VIRUS-L Digest   Monday, 8 Aug 1994   Volume 7 : Issue 61

Today's Topics:

Re: Good viruses/Bad viruses
Re: Integrity Checking
Few question regarding viruses
Need Help on research paper!
Good sources for virus information
ANSI bombs
Re: Good Viruses
Need help on research paper
Titles of Books (Humour)
Re: Parity - B Virus on HPFS Partition (OS/2)
TBAV 6.22's BUG?? (PC)
Re: Junkie virus (PC)
4DOS 5.0f triggers TBAV 6.22? (PC)
Yankee Doodle Virus? (PC)
Help! - Does my PC have a virus? (PC)
Re: F-Prot 2.12 won't scan C: with Lantastic (PC)
Want info on "Stoned 4" (PC)
"Horse" virus? (PC)(Anywhere else?)
Re: Excelent virus program! (PC)
Re: Anti-Virus for VINES Networks (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
Info on KANPANA-A virus please. (PC)
Re: Types of viruses??? (PC)
Re: Network virus protect (PC)
SMEG.Queeg, SMEG.Pathogen virus writer caught (PC)
Tamsui/Christmas-1694? (PC)
Network virus protect (PC)
NAV 3.0 update files (PC)
Flash BIOS infector? (PC)
TBAV621 THUNDERBYTE AV (PC)
Re: New AV software (PC)
Re: Killed the Monkey Virus (PC)
Re: Modified Stoned???? (PC)
Re: How to save a boot sector (PC)
Re: Mosquito Viruses (PC)
Re: Rosenthal Virus Simulator (PC)
fp-213.zip - Version 2.13 of F-PROT virus scanner/cleaner (PC)
IBM Computer Virus Information Center updates
bull-213.zip - ASCII version of F-PROT 2.13 Update Bulletin (PC)
Announcing a new FTP Site

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues
are available by anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 20 Jul 94 19:04:53 -0400
From:    matt%banksia@socs.uts.EDU.AU (Jas (Matthew K))
Subject: Re: Good viruses/Bad viruses

Adam Jenkins (Adam.Jenkins@dbce.csiro.au) wrote:

> Vesselin Bontchev writes:
> Hmmm I've seen this argument before. The way I see it, the
> confusion arises because in the early days of computing, hacking
> meant using things that weren't known, and this often meant
> breaking into systems etc.

what the heck? i think even your interpretation of hacking is wrong.
the word hacking came from the word hack. i suggest you read Hackers by
steven levy (?? so long since i read it) or the hackers dictionary.
included here is the definition of the word hack.

Hack
1. n. Originally, a quick job that produces what is needed, but not
   well.
2. n. An incredibly good, and perhaps very time-consuming, piece of
   work that produces exactly what is needed.
3. vt. To bear emotionally or physically. "I can't hack this heat!"
4. vt. To work on something (typically a program). In an immediate
   sense: "What are you doing?" "I'm hacking TECO." In a general
   (time-extended) sense: "What do you do around here?" "I hack TECO."
   More generally, "I hack foo" is roughly equivalent to "foo is my
   major interest (or project)." "I hack solid-state physics".
5. vt. To pull a prank on. See sense 2 and hacker (sense 5).
6. vi. To interact with a computer in a playful and exploratory rather
   than goal-directed way. "Whatcha up to?" "Oh, just hacking".
7. n. Short for hacker.
8. see nethack

your term "using things that weren't known" is rather vague and
imprecise.
a nickel's worth of free advice; if you are going to correct people,
make sure you do it in a precise, and accurate fashion.

> In those days it seems people had
> better perspective, and realised that hacking to get more
> computer time or for the challenge was more a misdemeanour than a
> federal offence. I still don't understand why a 14 year old
> breaking into a bulletin board system is investigated by the same
> law enforcement agencies that investigate drug cartels and
> matters of national security. The blame should be as much on the
> administrators not the hackers.

[cut text]

> Regards,
> Adam
> --
> No fate but what we make                | Adam Jenkins
>                                         | Phone: +61-3-252-6000
> Finger jenky@192.35.153.200 for PGP key | Email: adamj@mel.dbce.csiro.au

life sux sometimes, don't it...

--
Matt (the other one)
Don't murder a man who is about to commit suicide.
    -Machiavelli

------------------------------

Date:    Wed, 20 Jul 94 19:06:33 -0400
From:    matt%banksia@socs.uts.EDU.AU (Jas (Matthew K))
Subject: Re: Integrity Checking

sikkid@axpvms.cc.utexas.edu wrote:

> I saw a post a few days ago about the best and worst antivirus
> programs... I noticed that Vesselin stated that TBAV's integrity
> checker was "mediocre." I was just wondering why he said that, and
> what makes for a good CRC checker... I know a lot about viruses, but
> my knowledge of CRC calculation techniques is pretty limited...

CRC functions are very simple linear functions, so faking a CRC takes
about as much effort as calculating the CRC in the first place. The
mathematics behind it are quite simple, if you want a complete
dissertation to it, you can find the mathematics in quite a few good
FAQ files on CRCs from sci.crypt, or you can mail me for a copy if you
can't find one.

Basically the long and short of it is, CRCs are easy to fake (given a
few considerations). It is possible to do a few different kinds of CRCs
to try and foil this, but for the most part they are easy to fake.
> Regards,
> sikkid

hope this helped

--
Matt (the other one)
Don't murder a man who is about to commit suicide.
    -Machiavelli
And for you AARNet users... [insert dropped packets here]

------------------------------

Date:    Wed, 20 Jul 94 22:37:07 -0400
From:    haq@savage.umiacs.umd.edu ()
Subject: Few question regarding viruses

I have a few questions regarding computer viruses:

1. Can program infector viruses propagate via data file?
2. Is a virus that uses encryption known as polymorphic?
3. Does a stealth virus use encryption?
4. Can the interrupt vector table be modified by a virus?

Thanks in advance
Lee

------------------------------

Date:    Wed, 20 Jul 94 22:52:06 -0400
From:    hqurba1@umbc.edu (Hamid)
Subject: Need Help on research paper!

I am doing a research paper on computer virus ethics issue, I was
wondering where I can obtain best information. I have looked in most of
the books, but there is not much information in the books. If anyone
knows where I can obtain information please email to the below address.

Thanks in advance
Hamid.
hqurba1@gl.umbc.edu
--

------------------------------

Date:    Fri, 22 Jul 94 12:52:55 -0400
From:    Michael_D_Jones@ccm.hf.intel.com (Michael Jones)
Subject: Good sources for virus information

Hi all,

I'm wondering what would be good references for virus information?
Explanations of the types of viruses, as well as Trojan Horses, worms,
etc. What the different types do, how they do it. What a particular
virus does, how it does it, how to clean it, etc. I would like to
increase my knowledge of viruses and their methods, not to write them,
I hate programming with a passion, but rather on how they work and how
to get rid of them. Any recommended books, FTPable sources, documents,
programs, and/or databases would be greatly appreciated.

TIA
Michael D. Jones
Intel Corp.
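
[Added example, not part of the digest or of any poster's message.]
The "Re: Integrity Checking" reply above, and the later VALIDATE thread
in this issue, both rest on CRCs being linear. The Python below checks
that property for standard CRC-32 and shows the same relation failing
for a keyed cryptographic checksum. Assumptions: zlib's CRC-32 stands in
for "a CRC" (the posts name no polynomial), and the sample bytes, the
key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib


def xor_bytes(*parts: bytes) -> bytes:
    """XOR any number of equal-length byte strings."""
    size = len(parts[0])
    if any(len(p) != size for p in parts):
        raise ValueError("all inputs must have the same length")
    out = bytearray(size)
    for part in parts:
        for i, value in enumerate(part):
            out[i] ^= value
    return bytes(out)


def crc32_digest(data: bytes) -> bytes:
    """Standard CRC-32 (zlib/PKZIP polynomial) as 4 big-endian bytes."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "big")


def hmac_digest(data: bytes, key: bytes = b"constructed-demo-key") -> bytes:
    """HMAC-SHA-256: a keyed cryptographic checksum, shown for contrast."""
    return hmac.new(key, data, hashlib.sha256).digest()


def affine_relation_holds(digest, a: bytes, b: bytes) -> bool:
    """True if digest(a ^ b) == digest(a) ^ digest(b) ^ digest(zeros).

    This holds for every pair of equal-length inputs when the checksum
    is linear up to a length-dependent constant, as CRCs are.
    """
    zeros = bytes(len(a))
    combined = xor_bytes(digest(a), digest(b), digest(zeros))
    return digest(xor_bytes(a, b)) == combined


def predict_crc_after_change(stored_crc: bytes, delta: bytes) -> bytes:
    """CRC-32 of (file ^ delta), computed without reading the file.

    Only the stored checksum and the change itself are needed, which is
    why the effect of any modification on a CRC is fully predictable.
    """
    zeros = bytes(len(delta))
    return xor_bytes(stored_crc, crc32_digest(delta), crc32_digest(zeros))


# Constructed sample "file" and a constructed 8-byte change at offset 100.
ORIGINAL = bytes(range(256)) * 4 + b"constructed sample program image"
_delta = bytearray(len(ORIGINAL))
_delta[100:108] = b"\x13\x37\xc0\xde\x00\xff\x55\xaa"
DELTA = bytes(_delta)
MODIFIED = xor_bytes(ORIGINAL, DELTA)


def demo() -> dict:
    """Run the three checks on the constructed sample data."""
    stored = crc32_digest(ORIGINAL)
    return {
        "crc_is_affine": affine_relation_holds(crc32_digest, ORIGINAL, DELTA),
        "hmac_is_affine": affine_relation_holds(hmac_digest, ORIGINAL, DELTA),
        "prediction_matches": predict_crc_after_change(stored, DELTA)
        == crc32_digest(MODIFIED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For an integrity checker, the practical reading is that the stored value
should come from a keyed cryptographic function whose key the modifying
party does not hold.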
------------------------------

Date:    Sat, 23 Jul 94 13:58:52 -0400
From:    as316@freenet.carleton.ca (Michael McGuire)
Subject: ANSI bombs

I was wondering if anyone knew of a virus scanner/cleaner that can
clean something called an "ANSI bomb"? I was told that they can't be
found by most scanners, and I think there's one going around my area...

Thanks..

------------------------------

Date:    Mon, 25 Jul 94 17:42:30 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Good Viruses

AMERICAN EAGLE PUBLICATION INC. (0005847161@mcimail.com) writes:

> After reading the ongoing discussions about good viruses in virus-l, it would
> seem that some people will never agree on anything related to this subject.

Very probably.

> I would like to ask a question to some of the people who seem ready to attack
> any and everyone who suggests a good virus is possible: What criteria would y
> propose to qualify a virus as "good"?

How about "not causing damage and doing something wanted by the user"?

> At one end of the spectrum, I see people who say a virus is good if one can
> imagine a hypothetical use for it.

Ugh, I have yet to see somebody making such a ridiculous claim.

> At the other end of the spectrum, it seems
> there are some who take the stand that no virus is good.

Most people, that is. I, in particular, am saying that it depends on
what is defined as a virus.

> If you take the latter
> position then there isn't any point discussing the matter because it's already
> been decided as a postulate, an article of faith.

First, why should this apply only if you take the latter position? I
would say that this comment is just as valid if you take the former
position.

Second, what does "article of faith" mean? Most people consider
computer viruses to be bad because they are causing damage. Now, you
could say that believing that something that causes damage is bad is an
article of faith, but I would call it "common sense" - seems more
appropriate.
> Are you hard-liners trying to deal with viruses by postulating that they are
> bad, or is there SOME criteria which even you might use to agree that some
> virus is truly good?

I have collected a dozen reasons why computer viruses are considered as
bad. I have posted them here in the past, have them published in
EDPACS, but probably the easiest way to get them (and get the latest
version of them too), is from the last issue of "Alive", available from
our ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/alive/alive11.zip

Any virus that claims to be beneficial, must not contradict all the 12
conditions listed there. I have yet to see such a virus, BTW.

Of course, this all leads us nowhere in our discussion, because you
could still claim that those are "postulates", "articles of faith",
etc., while I will continue to claim that they are pretty natural
conditions, expressing a common sense.

> I don't think it's reasonable to say that
> such a virus should achieve a standard that is higher than what comparable
> non-viral software should achieve.

Yes, it *is* reasonable to pose such requirements. The non-viral
software does not replicate by itself. The viral software does, and
therefore more strident conditions for quality and control must be
applied on it - because it has the potential to cause damage much more
often and to a much greater extent.

> If you do that, then you are really saying
> there is no such thing as good software.

How did you reach this conclusion from the above? All we are saying is
that there is no such thing as good replicating software. :-)

> For example, saying that a piece
> of viral software must never cause problems with other software in order to
> be good is ignorant. There is no software that NEVER causes problems with othe
> software, at least not on PC's.

The normal software does not replicate by itself. The normal software
does not sneak in unauthorized on your machine.
The normal software does not interrupt you constantly, asking "hey, may
I install myself, please, please?". In short, even when normal software
causes damage involuntarily, this damage tends to be much more
restricted, than when the software causing it is self-replicating.
Therefore, stricter controls and requirements must be applied in the
latter case.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Mon, 25 Jul 94 17:34:20 -0400
From:    nthomas@cis.ohio-state.edu (Noble_Thomas)
Subject: Need help on research paper

I am doing a research paper, on an article that appeared in the May
1993 issue of Spectrum. It was on computer viruses and epidemiology.
Basically it talks about the spread of viruses. If anyone has any info
post it in this newsgroup or email me at nthomas@dorsai.dorsai.org.

------
Let's all kill our families       Duncan Macleod
Overthrow the government          The Highlander
Tear the temples down             nthomas@dorsai.dorsai.org
Walking the fine line between pagan and Christian
------

------------------------------

Date:    Thu, 21 Jul 94 07:00:33 -0400
From:    Stefano Toria
Subject: Titles of Books (Humour)

During my recent holiday on a Greek island I was sitting in a shop,
next to a shelf loaded with books for swap. Two titles attracted my
attention:

"The Armageddon Game" by Mark Washburn
and
"The Satan Bug" (can't remember the author)

Can one EVER go on holiday. :-)

------------------------------

Date:    Mon, 25 Jul 94 17:41:46 -0400
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Parity - B Virus on HPFS Partition (OS/2)

Thorsten Manegold (tnmanego@rrws1.wiwi.uni-regensburg.de) writes:

> McAfee Virusscan f.
> OS/2 V 2.02 reports a Parity - B Virus of drive D:
> on my System. I have 2 HD, which are partitioned as follows:
> 1st HD
>   1 MB Boot Manager
>  50 MB OS/2 System; HPFS in ext. Part. assgn. D:
> 170 MB Apps; HPFS in ext. Part. assgn. E:
>  10 MB Service HPFS in ext. Part. assgn. F:
> 2nd HD
> 120 MB DOS FAT in primary Part. assgn. C:
> Version 1.15 of Virusscan does not report it. Neither does Scan 2.00
> for DOS. So far there seem to be no symptoms of an Infection. So I

It could be a false positive. I don't recall right now whether
Parity_Boot.B can infect the secondary hard disk, but if it can, it
should be in its MBR and be detectable by most normal scanners. In any
case, it would be quite improbable that you have *only* your secondary
disk infected.

On the other hand, this virus is *very* widespread in Germany. It is
also stealth, and on some computers it can survive a warm reboot.
Therefore, make sure that you cold-boot from a clean system diskette
before checking your hard disk. Also, try another scanner - F-Prot
should detect this virus very well, and even remove it.

> I'd like to check with
> other Scanners, therefore could anybody tell me which are good and
> where to get them?

Try F-Prot 2.13, available from our ftp site (it is local for you):

ftp.informatik.uni-hamburg.de:/pub/virus/progs/fp-213.zip

> Furthermore if there really is a Virus, how do I
> go about removing it?

If there really is a virus and if it is really that virus, F-Prot
should be able to remove it. If it is not, drop me a message and we'll
see what we can do.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Wed, 20 Jul 94 05:28:29 -0400
From:    ykchung@Winkie.Oz.nthu.edu.tw (is2a)
Subject: TBAV 6.22's BUG?? (PC)

Hello! Every Virus Researcher!

I had gotten TBAV 6.22 from 130.161.156.11 last week. When I use it to
scan my hard disk, a strange thing happened. In the Windows 3.1 Chinese
Version, there is a file named win386.ps2, 852 bytes in length, stays
in \Windows\System. When I use

TBSCAN *.* hr

to scan the sub-directory, TBSCAN halts!!! It halts when the file
win386.ps2 is scanned. Anyone could help me? :p

Sincerely.
Jimmy Chung
--

------------------------------

Date:    Wed, 20 Jul 94 09:48:40 -0400
From:    moehlman@gelb.informatik.uni-bonn.de (Peter Moehlmann)
Subject: Re: Junkie virus (PC)

Hi !

No chance, no help to clean the infected files from this virus.
Does fprot 213 still work? Does clean XX still clean these files?

HELP !!!!!

Peter

------------------------------

Date:    Wed, 20 Jul 94 09:50:16 -0400
From:    mmedson@crl.com (Michael Edson)
Subject: 4DOS 5.0f triggers TBAV 6.22? (PC)

I just downloaded Thunderbyte 6.22 and ran a scan on my hard drive. All
sorts of heuristic alarms went off when it scanned 4DOS 5.0f
(4dos.com). Earlier versions of TBAV did not do this. Just to play
things safe, I deleted 4dos.com, rebooted from a clean floppy, and
downloaded a fresh copy of 4dos. Same alarms. The TBAV documentation
shows that 4DOS 4.0a will trigger the alarms, but is silent as to my
version. Have I done what it takes to be sure that this is a TBAV
problem, and not a virus?

--
Michael Edson
mmedson@crl.com

------------------------------

Date:    Wed, 20 Jul 94 12:17:22 -0400
From:    dwburger@rocky.ucdavis.edu
Subject: Yankee Doodle Virus? (PC)

I'm looking for information on a virus known as the "Yankee Doodle"
virus. Does it exist? If so, can anyone lead me to a source for a
scanner to detect it?

Thanks in advance for any help.
Dave

------------------------------

Date:    Thu, 21 Jul 94 05:46:26 -0400
From:    mark@tidos.tid.es (Mark Gemmell)
Subject: Help! - Does my PC have a virus? (PC)

My PC spontaneously reboots from Windows about once every 3 days. It
always does it when I'm not typing or doing anything. I've run the
Microsoft Virus checker but I don't know if that is a reliable checker.

Any help seriously appreciated (good virus checkers or symptoms to look
for etc.)

...mark...
mark@tid.es

------------------------------

Date:    Thu, 21 Jul 94 06:05:55 -0400
From:    udptech@uwa.edu.au (Denis Brown)
Subject: Re: F-Prot 2.12 won't scan C: with Lantastic (PC)

I've just assumed that F-Prot was network-unaware, 'cause I've always
had similar results (LANtastic 2.x through to 5.0 at present). If you
redirect drives to yourself (i.e. net use k: \\mypc\c-drive) then you
can check k: as a network drive. It would be nice to be able to use
f-prot in a more friendly fashion though, because it's a great product.

Denis

------------------------------

Date:    Thu, 21 Jul 94 10:13:23 -0400
From:    tomb@bedford.progress.COM (Tom Barringer)
Subject: Want info on "Stoned 4" (PC)

I work in a software retail store. A customer came in a few days ago
reporting that Microsoft Antivirus was indicating that he had a virus
named "Stoned 4", but that Norton, Central Point, and McAfee Scan were
not detecting it. I suggested it was a false positive, but he insists
that several of his files are being visibly corrupted and that new
files of 77 bytes are being created. I gave him F-PROT 2.12, which also
apparently did not detect a problem. (No, I didn't sell it to him, I
_gave_ it to him. :) )

I've asked him to provide me with some disks in an attempt to recreate
the problem (my machine is currently between operating systems, so a
virus won't be a problem for me.) I see "Stoned.June_4th" and
"Stoned.8" in virus lists but no "Stoned 4". Does anyone know anything
about this?

--
Tom Barringer : Progress Software Corp.
: The Tall Conspiracy is looking
QA Development : 14 Oak Park : for members. Please see the
tomb@progress.com : Bedford, MA 01730 : recruitment flyer posted on
GEnie: T.Barringer : #include : the top of your refrigerator.
HREF="ftp://ftp.progress.com/tomb/tomb.html"

------------------------------

Date:    Thu, 21 Jul 94 14:27:17 -0400
From:    Blaine.Delancey@lambada.oit.unc.edu (BlaineDeLancey)
Subject: "Horse" virus? (PC)(Anywhere else?)

Has anybody got information on the "Horse" virus? A friend of mine
reported detecting it, I think with PC Tools Antivirus(?), and I
thought I'd heard of it, but can find no mention in the various lists
here. I can get more info if needed.

Blaine
--
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Launchpad is an experimental internet BBS. The views of its users do
not necessarily represent those of UNC-Chapel Hill, OIT, or the SysOps.
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

------------------------------

Date:    Thu, 21 Jul 94 19:39:53 -0400
From:    "E. Ashley Holgate"
Subject: Re: Excelent virus program! (PC)

Jon,

I work on a Banyan network and have only had 3 viruses in the 2 1/2
years i have worked there and they were all found by MS-Anti virus. One
day we are going to get caught with our pants down and not be able to
recover. Does this work on a Net and if not how much RAM does it take
to run as a TSR if it is.

Ashley

------------------------------

Date:    Thu, 21 Jul 94 19:41:23 -0400
From:    "E. Ashley Holgate"
Subject: Re: Anti-Virus for VINES Networks (PC)

Julio,

as i thought not too many people want to speak about Banyan Vines. I am
an administrator of a 120 user single server network. We have cc:Mail
and use Word 2.0 and 6.0 and Excel. I am not of much help on your
question but wanted to touch base with you to see if there are any jobs
down your way? I lived in If you have time give me a call.
1-800-723-4223 x224 or leave me an E-Mail

------------------------------

Date:    Thu, 21 Jul 94 21:00:48 -0400
From:    matt%banksia@socs.uts.EDU.AU (Jas (Matthew K))
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Olivier Montanuy (montanuy@lsun75.cnet) wrote:

> Motivation:
> VALIDATE.COM and VALIDATE.EXE are currently used to authentify the
> files contained in McAfee shareware packages, so as to prevent any
> insertion of virus or trojans while they stay on public BBS or FTP
> servers. They are inadequate and may be misleading.
> ******** This is a warning for users of McAfee shareware packages ********
> I have a method to cheat *both* these programs: as an example,
> I included in this post an uuencoded .ZIP archive containing two files:
> * one is TV.COM (Tiny View, a public domain file viewer, author???)
> * the other one is TV_SPOIL.COM. A copy of TV.COM in which I inserted
> a trojan horse (err...well, you'll see what I mean if you have a look
> at the file content :-)
> VALIDATE.COM and VALIDATE.EXE should report the same checksum and length.
> ( on my PC at least :-)
> I won't publish the source code or the executable of my cheating program,
> and I will not discuss details of the cheating method, except with
> McAfee associates or trusted comp.virus contributors (if they care :-)
>
> Technical note:
> VALIDATE.COM performs a double 16-bit CRC and VALIDATE.EXE a 32-bit
> (and somehow unorthodox) CRC. The cheating method use only simple polynom
> arithmetic. The main program routine is 10 lines of C code, and could be
> reduced to a hundred bytes of machine code (but who would bother?)
> Temporary counter measure:
>
> I don't have a replacement of VALIDATE.COM and VALIDATE.EXE.
> Anyway, it should be sufficient to authentify only the length of
> the files in the compressed package (using 'pkunzip -l').
> As a matter of fact I seriously doubt it is feasible to modify
> a file without affecting either the normal file length, or the
> compressed file length, or the compression method.
> Olivier Montanuy
> Telecom Paris, France
> montanuy@inf.enst.fr
> Included files:
> (uudecode and pkunzip this)
> [Moderator's note: ...with all due caution.]

CRCs (for the most part (at least non cryptographic ones)) are linear
functions. so therefore faking them is *VERY* easy. One way to use CRCs
for heuristic checking (CRCs are very fast which is why they are used)
is to use more than one CRC hash value (is this the correct term for
it?) or to use other methods as well as the CRCs (aka crypto CRCs or
use a non standard CRC method (such as Fletcher's Sum) which is just as
fast).

there is a CRC faq floating around somewhere, and Dr Frobbs has dealt
with the issue a few times, as far as not releasing the code that fakes
the CRCs, i think you're wasting your time, anyone who has a college
level understanding of maths and the CRC faq should be able to figure
out mathematically how to fake a CRC, and even without this knowledge
any programmer worth his salt could play around with a CRC code
generator (such as VALIDATE.EXE and VALIDATE.COM), and find a way to
fake them.

to find out about CRCs crypto methods, you only need to read a few
simple books on crypto and have a moderate understanding of polynomial
and integer maths.

--
Matt (the other one)
Don't murder a man who is about to commit suicide.
    -Machiavelli

------------------------------

Date:    Fri, 22 Jul 94 06:11:37 -0400
From:    cca07@cc.keele.ac.uk (Tim)
Subject: Info on KANPANA-A virus please. (PC)

Hi all,

We've had some run ins with this boot sector virus. Could somebody
please mail me some information on how it is spread and what effects it
has on a PC system, running MSDOS.
thanks in advance,
Tim

+------------------+----------------------------------------------------+
| Tim Simmonds     | email : cca07@keele.ac.uk                          |
| Computer Centre, +----------------------------------------------------+
| Keele University, Keele, Staffordshire, England, United Kingdom.      |
+-----------------------------------------------------------------------+
| Definition : Expert [ex-spurt] - a has-been and a drip under pressure.|
+-----------------------------------------------------------------------+
| Time flies like an arrow but fruit flies like a banana !              |
+-----------------------------------------------------------------------+

------------------------------

Date:    Fri, 22 Jul 94 07:01:57 -0400
From:    Henrik Stroem
Subject: Re: Types of viruses??? (PC)

Iolo Davidson writes:

> Every formatted PC floppy contains an executable.

Nope. "Every" is a bit too strong a word. Every PC floppy formatted by
a "normal" format program contains an executable. I have however seen
floppies containing zeroes where there usually is code, and with the
data area intact. But I don't think I've ever seen a program that makes
such diskettes. Most floppies start with a short jump, but it is not
required in order to use the floppy for storage.

Even more important: There is no need for an executable to be present
on a formatted floppy disk for a virus to infect it. The virus doesn't
usually check whether the first sector contains code, but just puts
itself in place, so it gets executed if the floppy is booted from.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date:    Fri, 22 Jul 94 17:01:40 -0400
From:    hex@cix.compulink.co.uk ("Robert Schifreen")
Subject: Re: Network virus protect (PC)

Intel's product works as an NLM so that, if an infected file is copied
across the LAN, the operation is stopped and the operator is alerted.
Dr Solomon, and McAfee, and others, have similar products.
It's better to use a program like this on a LAN, rather than simply
running stand-alone scanners on the workstations. Doing both, of
course, is even better.

R.

------------------------------

Date:    Fri, 22 Jul 94 20:35:09 -0400
From:    panther!jaguar!cmeli@relay.iunet.it (Clyde Meli)
Subject: SMEG.Queeg, SMEG.Pathogen virus writer caught (PC)

The following is taken from a Maltese newspaper, The Times of Friday,
July 22, 1994. The report is provided from Reuters.

TITLE: Computer Virus Author Caught

British police said they had caught a man alleged to have written three
damaging computer viruses and they appealed for victims to contact
them.

A member of the London-based police computer crime unit said a man from
the port town of Plymouth, southwest England, had been charged and
released on bail awaiting trial in November.

The viruses, Queeg, named after a character in a television science
fiction series, Pathogen and Germ, destroy data on a computer's hard
disk and can disable the external disk drive, meaning victims have to
take their computer apart to fix it.

Once triggered, the viruses display a message on the computer screen:
"Smoke me a kipper, I'll be back for breakfast... Unfortunately some of
your data won't."

The computer unit officer said the viruses, which industry specialists
have called the nastiest they had seen, used codings designed to avoid
detection by standard anti-virus programs.

Police are investigating how far the viruses, first detected in
February, have spread and how much damage they have done. (Reuter)

------------------------------

Date:    Fri, 22 Jul 94 22:34:02 -0400
From:    kenney@netcom.com (Kevin Kenney)
Subject: Tamsui/Christmas-1694? (PC)

Ran into the virus F-Prot 2.13 calls Tamsui and can disinfect, and that
Nav 3.0 with 7/94 definitions (30a09) calls Christmas-1694 (the correct
file size increase) and can't disinfect. VirHunt 4.0D did not detect
this virus.
I don't see references to this in the MSDOSVIR files or VSUMX 4.01

Can somebody send some background data? The virus does contain the
plaintext string 'Merry Christmas and happy new year! Written from
Tamsui Oxford college'

Thanks in advance,
KpK
=========================
KILL THE PARANOIDS                A Public Service Message, making paranoids happier,
All standard disclaimers: apply!  by letting them know that they are right.
:o -> :> kenney@netcom.com

------------------------------

Date:    Sat, 23 Jul 94 05:31:46 -0400
From:    ola@dragon.vhc.se (Ola Larsson)
Subject: Network virus protect (PC)

> Newsgroups: comp.virus
> From: jjb18@columbia.edu (Jeremy J. Blumenfeld)
> Sender: virus-l@lehigh.edu
> Date: Fri, 15 Jul 1994 05:42:15 EDT
> Hello,
> We are going to be installing Novell 3.12 in a computer lab of about
> 80 computers in the upcoming weeks. We are concerned about viruses
> spreading through the network. Anybody have info on programs to use?
> In the past we have used F-Prot with a fairly good record on
> stand-alone machines, but I am not sure what additional dangers there
> are now that we will be on a LAN.
> One product recommended was Intel's Landesk Virus Protect v2.1.
> Anyone have info/experience with this?
> posts or email

I would suggest that you look at McAfee Netshield instead of using
Intel's Landesk Virus Protect! Why? Well it's a very good program and
McAfee's knowledge about Virii is Very good and they are almost market
leader in this market so ...

B'speak'n't'ya',
Ola Larsson - Team OS/2, EMEA DAP
Dragons Nest PCBoard // PCBoard File & Info Net World HQ 249:249/100
Fidonet: 2:205/212 Virnet: 9:461/112 & 9:99/461
Internet: ola@dragon.vhc.se
. Windws is ine for bckgroun comunicaions - Bll Gats, 192
---

------------------------------

Date:    Sat, 23 Jul 94 08:57:07 -0400
From:    indy@netcom.com (Indiana Jones)
Subject: NAV 3.0 update files (PC)

Does anyone know of a FTP site with NAV 3.0 update files that were
written AFTER May '94?
I thought that rzsun2.informatik.uni-hamburg.de was supposed to carry
all of Symantec's anti-virus upgrades, but it looks like no one carries
an update more current than nav30may.zip. :(

Any assistance would be GREATLY appreciated!

Thanks,
Indy J.

------------------------------

Date:    Fri, 22 Jul 94 16:21:47 -0800
From:    "kent norman"
Subject: Flash BIOS infector? (PC)

Are there any viruses that infect a flash BIOS? If the disk used to
write (flash) a new BIOS was infected, could it embed itself into the
new BIOS? If embedded in the new BIOS, it seems it would be impossible
to remove since any new flashes would be after the computer loaded the
bad BIOS and before reading the floppy with the new BIOS code.

Thanks
Kent Norman

------------------------------

Date:    Fri, 15 Jul 94 17:53:51 +0200
From:    Patrick_Noyens@f0.n462.z9.virnet.bad.se (Patrick Noyens)
Subject: TBAV621 THUNDERBYTE AV (PC)

The new release from ThunderByte AV, TBAV621.zip seems to give wrong
heuristic descriptions, they do not match with the heuristic flags
which are shown during the scanning process. So for example complains
the log-file about missing ANTI-VIR.DAT signatures (heuristic flag C)
while these are there (created by tbsetup). Furthermore gives the
heuristic scanning the flag 'h', what means that the files are hidden
or system files for normal files which are not hidden nor system files.

The strange thing about this is that these 'wrong descriptions' only
appear in the log file and not during the scanning process.

Has anyone seen the same problems ?? I am using this product already
for several years, but I have never seen such garbage on my screen
before !!!
Warmly
Patrick Noyens

- --- FLAME v1.1
 * Origin: CIS-InFoServ (Tm) Belgium -= VFC & ISDN Mailers =- (9:321/701)

------------------------------

Date: Mon, 25 Jul 94 17:41:59 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New AV software (PC)

Steve Tamanaha (stevet@fujitsu.com) writes:

> Windows files are "uninfectable" because normally when they get infected, it
> causes windows to crash and you notice the virus.

This is not universally true. There are several Windows-specific viruses, which understand the NewEXE format and infect the Windows applications properly.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev  Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226  Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:42:12 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Killed the Monkey Virus (PC)

Jeremy J. Blumenfeld (jjb18@columbia.edu) writes:

> > Monkey virus removal
> >
> Some Discussion Deleted.
> > 1) Boot from a clean diskette
> Quick question: Does this need to be the exact same version of DOS
> which the Hard drive was formatted with?

It depends. It depends on what you are going to do next. In the case of Monkey, the best next move is to run a virus-specific remover, so all you need is to boot a DOS version that can access your hard disk (e.g., DOS versions below 3.31 won't access partitions larger than 32 Mb, but even this is not very important in this case, because this particular virus is not in the DOS partitions, and several scanners will be able to detect and remove it, even if DOS is unable to access the partitions).

If you intend to do FDISK/MBR, all you need is a DOS version 5.0 or above, regardless of which DOS version your hard disk is formatted with.
If you intend to do a SYS C: (in order to remove a boot sector virus, as opposed to a master boot sector virus for which the FDISK/MBR trick is used), then you *must* boot from exactly the same DOS version as the one your hard disk is formatted with.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev  Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226  Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:42:05 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Modified Stoned???? (PC)

Ing. Carlos R. Guevara L. Tel. 36-1311 ext 221 (cguevara@ns.usma.pa) writes:

> We have recently suffered a flooding of [Stoned] Virus messages
> on our computers. We are running many kinds of Anti-virus programs
> but mainly Mcafee's version 116. Scan shows the [Stoned] virus
> present in high memory when booting from many hard disks, yet
> when you boot with a clean disk and run scan nothing is found neither
> in the boot sector nor on a file.

SCAN does a miserable job when it comes to virus identification. The above message could mean any of the following:

1) You have some virus which might be a Stoned variant.

2) You have some virus which might be completely unrelated to Stoned.

3) You are running another scanner (probably a memory-resident one) which does not encrypt its scan strings, thus causing a ghost false positive to SCAN.

4) You could have some kind of security system, (e.g., asking for passwords), which, for some reason, conflicts with SCAN and the latter just happens to find in it the scan string that it uses to detect the Stoned viruses.

5) Something else.
> The only other sign that we have a virus (a very obvious sign) is
> that every so often a message window appears on the screen interrupting
> whatever activity was going on.....The message says.
> Roger Espejo
> Mensaje 1.12
> Lima - Peru.

Hm... Could be a virus, or a joke, or something else. Check the contents of your CONFIG.SYS and AUTOEXEC.BAT files. Rename those files to something else and reboot your machine. Does the message still appear?

> I've tried searching the disk sector by sector for the strings
> on the message (Using DiskEditor) but can't find a thing.

It could be encrypted. Also, search the files referenced in CONFIG.SYS and AUTOEXEC.BAT for the same message.

> No anti-virus program has been able to find the trace of the
> virus in the disk.

If it is a virus, then it is a new one, so the above is not surprising.

> I've tried reformatting the disk and nothing. I have narrowed it
> down to being in the boot sector but can't find it in there.

Try booting from a clean floppy with DOS 5.0 or above, make sure that you can still access the hard disk (e.g., "DIR C:"), and run FDISK/MBR. Then boot from a clean floppy with the same operating system as the one installed on your hard disk, and run SYS C:. This should take care of anything present in the boot sectors.

> I will try tomorrow to infect a few floppies to see what changes
> occur to the boot sector. Then try erasing it from the sector.

Well? What happened?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev  Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226  Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:41:53 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: How to save a boot sector (PC)

Steve Tamanaha (stevet@fujitsu.com) writes:

> How can you save a boot sector on to disk. (if you suspect a virus
> and want to upload it to the anti-virus companies system for them
> to inspect it?)

For instance, you could use Norton's Disk Editor - from the Norton Utilities package. Assuming that you have a relatively new version, select the drive containing the infected floppy, press Alt-B to read the boot sector, then Alt-W to save it in a file. If the infected disk is a hard disk, you should also use Alt-A and then Alt-W to save the partition table in a file.

If you don't have this product, and if you have a real need to save the boot sector to a file, drop me a message and I'll guide you through the process of doing it with DEBUG.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev  Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226  Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:42:23 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Mosquito Viruses (PC)

Bernie Monette (bmonette@porpoise.oise.on.ca) writes:

> You argue precociously. However, it has been a common practise
> to use genetically altered insects, ergo beneficial, to eradicate
> or reduce the harm of the same species: locusts I think is one
> example. This method works and is environmentally safe. So why
> not try a similar tactics with computer viruses? *Viral* action
> performing necessary tasks on a computer. All we have to do is
> develop the programming skills to do so.
Because the current infection techniques, even if they do nothing else but spread the virus, are still harmful. There *are* replication techniques which are not, if used with the due care; see some other articles from me posted here, in which I am describing the usage of worm-like mechanisms for automatic distribution and update of anti-virus software. Indeed, after careful examination, most people wouldn't call such programs "viruses".

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev  Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226  Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:42:37 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Rosenthal Virus Simulator (PC)

Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

> First I'm surprised the moderator/sensor posted your message. My
> own experience at attempts to participate in open technical
> discussions on virus-l having been censored were quite
> disappointing. That is why I've not only (attempted) posting this
> message on virus-l, but to you directly as well.

> [Moderator's note: Why are you surprised that I approved Dr. Cohen's
> posting? Although lengthy, his opinions were well formed and civil.
> There's no restriction against posting controversial opinions! I
> generally only reject unrelated (to the topic of viruses) submissions,
> virus code (source or binary), and uncivil postings.]

One additional restriction that Ken has not mentioned above, is that requests and offers for viruses (e.g., virus exchange) are also rejected. I believe that *this* was the reason why your articles were suppressed in the past. I hope that they will be again, if you attempt to advertise your viruses there. I see that Mark Ludwig is posting too.
I have nothing against him taking part in the discussions, but hope that he will not attempt to advertise his CD-ROM with viruses, virus-writing book, or virus-writing newsletter, because it is my understanding that this forum is *not* for such things.

> It is certainly possible to write a virus which serves a useful
> function, but doesn't violate anyone's copyright or system
> integrity.

Even if this were true, it wouldn't be sufficient to call such a virus "beneficial" or even "harmless".

> I have written such a useful virus and have made it
> publicly available as shareware (see VIRSIM2C.ZIP) for over a

And I thought that this is not a place for virus advertisements... Anyway, as I have explained to you many times, your viruses (there are two of them, actually) are not harmless. You are distributing malicious code to your users. You are distributing the MtE - attached to your viruses - and by doing this you are a shame for all shareware producers. Also, it is trivial for any hacker to modify your viruses in a way to suit his needs, and even possibly to include intentionally destructive functions. Therefore, you are providing to the maliciously inclined people easy means to transport their malicious code. I certainly wouldn't call such actions "commendable".

In the beginning I was ready to give you the benefit of the doubt - having in mind your "simulated viruses", I was ready to think that your actions are caused by simple incompetence. However, since then I (and several others) have explained to you multiple times how harmful your actions are, and you are still persisting with them. Therefore, I must conclude that you are doing it intentionally and with malicious intents in mind. That is, you are a virus writer and distributor.

> year now with very positive response from its users.

This is irrelevant. First of all, most users do not have the technical knowledge to correctly assess the damaging potential of your product.
Second, I am certain that there are people who give a "positive response" to those who run virus exchange BBSes too. There are enough people around who enjoy causing mindless damage, and people like you and Mark Ludwig are just helping them.

> The virus I'm referring to is part of my complete Virus Simulator
> package and is described in the documentation file as the MtE
> supplement.

First, the so-called Virus Simulator package is a misnomer, because the "simulated" viruses generated by it are not viruses at all - just collections of scan strings, stolen from other people's scanners. So, a better name for it would be "Generator of Random Scan String Containers" - but this doesn't sound as sexy. Second, the real MtE viruses you are talking about are present (fortunately) only in the registered version, so at least not that many people get access to them. But this also means that you are selling viruses, which is ethically wrong.

> The Virus Simulator MtE supplement not only requires the users
> permission before infecting a file, but it will only infect
> programs that the copyright holder (me) has supplied and
> authorized. It discourages tampering, and verifies its own
> integrity and that of its host program before infecting it.

In simple words: any hacker worth his salt, can modify the virus, removing all "safeguards" just in a matter of minutes, using DEBUG. Then he can easily add his own damaging routines, or (not so easily) extract the polymorphic engine and use it in his own viruses.

> Virus Simulator continues to be quite popular for the purpose it
> was designed and its users continually report that the MtE
> supplement performs a very useful function that they appreciate.

Many users "appreciate" Mark Ludwig's book and CD-ROM with viruses, but this of course does not mean that they are good things. And neither is your package. Please, stop advertising it here.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev  Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226  Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  22527 Hamburg, Germany

------------------------------

Date: Mon, 25 Jul 94 17:31:30 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: fp-213.zip - Version 2.13 of F-PROT virus scanner/cleaner (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
fp-213.zip  Version 2.13 of F-PROT virus scanner/cleaner

Version 2.13 - major changes:

Boot sector virus disinfection was improved. Viruses that do not preserve the original boot sector can now be removed by overwriting them with "generic" code. The same method is available for viruses where virus-specific disinfection has not been implemented yet.

Version 2.13 - the following problems were found and corrected:

Some minor false alarms were fixed:

"..possibly a new variant of Wisconsin" in SURPRISE.COM.
"..possibly a new variant of Pit" in BLOCKCUR.COM
"..possibly a new variant of Civil_Defense" in CSP.SYS and PALETTE.COM

F-PROT did not find all instances of the Natas and Freddy viruses - that was fixed, and disinfection of Natas added as well.

Version 2.13 - minor improvements and changes:

When instructed to scan a single hard disk partition, for example by giving the command "F-PROT C:", the scanner will now also scan the boot sectors of other hard disk partitions. The reason for this change is that in the case of a boot-virus infected DoubleSpace partition, the virus is located on a drive the user may not even be aware exists.

When searching for user-defined patterns, F-PROT will now report all patterns it finds in any file, instead of just the first one.
A new return code was added (see COMMAND.DOC) - Errorlevel 8 means that some suspicious files were found, but no infections.

Version 2.13 - new viruses:

The following 51 viruses are now identified, but can not be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of..."

Bad_Brains (554.A, 554.B and 570) Budo.B Burger (505.K, 505.L, 505.M, 505.N, 512.B, 560.AO, 560.AP, 560.AQ, 560.AR, 560.AS and 560.AT) Fasolo.176 Faulkner Grog (Aver_Torto, Bruchetto, Delirious, Hop and Il_Mostro) HLLO (3816, Gov, Novademo.C, Orion, and Shadowgard) Jasmine Leprosy (Anarchy.469, Sandra, Seneca.381, Seneca.483, Tazmanian.1973, Tazmanian.2197, Tazmanian.2209 and Tazmanian.2276) Lockjaw (Flagyll.316, Flagyll.369) Mayhem Morrison Orchid.120 Taiwan.752.C Trivial.Infernal VCL (356, 418 509, 541, Cockroach and Jam) Vienna (526 and 561.B)

The following 181 new viruses can now be detected and removed. Many of these viruses were detected by earlier versions, but are now identified accurately.

_339 _571 _641 AntiCMOS.B Arale Ash.449 Australian_Parasite (118.A, 122.A, 213, 217, 221, 229, 482, 588, 591, 726, 784, 1024, 1050 and 1179) Better_World.E Cascade (1701.Q, 17701.R, 1704.T and 1704.U) Chaos_Year.2005 Chill Creeper.472 Curse_IV Dark_Avenger (1800.Satan and Shyster) Diamond.1050 Doom_II.1249 Ear (Ear.B and Ear.C) Espacio (8444, 8458, 8491 and 8498) Father_Mac Fax_Free (1024.Abstract, 1024.F, 1024.G, 1024.H, 1536.Mecojoni.A, 1536.Mecojoni.B, 1536.Mecojoni.C, 1536.Darkover.A, 1536.Darkover.B, 1536.Darkover.C, 1536.Pinniz.E, and 2766) Freddy_Soft Frodo.Fish_6.E Fumble.867.F Genesis (501 and 504) Genvir.1440 Grog (Danzerino, Enmity_2_1, Joe_Anthro and Joemetafora) Helloween.1063 HLL.7940 Icelandic.655 Infector (847.A and 847.B) Ionkin.212 IVP (April and Dread) Jerusalem (1506, 1808.Execute, 1808.Frere.I, 1808.Standard.AO, AntiCad.2454, AntiCad.26256, Pipi.1536, PSQR.Satan, Smile, Solano.Dyslexia.Satan, Sunday.Nai-Tai, Sunday.Satan, Sunday_II.B and Tarapa.B) Jest.2464 Jihuu.686 Julia.1027 Junkie Keeper.Lemming Khizhnjak.642 Lesson_I.306 Lockjaw (493 and 894) Lyceum.1950 Maaike (164, 250 and 757) Marzia (L and M) Max Mayberry (402, 409, 475, 496, 502, 609, 687, 732, 747, 758, 799 and 828) MP1024 November_17th.864 Nympho.230 Old_Yankee (1961.B and 1961.C) Oxana.1719 Phalcon.Cloud.1110 PHB.4461 Phunnie Pixel (739, 846.B, 851 and 1268) Polifemo Proto-T.Ritzen.1098 PS-MPC (212, 606.D, Arcv-1.731, Small_ARCV.B, G2.573.C, G2.Dread, Pikninny, Powermen.717, Powermen.718, Ranger.423, Screen_Save, Tim.405 and Tim.500) Quadratic.986 RedStar Screaminf_Fist.927 SillyCR.397 SMEG (Pathogen and Queeg) SNA Stardot.1100 Storm.1219 Storyteller Suriv_2.I Taiwan_Over (2770 and 2944) Tankard.542 Totoro (B and C) Trakia.570 Traveling_Jack.1008 Trident.914 VCL (355, 514, 534, 604, 660, 2750, 3243, Blue_Moon, Dial.671, Diarrhea.1221, Heevahava.516, Mimic.4863, Pro-Choice and Reptoid) VCS.Standard.Bad_Poem Vic.399 Vienna (608.B, Violator.707 and Violator.779 Virdem.1336.Killer.C 
VS.2790 Wave.454 Wildfire Xak

The following 26 new viruses are now detected but can not yet be removed.

_484 Alien ARCV.255 Australian_Parasite.440 Mike Moonlite MzBoot Number_of_the_Beast (BG and Y) PS-MPC.Page.780 Rape (1182 and 2887) Rubbit (681, 1018, 2060.A, 2060.B, 3811, 3839.A and 3839.B) Screen+1 (919 and 1624) Shoo.2824.B Skater.664 Skynet Svc.3241 Variable_Worm.C

The following 7 viruses which were detected by earlier versions can now be removed.

Bravo Gippo (Bumpy, Epidemic and Stunning) LZR Reverse (A and B)

The following viruses have been renamed, in order to make F-PROT follow the CARO naming standard as closely as possible.

Cossiga -> Grazie

Uploaded by the author.

Fridrik Skulason
frisk@complex.is

------------------------------

Date: Thu, 21 Jul 94 14:16:54 -0400
From: "David M. Chess"
Subject: IBM Computer Virus Information Center updates

Vesselin Bontchev mentioned a paper by Jeff Kephart that he was interested in (Jeff will be responding to Vess' specific questions). I thought this'd be a good time to mention that the paper, and other interesting stuff, is available on our gopher server to gopher and www users; the URL for the menu with the papers in it is (probably)

gopher://index.almaden.ibm.com:70/1VIRUS/MENUS/VIRPAP.70

the paper citation is

J. O. Kephart, "A Biologically Inspired Immune System for Computers", to appear in Artificial Life IV, R. Brooks and P. Maes, eds., MIT Press, 1994.

and the root of the IBM Computer Virus Information Center is

gopher://index.almaden.ibm.com:70/1VIRUS/VIRUS.70

We have a few papers (we've just gotten IEEE permission to post some more, so Watch That Space), descriptions of 100+ viruses, Joe Wells' WildList, our own ten-most-common lists for various months, press releases about IBMAV and anti-virus technology, and so on. All gophers and spiders are welcome! *8)

- - -- -
David M. Chess                | Don't forget: some of us
High Integrity Computing Lab  | *like* tape hiss!
IBM Watson Research           |

------------------------------

Date: Mon, 25 Jul 94 17:32:55 -0400
From: Mikko.Hypponen@wavu.elma.fi (Mikko Hypponen)
Subject: bull-213.zip - ASCII version of F-PROT 2.13 Update Bulletin (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus
bull-213.zip  ASCII-version of F-PROT 2.13 Update Bulletin

ASCII-version of the F-PROT Professional 2.13 Update Bulletin.

F-PROT Update Bulletins contain information about the current virus situation globally. Every time a new version of F-PROT Professional is published, it is accompanied with a new Update Bulletin. Bulletins are published on paper in A5 format.

Update Bulletins are published by Data Fellows Ltd of Helsinki, Finland. Data Fellows Ltd is the publisher of F-PROT Professional Anti-Virus Program in Scandinavia, Asia, Africa and most of Europe. They can be reached via e-mail at f-prot@datafellows.fi

Articles in this issue of the Update Bulletin
=============================================
Microsoft chooses F-PROT Professional
News in Short
 - Electronic Support Services
 - A Virus Instruction Guide Published in France
 - Onwards the Evolution
New Viruses In the Wild
 - Jumper
 - Junkie
 - SMEG
 - J&M
A Closer Look at the Global Virus Situation
 - Virus Situation in South Africa
 - Virus situation in Japan
Creating a Virus Prevention Strategy with F-PROT Professional
Feature: False Alarms
Dark Side of the Moon: What Motivates Virus Writers
F-PROT support informs: Common Questions and Answers
Changes in F-PROT Professional 2.13

Uploaded by a member of the F-PROT Professional Support Team.
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date: Wed, 20 Jul 94 18:05:48 -0400
From: mikael@vhc.se (Mikael Larsson)
Subject: Announcing a new FTP Site

Hello!

I just wanted to inform you all of a new site, well, the site is not new but the antivirus-section of the site is.

The machine is named: ftp.sunet.se
Machine IP number : 130.238.127.3
Main Antivirus DIR : /pub/pc/Antivirus

Current user limit is 110 users at a time, soon the machine will be replaced and will handle up to 400 users at a time

You can find mcafee files, virus-l, icaro files, docfiles etc. Most of the popular files.

I am managing the antivirus section, so please email me at this address if you want to ask something or so.

MiL, mikael@vhc.se
Virus Help Centre
- ---
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre   Phone : +46-26 275740  Internet: mikael@vhc.se
Box 244             Fax   : +46-26 275720  Minicall: 0746-393334
S-811 23 Sandviken  BBS #1: +46-26 275710  FidoNet : 2:205/204, 2:205/234
Sweden              BBS #2: +46-26 275715  Auth. McAfee Associates Agent
- - send mail to pgpmil@vhc.se for automated reply with my public pgp key -

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 61]
*****************************************
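
Added example, not part of the digest or of any poster's message: once a boot sector or master boot sector has been saved to a 512-byte file as described in the "How to save a boot sector" post, this Python sketch checks the 55 AA signature, tells the two sector kinds apart, decodes the partition table, and reports which region differs from a known-good copy. The function names and the sample sector bytes are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE        # four 16-byte entries precede the signature
SIGNATURE_OFFSET = 0x1FE         # last two bytes of a valid sector are 55 AA
LIMIT_32MB = 32 * 1024 * 1024    # partition size DOS below 3.31 cannot access


def parse_partition_table(sector):
    """Decode the non-empty partition entries of a master boot sector image."""
    entries = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + 16 * index
        # boot flag, (CHS start skipped), type, (CHS end skipped), start LBA, size
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0:
            continue
        entries.append({
            "index": index,
            "active": boot == 0x80,
            "flag_ok": boot in (0x00, 0x80),
            "type": ptype,
            "start_lba": start,
            "sectors": count,
            "over_32mb": count * SECTOR_SIZE > LIMIT_32MB,
        })
    return entries


def inspect_sector(data):
    """Summarise a saved 512-byte boot sector or master boot sector."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(data)))
    # A DOS boot sector starts with a jump over its BIOS parameter block,
    # whose bytes-per-sector field sits at offset 11.
    has_jump = data[0] == 0xE9 or (data[0] == 0xEB and data[2] == 0x90)
    bytes_per_sector = struct.unpack_from("<H", data, 11)[0]
    partitions = parse_partition_table(data)
    if has_jump and bytes_per_sector in (512, 1024, 2048, 4096):
        kind = "dos_boot_sector"
    elif partitions and all(p["flag_ok"] for p in partitions):
        kind = "master_boot_sector"
    else:
        kind = "unknown"
    return {
        "signature_ok": data[SIGNATURE_OFFSET:] == b"\x55\xaa",
        "kind": kind,
        "partitions": partitions if kind == "master_boot_sector" else [],
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def changed_regions(saved, reference):
    """Name the regions in which a saved sector differs from a known-good copy."""
    regions = (("code", 0, PART_TABLE_OFFSET),
               ("partition_table", PART_TABLE_OFFSET, SIGNATURE_OFFSET),
               ("signature", SIGNATURE_OFFSET, SECTOR_SIZE))
    return [name for name, lo, hi in regions if saved[lo:hi] != reference[lo:hi]]


def build_sample_mbr(code=b""):
    """Constructed sample: one active type-06h partition of 204800 sectors."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, 0x80, 0x06, 63, 204800)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    reference = build_sample_mbr(code=b"\xfa\x33\xc0")   # constructed bytes
    saved = build_sample_mbr(code=b"\x90\x90\x90")       # constructed bytes
    print(inspect_sector(saved))
    print("regions changed:", changed_regions(saved, reference))
```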