Re: Good Viruses vs. Bad Viruses
Re: Good Viruses vs. Bad Viruses
Re: The truth about good viruses
Re: The truth about good viruses
Re: Scanning ZIP files.
Wanted: Infos on ARJ-Virus
a virus newsletter worth it?
Re: GOOD vs. BAD HUH?
Viva Virus-L
Re: The truth about good viruses
Good anti-virus software recommendation needed
CARO and EICAR
Unix virus count (UNIX)
Attack by MOnkey ... (PC)
Help with Stoned Virus needed (PC)
Needing info on NYB virus... (PC)
outdated anti-virus software... (PC)
Re: Satan Bug and Norman (PC)
FORM and SPANISH Telecom - Do they have stealth capabilities ? (PC)
Vet software (PC)
re: help with boot sector virus (PC)
Boot_437 virus (PC)
Disks becoming unformatted (PC)
Re: Smartscan beats virus in double quick time. (PC)
Re: Scanners and detectors (PC)
Re: VSUM??????? (PC)
Re: HELP!! We need info about the NATAS virus! (PC)
Public Domain Anti-Virus TSR????? (PC)
Any Iper Info? (PC)
f-prot strange behavior (PC)
risc.ua.edu available via Gopher
AVP 2.0 update C (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 10 May 94 19:44:15 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Good Viruses vs. Bad Viruses

A. Padgett Peterson wrote:

[stuff deleted]

>The fact that "intent is irrelevant" is meant to defuse a defense
>(I didn't mean any harm...) by prima facie evidence of a reckless
>disregard for property e.g. allowing a virus to escape.
>
>IMHO, "intent" has nothing to do with it other than possibly determining
>the severity of the punishment and not whether retribution is to be
>extracted. Throughout history, the greatest crimes have been committed
>with seemingly good intentions, so much so that I consider it to be a red
>warning flag any time I hear someone expounding on "what is right" since it
>is usually leading up to self-justification for some anti-social act.
>
>Facts are. Damage is. Intent is irrelevant except to determine how to
>cure the illness (if it is worth the bother).

I wonder whether you have really thought out your position on intent, especially WRT definitions of crimes. Carrying lock picking tools is a crime in Texas (and most if not all states in the US, and I believe probably in all countries as well) only if one does so with intent to commit a crime with them. Otherwise, locksmiths would have a bad time performing their jobs.

Writing a virus is not per se an evil thing. I once started out to write a boot-sector infector which would only infect floppies, and only after asking permission. If an infected floppy was discovered, it would ask whether to disinfect. The purpose was to do research for my own edification. I never got around to it.

Let me hasten to add that I am not one of those who believe that there are "benevolent" viruses. I believe that there is nothing which viruses do which cannot be done by more normal and controllable means.

I was infected with a variant of the Azusa virus. It cost me many hours to disinfect.
First, there were no disinfectors for it at the time I found the virus. So I disassembled it and wrote my own disinfector. For experienced types, my disinfector is superior to CLEAN et al. So I will keep it around. But I would not have written it except for the infection.

Secondly, there were all the hours disinfecting hundreds of floppies.

Thirdly, there were some files which I will _never_ recover. Both backups I had of each were damaged by the virus. Actually, many files were damaged that way, but only two were unrecoverable. One .ZIP was damaged in both backups, but in different places in each. So I restored two bad copies of it, and did a direct block copy from one to the other to fix one of them. Again much time wasted.

I could lecture the _person_ who wrote that virus for _several_ hours. Very fitting punishment, I think.

So I still think that there should be different levels here. I think that writing a virus without malicious intent and letting it escape via negligence is a pretty mild crime compared to writing a virus and intentionally putting it out on the net as Morris did. Now when we get to CIVIL matters, THAT should be governed by how much DAMAGE was done.

Just my opinion.

Mike

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Tue, 10 May 94 20:01:00 -0400
From: klbarrus@flammulated.owlnet.rice.edu (Karl Lui Barrus)
Subject: Re: Good Viruses vs. Bad Viruses

> IMHO, "intent" has nothing to do with it other than possibly
> determining the severity of the punishment and not whether retribution
> is to be extracted.

> Facts are. Damage is. Intent is irrelevant except to determine how
> to cure the illness (if it is worth the bother).

What about situations where software is "accidentally" malicious? I mean, I'm no pro-virus apologist, but the fact is I have personally lost more hours of work due to commercial software foulups than the one virus incident I was victim to.
And what is tiring for me to read are posts which imply that viruses are the only software which causes harm. I mean, I recently read something about the KOH virus, and some heavily concocted apocalyptic stories about how KOH, while meaning to be a beneficial virus, can be malicious. The post implied (to me anyways) that the only software which can foul things up are viruses, that "life-critical" software can only be harmed by viruses, etc.

This probably belongs on RISKS, but the fact is NO commercial software carries any sort of guarantee to its performance. Just read the license that comes with anything, and pay attention to the "if this software screws up, we assume no blame" (except of course it is worded in legalese).

- --
Karl L. Barrus: klbarrus@owlnet.rice.edu
keyID: 5AD633   hash: D1 59 9D 48 72 E9 19 D5 3D F3 93 7E 81 B5 CC 32
"One man's mnemonic is another man's cryptography"
 - my compilers prof discussing file naming in public directories

------------------------------

Date: Wed, 11 May 94 01:06:17 -0400
From: pjc@as03.bull.oz.au (Paul Carapetis)
Subject: Re: The truth about good viruses

Dr. Cohen writes in reply to Vesselin:

> I don't deny that there are malicious virus writers, but I also don't
> deny that there are benevolent ones. You know well that I deplore
> people who launch malicious viruses, but on the other hand, I admire
> those who stand up for what's right and good with benevolent viruses.

[...]

> Then you agree that as responsible researchers, you and I should try to
> help the public understand that there are good and bad viruses, but that
> the ones that spread wildly and out of control are bad? I am pleased to
> hear this. I now ask that you join me in my effort to inform the public
> rather than try to maintain their ignorance. Tell them that there are
> benevolent viruses.

This discussion has been going, on and off, for many years now and will continue for many more.
I have resisted entering the discussion to date as I believe such discussions tend to be long-winded and accomplish little if anything when carried out over the net, but after reading Dr. Cohen's comments above, I felt the need to join the fray.

I have yet to be convinced that _any_ virus can be _known_ to be benevolent. No matter how talented a programmer wrote it, no matter how honourable its design intentions, no matter how well it worked when it was first released, how can the integrity of said virus be confirmed by the time it infects your (or my) machine? Wouldn't a known "benevolent" virus be the perfect target for one of the twisted minds that create the "malicious" variety?

I can just see it...

Message displayed on screen: "Hi! I'm a benevolent virus."
                             "Do you want me to defrag your disk?"
Typed reply:                 "Yes please!"
Action:                      formatting, formatting...

No thank you very much! I want full control over everything that is run on my system, and a virus must already be running in order to ask permission to infect, so how can I be sure it has not already taken any action?

Blueskies from down-under,
Paul

| Paul Carapetis, Software Advisor (Unix, DOS, C) | Phone: 61 3 2464944             |
| Software Development Services                   | Fax:   61 3 2464445             |
| Bull HN Information Systems Australia P/L       |---------------------------------|
| Internet: pjc@as03.bull.oz.au                   | There are only two experiences  |
| #define STD_DISCLAIMER _my_opinion_only         | in life: successes and lessons! |

------------------------------

Date: Wed, 11 May 94 07:06:47 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The truth about good viruses

fc@Jupiter.SAIC.Com (fc@Jupiter.SAIC.Com) writes:

> Vesselin makes a very good point. He is telling us that if you define
> viruses as being malicious, they are malicious, but my point is that
> this is not the widely published definition, it is not a sensible
> definition, and it is not a usable definition from a scientific point
> of view.

Agreed.
What I (and several others; the original term has been proposed by Dr. Alan Solomon) call "real viruses" is not an exact definition, it is not a scientific term at all, and can't be found in any serious scientific paper about computer viruses. In short, it's useless from the scientific point of view. However, I keep insisting that the term expresses the *understanding* of the general public of the term "computer virus". Yes, it's too bad that the general public does not consist of mathematicians who talk between themselves using only exact definitions and formulae. But that's life! Fact is that for most people the term "computer viruses" means those nasty little programs that invade their computers without authorisation, that often destroy data, and that always waste a lot of time and effort. You can't hope to change those people's view, so let's try to at least adapt to it and make a clear difference between the two things - the "theoretical computer viruses" (which conform to your nice and exact definition) and the "real computer viruses" (the kind of messy thing loosely covered by that inexact understanding of the general public). I hope that you won't deny that those are two different, but broad categories, and that it is useful (at least for practical reasons) to be able to distinguish which of them one is talking about. That's the only reason why I (Dr. Solomon, actually) introduced the term "real computer viruses".

> > Show me at least one person who wants to run a *real* virus on their
> > machine. Then I'll show you at least 100 others who wouldn't. From
> > your logic it follows that at least 99% of the people are bigots.

> Again, Vesselin makes a good point. His point is that because the
> community of antivirus researchers has gotten so much publicity and
> has dominated the media coverage, 99 percent of people have the
> misimpression that viruses are bad.

Ugh, no, I didn't say that.
First of all, I do not agree that it is because of the anti-virus researchers. According to me, it is mainly because of the malicious virus writers - it is *them* who have created the bad reputation of the term "computer virus" - so bad, that we need a different term now, in order to distinguish from what you are calling like that. Yes, and the media is guilty for it too. Too bad that every article in the popular press about computer viruses didn't have a footnote saying "but please note that the viruses we are talking about here are only a small subset of the programs covered by the mathematical definition of the term and that some other programs of that kind may be beneficial". Uhm, coming to think about it, it doesn't read very well in a New York Times article entitled "Bank Loses $10 Million Due to Computer Viruses. Are We All Doomed?". :-)

But then, what can we do about it? I, for one, do not like the fact that the media has twisted the noble word "hacker" to mean "a twit with no life who enjoys breaking into other people's computers". However, what can I, and the other few thousand *real* hackers, do about it? Can we change the opinion of the rest of the world? Nope. We have to learn to live with it and go on. Just the same with computer viruses. I might not like the fact that the general public has been told that "computer viruses" are only those nasty little programs that cause them troubles, but this is how it is, and we have to learn to live with it.

> There's a word for this. It's called propaganda.

Having lived for 30 years in a country where propaganda was one of the means to keep the population under control, I would call it like that. For me, "propaganda" is intentionally distorting the facts and controlling the public opinion. I don't think that the phenomenon you are talking about is an intentional process. I would call it just "public opinion".
> The reason you are unaware of these good viruses is that they don't
> spread wildly or out of control, they work well, and they are not
> usually identified under that name.

Well, maybe that's the ticket! Since the term "computer virus" is already loaded with negative sense in the view of the public opinion, maybe you should use a different term when you are talking about "useful replicating programs".

> Read my book It's Alive if you
> want examples.

Could you please provide some more information about how to get it?

> I don't deny that there are malicious virus writers, but I also don't
> deny that there are benevolent ones. You know well that I deplore
> people who launch malicious viruses, but on the other hand, I admire
> those who stand up for what's right and good with benevolent viruses.

I don't have a problem with you. I have a problem with those who are using your words to masquerade their unethical (and often illegal) activities as "legitimate virus research". And I would feel much better if you would be more careful not to use words that can be easily used that way.

> I don't know why you think you have gotten me in some way. If you agree
> that there are benevolent viruses, why not just say so, and then explain
> which viruses you feel are malicious instead of creating a misleading
> definition of a thing called a Real Virus and then claiming that all
> viruses are bad?

I agree that there are benevolent viruses ACCORDING TO YOUR DEFINITION of the term "computer virus". I still insist that we need a way to distinguish between what you call "computer virus" and what the general public understands under this term. I think that using the term "real computer virus" for the latter is a pretty good idea; you are welcome to come up with better ones. Once this distinction is made, I do not claim that "all viruses are bad" - I only claim that "all real viruses are bad".
> I don't think that it is some amazing admission that DISKCOPY can be a
> virus given the proper environment.

Not amazing; I used it just as an example to demonstrate to the readers how much your understanding (based on a mathematical definition) of the term "computer virus" can differ from the understanding of the general public (based usually on common sense).

> In fact, as you well know, EVERY
> finite sequence of symbols is a virus in some environment.

Yes, I know it - you taught me that. However, I also know that while theoretically true, it is completely useless from a practical point of view. Tell me, how will it help telling Joe User that every sequence of symbols in his computer (all of them are finite) can be a virus in some environment? What will you achieve by telling him this, other than confusing him and satisfying your feeling for exactness of the expression?

> The fact
> that many antivirus packages use viruses in a beneficial way clearly
> demonstrates that you agree that there are benevolent viruses. Why not
> just say so up front and stop this foolishness once and for all.

I agree - according to your understanding of the term "computer virus". If you review some of my articles here in the past, you will see that I have always tried to explain to the readers that there is a difference between what you and they call "computer virus" and that what you call like that can be beneficial - it's only very different from what they call "computer virus".

> I don't believe I have ever said that such programs were good. But you
> don't state that "nasty little programs written by irresponsible
> adolescent kids that try to sneak into our computers against our will
> and often destroy our data" are bad. You say computer viruses are
> bad, and as you well know, these are very different things.

Well, the first term is a bit too long for everyday use, don't you think so? Even "real computer virus" is a bit longish.
Heck, even "computer virus" is too inconvenient sometimes, so in a public forum devoted to that subject, I often use just "virus" and elaborate only when there is a danger of misunderstanding. In particular, I see a danger of misunderstanding and need to elaborate beyond "computer virus" only when somebody brings up the concept of "beneficial viruses"; that's why I am emphasizing the difference only in those cases.

> Then you agree completely with my assertion that when you decide to run
> a virus on your machine to do a useful function, that is OK.

Yes, I do. And yes, the word "decide" is the right word to use; for instance "agree" is not strong enough, IMHO.

> Nobody
> ever made the claim (as far as I know) that viruses are programs that
> run without the authorization of the user.

Welcome to the real world. Read a few postings even here, by people who are clearly not virus experts. People who represent the general public. You will discover that most of them understand a computer virus as "something that came when I didn't want it".

> In fact, in the first and
> most famous paper on viruses, it was clearly demonstrated that viruses
> are not Trojan horses, and that they may indeed ask permission before
> replicating.

Dr. Cohen, I am sorry to disappoint you, but relatively very few people have read the paper you are talking about. It's too technical for most. Most people prefer their morning newspaper as a source of information. Several years ago, I made a similar mistake. I wrote an article in a popular computer magazine, explaining why computer viruses cannot be a serious threat, because it is trivial to spot them. What I didn't take into account was that not every computer user is the kind of hacker that knows by heart the internals of their computers...

> Then you agree that as responsible researchers, you and I should try to
> help the public understand that there are good and bad viruses, but that
> the ones that spread wildly and out of control are bad?
I feel more urgently the need to explain first that the viruses you are talking about are something completely different from what the general public usually understands under this term. Once the difference is made clear and understood, *then* we could discuss whether that other thing can be beneficial (and yes, I agree with you that it can be).

> I now ask that you join me in my effort to inform the public
> rather than try to maintain their ignorance.

Surprise, surprise, I have been doing this already, for quite some time. Every time someone begins to wonder "Is that Dr. Cohen crazy to talk about beneficial viruses?", I am trying to explain to them that what Dr. Cohen calls a virus, and what the general public understands under this term, are two very different things.

> Tell them that there are
> benevolent viruses.

I feel it more important to first explain that what you call a virus is *different* from what they do. Only then will they be ready to accept the concept that that other thing can be benevolent.

> Join the
> legitimate researchers of the world who seek to understand and clarify
> the issues to the public.

I hope to have been part of those since the beginning. :-)

> Believe that the public can handle the truth
> and try presenting it to them instead of promoting a lie because it is
> convenient.

I don't believe that the public can handle the truth, but I am trying to promote what I believe is the truth nevertheless...

> > Another problem, Dr. Cohen, is that you often tend to be too terse and
> > not to explain in detail what you mean exactly - and do not express it
> > in a language understandable by the general public. This often makes
> > people not understand you, or misunderstand you. Is it surprising
> > then that people tend to flame you? :-)

> I plead no contest. The fact that I have written several books on the
> subject that are quite wordy and are available to the public aside, I
> will try to use more words in the future.
The number of words is not that important - try using simpler words instead. Simple and clear words, understandable by everyone, not just by a bunch of mathematicians.

> It is truly sad that criminals use the words of the sincere to ply their
> trade, but such is life. I am certain that criminals also use other
> words to justify their actions as well, but that does not mean we should
> stop extolling the truth.

Certainly not, but just as certainly it will help if you try to use words that are less easy to misinterpret in order to justify unethical behaviour.

> I would be happy to run them all on my machine, but unfortunately, ever
> since I started stating that there are benevolent viruses, nobody in the
> antivirus research community has been willing to send me copies of any
> of their viruses.

Uhm, didn't I give you many of them when we met in Edinburgh?

> Indeed, several of them have tried to keep me out of
> CARO and other such organizations (successfully I might add) despite the
> fact that I implemented one of the most successful virus defenses
> available to date. It seems that money is more important than the truth
> in the group you are a member of.

Nope, the group you are talking about is not a profit organization, so money doesn't play that much importance in it. In fact, several of the members of this group work for bitterly competing companies and often those companies don't like much some of the sharing of information that goes into this group. No, the reason some of us objected to your membership is the fact that (because of your not always careful enough choice of words when talking to the general public) you have created for yourself some bad popularity and that it could throw a shadow on the group. Of course, this is my understanding and interpretation; I don't speak for the group - nobody does, actually.
> I look forward to your copies of
> 4,300 viruses, and I will happily have the people that now develop
> Integrity Toolkit announce its (likely 100 percent) success rate in Virus-L.

100% it won't score - I think that I demonstrated to you in New York that it is helpless against slow viruses and a few other attacks. Other than that, your product indeed provides a very strong line of defense. Now, if only somebody could write a good user interface for it (and good documentation), in order to make it usable...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226            Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >        Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de               22527 Hamburg, Germany

------------------------------

Date: Wed, 11 May 94 10:09:44 -0400
From: Otto Stolz
Subject: Re: Scanning ZIP files.

On Sat, 16 Apr 94 19:10:10 -0400 you said:

> when you scan a ZIP file will the virus scanner pick
> up a virus if there was one on the EXE program that was in the ZIP
> file

This depends on the scanner you use. Generally speaking, this feature is not essential, as you always can extract the files from the archive to scan them. There are even programs available to extract the files and apply the scanner of your choice to them (cf. the VIRUS-L log files for details).

On the other hand, it is essential for a scanner to scan inside compressed, self-extracting programs (such as PKLITE, LZEXE, and ...) as any virus that has infected a program, even before it was compressed, will be active when the program is run. If a scanner does not reverse the compression, it will only see those viruses that have infected the program after compression.

Best wishes,
Otto Stolz

------------------------------

Date: Wed, 11 May 94 21:49:50 -0400
From: pi@europe.pha.oche.de (P. Immond)
Subject: Wanted: Infos on ARJ-Virus

Hello,

I'm looking for infos on ARJ-Virus. Can it really infect an ARJ with Security envelope?

Regards,
Peter

AACHEN/GERMANY: EUROPE.pha.oche.de    +49-241-922444   V32b/V42b 19.2 X75 + FAX
AVN AntiVirus-Network Host & Archive  MyBOX 0.9e: Z3.8 * JANUS2 * QM * GSMAIL
HUERTH/GERMANY: FREEPORT.pha.oche.de  +49-2233-66968   V32b/V42b ZyX 19.2 + FAX

------------------------------

Date: Wed, 11 May 94 21:55:34 -0400
From: tbbs@crl.com (Mark E. Bishop)
Subject: a virus newsletter worth it?

I originally wrote THE VIRUS INFORMER for a couple of years and it was distributed widely among the FIDO nationwide circuit. It was a free issue that was widely circulated. I have since quit that publication but many have asked for it back. TO YOU EXPERTS and VIRUS conscious end-users, would you be willing to pay for such a publication? I need to poll you folks.

Thank you.

------------------------------

Date: Thu, 12 May 94 07:18:50 -0400
From: bradleym@netcom.com (Bradley)
Subject: Re: GOOD vs. BAD HUH?

Keith A. Peer (dm252@cleveland.freenet.edu) wrote:

> I have seen this topic for too long now. How can there be a
> discussion regarding this? What is a good virus going to do:
> Defragment my hard disk? Delete my old mail that I no longer
> want to read? Turn my PC on to wake me up in the morning?

How about KOH? Also the Potassium Hydroxide virus. It will encrypt your HD for you using the IDEA algorithm. And it includes an option for removal from your HD as well as a couple of other options.

> A virus by nature is what? Its intention is to produce copies
> of itself and attach these copies to your programs (without you
> knowing) and either display a message, play a tune, fill up your
> disk, destroy data etc... How can this be good? NOT POSSIBLE!!!

Well... they don't all infect files. Don't forget the boot sector viruses. And CPAV will also modify your files for you, under the guise of protecting you.
Besides, only a small number of viruses have malicious code.

> Any program that functions to work without the owner's approval is
> harmful. NO MATTER WHAT IT DOES!!!!!

Well, yes. But do you REALLY know what those new programs you just got are doing when they install themselves? Most don't tell you, and only a couple have an uninstall.

> How can one say that this is a "good virus" and another not?
> There is NO such thing. ALL VIRUSES ARE BAD, TERRIBLE,
> DESTRUCTIVE, HOSTILE.

One can say whatever one pleases. One can say that there is A good computer virus, the same as another one can say "ALL VIRUSES ARE BAD, TERRIBLE...". Personally, I have multiple programs to ensure that I don't get randomly infected with a virus. Also, I take precautions against malicious activities. This is because one never knows what others might want to do.

> Please end this discussion. I'm done.

> Oh, if anyone has a virus that can turn my PC on to wake me up
> let me know :-)

I just leave mine on 24/7. And then I have a clock program play a "rooster crow". :)

Regards,
Bradley

- ---
bradleym@netcom.com    finger for PGP public key    Hayward, CA

------------------------------

Date: Thu, 12 May 94 11:39:53 -0400
From: Corporate Information Security Group - 223-8732
Subject: Viva Virus-L

The issues of VIRUS-L are vital to my anti-virus efforts. Much of my understanding of viruses comes directly from the pages. I use the FAQ as a tutorial for others.

The issue (different meaning) of GOOD VIRUS - BAD VIRUS is a very unhelpful distraction. Who cares? Let the GOOD VIRUS people play with their mental blocks, and let us kill virii, good and bad. Wordsmithing about "VURUS" definitions is a luxury for the people with more time on their hands than is good for them. When you are directly trying to exclude viruses from thousands of PCs, and trying to educate and motivate the users to exclude the viruses, you are (I am) too busy for sophistry.
Cheers,
Phil

------------------------------

Date: Thu, 12 May 94 16:01:05 -0400
From: tgilbert@salsa.abq.bdm.com (Todd Gilbert)
Subject: Re: The truth about good viruses

wrote:

> Then you agree completely with my assertion that when you decide to run
> a virus on your machine to do a useful function, that is OK. Nobody
> ever made the claim (as far as I know) that viruses are programs that
> run without the authorization of the user. In fact, in the first and
> most famous paper on viruses, it was clearly demonstrated that viruses
> are not Trojan horses, and that they may indeed ask permission before
> replicating. So your point misses the point.
>

Excuse me? What do you mean nobody ever made that claim. That is, before coming to this group, the _only_ way I've ever heard a virus described. Yes, there are other criteria as well, but stealth execution is always one of them.

You complain that the person you are arguing with is using propaganda to give viruses a bad name. I would like to point out that the term virus was around long before the computer version of the phrase was coined. Is there a good biological virus? Want to argue that one? I suggest that rather than whining that you & your work are misunderstood you simply change the name of what you are talking about. Call them widgets or something like that. There's _plenty_ of good words with positive connotations you could use.

As far as your argument about the "first and most famous paper", don't you think that's a little dated? I doubt the owner's manual for the Model A Ford has much bearing on today's models. As a more relevant example: the original definition of AIDS from the CDC said nothing about the HIV virus (and not just because they hadn't found the virus yet).

regards
Todd

- --
tgilbert@salsa.abq.bdm.com     The owls are not what they seem
or " @nacho.abq.bdm.com        And neither are the penguins

------------------------------

Date: Thu, 12 May 94 18:16:23 -0400
From: jclee@netcom.com (Johnson C. Lee)
Subject: Good anti-virus software recommendation needed

Hi,

Does anybody know if there is any anti-virus software that will detect the virus automatically? What I mean is every two weeks I have to run my anti-virus software to do detection and it takes a long time. It will be nice if there is an anti-virus software which will do the detection when there is disk operation etc etc.

And can someone recommend me some good anti-virus software either in the shareware domain or in the market? I am particularly looking for something that will work in a networked (both netware and TCP) environment.

Any info will be appreciated.

Thanks,
- -Johnson

------------------------------

Date: Thu, 12 May 94 23:53:10 -0400
From: dm252@cleveland.freenet.edu (Keith A. Peer)
Subject: CARO and EICAR

I am trying to find out about 2 organizations that I heard are PC Security/Virus related but I do not know where or how to contact them. The organizations are "CARO" and "EICAR". Any help is greatly appreciated.

Thanks
Keith A. Peer

Please E-Mail any help to my mail box

- --
Keith A. Peer -=> dm252@cleveland.freenet.edu       +---------------+
Central Command Inc.                                |    PGP Key    |
P.O. Box 856, Brunswick, Ohio 44212                 |   Available   |
216-273-5743 [Anti-Viral Services / Consulting]     +---------------+

------------------------------

Date: Tue, 10 May 94 22:22:49 -0400
From: radatti@cyber.com (Pete Radatti)
Subject: Unix virus count (UNIX)

Posting on virus counts for Unix should be corrected. I do not count the Internet Worm as a virus. My count for Unix viruses is 3 plus the Internet worm. By your way of counting that makes 4. The viruses are:

1 - The AT&T Attack Virus (AKA Usenix)
2 - The LS Virus
3 - The Chapter 13 Virus

There is also a compiler virus which I don't think was ever in the wild and Doctor Cohen's research viruses on Unix.

Pete Radatti
radatti@cyber.com

------------------------------

Date: Tue, 10 May 94 22:02:45 +0000
From: lubkt@Lehigh.EDU (Binod Taterway)
Subject: Attack by MOnkey ... (PC)

Fellow readers,

Here at Lehigh Univ. we have a lab full of computers that are infected with Monkey virus. We have been able to remove the virus using Norton Disk Doctor, but no sooner do we clean it than it gets reinfected because of infected diskettes students insert. We are using F-PROT 2.12 to look for the virus. Is there a memory resident program that one can use to prevent reinfection from diskettes? I noticed that after doing the DIR on an infected diskette, the virus becomes memory resident but does not infect the hard disk. I have looked at Patricia Hoffman's summary on MONKEY, but the description does not tell how (at what point) infection takes place.

Much obliged for your comments. Thank you.

- --
 _____________________________________________________
| Binod Taterway       | Lehigh University            |
| Sr. User Consultant  | 194 Computing Center #8B     |
| (215) 758-3984       | bt00@lehigh.EDU              |
|_____________________________________________________|

------------------------------

Date: Tue, 10 May 94 20:37:33 -0400
From: JWE107@PSUVM.PSU.EDU
Subject: Help with Stoned Virus needed (PC)

I hope this is alright to ask this newsgroup. I need some help. I just discovered that two of our computers have been infected with a virus, namely the Stoned.Empire.Monkey.A virus. Every summer the staff reformats the hard drives in the computer lab to clean them of all the junk which students put on them. This year we are in the process of updating the network cards also. I figured I would clean, format, and install the new cards for each PC all in one shot. When I got to the second PC to which I was going to go through this process, things started to not work. After much grief I discovered that the hard disk had the above virus and that a couple of the disks which I was using also had the Stoned virus.
All the diskettes were disinfected with F-PROT 2.11. Then I rebooted the infected PC with a clean bootable diskette and then proceeded to disinfect the hard disk. While running F-PROT I received an error which went something like this: "hard disk error" or "fatal hard disk error", I forget exactly which one, but before the error occurred, F-PROT disinfected the hard disk. I then proceeded to format the hard drive and received an "Invalid drive specification" error. In the process of removing the virus, was the hard disk damaged? I don't know anything about viruses, but have found out that the Stoned.Empire.Monkey.A virus is a boot and resident virus. Do I have to low level format the drive to regain the boot sector information? I am just reaching in the dark here; my troubleshooting capabilities are limited. I would appreciate anyone who could help or point me in the right direction for help.

Many thanks,
Joe

------------------------------

Date: Wed, 11 May 94 01:14:01 -0400
From: rcc@lgc.com (Randy Clarke)
Subject: Needing info on NYB virus... (PC)

Help!!! I found out just recently that my home PC has come down with (according to scan) the NYB virus. A quick perusal of the docs didn't reveal any info on NYB nor did any of the docs I downloaded. Is NYB a specific virus, or just a general type of virus? Any info or pointer to info would be greatly appreciated.

Thanks,
Randy

------------------------------

Date: Wed, 11 May 94 03:57:10 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: outdated anti-virus software... (PC)

I hope this message makes it to comp.virus/Virus-L - as far as I can see, comp.virus is totally dead - there has not been a single message there this month - at least not here in Europe. I guess the Virus-L -> comp.virus gateway is broken again.

Anyhow... I just received the following message:

> A colleague has used your program FPROT.EXE obtained from FTP.VIRGINIA.EDU on
> 05-10-94 as /PUB/PC/FPROT.EXE. On execution the process indicated version
> 2.02 dated Jan. 1992 was an old version and a later version had been
> developed.....

I have mailed the person(s) in charge of this particular machine, but if anybody encounters other archive sites offering such old versions, I would appreciate being notified. The reason is rather obvious...some types of anti-virus software, scanners in particular, become outdated in a few months, and using a 2-year old scanner is just plain silly...it would only detect around 25% of today's viruses (and by the way their number is above 4300).

- -frisk

------------------------------

Date: Wed, 11 May 94 08:41:09 -0400
From: Norman Data Defense Systems A/S
Subject: Re: Satan Bug and Norman (PC)

In Virus-L no. 33 regarding the possible virus on 'garbo.uwasa.fi', Mr. Vesselin Bontchev states that the virus scanner from Norman Data Defense Systems is not one of the scanners that can detect the Satan_Bug virus.

We at Norman find this statement strange. It is correct, as Mr. Bontchev states, that our scanner (NVC) does not check .SYS-files for the virus. This may be called a weakness, and it has been changed in the latest version. However, Satan_Bug does not infect a SYS-file unless a process attempts to 'load-and-execute' the file. This does not happen to .SYS-files unless they are actually renamed .EXE-files. Any renamed EXE-file will be at risk because the virus looks for the EXE-header. Renamed COM-files will not be infected. Likewise, device-drivers will not be at risk.

At the time when we claimed to be the only ones to detect the Satan_Bug virus, we were. This was in July, 1993, and we have had support for Satan_Bug since then. We detect 100% of the samples and variants of the virus that we have here, and have not experienced any false alarms. It is possible (although not likely) that Mr. Bontchev has a sample of Satan_Bug that is unknown to us. We have dealt with 3 versions of the virus, version A, B and one called 'fruitfly'.
No misses in detecting any of them so far. In our own comparisons, none of the other scanners tested (shareware versions, fresh off the net) achieved a 100% detection rate on our set of samples.

Could you, Mr. Bontchev, please verify your allegation that NVC does not detect Satan_Bug? A clarification is definitely called for!

Sincerely,
Kristian A. Bognaes
Norman Data Defense Systems
norman@norman.no

------------------------------

Date: Wed, 11 May 94 10:51:54 -0400
From: a.coombe@east-anglia.ac.uk (Alan Coombe)
Subject: FORM and SPANISH Telecom - Do they have stealth capabilities ? (PC)

We run diskless PCs on a Novell server. We have a RAM drive. Does anyone know if these viruses have stealth capabilities, whereby they can survive a RESET (either the RESET button or CTRL+ALT+DEL)?

Alan Coombe

------------------------------

Date: Wed, 11 May 94 16:29:57 -0400
From: jag@univel.telescan.com ("John Guynn")
Subject: Vet software (PC)

Is Vet commercial or shareware? If it's shareware, where can I ftp it from? I looked in the FAQ but it didn't mention anything specific about any anti-virus software (as far as commercial or shareware and locations).

John Guynn
Network Admin
Telescan Inc.
jag@telescan.com

------------------------------

Date: 11 May 94 17:57:41 -0400
From: Roger Thompson <70451.3621@CompuServe.COM>
Subject: re: help with boot sector virus (PC)

TO: VIRUS-L Moderator >INTERNET:virus-l@assist.ims.disa.mil

Jay Elvove writes:-

> We have recently discovered what looks to be a boot-sector virus, but
> none of our scanners can identify it other than to say that it looks
> suspicious. I've peered into the diskette's boot sector and here's
> what I've found in the way of human-readable text:
>
> I am Li Xibin!
>
> Does anyone have any idea what this might be? Thanks in advance.
>
> Jay Elvove jay@umd5.umd.edu
> c/o Academic Software
> Comp. Sci. Center, Univ. of Md., College Park

You have what we call AntiCmos.Launch. It is a single sector MBR infector with just two significant features.

The first is that it *overwrites* the MBR on the hard drive, and the DBR on the floppy drive, rather than *moving* the MBR or DBR. What this means to a user is that in order to clean a hard drive, you must use a program capable of rebuilding the MBR. If you are running any anti-virus software which was well enough designed to take a backup copy of your system areas during installation, you should have no problem removing it. If not, the easiest way (providing you are running Dos 5.0 or higher) is:-

(1) Back up any data to which you have an emotional attachment (naturally).
(2) Boot the system from a known, clean, Dos Boot Disk.
(3) Run FDisk /MBR

For your floppies, copy any important data off and reformat them.

The second feature is that it has an interesting sound effect (btw this seems like it is never executed) which we have extracted and placed in a demonstration program called Launch.exe. It is available for public download from our BBS on 1-404-9718886.

We have now had reports of this virus from several parts of the US and Singapore.

Regards
Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus Software and Network Security Organizer
Roger@thomnet.com
PO Box 669306, Marietta, Ga, 30067, USA.
Tel: 1 404 9718900  Fax: 1 404 9718828  BBS: 1 404 9718886

------------------------------

Date: 11 May 94 17:58:33 -0400
From: Roger Thompson <70451.3621@CompuServe.COM>
Subject: Boot_437 virus (PC)

TO: INTERNET:virus-l@assist.ims.disa.mil

Jeremy Blumenfeld writes...

> Date: Tue, 26 Apr 94 11:10:44 -0400
> From: "Jeremy J. Blumenfeld"
> Subject: boot-437 (PC)
>
> Hello,
> A student came into our lab today returning from Albania with the
> boot-437 virus on his diskettes as reported by F-prot 2.11.
> Unfortunately, F-Prot reported that "This version of F-Prot cannot
> disinfect ..." Any help?
>
> jeremy blumenfeld
> jjb18@columbia.edu

According to my notes Boot_437 infects the DBR on the hard drive, and can therefore be removed by (1) backing up your data, (2) booting clean and (3) SYSing the c: drive.

Regards
Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus Software and Network Security Organizer
Roger@thomnet.com
PO Box 669306, Marietta, Ga, 30067, USA.
Tel: 1 404 9718900  Fax: 1 404 9718828  BBS: 1 404 9718886

------------------------------

Date: 11 May 94 17:59:10 -0400
From: Roger Thompson <70451.3621@CompuServe.COM>
Subject: Disks becoming unformatted (PC)

TO: INTERNET:virus-l@assist.ims.disa.mil

Alex Nemeth writes...

> Strange as it may seem, is there a virus that causes just the floppy
> to become "unformated" and not affect the hard disk?

Well, the New York Boot or B1 virus has a bug that causes a "General failure reading drive..." message to occur when a user is *formatting* a disk, although I have not yet seen it corrupt a pre-virus-formatted disk.

Regards
Roger Thompson
Thompson Network Software
Developer of The Doctor Anti Virus Software and Network Security Organizer
Roger@thomnet.com
PO Box 669306, Marietta, Ga, 30067, USA.
Tel: 1 404 9718900  Fax: 1 404 9718828  BBS: 1 404 9718886

------------------------------

Date: Thu, 12 May 94 09:04:31 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Smartscan beats virus in double quick time. (PC)

kgm@aber.ac.uk (kgm) writes:

>We were using Visionsoft's Smartscan, which failed to find it. Norton's NDD
>reported corrupt boot sectors on several floppies Friday, 22 April. We
>dispatched express a sample disc to Visionsoft on Saturday morning and
>by 11.15am Monday 25 April we received the necessary patch to the virus
>program. We are now able to detect and clean the virus from floppies.

It is fine if a company is able to respond quickly....most anti-virus companies try to do that.
It is better if the scanner is able to find the virus in the first place, and in this case they *should* IMHO have been able to find it.....after all, Stoned.Manitoba has been around for more than a year.

- -frisk

------------------------------

Date: Thu, 12 May 94 09:17:58 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Scanners and detectors (PC)

ST29701@vm.cc.latech.edu writes:

>What are the top 5 or 10 best virus scanners? I mean best at detecting
>viruses on the IBM PC, NOT which has the best user interface or something.
>
>I know that from month to month 1 scanner or another will be a little better
>than another, but in general what are the best?

I will not attempt to answer this question - after all, I am obviously biased, being the author of one of the scanners in question.....however, I would like to say something about why this question is a bit difficult to answer.

To attempt to do so you need a large collection of viruses to test the scanners on, right? Currently there exist probably around 5000 different PC viruses. Nobody (and that certainly includes myself) has a copy of all of them - the largest virus collections that exist today contain around 4500 different viruses. Most of the anti-virus companies and researchers exchange viruses to some degree, but there will always be cases of some collection having viruses not found in others.

Any comparative test done using a collection that some anti-virus companies have access to or contribute viruses to will obviously be biased in favour of those companies....and unfortunately there is no totally unbiased party that collects viruses and compares scanners. There are some that are a lot less biased than others, but all the comparisons you see are inaccurate in this way.

- -frisk

------------------------------

Date: Thu, 12 May 94 09:33:11 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: VSUM??????? (PC)

ST29701@vm.cc.latech.edu writes:

>I remember hearing sometime back that VSUM was not very accurate at all.

Most of the information is hopelessly inaccurate.

>Has it improved?

No...well....maybe slightly - Vesselin told me he had found one accurate entry some time ago.

>What sort of problems does it have, and what is usually accurate.

Here are some fragments from my favourite inaccurate entry:

> Virus Name: RAM Virus
> Symptoms: .COM & .EXE growth; black box; programs deleted on Fri 13th;
> TSR; system slowdown
> Origin: Europe
> Eff Length: 3,517 Bytes (.COM) & 1,808 - 1,822 Bytes (.EXE)
> Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
>
> General Comments:
> The RAM Virus was received from Europe in May, 1991. The RAM Virus
> is based on the Jerusalem virus. Like the Jerusalem viruses, it is
> a memory resident infector of .COM, .EXE, and overlay files. It
> will also infect COMMAND.COM.
>
> How the RAM Virus infects .COM programs is the major difference
> between this virus and other Jerusalem-based viruses. The RAM
> Virus, when infecting .COM programs, places a copy of itself at
> the beginning of the .COM program and another copy at the end.
> The file length increase on .COM programs, other than COMMAND.COM,
> will be 3,517 bytes. COMMAND.COM will only have an infection at
> the end of the program, and a file length increase of 1,704 bytes.

Now, what is wrong with this entry? Quite simple - the "RAM virus" simply does not exist. When I got a sample of the virus this analysis was based on, it just turned out to be infected with two old and well-known viruses - standard variants of Jerusalem.1808 and Cascade.1704. Any moderately competent virus researcher would have been able to determine that fact immediately. I pointed this error out to Patty two years ago, but just as with all other errors I found and reported in VSUM, it was never corrected.
My personal opinion of VSUM is that it is too incredibly useless and inaccurate to be of any use whatsoever to anybody.

- -frisk

------------------------------

Date: Thu, 12 May 94 09:37:13 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: HELP!! We need info about the NATAS virus! (PC)

CMEELBOO@vmtecqro.qro.itesm.mx (Elite of the Network) writes:

>or even detect the virus... The only antivirus with NATAS detection is
>F-Prot 2.12 but I can't clean it too.

Beware! F-prot attempts to detect Natas, but my detection is not accurate - it will miss some samples. I am working on this, but currently I advise against using it exclusively. The problem is that this virus is polymorphic and rather difficult to detect.

By the way, the author of the virus (he also wrote SatanBug), is known to the authorities.

- -frisk

------------------------------

Date: Thu, 12 May 94 15:08:41 -0400
From: glenn.davidson@acadiau.ca (Glenn E. Davidson)
Subject: Public Domain Anti-Virus TSR????? (PC)

Does such a thing exist? I doubt it but I thought I should ask anyway. E-mail me directly since it appears the newsgroup isn't used very often.

- ---------------------------------------------------------------------------
Glenn Davidson, Consultant/Programmer | Acadia University Computer Centre
                                      | Wolfville, N.S.
                                      | E-Mail: GLENN@ADMIN.ACADIAU.CA
- ---------------------------------------------------------------------------

------------------------------

Date: Thu, 12 May 94 19:05:57 -0400
From: jer@netcom.com (Jerry Billette)
Subject: Any Iper Info? (PC)

Our computers were recently infected with the stoned and michaelangelo 2 viruses. While we were disinfecting our systems using NAV 3.0 we came across multiple .exe files that contained the iper virus. The best information that we could come up with is that the iper virus infects com files. So, my questions are 1) does this virus do any damage besides replicate and 2) why did it only show up in .exe files and not any .com files?

BTW, we run Novell 3.11 networks.

TIA,
jerry

------------------------------

Date: Thu, 12 May 94 22:01:23 -0400
From: qianqian@tucson.princeton.edu (Qian Qian)
Subject: f-prot strange behavior (PC)

All this happened after I restored something from a disk given by my friend. I used to run f-prot without any problem. I just ran f-prot to check my hard disk and it came up with something strange which I think probably has something to do with a virus. In the upper window some message shows:

Error reading C:\WP51\INSTALL.EXE

after which suddenly the same message shows up for the rest of the files on the disk. At the end it says no suspicious virus is detected. But I knew it is not all right. I then rebooted the machine from a clean floppy disk and ran f-prot from a clean protected floppy. The result was almost the same. I did it several times. On one occasion, it did say that a variant of the Como virus was detected. But when I tried to disinfect the infected file, the same "error reading" phenomenon occurred again.

The machine is a 386sx16 with 4M RAM running DOS 6.0. Any suggestion about what I should do? I need inputs from net wisdoms. Thanks ahead!

- --
- --------------------------------------------------------------------------
Simplicity is the Beauty of Physics.       | PPL, P.O.Box 451
                         ---Qian Qian      | Princeton, NJ 08540
- --------------------------------------------------------------------------

------------------------------

Date: Thu, 12 May 94 22:36:46 -0400
From: James Ford
Subject: risc.ua.edu available via Gopher

risc.ua.edu now has a Gopher+ server sitting on top of the anonymous FTP section. You can now use your Gopher client to access available files (assuming your Gopher client supports it). Mosaic users can use the URL gopher://risc.ua.edu (I believe that's the right syntax) for retrieving files.

Below is a listing of files available on risc in the pub/ibm-antivirus section. This list (pub/ibm-antivirus/0files.index) is updated every night.

Comments/suggestions welcome.
- -- jf

- -----------------------------------------------------------------------
Listing of risc.ua.edu for Thu May 12 12:07:31 CDT 1994

/pub/ibm-antivirus
- ------------------
cache            cvc792ms.zip     nav21upd.zip     vchk23b.zip
0files.index     cvcindex.zip     nav30upd.zip     vdetect.zip
0fprot.note      dir2clr.zip      nsh152a.zip      vds210t.zip
0mcafee.note     ds231b.zip       secur235.zip     virlab15.zip
20a10.zip        fixutil5.zip     sentry02.zip     virpres.zip
Mirrors/         fp-211.zip@      stealth.zip      virsimul.zip
Valert-l.readme  fp-212.zip       tbav612.zip      virstop.zip
Virus-l.faq      fshld15.zip      tbavu612.zip     virusck.zip
Virus-l.readme   fsp_184.zip      tbavx612.zip     virusgrd.zip
aavirus.zip      gs.zip           tbsg601a.zip     virx293.zip
allmsg.zip       hack1192.zip     trapdisk.zip     vkill10.zip
avp_107b.zip     hs35.zip         unvir902.zip     vshell10.zip
avs_e224.zip     htscan20.zip     uxencode.pas     vsig9305.zip
bbug.zip         i-m151.zip       v-faq.zip        vstop54.zip
bootid.zip       innoc5.zip       vacbrain.zip     vtac48.zip
catchm18.zip     killmnk3.zip     vaccine.zip      vtec30a.zip
ccc91.zip        langv106.zip     vaccinea.zip     wcv201.zip
chk.zip          m-disk.zip       validat3.zip     wp-hdisk.zip
chkint.zip       msg_9_12.zip     vc300ega.zip     ztec61b.zip
cvc792am.zip     mtetests.zip     vc300lte.zip
cvc792ma.zip     mythsv10.zip     vcheck11.zip

/pub/ibm-antivirus/Mirrors/complex.is
- -------------------------------------
drinfo.exe       fp-212.zip       vsumx401.zip     xxdecode.c       xxencode.c

/pub/ibm-antivirus/Mirrors/mcafee/antivirus
- -------------------------------------------
00-Index         killmnk3.zip     oscan114.zip     strtl2.exe       wscan114.zip
3nsh160.zip      langv106.zip     scanv114.zip     strtli.exe
4nsh160.zip      ocln114.zip      scn-200.zip      vsh-200.zip
clean114.zip     osc-200.zip      sentry02.zip     vshld114.zip

/pub/ibm-antivirus/Mirrors/mcafee/utility
- -----------------------------------------
Index            mcf100.zip       target15.zip     wpv102a.zip
ccp11.zip        pv12.zip         tcm100b.zip

/pub/ibm-antivirus/Mirrors/mcafee/vsum
- --------------------------------------
Index            vsumx403.zip

------------------------------

Date: Wed, 11 May 94 13:27:10 +0400
From: eugene
Subject: AVP 2.0 update C (PC)

Hello!

Update C for Antiviral Toolkit Pro (AVP) ver. 2.0 is available on anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_200c.zip

You can use an ftp-by-email server to download it:

ftpmail@doc.ic.ac.uk
ftpmail@Pa.dec.com
ftpmail@cs.uow.edu.au

It will be available on BBS in a few days:

Virus Help Centre BBS:
Line #1 +46-26-275710 USR DS Modem  2:205/204
Line #2 +46-26-275715 V32 Modem     2:205/234

Note: please read "KERNEL.EXE" in README.DOC as "KERNEL.-VB".

Regards,
Eugene

- ---
- -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- -- eugene@kamis.msk.su   +7 (095)278-9949

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 36]
*****************************************
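Editor's added example (not part of this digest, and not Norman's or anyone else's scanner code) for the point Kristian Bognaes makes in "Re: Satan Bug and Norman" above: whether DOS will "load-and-execute" a file as an EXE depends on the MZ header at the start of the file, not on its extension, so a scanner that selects files by .COM/.EXE name misses a renamed EXE while one that selects by header covers it, and a true device driver or a renamed COM file is not an EXE in either case. The sample files, their names and the five-byte "mov ax,4C00h / int 21h" stub are constructed; the device-driver test is a simplification (the first four bytes of a driver file are the link to the next driver, FFFF:FFFF in a single-driver file), and the "ZM" spelling of the signature is a DOS loader quirk that a header check should also accept.

```python
"""Classify DOS files by content rather than extension (added example)."""
import struct
from typing import Dict, List, Optional

MZ_MAGICS = (b"MZ", b"ZM")  # the DOS loader accepts either byte order of the EXE signature


def parse_mz_header(data: bytes) -> Optional[dict]:
    """Return the size fields of a DOS MZ header, or None if `data` is not an MZ image."""
    if len(data) < 0x1C or data[:2] not in MZ_MAGICS:
        return None
    e_cblp, e_cp, e_crlc, e_cparhdr = struct.unpack_from("<4H", data, 2)
    # e_cp counts 512-byte pages; e_cblp is the number of bytes used in the last page (0 = full).
    image_size = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    return {"image_size": image_size, "header_size": e_cparhdr * 16, "relocations": e_crlc}


def classify(data: bytes) -> str:
    """'EXE' for MZ images, 'DEVICE-DRIVER' for a (simplified) driver header, else 'FLAT'."""
    if parse_mz_header(data) is not None:
        return "EXE"
    # Simplification: a DOS device-driver file starts with a 4-byte link to the next
    # driver in the file, which is FFFF:FFFF when there is only one driver.
    if data[:4] == b"\xFF\xFF\xFF\xFF":
        return "DEVICE-DRIVER"
    return "FLAT"  # a .COM-style raw image, or arbitrary data


def scan_set_by_extension(files: Dict[str, bytes]) -> List[str]:
    """The weak policy the post describes: only names ending in .COM or .EXE get scanned."""
    return sorted(n for n in files if n.upper().endswith((".COM", ".EXE")))


def scan_set_by_header(files: Dict[str, bytes]) -> List[str]:
    """Scan whatever the DOS loader would treat as an EXE, regardless of the file name."""
    return sorted(n for n, d in files.items() if classify(d) == "EXE")


def make_mz_image(body: bytes) -> bytes:
    """Constructed minimal MZ file: a 32-byte header (2 paragraphs) followed by `body`."""
    header = bytearray(32)
    total = 32 + len(body)
    header[:2] = b"MZ"
    # e_cblp, e_cp, e_crlc, e_cparhdr
    struct.pack_into("<4H", header, 2, total % 512, (total + 511) // 512, 0, 2)
    return bytes(header) + body


# Constructed sample files (not real programs): a "mov ax,4C00h / int 21h" exit stub.
_STUB = b"\xB8\x00\x4C\xCD\x21"
SAMPLE_FILES: Dict[str, bytes] = {
    "CMD.EXE": make_mz_image(_STUB),                 # genuine EXE
    "RENAMED.SYS": make_mz_image(_STUB),             # an EXE renamed to .SYS: still at risk
    "ANSI.SYS": b"\xFF\xFF\xFF\xFF" + b"\x00" * 28,  # device-driver header: not an EXE
    "TOOL.COM": _STUB,                               # flat .COM image: not an EXE either
}

if __name__ == "__main__":
    print("by extension:", scan_set_by_extension(SAMPLE_FILES))
    print("by header:   ", scan_set_by_header(SAMPLE_FILES))
```

The extension policy picks CMD.EXE and TOOL.COM and never looks at RENAMED.SYS; the header policy picks CMD.EXE and RENAMED.SYS, which is exactly the set of files a loader would run as EXE images.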
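Editor's added example (not part of this digest, and not Roger Thompson's or Thompson Network Software's code) for the AntiCmos.Launch reply in "re: help with boot sector virus" above. It shows the two checks that reply implies a defender can make: a product that kept a backup copy of the system areas at installation can detect that the MBR's code area was overwritten by comparing a digest of that area against the stored copy, and the partition table can be sanity-checked on its own. The sample sectors, the placeholder boot-code bytes and the partition entry values are constructed; the only value taken from the digest is the text "I am Li Xibin!" that Jay Elvove reports seeing in the boot sector.

```python
"""Master boot record sanity check against a stored baseline (added example)."""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE       # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of a valid MBR or DBR
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count

# Human-readable text the post reports in the infected diskette's boot sector.
TEXT_MARKERS = {b"I am Li Xibin!": "text reported for AntiCmos.Launch"}


def build_sample_sector(boot_code: bytes, entries) -> bytes:
    """Constructed sample sector: boot code, then the partition table, then 0x55AA."""
    assert len(boot_code) <= PART_TABLE_OFFSET
    sector = bytearray(SECTOR_SIZE)
    sector[: len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        # CHS fields are left zero; the checks below use the LBA fields only.
        struct.pack_into(ENTRY_FORMAT, sector, PART_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, PART_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_digest(sector: bytes) -> str:
    """Digest of the code area only: the partition table legitimately changes on repartition."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(sector)
    active = sum(1 for e in entries if e["status"] == 0x80)
    if active > 1:
        findings.append(f"{active} active partitions (expected at most 1)")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02X}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"entry {i}: type 0x{e['type']:02X} but zero sector count")
    if all(e["type"] == 0 for e in entries):
        findings.append("partition table is empty")
    code_area = sector[:PART_TABLE_OFFSET]
    for marker, label in TEXT_MARKERS.items():
        if marker in code_area:
            findings.append(f"known text marker present: {label}")
    if baseline_digest is not None and boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from the stored baseline copy")
    return findings


# Constructed samples, not real disk images: one FAT16 (type 0x06) partition.
_PARTITIONS = [(0x80, 0x06, 63, 204_737), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
CLEAN_MBR = build_sample_sector(b"\x90" * 64 + b"Invalid partition table\0", _PARTITIONS)
BASELINE = boot_code_digest(CLEAN_MBR)   # what an installer would store as its backup copy
# Same partition table, but the code area overwritten in place (not moved, as the post
# says) with bytes carrying the reported text.
SUSPECT_MBR = build_sample_sector(b"\x00" * 16 + b"I am Li Xibin!\0", _PARTITIONS)

if __name__ == "__main__":
    print("clean:  ", check_mbr(CLEAN_MBR, BASELINE))
    print("suspect:", check_mbr(SUSPECT_MBR, BASELINE))
```

The digest deliberately covers only bytes 0 to 0x1BD: that is the region an overwriting MBR infector replaces, and it is also the region FDISK /MBR rewrites while leaving the partition table alone, which is why the post's cleanup step restores access to the drive.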
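Editor's added example (not part of this digest) for the VSUM "RAM Virus" discussion in "Re: VSUM???????" above: the growth figures quoted in that entry are exactly what two simultaneous, well-known infections produce, which is the check frisk says any researcher would make before naming a new virus. The 1,704-byte figure is on the page; the 1,813-byte growth of Jerusalem.1808 on ordinary .COM files (1,808 bytes of virus plus a 5-byte infection marker) is an assumption taken from outside this digest. The search generalises the two-number case to any table of known per-infection growths, allowing repeats because some viruses re-infect an already infected file.

```python
"""Explain an observed file-length increase as a sum of known infection growths (added example)."""
from itertools import combinations_with_replacement
from typing import Dict, List, Tuple

# Growth of one infection on an ordinary .COM file. 1,704 is the COMMAND.COM growth
# quoted in the VSUM entry in the post; 1,813 for Jerusalem.1808 is an assumption taken
# from outside this digest (1,808 bytes of virus plus a 5-byte infection marker).
KNOWN_COM_GROWTH: Dict[str, int] = {"Jerusalem.1808": 1813, "Cascade.1704": 1704}


def explain_growth(observed: int, table: Dict[str, int] = KNOWN_COM_GROWTH,
                   max_infections: int = 3) -> List[Tuple[str, ...]]:
    """Every multiset of up to `max_infections` known infections whose growths sum to `observed`."""
    names = sorted(table)
    return [combo
            for k in range(1, max_infections + 1)
            for combo in combinations_with_replacement(names, k)
            if sum(table[n] for n in combo) == observed]


def check_vsum_ram_entry() -> Dict[str, List[Tuple[str, ...]]]:
    """The two .COM growth figures quoted from the 'RAM Virus' entry, explained."""
    return {"other_com_files": explain_growth(3517), "command_com": explain_growth(1704)}


if __name__ == "__main__":
    for label, combos in check_vsum_ram_entry().items():
        print(label, "->", combos)
```

3,517 is explained only by one Jerusalem.1808 plus one Cascade.1704 infection, and 1,704 only by Cascade.1704 alone, consistent with the entry's own description of a copy at the start of the file (where Jerusalem places itself in .COM files) and another at the end.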