VIRUS-L Digest   Thursday, 30 Jun 1994    Volume 7 : Issue 46

Today's Topics:

Re: Disabled viruses?
Re: Stop the Madness! :-)
Re: Disabled viruses?
Re: GOOD vs. BAD HUH?
Re: Stop the Madness! :-)
Re: The truth about good viruses
Re: virus terrorists (?)
books on virus' and their history?
Re: Yet *another* damn Bitnet worm.. (IBM VM/CMS)
antivirus programs for NT (WinNT)
Re: Help with boot virus.... (PC)
Re: Swiss Virus (PC)
Re: 170x Virus (PC)
Re: McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel (PC)
Re: DOS 6.X Anti-Virus (PC)
Re: Help with boot virus.... (PC)
Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC)
Re: VSUM??????? (PC)
Re: wow! i'm infected... (PC)
Re: Good anti-virus software recommendation needed (PC)
F-Prot 2.12 won't scan C: with Lantastic (PC)
Re: Good anti-virus software recommendation needed (PC)
Joshi (PC)
Best Anti-virus software (PC)
Killing the Monkey Virus (PC)
Netware & Virstop (PC)
Killing a Monkey virus attack (PC)
Killing the Monkey Virus (PC)
Symantec (PC)
Stealth.B Pain (PC)
U.B.S. _denies_ INFECTING DISKS WITH MICHANGELO. (PC)
New Super-virus "Junkie" (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 09 Jun 94 07:33:12 -0400
From:    buster@klaine.pp.fi (Kari Laine)
Subject: Re: Disabled viruses?

dasheiff+@pitt.edu (Richard M Dasheiff M.d.) writes:

>From: dasheiff+@pitt.edu (Richard M Dasheiff M.d.)
>Subject: Re: Disabled viruses?
>Date: Tue, 7 Jun 1994 14:36:53 EDT

>res@bfs.uwm.edu (Ralph Stockhausen) writes:
>>I would like to check out the functioning of my anti-virus setup. Are there
>>any "disabled" viruses available that my program could detect, but would be
>>safe have on a test floppy?

It is good to verify the setup. I have seen too many times situations where an organisation thinks they have virus protection or a backup system running, until . .

But NO anti-virus vendor should be able/willing to supply you with a set! Instead, when we get that kind of query, we ask the customer to visit our lab and bring the concept with him. Of course this is not the same as testing the concept at the customer site, but it anyhow helps to validate a good part of it.

Many scanners support a test sample idea. You have a special file or boot sector which makes the anti-virus product react as if it were a virus.

>>Thanks,
>>Ralph

>Doren Rosenthal has one, but I forgot her full email address
>drosen@ .calstate.edu
>her address is p.o. box 1650
>               San Luis Obispo CA 93406
>also check out the following ftp sites:
>oak.oakland.edu
>       pub/msdos/virus
>               vbait12.zip
>               virsimul.zip
>garbo.uwasa.fi
>       pc/virus
>               virsim2c.zip
>:-)rmd@med.pitt.edu

Right, the problem here is that none of the stuff mentioned above is REAL viruses. They are just files on which some of the anti-virus products (the dumbest of them) give a FALSE ALARM. So if I understood right, you want to test how effective your anti-virus protection scheme is, NOT that you wanted to test how prone your scheme is to CAUSE FALSE ALARMS. This is because those files listed are not viruses.
It is hard to verify an anti-virus installation. If you are not an expert yourself, get one. Don't trust only one scanner. Use checksumming as additional protection. Use memory resident scanners to catch them before they have a chance to contaminate your harddisk (network). Set up a workstation(s) to check incoming diskettes. Acquire several scanners for these sheep dip machines.

If you like I am willing to comment by mail.

Regards
Kari Laine

------------------------------

Date:    Thu, 09 Jun 94 07:44:42 -0400
From:    buster@klaine.pp.fi (Kari Laine)
Subject: Re: Stop the Madness! :-)

"Brian H. Seborg" writes:

>From: "Brian H. Seborg"
>Subject: Stop the Madness! :-)
>Date: Tue, 7 Jun 1994 14:36:53 EDT

[snip]

>Also, Fred seems to be making a claim that if a virus asks your
>permission to spread that it is okay!  This is idiotic!  First,
>consider this, for the virus to ask your permission to spread, it has
>to be running on your PC without your permission!  Vesselin, I can't
>believe that you bought off on this lame distinction! :-)

First, let's make clear that I think there are NOT good or beneficial computer viruses. I think that there won't be any in the near future because the whole idea is dumb in today's situation. If the computing ways and systems were totally changed, maybe then there could be some use for this kind of tactics of software "delivery", BUT I DOUBT IT VERY MUCH.

Now then, you say that it does not make any difference that the virus asks the user's permission to run, and if the user answers NO it will kill itself (and most probably the host file also, causing problems). I think this makes a hell of a difference from the legal point of view.

>"..castles made of sand slip into the sea eventually..."
>
>                                              -Jimi Hendrix

You had some lengthy comments about how there could NOT be beneficial viruses. I will try to read them when I have two days off from work :-) Anyway the whole idea of beneficial viruses should drop dead.
Regards
Kari Laine, buster@klaine.pp.fi

------------------------------

Date:    Thu, 09 Jun 94 09:51:42 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Disabled viruses?

Richard M Dasheiff M.d. (dasheiff+@pitt.edu) writes:

> Doren Rosenthal has one, but I forgot her full email address

First, I think that it is 'he', not 'she'. Second, his so-called "virus simulator" is *completely* useless for testing anti-virus software. The "simulated viruses" generated by it are not viruses at all - just collections of scan strings stolen from different scanners. If a scanner detects them, this is no guarantee that it will detect the live virus as well, and if a scanner does not detect it, this does not necessarily mean that it will not detect the real virus. In short - a completely useless product, and a harmful one too, because it misleads the people.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Thu, 09 Jun 94 10:05:39 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: GOOD vs. BAD HUH?

Todd Gilbert (tgilbert@salsa.abq.bdm.com) writes:

> > replicate. Some "viruses" of that type *can* be useful. The real
> > problem is one of misunderstanding - what almost everybody calls a
> > computer virus conforms to your "definition", not to Dr. Cohen's, and
> > many programs that conform to Dr. Cohen's definition are not
> > understood as viruses by most other people.
> >
> > It all depends on the definition of the term "computer virus".
> >
> Given your use of quotes, I take it that you prefer Dr. Cohen's definition
> to the widely accepted "definition".
Actually, my use of quotes was intended to indicate that the quoted word is not quite the same as what most people would understand when hearing it for the first time. Similarly in the case of the word "definition" - I would hardly give such a scientific term to the general public's understanding of the term, which is based mostly on common sense, not on exact definitions.

> Why?  Does his (fairly sure this
> person is male) writing it down and wanting to be THE AUTHORITY on
> viruses make everything he says correct?

Dr. Fred Cohen is indeed male and he *is* an authority on viruses. He predicted them ten years ago, he is the first to have a Ph.D. in this area, and he has proven mathematically about everything interesting that can be proven about computer viruses. Of course, being an authority on the subject does not automatically make everything he says correct - I have caught him being wrong at least twice. :-)

Back to your question. I, as a scientist, tend to like exact and scientific definitions. I certainly prefer an exact definition to the general public's "common sense". However, I do understand that Dr. Cohen's definition, while very convenient in the mathematical sense, and allowing one to prove several interesting theorems, is not good enough for common use - it is too broad and hard to understand. That's why I think that it is better to use a different term ("real computer viruses") to describe the general public's understanding of this malicious phenomenon.

> If so, perhaps he should write a virus that contains his definition
> and will spread the word to all computers and their users.  I gather
> he'd think _that_ was a good virus.

If you *really* want to get some deeper understanding of the problems, I would suggest that you find Dr. Cohen's papers (most of them can be found in "Computers & Security") and try to understand them.
They are definitely not easy to understand by a person without the appropriate mathematical background, which is why so many people do not understand what he is talking about. However, if you *do* understand them, you'll find out that, first, he is talking about something completely different, and second, he would never do (or even suggest) something like you described above. IMHO, Dr. Cohen's major fault is not using a simpler language to break this down to the people who don't have the qualification to understand his papers.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Thu, 09 Jun 94 10:55:25 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stop the Madness! :-)

Brian H. Seborg (bseborg@fdic.gov) writes:

> Fred has his own anti-virus package on the market, but I would never
> suggest that he was trying to get people to write "good" viruses so
> there would be a greater need for his package! :-)).  As Ross

Nope. First, as far as I know, he does not support his package any more (too bad, because it is rather good, in the sense that it is secure, but it had a horrible user interface, which made it virtually unusable). Second, his package was not a scanner, but an integrity shell - therefore, its success was independent of how many viruses there are out there.

> Greenberg so aptly pointed out, I'm sure Fred could enlighten us in a
> paragraph so we wouldn't have to wait to buy his book for an answer!

I also find it rather frustrating that Dr. Cohen is so reluctant to explain himself, especially in a simpler language.
He *really* must not expect that anybody who is interested will be able to find and understand his papers and book and needs just a reference to them.

> Also, Fred seems to be making a claim that if a virus asks your
> permission to spread that it is okay!  This is idiotic!  First,
> consider this, for the virus to ask your permission to spread, it has
> to be running on your PC without your permission!  Vesselin, I can't
> believe that you bought off on this lame distinction! :-)

You were either not paying attention, or have missed the article in which I treated this issue. My opinion is that "ask for permission" is not sufficient, as it leads to interruptions which may be unwanted and sometimes even damaging. (I have an example with a hospital computer running life-critical software that gets interrupted by a virus which asks whether it is OK to infect and waits for user input.) According to me, we should impose a stronger criterion. Just asking for permission is not good enough - a virus that claims to be beneficial must wait for the user to actively *invite* it to his/her machine - i.e., install it there, or install a program that invites the virus.

> Another point, Fred, have you ever heard of version control?  How
> about change control?  How would you affect these via a virus?  Here's

I have treated this question too, in an article that is supposed to appear in "Alive". Essentially, I am saying that a "beneficial virus" should contain a mechanism to pass critical messages (like "remove yourself" or "update yourself"), and those messages must be able to spread faster than the virus. In some sense, those messages will be "viruses" for the "computational environment" consisting of all existing copies of the virus, just like the virus is a virus in the "normal" computational environment (the one that the user uses). Again, this is not enough. Suppose that a system becomes dependent on the services that the "beneficial virus" provides.
Then an attacker could attack such a system by sending a message to all copies of the virus to remove themselves (a denial of service attack). Therefore, the message passing mechanism must be cryptographically secure - probably using some kind of public key encryption and authentication.

> myself from laughing!) throughout my corporation.  This is the
> infamous compression virus (hee, hee, sorry!) that will compress any
> executable file it encounters.  First, though, to be a "good" virus it

I do not think that Dr. Cohen's "compression virus" is a good example of a beneficial virus. In fact, neither of his examples is convincing enough to me - everything that they do can be either dangerous and/or damaging, or can be performed better (or at least not worse) by a non-viral program. I think that I have a better example of a beneficial virus; see below. I also strongly suspect that all "beneficial viruses" must be "worms" (using Dr. Cohen's definition in both cases), but so far I have been unable to prove this.

> the user allows the virus to infect (will it ask this same question
> everytime it attempts to infect another file?  Man, would this be
> boring or what?) it will then ask, "Hey, this file is not compressed,
> would you like me to compress it?" (would it ask this every time it
> encountered a non-compressed executable, or would it be able to flip a
> bit to store the fact that the question had already been asked and
> answered in the negative?  What if the next time I DID want it to

See above. As I said:

1) The user must actively invite the virus - i.e., run a TSR, or set an environment variable (those are just inferior examples; in a real case public key encryption and authentication must be used, so that the virus authenticates itself to the system and the system authenticates itself to the virus). The default action for the virus (if no such invitation is found) must be NOT to infect the system.
2) There must be a way to turn off the prompting - the user must *both* be able to set the default action to "no, don't infect" (by removing the invitation or not installing it in the first place) and to "yes, keep infecting without asking".

> would not get any benefit from it?).  Also, I can see the user saying,
> "Damn, how do I turn this stupid thing off!" after about the 10th time
> the virus asks permission to do something!

Therefore, there *must* be a way to "turn the stupid thing off" and it should be an easy way.

> One more issue, how will you make sure the virus gets control in
> memory?  Will it infect command.com or one of the system areas so that
> it makes sure to get control every-time?  If this is the case, then
> how many different "good" viruses can use this same paradigm before
> you run out of space in command.com (I guess we could change it to
> command.exe and then load it up with different special purpose viruses
> and make it an even greater lumbering behemoth than it is now!)

The answer to this depends on the particular environment and implementation. Ideally, there should be a "virus API" in the operating system, which provides documented ways to control and interact with the self-replicating programs.

> Now, let's say you want to upgrade this virus.  How are you going to
> enforce version control?  In other words, you have a faster, better
> compression algorithm, and you update the virus and now you want to
> make sure it is in place throughout the corporation, how do you affect
> this change?  How do you even know the first version even made it to
> all PCs?  One more thing, not all PCs are network connected, how do
> you get the virus and the upgrades to the laptops (this is a tough
> enough issue for legitimate software)?

See above my reply about the efficient message passing mechanism. Its particular implementation is left as an exercise to the reader.
:-) I am only insisting that any virus that claims to be beneficial must contain such a mechanism.

> Finally, how do you ensure that the virus does not leave your
> corporate environment for parts unknown? (other people's PCs?)  Even
> if you had a method of doing this, how much would it cost and how big
> would the virus be at this point?  What if it did get out?  It would

Look, according to Dr. Cohen's definition of the term "virus", a disk operating system that is contained on a diskette and is able to do diskette copying, is a virus. How do you solve the above problem for it? What happens if it "gets out"? :-)

> seem that you'd be legally liable for any damage it did, or trespass

Liable for any damage, ha-ha... How often have you seen a software producer being responsible for any damage their product has done? Naw, they all come with a fine disclaimer, which essentially says "if this product does anything at all, it is not our fault".

> at the least.  But, I digress...  Suffice it to say that the concept
> of a "good" virus all sounds good theoretically, but when you give it
> a "reality-check" the notion of "good" viruses beyond the confines of
> a laboratory environment shows itself to be the ludicrous idea it is.
> Maybe I've been spending too much time in the real world! :-)  I guess

OK, reality check time. Here is one example (I have used it several times), which *is* a virus according to Dr. Cohen's definition (a worm, actually), and which *is* used in real life (I know of at least three products that are using it).

Suppose your company has thousands of PCs, all connected together to a huge LAN. You are the owner of the company, or at least the person charged with virus protection of the LAN. You want to make sure that each PC is running the latest version of your favorite anti-virus program. Well, the problem is, the scanner part of any anti-virus program needs constant updating, and updating thousands of PCs every month is a pain.
That's why you do the following. You install the latest copy of the anti-virus program on the server (this requires only one copy to be constantly updated, instead of thousands of them), and put a small program in the login script. At login time, i.e., whenever a user tries to log in from his/her workstation, this program checks whether the workstation is running the latest version of the anti-virus package. If this is not the case, the program offers the user to automatically update his/her copy from the server and then to reboot the PC (so that any resident scanners are reinstalled from the updated versions). If the user does not accept the offer, then access to the LAN is refused.

Do you see any problems with the above scheme? I don't. You, as the owner of (or the person responsible for) the network, have the full right to refuse network access to a workstation that does not comply with the company's policy of running the latest version of the anti-virus package.

Well, according to Dr. Cohen's definition, the anti-virus package, together with the login script and the parts that do the checking and the copying of the updated versions, is a virus - because it copies (possibly modified parts of) itself. Do you understand now what I mean when I am saying that what Dr. Cohen understands under the term "computer virus" and what the general public understands under this term are completely different things?

BTW, there are several anti-virus products that are actually using the above scheme - CPAV, Untouchable, Dr. Solomon's Anti-Virus ToolKit... Of course, they do not advertise it as a "beneficial virus", but as "Centralized Software Updating (tm)" or something like that.

Which leads me to one of my other points - if you are going to create a beneficial virus, don't call it a "virus", because this term is already loaded with negative meaning. Just call it something else. Agent, vitamin, whatever.
Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Thu, 09 Jun 94 11:18:07 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The truth about good viruses

UCC DASD Administration (DASDCAT@UConnVM.UConn.Edu) writes:

> I think this illustrates quite nicely the whole problem with beneficial
> viruses. That being the lack of a trusted path. When I buy a software

This *is* indeed one of the problems, but not the whole problem - there are others as well. Of course, this does not mean that the problem cannot be solved - merely that we should work in that direction.

Yes, any virus that claims to be beneficial must provide a trusted path - it must authenticate itself to the system it infects, and the system must authenticate itself to the virus. IMHO, the best solution would be to use some kind of public key authentication. For instance, the company that produces the virus could publish some kind of public key for it; then the user could make available (to the virus) an invitation encrypted with this public key, and so on - the particular details of the protocol are left as an exercise to the cryptographically inclined reader.

> you lose that element of verifiability. An unknown program running on my
> computer is suspect, even if it says, Hi! I'm from the Government/Virus
> Research Department/Mensa club, and I'm here to help you..... As the
> saying goes, How do you know where it's been?

Why unknown? It says "Hi! I am the SuperDuper beneficial virus made by BeneViral Software Inc. and here is my MD5 hash, signed with my secret key".
You compute the MD5 hash yourself, verify the one in the virus using the published public key, check that the two values match and then you know that this is indeed a BeneViral Software's product.

> If some people came to your house and said, You just go away for a few days.
> We're going to clean your house for you, fix the roof and install a Jacuzzi
> in the master bedroom. Trust us. We're Nice People. Maybe they're telling
> the truth. But if they have no credentials, references or licenses, how
> would you know? Would you hand over the keys to your house?

Conclusion: beneficial viruses must carry credentials. See above for an example.

> I don't think the most important question is whether beneficial viruses
> exist. But how could you tell if you had the real thing?

Digital signatures have been around for about 20 years already...

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Thu, 09 Jun 94 12:01:26 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus terrorists (?)

Todd Gilbert (tgilbert@salsa.abq.bdm.com) writes:

> I won't repost it, but there's an article under bit.listserve.ethics-l
> that you folks might find interesting.  It appears to be a couple
> guys from Eastern Europe threatening to release viruses unless
> somebody offers them a good paying job.

From Roumania, as far as I recall. Also, from the tone of the message it didn't seem that they are very serious about their threats; it was merely an expression of the frustration the people there experience... And yes, there *are* a lot of things there (Eastern Europe) that cause frustration - I can tell you from personal experience...
:-) This has caused a lot of people in Bulgaria, Russia, and other countries to write viruses. Of course, while being a reason, it is certainly not an excuse, and you shouldn't get the impression that everybody there is doing this.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Thu, 09 Jun 94 19:13:40 -0400
From:    hankp@UTKVX.UTCC.UTK.EDU (REMOTE SUPERVISOR)
Subject: books on virus' and their history?

Hello all,

I was wondering if anyone knew of a good book about viruses and their history. I heard of one a while back but could not recall the name. My point is not to build a virus, but to learn more about them, first ones, what certain ones do, etc. Any help is appreciated.

Hank Pike

------------------------------

Date:    Fri, 10 Jun 94 14:43:50 -0400
From:    Otto Stolz
Subject: Re: Yet *another* damn Bitnet worm.. (IBM VM/CMS)

These days, Valdis Kletnieks said:
> It's called 'INV1 EXEC'.  The apparent author is stuya36@saupm00.
>
> I'm sure we all know the drill.
>                               Valdis Kletnieks
>                               Computer Systems Engineer
>                               Virginia Polytechnic Institute

On Tue, 7 Jun 1994 10:25:15 EDT John Hammond said:
> I forward this notice that was sent to NODMGT-L@MARIST about another
> virus/worm discovered on Bitnet.

I haven't seen this INV1 EXEC yet. Most probably, it's yet another one of these CHRISTMA-style chain letters. I'm forwarding this to VALERT-L to spread the word. (I hope this goes faster than the chain letter...)

Best wishes,
Otto Stolz

------------------------------

Date:    Fri, 10 Jun 94 20:04:15 -0400
From:    shrichardson@rocky.ucdavis.edu
Subject: antivirus programs for NT (WinNT)

Does anyone know of Scanners or tsr protection programs for Windows NT?
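Two of Vesselin Bontchev's replies earlier in this issue ("Stop the Madness!" and "The truth about good viruses") make one point between them: a program that a login script installs across a LAN is only safe if the receiving side can check its credentials, and the credentials he sketches are a published public key plus a signature over the program's hash. The Go program below is an added example written for this digest, not code from any post in it or from any of the products named (CPAV, Untouchable, the Dr. Solomon toolkit). It uses Ed25519 from Go's standard library in place of the MD5-plus-secret-key signing in the post, and the manifest layout and the names SignManifest, CheckUpdate, UpToDate, Update and Refuse are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the publisher ships next to an update payload: the version
// number, the hash of the payload, and a signature over both made with the
// publisher's secret key. The layout is an assumption for this example.
type Manifest struct {
	Version       int
	PayloadSHA256 string // hex digest of the update payload
	Signature     []byte // Ed25519 signature over manifestBytes(...)
}

// Decision is the verdict the login-script side reaches for one workstation.
type Decision int

const (
	UpToDate Decision = iota // nothing to do
	Update                   // apply the update, then reboot
	Refuse                   // refuse LAN access, leave the workstation untouched
)

func (d Decision) String() string {
	return [...]string{"up to date", "update and reboot", "refuse LAN access"}[d]
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the publisher's public key")
	ErrHashMismatch = errors.New("update payload does not match the hash in the signed manifest")
)

// manifestBytes is the exact byte string that is signed and later verified.
// Signing the version together with the hash stops anyone from re-labelling
// an old, genuinely signed payload as a newer version.
func manifestBytes(version int, hash string) []byte {
	return []byte(fmt.Sprintf("version=%d\nsha256=%s\n", version, hash))
}

func payloadHash(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs once on the server, by whoever holds the secret key.
func SignManifest(priv ed25519.PrivateKey, version int, payload []byte) Manifest {
	h := payloadHash(payload)
	return Manifest{
		Version:       version,
		PayloadSHA256: h,
		Signature:     ed25519.Sign(priv, manifestBytes(version, h)),
	}
}

// CheckUpdate is the workstation side. The credentials are checked first:
// a manifest that does not verify is refused even if it claims the
// workstation is already current, so a forged "you are up to date" manifest
// cannot be used to keep a workstation on an old scanner.
func CheckUpdate(pub ed25519.PublicKey, installed int, m Manifest, payload []byte) (Decision, error) {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.PayloadSHA256), m.Signature) {
		return Refuse, ErrBadSignature
	}
	if installed >= m.Version {
		return UpToDate, nil
	}
	if payloadHash(payload) != m.PayloadSHA256 {
		return Refuse, ErrHashMismatch
	}
	return Update, nil
}

func main() {
	// The publisher's key pair; in practice the public half is distributed
	// out of band and the secret half never leaves the server.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	update := []byte("constructed sample update payload") // stands in for the real files
	m := SignManifest(priv, 116, update)

	d, err := CheckUpdate(pub, 115, m, update)
	fmt.Println("genuine update for an old workstation:", d, err)

	tampered := append([]byte(nil), update...)
	tampered[0] ^= 1 // one flipped bit in the payload
	d, err = CheckUpdate(pub, 115, m, tampered)
	fmt.Println("tampered payload:", d, err)
}
```

The order of the checks is the point: the signature is verified before the version comparison and before the payload is hashed, so nothing unsigned influences the decision. The public key arrives as a separate argument rather than inside the manifest, which models the "published public key" in the post: a key that travels with the thing it vouches for proves nothing.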
------------------------------

Date:    Thu, 09 Jun 94 08:16:33 -0400
From:    buster@klaine.pp.fi (Kari Laine)
Subject: Re: Help with boot virus.... (PC)

angela@rahul.net (Angela Tsoi) writes:

>From: angela@rahul.net (Angela Tsoi)
>Subject: Help with boot virus.... (PC)
>Date: Tue, 7 Jun 1994 14:36:53 EDT

> I've been having a BIG problem w/ a virus in my hard drive. It's a boot
>sector virus. I try almost all of the scan problem and none of them could
>detect it. SO i resorted to format my hard drive, at the end of the format it
>said Possible Boot Virus: Do you want to continue? I said yes and it worked
>for about a week or so then it popped back up again. How can I get rid of it for
>good? Help a poor unfortunate soul..

Any chance this could be a FALSE alarm caused by those "protection built in" new BIOSes? Why am I not surprised by these problems?

Kari Laine, buster@klaine.pp.fi

------------------------------

Date:    Thu, 09 Jun 94 12:03:31 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Swiss Virus (PC)

INEICHEN Gerard(centre EAO) (ineichen@cui.unige.ch) writes:

> A student has found a "swiss virus" that infects the boot record. It seems
> to be a new variant of the virus. Mac Afee scan 114 lists it but i haven't
> found more info.
> Be careful : it isn't the swiss phoenix nor the Swiss 143.

It is the virus with a standard CARO name Swiss_Boot. Unfortunately, I have not analysed it yet.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Thu, 09 Jun 94 12:23:23 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 170x Virus (PC)

Mr NWS Soh (nwsoh1@hestia.cc.monash.edu.au) writes:

> When I scan my hard disk recently using SCAN C: /m , using mcafee's
> anti-virus program version 84.

This is a *very* old and obsolete version of SCAN; I strongly suggest you to upgrade. The latest version I know of is 115B and version 116 will probably be out before this message gets published.

> Message reads: Found 1701/1704 virus - version B [170x] active in memory
> Found 1 file containing a virus.

The virus is active in memory, but only one file is infected? Hm, there is a slight probability that it is a false positive... Nevertheless, boot from a clean, write-protected system diskette, and do the scan again. Now the virus shouldn't be in memory and the disinfector should be able to disinfect the infected file, if the virus is known to it.

> Please help. I suppose reformatting the hard disk could get rid of the
> virus but I do not wish to do so because of the huge number of data and
> programs in my 120Mb drive.

Formatting the disk is never necessary. In the worst case, delete all infected files and restore them from clean backups or original copies.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Thu, 09 Jun 94 12:31:30 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: McAfee VirusScan 2.00 and VIRUSCAN V114 uploaded to SimTel (PC)

Fridrik Skulason (frisk@complex.is) writes:

> That is: it no longer reports multiple viruses in a single sample...however,
> different samples of a single virus may occasionally be reported to be
> infected with different viruses - a "first-generation" sample may be reported
> to be infected with a different virus than the normally infected files.

This is yet another confirmation of my suspicion that SCAN 2.00 is actually a very preliminary beta of an unfinished product. They told me once that they intend to do exact identification - obviously they have not managed to do even "good enough" identification... All preliminary tests show that SCAN 2.00 is actually *worse* than the old SCAN/CLEAN suite. My advice to anybody who relies on McAfee's anti-virus products is to wait and use the old version, until the new product becomes more stable and all the important features in it are implemented properly.

Regards,
Vesselin

-- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Thu, 09 Jun 94 12:37:12 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DOS 6.X Anti-Virus (PC)

Snp Doggy (snpdoggy@aol.com) writes:

> I found DOS 6.x Anti-Virus is NOT very good... In fact, I think it is

Agreed. In fact, the above expression ("not very good") is a rather mild one. It's an awful program, from the anti-virus point of view.
> a waste of time...I collect viruses, I have over 100 including,
> yankee doodle virus, aids, michelangelo, Richards, vmessiah,

I'll permit myself to doubt the quality of your collection. In particular, I *know* that the thing you are calling "Richards" is NOT a virus, but a Trojan Horse.

> and many, many others...Anti-Virus found only 10 out of 120 viruses I
> had on floppy disks..50 of which it WAS supposed to FIND, but DID
> NOT...when I tried F-Prot it found 75 and then I tried McAfee's and
> it found 60 of 120...I'm not a sales person or anything, I'm actually

While I agree with the classification (i.e., MSAV is the worst one, McAfee's is better, and F-Prot is even better), the above detection rates are way too low. This, together with the mistake I spotted above, makes me doubt the quality of your collection and its usefulness for scanner tests. Have you tried to replicate each of the viruses yourself? Have you made sure that all of them are different and working viruses? Or are you just relying on what some scanner says?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 09 Jun 94 12:45:21 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help with boot virus.... (PC)

Angela Tsoi (angela@rahul.net) writes:

> I've been having a BIG problem w/ a virus in my hard drive. It's a boot
> sector virus. I tried almost all of the scan programs and none of them could
> detect it. So I resorted to formatting my hard drive; at the end of the format it
> said Possible Boot Virus: Do you want to continue? I said yes and it worked
> for about a week or so, then it popped back up again. How can I get rid of it for
> good? Help a poor unfortunate soul..

It is quite probable that you don't have a virus, but some kind of ANTI-virus software or (most probably) hardware/firmware on your machine. When you are trying to format a floppy, the formatting program does two things which are considered highly "suspicious" by the anti-virus programs: first, it formats the floppy, and second, it writes to its boot sector. This explains the two messages you have seen.

I advise you to enter the CMOS configuration program of your PC (on most machines this is done by pressing a key at boot time, but some machines may require a different combination of keypresses or a special "setup" diskette), and check for an item (usually in the "Advanced setup" menu) that says "Boot sector protection" or "Virus protection", or "Chip Away Virus", or something like that. If it is enabled, then you know that it was causing the problem.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 09 Jun 94 12:49:29 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: false alarm (boot sector changed) by McAfee SCAN ??? (PC)

Henrik Stroem (hstroem@ed.unit.no) writes:

> Try my HS v3.58. Available by ftp from 141.210.10.117:/pub/msdos/virus
> as the file hs-v358.zip. It is a boot sector integrity checker that
> will detect all boot infectors, and automatically remove them. It uses
> no RAM, and executes in less than a second on most machines.

I do have your HS v3.58 and it is on our ftp site. The only problem is that it refuses to run on my machine - something I have reported to you several times in the past.
As far as I recall, the problem occurred because the installation program was trying to trace an interrupt down to the BIOS - but my machine is running QEMM in stealth mode. You said that a future version of the program will fix the problem - any news since then?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 09 Jun 94 12:55:50 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VSUM??????? (PC)

Grettir Asmundarson (grettir@keflavik.wordperfect.com) writes:

> What is the best alternative to VSUM? F-Prot has accurate virus
> information built-in, but sometimes I'd like more information than is
> available there. I've taken a look at both CVC and CMBASE, but I'm not
> sure those are the answer either...

Try Eugene Kaspersky's AntiVirus Pro. It has a very nice help system, with descriptions of hundreds of viruses, and even with demos of their sound and video effects. The package can be obtained from our anonymous ftp site:

Site: ftp.informatik.uni-hamburg.de
Dir: /pub/virus/progs
Files: avp_200.zip, avp_200c.zip, pm940506.zip

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 09 Jun 94 13:04:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: wow! i'm infected... (PC)

Jack Stefani (jstefani@silver.ucs.indiana.edu) writes:

> after a long time of just not caring, I downloaded McAfee SCAN and ran

Well, obviously you should have been caring...

> it on my hard drive. After scanning it all, it reported back that it
> found cansu(?) virus in my partition table. So now that I'm infected

Yes, this is an oligomorphic MBR infector with the standard CARO name V-Sign.

> 1.) after I found out that I was infected, I copied off to a floppy
> some of my important stuff (all non-executables, source code, Word
> Perfect documents etc...). Is there anything I have to worry about? Are

Yes, there are many things to worry about:

1) Your hard disk is probably still infected.
2) You have infected the floppy disks to which you have copied your stuff.
3) Because your computer is still infected, you continue to spread the virus, running the risk of infecting your friends' machines and so on.

> executables the only things that can get infected?

The "executables" are indeed the only thing that can get infected, but if you mean by this "the executable *files*", then you are wrong. This virus does NOT infect files; it infects the MBRs of hard disks and the boot sectors of floppies. Even blank, formatted floppies, or floppies with only data files on them, can become infected and be infective.

> 2.) scan said that my partition table was infected but it didn't tell
> me what file did the infecting.

That's perfectly reasonable, because the virus is in the Master Boot Sector (the one that contains the partition table) and not in any file.

> how can I find out where I got the
> virus from?

You can't.

> 3.) and of course, how do I get rid of it? I've just now downloaded
> the clean program that scan talked about. I doubt if I'll run it
> tonight though, since the docs for scan said that the removal of a
> partition table virus can screw up everything.

Funny, I had the impression that CLEAN is able to remove this particular virus... OK, if it doesn't do the job, then better try some better disinfector. I would suggest F-Prot - one of the best ones.

> 4.) where can I get info on my particular virus (cansu)? What will
> happen if I just leave it in?

The virus is described in our Computer Virus Catalog. See the FAQ for information about how to get it.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 09 Jun 94 14:14:42 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good anti-virus software recommendation needed (PC)

Joe Brown (S1083509@cedarville.edu) writes:

[sorry about the long quote]

> > Does anybody know if there is any anti-virus software that will
> >detect the virus automatically? What I mean is every two weeks I have
> >to run my anti-virus software to do detection and it takes a long time.
> >It will be nice if there is an anti-virus software which will do the
> >detection when there is a disk operation etc etc.
> > And can someone recommend me some good anti-virus software either
> >in the shareware domain or in the market? I am particularly looking
> >for something that will work in a networked (both netware and
> >TCP) environment.

> You can try Norton Anti-Virus or Central Point Anti-Virus, both of these I
> believe will do this.

I wouldn't recommend *any* of those two packages. They are rather weak from the anti-virus point of view, and besides, neither of them does everything that the original poster wants (e.g., working in a TCP/IP environment).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       22527 Hamburg, Germany

------------------------------

Date: Thu, 09 Jun 94 14:45:58 -0400
From: "Michael Chui"
Subject: F-Prot 2.12 won't scan C: with Lantastic (PC)

Running on a Lantastic 4.2 server, F-Prot 2.12 reports an error reading C:\. Ironically, it seems perfectly capable of scanning drives on other servers, but it only reports an error when it is scanning the hard drive on which it is running. Any suggestions?

Michael Chui
mchui@cs.indiana.edu

------------------------------

Date: Thu, 09 Jun 94 19:49:38 -0400
From: hankp@UTKVX.UTCC.UTK.EDU (REMOTE SUPERVISOR)
Subject: Re: Good anti-virus software recommendation needed (PC)

S1083509@cedarville.edu (Joe Brown) writes...

>jclee@netcom.com (Johnson C. Lee) writes:
>>From: jclee@netcom.com (Johnson C. Lee)
>>Subject: Good anti-virus software recommendation needed
>>Date: Thu, 12 May 94 18:16:23 -0400
>
>>Hi,
>> Does anybody know if there is any anti-virus software that will
>>detect the virus automatically? What I mean is every two weeks I have
>>to run my anti-virus software to do detection and it takes a long time.
>>It will be nice if there is an anti-virus software which will do the
>>detection when there is a disk operation etc etc.
>> And can someone recommend me some good anti-virus software either
>>in the shareware domain or in the market? I am particularly looking
>>for something that will work in a networked (both netware and
>>TCP) environment.
>
>>Any info will be appreciated.
>
>>Thanks,
>
>>- -Johnson
>
>You can try Norton Anti-Virus or Central Point Anti-Virus, both of these I
>believe will do this.
>
>- --Joe Brown
>- --Anglo-Saxon American And Proud Of It
>- --Tiny Toons Are Awesome
>- --
>- --Cedarville College
>- --Cedarville, Ohio
>- --s1083509@cedarville.edu
>

Try F-Prot 2.12, it is as good as or better than Norton and CPAV, and it is available at oak.oakland.edu in /pub/msdos/virus. I used Norton for a long time (using the current release), tried F-Prot and switched; now I use F-Prot instead.

Hank Pike

------------------------------

Date: Thu, 09 Jun 94 21:28:31 -0400
From: agray@ATHENA.MIT.EDU (Allan D Gray)
Subject: Joshi (PC)

For months I have been using a boot disk for my computer, because I am infected with a boot-sector virus. The anti-virus programs that I was using could identify the problem, but not fix it. I finally decided to get off my duff and tackle this problem. I found this group, got the FAQ, read it, downloaded new anti-virus software, etc. etc.

F-Prot says that it can cure this virus. When I run it, it says that it has cured it. If I run it again, it finds "Joshi" and claims to cure it again.... The computer won't boot without a boot disk.... Does anyone know how to deal with this problem without reformatting my entire HD??? If so, please let me know.

ABG
4781agall@umbsky.cc.umb.edu

Thanks!

------------------------------

Date: Fri, 10 Jun 94 06:30:48 -0400
From: ohe@allianse.no
Subject: Best Anti-virus software (PC)

We're trying to figure out the best anti-virus software for both Netware servers (NLMs) and DOS/Windows workstations. We have been looking at Norton Antivirus v3.0, F-Prot, Norman Data Defences and Central Point. Does anybody have any kind of hints and tips, which one is the best and why?

Thank you.
=======================================================
ohe@allianse.no

------------------------------

Date: Fri, 10 Jun 94 10:36:48 -0400
From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy)
Subject: Killing the Monkey Virus (PC)

I would like to share an experience with the "Monkey" computer virus on June 3, 1994.

A customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his notebook PC and wanted to know if I could help him to recover his critical data. I put the disk in my PC and typed 'dir'. Immediately, the bells and whistles from my anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk, and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission. Of course, I said STOP.....

The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy. The user of an infected machine experiences problems reading floppy disks. When I attempted to boot his machine from floppy, the hard drive was not visible or identifiable (Drive not found).

After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer's home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes. I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week.
All the customer machines had an anti-viral package from Central Point or other vendors, but they were NOT up-to-date on the latest virus definitions. An old copy of McAfee was run on an infected machine and it reported no infections.

The encrypted "Monkey" virus file stores itself in the boot sector only; therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this, but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT), which will delete the boot sector, find the original file and restore the machine. Also, the boot sectors of all floppy disks were rebuilt using NDD. Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present.

Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt. The LAN administrator is in the process of updating or upgrading the anti-viral software to meet the current threats.

- --
TC Molloy
Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com

------------------------------

Date: Fri, 10 Jun 94 11:01:21 -0400
From: "Mark J. Miller"
Subject: Netware & Virstop (PC)

This isn't strictly a virus question, but I was hoping someone might have some suggestions. No rude ones please ;)

We are getting faculty offices hooked to a Novell network & we want to install F-Prot's Virstop. I know how to do this, either in autoexec or using /rehook. But the computers won't be connected to the network all the time. We're allowing faculty to choose when & how long to be connected to the network.
Because we have many old computers, 8088s & 286s, we want to be able to unload the network software from memory when they disconnect, to free up memory. But with Virstop loaded, the unload command doesn't unload the software. Does anyone know how to get around this? Will another anti-virus program do the trick? Any help will be gratefully appreciated.

Thanks,
Mark :-)

*****************************************************************************
Mark J. Miller                               * The man who fights for his
Instructional Computing Programmer/Analyst   * ideals is the man who is
Saginaw Valley State University              * alive!
Wickes 227, 517-790-5643                     *
mjm@tardis.svsu.edu                          *    -- Miguel de Cervantes,
71053,1571@compuserve.com                    *       author of Don Quixote

------------------------------

Date: Fri, 10 Jun 94 11:58:10 -0400
From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy)
Subject: Killing a Monkey virus attack (PC)

I would like to share an experience with the "Monkey" computer virus on June 3, 1994.

A customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his notebook PC and wanted to know if I could help him to recover his critical data. I put the disk in my PC and typed 'dir'. Immediately, the bells and whistles from my anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk, and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission. Of course, I said STOP..

The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy. The user of an infected machine experiences problems reading floppy disks.
When I attempted to boot his machine from a clean floppy, the hard disk drive was not visible or identifiable (Drive not found).

After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer's home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes. I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week.

All the customer machines had an anti-viral package from Central Point or other vendors, but they were NOT up-to-date on the latest virus definitions. An old copy of McAfee was run on an infected machine and it reported no infections.

The encrypted "Monkey" virus file stores itself in the boot sector only; therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this, but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT), which will delete the boot sector, find the original file and restore the machine. Also, the floppy disk boot sectors were rebuilt using NDD to prevent re-infection. Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present.

Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt.
The LAN administrator is in the process of updating or upgrading the anti-viral software to meet the current threats.

- --
TC Molloy
Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com

------------------------------

Date: Fri, 10 Jun 94 16:11:44 -0400
From: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com (TC Molloy)
Subject: Killing the Monkey Virus (PC)

riordan@tmxmelb.mhs.oz.au (Jakub) wrote:

> Jeff K Landauer writes:
>
> Well, Scan shows that I have this, but I can't get rid of it. It
> reports that I need to boot from a floppy in order to clean the system,
> but when I do that, I can't access my hard drive. I don't know what to
> do. I downloaded just about all the virus software I could find to try
> to fix this thing, but nothing looks like it will help. Am I screwed?
> I look back on old posts, and the situation looks pretty bad. Thanks
> for any help,

I would like to share an experience with the "Monkey" computer virus on June 3, 1994.

A customer was directed to me concerning a problem. He couldn't read a DOS floppy diskette on his notebook PC and wanted to know if I could help him to recover his critical data. I put the disk in my PC and typed 'dir'. Immediately, the bells and whistles from my anti-viral package went off. The "Monkey" virus was attempting to write to the boot sector of my hard disk, and my anti-virus software package had frozen my machine waiting for me to respond with Proceed or Stop. My anti-virus package stops whenever anything attempts to write to the boot sector without permission. Of course, I said STOP..

The "Monkey" virus is an encrypted virus that can only be identified when it is in RAM. The "Monkey" virus re-writes the boot sector on the disk (floppy or hard). There are no viral signatures on the disk to identify and destroy. The user of an infected machine experiences problems reading floppy disks.
When I attempted to boot his machine from a clean floppy, the hard disk drive was not visible or identifiable (Drive not found).

After recovering his diskette and killing the virus, the customer then informed me that he had ten associates with him who were probably infected too. I went back with him to test their machines and found them all infected. At the customer's home office, the notebooks go into docking stations that are connected to a LAN. They use the LAN to pass files using Lotus Notes. I asked the customer to have the office machines tested and, sure enough, they too were all infected with the "Monkey" virus. A conversation with the LAN administrator indicated that the problem had only appeared within the last week.

All the customer machines had an anti-viral package from Central Point or other vendors, but they were NOT up-to-date on the latest virus definitions. An old copy of McAfee was run on an infected machine and it reported no infections.

The encrypted "Monkey" virus file stores itself in the boot sector only; therefore, to eradicate the virus, the boot sector of the disk must be erased or the disk partition deleted. The DOS application 'FDISK' can do this, but it also deletes all files on the entire disk (not good). When the "Monkey" virus infects a disk, it copies the original boot sector as a file to somewhere else on the disk. The boot sector can be rebuilt using Symantec's Norton Disk Doctor (NDD C: /REBUILT), which will delete the boot sector, find the original file and restore the machine. Also, the floppy disk boot sectors were rebuilt using NDD to prevent re-infection. Retesting the machine with my anti-viral software confirmed that "Monkey" was no longer present.

Having found the solution to getting the "Monkey" off their backs, the remaining machines' hard disk boot sectors were rebuilt. The boot sectors of all floppy disks were also rebuilt.
The LAN administrator is in the process of updating or upgrading the anti-viral software to meet the current threats.

- --
TC Molloy
Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com

------------------------------

Date: Sat, 11 Jun 94 01:53:09 -0400
From: tluten@news.delphi.com (TLUTEN@DELPHI.COM)
Subject: Symantec (PC)

Dr. Bontchev's remarks on AV software caught my eye. Symantec owns all of Norton, thus Norton AV. It bought Central Point, and thus owns its AV package. It bought Certus, and used the technology to upgrade Norton AV. It apparently (per Bontchev) bought yet another company that produces (or produced) an AV product. What *are* they up to?

Tom Luten
TLUTEN@DELPHI.COM

------------------------------

Date: Sun, 12 Jun 94 23:17:02 -0400
From: "Rudy A Davis"
Subject: Stealth.B Pain (PC)

Hello,

I have had the Stealth.B virus on and off again for the past 6 months. Central Point Anti-Virus version 1.5 does not even recognize this virus. Norton Anti-Virus 3.0 recognizes it but requires a RESCUE disk. I am trying my RESCUE disk, but it appears that my RESCUE disk is also now infected.

Questions:

1) What are the dangers of operating indefinitely with this virus? (I have seen no ill effects other than notification of its existence through Norton AV v3.0.)

2) Does anyone have any suggestions about an anti-virus program which will take care of this virus dynamically without having to re-install DOS?

3) Where is a published listing of people who write viruses so that I may wish bad things toward them by name?

Thanks and regards,
RAD

------------------------------

Date: Sat, 11 Jun 94 16:25:36 -0400
From: Mike Ramey
Subject: U.B.S. _denies_ INFECTING DISKS WITH MICHANGELO. (PC)

I just had a long talk with the on-duty supervisor of the University Book Store Computer Department. He reports that they received a complaint of a virus-infected disk yesterday, but the customer did not present the disk for inspection.
In response to the complaint, they checked all their DOS/PC computers using Central Point Anti-Virus (CPAV) and Norton Anti-Virus (NAV). They found no infection on any of their computers.

On Monday, I will talk to the manager of the Computer Department, and post any additional information to: lanadmin@u, qna@cac, virus-l@lehigh.edu.

CAC/HELP: Do we have a local (uwash.) or regional (pnw.) newsgroup for virus info? I suggest it may be worth creating one -- preferably 'pnw.' because if there is a virus in Portland, it may be in Seattle next week. Also note that VIRUS-L and comp.virus messages are posted only about once a week. While we certainly don't want to disseminate false reports, we also need to alert each other to real virus outbreaks. Your comments please.

-- Mike Ramey, University of Washington, Seattle WA 98195.

- ---------- Forwarded message ----------
Date: Fri, 10 Jun 1994 17:15:12 -0700 (PDT)
From: Michael R. "Majik" Fountain
To: LAN Administrators Group
Subject: BOOKSTORE INFECTING DISKS WITH MICHANGELO

The U Bookstore is infecting disks with Michangelo. They have it on one of their demo computers and are formatting floppies with it.

\|/
/|\MAJIK

------------------------------

Date: Thu, 09 Jun 94 12:41:11 -0400
From: Michael_D_Jones@ccm.hf.intel.com (Michael Jones)
Subject: New Super-virus "Junkie" (PC)

Does anyone have any specific information on the "Junkie" virus? I got the following fax yesterday from someone. Do any other scanners detect and/or clean this? I don't buy their solution for cleaning it.

***Begin included article ****

Another Super-Virus Discovered 06/02/94

BRIER, WASHINGTON, U.S.A., 1994 JUN 2 (NB) -- A super-virus that can create havoc on your computer system has been accidentally discovered while a sales representative was demonstrating an anti-virus program to a customer. Called "Junkie," the virus was discovered in Ann Arbor, Michigan, while a Reflex Inc. rep was demonstrating the merits of that company's Disknet anti-virus software.

"Junkie" reportedly has software engineers concerned for several reasons: It is encrypted, making it difficult to be spotted; it is polymorphic, meaning it changes each time it replicates; and it infects both the drive's boot sector and executable files on the

Reflex engineers are studying the characteristics of "Junkie" in an effort to see what other effects it may have on a computer. The source of the virus is still uncertain, but it was discovered on pre-installed, shrink-wrapped software. The PC manufacturer that pre-installed the software was not identified, but Reflex spokesperson Bob Reed told Newsbytes that it appears that was not the source of the infection. "The system was installed for a month before it ("Junkie") showed up," said Reed.

Reflex engineers say "Junkie" is spread by infecting the boot sector, the portion of the hard disk that contains the startup instructions for a computer. It can reportedly also infect the boot sector of a floppy drive and even make an anti-viral program a carrier. "Junkie can make anti-virus toolkits spread viruses. Scanners open files to search for viruses, in turn opening the door for Junkie to use the scanner itself as a means of spreading the virus," according

Reed said the Ann Arbor incident is the only time so far "Junkie" is known to have surfaced. He said there are no visible warnings of the virus. He stresses the need for having a current backup of your computer data. "The only known cure is re-formatting the hard disk," says Reed. That gets rid of "Junkie." Users are cautioned not to make a backup copy of the drive that is suspect, since the backup will also be contaminated.

Most anti-virus programs scan for known viruses, but cannot always detect a new and different problem such as "Junkie."
That makes it necessary to continually update anti-virus programs, with a resultant added cost in time and money to make sure your computer system is virus-free.

(Jim Mallory/19940602/Press contact: Lucy Stokstad, Reed, Revell-Pechar, 206-4624777; Reader contact: Reflex Inc., 800-673-3539)

***End included article

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 46]
*****************************************
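Several messages in this issue turn on the same defensive idea: Henrik Stroem describes HS as a boot sector integrity checker, Vesselin notes that V-Sign lives in the Master Boot Sector rather than in any file, and the Monkey reports describe a hard disk that is invisible ("Drive not found") once the machine is booted from a clean floppy, because the boot sector has been rewritten. The Python below is an added example, written for this digest and not taken from HS, NDD, SCAN or any other product named above. It assumes it is handed a raw 512-byte MBR image obtained by other means (on DOS that would be a BIOS INT 13h read from a clean boot; the page does not give one), parses the partition table, checks the 0x55AA signature, and compares a SHA-256 fingerprint against a baseline stored when the disk was known clean. All sample sectors are constructed inline; the 120 MB FAT16 layout and the boot-code bytes are made up for illustration.

```python
"""Boot-sector integrity check for a 512-byte MBR image (added example)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries live here
PART_ENTRY_FMT = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a well-formed MBR


@dataclass
class PartitionEntry:
    active: bool
    part_type: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four partition entries at the end of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def fingerprint(sector: bytes) -> str:
    """Hash recorded while the disk is known clean; the baseline an HS-style checker keeps."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means the sector is well-formed and unchanged."""
    findings = []
    if sector[SECTOR_SIZE - 2:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    table = parse_partition_table(sector)
    usable = [e for e in table if e.part_type != 0 and e.sector_count > 0]
    if not usable:
        # A clean boot would see no partitions at all: the "Drive not found" symptom.
        findings.append("no usable partition entries (disk would look empty when booted clean)")
    if sum(e.active for e in table) > 1:
        findings.append("more than one partition flagged active")
    if baseline is not None and fingerprint(sector) != baseline:
        # Structure may still parse; only the stored hash reveals a rewritten boot code area.
        findings.append("sector hash differs from stored baseline")
    return findings


def build_sample_mbr(code: bytes, entries: Sequence[Tuple[int, int, int, int]]) -> bytes:
    """Constructed test data: boot code, then a partition table, then the signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16,
                         status, ptype, lba, count)
    sector[SECTOR_SIZE - 2:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed: a clean MBR with one active FAT16 (type 0x06) partition of about 120 MB.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 40, [(0x80, 0x06, 63, 245952)])
BASELINE = fingerprint(CLEAN_MBR)

# Constructed: boot code replaced and the partition table zeroed, modelling the symptom
# the Monkey reports describe after booting from a clean floppy.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 400, [])

# Constructed: only the boot code changed, table intact; only the hash comparison sees it.
CODE_ONLY_CHANGE_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 40, [(0x80, 0x06, 63, 245952)])


if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
                      ("code-only change", CODE_ONLY_CHANGE_MBR)):
        print(f"{name}: {check_mbr(img, BASELINE) or 'OK'}")
```

The structural checks alone catch the case where the partition table has been destroyed, but the third sample shows why HS-style tools keep a stored fingerprint: an infector that leaves the partition table intact and only replaces the boot code is invisible to a parser and visible only to the hash comparison. The baseline must of course be recorded from a boot that is known clean, which is why the replies above keep insisting on a write-protected system diskette.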