VIRUS-L Digest   Thursday, 2 Jun 1994    Volume 7 : Issue 38

Today's Topics:

S&S International/Dr Solomon's on the move!
Re: Disabled viruses?
Re: Fred Cohen and computer viruses
Re: GOOD vs. BAD HUH?
Parity Boot B on OS/2 bootdrive (OS/2)
Re: tbav620.zip - Thunderbyte anti-virus pgm (complete) v6.20 (PC)
Gateway 2000 Europe preloaded virus report (PC)
What about long partitions (PC)
VIRUS: READIOSYS (PC)
Re: Help! Need advice on Michael Angello virus. (PC)
Re: antivirus products (PC)
Re: ANSI bomb (PC)
Re: help identifying a virus... (PC)
Re: Help with Form Virus (PC)
Re: Help:filler Virus (PC)
Re: B1 (or NYB) Virus (PC)
Re: Virus: Squisher Dropper (PC)
Re: Stone virus - stone.stonheng (PC)
Monkey (PC)
####-- THANKS --#### re Filler (PC)
Re: Help:filler Virus (PC)
FYI: New PC Virus alert (PC)
Aragon Virus (PC)
VIRSTOP 2.12 Freezes PC (PC)
SCAN V115 gives false Budo (B2) alarm with IBM PC DOS 3.3 (PC)
Re: Virus: Squisher Dropper (PC)
Re: Virruses - Pathogen (PC)
Re: Help re Genb (PC)
Re: good virus protection (PC)
Re: ANSI bomb (PC)
May 1994 VB abstract

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 19 May 94 11:05:32 -0400
From:    gcluley@nose.sands.co.uk
Subject: S&S International/Dr Solomon's on the move!

S&S International, developers of Dr Solomon's Anti-Virus Toolkit, are
moving to new, larger premises. With over 110 employees and three
different sites in Berkhamsted alone, we've found it's no longer
possible to squeeze us all in.

============

As from 30 May, S&S International's address will be:

  S&S International PLC
  Alton House Business Park
  Gatehouse Way
  Aylesbury
  Bucks HP19 3XU

Our telephone numbers are changing too:

  Tel: 0296 318700
  Fax: 0296 318777
  S&S International BBS: 0296 318810

=============

But please remember these numbers only come into effect from 30 May!

All our email addresses will remain the same (so gcluley@sands.co.uk
is okay, as is drsolly@sands.co.uk)

Regards
Graham

- ---
Graham Cluley                     gcluley@sands.co.uk
Product Specialist                S&S International, Berkley Court
S&S International                 Mill Street, Berkhamsted, Herts
Tel: +44 (0)442 877877            UK HP4 2HB

------------------------------

Date:    Thu, 19 May 94 12:54:51 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Disabled viruses?

Ralph Stockhausen (res@bfs.uwm.edu) writes:

> I would like to check out the functioning of my anti-virus setup.

------------------------------

Date:    Thu, 19 May 94 13:44:48 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Fred Cohen and computer viruses

CELUSTP@cslab.felk.cvut.cz (CELUSTP@cslab.felk.cvut.cz) writes:

> VB>The difference, as I am trying to explain to everybody, is that what
> VB>*we* call *real* viruses spread without authorization. None of the
> VB>"normal" programs do that. Also, what we call real viruses tends to
> VB>contain much more bugs per byte of code than the normal applications.
> VB>Sounds like a serious enough difference to me.

> 1. Who are "we"?

We, the users. We, the anti-virus researchers.

> 2. What are "real viruses"?

The ones that sneak around and infect people's computers without their
knowledge and authorization.

> 3. Does any statistical data exist about bugs per byte of code in computer
> virus ("real" or not) code in comparison with bugs per byte of code in
> "normal" application code?

No, I am not aware of any, but 98.47% of all statistics are made up
anyway. :-)

Well, you can create some yourself. One of the buggiest commercial
packages around - Microsoft Word for Windows - has about 8,000 bugs and
occupies several megabytes (forgot how much). Most viruses I have seen
are 200-4000 bytes long and about half a dozen bugs each. A (*very*)
rough computation shows that the average virus has more bugs per byte
than the buggiest commercial package.

> 4. The spreading without authorization is not an essential characteristic of
> computer virus by results of the Contest for the Best Virus Definition
> (look at, for example, Vesselin Bontchev's definition of virus in
> electronic magazine "Alive" No 0).

In that definition Vesselin Bontchev was trying to make sense from a
scientific point of view. Dr. Cohen's definition also makes sense from
a scientific point of view. However, the average user doesn't give a
dime for the scientific point of view and stands on practical reasoning.

> 5. Consequently, one could conclude that "real viruses" are not computer
> viruses. What they are?

I lost you here. How exactly did you conclude the above from the
premises listed? The most one can conclude is that the "real viruses"
are not the benevolent viruses Dr. Cohen is talking about - which is
exactly what I am trying to point out.

> VB>Show me at least one person who wants to run a *real* virus on their
> VB>machine. Then I'll show you at least 100 others who wouldn't. From
> VB>your logic it follows that at least 99% of the people are bigots.

> I have run several DOS viruses on different PC configurations performing
> experiments.

Performing experiments is a completely different thing. I also have
about 4,300 viruses on my machine, but wouldn't like to run even a
single one while I am using the machine for normal work. So, let me ask
again - would you want a virus running on the computer you are using
every day for work unrelated to virus experiments?

> Oh, I got it. The "real virus" is nasty, little program, trying to sneak into
> somebody's computer against his/her will with possibility to destroy data.

Yep.

> Very interesting definition of a computer virus.

Of a *real* computer virus, not of computer virus in general. It is
only a small subset of the term "computer virus" that Dr. Cohen is
talking about.

> I agree that it has nothing
> to do with Dr Fred Cohen's definition of computer virus.

His definition encompasses this kind of programs too, but is broader.

> I guess the term "real virus" applies mostly to the population of PC/DOS
> viruses which appeared about three years after Fred Cohen performed his
> experiments and gave his definition of computer virus.

Not only PC-DOS. There are "real viruses" for other platforms as well -
Macintosh, Amiga, Atari ST, Acorn Archimedes, Unix, Commodore 64...

> I am surprised that
> after so long time there are still people who are not familiar with his work
> in this field.

Well, I am not. His works are published in specialized technical
journals and use a language often not easily understandable by the
general public.

> So, briefly:

[Long list of Dr. Cohen's achievements in this field deleted.]

First, I know all this. Second, you know that I know it. Third, it is
completely irrelevant to our discussion. We are discussing "real
viruses" and whether beneficial viruses are possible; not Dr. Cohen's
achievements (which, I admit, are impressive).

> It would be fair that the term "computer virus" is used with the meaning
> which Fred Cohen gave to it in his definition. It would be a sign of respect
> to his impressive scientific work in this field.

It would be. It would be also fair, nice, etc. to use the term "hacker"
for what it was intended to mean - a person who knows the system
perfectly and is able to hack his/her way through any challenge.
However, life is not fair :-) and almost everybody uses this word
nowadays to mean those lifeless twits that enjoy cracking into other
people's computers.

> The other "beasts" could be
> called "real viruses", "malicious software" or something else, why not?

That's why I (Dr. Solomon, actually) proposed this term.

> To quote Fred Cohen: "It takes one to know one." I can admit that is not so
> easy to obtain Dr Cohen's published articles and books (especially not in my
> part of the world), but it is not impossible either.

The general public will prefer the easily obtainable source of
information, instead of the "difficult but not impossible to obtain"
one. That's why most people learn about computer viruses from the
media, instead of from Dr. Cohen's articles and books.

> The understanding
> requires sometimes particular knowledge of mathematics.

The general public doesn't have one, which is why they don't understand
him.

> From my experience,
> I can say that Dr Cohen never refused to give an appropriate explanation when
> it was necessary.

His main fault is failing to state it in a way that is simple enough
and does not require additional explanations.

> VB>The real problems arise when some people (a) cannot see the difference
> VB>between mathematics and real life and (b) don't see the need for
> VB>morality and ethics.

> This sounds to me like a call: "Burn the mathematicians! The people using and
> understanding math are immoral and unethical. They should be exterminated,
> because nothing good can be expected from them!...etc..."

Ugh, maybe I need new glasses, but hard as I try, I can't see such a
call in the paragraph that I wrote and you quoted.

> The general problem might be problem of "closed minds". It happened many
> times in history that original ideas were distorted and oversimplified to fit
> the whims of mass.

There are just as many examples of great ideas being misunderstood
because their author has not bothered, or has been unable, to explain
them in a way understandable by the general public.

> Brainwashing if applied often enough is a very effective
> mean for manipulation of crowd by some individuals who got sufficient power.
> Every new idea, coming in such an environment tends to be rejected and
> condemned. The progressive scientists were often "endangered species" in any
> field and time. They prosecuted and burnt people claiming that Earth is
> turning around Sun, in the past, didn't they?

I am tempted to quote the FAQ of a sceptics' newsgroup: Yes, they
laughed at Galileo, and they laughed at Einstein - but they also
laughed at Coco the clown.

> Anyway, I declare publicly that am proud to belong to the group of open
> minded people (even if it will take me to burn at the stake) who think that
> computer viruses can be beneficial and that using mathematics or connecting
> Computer Science with other fields of science (biology, psychology, etc.)
> could bring only progress.

Well, everybody responds for themselves.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Fri, 20 May 94 17:54:38 -0400
From:    vfr@netcom.com (vfr)
Subject: Re: GOOD vs. BAD HUH?

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>thought is pretty trivial - all advances in science are
>ethically-neutral; it is their usage that isn't. Many people feel that
>use this reasoning to cover their illicit and unethical acts.
i think that maybe we should first agree on a definition of 'ethical'.
i do not know if i do or not agree that all advances of sciences
(including computing technology) are 'ethically neutral'. i have seen
arguments that support the opposing view, dependent on the definition
of 'ethical'. i would be very interested to hear your arguments for why
advances are ethically neutral.

>Nope, all this can be done by a non-viral program. In order to make a
>"good" virus economically effective, it must do something that is done
>*better* by a replicating program than by a non-replicating one.

the why? i may tend to agree, in my personal opinion, such things are
more efficiently, in some cases, done by non replicating programs. but
then, there is the definition of 'efficiently' :) why do you think it
*must* be done better (define better please) by a replicating program
in order to be "good" virus; and, why must this be the case to make it
economically effective?

>replicate. Some "viruses" of that type *can* be useful. The real
>problem is one of misunderstanding - what almost everybody calls a
>computer virus conforms to your "definition", not to Dr. Cohen's, and
>many programs that conform to Dr. Cohen's definition are not
>understood as viruses by most other people.

it seems to me that recently there is a lot of interest in the concept
of "good viruses". i have read dr. cohen's posts and think again, it's a
problem of definition. we hear the word 'virus' and then get frantic.
'not another of those viruses!'. what i see you saying above, and
correct me please if i am wrong, is that you agree there can be good
viruses, depending on the definition of virus. if the definition is
solely that it must be capable of replicating, then are you saying such
a virus is possible?

>It all depends on the definition of the term "computer virus".

yep, that's what i thought. so, given the definition, can you please
answer the questions i asked earlier in this message?

thanks!

- --
/* gather in close now, sing to each other
   sing to the night, you don't sing alone
   pray for peace, ache for peace
   here's to the day.....remember */

------------------------------

Date:    Fri, 20 May 94 08:20:43 -0400
From:    jan@myhost.subdomain.domain (Jan H. Bergesen)
Subject: Parity Boot B on OS/2 bootdrive (OS/2)

I've somehow managed to get the virus Parity Boot B on my OS/2 boot
partition; this is drive d:, formatted with HPFS. I know one can use
fdisk/m under DOS, but what do I do under OS/2???

If anybody knows, PLIIZE let me know

Jan - Helge Bergesen.

------------------------------

Date:    Thu, 19 May 94 03:26:36 -0400
From:    sikkid@bga.com (Banther)
Subject: Re: tbav620.zip - Thunderbyte anti-virus pgm (complete) v6.20 (PC)

Piet de Bondt (bondt@dutiws.TWI.TUDelft.NL) wrote:

: a signature, heuristic and CRC scanner. It detects known, unknown and
: future viruses. TbScanX is the resident version of TbScan. TbClean is
  ^^^^^^^^^^^^^^

What's a future virus? :)

Regards,
sikkid

------------------------------

Date:    Thu, 19 May 94 05:34:16 -0400
From:    chl@dmu.ac.uk (Conrad Longmore)
Subject: Gateway 2000 Europe preloaded virus report (PC)

PC Week has reported that Gateway 2000 has accidentally shipped some
machines with the Smeg polymorphic virus. According to the report,
Gateway have recalled some of the machines that were shipped.

Smeg is reported to be a polymorphic virus written in the UK by the
virus writer called the Black Baron. The report indicates that the
virus can be picked up by the June update of Sophos Sweep.

I followed this up with Gateway 2000 who denied the reports that the
machines had been recalled, and said that any customers who are
affected will be informed by the company.

- --
// Conrad Longmore   / Email: chl@dmu.ac.uk          / Polhill Avenue     //
// Bedford College   / Phone: +44 (0)234 347309      / Bedford MK41 9EA   //
//------------------ / Or try: +44 (0)234 349889     /------------------- //
// c/o De Montfort   / Mobile: +44 (0)374 747631     / Use finger for     //

------------------------------

Date:    Thu, 19 May 94 07:05:55 -0400
From:    we34329@vub.ac.be (DE KERPEL SVEN)
Subject: What about long partitions (PC)

A virus (flip) messed with my HD. Now it claims that my long partition
(116MB) is reduced to 33MB (the max for normal partitions).
FDISK reports 116MB; Norton Disk Doctor and DOS say 33MB.

Need help. Where does DOS start knowing of, and store info about, the
long partitions?

Thanx,
Sven De Kerpel
we34329@is1.vub.ac.be

------------------------------

Date:    Thu, 19 May 94 11:24:27 -0400
From:    thinker@helios.acm.rpi.edu (wintermute)
Subject: VIRUS: READIOSYS (PC)

I was just informed of the existence of a new virus(?) called
READIOSYS.. anyone have any information on it? I am also told that
Trend/Intel have a tool called PCcilin(sp?) that can
locate/identify/remove this virus..again, any info on the subject would
be appreciated..I would prefer email responses, but will continue to
read this group as well..I can summarize my findings if there is
interest

thnx,
vishal.

- --
Vishal Apte          | aptev@rpi.edu               | If you dont know
HyperDesk Corp.      | thinker@helios.acm.rpi.edu  | where you are, a
Westboro, MA 01581   | vishal_apte@hyperdesk.com   | map won't help..

------------------------------

Date:    Thu, 19 May 94 12:17:11 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help! Need advice on Michael Angello virus. (PC)

Robert Feehan (rfeehan@bud.peinet.pe.ca) writes:

> I need information on the Micheal Angello virus. Last week when my PC was

This virus is better known as "Michelangelo" and its standard CARO
virus name is Stoned.Michelangelo.A. Read the FAQ for information about
how to ask such questions.
The FAQ lists several sources for information about viruses. In
particular, this virus is described in our Computer Virus Catalog. The
FAQ tells you where to get it from. The FAQ also contains other useful
information. Are you getting the hint already? :-)

> My problem is this:
> 1. Is the machine ok now that they removed it or should the hard disk be
> reformatted?

If they have removed the virus correctly - then the machine should be
OK and you don't have to reformat the disk.

> 2. I have a bunch of infected floppies that I need the data off. A) can
> they be safely cleaned or should they be destroyed?

Yes, they can be disinfected, without destroying the data. Several of
the available scanners will be able to do so. I would suggest F-Prot,
but there are many others which will do the job. In the worst case, you
can copy the *files* (use COPY or XCOPY, *not* DISKCOPY) to clean
diskettes and format the infected ones. The virus is in the boot
sector - not in the files.

> B) I tried the latest
> Mcaffee (2.0) but it would not remove the virus, can other programs remove
> it from the floppies?

Now, that's curious! Is the new version of SCAN *so* bad? I haven't had
the time to test it yet... At least CLEAN 114 should be able to do the
job - if it is indeed the Michelangelo virus that you have and not some
other variant.

> 3. How does this virus spread?

When you attempt to boot from an infected floppy (the boot doesn't have
to be successful, i.e. a blank or a data-only floppy is also infectable
and infective), the virus infects the hard disk. If you boot from an
infected hard disk, it will install itself in memory and will infect
any 5.25" diskette accessed in drive A:. 1.44 Mb 3.5" floppies are also
infectable, but they will become unreadable (by DOS) after infection.
They will be infective, however.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 19 May 94 12:33:18 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: antivirus products (PC)

Christopher W Outtrim (cs90cwo@brunel.ac.uk) writes:

> Does anybody know the status of the following antivirus products. I am

[snip]

> project6                       SAFE                  Thunderbyte Antivirus
> Untouchable                    Virusbuster           Vaccine
> Virex                          VirucidePlus          Bootx
> Antivirus(fink enterprises)    PC-cillin
> Chasseur II                    Control Room          Central Point Antivirus
> Fcheck                         Fprot                 Hyper access/5
> AntivirusPlus(Techmar)         Immunizer
> Viruscan suite of programs     VET antiviral
> Virusafe                       Vkiller               Watchdog7

Thunderbyte Antivirus - shareware, actively supported, latest version
6.20.

Untouchable - commercial, latest version I have seen was 30.01, the
company that used to sell it was acquired by Symantec. Status - unknown.

VirusBuster - commercial, sold by Leprechaun Software.

Virex - shareware, latest version 2.93, distributed by Datawatch,
actively supported.

PC-Cillin - commercial, sold by Trend Microdevices.

Central Point Antivirus - commercial, sold by Central Point Software,
which was acquired by Symantec. Status - unknown.

F-Check - a program from an obsolete version of the package F-Prot.

F-Prot - shareware, actively supported, latest version 2.12.

Viruscan suite of programs - shareware, actively supported, distributed
by McAfee, latest version 114 and 2.00.

VET - commercial, sold by Cybec Pty Ltd, latest version I have seen was
7.632.

Virusafe - commercial, I *think* it was the product sold by EliaShim,
the current status is unknown to me.

I do not know about the other products.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 19 May 94 12:38:48 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: ANSI bomb (PC)

Richard M Dasheiff M.d. (dasheiff+@pitt.edu) writes:

> I just read an article by Brett Glass in the May 2, 1994 INFOWORLD about
> ANSI bombs. It's a sequence of characters imbedded in a text file which can
> be interpreted by ansi.sys to do something unexpected, like redefining
> the keyboard to replace the enter key with deltree c:\*.* /y

True.

> Does this qualify as a virus?

No. A virus must be able to replicate. An ANSI bomb isn't.

> Has anyone seen one?

Yes.

> Are they, or will they be common?

No and no. They do not spread and are trivial to protect against, so
they are not a serious threat.

> He spoke of a defense against it with a program by PKware called PKSFANSI
> Is that s/w, and if so, what ftp site?

It is shareware and used to be included with the PKZIP distribution.
However, with the new version of PKZIP (2.04), you get it only when you
register your copy of the program.

There are several other ways to prevent ANSI bombs:

1) Do not run an ANSI driver.

2) Run an ANSI driver that does not allow, or can be configured not to
allow, keyboard reprogramming. NNANSI and ZANSI are two examples of
such.

3) Modify your ANSI driver and change the sequence that reprograms the
keyboard to something else.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 19 May 94 12:42:34 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: help identifying a virus... (PC)

Randy Clarke (rcc@lgc.com) writes:

> table virus. McAfee's scan v113 reported that it was called 'Nyr [Genp]'...
> A perusal of the virus list didn't show a listing for 'Nyr' and I was

There is no virus in our virus collection that SCAN 113 reports like
that. However, there is one, which is reported as NYB. You used the
name 'Nyr' twice in your message, so it is unlikely to be a mistake,
but please check again - could it be 'NYB' instead?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 19 May 94 12:45:13 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help with Form Virus (PC)

CMSHERGE@UGA.cc.uga.edu (CMSHERGE@UGA.cc.uga.edu) writes:

> I have some problems caused by the Form virus on some of my disks (DOS).
> An anti-virus program detected the Form virus and cleaned the disk from it.
> I tried to read the disk and everything seemed to be ok. Now, a few days
> later I tried to read the disk again and the computer can't see the disk
> at all.
> Any ideas what could have happened?

Two possibilities. Either your floppy has become corrupted by something
completely unrelated to Form (or to any other virus, for that matter),
or it has been infected by a different virus. The latter is more
probable if it is a 3.5" 1.44 Mb floppy.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 19 May 94 12:51:02 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help:filler Virus (PC)

TONGA M SILIVA (STUPIDLY WISE) (SILIVA_T@usp.ac.fj) writes:

> Virus: Filler [Filler]

> Has anyone come across with the above virus. If you have you may be
> able to help me out.

It is an obscure boot sector virus of Hungarian origin, that is not
widespread at all. However, in your case you are not infected by it; do
not worry.

> I have this virus detected on my PC for about a month now. I'm using
> MSDOS6.0 and used a McAfee Scan virus prg to scan my disks. The funny

I almost stopped reading your message after this line. The problem is
so common, that I have to answer questions about it several times each
week. In short, it is not a virus. It is a false positive (read the FAQ
if you don't know what this term means). SCAN detects in memory the
scan string that the memory-resident component of MSAV uses to detect
the Filler virus.

Fastest solution: remove the line from your AUTOEXEC.BAT file that
starts the program VSAFE. It's a rather useless program anyway.

Long term solution: get rid of MSAV. Or of SCAN. Or both, and get
something better.

> thing is the scan program only detects this virus from the scan.exe
> command from my autoexec.bat file. If I scan my hard disk from a write
> protected diskette and from a write protected scan diskette it cannot
> detect this virus. Even if the scan c: d: /chkhi command from my
> autoexec.bat file displays message virus found - Filler [filler].... ,
> then I used my diskettes to clean out the virus it displays message
> that there is no virus found.

In short, SCAN finds the virus only in *memory* but not on the disk(s).

> I find this very frustrating, and I

It is frustrating, indeed. Blame Central Point Software (the producers
of MSAV) for keeping their scan strings unencrypted in memory. Blame
Microsoft for packaging such an inferior anti-virus product with their
operating system. Blame McAfee for looking for the Filler virus at
places where this virus cannot be.

> So far it has not
> done any damage, yet.

The problem has wasted your time - isn't that damaging enough?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 19 May 94 12:58:55 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: B1 (or NYB) Virus (PC)

Mike Albrecht (ALBRECHT@WSUVM1.CSC.WSU.EDU) writes:

> F-Prot discovered what it identified as the B1 virus on a machine. It
> was unable to disinfect and I could find no documentation on this
> virus. I downloaded a copy of McAfee Scan and Clean V114. Scan
> identified the virus as NYB [Genp] and was able to clean. I also

Yes, this is one and the same virus. F-Prot uses the standard CARO name
for it.

> noticed that just scanning an infected diskette either with F-Prot
> or Scan, caused the virus to appear in memory though it wasn't active.

The reason is that after each scanner accesses an infected floppy, a
copy of the infected boot sector is left in the DOS buffers. It is not
active, and there is no way for this virus to be active there, so both
scanners are wrong by reporting it in memory.

> I've cleaned the hard drive(s) involved but was unable
> to clean the diskettes -- just copied off the files and reformatted
> the diskettes.

Yes, this is a valid approach.

BTW, wasn't "clean a: [genb]" able to clean the diskettes? Another
approach is to use SYS A:.

> Is this a fairly new virus?

Yes, it is relatively new.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     22527 Hamburg, Germany

------------------------------

Date:    Thu, 19 May 94 13:04:27 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus: Squisher Dropper (PC)

Per Nestande (s316@ii.uib.no) writes:

> I found a virus called Squisher Dropper in two files on my hard disc.
> Except from infecting EXE files, does anybody know what it does?

Please read the FAQ for information about how to ask such questions. In
particular, which program reported those files as infected by this
virus? What version?

> (I have checked in VSUM (updated 31. Jan. 94) and found one called Squisher
> and one called Dropper, but none called Squisher Dropper.)

There is no virus called Dropper, regardless of what VSUM might say.
Usually SCAN calls "Dropper" a program (a COM file usually) which
installs a boot sector virus on drive A:. In your particular case, the
scanner (particularly if it was F-Prot) meant that this is a dropper
for the Squisher virus. A dropper is a program that releases a virus,
but which is not naturally infected by this virus. In a sense, it is a
kind of Trojan Horse, the payload of which is to release a particular
virus - Squisher in this case.

However, having in mind that Squisher is not widespread, and has some
features that make it hard to detect, I would suspect that in your case
you have a false positive. Not completely certain, though.
Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 19 May 94 13:10:00 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Stone virus - stone.stonheng (PC) news spool owner (news@undergrad.math.uwaterloo.ca) writes: > McAfee's v2 reports that I have the stone virus (stone.stonheng) > How do I kill it? Is there a vacine? Assuming that SCAN 2.00 is right (haven't tested it, so I'm not completely sure), you can remove this virus by booting from a write protected system diskette containing DOS version 5.0 or higher, making sure that you still can access the hard disk (DIR C:), and executing the command FDISK/MBR. This will remove the virus from the first hard disk. You can disinfect the infected floppies by copying the files elsewhere, formatting the floppies, and copying the files back. > When I use the /clean option it is reported that there is no > remover for the virus. I steadily get the impression that McAfee's release of SCAN 2.00 has been a bit preliminary. Too many things seem to be missing from the product. > Does this mean a hard drive format is > in order? This is never necessary. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Thu, 19 May 94 19:07:28 -0400 From: riordan@tmxmelb.mhs.oz.au (Jakub) Subject: Monkey (PC) Jeff K Landauer writes: > Well, Scan shows that I have this, but I can't get rid of it. 
> It reports that I need to boot from a floppy in order to clean the system,
> but when I do that, I can't access my hard drive. I don't know what to
> do. I downloaded just about all the virus software I could find to try
> to fix this thing, but nothing looks like it will help. Am I screwed?
> I look back on old posts, and the situation looks pretty bad. Thanks
> for any help,
>
> - Jeff

The Monkey virus (both variants: 1 and 2) is a boot sector virus that
doesn't save the partition information inside the infected Master Boot
Record. The original MBR is encrypted and hidden in: cylinder 0, head 0,
sector 3. If you boot from the infected disk the virus knows how to find
the proper Partition Table and therefore can access the hard disk. When
you boot from a clean floppy the system cannot find the valid partition
information and cannot access the disk.

In the case of any memory resident viruses (Monkey is one of them) every
good anti-viral program will advise you to boot from a system floppy and
then try to clean the system. Every good a-v program should be able to
run from a diskette, detect the virus and clean it too. VET 7.62 (and
later) can access the hard disk and clean Monkey after booting from a
clean system floppy without any problems.

Even so, one of our customers complained yesterday that he had expected
not to be asked to reboot from a floppy and to get rid of Monkey anyway.
Impossible?..NO!!! The current version of VET can find Monkey (1 & 2) in
memory and then can disable it in memory in order to clean the infected
hard disk. It means that now you can run VET even on the infected system
to detect and clean Monkey without rebooting from the clean floppy
(although it should happen only if you don't have any system diskette
around ;-]).

Jeff, if you still have problems with Monkey, don't format your hard disk
(FORMAT won't help anyway ;-)) send us a message and try VET.
If you like playing with your PC and know something more about BIOS/DOS
systems there is another way of cleaning Monkey. You need to start from
the infected disk, read the Master Boot Record (if the virus is active in
memory it will give you the original one), restart from a clean diskette
and put back the clean MBR. It requires a few tools and some knowledge + a
little bit of good luck;-)

Regards,
Jakub Kaminski

riordan.cybec@tmxmelb.mhs.oz.au (Jakub)
CYBEC Pty Ltd.                             Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA     Fax: +613 521 0727

------------------------------

Date: Thu, 19 May 94 23:40:05 -0400
From: "TONGA M SILIVA (STUPIDLY WISE)"
Subject: ####-- THANKS --#### re Filler (PC)

I would like to thank the following people for helping me out with the
FILLER VIRUS:

(1) Lucas : kelloogg@netcom.COM
    Although I cannot send a message to him (message kept bouncing back!!!)
(2) Perry Rovers : Perry.Rovers@garfield.hacktic.NC
(3) Federico Torregiani : MC4553@mclink.IT
(4) Gert.Steenssens : gsteens@wins.uia.ac.BE

Thanks Mates

Tonga M Siliva
e-mail : siliva_t@kula.usp.ac.fj
Post   : The University of the South Pacific
         P.O. Box 1168, Suva, Fiji.

------------------------------

Date: Fri, 20 May 94 08:41:37 -0400
From: jmurphy@pts.mot.com (Jeff Murphy X8627 P7769)
Subject: Re: Help:filler Virus (PC)

"TONGA M SILIVA (STUPIDLY WISE)" writes:

> Virus: Filler [Filler]
> ======================
>
> Has anyone come across the above virus? If you have you may be
> able to help me out.
>
> I have this virus detected on my PC for about a month now. I'm using
> MSDOS6.0 and used a McAfee Scan virus prg to scan my disks. The funny
> thing is the scan program only detects this virus from the scan.exe
> command from my autoexec.bat file. If I scan my hard disk from a write
> protected diskette and from a write protected scan diskette it cannot
> detect this virus.
> Even if the scan c: d: /chkhi command from my
> autoexec.bat file displays the message virus found - Filler [filler].... ,
> then I used my diskettes to clean out the virus it displays the message
> that there is no virus found. I find this very frustrating, and I
> keep redoing other methods and I'm about to give up. So far it has not
> done any damage, yet.
>
> I even used the MSAV (virus prg) from the MSDOS6.0, it cannot detect
> this.
>
> The command I used in my autoexec.bat file for scanning is:
>
> scan c: d: d: /chkhi /bell
>
> and the clean command I've used is :
>
> clean c: [Filler]
>
> and the McAfee virus version I am using is:
>
> version 112.
>
> Please could anyone out there help me.
>
> T. Siliva
> siliva_t@usp.ac.fj
> University of the South Pacific
> Fiji Islands.
>

I am having similar problems with my home computer. I am using McAfee's
scanner version 113, but I have only been able to detect the [Filler]
virus one time. I have experienced about six EXE file corruptions that
cause the computer to lock up whenever I run the corrupted programs. I
have used VSAFE.EXE in DOS 6.2, and this at least tells me when files are
being modified, and they appear to be modified frequently, although they
still appear to work. Does anyone have any idea of how I can clean this
virus if I cannot detect it a second time?

===========================================================================
Jeff Murphy                  Georgia           "Put your nose to the
Boynton Beach, FL            Institute of       grindstone... It will
gt7848b@prism.gatech.edu     Technology         sharpen your buggers"
===========================================================================

------------------------------

Date: Fri, 20 May 94 09:04:07 -0400
From: sweeneyp@pspdpc89.wal.ab.com
Subject: FYI: New PC Virus alert (PC)

The following is an alert I received today. Please distribute as widely
as possible.
----------------------------------------------------------------------
from Compuserve 4/28/94 :

FIRM WARNS OF INTERNET VIRUS

CD-ROM manufacturer Chinon America, Inc. says computer vandals have
illegally put its name on a virus-ridden file and released it on the
Internet. Chinon warns NOT to download the file called CD-IT.ZIP, saying
it will corrupt the hard disk.

In a statement from Torrance, CA., Chinon says "The program, allegedly a
shareware PC utility that will convert an ordinary CD-ROM drive into a
CD-Recordable (CD-R) device, which is technically impossible, instead
destroys the files on the PC hard drive. The program also immediately
crashes the CPU, forces the user to reboot and stays in memory. The virus
has proven thus far to be undetectable by traditional virus checkers."

Chinon says that the CD-IT.ZIP file 'promises to enable read/write to
your CD-ROM drive' and lists the program as being authored by Joseph S.
Shriner, couriered by HDA, and copyrighted by Chinon Products. Saying that
it has no division by that name, Chinon management speculates that the
vandals picked its company name 'to make it seem that the software was
being endorsed by a well known and reputable CD-ROM manufacturer.'

Chinon is urging people with information that could lead to the arrest
and prosecution of those associated with the CD-IT program to call the
company at 310-533-0274.

------------------------------

Date: Fri, 20 May 94 11:21:19 -0400
From: litta@esl2.NoSubdomain.NoDomain (Littlewood A)
Subject: Aragon Virus (PC)

After downloading McAfee's latest version of scan113 and running it on my
system (486DX 33 4M ram 170 HD), there was the "no virus found" etc. msg.
Next I tested high memory with the flag /chkhi, after which scan returned
that it had in fact found the "Aragon" virus and informed me to reboot
from a clean disk and rerun scan (also from a new clean disk). Following
these instructions and rerunning scan to check high memory still returned
the same msg.
As I was running dblspace at the time and had heard that this could
sometimes be mistaken for a virus, I decided to remove it. Again no
change in the error msg. Next I disabled the HD in the CMOS setting and
tried again. Still no luck. Finally I created a new boot block from disk
which checks integrity; yet again no change.

If anyone can offer some help it would be most appreciated.

The "Aragon" virus copies the boot block before writing itself onto it.
Thus any checking made to it will be routed to the copy of the original
boot block. Could it be possible that some hardware could look like the
virus ?

- --
_____ Aidan Littlewood
Replies to :- litta@essex.ac.uk

------------------------------

Date: Fri, 20 May 94 11:46:34 -0400
From: Grant Getz
Subject: VIRSTOP 2.12 Freezes PC (PC)

On Fri, 20 May 1994 08:24:18 -0700 Grant Getz wrote:

> From: Grant Getz
> Date: Fri, 20 May 1994 08:24:18 -0700
> Subject:
> To: Grant Getz
>
> ----------------------------
>
> Date: Tue, 10 May 94 10:24:37 -0400
> From: ralf@meaddata.com (Ralf Grisard)
> Subject: VIRSTOP 2.12 Freezes PC (PC)
>
> I just downloaded F-Prot 2.12. When I run VIRSTOP from the MS-DOS prompt,
> it seems to load OK, giving me a message that it has been installed. But
> then regardless of what it is, the next command I enter freezes the PC,
> and I have to reboot to unfreeze it.
>
> I'm running MS-DOS6.2 with 386Max on a Dell 486/50 with 8 megs of RAM.
> Among other things, I'm connected to a Banyan network, but I'm running
> VIRSTOP after connecting to the network, as per the VIRSTOP doc. F-Prot
> itself runs fine -- it's only VIRSTOP that I'm having a problem with.
> Any ideas? (Helpful ones only, please :-)
>
>

I have nearly the same setup as you (i.e. MS-DOS6.2 with EMM386 on a
Gateway 2000 486/50 with 16 megs of RAM, running VINES 5.52(5)) and have
no problem with VIRSTOP 2.12. Make sure that you're loading VIRSTOP even
after POSTLOGIN.
I assume you're telling 386MAX to exclude your communication card address
range from use. If you're already doing these then I'd suspect 386MAX.
Hope this helps.

>
> - --
> Ralf Grisard ralf@meaddata.com !uunet!meaddata!ralf
> Mead Data Central, Technical Communications, P.O. Box 933, Dayton, OH 45401
> (513)865-7314
> "Due to budget cuts, the light at the end of the tunnel has been turned
> off."
>

- -
R. Grant Getz                      INTERNET - Grant.Getz @ ASU.EDU
Support Systems Analyst            BITNET   - Grant.Getz @ ASU
Information Technology
Arizona State University
BOX 870101                         PHONE - (602) 965-5663
Tempe, AZ 85287-0101               FAX   - (602) 965-8698

------------------------------

Date: Fri, 20 May 94 11:52:36 -0400
From: csvcjld@nomvst.lsumc.edu
Subject: SCAN V115 gives false Budo (B2) alarm with IBM PC DOS 3.3 (PC)

McAfee's beta test scanv115.zip from /pub/msdos/virus on oak.oakland.edu
indicates that my machine running IBM PC DOS 3.3 has the Budo (B2) virus
in COMMAND.COM. However, it reports the same thing about COMMAND.COM on
the permanently write protected installation diskette. I suspect this is
a false alarm.

------------------------------

Date: Fri, 20 May 94 12:53:11 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus: Squisher Dropper (PC)

s316@ii.uib.no (Per Nestande) writes:

>I found a virus called Squisher Dropper in two files on my hard disc.

what program identifies it as such ? Did you consider the possibility of
a false alarm ?

"Dropper" means a program that is not infected in a normal way, but when
run, it will release the virus. For example, if one compresses a Jerusalem-
infected file with PKlite, one gets (obviously) a "Jerusalem Dropper".

- -frisk

------------------------------

Date: Fri, 20 May 94 17:15:41 -0400
From: datadec@ucrengr.ucr.edu (Kevin Marcus)
Subject: Re: Virruses - Pathogen (PC)

In article <0007.9405201334.AA05756@bull-run.ims.disa.mil>,
BRAYMANR@DELPHI.COM wrote:

>Can anyone give me the specs on the Pathogen virus.
>I am studying it
>and collecting information eventually so that I might write a virus
>disinfectant.

Well, I have not personally gotten around to analyzing this virus, but
from what I have seen/heard: It uses a polymorphic engine called "SMEG",
and I believe there are currently two viruses out there using the engine.
It is supposed to be a lot more nasty than, for example, MtE, throwing in
bogus calls to dos, like "get version number" and similar "real program
like" code segments. Apparently, it was generated with the purpose of
causing false positives.

The best information you would be able to collect would be from a
complete disassembly of the virus such that you could first identify the
virus (without false id's, of course), and then figure out a way to
decrypt the virus, as it encrypts the original bytes of the file which
were infected. Both of those are probably not the most simple thing to do.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Fri, 20 May 94 17:19:46 -0400
From: datadec@ucrengr.ucr.edu (Kevin Marcus)
Subject: Re: Help re Genb (PC)

In article <0010.9405201334.AA05756@bull-run.ims.disa.mil>,
C.A.W. Coopmans <142893@pc-lab.fbk.eur.nl> wrote:

> Can anyone out there help me with a virus with the scan code:
>
> [Genb]
>
> It's a boot-virus and my scanner (scanv.112) just detects it but
> can't fix it (damn..). Maybe an update of the scanner would help ?

This is SCAN's generic boot infector id. Basically SCAN is telling you
that it thinks you have got a virus, but it doesn't know which one it is.
This represents a somewhat serious problem; if you don't know what virus
you have, you probably can't get rid of it. While CLEAN usually does a
bit more checking before trying to disinfect, most likely, it is
something clean can't handle.
You should try another software package, or one that performs more exact
identification, such as NAV 3.0 or F-Prot.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Fri, 20 May 94 17:38:08 -0400
From: datadec@ucrengr.ucr.edu (Kevin Marcus)
Subject: Re: good virus protection (PC)

In article <0022.9405201334.AA05756@bull-run.ims.disa.mil>,
Vesselin Bontchev wrote:
>
>> little, right now I use norton and/or MS DOS antivirus (basically
>> norton right?)
>
>No. Microsoft Anti-Virus (MSAV) is basically Central Point Anti-Virus
>(stripped down severely), not Norton Anti-Virus. I hate to disappoint
>you, but you are currently using two of the worst (from the anti-virus
>point of view) anti-virus packages on the market.

Just curious on your idea: Let's say that virus scanner A detects 1000
viruses. However, of these 1000 viruses, they are all mostly available
from virus BBS's, and not a single one has been found in the wild, ever.
It is capable of removing each one perfectly.

Now, comes along scanner B. Scanner B only detects 50 viruses. However,
these viruses have all been found in the wild, there are no others that
have ever been found in the wild which it doesn't detect [to date], and
it is capable of removing each one perfectly.

To your end consumer, which one is best?

The point: If someone claims a product has poor identification and poor
disinfection, does that necessarily mean that their product is no good?
Absolutely not! The types and kinds of viruses detected are what matters.
Additionally, scanner B will benefit from having faster scan speeds, and
less false positives (most likely). In the event there should be a new
virus created that is thrown into the wild, neither scanner will be
helpful.
The only time when Scanner A is more valuable is when a currently
existing virus is thrown into the wild.

So, the question: Who has some statistics on how many viruses have gone
from "just another virus" to an "in the wild virus?"

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Fri, 20 May 94 22:25:33 -0400
From: gg@superdec.uni.uiuc.edu (gg)
Subject: Re: ANSI bomb (PC)

dasheiff+@pitt.edu (Richard M Dasheiff M.d.) writes:

>I just read an article by Brett Glass in the May 2, 1994 INFOWORLD about
>ANSI bombs. It's a sequence of characters embedded in a text file which can
>be interpreted by ansi.sys to do something unexpected, like redefining
>the keyboard to replace the enter key with deltree c:\*.* /y
>Does this qualify as a virus?

Nope. There have been no replicating ANSI file virii as of yet.

>Has anyone seen one? Are they, or will they be common?

No. They'll be easy to spot as a volcano on an island if and when they
actually exist (I'm sure somebody will make one sometime or other, it'll
probably go extinct almost immediately...)

>He spoke of a defense against it with a program by PKware called PKSFANSI
>Is that s/w, and if so, what ftp site?

Yes. It's S/W, and it should probably be in the SimTel collection.

- --
/~~~\  gg@superdec.uni.uiuc.edu         /~~~\
( gg ) cross your eyes and align the   ( gg )
\___/  the two symbols.                 \___/

------------------------------

Date: 19 May 94 09:42:23 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: May 1994 VB abstract

FYI...

VB ABSTRACT - MAY 1994

1. EDITORIAL: Do Not Trust the Horse, Trojans...
   A Melbourne (Aus) company, Ipex, recently shipped software loaded with
   a trojan. How can one ensure that software is free of such malicious
   code?

2. VIRUS PREVALENCE TABLE

NEWS:
   a) Symantec Acquires Central Point.
      A report on the takeover in April 1994.
   b) The HDZap Trojan. Further reporting on the trojanised software
      shipped by Ipex.
   c) Nordic Naughtiness. Data Fellows and Safeco OY (both in Finland) are
      currently involved in legal skirmishes over alleged hacking of a
      Safeco BBS by a former Data Fellows employee.
   d) Virus Exchange - No Thank You. An apology to the Milan-based BBS
      Euphoria for implying links between them and the computer
      underground.

3. IBM PC VIRUSES (UPDATE): A list of new viruses reported to VB.

4. INSIGHT: Tipping the Scales. Dr Peter Tippett's views on viruses and
   the world of anti-virus research.

5. VIRUS ANALYSES:
   1. Pathogenic Killer. Disassembly of the Pathogen virus.
   2. AMSE - A Rite of Passage? AMSE virus disassembly.
   3. The Pink Panther. Kaspersky's view of Pink Panther (aka MTZ)

6. FEATURE: The Thin Blue Line. New Scotland Yard's computer crime
   investigation course at Bramshill is proving a success on all fronts.
   This article outlines the procedures.

7. PRODUCT REVIEWS:
   1. Norman Virus Control. From Norman Data Defense.
   2. AVTK for NetWare. From S&S International.

8. CONFERENCE REPORT: IVPS '94 - Alive and Well in the USA. A report on
   the annual conference of the NCSA.

9. END NOTES AND NEWS: The monthly roundup of news 'tidbits'.

Regards,

Dicky Ford                  ! Tel. +44 (0)235 555139
Editor, Virus Bulletin      ! Fax  +44 (0)235 559935

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 38]
*****************************************
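Added example, not part of any message in this digest and not CYBEC's VET code: a Python model of the Monkey situation Jakub Kaminski describes in his "Monkey (PC)" message above, an infected sector 0 that still carries a boot signature but no partition table, with the original MBR stashed at cylinder 0, head 0, sector 3. It checks whether a sector has a usable partition table (what a clean-floppy boot needs to reach C:) and writes a known-good MBR back, refusing one without a valid table. The disk image, the partition layout and the unencrypted stashed copy are constructed assumptions; the real virus encrypts the copy.

```python
import struct

SECTOR = 512
PT_OFFSET = 446           # the four 16-byte partition entries start here
SIG_OFFSET = 510          # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count


def chs_to_lba(cyl, head, sect, heads, spt):
    """CHS to LBA; CHS sector numbers are 1-based, so (0, 0, 3) is LBA 2."""
    return (cyl * heads + head) * spt + (sect - 1)


def parse_partition_table(sector):
    """Return the four partition entries of a 512-byte MBR as dicts."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({"bootable": boot == 0x80, "type": ptype,
                        "lba": lba, "sectors": count})
    return entries


def has_usable_partition_table(sector):
    """Boot signature present and at least one entry describes a partition."""
    if bytes(sector[SIG_OFFSET:SIG_OFFSET + 2]) != b"\x55\xAA":
        return False
    return any(e["type"] != 0 and e["sectors"] != 0
               for e in parse_partition_table(sector))


def build_mbr(code, entries):
    """Assemble an MBR from boot-code bytes and (bootable, type, lba, count) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16 * i,
                         0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0",
                         lba, count)
    mbr[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample: a clean MBR with one bootable FAT16 partition at LBA 63.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [(True, 0x06, 63, 20000)])
# Constructed stand-in for the infected sector 0: filler bytes (not virus code),
# valid signature, but an all-zero partition table, as the post describes.
INFECTED_MBR = build_mbr(b"\x90" * 8, [])
HIDDEN_COPY_LBA = chs_to_lba(0, 0, 3, heads=16, spt=63)   # cyl 0, head 0, sector 3


def make_infected_image(n_sectors=8):
    """Constructed disk image: infected MBR in sector 0, original stashed at C0/H0/S3.
    Assumption: the stash is stored in clear here; the real virus encrypts it."""
    image = bytearray(SECTOR * n_sectors)
    image[0:SECTOR] = INFECTED_MBR
    image[HIDDEN_COPY_LBA * SECTOR:(HIDDEN_COPY_LBA + 1) * SECTOR] = CLEAN_MBR
    return image


def restore_mbr(image, clean_mbr):
    """Write a known-good MBR (e.g. one read while the stealthed virus was active,
    then kept on a clean floppy, as the post suggests) back to sector 0."""
    if not has_usable_partition_table(clean_mbr):
        raise ValueError("refusing to write an MBR without a valid partition table")
    image[0:SECTOR] = clean_mbr
    return image
```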