VIRUS-L Digest   Tuesday, 9 Aug 1994    Volume 7 : Issue 63

Today's Topics:

Re: ARJ-, ZIP-viruses ?
Easy to write trojans?
On making money from viruses
Re: Virus Simulators
Virus Threats - MFs and Minis ??
RE: list of viruses
RE: Is there a computer virus WWW home page anywhere?
Re: Mosquito viruses
Virus Prevention & CAD
Virus warning (PC)
FDISK and multiple Hard Drives (PC)
Re: New Super-virus "Junkie" (PC)
Michelangelo -> (phantom?) Teletype (PC)
TBSCAN false alarm (PC)
HELP: trying to find cure for an unknown virus (PC)
do you recognise these symptoms (PC)
How to remove Joshi. Read carefully. (PC)
Jack the Ripper; will F-PROT's "vstop" prevent damage? (PC)
Computer slow down/ reads disk A each c: access/ JUMPER? (PC)
Natas virus (PC)
Re: "AntiCMOS" virus cleaner? (PC)
Re: "AntiCMOS" virus cleaner? (PC)
NLM Scanner Query (PC)
Filler Virus problem (PC)
How can I retrieve data from a virus infected hard drive? (PC)
Re: Search for FTP site (PC)
Strange messages. (PC)
Re: Mosquito Viruses (PC)
Re: Q/A about Norman Virus Control (PC)
How bad is FORM? (PC)
Re: Stealth.B Pain (PC)
Re: SBC virus? (PC)
Re: virus 1028 Bytes need help (PC)
Re: Virus scanner name/source?? (PC)
Virus Source code on CD ROM? (PC)
"AntiCMOS" virus cleaner? (PC)
TBAV for Windows (PC)
Re: Virus: Forms (PC)
UNDETECTED th-th VIRUS!!! (PC)
fp-213a.zip - Version 2.13a of the F-PROT anti-virus program (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 25 Jul 94 21:11:04 +0200
From: Arjan_Van_Der_Werf@f7.n315.z9.virnet.bad.se (Arjan Van Der Werf)
Subject: Re: ARJ-, ZIP-viruses ?

>>>> Quoting Fridrik Skulason to All <<<<
>>>> Subject: Re: ARJ-, ZIP-viruses ? <<<<

FS> no...f-prot scans inside compressed executables (DIET/PKLITE/LZEXE),
FS> but not inside archives. We are considering adding scanning of .ZIP
FS> and .ARJ files, however...

Hello Mr. F-prot (just kidding)

That would be great, I now use Thdpro 10b for that purpose.

By the way, I think F-prot is great; I use it besides TBAV (which I have
registered) just to be sure, because an extra scanner never hurts, right?

Greets,

Arjan van der Werf
The Netherlands.

.. Go ahead...MAKE MY DOWNLOAD!!!
___ Blue Wave/QWK v2.12

- --- Maximus 2.01wb
 * Origin: DISCOVERY BBS * Apeldoorn/Holland * +31-55-431332 * (9:315/7)

------------------------------

Date: Tue, 02 Aug 94 01:22:52 -0400
From: ar314@freenet.carleton.ca (Eric Benoit)
Subject: Easy to write trojans?

You must realize how easy it is to actually make a trojan. I mean, I
don't make them, but anyone can; a simple one, in QuickBasic:

' This Virus Will not Do Anything If created
IF LEFT$(DATE$,2)="08" THEN Goto Doit
SHELL "THEGAME.EXE"
END
Doit:
' This vvv Is where you would put something bad, EG DELTREE or whatever
SHELL " "
PRINT
PRINT "Sucker..."
PRINT
END

You would compile and name this RUN.EXE, and you can put it in a game
package, game's name: THEGAME.EXE...It would go off any time in August..

Hope this is ok Mr. Moderator, just giving my two cents..
Cya
- --
: Little Willy feeling bright,      ar314@freenet.carleton.ca
: Bought a stick of dynamite.       eric.benoit@f539.n163.z1.fidonet.org
: Curiosity seldom pays,            ebenoit@ocean.pinetree.org
: It rained Willy for seven days!   RO=Read Only R/W=Read and Write

------------------------------

Date: Tue, 02 Aug 94 08:24:14 -0400
From: rreymond@VNET.IBM.COM
Subject: On making money from viruses

Hi,

Vesselin wrote:

>BTW, does anybody have a probable conjecture why the virus writers
>that want to make money from their viruses come mostly from the USA?
>Doren Rosenthal, Mark Ludwig, John Buchanan... There must be some
>social reason, like for the widespread creation of sophisticated
>viruses in the East European countries...

Law kind? At present, even if I wrote and sold some viruses, I could not
do it (legally speaking). Our (Italian) law forbids distributing viral
code for any reason. BTW, that raised some time ago a question about how
I can send and/or receive samples to/from other researchers/technicians.

.............................................Bye!
..................................................Roberto
- -----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond            IBM PSP - Computer Emergency Response Team Italy
RREYMOND@VNET.IBM.COM      Circonvall. Idroscalo
RREYMOND at VNET           20090 Segrate (MI)
ITIBM99K@IBMMAIL.COM       MI SEG 526 Italy
.........Phone +39.2.596.25244 Fax +39.2.596.29587..............
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980) *
***********************************************************************

------------------------------

Date: Tue, 02 Aug 94 10:25:19 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Simulators

iolo@mist.demon.co.uk (Iolo Davidson) writes:

>publishers. "Virus Bulletin" unfortunately sometimes appears to snipe
>at one particular well known anti-virus researcher and publisher

Only in the editorial column, I think ...and I have no control over that.

>I am technical editor and regular columnist in "SECURE Computing".

- -frisk (the technical editor of the Virus Bulletin).

------------------------------

Date: Tue, 02 Aug 94 12:38:58 -0400
From: ax647@freenet.carleton.ca (Marcel St. Pierre)
Subject: Virus Threats - MFs and Minis ??

I am looking for info on the threats to mainframes and minis. This
includes trojans, virii (sp?), bombs and any other software based
threats which can be encountered in those environments. The interaction
between MFs, minis and PCs is of interest to me as well. I've
downloaded the FAQs from this group and am generally looking for that
type of info for starters.

Thanks to all who reply,

Marcel St. Pierre
- --

------------------------------

Date: Tue, 02 Aug 94 14:33:21 -0400
From: mandrake@netcom.com (Wakko Singer)
Subject: RE: list of viruses

Is there an FTP site that would have detailed info about the different
viruses and how they work (non-technical)? I've seen the lists that say
"Boot sector virus" but I'd like to know what makes each virus
different, etc.

- --
================================================================
Lance "Singer" Druger      | "Never challenge a guy who owns a catapult to a
mandrake@netcom.com        |  snowball fight"
ldruger@s1.csuhayward.edu  |       -Hagar the Horrible
=================================================================

------------------------------

Date: Tue, 02 Aug 94 18:38:14 -0400
From: Dennis.Clouse@ucop.edu (Dennis Clouse)
Subject: RE: Is there a computer virus WWW home page anywhere?

On Tue, 12 Jul 94 19:57:24, dave@lydia.bradley.edu (David Rybolt) asked
if any anti-virus-related WWW home pages exist.

If memory serves, you might want to try:

IBM ALMADEN, http://index.almaden.ibm.com/1virus/virus.70

which (I think) gets you to Watson High Integrity Research Lab and
pointers to Purdue's CERT and CIAC alerts, virus descriptions, etc. ...
perhaps David Chess could verify this (indeed I seem to recall that he
was the one that mentioned it)?

------------------------------

Date: Tue, 02 Aug 94 22:37:05 -0400
From: bmonette@porpoise.oise.on.ca (Bernie Monette)
Subject: Re: Mosquito viruses

Date Wed. July 6, 1994
From: bmonette@porpoise.oise.on.ca (Bernie Monette)
Subject: Mosquito Viruses

Dennis Clouse (Dennis.Clouse@ucop.edu) writes:

>We consider mosquitoes a threat...we eradicate them without
>considering the guilt or innocence of *individual* mosquitoes...
>ditto the alleged 'beneficial or 'nondestructive' computer
>virus.

You argue precociously. However, it has been a common practise to use
genetically altered insects, ergo beneficial, to eradicate or reduce the
harm of the same species: locusts I think is one example. This method
works and is environmentally safe. So why not try similar tactics with
computer viruses? *Viral* action performing necessary tasks on a
computer. All we have to do is develop the programming skills to do so.

Cheers,

Bernie Monette

------------------------------

Date: Tue, 02 Aug 94 23:30:36 -0400
From: bsemtner@autodesk.com
Subject: Virus Prevention & CAD

This in part pertains to the Good vs Bad Virus "Discussion".

In doing tech support we have on regular occasions had drawings
"lost"/destroyed by software which is trying to help users keep out all
virus attacks/infestations, whether good or bad. As far as we can
determine, CAD drawings, due to their binary nature, will at some time
resemble a virus; hence the user is saved from their work, much to their
horror (count the dollars lost), by TSR protection. Hence in LEC T/S
Australia we recommend no TSR virus protection.

Is anyone willing to make recommendations on these occurrences, as some
sites do require TSR protection and do use CAD?

NOTE: This doesn't affect all drawings, but it is difficult to tell what
will be affected and why, as the drawing is lost, hence no analysis can
be performed. It doesn't appear to trigger non-TSR scanners, probably
due to the fact most people only scan .exe & .com files.

Bernie Semtner
LEC Technical Support
Autodesk Australia
bsemtner@autodesk.com

These opinions are my own and do not necessarily represent those of my
employer or the organization as a whole. They are based on day to day
findings/dealings as opposed to formal policy.

------------------------------

Date: Thu, 28 Jul 94 07:58:11 -0400
From: Norman Data Defense Systems A/S
Subject: Virus warning (PC)

We have discovered an infected file which has been spread on Usenet in
the group 'alt.binaries.pictures.erotica'. The virus is called
Chaos4/kohntark 697, and is a com/exe infector. No current scanners seem
to be able to detect it yet.

A detector/disinfector routine is available in the file
'virus-warning.zip', which has been uploaded to several sites
(wuarchive.wustl.edu, ftp.funet.fi, ftp.informatik.uni-hamburg.de etc.)

Sincerely,
Kristian A. Bognaes
Norman Data Defense Systems

------------------------------

Date: Thu, 28 Jul 94 23:04:25 -0400
From: joenj1@aol.com (JoeNJ1)
Subject: FDISK and multiple Hard Drives (PC)

Is there a method to use the undocumented DOS command FDISK /MBR to
restore the Master Boot Record on multiple hard drives? A customer had
an MBR infector on his machine, which had a hard drive and a Hard Card
as the D: drive. FDISK /MBR was able to restore the boot record on his
C: drive, but we are concerned whether the virus had infected his D:
drive. The virus scanner used had reported a variant of the Stoned
virus which could not be removed via disinfection methods. An alternate
method, such as the use of Norton Utilities, would also be acceptable.

Thanks!
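[Editor's added example, not part of the digest or any poster's message.
The FDISK /MBR question above is really a question about how to verify
that each physical disk's master boot record is what it should be. The
script below parses a 512-byte MBR, validates the 0x55AA boot signature,
walks the four partition entries, and compares the 446-byte boot-code
region against a saved baseline hash, checking each disk separately,
since every physical disk carries its own MBR. The sample sectors,
disk names and baseline values are constructed for the demo; nothing
here is read from a real drive.]

```python
"""Boot-sector integrity check for one or more disks (added example).

The MBR layout used here is the standard one: bytes 0..445 hold boot
code, bytes 446..509 hold four 16-byte partition entries, and bytes
510..511 hold the 0x55 0xAA signature. Keeping a hash of the code region
per disk lets you tell a rewritten or tampered MBR from the baseline
even when the partition table is untouched. All disk images below are
constructed sample data, not captures from real hardware.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446          # boot code occupies bytes 0..445
PART_TABLE_OFF = 446    # four 16-byte partition entries follow
SIG_OFF = 510           # little-endian word 0xAA55 ends the sector


def parse_partitions(sector):
    """Return the four partition entries as dicts (CHS fields skipped)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status = sector[off]
        ptype = sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def has_boot_signature(sector):
    return struct.unpack_from("<H", sector, SIG_OFF)[0] == 0xAA55


def code_hash(sector):
    """SHA-256 of the boot-code region only; the partition table is excluded."""
    return hashlib.sha256(sector[:CODE_LEN]).hexdigest()


def check_mbr(sector, baseline_hash):
    """Return (ok, findings) for one disk's MBR against its saved baseline."""
    if len(sector) != SECTOR_SIZE:
        return False, ["sector is not 512 bytes"]
    findings = []
    if not has_boot_signature(sector):
        findings.append("missing 0x55AA boot signature")
    if code_hash(sector) != baseline_hash:
        findings.append("boot code differs from saved baseline")
    bootable = [p for p in parse_partitions(sector) if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions (expected 1)" % len(bootable))
    return not findings, findings


def check_disks(sectors_by_disk, baselines_by_disk):
    """Check every physical disk on its own; each has its own MBR and baseline."""
    return {disk: check_mbr(sec, baselines_by_disk[disk])
            for disk, sec in sectors_by_disk.items()}


def build_sample_mbr(code_fill):
    """Constructed sample: placeholder boot code plus one bootable FAT16 entry."""
    code = bytes([code_fill]) * CODE_LEN
    # status 0x80, CHS start, type 0x06 (FAT16), CHS end, LBA start 63, 65536 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x00", 63, 65536)
    return code + entry + bytes(16) * 3 + b"\x55\xaa"


# Constructed sample data: a clean MBR and one whose code region was rewritten
# while the partition table was left intact.
CLEAN_MBR = build_sample_mbr(0x90)
TAMPERED_MBR = build_sample_mbr(0xCC)
BASELINE = code_hash(CLEAN_MBR)   # what a baseline taken on a known-clean disk would hold

if __name__ == "__main__":
    results = check_disks({"disk0": CLEAN_MBR, "disk1": TAMPERED_MBR},
                          {"disk0": BASELINE, "disk1": BASELINE})
    for disk, (ok, findings) in results.items():
        print(disk, "OK" if ok else "FINDINGS: " + "; ".join(findings))
```

The point of hashing only the code region is that a restored or
tampered MBR normally keeps the partition table, so a whole-sector hash
would give the same answer but a code-only hash makes it obvious which
part changed; the partition-table sanity check (exactly one bootable
entry, signature present) catches the cases where the table itself was
damaged.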
------------------------------

Date: Thu, 28 Jul 94 23:16:56 -0400
From: joenj1@aol.com (JoeNJ1)
Subject: Re: New Super-virus "Junkie" (PC)

nhirsch@panix.com (Norman Hirsch) writes:

>Does anyone have information on the "JUNKIE" virus.....

The Junkie virus can be detected and removed by the latest version of
F-PROT, according to the documentation. F-PROT has always been very
reliable. You would want F-PROT 2.13. You could try the following
anonymous ftp site: oak.oakland.edu, under the directory
/pub/msdos/virus, along with other sites dedicated to virus
issues/software.

------------------------------

Date: Fri, 29 Jul 94 01:50:06 -0400
From: cgordon@vpnet.chi.il.us (gordon hlavenka)
Subject: Michelangelo -> (phantom?) Teletype (PC)

Well, I dug out a pretty well-established Michelangelo infestation.

The original complaint was "My B: drive doesn't work". This evolved into
"My floppy drive has a virus". The problem was only a week old.

So I went and took a look at this poor "infected" floppy drive. Sure
enough, every floppy I put in the B: drive produced a beep and a message
saying that Michelangelo was in the boot sector. Until I put in one of
_my_ disks...

The A: drive is 3.5", the B: drive is 5.25". EVERY 5.25 disk (1000's!)
in the place was infected with Michelangelo! How could this happen in
only a week? Easy: it couldn't. What _did_ happen a week ago was that
the computer which was complaining got PCTOOLS (and hence CPS Vsafe)
installed. So it was only now complaining about the infection which had
been present for probably over a year.

There are four computers here; only one had Michelangelo on the hard
drive (and a 5.25" A: drive :-) the other three were clean. (BTW, the
one with PCTOOLS was not the infected one.) Cleaned the hard drive with
McAfee 117; no problem.

But, as I went through about 2 dozen floppies, I found a few which
(after having Michelangelo cleaned) now popped positive for Teletype
- -- but only on Vsafe. IOW, if you try to pull up a directory of this
disk you get a complaint from Vsafe saying that Teletype is present.
Running Scan 117 elicits more complaints from Vsafe (which is still
resident) but Scan itself reports the disk is clean.

This problem is repeatable, and present on 3 out of 24 or so 360K
floppies which had been cleaned of Michelangelo. The rest of the disks
come up clean according to both Vsafe and McAfee 117.

Is this a false positive for Teletype? Is Teletype maybe present on all
those disks we thought were now clean? Should we remove Vsafe while
running McAfee Scan? If so, why does Scan find Michelangelo with Vsafe
installed but not Teletype?

Feel free to post -- I read this group -- but please reply by email also
as my site does not receive some groups (comp.virus is one of the worst)
reliably.

- --
- ----------------------------------------------------
Gordon S. Hlavenka                cgordon@vpnet.chi.il.us
Proud father of Daniel Scott born August 9, 1993

------------------------------

Date: Fri, 29 Jul 94 13:29:44 -0400
From: stevet@fujitsu.com (Steve Tamanaha)
Subject: TBSCAN false alarm (PC)

If anyone has problems with the VIRSCAN updates and TBSCAN (i.e. EXEPACK
Virus, PKLITE Virus, etc.) try removing COMPRSCA.DAT... that file is
only for HTSCAN.

- -jims@fsba.com

------------------------------

Date: Fri, 29 Jul 94 15:48:24 -0400
From: jwt55187@uxa.cso.uiuc.edu (Jeffrey W. Thompson)
Subject: HELP: trying to find cure for an unknown virus (PC)

I am looking for anyone who has knowledge of a virus that fits the
following description, and whether there is a cure for it.

When Windows is booted, or rather started up, the system hangs. If
anyone tries to write over the system.ini file, the system hangs. If
any .ini file is edited, the system hangs.

Does anyone know of a virus that acts in this fashion? Or if there is a
cure? Help is desperately needed as it is infecting several machines.

Please email me any responses.

Sincerely,
Jeff Thompson
jwt55187@uxa.cso.uiuc.edu

------------------------------

Date: Sun, 31 Jul 94 18:22:28 -0400
From: catgirl@netcom.com (The Cat's Meow)
Subject: do you recognise these symptoms (PC)

Hi there. I think the PC I am using may be infected with a virus that
isn't recognised by the Norton Virus checker (the only anti-virus
software we have).

OK, here are the specifics.

System: LMA 386
Running: DOS 5.00

Symptoms: When the user was in WordPerfect, he saved and then printed a
file. The file saved onto floppy (B drive), and then failed to print. At
this point, after the print request was made, all keys produced nothing
but a click, and no echo to the screen. All keypresses failed, until I
tried ALT-N (it might have been; I was hitting key combinations pretty
fast), where the screen cleared, and printed '666' at the top of the
screen.

This sounds very much like a virus, but my software can't detect it.
Any ideas on what it is, how to remove it?

Replies by email please, and I will summarise on here if I get a
solution.

Thanx

------------------------------

Date: Sun, 31 Jul 94 18:22:35 -0400
From: "Dr. Te\7th"
Subject: How to remove Joshi. Read carefully. (PC)

	There is a computer lab on campus that has no virus protection on
their computers whatsoever. Unfortunately, use of this lab is required
for a class I'm taking (the class is taught in the lab). Recently,
before consciously realizing that they had no virus checking on their
computers, I brought my work disk home and did some work.

	After one or two incidents where accesses were taking way too
long, I checked for a virus with McAfee Associates virus scan, and found
two copies of the Joshi/Drop virus on my hard disk. No matter how many
times I reboot and clean from a clean, write-protected floppy, a
powerdown/reboot/rescan always shows that there are still two instances
of Joshi on my computer.

	I've heard that this virus is just a prank and that on one date
or another it will do something weird, then remove itself from my
computer. If this is the case, what date is that?

	Otherwise, how the hell can I get this thing off my computer?
Working in the computer labs here on campus, I've never had this much
trouble removing Joshi with the same virus cleaner. I can't see why it
is such a problem now.

	rOn

- --
............../\/\/\/\/\................  The usual disclaimers
............./\......./\................  apply anywhere you can
.../\/\/\.../\......../\.../\./\/\/\....  find a sticky spot.
../\..../\./\........./\../\/\....../\..     - RonB@cc.usu.edu
./\..../\../\......../\../\......../\...  "Where the 'stuff of life' is
/\/\/\/\.../\......./\../\......../\....  raining out of the skies...
/\...../\.../\/\/\/\/\../\......../\.....    - Dr. Carl Sagan.

NOTICE: The above disclaimer translates as follows: Any
ideas/requests/desires/fetishes/opinions/flames/code/brainstorms/mental
hernium (sp?)/and kinky mathematical, geological, or algorithmic
concepts are not the fault nor the concern of my employer. He knew
nothing about them when he hired me. =]

------------------------------

Date: Mon, 01 Aug 94 12:49:01 -0400
From: Tom Neuhauser
Subject: Jack the Ripper; will F-PROT's "vstop" prevent damage? (PC)

Someone mentioned that F-PROT v12.c will remove Jack the Ripper but
warned that files might still be damaged. But I'd like to know if
F-PROT's "vstop" will prevent damage by stopping the action of Jack the
Ripper? Or will "vstop" halt the virus after some damage has been done?

Regards,
Tom

- --------------------------------------------------------------------
Tom Neuhauser, UW-Stevens Point, WI     | "I may be chasing an untamed
715-346-3058  tneuhaus@worf.uwsp.edu    |  ornithoid without cause."
- -----------------------------------------------------> Lt. Data, STN

------------------------------

Date: Mon, 01 Aug 94 12:57:38 -0400
From: cx801@cleveland.Freenet.Edu (Sebastien Chamboredon)
Subject: Computer slow down/ reads disk A each c: access/ JUMPER? (PC)

Hello,

How can I remove the JUMPER (FRENCH_BOOT) virus? Each time there is a
file access, the computer is very slow (it's looking on disk A). Is it
Jumper?

Thanks,
SC
- --

------------------------------

Date: Mon, 01 Aug 94 15:52:21 -0400
From: elpiner@beast.cs.hh.ab.com
Subject: Natas virus (PC)

Can anyone provide information on the Natas virus?

thank you
phil

------------------------------

Date: Mon, 01 Aug 94 16:44:48 -0400
From: sandoz@ismennt.is (Einar Sverrir Sandoz)
Subject: Re: "AntiCMOS" virus cleaner? (PC)

tweaver@cs.UMD.EDU (Tom Weaver) writes:

>The University of Md (including the dept I work in, botany) has had an
>outbreak of a virus identified as "AntiCMOS" by fp-212, and "lenart" by
>CPAV. CPAV claims to clean it - does anyone know anything about the virus
>and if other packages can clean it off (I don't wanna buy CPAV just for
>this)? It seems pretty nasty...
>Tom Weaver
>

I got this (my 1st) virus while on the IRC and had no other means than
to remove the battery for a while.

Einar.

------------------------------

Date: Mon, 01 Aug 94 16:50:40 -0400
From: sandoz@ismennt.is (Einar Sverrir Sandoz)
Subject: Re: "AntiCMOS" virus cleaner? (PC)

Newsgroups: comp.virus
Subject: Re: "AntiCMOS" virus cleaner? (PC)

tweaver@cs.UMD.EDU (Tom Weaver) writes:

>The University of Md (including the dept I work in, botany) has had an
>outbreak of a virus identified as "AntiCMOS" by fp-212, and "lenart" by
>CPAV. CPAV claims to clean it - does anyone know anything about the virus
>and if other packages can clean it off (I don't wanna buy CPAV just for
>this)? It seems pretty nasty...
>Tom Weaver
>

I got this (my 1st) virus while on the IRC and had no other means than
to remove the battery for a while.

Einar.
------------------------------ Date: Mon, 01 Aug 94 18:06:33 -0400 From: Iolo Davidson Subject: NLM Scanner Query (PC) hazen@phoenix.cs.uga.edu "Mark" writes: > We're trying to decide what would be the best all-around Novell NLM to > license for our campus to manage active virus scanning. We're testing > both Central Point's NLM, as well as Net-Prot (F-Prot's offering). Try Dr. Solomon's Anti-Virus Toolkit for Netware, too. Recent tests in Virus Bulletin indicates it has a better detection rate than Net-Prot (99.1% on standard test set, 100% on in-the-wild test set and 96.2% on polymorphic test set, as opposed to 89.5%, 78.9%, and 0.4% for Net-Prot). I haven't seen an equivalent test for CPAV's NLM, but the DOS version is not well regarded. > We require > the following features: > > -Active scanning of all executables run from or stored on > the network machine Yes, on-access scanning of files stored on both network and workstation disks, including floppies, both files and boot sectors. I assume this is what you mean by "active". > -Daily scheduled scan of the network machine Yes. > -Automatic removal of questionable materials to a safe > directory Yes, also automatic disinfection or deletion. > What we'd -like- is: > > -Daily scans of all user machines during login, maybe more > than daily for those who log in frequntly. Yes. > -Passive scans of files and the system; i.e. when the system > has a low load, maybe background scanning of all files or > archives The scheduler can scan at set times, dunno about triggering a scan by load level. Not sure what you mean exactly by "passive". The NLM scanner works in the background. > -Bells and whistles Lots. Disclaimer: I wrote part of Dr. Solomon's Netware toolkit, but am no longer employed by this company. 
- -- I'VE READ NOW THAT I SHAVE THESE SIGNS I'M GLAD I DID SINCE JUST A KID Burma Shave ------------------------------ Date: Mon, 01 Aug 94 18:23:39 -0400 From: Iolo Davidson Subject: Filler Virus problem (PC) Matias_Piccione@south-america.notes.pw.com writes: > I restarted mi PC, and run Scan 115 a couple of times, but again the > following message was displayed: > > "Scan detected Filler virus resident in memory. Please turn off your > computer and re-boot from a clean write protected diskette to > evaluate the hard disk damage" If it only reports the virus the second time you run it, it is probably finding search strings it left in memory the first time you ran it. That is, it is probably finding its own database of virus recognition code. - -- I'VE READ NOW THAT I SHAVE THESE SIGNS I'M GLAD I DID SINCE JUST A KID Burma Shave ------------------------------ Date: Mon, 01 Aug 94 20:54:27 -0400 From: pengatay@nevada.edu (PENG ANN TAY) Subject: How can I retrive data from a virus infected hardrive? (PC) I have a problem with my hardrive after being infected by monkey. The error of invalid media type after the virus being clear. Would anyone help me to find a solution for it. I will be appreciated for it. I need to retrieve some information from the it. Thanks! Please send me some informatin, I e-mail address: pengatay@nevada.edu ------------------------------ Date: Tue, 02 Aug 94 07:21:32 -0400 From: gcluley@sands.co.uk Subject: Re: Search for FTP site (PC) pnd2@ukc.ac.uk (Premkumar N Devadson) wrote: >Hi there n-surfers >was just wondering if there is a site available for scanners >from Dr. Solomons'... Hi Prem Dr Solomon's Anti-Virus Toolkit is a commercial anti-virus package developed by S&S International, and is thus not freely available via ftp. We do provide the latest driver files to registered customers on CIX (the UK equivalent to CompuServe), and on our company BBS. 
However, it is important to also update the executable engine (FINDVIRU.EXE) as well as the driver files - otherwise you might be missing some viruses. If you're not already a registered customer you can contact our Sales team on +44 (0)296 318700. Regards Graham - --- Graham Cluley [gcluley@sands.co.uk] Product Specialist, S&S International PLC, Alton House, Dr Solomon's Anti-Virus Toolkit Gatehouse Way, Aylesbury, Bucks S&S International PLC +44 (0)296 318700 ------------------------------ Date: Tue, 02 Aug 94 08:51:53 -0400 From: mudge@titan.ucs.umass.edu (Miskatonic Gryn) Subject: Strange messages. (PC) A friend of mine has had an odd problem with his computer. After installing a program, I believe it was a virus-checker of all things, the C prompt on his 486 was altered to 'Bom-Squad!C:\>', or something along those lines. Having not seen this in person, this is the most information I can give, save for the fact that the colors on the screen were altered as well. This is not a constant problem for him, and I believe has only happened once. Any information would be greatly appreciated. - - M. Gryn ------------------------------ Date: Tue, 02 Aug 94 08:54:13 -0400 From: David_Conrad@MTS.cc.Wayne.edu Subject: Re: Mosquito Viruses (PC) bmonette@porpoise.oise.on.ca (Bernie Monette) writes: >Dennis Clouse (Dennis.Clouse@ucop.edu) writes: >>We consider mosquitoes a threat...we eradicate them without >>considering the guilt or innocence of *idividual* mosquitoes... >>ditto the alleged 'beneficial or 'nondestructive' computer >>virus. > > ...it has been a common practise > to use genetically altered insects, ergo beneficial, to eradicate > or reduce the harm of the same species: locusts I think is one > example. This method works and is environmentally safe. So why > not try a similar tactics with computer viruses? > Because insects reproduce sexually, whereas computer viruses reproduce asexually. 
The genetically altered insects which are released are sterile, and they work because the insects which try to reproduce with them waste their efforts, and this controls the population of insects. This only limits the population, it cannot by itself wipe out a species of insect, since some of the fertile ones in the wild always manage to find some of the other fertile ones. It is wholly inapplicable to computer viruses which, as I mentioned above, reproduce asexually. But I suspect that you were referring not to using modified versions of existing viruses, but rather to creating totally new viruses that seek out and destroy existing viruses. This is not a new idea. There are, in fact, certain viruses currently in the wild which do this. But it has never been shown that this manner of seeking out viruses is any more effective than the conventional anti-virus software. On the other hand, there are many difficult problems associated with this approach. David R. Conrad David_Conrad@mts.cc.wayne.edu ab411@detroit.freenet.org P.S. As a challenge to all you virus researchers out there, design a species of virus which would reproduce sexually. Each instance should have a 'gender', and it should take two to tango, and a fascinating option would be to have different features and the features possessed by any one instance would depend on the features its parents had. ------------------------------ Date: Tue, 02 Aug 94 10:21:13 -0400 From: Norman Data Defense Systems A/S Subject: Re: Q/A about Norman Virus Control (PC) After reading Mr. Bontchevs reply to Mr. Guffey, I find it appropriate to make a few comments: >Guffey, Steven W. (sguffey@pafosu1.hq.af.mil) writes: > > Has anyone used/evaluated this product? > >Yes, I have. However, the copy given to us by Norman suddenly stopped >working with a message "This DEMO version has expired". 
Since we do >not evaluate crippleware, test results for it will not be included in >the comparative scanner tests that we are about to publish. I could >share with you my overall impressions of the product, however. I mean, >the one I got while it still worked. Mr. Bontchev: I think I made it clear that the version I handed to you at CeBit was a limited demo version. If you want a complete package for comparative testing, we will be happy to express-mail you one. > If so, what did you think of it? > >A moderately useful product. Contains a scanner, resident scanner, We don't have a resident scanner. We think behaviour blocking is the way to go as far as resident routines are concerned. >behaviour blocker, and boot sector restoring program. Does not contain >an integrity checker, unless you classify the boot sector restoring >program in this category. We do have three routines included in the package, which will detect self-infection and boot-sector infection by integrity checks. They're called 'Canary'. > > They claim to be able to detect 99%+ viruses. Has anyone been able to test > this claim? > >Rubbish. Their detection rate is about 75%. Better than NAV 3.0 but >worse than McAfee's SCAN. I suspect the 99% figure comes from our latest NCSA certification test. We detected more than 99% of the April-collection of the National Computer Security Association, which gave NVC ver. 3.42 a certification. The test results can be verified by calling NCSA at (717) 258 1816. The outcome of such tests are of course dependent on which virus collection is being used. However, 75% is quite wrong. Please refer to the latest Virus Bulletin for a more objective test. >Also, they used to claim to be TOAST - "The Only Anti-virus Software That >detects Statan Bug". Too bad that they can't substantiate their claims. How would you like us to prove it? At the time we made the claim, none of the better known current scanners would detect Satan Bug. 
I can get you the exact date and the name of the other products that we tested if that helps. >There might be programs that detect this virus reliably, but this one is not >one of them. Talking about unsubstantiated claims... I don't think we have missed one yet. >The virus infects also device drivers, but the scanner does not look for it >there. I will have to give you that one. One of our earliest versions that had support for Satan Bug, did miss some .SYS-files because of a bug. This has been corrected long time ago, however. Sincerely, Kristian A. Bognaes Norman Data Defense Systems ------------------------------ Date: Tue, 02 Aug 94 10:29:20 -0400 From: rreymond@VNET.IBM.COM Subject: How bad is FORM? (PC) Mike Murphy wrote: >I have been hearing rumors of some Super-Monster virus called FORMS. Ahem... If you mean FORM, well, it's not exactly that monster, at least is nothing but a little waste of time... Unless you have as primary partition on your hard disk an OS/2 HPFS partition. In this case, FORM represents a real danger. But only in this case, and a bit on *very full* disks. .............................................Bye| ..................................................Roberto - ----------------------------------------------------------------------- * All the above are my own opinions, not necessarily shared by IBM * *********************************************************************** Roberto Reymond IBM PSP - Computer Emergency Response Team Italy RREYMOND@VNET.IBM.COM Circonvall. Idroscalo RREYMOND at VNET 20090 Segrate (MI) ITIBM99K@IBMMAIL.COM MI SEG 526 Italy .........Phone +39.2.596.25244 Fax +39.2.596.29587.............. 
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980) *
***********************************************************************

------------------------------

Date: Tue, 02 Aug 94 10:37:28 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Stealth.B Pain (PC)

jmccarty@spd.dsccc.com (Mike McCarty) writes:
>This critical attitude is unworthy of the bandwidth it used in
>transmission. I would rather see you offer helpful suggestions, esp. to
>the people at Central Point, encouraging them to improve their product.

Oh..boy...now you really managed to annoy Vesselin, I guess....you cannot
imagine how unresponsive CP has been to his suggestions in the past.

>If Mark Ludwig actually published the source for a virus, and did not do
>so with the intent that others use it for illicit purposes, but rather
>to educate the public at large, then:

Educate ...huh.... as far as I can see his only interest is simply to
make money.

- -frisk

------------------------------

Date: Tue, 02 Aug 94 10:41:43 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: SBC virus? (PC)

mhsalmon@descartes.uwaterloo.ca (Mark Salmoni) writes:
>I have a virus called SBC that has infected all my .com files
>I have disinfected all my files but it will not leave my command.com
>files and if I delete those files my system will be non-functional

Replace COMMAND.COM with a copy from a different machine (but same DOS
version) and disinfect the other files.

The most interesting thing about the SBC virus is its name ... it is
taken from the initials of a person who accidentally released it....but
the company forgot to tell the anti-virus companies that received a
sample about this...
- -frisk

------------------------------

Date: Tue, 02 Aug 94 10:44:44 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: virus 1028 Bytes need help (PC)

moehlman@gelb.informatik.uni-bonn.de (Peter Moehlmann) writes:
>I have this virus which is 1028 Bytes long and appends at command.com
>and other com/exe-files at my c:-partition.

hmmm....the only 1028 byte com/exe appender I find in my database is a
variant of Dark_Avenger...Dark_Avenger.Slowdown, to be exact....There is
one other 1028 byte virus, but that one is a Vienna variant, and only
infects .COM files.

- -frisk

------------------------------

Date: Tue, 02 Aug 94 10:45:56 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus scanner name/source?? (PC)

un032314@wvnvms.wvnet.edu (JEFF BURES) writes:
>I used to use a shareware virus scanner written by a guy
>in Iceland or Greenland. I can't remember the name.

oh, boy.....I wonder how many replies this guy is going to receive :-) :-)

- -frisk

Fridrik Skulason      Frisk Software International    phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is        fax:   +354-1-617274

------------------------------

Date: Tue, 02 Aug 94 13:37:57 -0400
From: sgallagh@vision-thing.com (Sean Gallagher)
Subject: Virus Source code on CD ROM? (PC)

I saw a post on another forum that stated a company, possibly American
Eagle Publishing (?), was selling a CD ROM with the source code to
approx. 200 viruses.

1) Is this true?
2) Did I get the company's name right?
3) Have any controls been placed on the sale of this source code?
4) Is there any ballpark figure on how many copies have been sold, and
   to whom?

Any info on this would be greatly appreciated.

- ---------------------
Sean Gallagher
sgallagh@gcn.com
sgallagh@vision-thing.com

------------------------------

Date: Tue, 02 Aug 94 14:37:10 -0400
From: Iolo Davidson
Subject: "AntiCMOS" virus cleaner? (PC)

tweaver@cs.UMD.EDU "Tom Weaver" writes:
> The University of Md (including the dept I work in, botany) has had an
> outbreak of a virus identified as "AntiCMOS" by fp-212, and "lenart" by
> CPAV. CPAV claims to clean it - does anyone know anything about the virus
> and if other packages can clean it off (I don't wanna buy CPAV just for
> this)? It seems pretty nasty...

AntiCMOS is a primitive floppy disk boot sector and hard disk partition
sector infector. It is buggy and causes unintentional hangs as well as
its intended payload. If the virus triggers, it destroys the setup
configuration in the CMOS memory. This may convince users that their
hard disk has been wiped, but it is undamaged. The system just doesn't
know it is there anymore. Restoring the setup information will bring it
back.

You shouldn't need an anti-virus to clean this if you have DOS 5 or 6.
Just clean-boot the computer and use FDISK /MBR to replace the partition
sector code on the hard disk. You also need to scan and clean all the
floppy disks that have been in the machine(s). To be sure, this means
any in the building, and any that students have at home. This is
impossible of course, so the best thing to do is install a TSR scanner
that will warn when anyone puts an infected floppy in the machine(s).
TSRs can't prevent someone booting with an infected disk, but they can
catch infected disks used in a day to day way.

To clean floppies, copy the files off and reformat (with /u parameter to
prevent unformatting), or use the SYS command (this won't work unless
there is room for the DOS system files).

- --
 I'VE READ NOW THAT      I SHAVE
   THESE SIGNS           I'M GLAD I DID
 SINCE JUST A KID        Burma Shave

------------------------------

Date: Tue, 02 Aug 94 18:26:23 -0400
From: X@cs.umbc.edu (X Development)
Subject: TBAV for Windows (PC)

Has anyone had problems getting TBAV for Windows v6.21 to work? It
installs properly (and does the scanning during installation properly),
however when I try to run the menu I get an error stating that a file
has not been found. (Can't remember which, but it WAS in the dir.)..
Tried putting the dir. in my path, etc. but no luck.

------------------------------

Date: Tue, 02 Aug 94 19:20:26 -0400
From: charles.m.robinson@medtronic.com (Charles M. Robinson)
Subject: Re: Virus: Forms (PC)

Mike Murphy (mike.murphy@atlwin.com) wrote:
>I have been hearing rumors of some Super-Monster virus called FORMS. I
>am not sure what this thing does, but a friend of mine who works with
>main-frames is scared to death of this thing.
>Does anybody have any FAQ's on this or have any reasonable knowledge of
>what this thing does?
>All assistance would be greatly appreciated, not only to me but to the
>public as well.

I'd like to know what this does, too, 'cos we've got it all over the
place in one of the departments that we're starting to hook onto our
network. It would be nice to know what kind of danger we're in!

+-----------------------------------------+-------------------------------+
| Charles Robinson   Mpls, Minnesota      | "You can't have everything... |
| email: charles.robinson@medtronic.com   |    where would you put it?"   |
+-----------------------------------------+-------------------------------+

------------------------------

Date: Tue, 02 Aug 94 22:33:52 -0400
From: nguyen@panix.com (T. Nguyen)
Subject: UNDETECTED th-th VIRUS!!! (PC)

Hello folks... is there anyone getting hit by th-th virus yet??? I've
tried these programs to detect that virus... but no luck...

Central Point Anti-Virus v2.2
Norton Anti-Virus v3.0
Scan v117 and Clean from McAfee

None of these programs detect th-th virus. Any suggestion of another
program to detect th-th virus!!!
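The AntiCMOS reply above recommends FDISK /MBR to put fresh code into the
partition sector and leaves day-to-day checking to a TSR. The block below is
an added example, not code from this digest, from Norman Data Defense or
from any product named here: it parses a 512-byte partition sector, compares
only the 446-byte master boot code against a baseline digest (an integrity
check in the spirit of the 'Canary' routines mentioned in the Norman
message), and shows that a code-only rewrite leaves the partition table and
boot signature untouched. The sector images, the partition entry values and
the names parse_mbr/check_mbr/restore_code are constructed for the example
and are not taken from any real sample.

```python
# Added example: partition-sector (MBR) integrity check and code-only
# restore, following the clean-up advice in the AntiCMOS reply. Not code
# from VIRUS-L, Norman or any product; the sector images are constructed
# test data, not samples of AntiCMOS or any other virus.
import hashlib
import struct

SECTOR_LEN = 512
CODE_LEN = 446            # master boot code, bytes 0..445
TABLE_OFF = 446           # four 16-byte partition entries, bytes 446..509
SIG_OFF = 510             # boot signature 55 AA, bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte partition sector into its code, table and signature."""
    if len(sector) != SECTOR_LEN:
        raise ValueError("expected a %d-byte sector, got %d" % (SECTOR_LEN, len(sector)))
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        start_lba, count = struct.unpack("<II", raw[8:16])
        entries.append({"active": raw[0] == 0x80, "type": raw[4],
                        "start_lba": start_lba, "sectors": count})
    return {"code": sector[:CODE_LEN], "table": sector[TABLE_OFF:SIG_OFF],
            "entries": entries, "signature_ok": sector[SIG_OFF:] == b"\x55\xaa"}


def code_digest(sector: bytes) -> str:
    """SHA-256 of the code area only, so a legitimate table edit does not trip the check."""
    return hashlib.sha256(sector[:CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return findings against a baseline digest taken on a known-clean machine."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if code_digest(sector) != baseline_digest:
        findings.append("master boot code differs from baseline")
    if not any(e["type"] for e in mbr["entries"]):
        findings.append("partition table is empty")
    return findings


def restore_code(sector: bytes, clean_code: bytes) -> bytes:
    """Rewrite the code area only, keeping table and signature: the same
    effect FDISK /MBR has on a disk whose signature is intact."""
    clean = clean_code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    return clean + sector[CODE_LEN:]


def make_sector(code: bytes, entries: list) -> bytes:
    """Build a sector image from a code blob and partition entries (constructed data)."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if e["active"] else 0x00, b"\x01\x01\x00",
                    e["type"], b"\xfe\xff\xff", e["start_lba"], e["sectors"])
        for e in entries)
    return code.ljust(CODE_LEN, b"\x00")[:CODE_LEN] + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed images: one FAT16 partition, two different code areas.
ENTRIES = [{"active": True, "type": 0x06, "start_lba": 63, "sectors": 409500}]
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"CONSTRUCTED CLEAN BOOT CODE"
INFECTED_CODE = b"\xeb\xfe" + b"CONSTRUCTED REPLACED CODE"     # only the code area differs
CLEAN_MBR = make_sector(CLEAN_CODE, ENTRIES)
SUSPECT_MBR = make_sector(INFECTED_CODE, ENTRIES)
BASELINE = code_digest(CLEAN_MBR)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE) or "ok")
    print("suspect: ", check_mbr(SUSPECT_MBR, BASELINE))
    print("table intact:", parse_mbr(SUSPECT_MBR)["entries"] == parse_mbr(CLEAN_MBR)["entries"])
    print("restored == clean:", restore_code(SUSPECT_MBR, CLEAN_CODE) == CLEAN_MBR)
```

The digest is taken over the code area alone on purpose: a boot-sector
infector replaces the code and keeps the table so the disk still boots, while
legitimate repartitioning changes the table and keeps the code. On a real
disk the 512 bytes would come from reading sector 0 of the physical drive
after a clean boot, and the baseline would be recorded before any exposure.
The same parse applies to floppy boot sectors except that they carry a BIOS
parameter block rather than a partition table.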
------------------------------

Date: Tue, 02 Aug 94 01:16:59 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: fp-213a.zip - Version 2.13a of the F-PROT anti-virus program (PC)

I have uploaded to the SimTel Software Repository (available by
anonymous ftp from the primary mirror site OAK.Oakland.Edu and its
mirrors):

SimTel/msdos/virus/
fp-213a.zip     Version 2.13a of the F-PROT anti-virus program

This is an "irregular update", which is being distributed because of the
recent world-wide distribution of the 'Kaos4' virus. We do not release
new versions for every new virus that appears..after all, there are
several new ones every day. However, for the past two days we have
received a large number of reports and samples from all over the world
of a new virus, named 'Kaos4'.

So far, verified reports or samples of this virus have been received
from the US, Austria, Norway and Finland, but we expect the virus to
have spread world-wide. We have not yet been able to trace the origin,
but it *SEEMS* that the virus was distributed over Usenet, possibly in
one of the alt. groups. Any information on how the virus spread would be
appreciated.

The virus is not very remarkable - it is a 697 byte non-resident COM/EXE
infector, which contains the string "KODE4 / Kohntark" (The "o" has 2
dots above it). This string is not encrypted and can be found with any
text search utility. The virus does not seem to have any specially
interesting functions, and does not contain any destructive code, so the
problem is not as serious as it might have been, but the virus might
have non-intentional side-effects, such as preventing a machine from
booting if it infects IBMBIO.COM/IBMDOS.COM on a machine running IBM
DOS.

F-PROT users are strongly advised to upgrade to version 2.13a.

Fridrik Skulason      Frisk Software International    phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is        fax:   +354-1-617274

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 63]
*****************************************
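The Kaos4 announcement above says the marker string is unencrypted and can be
found with any text search utility. The block below is an added example, not
F-PROT code and not a real Kaos4 signature: it runs that search over a
directory tree of COM/EXE files and, on a constructed sample set it writes to
a temporary directory, flags files carrying an appended 697-byte stand-in
body while ignoring the same string in a plain text file. The regex, the
stand-in bytes, the file names and the functions scan_bytes/scan_tree/run_demo
are assumptions made for the example; the umlaut in "Kohntark" is matched by a
single wildcard byte because its stored value depends on the code page.

```python
# Added example: a minimal on-demand scanner for the plaintext marker the
# Kaos4 announcement describes. Not F-PROT code and not a real Kaos4
# signature; the regex, the 697-byte stand-in body and the sample files
# are constructed for illustration only.
import os
import re
import tempfile

# The "o" in "Kohntark" carries two dots; its byte value depends on the code
# page, so one wildcard byte stands in for it (assumption: stored as a single
# byte, as under DOS code page 437).
KAOS4_MARKER = re.compile(rb"KODE4 / K.hntark")
KAOS4_LEN = 697                    # length of the virus body, per the announcement
TARGET_EXT = (".com", ".exe")      # the virus only infects COM and EXE files


def scan_bytes(data: bytes):
    """Return the offset of the marker in data, or None if it is absent."""
    m = KAOS4_MARKER.search(data)
    return m.start() if m else None


def scan_file(path: str):
    """Scan one file; return a finding dict or None."""
    with open(path, "rb") as f:
        data = f.read()
    off = scan_bytes(data)
    if off is None:
        return None
    return {"path": path, "offset": off, "size": len(data)}


def scan_tree(root: str) -> list:
    """Walk root and scan every COM/EXE. os.walk lists hidden files too, so
    IBMBIO.COM/IBMDOS.COM on a DOS root directory are not skipped."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(TARGET_EXT):
                hit = scan_file(os.path.join(dirpath, name))
                if hit:
                    hits.append(hit)
    return sorted(hits, key=lambda h: h["path"])


# ---- constructed sample data: a stand-in for an infection, not the virus ----
CLEAN_COM = b"\xb4\x4c\xcd\x21" + b"\x90" * 60              # mov ah,4Ch; int 21h; padding
FAKE_BODY = (b"\xe9\x00\x00" + b"KODE4 / K\x94hntark" + b"\x00" * KAOS4_LEN)[:KAOS4_LEN]

SAMPLES = [
    # (file name, contents, should the scanner flag it?)
    ("GAME.COM", CLEAN_COM, False),
    ("TOOL.EXE", b"MZ" + b"\x00" * 100, False),
    ("RUN.COM", CLEAN_COM + FAKE_BODY, True),               # body appended, like a real infection
    ("IBMBIO.COM", b"\x00" * 20 + FAKE_BODY, True),         # system file case from the announcement
    ("README.TXT", b"saw the string KODE4 / K\x94hntark in a post", False),  # text, not executable
]


def build_sample_tree(root: str) -> list:
    """Write the constructed samples into root; return the paths that should be flagged."""
    expected = []
    for name, data, infected in SAMPLES:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        if infected:
            expected.append(path)
    return sorted(expected)


def run_demo() -> tuple:
    """Build the sample tree in a temp dir, scan it, return (expected, found)."""
    with tempfile.TemporaryDirectory() as root:
        expected = build_sample_tree(root)
        found = [h["path"] for h in scan_tree(root)]
    return expected, found


if __name__ == "__main__":
    expected, found = run_demo()
    for p in found:
        print("Kaos4 marker found in", p)
    print("all expected files flagged:", expected == found)
```

Because the virus is non-resident, scanning files from a clean boot is
sufficient; there is no memory-resident copy to disable first. A short plain
string is a triage tool, not a scanner signature: any variant that changes
the text slips past it, and a file that merely quotes the string (as the
README.TXT sample does) would be a false positive without the extension
filter. Growth of exactly 697 bytes against a known-good file size is the
obvious corroborating check before treating a hit as an infection.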