VIRUS-L Digest   Tuesday, 2 Aug 1994    Volume 7 : Issue 58

Today's Topics:

archivers localize archive-files?
Looking for Virus Scan Strings
Is there a computer virus WWW home page anywhere?
Re: How to count virus infections ?
Re: Fred Cohen and computer viruses
Re: Anonymous FTP Site Distributing Viruses?
Re: Disabled viruses?
Spot the Difference
The spread of computer viruses
Re: books on virus' and their history?
Re: Bad and good viruses...
fingerable virusinfo, FAQ and good/beneficial viruses
Good Virus?, here's a potential ironic example.
Re: Anonymous FTP Site Distributing Viruses?
Re: books on virus' and their history?
Re: anti virus viruses
Lenart?? (PC)
Anti-Virus Software for MS LAN (PC)
Re: Little Fishies? (pc)
virus 1028 Bytes need help (PC)
Help Win 32 Bit File Virus? (PC)
Dr PANDA Utilities (PC)
SBC virus? (PC)
A/Rose (PC)
Re: Matura (PC)
Re: SMEG Junkie (PC)
Virus: Forms (PC)
generic virus question (PC)
Vshield (PC)
Virus scanner name/source?? (PC)
Cascade virus (PC)
Re: Best Anti-virus software (PC)
Re: SMEG Virus Test (PC)
Re: generic virus question (PC)
Mosquito Viruses (PC)
Virus Bulletin Abstract July 94
Two new ICARO sites

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 12 Jul 94 11:27:52 -0400
From: ruck@netcom.com (John R. Ruckstuhl)
Subject: archivers localize archive-files?

Does anyone else notice that archived packages differ from archive to
archive? (Yes, I was in binary mode when ftp'ing.) Does garbo add some
redundant bits for integrity checking? If so, is that widely practiced
among well-known archives? It might make integrity checking easier, but
it defeats me when I ask someone for the checksum on their clean116.zip
and it's different from mine. It might be better to keep file-signatures
separate.

[Moderator's note: I recall that garbo adds some (advertising?)
information into the ZIP file header information. That would most
certainly change the checksum. WARNING: IMHO, these are simple 16 bit
checksums; the Internet intruder community regularly modifies* files
such that the files return the original checksum information; do not
place blind faith in these checksums - insist on a secure hash like
MD5. Better yet, get the programs directly from the author/vendor, via
a secure channel.

*There is an intruder-written UNIX program called "fix", which does
exactly this, and it has been observed in numerous Internet
intrusions.]

Regards,
ruck

16-bit checksum; filesize; file location
04304 484704 oak.oakland.edu:/pub/msdos/virus/fp-212c.zip
48865 484970 garbo.uwasa.fi:/pc/virus/fp-212c.zip
49734 276384 ftp.mcafee.com:/pub/antivirus/clean116.zip
07310 276650 garbo.uwasa.fi:/pc/virus/clean116.zip
58926 255499 ftp.mcafee.com:/pub/antivirus/scanv116.zip
05783 255765 garbo.uwasa.fi:/pc/virus/scanv116.zip

--
John R. Ruckstuhl
ruck@netcom.com

------------------------------

Date: Tue, 12 Jul 94 15:03:29 -0400
From: stevet@fujitsu.com (Steve Tamanaha)
Subject: Looking for Virus Scan Strings

Does anyone have any virus scan strings available?
If so, please e-mail them to jims@fsba.com. Also looking for the HTSCAN
HTTROJAN.DAT update and the VSIG94xx.ZIP updates... please e-mail to
jims@fsba.com, uuencode ok... or provide an ftp site.

Thanx,
jims@fsba.com

------------------------------

Date: Tue, 12 Jul 94 19:57:24 -0400
From: dave@lydia.bradley.edu (David Rybolt)
Subject: Is there a computer virus WWW home page anywhere?

I read the FAQ and searched the World Wide Web with no luck. Can anyone
point me in the right direction, if there is a right direction?

Thanks.
Dave.

[Moderator's note: I don't know of any WWW home page for the
VIRUS-L/comp.virus FAQ (and related info). Anyone interested in putting
one up, please contact me at krvw@assist.ims.disa.mil.]

------------------------------

Date: Wed, 13 Jul 94 07:48:47 -0400
From: FWF%GISA.UUCP@GERMANY.EU.NET
Subject: Re: How to count virus infections ?

How to count virus infections?

I am collecting information about virus infections for statistical
purposes. But I had a problem: how to count the infections correctly?

Scenario 1:
-----------

A software company has a PC infected with a boot virus. On this PC they
copied a demo program onto 100 floppy disks and distributed them. After
3 weeks they detected the virus and informed all customers. This
happened in the meantime:

50 customers did not use this demo floppy.
40 customers checked the demo floppy, detected the virus and cleaned it
   (without damage).
10 customers used this demo floppy, with the following result:

Customer   total PCs   infected PCs   infected floppy disks
Number                                 (in addition)
-----------------------------------------------------------
   1           1            1               0
   2           1            1              10
   3           1            1              50
   4           2            1              20
   5           2            2              20
   6          10            1               1
   7          10            5              10
   8         100            1               0
   9         100           10              50
  10         200           50             300
            ----         ----            ----
total        427           73             461

Now the big question: How many infections?
Possible answer 1: 1+50+40+10+73+461 = 635
Possible answer 2: 1+   40+10+73+461 = 585
Possible answer 3: 1+      10+73+461 = 545
Possible answer 4: 1+         73     =  74
Possible answer 5: 1+      10        =  11
Possible answer 6: ???

Scenario 2:
-----------

Instead of a boot virus we now have a file virus, and in the customer
table an additional column of infected files. Is there a difference in
counting with regard to scenario 1?

Regards,
Frank W. Felzmann
e-mail: fwf@bsi.de

----------------------------------------------------------------
BSI - Bundesamt fuer Sicherheit in der Informationstechnik, Bonn
Voice +49-228-9582-248 / FAX +49-228-9582-400
GISA - German Information Security Agency
----------------------------------------------------------------

------------------------------

Date: Wed, 13 Jul 94 10:33:12 -0400
From: "Y. Radai"
Subject: Re: Fred Cohen and computer viruses

Vesselin wrote concerning Adleman's paper "An Abstract Theory of
Computer Viruses":

> But have you really understood it? I haven't - and several other
> serious researchers I have asked have admitted that they don't
> understand it either. Until I met Prof. Harold Highland on a
> conference in Curacao a few weeks ago - and he told me that, according
> to Len Adleman himself, this article has been some kind of elaborated
> joke from the part of Prof. Adleman. He wanted to prove that one can
> publish any kind of rubbish in a serious source, if a famous name is
> attached to that rubbish. A very naughty joke with the anti-virus
> research community, I must say... :-( I've spent lots of time
> pondering on that paper...

I found this to be an incredible story, so incredible that I asked
Prof. Highland about it. It turns out to have been a complete
misunderstanding. His explanation is that Vesselin and another person
had been complaining that they could not understand Adleman's paper,
and Highland remarked that many people cannot understand Fred Cohen's
papers either.
He added that Fred had once sent a paper to him which was insufficiently
clear but which Fred jokingly said would probably get published anyway
because of his reputation. The trouble is that Highland's remark was
made in a noisy restaurant, and it's therefore understandable that his
switch from Adleman to Cohen wasn't noticed by Vesselin.

Whatever Vesselin understood, the important thing is that Highland has
never seen Adleman's paper or talked with him about it and therefore
would never have made such a statement. Moreover, he does not believe
that Adleman would ever do such a thing.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Thu, 14 Jul 94 04:18:43 -0400
From: cthompso@gpu.srv.ualberta.ca (The Master)
Subject: Re: Anonymous FTP Site Distributing Viruses?

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: Rick Schott (RSCHOTT@CMS.CC.WAYNE.EDU) writes:
: > One of our system programmers saw and heard part of a news article on
: > the Detroit NBC TV affiliate last night (Th 06/02/94, 6 pm), about an
: > anonymous FTP site that has virus samples. Unfortunately, he didn't
: > get any further details. Does anyone have any details about this?

I just picked up some interesting files from a pretty well-known
anonymous ftp site. Included were several live viruses, as well as a
virus-design program. Freedom of information, I guess... at least it
makes my job easier (I am a CompSci student and viruses interest me).
I'm *not* planning on distributing viruses, so if you want any or want
to know where I got them from, go away. I won't tell you. =)

-=Christopher Thompson=-

------------------------------

Date: 14 Jul 94 14:16:07 +0100
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Disabled viruses?

frisk@complex.is (Fridrik Skulason) writes:

> buster@klaine.pp.fi (Kari Laine) writes:
>
>>But NO anti-virus vendor should be able/willing to supply you with a
>>set !
>
> unfortunately not true....one vendor distributes a set of "viruses" for
> "testing" .... carefully selected so that they detect them all, and the
> competition detected few or none....conveniently ignoring minor issues
> such as:
. bits deleted ...
>
> If you change the sentence to "But NO respectable anti-virus vendor should
> be able/willing to supply you with a set !", then I'll agree.
>
> -frisk

True. I would go even further. If a 'vendor' offers you a set of 'test'
viruses in order to do your own comparative review, don't go near them
with a barge pole - they are probably afraid you will believe the
Comparative Review ratings you might read elsewhere :)

Regards,
Richard Ford
Editor, Virus Bulletin.

------------------------------

Date: Thu, 14 Jul 94 15:12:02 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Spot the Difference

Re the debate about viruses and 'real viruses' and 'when is a virus a
virus':

Following feedback from Messrs Bontchev and Cohen to my previous
postings on the subject, I went and did some Deep Thought..:-)

For the purposes of this discussion I want to differentiate between two
classes of replicating systems:

Viruses: these are our common-or-garden viruses, like Stoned, Frodo,
Dir-II.

Other Replicating Systems (ORS): these are things like Fred's boot disk
with autoexec.bat and diskcopy on, or Vesselin's
self-distributing-and-installing anti-virus software.

The thing that differentiates viruses from ORS is that viruses employ
some measure of fraud or deception: the victim ends up running code
that he did not expect to. I know this is vague, but I can't think of a
better way of expressing it ATM. Some examples:

Stoned: victim thinks he is running his boot sector, but is running
Stoned.
Frodo: victim executes filename.exe, but actually runs code from Frodo
first.
Dir-II: victim executes filename.exe, but actually runs Dir-II first.
Similarly for companion infectors.
Now in the case of ORS, this does not happen - there is no deception.
The user runs SuperScan, and it goes and installs itself all over. Or
the user boots from a floppy, and it does exactly what he expects it
to; no other unknown code is run.

So the difference boils down to: does the code attempt to deceive the
user or not?

Now what about generation 0 / generation 1 viruses? For example,
virus.com? These are a special case, and must be considered as
installers; once installed, the resulting virus will practice
deception...

Cheers,
Ian

--
-----------------------------------------------------------------------------
Ian Douglas        InterNet: iandoug@cybernet.za
P.O. Box 484       Lead, Follow,          FidoNet: 5:7102/119
7532 Sanlamhof     or get out of          TopNet:  225:2048/1
South Africa       the way.
-----------------------------------------------------------------------------

------------------------------

Date: Fri, 15 Jul 94 05:25:52 -0400
From: Arnstein.Eidsmo@ntdh.no (Arnstein Eidsmo)
Subject: The spread of computer viruses

Hi!

I'm working on research on the spread of computer viruses in Norway. I
wonder if anyone could help me with similar statistics from other
countries.

Thanks!

Reply to Arnstein.Eidsmo@ntdh.no

----------------------------------------------------------------------------
Arnstein Eidsmo             Tlf:    74 16 66 11 - ln 333
Nord-Trondelag College      Fax:    74 16 10 17
Postboks 145                E-mail: Arnstein.Eidsmo@ntdh.no
7701 STEINKJER
----------------------------------------------------------------------------

------------------------------

Date: Fri, 15 Jul 94 08:50:41 -0400
From: doug@umcc.umcc.umich.edu (Douglas Peterman)
Subject: Re: books on virus' and their history?

>: Hello all, I was wondering if anyone knew of a good book about viruses and
>: their history. I heard of one a while back but could not recall the name. My
>: point is not to build a virus, but to learn more about them, first ones, what
>: certain ones do, etc. Any help is appreciated.
I wrote about a twenty page paper about two years ago, and some of the
best sources I used were docs from various detection programs. If you
can find old versions of scan/f-prot/etc. it is easy to spot trends in
viri as well as study their effects. Also, VSUM is an interesting
hypertext collection of information about assorted viruses. It includes
what they do as well as when and where they originated. These software
packages are all available from McAfee's anonymous ftp site
ftp.mcafee.com.

Perhaps the single most interesting source was a paper by Vesselin
Bontchev on his experiences (in Bulgaria, if my memory serves me
correctly) that I came across on a BBS somewhere. It was fascinating.
He wrote not only about the viruses, but also about their creators -
touching on their mindset, etc. (I guess now is as good a time as any
to say THANKS, Vesselin!)

--
*** Of all the things I've lost, I miss my mind the most...        ***
*** Doug Peterman - doug@umcc.umich.edu - dougpman@cyberspace.org ***

------------------------------

Date: Fri, 15 Jul 94 15:03:04 -0400
From: hauh@ismennt.is (Haukur Hreinsson)
Subject: Re: Bad and good viruses...

roger.ertesvaag@thcave.bbs.no (Roger Ertesvaag) writes:

>* In a message to All on 06-28-94, Bradley said:

>B> It's a virus that does what I said. It includes an uninstall option for
>B> the hard drive. If you want to know more, I have the full KOH document
>B> in my little personal FTP site: ftp.netcom.com:/pub/bradleym
>B> Just read the KOH.readme to find the KOH directory, and DON'T take the
>B> actual program out of the U.S. because it's export controlled.

>A virus that's export controlled? You must be kidding!

This is no joke. According to the ITAR regulations, taking this virus
out of the US gets you 41 to 52 months in prison!

Imagine now that somebody is in court, accused of violating the
regulations by exporting KOH.
I would like to see some discussion about the bizarre implications of
this being a virus, to bring the thread to life again.

------------------------------

Date: Fri, 15 Jul 94 15:43:15 -0400
From: perry@garfield.hacktic.nl (Perry Rovers)
Subject: fingerable virusinfo, FAQ and good/beneficial viruses

>VIRUS-L Digest   Friday, 15 Jul 1994   Volume 7 : Issue 53

Addressing 3 items from this digest:

-----------------------------
FAQ in comp.virus/virus-l:
-----------------------------

>Date: Fri, 01 Jul 94 15:18:47 -0400
>From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
>Subject: Re: Types of viruses???
>
>Mike Winkelman (mlwinkelman@dow.com) writes:
>
>> I was wondering if there is a faq for this group and
>> where it might be?
>
>I'm surprised Ken has not answered this... The FAQ is posted here
>monthly and the last posting of it was not so long time ago. It can

Vesselin, the people that subscribe through the mailing list/digest
format (like myself) do not get the monthly FAQ. Maybe Mike gets the
digest instead of comp.virus. The anti-viral archive postings do come
through, though. Perhaps it's a good idea (if it hasn't been done
already) to mail the FAQ to a new subscriber to the digest or the
mailing list upon subscription, as was done with the OS2-L list.

Why would anyone want the digest when he/she can get comp.virus? The
reason for me: I tend to read my mail and just browse through different
groups. This way I can be sure to read all the stuff in here, even if
it's a little later than usual.

-----------------------------
fingerable virusinfo:
-----------------------------

>Date: Fri, 01 Jul 94 16:34:52 -0400
>From: Michael_D_Jones@ccm.hf.intel.com (Michael Jones)
>Subject: Re: Why so many Leprosy viruses? (PC)
>
>benefit, but that doesn't make it reliable.
>What would be ideal, would be to
>get information using something similar to "finger" where you could say:
>
>"finger virusname@whoever.wants.this.huge.project"
>
>What are your ideas about this?

I like the idea.. but there are a LOT of practical problems I fear.
Think of the different naming schemes, the maintenance, the accuracy.
No, I'm not volunteering.. there are far more knowledgeable and more
resourceful people for such a thing. Maybe this is something for the
CERT?

-----------------------------
good/beneficial viruses?:
-----------------------------

>Date: Fri, 01 Jul 94 13:02:55 -0400
>From: "AMERICAN EAGLE PUBLICATION INC." <0005847161@mcimail.com>
>Subject: Good Viruses
>
>After reading the ongoing discussions about good viruses in virus-l, it would
>seem that some people will never agree on anything related to this subject.

You're right. Let me first make clear that as of yet I have never seen
a beneficial virus and have to see one to believe they a) can exist,
b) can perform a function impossible to other programs.

>I would like to ask a question to some of the people who seem ready to attack
>any and everyone who suggests a good virus is possible: What criteria would you
>propose to qualify a virus as "good"?

When is a virus beneficial? If it does useful things that no other
program can do in a reliable, fast etc. way that doesn't hinder others,
I guess. The same goes for most other programs (the term 'useful'
depends on the user). So it would have to fit the 'virus' definition to
separate it from other programs.

>be good is ignorant. There is no software that NEVER causes problems with other
>software, at least not on PC's. And the closer to a systems level one gets,
>the more it is true. On the other hand, buggy software isn't commercially
>viable, and that could equally be applied to viruses as well.

I think this is a fair point. Some people say there can be no good
viruses because they always do something you don't want.
The same goes for other software. I've seen Windows programs updating
each other's files so many times, causing errors and stray files and
whatever, to the point where I remove it completely.

>Date: Fri, 01 Jul 94 16:36:55 -0400
>From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
>Subject: Fred should owe me a grand ?
>
>From: "Brian H. Seborg"
>Subject: A virus definition...
>
>>"We define a computer 'virus' as a self-replicating program that can 'infect'
>>other programs by modifying them or their environment such that a call to an
>>'infected' program implies a call to a possibly evolved copy of the 'virus'."
>
>This is a very good definition though I would be tempted to say "possibly
>evolved but functionally similar" to account for "real" virus behavior.

So (having just read Neuromancer) what about the Hosaka in that book?
(For those who don't know, the Hosaka is a program that seeks out
information on demand, similar to the 'agent' type programs that
recently have been getting some media attention.) Suppose you have an
agent that you send on a search for info; the program starts its
search, finds something, lets one copy investigate it, replicates and
sends the second copy on its way for more. To account for the
'environment modification' you can think of a program that sends
updates of information as soon as there's a change. The problem side
with this program is that it's bound to use resources somewhere, so it
has an adverse effect on the site where that's taking place.

This idea has probably been brought up dozens of times, but there are
people working on these kinds of programs, and things like WWW Wanderer
and WebCrawler could be their predecessors. Now, are they viruses or
not? They are programs that modify their environment to let them know
what's happening to the original program, and they replicate.

>To me, the difference between a worm and a virus is that the first
>is a stand-alone process and the second is parasitic.
>The common point is
>that both strive to become self-invoking as opposed to user-requested.

For a 'real computer virus', yes. But the people advocating beneficial
viruses are making a point of the fact that the user should either give
permission or knowingly start the virus itself. Of course, you can have
an agent program invoke itself when there's a question on your screen,
but that would be one step toward the uncontrollable. Even the Hosaka
in Neuromancer only does things when its master wants it to.

>Given this postulate (it is impossible for a process to determine with
>certainty that it may run or modify another program or process without
>damage), how could there be a beneficial virus ? True, many programs need

I'm tempted to say: How can there be a beneficial program? What goes
for a virus process goes for another program as well. Sure, there are
differences and:

>special massaging but the user usually knows what is going on.

But the user is increasingly unaware of what's going on today.
Especially with the programs you mention:

> Windoze INSTALL programs may well be viruses (or at least trojans) under
> this definition.

And some people insist they are. The degree of let-me-do-the-job with
these programs is quite high. Some even have these 'express' kind of
installs that do everything for you, where some rather nice errors can
occur if the program decides something for you and some other program
doesn't like that.

One last remark on this: just as 'the general public' (whatever it may
be) views hackers as crackers, it views computer viruses as nasty
little programs (not in the least caused by the media). I think it's
futile to try to change that. It won't work. If there are ever going to
be beneficial viruses, they will be called something else, and Dr.
Cohen will probably call them viruses.

BTW, why doesn't he make his papers available from jupiter.saic.com? It
does accept anonymous ftp, but contains nothing.
For people who'd like to read his articles but have a hard time
locating them, that would be a nice thing. He can even advertise his
book there :) Or perhaps someone else knows a better ftp or gopher or
WWW server?

Comments welcome, flames to sys$scratch.

--
Perry Rovers
Home: Perry.Rovers@garfield.hacktic.nl
Work: Perry.Rovers@kub.nl

------------------------------

Date: Wed, 06 Jul 94 19:35:30 +0200
From: Richard_Loerakker@f2.n3110.z9.virnet.bad.se (Richard Loerakker)
Subject: Good Virus?, here's a potential ironic example.

Yawn... Read this...

> I've seen a few messages about the potential good virus. Here's a
> potential example that I throw out for analysis/opinion. Ironically
> it's the VIR.DAT file of NetShield.

[blah blah blah]

> Scenario: In a multiple server environment with NetShield running on
> each server, NetShield can be configured with "Cross Server Updating
> Enabled". With cross server updating enabled, if the VIR.DAT file on
> the one server is updated (by copying a new VIR.DAT file over the
> older file), VIR.DAT will then proceed to copy itself to all the
> other servers and automatically update the virus database on each
> server. One can certainly argue that VIR.DAT is a "good virus"
> because it reproduces itself across the network to

No, you are wrong. VIR.DAT doesn't copy itself, VShield does that task.
How can you possibly start VIR.DAT when it's only a data pattern file
with (possibly) some algorithms? It needs a program that copies it.

If you want to look at that, you can also list some Lan-Manager
programs in the beneficial virus corner, because some have the
possibility to autoinstall newer versions of programs on the different
workstations. You can even consider Stacker a beneficial virus, with
its Stacker Lite, or let me even put it this way then. A stacked
computer system has got 2 autoexec.bat and 2 config.sys files, and one
will get automatically updated if the other changes.
Does that make Stacker a beneficial virus? If you use doublespace (poor
guy), it puts a hidden .bin file (which is actually a device driver) on
the disk that you format with the /S command. Does that make
Doublespace a virus?

I think I've proven my point. The things that you name aren't viruses,
and viruses can't be beneficial, because in such a small program you
can cope with all rarities that every system can have.

Greetings,
Richard Loerakker

--- GEcho 1.01+
 * Origin: RiLo @VRCH (2:281/552.6)

------------------------------

Date: Mon, 18 Jul 94 14:02:26 -0400
From: ian@bvsd.k12.co.us (Ian S. Nelson)
Subject: Re: Anonymous FTP Site Distributing Viruses?

Iolo Davidson writes:

>I have come to believe that this is (a) futile and (b)
>counterproductive.

>Trying to kill the market for viruses by restricting the supply just
>drives up the price. Hence the collection now being marketed on CDROM.
>If the price is attractive enough, it will become an additional
>motivation for writing new viruses (ie CDROM V.2). The only way to
>destroy the market is to allow free distribution of viruses. I would
>not want to be involved in such distribution myself, though. Let the
>crazies do it.

I must agree with this. It's the same principle that is behind piracy.
You restrict access to stuff and it becomes much more elite; people do
more to get it. I've always noticed that when a pirated file gets
uploaded to a BBS, the BBS advert inside always brags about the number
of users it has and has a number like 1-505-GUESS-IT or something. VX
boards require original uploads to get download privileges and try to
be just as elite. This only produces more viruses. If every little punk
who wants on to Joe Bob's VX board is patching Jerusalem or Israeli so
that it is a new variant, the number of viruses explodes, as it has.

I don't see why it is so taboo any more.
DOS comes with AV software (it sucks, but it'll catch just about
anything you're going to encounter) and keeping it hush-hush just makes
it more interesting to the little kids who will go and get involved. A
few years ago Phrack was a pretty underground magazine; now it is
common and in a way respected by a lot of people. The foundation of it
is the same, the history behind it is the same, but it's more
acceptable. When you have as many people looking out for you as we do
now (all major BBSes scan, ftp sites scan, a good deal of downloaders
scan) the only outbreaks are going to be intentional attacks, which are
rare and already happen.

--
Ian S. Nelson       I speak for only myself.   Finger for my PGP key.

------------------------------

Date: Mon, 18 Jul 94 14:06:38 -0400
From: Roger Hackney
Subject: Re: books on virus' and their history?

To the person asking for books on computer viruses, try:

"A SHORT COURSE ON COMPUTER VIRUSES" 2nd Edition by DR. Cohen (a
leading authority on viruses). Distributed by WILEY.

This is a recent book and will tell you everything you ever wanted to
know about viruses.

------------------------------

Date: Mon, 18 Jul 94 14:04:35 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: anti virus viruses

larsnerd@color.ithaca.ny.us (Lars Friend) writes:

> Has anybody ever considered that one could construct a virus that
>tries to stamp out other viruses?

There are a few that try to do this....In my opinion this is just one
of the things that can be done with a virus, but why bother ? ... doing
it with a non-virus program is just as efficient, and much less likely
to cause problems.

-frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 12 Jul 94 18:03:03 +0000
From: vkelson@bronze.ucs.indiana.edu (victor allan kelson)
Subject: Lenart?? (PC)

I have recently found the Lenart virus on several machines which I
commonly use.
What is it? What does it do? How is it transmitted? Does anyone else
have experience with it? It was found and removed by Central Point PC
Tools for Windows (not necessarily a plug, but I like it). We have
found that, post-cleaning, floppies are unreadable. It apparently
attaches to the boot sector. Any recommendations??

Please reply here or to me at vkelson@indiana.edu.

THANKS!

Vic Kelson

------------------------------

Date: Tue, 12 Jul 94 18:13:27 -0400
From: /PN=JAMES.FOSTER/OU=AEDC1/@smtpgate.arnold.af.mil
Subject: Anti-Virus Software for MS LAN (PC)

I would like some information on AV-Software that will run on a
Microsoft LAN 2.2b network. Currently, we are using F-Prot to check
individual PC's when problems arise. We have experimented with running
F-Prot from the command line at our LAN logon script to check
workstations every time they sign on to the network, but ran into
memory problems. We are currently considering a keyboard buffering
utility to run F-Prot after the MS Lan logon script has finished.
Virstop is also under consideration.

We have talked with Command Software about the package they sell that
enables F-Prot to run on a Novell network. Their (end)-product sounds
good, but will not be compatible with our MS Lan network. We are very
happy with the F-Prot package, but need the LAN protection.

Does anyone have information on the Symantec package (or, for that
matter, any AV-Software) that will run on MS Lan?

Thanks,
James Foster
(615) 454-4474
fosterjm@hap.arnold.af.mil

------------------------------

Date: Tue, 12 Jul 94 22:10:45 -0400
From: johnnyrock@delphi.com
Subject: Re: Little Fishies? (pc)

I think it's the whale virus by SCISM.

------------------------------

Date: Wed, 13 Jul 94 06:49:26 -0400
From: moehlman@gelb.informatik.uni-bonn.de (Peter Moehlmann)
Subject: virus 1028 Bytes need help (PC)

Hi !

URGENT !

I have this virus which is 1028 Bytes long and appends to command.com
and other com/exe-files on my c:-partition.
Which program can I use to destroy it? scan 2.0 and central point
anti-virus didn't help. Only the 2nd one found it and tried to repair
it, but when I boot once or twice the virus is still at command.com.
command.com is now 510039 Bytes large. If I boot without config.sys and
autoexec.bat once or twice it still appends, so I think it can't be in
any tsr. But where is it?

Peter

Please respond as soon as possible. I can't work with my pc!!

------------------------------

Date: Wed, 13 Jul 94 07:00:19 -0400
From: brucemcc@ids.net
Subject: Help Win 32 Bit File Virus? (PC)

! Help

We have been getting an error message when starting Windows 3.1 about
not being able to start 32 Bit File Access. This machine has been
running for 8 months without this message. It has now jumped to another
machine through a bootable diskette. Please E-Mail or Post if you have
any info.

Thanks
Bruce McCabe
brucemcc@ids.net

------------------------------

Date: Wed, 13 Jul 94 18:17:43 -0400
From: ashcroft@insane.apana.org.au (Rod Ashcroft)
Subject: Dr PANDA Utilities (PC)

Pardon my ignorance, but I'm trying to get some feedback on an
anti-viral suite called Dr Panda Utilities, from Panda Systems. These
utilities are provided on disk with a book titled PC Security and Virus
Protection Handbook, by Pamela Kane. Not knowing a lot about viruses,
it's hard to evaluate what is being written in this publication. Has
anyone used these utilities extensively, are they effective, how do
they compare with other anti-viral programs?

Also, what sort of standing does Pamela Kane have in the world of virus
detection? There would seem to be a large degree of difference of
opinion (to put it mildly) between her and John McAfee reflected in her
writings. She comes down on McAfee quite heavily - is she justified in
doing so?

Any help would be greatly appreciated.
Many thanks, Rod Ashcroft ------------------------------ Date: Thu, 14 Jul 94 17:37:30 +0000 From: mhsalmon@descartes.uwaterloo.ca (Mark Salmoni) Subject: SBC virus? (PC) Keywords: I have a virus call SBC that has infected all my .com files I have disinfected all my files but it will not leave my command.com files and If I delete those files my system will be non functional If any one can help me with my problem it would be greately appreciated ------------------------------ Date: Thu, 14 Jul 94 14:43:32 -0400 From: ncaf@ncaf.cais.com (Nathan Caffo) Subject: A/Rose (PC) Sorry to post this silly question. But... So when I posted this there wasn't a FAQ available so I thought I'd just ask if anyone has heard of a virus called A/ROSE. It's possible that its just an extension from some application I'm not familiar with, but I've gone back over things I've installed over the past month and can't seem to find it on any of my disks. Any help via e-mail would be appreciated. ------------------------------ Date: Fri, 15 Jul 94 09:18:55 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Matura (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >If this is indeed one of the Matura viruses, F-Prot 2.12c should be >able to reliably detect and disinfect it. "Matura92" is probably Matura.1626, and yes...we can remove it. - -frisk ------------------------------ Date: Fri, 15 Jul 94 09:23:28 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: SMEG Junkie (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >version 2.12c. It detects and disinfects reliably both viruses - >Junkie and the two SMEG viruses. There are a few problems, however. >First, in my tests F-Prot says "Possibly a new or modified version of >Junkie" when examining a Junkie-infected boot sector. Fixed in 2.13, which I will probably release later today. >means that it won't be able to remove it from the boot sector. 
Also, a >third SMEG virus appeared recently, using an improved polymorphic >engine. F-Prot can detect some replicants, but not all and cannot >disinfect them. Right....this will probably be taken care of in 2.13a.... - -frisk ------------------------------ Date: Fri, 15 Jul 94 13:16:26 -0400 From: mike.murphy@atlwin.com (Mike Murphy) Subject: Virus: Forms (PC) I have been hearing rumors of some Super-Monster virus called FORMS. I am not sure what this thing does, but a friend of mine who works with main-frames is scared to death of this thing. Does anybody have any FAQ's on this or have any reasonable knowledge of what this thing does? All assistance would be greatly appreciated, not only to me but to the public as well. Thanks...Murfster - --- CMPQwk #1.4. UNREGISTERED EVALUATION COPY - ---- +---------------------------------------------------------------------+ | The Atlanta Windows BBS (404)516-0048 9 high-speed USR nodes | | Largest Win-specific BBS in the SouthEast- CDROMs, RIME, INTERNET | +---------------------------------------------------------------------+ ------------------------------ Date: Fri, 15 Jul 94 14:16:54 -0400 From: Iolo Davidson Subject: generic virus question (PC) > TC Molloy recently posted about a problem with the > Monkey virus that caught my attention. He said in part: > > > I put the disk in my PC and typed 'dir'. Immediately, the bells and > > whistles from my Anti-viral package went off. The "Monkey" virus was > > attempting to write to the boot sector of my hard disk and my anti-virus > > software package had frozen my machine waiting for me to respond with > > Proceed or Stop. My anti-virus package stops whenever anything attempts to > > write to the boot sector without permission. Of course, I said STOP.. > > How would a virus like this get activated? TC typed dir on his > machine which wasn't booted off of the customer's infected disk. 
> wouldn't something have had to execute code that was infected, > or was it the tsr of his anti-virus program that automatically > scanned the disk and caught the culprit before it could do any > damnage or was even accesed. I would say it was the TSR, if the sequence you quote was what actually happened. Several TSRs will scan a floppy for boot sector viruses the first time it is accessed, and give you a warning. A DIR would be all it took to get the warning, but the virus itself would not be executed by a DIR. Of course, it is possible that the sequence you quote is *not* what actually happened. The report that the virus was attempting to write to the hard disk is not consistent with just doing a DIR. - -- SHE KISSED SHE THOUGHT IT WAS THE HAIRBRUSH HER HUSBAND JAKE BY MISTAKE Burma Shave ------------------------------ Date: Sun, 10 Jul 94 16:35:00 +0200 From: Paul_Browning@f0.n462.z9.virnet.bad.se (Paul Browning) Subject: Vshield (PC) Does anybody have any idea why Microsofts Vsafe is giving me false alarms - there is one exe file that I have that when I try to run it - Vsafe Reports that the file is infected with the Cook 7392 virus - I then scan it with msav and mcafee v.116 and both of them say that it is virus free but - vsafe still won't let me load the file unless I disable Vsafe - does anyone know why I am getting these false alarms? - --- FMail/386 0.98 * Origin: Ultimate BBS - Vancouver, BC, Canada - (604) 224-1657 (9:111/110) ------------------------------ Date: 15 Jul 94 16:59:51 -0400 From: un032314@wvnvms.wvnet.edu (JEFF BURES) Subject: Virus scanner name/source?? (PC) I used to use a shareware virus scanner written by a guy in Iceland or Greenland. I can't remember the name. Does anyone remember the name, and know of a FTP site, or the email address of the author? Thanks, Jeff Bures ------------------------------ Date: Mon, 18 Jul 94 14:02:51 -0400 From: gbbrooks@cs.buffalo.edu (G Brandon Brooks) Subject: Cascade virus (PC) Hi! 
Recently a computer at my work was infected with the CASCADE virus. It hasn't done any harm so far as far as we can tell. We're getting rid of it, but I was wondering what exactly does this virus DO? Or HAS it done 'something' that we're unaware of? ;) Thanks, Brandon! ------------------------------ Date: Mon, 18 Jul 94 14:02:41 -0400 From: umchu023@cc.umanitoba.ca (Andy Hon Wai Chu) Subject: Re: Best Anti-virus software (PC) csx134@cck.coventry.ac.uk (Philip Sherlock) writes: > wrote: >>Were trying to figure out the best Anit-virus software for both >>Netware server's (NLM's) and DOS/Windows workstation. >> >>etc. >Yes, use F-Prot. I have been using it now for two years and it has kept >the network and all 50 workstations clear, as well as about another 60 >stand alone machines in an educational environment. Updates are regular. >What more can I say? I agree, F-Prot is definitely ONE OF THE BEST, but if you are not using F-Prot Profession, then I will suggest you use a supplement AV which will do file integrity checking. (it is a effective way to prevent unknown virus.) Keep going F-Prot, keep going Fridrik Skulason... :) Andy Chu - -- Andy Hon Wai Chu email: umchu023@ccu.umanitoba.ca from: University of Manitoba, Canada ------------------------------ Date: Mon, 18 Jul 94 14:04:44 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: SMEG Virus Test (PC) 93647758S@sgcl1.unisg.ch (Luca Sambucci) writes: >> VIRUS TEST Nr. 002 >> -= SMEG Viruses =- There is a problem which does not seem to be addressed in the test. Sometimes an infection by those viruses ... Queeg in particular....seems to create a corrupted file ... when it is run, it does not decrypt correctly, and will most probably crash the machine. By my definition those samples are not viruses, and I strongly suspect that the reason all the programs missed some Queeg "samples" is that they wre files of this type. 
- -frisk ------------------------------ Date: Mon, 18 Jul 94 14:03:27 -0400 From: mcafee@netcom.com (McAfee Associates) Subject: Re: generic virus question (PC) Hello Mr. Smith, sjs@crl.com (Steve Smith) writes: >Please excuse my ignorace on the subject, but I'm trying to understand >viruses. TC Molloy recently posted about a problem with the >Monkey virus that caught my attention. He said in part: >> I put the disk in my PC and typed 'dir'. Immediately, the bells and >> whistles from my Anti-viral package went off. The "Monkey" virus was >> attempting to write to the boot sector of my hard disk and my anti-virus >> software package had frozen my machine waiting for me to respond with >> Proceed or Stop. My anti-virus package stops whenever anything attempts to >> write to the boot sector without permission. Of course, I said STOP.. >How would a virus like this get activated? TC typed dir on his >machine which wasn't booted off of the customer's infected disk. >wouldn't something have had to execute code that was infected, >or was it the tsr of his anti-virus program that automatically >scanned the disk and caught the culprit before it could do any >damnage or was even accesed. > >Thanks >Steve Smith >sjs@crl.com > >- - -- >TC Molloy >Internet email: dd.id=msmwhq01.tmollo01@eds.diamondnet.sprint.com > It is also possible that the message from the anti-virus package is inaccurate. When reviewing the messages to go into VirusScan Version 2.X, we spent a long time reviewing the messages in the VIRUSCAN Version 11X series and made many changes. Come to think of it, I doubt any "old" messages escaped unchanged. :-) Some of the changes were quite small, such as displaying "Master Boot Record" instead of "Partition Table"(1) while others were more of a challenge, such as explaining what to do when a virus is found in memory. 
Remember, people with varying levels of computer experience use anti-virus software, so you have to provide the simplest message possible, but no simpler. (Apologies to the late A. Einstein.) As a rule, anti-virus messages should: 1. CLEARLY identify that a problem has occurred. 2. EXPLAIN the nature of the problem. and 3. RECOMMEND a course of action to the user. There are probably a few other things as well that I'm neglecting, but then again, they should also be CONCISE. :-) Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com 2710 Walsh Ave, 2nd Floor| FAX (408) 970-9727 | or try: support@mcafee.com Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95051-0963 USA | USR HST Courier DS | or GO MCAFEE Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW ------------------------------ Date: Mon, 18 Jul 94 14:05:35 -0400 From: iolo@mist.demon.co.uk (Iolo Davidson) Subject: Mosquito Viruses (PC) bmonette@porpoise.oise.on.ca (Bernie Monette) writes: > Dennis Clouse (Dennis.Clouse@ucop.edu) writes: > > >We consider mosquitoes a threat...we eradicate them without > >considering the guilt or innocence of *idividual* mosquitoes... > >ditto the alleged 'beneficial or 'nondestructive' computer > >virus. > > You argue precociously. However, it has been a common practise > to use genetically altered insects, ergo beneficial, to eradicate > or reduce the harm of the same species: locusts I think is one > example. This method works and is environmentally safe. So why > not try a similar tactics with computer viruses? *Viral* action > performing necessary tasks on a computer. All we have to do is > develop the programming skills to do so. No, programming skills are not the problem. There are two very good reasons not to do what you suggest. 1) There is no point. 
You do not need a virus to perform necessary tasks. Normal programs do anything that is required. 2) No one in the real world wants any virus loose on their computer(s), regardless of any theoretical arguments for possible "beneficial" viruses. This subject has been done to death already. - -- THE BEARDED LADY A FAMOUS TRIED A JAR MOVIE STAR SHE'S NOW Burma Shave ------------------------------ Date: 14 Jul 94 14:19:46 +0100 From: virusbtn@vax.oxford.ac.uk Subject: Virus Bulletin Abstract July 94 FYI: Further information direct from me via Email. Regards, Richard Ford Editor, Virus Bulletin Virus Bulletin Abstract - July 1994 1. EDITORIAL: Fire The latest virus scare prompts the editor to ask whether the world will listen when the panic is 'for real'. 2. VIRUS PREVALENCE TABLE 3. NEWS Junkie Mail. Another virus alert, this time from a US company. What is the Junkie virus, and what does it do? VB Conference '94 on Track. The fourth annual VB conference: final details. The Big Chill. Details of the Chill virus uploaded to ZiffNet. 4. IBM PC VIRUSES (UPDATE) A list of new viruses reported to VB. 5. FEATURE: The Ludwig Collection. The contents of 'The Collection', Mark Ludwig's CD-ROM full of viruses available from American Eagle, are examined. 7. VIRUS ANALYSES Stealth.B: Invisible Fire. Analysis of the Stealth.B virus, currently in the wild in the USA. Argyle: Viruses and the i386. Argyle is a new virus which uses 386-specific code in order to hide its presence in memory. 8. COMPARATIVE REVIEW The Review, Reviewed. Keith Jackson discusses the difficulties involved in writing a review which is objective at the same time as fair. VB Scanner Review: July '94. Twenty-seven products are tested and rated according to how well they perform in virus detection. 9. PRODUCT REVIEW: Norton on NetWare. This month's NLM review takes on Symantec's latest offering. 10. REVIEW: Virus: Prevention, Detection, Recovery. A review of a new training video, aimed at general staff. 11. 
END NOTES AND NEWS: What's happening in the virus world? ------------------------------ Date: Fri, 15 Jul 94 12:44:47 +0100 From: Luca Sambucci <93647758S@sgcl1.unisg.ch> Subject: Two new ICARO sites - -----BEGIN PGP SIGNED MESSAGE----- I am pleased to inform you that now ICARO has two new official distribution sites, a ftp-site in Italy, and a Bulletin Board Service in Sweden: FTP-SITE: ITALY: - ftp.dsi.unimi.it:pub/security/docs/icaro BULLETIN BOARD SERVICE (BBS): SWEDEN: - Virus Help Centre ++46-26 275710 (1200 - 14400 baud HST/DS) FidoNet: 2:205/204 VirNet: 9:461/101 ++46-26 275715 (1200 - 14400 baud V32) FidoNet: 2:205/234 VirNet: 9:461/111 A complete list of all ICARO's official distribution sites is available at our sites (file SITES.ZIP ) or at request via e-mail directly from me. Every Sysop or ftp-administrator who wishes to become an official I.C.A.R.O. distribution site can contact me via electronic mail. Internet: luca.sambucci@ntgate.unisg.ch FidoNet: Luca Sambucci 2:335/348.6 Best Regards, Luca Sambucci =**********************************************************************= ___________ Luca Sambucci ____________ | | | | | __ | | | | | Postfach 2006 | | | | | | | | 9001 - St. Gallen | | | | | | | | Switzerland | ___| |___ | | | | | || || | | | | ||___ ___|| | | | | Internet: luca.sambucci@ntgate.unisg.ch | | | | | | | | Fido Net: Luca Sambucci 2:335/348.6 | | | | | | | | Caesar Net: Luca Sambucci 175:391/1.7 | |__| | |___|___|___| |____________| * PGP public key available on the public key servers * =----------------------------------------------------------------------= The first thought of God was an angel. The first word of God was a man. 
Kahlil Gibran =----------------------------------------------------------------------= =**********************************************************************= - -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLiUS2+ZQNzkHaA4JAQEm2wP/bLLGq+41sFDEkylj19MG4Sn1Jkdw2L4A pabFM2xMtCa8jWshPwleNvhKQJ8oOXcnyEwLf49bLF7V+T0TRRdrKWqwY1vqy4uD aooszLdgi1yTF9qHhpfAyIZSdAWqfkx4EwblBfC2gU81EEQvXMdJa06Axfy8Sal5 gEli1x95ek4= =jgJf - -----END PGP SIGNATURE----- ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 58] *****************************************
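Two posts in this digest describe the pieces of a scanner supplement: Andy Chu's suggestion of file integrity checking to catch unknown viruses, and Aryeh Goretsky's rule that an anti-virus message should identify the problem, explain it, and recommend an action. The following is an added example, not code from the digest or from any product it mentions; the file names, contents and the 1028-byte growth are constructed to mirror Peter Moehlmann's report, and SHA-256 is used in place of the era's checksums.

```python
import hashlib

def fingerprint(data: bytes) -> tuple:
    # size plus SHA-256 (a secure hash, not a forgeable 16-bit checksum)
    return len(data), hashlib.sha256(data).hexdigest()

def make_baseline(files: dict) -> dict:
    # snapshot of every monitored executable, taken while the machine is believed clean
    return {path: fingerprint(data) for path, data in files.items()}

def check_integrity(baseline: dict, files: dict) -> list:
    """One finding per executable that changed, vanished or appeared."""
    findings = []
    for path, (size0, digest0) in baseline.items():
        if path not in files:
            findings.append({"file": path, "kind": "missing", "growth": None})
            continue
        size1, digest1 = fingerprint(files[path])
        if digest1 != digest0:
            findings.append({"file": path, "kind": "modified", "growth": size1 - size0})
    for path in files:
        if path not in baseline:
            findings.append({"file": path, "kind": "new", "growth": None})
    return findings

def uniform_growth(findings: list):
    # several executables all grown by one constant length is the mark of an appending infector
    growths = [f["growth"] for f in findings if f["kind"] == "modified"]
    if len(growths) >= 2 and len(set(growths)) == 1 and growths[0] > 0:
        return growths[0]
    return None

def report(findings: list) -> str:
    # wording follows the McAfee post's rule: identify, explain, recommend
    if not findings:
        return "OK: all monitored executables match the baseline."
    lines = ["PROBLEM: %d executable(s) differ from the baseline." % len(findings)]
    for f in findings:
        if f["kind"] == "modified":
            lines.append("  %s changed (size %+d bytes)." % (f["file"], f["growth"]))
        else:
            lines.append("  %s is %s." % (f["file"], f["kind"]))
    g = uniform_growth(findings)
    if g is not None:
        lines.append("EXPLANATION: every changed file grew by exactly %d bytes, "
                     "the way an appending file infector alters programs." % g)
    else:
        lines.append("EXPLANATION: these files no longer match their recorded "
                     "hashes; an update or a virus has rewritten them.")
    lines.append("RECOMMENDATION: do not run them; boot from a clean, write-protected "
                 "diskette, then scan or restore the files from a known-good copy.")
    return "\n".join(lines)

# constructed sample: three executables, then the same set after two of them
# have had 1028 filler bytes appended (placeholder padding, not virus code)
SAMPLE_CLEAN = {"C:\\COMMAND.COM": b"MZ clean shell",
                "C:\\DOS\\EDIT.COM": b"MZ editor", "C:\\DOS\\SCAN.EXE": b"MZ scanner"}
SAMPLE_LATER = {**SAMPLE_CLEAN,
                "C:\\COMMAND.COM": SAMPLE_CLEAN["C:\\COMMAND.COM"] + b"\x90" * 1028,
                "C:\\DOS\\EDIT.COM": SAMPLE_CLEAN["C:\\DOS\\EDIT.COM"] + b"\x90" * 1028}
```

Running `report(check_integrity(make_baseline(SAMPLE_CLEAN), SAMPLE_LATER))` flags the two grown files and names the constant 1028-byte growth in the explanation; the unchanged scanner is not reported.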