VIRUS-L Digest   Friday, 5 Aug 1994   Volume 7 : Issue 60

Today's Topics:

Viruses = Commercial Opportunity?
A new m naming scheme for settling the good virus issue
Re: anti virus viruses
Re: Anonymous FTP Site Distributing Viruses?
Ethernet Virus Risk?
Re: Ignorance
Re: Good Viruses
Re: Ignorance
On updating the FAQ
Re: OS/2 Viruses? Are there a (OS/2)
THUNDERBYTE AV 621 (PC)
How to save a boot sector (PC)
Re: Killing the Monkey Virus (PC)
Why so many Leprosy viruses? (PC)
AntiExe virus, Help!! (PC)
junkie vir and freinds (PC)
Re: How to save a boot sector (PC)
Re: Boot sector virus ? (PC)
VIRUSCAN 2.x gripes & grumbles (PC)
Re: Junkie virus (PC)
Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)
Re: Dr. Solomon's on the move! (PC)
Re: MtE Virus info wanted (PC)
Re: Dr. Solomon's on the move! (PC)
Re: How to save a boot sector (PC)
Re: How to save a boot sector (PC)
FamM virus (PC)
Seeking information on Anti.CMOS virus ... (PC)
VIRU-SIM (PC)
Re: How to save a boot sector (PC)
Form Virus Mutation! Netware problem? (PC)
Re: Dr Solomon's on the move! (PC)
New virus? (PC)
bull-213.zip - F-PROT 2.13 Update Bulletin in ASCII (PC)
F-PROT 2.13 is out (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be
sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 18 Jul 94 14:03:53 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Viruses = Commercial Opportunity?

datadec@corsa.ucr.edu (Kevin Marcus) writes:

> Vesselin Bontchev wrote:
>
> >Now, let's suppose that your product consists of a scanner alone, and
> >you are about to enter the anti-virus business, with no prior
> >experience in the field. Currently there are about 4,500 known viruses
> >and averagely 2,000 new ones are produced every year. Let's suppose
> >that it takes you averagely one hour to analyse a virus and modify
> >your scanner in a way to be able to handle the virus properly. This
> >means that you must spend 563 man-days only to be able to handle the
> >currently known viruses. This is more than two years - and for those
> >two years another 4,000 viruses (at least) will appear.
>
> 2,000 per year, eh? Gee, Pakistani Brain came out in ... 1986? That
> means there should be more than 10,000. I think something is wrong here.

Just your basic assumption.

> While it might take and one for a *person* to analyse a virus, it is
> quite possible to:
>
> 1) Use already existing information to your advantage.
> There is a lot of information on the net, even some useful info in
> VSUM that could be used to make this speed up.

No, the kind of information you are talking about might help in
writing a primitive brute force scanner, but these have not been up to
the job for a couple of years now. Consulting VSUM will actually hurt
you. You have to do your own research.

> 2) Even for one person, I've always found it useful/helpful to have
> more than one computer. More than one hard drive might be kinda useful
> if you have only one computer.
> This allows you to have systems with
> different versions of dos -- many viruses might only work with dos 3.3,
> or 5.0 or...

The anti-virus researchers I know have lots and lots of computers,
even networks, set up for the various virus research tasks. I have
five myself, just for fiddling around. The problem is not equipment,
but personnel who can do the job.

> 3) Do you really need to detect 4500 viruses to be a useful product?
> There are many other products which don't detect nearly that many
> which still sell *quite* well.

The original query postulated 100 percent detection. All the answers
said it was not possible, especially for a start-up product. If you
want to talk about a lower detection rate, then you have to remember
that the product will be competing with many other products that do
detect nearly 100 percent. If you want to sell a product with inferior
detection, you will need a very pretty user interface and a terrific
marketing department. There are existing products which have these,
too.

> 4) While you will get opposite answers from just about everyone here,
> consider: Viruses in the wild are considerably more important to detect/
> remove than viruses *not* in the wild. Those should be highest priority
> (use Joe Wells' list, for example).

There is at least one product which only tries to detect viruses that
have been found in the wild. It isn't very successful in terms of
sales. It is not any quicker to include new viruses in its detection
capabilities either.

Every producer of an anti-virus product sees in the wild viruses as a
priority. And they certainly can't wait around for them to appear on a
list. In such cases, they generally get their samples directly from
someone who has had an outbreak, in the wild. You shouldn't assume
that a research team capable of keeping up with *all* viruses is
somehow unable to give priority to urgent ones.

> The other 4300 or so viruses not in
> the wild probably won't ever get there.
Some of them certainly will. There is no way to be sure which, so
sensible AV software looks for all of them. This is something that
customers understand.

> While I don't know if all, I'm sure that most viruses in the wild were
> "new" to virus scanners, and so they didn't help anyone in the first
> place, anyways, and they required some update before they were able to
> deal with the problem -- your product would also do this...

All viruses were new once, whether in the wild or not. When a new one
is released into the wild, a researcher may get a sample before the
public, or before most of the public, but it still takes time to
update the software. There are two levels to this; the regular update
(monthly for the better products) and the urgent in the wild add-on
driver. The regular update will help almost all your customers, few or
none of whom will be affected by the first in the wild outbreak.

I once turned out an add-on driver for a new virus in an hour and a
half, from receiving the virus sample on our BBS to FAXing the driver
to the affected premises in another country. This is for a product
which aims at detecting all viruses. How would aiming to detect *only*
in the wild viruses give you a faster reaction time than that?

What you are saying above is that you would delay any work on a newly
arrived virus sample until you were sure that it had been released in
the wild. Also, you would not handle known viruses that had been
around a long time until you heard that they had appeared in the wild.
This will put you behind, not ahead, of the competition.

> Plus, you'd benefit from smaller size, faster scans, and
> a higher repair rate (since you could concentrate on repairs for
> some of the nastily encrypted polymorphic viruses)

You make it sound easy. To me that says that you have never tried
doing it. Repair is one of the most difficult things to do.
Nonetheless, the anti-virus products that are the best at repair also
have the highest detection rates.
Limiting competence in one area does not magically give you extra
competence in another.

> 5) How much can the process be automated? With Linux becoming more
> popular on PC's, how much can DOSEMU benefit someone working with
> viruses? I'll just leave this one open for your thoughts... :)

As a research tool, someone is probably already using it if it is any
good. Others are using other things that they prefer. You don't have
to suggest tools for these people, they know about tools.

As something to go in the product, no way. AV products have to work on
standard DOS computers.

> 6) How much longer do you think that there will be a market for AV
> products? With OS's other than DOS gaining a larger user base, the
> number of viruses for a particular OS would be nearly reset to zero.
> People will only run programs in their DOS emulator before the
> equivalent comes out for their new OS.

The death of DOS has been heralded rather too many times. No one
believes it anymore. But in terms of the original question, it is
indeed a little late to try to get a foothold in the DOS AV market.

> >Do you see now why this is not for newcomers? Only a company with a
> >lot of experience and an already established product in the field will
> >be able to keep up with the game.
>
> Maybe a lot of experience in ASM programming, but probably not a whole
> bunch more.

Don't kid yourself. AV products have to have Windows and Novell NLM
versions to succeed now, in addition to DOS foreground and DOS TSR. At
least one (Dr. Solomon's) has an OS/2 version. You have to be able to
program on a lot of platforms, as well as understand esoteric
assembler to do the virus research. This means a team of capable
people.

> >That hasn't been very wise from your part, because Flu-Shot wouldn't
> >protect you from a boot sector virus like Michelangelo, and NAV is one
> >of the worse anti-virus products around.
>
> Yeah, just because it has a smaller detection than, say, McAfee's SCAN,
> let's say, it must be amongst the worst, eh? At least there couldn't
> possibly be any other factors that go into an AV product's reviews, eh?

Why would you choose a product that detected fewer viruses (including
in the wild viruses as it happens) rather than one that detected more?
Why would you expect a review of anti-virus software to ignore the
relative detection rates? There are other factors, and they are
covered in every review I have ever seen, but the main functionality
of the product *has* to be important.

--
SHE KISSED             SHE THOUGHT IT WAS
THE HAIRBRUSH          HER HUSBAND JAKE
BY MISTAKE                    Burma Shave

------------------------------

Date: Mon, 18 Jul 94 14:08:24 -0400
From: MANAL@delphi.com
Subject: A new m naming scheme for settling the good virus issue

How about this one:

Live program := a program that reproduces
Virus := a bad live program
bad := defined according to the morals and ethics of the individual

FC

------------------------------

Date: Mon, 18 Jul 94 14:11:25 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: anti virus viruses

Lars Friend (larsnerd@color.ithaca.ny.us) wrote:

> Has anybody ever considered that one could construct a virus that
> tries to stamp out other viruses?

How would it recognise all 4000+ viruses, and how to stamp them out,
and still remain a manageable size itself?

Cheers, Ian

--
-----------------------------------------------------------------------------
Ian Douglas                          InterNet: iandoug@cybernet.za
P.O. Box 484       Lead, Follow,     FidoNet:  5:7102/119
7532 Sanlamhof     or get out of     TopNet:   225:2048/1
South Africa       the way.
-----------------------------------------------------------------------------

------------------------------

Date: Mon, 18 Jul 94 14:08:06 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Anonymous FTP Site Distributing Viruses?
Iolo Davidson (iolo@mist.demon.co.uk) wrote:

[re closing down vX sites]

> I have come to believe that this is (a) futile and (b)
> counterproductive.
> The only way to
> destroy the market is to allow free distribution of viruses.

Not sure I follow this.. I have seen the results of people getting
access to things like VCL - where some twit uploads two variants of
his creation to about 5 BBS's within half an hour...

If we consider the many variants of Vienna, Burger, Stoned, Jerusalem,
etc, all of which have had their source code widely spread, it appears
that spreading code only makes the problems worse.

Or am I missing some insight that you have?

Cheers, Ian

--
-----------------------------------------------------------------------------
Ian Douglas                          InterNet: iandoug@cybernet.za
P.O. Box 484       Lead, Follow,     FidoNet:  5:7102/119
7532 Sanlamhof     or get out of     TopNet:   225:2048/1
South Africa       the way.          PGP key available.
-----------------------------------------------------------------------------

------------------------------

Date: Mon, 18 Jul 94 14:11:15 -0400
From: "Jeffrey Rice - Pomona College, California."
Subject: Ethernet Virus Risk?

This coming fall I'm going to have the ability to have an Ethernet
connection to my school's network. However, our system is full of
viruses, and I don't trust the programs they use. (Vsafe and MSAV)
I've worked pretty hard to keep my system clean. What risks do I run
of getting a virus through the Ethernet connection? I use F-Prot's
Virstop and NAV 3.0, and I also have copies of McAfee and AVP. Will
Virstop or Vshield catch known viruses sent through my connection, and
if not, why? What is the best protection that I can use at my end,
since I can't get the admin. to use anything that works?
Thanks,
Jeff

/-----------------------------------------------------------------------------\
| Jeffrey Rice          | "The man who ...is not moved by concord of sweet    |
| Pomona College        | sounds is fit for treasons, stratagems, and         |
| Claremont, California | spoils. Let no such man be trusted." -WS            |
\-----------------------------------------------------------------------------/

------------------------------

Date: Mon, 18 Jul 94 14:08:45 -0400
From: "R. Wallace Hale"
Subject: Re: Ignorance

On Sun, 03 Jul 94 19:48:57 -0400
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

>> The infected file cannot be given to anyone (like the Software
>> Bridge publishers, or anti-virus writers) because of confidential
>> information in the file. So they disinfected it.

Is he saying that a data file was infected? Or does Software Bridge
(not familiar with it) retain imported data within itself? Or does the
employer consider name and/or program serial number confidential in a
branded executable? :)

Am I missing something essential here?

R. Wallace Hale                 "You can observe a lot just by
halew@nbnet.nb.ca                watching."
BBS (506) 325-9002                        - Lawrence Berra

------------------------------

Date: Mon, 18 Jul 94 16:38:32 -0400
From: padgett@141.240.2.145 (Padgett 0sirius)
Subject: Re: Good Viruses

"AMERICAN EAGLE PUBLICATION INC." <0005847161@mcimail.com> writes:

>I would like to ask a question to some of the people who seem ready to attack
>any and everyone who suggests a good virus is possible: What criteria would you
>propose to qualify a virus as "good"?

Sure: describe something that someone might want/need to do and which
can only be done by self-propagating parasitic code (virus).

Thus far I have not been able to come up with anything that satisfies
this criteria. KOH is often mentioned but what does it do that STACKER
(tm) doesn't ?
Online LAN updates are mentioned, but I came up with the notion
independently (cannot say if first) and have never needed a virus to
accomplish this.

Now the consideration remains that these good things *could* be done
by a virus. True but if it can be done in a simpler manner by not
using a virus, then IMHO it should because computers are complex
instruments in which the total effect of any operation cannot be
predicted (Turing) therefore, the fewer operations performed, the
higher the reliability (of course this leads to the notion that NOP is
the only "safe" instruction and even that depends on how it was
microcoded).

To simplify analysis, we can look at it this way: to be considered a
"beneficial virus", a program must be able to perform a useful task and
I will not even limit this to uniqueness, merely that the beneficial
task can be performed by the virus with fewer machine cycles than by
any other process.

Am planning to be in Vegas this weekend if you would like to discuss
this further. Might warn you that one time I took a course in
programming an industrial controller. One question was to write a
program to perform a simple but repetitive task. The instructor said
that passing was 12 or less instructions and that their programmers
had done it in 10. I did it in 7.

Warmly,
Padgett

A. Padgett Peterson, P.E.
Cybernetic Psychophysicist
We also walk dogs
PGP 2.4 Public Key Available

------------------------------

Date: Mon, 18 Jul 94 12:46:25 -0800
From: a_rubin%%dsg4.dse.beckman.com@biivax.dp.beckman.com
Subject: Re: Ignorance

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Hello everybody,
>Someone sent me the following message and asked me to reply to it in
>public:
>> What does one do, in principle, when:
>> One does not want to shell out $395 for an obsolete Word Perfect 5.1
>> that one's wife's work requires files to be formatted in;
>> One has one's wife use the default "word processor" that comes with
>> Windows (Write), then uses the Software Bridge to translate it to WP format;
>> Wife's work runs virus checker (and are naive to the point of not
>> knowing which one), and gets a positive on a translated file;
>> One does not find that virus on one's own machine using a checker
>> that is able to find that virus (the infected file is only on
>> floppies which did not test positive previously);
>> Wife's work does not believe in false positives in virus software
>> (being psychologists, they understand the concept of a false
>> positive);
>> Wife's work is paranoid of persons unknown, and so will not take
>> any advice from one. Especially after one has given them a file
>> with a virus in it;
>> The infected file cannot be given to anyone (like the Software
>> Bridge publishers, or anti-virus writers) because of confidential
>> information in the file. So they disinfected it.
>> What would you have them do?

Which they? The couple? Work?

>> Feel free to respond to this in public. This is not a hypothetical
>> situation.
>Well, I am at loss how to reply to this question. What would I have
>them do? I am always ready to help - but if the user(s) do(es) not
>want my help, or does not trust me, or whatever - then I cannot do
>anything. My advice is - ignore them. Continue to work the way you are
>used to.

Find another job?
Have you ever heard of _anyone_ recommending running virus checks on
text (Word Perfect) files? I suppose it is _possible_ for there to be
a virus that would cause WP to reproduce it in other files when
printed, or that a WP text file could also be a valid executable (COM)
which contains a virus, but it would be a very difficult job.

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arubin@pro-sol.cts.com (personal)
^---- new address
My opinions are my own, and do not represent those of my employer.

------------------------------

Date: Mon, 18 Jul 94 14:05:17 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: On updating the FAQ

> FWIW, I think we start making a joke of ourselves in this field,
> when we have a FAQ dated November '92 !!!
>
> Any volunteers ? Any reasons why the FAQ should *not* be updated ?

That is not the date it was last updated. That is the date when it was
last read by anyone before posting their query here.

[Moderator's note: There is currently a project underway to update the
FAQ. With a bit of luck, and the cooperation of the people that have
volunteered to help out, a new version will be available within our
lifetimes. :-)]

--
THE BEARDED LADY       A FAMOUS
TRIED A JAR            MOVIE STAR
SHE'S NOW                     Burma Shave

------------------------------

Date: Mon, 18 Jul 94 14:12:35 -0400
From: 3dierks@rzdspc53.informatik.uni-hamburg.de (Joern Dierks)
Subject: Re: OS/2 Viruses? Are there a (OS/2)

Ian Douglas (iandoug@cybernet.za) wrote:

> Bill Lambdin (bill.lambdin@pcohio.com) wrote:
> > >From AMIR77@TAUNIVM.TAU.AC.IL To ALL on 06-21-94
> > A [I'd like to know if there are any OS/2 viruses?
> > I know of one OS/2 virus.
> > It was published in an issue of 40HEX. This virus is a stupid non
> > resident direct infector.
> > I have heard that there is another (resident) OS/2 infector, but I
> > haven't seen this virus, and it may not exist.
> It does.
> Published in another underground mag.
> Aristotle told me that a writer sent him the source code for two other OS/2
> viruses, which he (Aristotle) had trouble understanding.
> By deduction from a comment from him (under an alias) in FidoNet, there are
> at least 4 such viruses.

If anybody gets one (or more) of these new viruses (except 40Hex and
Jiskefet) please mail a copy of the virus (or the source code) to me
for further analysis. Thanks in advance.

Regards, Joern

------------------------------------------------------------------------------
Joern Dierks
Virus Test Center
Universitaet Hamburg - FB Informatik
Vogt-Koelln-Strasse 20
22527 Hamburg
e-Mail: 3dierks@fbihh.informatik.uni-hamburg.de
------------------------------------------------------------------------------

------------------------------

Date: Mon, 18 Jul 94 14:04:06 -0400
From: patrick.noyens@cis-infoserv.be
Subject: THUNDERBYTE AV 621 (PC)

It seems that TBSCAN vers. 621 (TBAV621) gives wrong heuristic
descriptions in the log file and at the action menu. For example, I
get the heuristic flag 'C', which normally indicates missing
ANTI-VIR.DAT files, while the files do have their ANTI-VIR.DAT setups
(created by TBSETUP). Furthermore, I get a lot of 'h' heuristic flags,
which should only appear for hidden or system files, but they DO ALSO
APPEAR for normal files......

The strange thing about these problems is that they do not show up
during the scanning process (correct heur. flags are then given), so
it seems that there is something wrong with the tbscan.lng file.

During scanning of not exec. the system hangs a few times (ex.
WIN386.ps2).

Has anyone seen this problem on his systems ?? I would appreciate any
info about this.

Warmly
Patrick Noyens (Patrick.Noyens@boardwatch.com)

------------------------------

Date: Mon, 18 Jul 94 14:05:05 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: How to save a boot sector (PC)

> How can you save a boot sector on to disk.
> (if you suspect a virus
> and want to upload it to the anti-virus companies system for them
> to inspect it?)

Most disk sector editors have a facility to save a sector to a file.
Some AV software does, too. Why don't you ask the support desk for the
AV Software company to whom you intend to send the sample how they
handle this?

--
THE BEARDED LADY       A FAMOUS
TRIED A JAR            MOVIE STAR
SHE'S NOW                     Burma Shave

------------------------------

Date: Mon, 18 Jul 94 14:03:42 -0400
From: beng@dorsai.dorsai.org (Ben Ng)
Subject: Re: Killing the Monkey Virus (PC)

Curly (hzf30@mfg.amdahl.com) wrote:

: I was under the impression that there are no viruses, currently known, that
: can infect a system by merely using the "dir" command. If so, then your anti-
: virus package merely stated it had found the "Monkey" virus on the diskette.
: The virus, however, was not active in memory, and therefore couldn't have been
: "attempting to write to the boot sector" of your hard disk.
: Can someone with real knowledge confirm or deny?

Surely, though I cannot be sure my knowledge is real. I had cleaned
out several PS/2 Model 60's + a couple of ibm compatibles that had the
monkey virus. From what I've experienced, this is what the monkey
virus does (And please correct me if I'm wrong)

A. Infects host system thru a floppy boot or virus dropper.
B. redirects (stealth) partition table to another spot. Both reads and
   writes. I don't know where exactly.
C. infects all non-write protected diskettes, instant monkey carriers.
D. the partition table is moved, in place of it is the monkey virus,
   any 'clean' boot from a diskette will have no access to the Hard
   drive.
E. Don't know whether it will trash the hd after x boots or date but a
   quick look into the code should answer that..

In order to clean out the system..manually..you need to restore the
partition table..overwriting the monkey virus..which can be a chore.
First..while on the infected system..load up a diskeditor and copy the
partition table to a file or an empty sector far away from other data.
Then with a write-protected clean disk with a diskeditor, boot up and
rewrite the partition table back over track 0, side 0, sector 1.

Comments?

--
Ben Ng   beng@dorsai.dorsai.org   New York City

------------------------------

Date: Mon, 18 Jul 94 14:04:54 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Why so many Leprosy viruses? (PC)

tracker@netcom.com (Craig) writes:

> Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
>
> : Take anything you read in Patricia Hoffman's VSUM with a large grain
> : of salt. It's more like a truck of salt, actually. VSUM is the biggest
> : piece of disinformation, incorrect, incomplete, and plain wrong
> : things about computer viruses ever put together.
>
> The format and ease of use of VSUM is nice. I fail to see why Pat
> continues to publish disinformation, when it could be of great use to
> people if it had accurate info.

Being accurate takes a lot of work. Most of those who are capable of
this work are already running flat out to keep their software upgraded
to detect new viruses, and cannot take time to catalogue all the new
ones in detail. Few people with the ability required are free to spend
the time.

> Without people like yourself, and other very knowledgeable
> people on comp.virus, many wouldn't know about VSUM being so bad.

Unfortunately, many people still don't know. It would help if various
people who distribute misinformation, however well meaningly, would
stop doing so. An absence of information is preferable to wrong
information.

--
THE BEARDED LADY       A FAMOUS
TRIED A JAR            MOVIE STAR
SHE'S NOW                     Burma Shave

------------------------------

Date: Mon, 18 Jul 94 14:06:27 -0400
From: choud_gs@jhunix.hcf.jhu.edu (G Sayeed Choudhury)
Subject: AntiExe virus, Help!! (PC)

I have an ANTIEXE virus on my computer.
I used F-PROT version 2.12c (shareware) which detected it but can not
disinfect it. Any advice on how to proceed (course of action,
appropriate software, etc.). Thanks in advance.

Sayeed
choud_gs@jhunix.hcf.jhu.edu

------------------------------

Date: Mon, 18 Jul 94 14:06:06 -0400
From: moehlman@athene.informatik.uni-bonn.de (Peter Moehlmann)
Subject: junkie vir and freinds (PC)

Hi !

Help before I make suicide. I have f-prot to disinfect my comp from
junkie but it doesn't find all. There are some varieties. Any progs
which will kill this prog? Share or pay ware. I can't make boot disk
because it will also infect the disk. I can't disinfect my master boot
sec because I tried fdisk /mbr and so f-prot can't restore it.

Help !!!!! How can I delete this masterbs.? Any address or search
string? How can I contact McAfee or f-prot? This damned virus. I could
not work for one week.

Peter

------------------------------

Date: Mon, 18 Jul 94 14:07:06 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: How to save a boot sector (PC)

Steve Tamanaha wrote:
)How can you save a boot sector on to disk. (if you suspect a virus
)and want to upload it to the anti-virus companies system for them
)to inspect it?)
)Thanx,
)jims@fsba.com
)

If you want the boot sector off of a floppy, run debug with the floppy
in the A drive

    C>debug boot.sec
    -l 100 0 0 1
    -rcx
    (number displayed)
    200
    -w
    (message about 200 bytes being written)
    -q
    C>

You now have a file named BOOT.SEC on your C drive.

Mike

----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Mon, 18 Jul 94 14:07:17 -0400
From: jay@hamlet.umd.edu (Jay Elvove)
Subject: Re: Boot sector virus ? (PC)

Fridrik Skulason (frisk@complex.is) wrote:

: berek@xmission.com (Berek Halfhand) writes:
: Well, this is not the official CARO name of any boot sector virus, so
: there is not much I can do to help.
: However, in my collection I have
: one sample named LENART.BOO - which is an image of the AntiCMOS.A
: virus,,,perhaps...just perhaps....the Lennaert2 is then the AntiCMOS.B
: virus.
: It might help if we know which scanner calls it by this name...

I can answer this. It's Central Point's product. F-PROT calls it
AntiCMOS.B, just as you suggest. McAfee's SCAN v116 & their beta
product do not call it anything. They do not see it.

--
Jay Elvove   jay@umd5.umd.edu
c/o Academic Software Comp. Sci. Center, Univ. of Md., College Park

------------------------------

Date: Mon, 18 Jul 94 14:10:44 -0400
From: jhurwit@netcom.com (Jeffrey Hurwit)
Subject: VIRUSCAN 2.x gripes & grumbles (PC)

Dare I even write this? I see almost no discussion of McAfee's
VIRUSCAN on either group I'm posting this to.

I have to say, having tried the new generation of VIRUSCAN, the
previous one was better. For one thing, the new version is incredibly
bloated. The executables in the previous version were compressed with
PKLITE, which shrunk them quite a bit. The executables in 2.x are
excellent candidates for similar compression, showing well over 50%
reduction in the zip archives they come in (most executables average
only 25% - 40% with PKZIP -ex). SCAN.EXE and VSHIELD.EXE can't be
compressed, or they'll fail their self-checks and exit. The data
files, which are now separate from the executables, take up even more
room. The essential files for SCAN and VSHIELD take up perhaps several
hundred Kbytes more than the old SCAN, VSHIELD, and CLEAN did.

The docs claim that the new SCAN is faster, and indeed it is. It scans
both memory and files much faster than the old SCAN. Unfortunately, it
takes longer to load the (external) data files. If you're scanning an
entire hard drive, there is a net gain, but not if you're only
scanning a diskette or a few files. SCAN 202 seems to load the data
files faster than SCAN 200.
The new VIRUSCAN also seems to lack some useful and essential features
that the old one had. SCAN 2.x no longer has the /MANY option, for
scanning several diskettes. SCAN now has to load, do its self-check,
etc., for *each* diskette to be checked, making this operation lengthy
and tedious.

The old SCAN also used to check "under" PKLITE and LZEXE compression,
to see if compressed executables were infected *before* they were
compressed. This was documented as a serious feature in the text
files. Nothing is mentioned about this feature in the docs for SCAN
2.x. Can anyone say for sure if SCAN and/or VSHIELD will catch an
executable that was infected and then compressed?

There also seems to be a bug in VSHIELD, at least on my system. I have
an old 8088 laptop, with no hard drive (two 720K 3.5" diskette drives
only). VSHIELD seems to load and load its data file ok, but there's
trouble after that. At least vers. 202 counts memory correctly (vers.
200 reported over 1,000K, when I have only 640K). But then it tries to
check my master boot record (I don't have one, on a floppy). Finally,
the last thing it does is say it's checking VSHIELD.EXE, then stops
right there, locking up my system in the process. (At least a soft
reboot brings it back-- I don't have to turn the power off.) The old
VSHIELD worked fine on my system, last time I tried it.

I hope these comments prove useful to someone, at least to the
developers at McAfee. In the mean time, I'm still looking around at
other virus scanners...

Jeff

------------------------------

Date: Mon, 18 Jul 94 14:11:06 -0400
From: moehlman@athene.informatik.uni-bonn.de (Peter Moehlmann)
Subject: Re: Junkie virus (PC)

Hi !

Here is one of the victims. Where can I get the progs ivscan/b ivb and
ivscan ? Or resqdisk ? Will all variations be killed ? Thanx for
information. I will try it with fdisk /mbr.

------------------------------

Date: Mon, 18 Jul 94 14:13:37 -0400
From: robertk@stack.urc.tue.nl (Robert Klep)
Subject: Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)

Steve Tamanaha (stevet@fujitsu.com) wrote:
: dasheiff+@pitt.edu (Richard M Dasheiff M.d.) writes:
: >frisk@complex.is (Fridrik Skulason) writes:
: >]]SimTel/msdos/virus/
: >]]vbait12.zip Simple virus bait, detects COM infecting virus
: >]
: >]"Detects COM infecting viruses"...hmm... Is it able to detect infection
: >]by stealth viruses ? If not, I would say a redesign was required.
: My best guess would be that this program operates by being a "bait" and reporting
: any modifications made to itself by a virus or whatever using a checksum
: method.
: - -jims@fsba.com

If I remember right, the VBAIT COM-file is very small (only a few hundred bytes max). I wonder if that's really realistic, because LOTS of COM-infectors (not all of them) check for file-sizes, and small files don't get infected. Now I don't know exactly about the size, but I would fill the file with junk up till it's about 20/30k...that's an 'ideal' size for it to get infected...

robertk

------------------------------

Date: Mon, 18 Jul 94 14:08:57 -0400
From: "R. Wallace Hale"
Subject: Re: Dr. Solomon's on the move! (PC)

On Sun, 03 Jul 94 19:57:41 -0400 buster@klaine.pp.fi (Kari Laine) wrote:

>First it is commercial product and not like a shareware. And it seems
>many people discussing here are not the ones using paid av-software :-)

Yet there's frequent mention of NAV and CPAV....

>But yeah I would like to see little more posting about how to best use
>Toolkit and what improvements it would need and of course the problems
>also.

I'm very much in favor of that!

R. Wallace Hale           "You can observe a lot just by
halew@nbnet.nb.ca          watching."
BBS (506) 325-9002         - Lawrence Berra

------------------------------

Date: Mon, 18 Jul 94 14:11:43 -0400
From: elis@teleport.com (Eli Shapira)
Subject: Re: MtE Virus info wanted (PC)

Wow.... A person needed help with a false alarm and you are using the opportunity to bash myself, the most awarded Anti-Virus product in the industry and the company I am working for.

You did "forget" to mention that you are working closely with BRM which is working with Symantec - author of Norton Anti-Virus.

One more thing - Central Point and Symantec have merged and are now operating as one company. So I am actually a Symantec employee for some time now. This does not change the fact that Norton Anti-Virus version 2.1 had more false alarms than any other Anti-Virus on MTE viruses. It is recommended that users with version 2.1 upgrade to 3.0.

Mr. Radai - you never had anything good to say about CPAV or MSAV, fortunately for Central Point - Millions of users disagree with you. Central Point Anti-Virus won Two PC Magazine Editor choice, Two Software Digest awards and One Windows Sources magazine award. Central Point never had to release a maintenance release for Central Point Anti-Virus since the day the product was announced.

Eli Shapira

"Y. Radai" writes:
>Subject: Re: MtE Virus info wanted (PC)
>Date: Fri, 15 Jul 1994 12:08:06 EDT
> Jeff Lewis had asked:
>>>I would appreciate information on "MtE" which I "found" on my
>>>machine with Norton Antivirus 2.1. ....
> Eli Shapira replies:
>> Very likely that it is a false alarm. Norton v2.1 had a few of them.....
>I could understand such a comment if it came from anyone *other* than
>Eli Shapira!!
> For those readers who may be wondering why I say this, the author of
>the above reply is the same Eli Shapira who is the main author of the
>Central Point and MS-DOS 6 Anti-Virus software (CPAV/MSAV/VSafe), and
>no AV software in history has been responsible for more false alarms
>than his software!!
> The main problem is that the scan patterns in CPAV/MSAV/VSafe *are
>left in memory in unencrypted form*, and these trigger other anti-
>viral programs which scan memory, i.e. if such programs are activated
>after CPAV/MSAV/VSafe, such patterns cause the other programs to give
>"ghost positives", i.e. to report that a virus has been found in
>memory. (A few years ago Shapira and Co. apparently made some effort
>to solve this problem. However, unless there has been some tremendous
>improvement since the last time I checked, scan patterns which contain
>*wildcards* still remain unencrypted.) No other widely used scanner
>fails to take some measure to prevent such false alarms. The lack of
>consideration toward other anti-virus products has created so many
>problems that F-PROT displays the following message if it finds VSafe
>to be active in memory: "Warning! The MSAV/CPAV program is currently
>resident ...."
> An interesting type of false alarm not connected with the above is
>that when MSAV with Version 1.1 of the DOS Anti-Virus Update is
>activated on the Sydex product CopyQM, MSAV erroneously reports that
>CopyQM contains the "Virus Cruncher" virus. Why? Simply because both
>CopyQM and the Cruncher virus use the compression software DIET.
>(Sydex reports that Central Point Software ignored its complaints
>until the matter was turned over to Sydex's attorney.)
> Sounds to me like a case of the pot calling the kettle black ....
> Y. Radai
> Hebrew Univ. of Jerusalem, Israel
> RADAI@HUJIVMS.BITNET
> RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Mon, 18 Jul 94 14:08:51 -0400
From: "R. Wallace Hale"
Subject: Re: Dr. Solomon's on the move! (PC)

On Fri, 01 Jul 94 15:25:39 -0400 bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:

>> I've regarded Toolkit as one of the best AV products available and wonder
>
>The AVTK has one of the best *scanners* available.
>This does not necessarily mean that it is one of the best products
>overall - an anti-virus product has other components too.

Quite right, and a point I tend to overlook. Perhaps I place undue importance on scanner quality but my primary concern is intercepting nasty things before they can get into critical systems.

R. Wallace Hale           "You can observe a lot just by
halew@nbnet.nb.ca          watching."
BBS (506) 325-9002         - Lawrence Berra

------------------------------

Date: Mon, 18 Jul 94 14:10:55 -0400
From: tsaiwn@csie.nctu.edu.tw (Wen-Nung Tsai)
Subject: Re: How to save a boot sector (PC)

Steve Tamanaha (stevet@fujitsu.com) wrote:
: How can you save a boot sector on to disk. (if you suspect a virus
: and want to upload it to the anti-virus companies system for them
: to inspect it?)
: Thanx,
: jims@fsba.com

Assume you are talking about the MBR on a hard disk drive.

(1) Start up the computer with a clean diskette (that has the debug program)
(2) Type the following:

    debug a:virus.bot
    a1000          (tell debug we want to assemble instructions starting at 1000h)
    mov ax,0201    (read one sector)
    mov bx,0100    (buffer starting from 100h)
    mov cx,1       (track 0, sector 1)
    mov dx,80      (head 0, first hard drive) (81 for second hard drive)
    int 13         (for disk I/O request)
    int 3          (break to debug command mode)
                   (hit return on the empty line to go back to command mode)
    g=1000         (execute this small program)
    rbx            (tell debug that we want to change BX register)
    0              (set the BX register to 0000)
    rcx            (tell debug that we want to change CX register)
    200            (set CX to 200h for the length of MBR is 200h=512 bytes)
    w              (write cs:100h - cs:2ffh into file A:virus.bot)
    q              (quit to DOS)

Now the MBR is saved in the file A:virus.bot...

Hope this helps.

- --
- --------------------------------------------
Wen-Nung Tsai INTERNET: tsaiwn@csie.nctu.edu.tw
Dep. of CSIE
National Chiao Tung University
HsinChu, Taiwan, R.O.C.
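
[Added example, not part of the original posts: a Python check that a saved sector file such as A:virus.bot is a complete 512-byte MBR with the 55h AAh boot signature, and that lists its partition table, before the file is sent off for analysis. The function names and the constructed sample sector are assumptions of this example; the offsets are the standard MBR layout.]

```python
import hashlib
import struct

SECTOR_SIZE = 512         # 200h bytes, the length written out in the DEBUG session
CODE_SIZE = 0x1BE         # loader code area that precedes the partition table
SIGNATURE_OFFSET = 0x1FE  # a valid MBR ends with the bytes 55h AAh


def decode_chs(raw: bytes) -> tuple:
    """Decode a packed 3-byte CHS address into (cylinder, head, sector)."""
    head, sec_cyl, cyl_low = raw
    return (((sec_cyl & 0xC0) << 2) | cyl_low, head, sec_cyl & 0x3F)


def parse_mbr(sector: bytes) -> dict:
    """Validate a saved MBR image and decode its four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for index in range(4):
        start = CODE_SIZE + 16 * index
        flag, chs_first, ptype, chs_last, lba, count = struct.unpack(
            "<B3sB3sII", sector[start:start + 16])
        if ptype == 0 and count == 0:
            continue  # unused table slot
        partitions.append({
            "index": index,
            "bootable": flag == 0x80,
            "flag_valid": flag in (0x00, 0x80),  # anything else is a damaged entry
            "type": ptype,
            "first_chs": decode_chs(chs_first),
            "last_chs": decode_chs(chs_last),
            "lba_start": lba,
            "sector_count": count,
        })
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
        # Hash of the loader code alone, for comparison with a known-clean MBR.
        "code_sha256": hashlib.sha256(sector[:CODE_SIZE]).hexdigest(),
        "image_sha256": hashlib.sha256(sector).hexdigest(),
        "partitions": partitions,
    }


def build_sample_sector() -> bytes:
    """Constructed test image: empty code area and one active partition."""
    entry = struct.pack("<B3sB3sII",
                        0x80, bytes([1, 1, 0]),      # active; head 1, sector 1, cyl 0
                        0x06, bytes([15, 17, 100]),  # type 06h; head 15, sector 17, cyl 100
                        17, 27455)                   # first LBA sector, length in sectors
    return bytes(CODE_SIZE) + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = build_sample_sector()
    report = parse_mbr(data)
    print("boot signature ok:", report["signature_ok"])
    print("loader code sha256:", report["code_sha256"])
    for part in report["partitions"]:
        print(part)
```

Run with the saved file name as the only argument; with no argument it reports on the constructed sample sector.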

------------------------------

Date: Mon, 18 Jul 94 14:11:33 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: How to save a boot sector (PC)

Steve Tamanaha (stevet@fujitsu.com) wrote:

> How can you save a boot sector on to disk. (if you suspect a virus
> and want to upload it to the anti-virus companies system for them
> to inspect it?)

Various ways...

1. Use Teledisk to grab an image of the whole disk
2. Use Norton (or similar) to write the boot sector to a file
3. Use TbUtil from TBAV to write boot sector to a file
4. Think the program FdFormat 1.8 also had a utility to grab boot sectors from floppies

- --
- -----------------------------------------------------------------------------
Ian Douglas                           InterNet: iandoug@cybernet.za
P.O. Box 484        Lead, Follow,     FidoNet:  5:7102/119
7532 Sanlamhof      or get out of     TopNet:   225:2048/1
South Africa        the way.
- -----------------------------------------------------------------------------

------------------------------

Date: Mon, 18 Jul 94 16:02:19 -0400
From: rubinmh@nextwork.rose-hulman.edu
Subject: FamM virus (PC)

Hey, does anyone out there know anything at all about the FamM virus or how to get rid of it? I found it using the clean-up and scan shareware programs put out by McAfee, but it seems to be a memory resident virus, and I think it has infected most of my hard drive, any help would be appreciated!

------------------------------

Date: Mon, 18 Jul 94 16:49:33 -0400
From: bt00@Lehigh.EDU (Binod Taterway)
Subject: Seeking information on Anti.CMOS virus ... (PC)

Dear virus experts,

Here at Lehigh, we have found one occurrence of Anti.CMOS virus. F-PROT identifies it as Anti.CMOS, but McAfee's VIRSCAN calls it GENB (generic boot sector virus). Neither has been able to remove it. Both complain that they cannot remove the virus successfully. I have looked in VSUM to get some information on this virus, but no luck.
I called CERT to get rapid response; instead the help desk asked me quadrazillion questions and responded to none.

I would like to gain some information on this virus. From the floppy, I was able to remove it by copying files, reformatting the disk, and copying back the files. I cannot do the same on hard disk. I would appreciate any help.

Thanks in advance.

Binod
bt00@Lehigh.EDU

- -Binod
- ------------------------
Binod Taterway
Sr. User Consultant, LUCC
bt00@Lehigh.EDU

------------------------------

Date: Mon, 18 Jul 94 17:34:50 -0400
From: stevet@fujitsu.com (Steve Tamanaha)
Subject: VIRU-SIM (PC)

I am looking for the program VIRU-SIM as mentioned in a VIRUS-L message (Thu, 16 Jun 88). The message gives the National BBS society bbs # as 988-4004, which is the McAfee Homebase bbs; the sysop said he hasn't heard of any such program.

If anyone has this file please send it uuencoded by email to jims@fsba.com

- -jims@fsba.com

------------------------------

Date: Mon, 18 Jul 94 21:10:54 -0400
From: YKChung@Winkie.Oz.nthu.edu.tw (is2a)
Subject: Re: How to save a boot sector (PC)

Steve Tamanaha (stevet@fujitsu.com) wrote:
> How can you save a boot sector on to disk. (if you suspect a virus
> and want to upload it to the anti-virus companies system for them
> to inspect it?)
> Thanx,
> jims@fsba.com

You may try Norton Utilities' Disk Editor (DE.EXE). In fact, many AV products have such functions.

- --

------------------------------

Date: Tue, 19 Jul 94 02:37:54 -0400
From: billt@pipeline.com (Bill Taub)
Subject: Form Virus Mutation! Netware problem? (PC)

Hello...

I work for a network/computer system integrator. One of our clients has had a problem with what CPAV, MSAV, and Intel's Landesk Vprotect/Lprotect 2.0 considers "Form" virus. Several of the CNE's involved with the clean-up suspect it is an altered form of FORM virus, or a new virus that matches the pattern search.
The strange thing is that we have isolated the route of infection - it is distributed by the network (Netware 3.12, recently upgraded from 3.11) file-servers (Tricord model 400 - two of them). The infected machines range in usages from dos-apps to windows. The infected floppies found were not bootable, yet Form is supposed to be a boot-sector virus. (There were no COMMAND.COM nor IO.SYS on these disks.) Some machines ran fine (barring a few memory problems) except for an audible key-click from the PC speaker. This was not described in any listing for FORM that we encountered.

Here is another strange thing: Intel's NLM was running on the file servers, yet the virus either spread undetected (possibly in a dormant form), or was sitting in these machines for some while (several months) waiting to become activated (by date? another trigger?).

Another strange item (I don't know if it is relevant): On some of the Everex PCs, when they were cleaned, the BIOS setting regarding On-Board Floppy and Hard disk controllers were disabled. They had to manually be enabled. Go Figure.

Lastly, we found a virus called Generic_408 (not sure about number) on another machine. CPAV doesn't do this one... but INTEL took care of it. This was probably an isolated occurrence (as INTEL found it on no other machines.)

We managed to 'capture' the two viruses on floppies to be sent to Intel... I was on the phone with them earlier last week regarding a specific virus... they explained to me that if I came across anything new, send it to them so that they can implement its pattern and cure into their product (nice people... BTW). We plan to send them these disks ASAP.

IF ANYONE HAS HAD A RECENT EXPERIENCE WITH FORM VIRUS PLEASE CONTACT ME VIA E-MAIL. ANY SUGGESTIONS OR FOLLOW UPS WILL BE GREATLY APPRECIATED. I WILL POST ANY INFORMATION INTEL BRINGS ME.
-Bill

------------------------------

Date: Tue, 19 Jul 94 08:31:12 -0400
From: hamrag@cix.compulink.co.uk (Humbug Software)
Subject: Re: Dr Solomon's on the move! (PC)

Iolo Davidson (iolo@mist.demon.co.uk) writes:

> This is simply because those involved with the Dr. Solomon's Toolkit
> don't take part in this group.

Certainly some of us read this conference. It's just that we're so busy developing the product that we don't often have as many opportunities as we would like to participate.

> I expect there would be more participation from S&S personnel if they
> didn't have to bypass a broken mailer.

This has mostly been fixed. [FX: Touch wood]

> I can't post to this group using
> the write or follow facilities- or rather I can, but the message just
> disappears. I have to address mail to the moderator by hand if I want
> it to get through.

Yup, the same with me Iolo. It's an irritation, but not disastrous.

Certainly when people have comments and questions regarding Dr Solomon's Anti-Virus Toolkit I (or someone else here at S&S) try and make a response. I imagine, however, that not all of us can compete with Vesselin in sheer amount we post each week. I also don't think people would appreciate me posting messages saying "Alan Solomon is the greatest" every couple of days, continually plugging our software product to the point of overkill.

Maybe in the future S&S International will employ someone to continually monitor CIX, Compuserve, FidoNet, Usenet, as well as our own BBSes.. but until then we'll just keep chipping in when we feel it is appropriate.

Regards
Graham
- ---
Graham Cluley                    : S&S International Ltd
Product Specialist,              : Alton House, Gatehouse Way
Dr Solomon's Anti-Virus Toolkit  : Aylesbury, Herts, UK
email: gcluley@sands.co.uk       : Tel: +44 (0)296 318700

------------------------------

Date: Wed, 20 Jul 94 04:26:39 -0400
From: dws@ras.phy.cam.ac.uk (David Sawford)
Subject: New virus?
(PC)

I was running a program last night when the computer locked up with a beep and said something like "Greetings to hackers around the world" in about 3 different languages. I can't say exactly what it said as it was only on the screen for a few seconds before the machine re-booted.

I have tried F-Prot 212c (all levels of detection) and Scan V116, but they report the disk as being clean.

Is this a known virus?

Dave.

------------------------------

Date: Mon, 18 Jul 94 14:13:51 -0400
From: Mikko Hypponen
Subject: bull-213.zip - F-PROT 2.13 Update Bulletin in ASCII (PC)

I have uploaded to:

ftp://informatik.uni-hamburg.de/pub/virus/texts/bulletin/bull-213.zip
ftp://oak.oakland.edu/pub/msdos/virus/bull-213.zip
ftp://ftp.datafellows.fi/pub/df/bull-213.zip
ftp://garbo.uwasa.fi/pc/virus/bull-213.zip

BULL-213: F-PROT Professional 2.13 Update Bulletin in ASCII
-----------------------------------------------------------

F-PROT Update Bulletins contain information about the current virus situation globally. Every time a new version of F-PROT Professional is published, it is accompanied with a new Update Bulletin. Bulletins are published on paper in A5 format.

Update Bulletins are published by Data Fellows Ltd of Helsinki, Finland. Data Fellows Ltd is the publisher of F-PROT Professional Anti-Virus Program in Scandinavia, Asia, Africa and most of Europe.
They can be reached via e-mail at f-prot@datafellows.fi

Articles in this issue of the Update Bulletin
---------------------------------------------
Microsoft chooses F-PROT Professional
News in Short
 - Electronic Support Services
 - A Virus Instruction Guide Published in France
 - Onwards the Evolution
New Viruses In the Wild
 - Jumper
 - Junkie
 - SMEG
 - J&M
A Closer Look at the Global Virus Situation
 - Virus Situation in South Africa
 - Virus situation in Japan
Creating a Virus Prevention Strategy with F-PROT Professional
Feature: False Alarms
Dark Side of the Moon: What Motivates Virus Writers
F-PROT support informs: Common Questions and Answers
Changes in F-PROT Professional 2.13

Uploaded by a member of the F-PROT Professional Support Team.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Mon, 18 Jul 94 14:12:45 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.13 is out (PC)

Version 2.13 - major changes:

Boot sector virus disinfection was improved. Viruses that do not preserve the original boot sector can now be removed by overwriting them with "generic" code. The same method is available for viruses where virus-specific disinfection has not been implemented yet.

Version 2.13 - the following problems were found and corrected:

Some minor false alarms were fixed:

    "..possibly a new variant of Wisconsin" in SURPRISE.COM.
    "..possibly a new variant of Pit" in BLOCKCUR.COM
    "..possibly a new variant of Civil_Defense" in CSP.SYS and PALETTE.COM

F-PROT did not find all instances of the Natas and Freddy viruses - that was fixed, and disinfection of Natas added as well.

Version 2.13 - minor improvements and changes:

When instructed to scan a single hard disk partition, for example by giving the command "F-PROT C:", the scanner will now also scan the boot sectors of other hard disk partitions.
The reason for this change is that in the case of a boot-virus infected DoubleSpace partition, the virus is located on a drive the user may not even be aware exists.

When searching for user-defined patterns, F-PROT will now report all patterns it finds in any file, instead of just the first one.

A new return code was added (see COMMAND.DOC) - Errorlevel 8 means that some suspicious files were found, but no infections.

Version 2.13 - new viruses:

The following 51 viruses are now identified, but can not be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of..."

    Bad_Brains (554.A, 554.B and 570) Budo.B
    Burger (505.K, 505.L, 505.M, 505.N, 512.B, 560.AO, 560.AP, 560.AQ,
    560.AR, 560.AS and 560.AT) Fasolo.176 Faulkner
    Grog (Aver_Torto, Bruchetto, Delirious, Hop and Il_Mostro)
    HLLO (3816, Gov, Novademo.C, Orion, and Shadowgard) Jasmine
    Leprosy (Anarchy.469, Sandra, Seneca.381, Seneca.483, Tazmanian.1973,
    Tazmanian.2197, Tazmanian.2209 and Tazmanian.2276)
    Lockjaw (Flagyll.316, Flagyll.369) Mayhem Morrison Orchid.120
    Taiwan.752.C Trivial.Infernal
    VCL (356, 418, 509, 541, Cockroach and Jam) Vienna (526 and 561.B)

The following 181 new viruses can now be detected and removed. Many of these viruses were detected by earlier versions, but are now identified accurately.

    _339 _571 _641 AntiCMOS.B Arale Ash.449
    Australian_Parasite (118.A, 122.A, 213, 217, 221, 229, 482, 588, 591,
    726, 784, 1024, 1050 and 1179) Better_World.E
    Cascade (1701.Q, 17701.R, 1704.T and 1704.U) Chaos_Year.2005 Chill
    Creeper.472 Curse_IV Dark_Avenger (1800.Satan and Shyster)
    Diamond.1050 Doom_II.1249 Ear (Ear.B and Ear.C)
    Espacio (8444, 8458, 8491 and 8498) Father_Mac
    Fax_Free (1024.Abstract, 1024.F, 1024.G, 1024.H, 1536.Mecojoni.A,
    1536.Mecojoni.B, 1536.Mecojoni.C, 1536.Darkover.A, 1536.Darkover.B,
    1536.Darkover.C, 1536.Pinniz.E, and 2766) Freddy_Soft Frodo.Fish_6.E
    Fumble.867.F Genesis (501 and 504) Genvir.1440
    Grog (Danzerino, Enmity_2_1, Joe_Anthro and Joemetafora)
    Helloween.1063 HLL.7940 Icelandic.655 Infector (847.A and 847.B)
    Ionkin.212 IVP (April and Dread)
    Jerusalem (1506, 1808.Execute, 1808.Frere.I, 1808.Standard.AO,
    AntiCad.2454, AntiCad.26256, Pipi.1536, PSQR.Satan, Smile,
    Solano.Dyslexia.Satan, Sunday.Nai-Tai, Sunday.Satan, Sunday_II.B and
    Tarapa.B) Jest.2464 Jihuu.686 Julia.1027 Junkie Keeper.Lemming
    Khizhnjak.642 Lesson_I.306 Lockjaw (493 and 894) Lyceum.1950
    Maaike (164, 250 and 757) Marzia (L and M) Max
    Mayberry (402, 409, 475, 496, 502, 609, 687, 732, 747, 758, 799 and
    828) MP1024 November_17th.864 Nympho.230
    Old_Yankee (1961.B and 1961.C) Oxana.1719 Phalcon.Cloud.1110
    PHB.4461 Phunnie Pixel (739, 846.B, 851 and 1268) Polifemo
    Proto-T.Ritzen.1098
    PS-MPC (212, 606.D, Arcv-1.731, Small_ARCV.B, G2.573.C, G2.Dread,
    Pikninny, Powermen.717, Powermen.718, Ranger.423, Screen_Save,
    Tim.405 and Tim.500) Quadratic.986 RedStar Screaming_Fist.927
    SillyCR.397 SMEG (Pathogen and Queeg) SNA Stardot.1100 Storm.1219
    Storyteller Suriv_2.I Taiwan_Over (2770 and 2944) Tankard.542
    Totoro (B and C) Trakia.570 Traveling_Jack.1008 Trident.914
    VCL (355, 514, 534, 604, 660, 2750, 3243, Blue_Moon, Dial.671,
    Diarrhea.1221, Heevahava.516, Mimic.4863, Pro-Choice and Reptoid)
    VCS.Standard.Bad_Poem Vic.399
    Vienna (608.B, Violator.707 and Violator.779) Virdem.1336.Killer.C
    VS.2790 Wave.454 Wildfire Xak

The following 26 new viruses are now detected but can not yet be removed.

    _484 Alien ARCV.255 Australian_Parasite.440 Mike Moonlite MzBoot
    Number_of_the_Beast (BG and Y) PS-MPC.Page.780 Rape (1182 and 2887)
    Rubbit (681, 1018, 2060.A, 2060.B, 3811, 3839.A and 3839.B)
    Screen+1 (919 and 1624) Shoo.2824.B Skater.664 Skynet Svc.3241
    Variable_Worm.C

The following 7 viruses which were detected by earlier versions can now be removed.

    Bravo Gippo (Bumpy, Epidemic and Stunning) LZR Reverse (A and B)

The following viruses have been renamed, in order to make F-PROT follow the CARO naming standard as closely as possible.

    Cossiga -> Grazie

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 60]
*****************************************