VIRUS-L Digest   Wednesday, 10 Aug 1994    Volume 7 : Issue 64

Today's Topics:

Re: Bad and good viruses...
Re: virus in jpgs
Re: Virus Simulators
Looking for Virus Scan Strings
Naming of Viruses
Virus Scanning Literature
Re: virus in jpgs
386/486 Unix virus protection (UNIX)
Virus Scanners For Sun System (UNIX)
Re: Virus: Forms (PC)
Re: Norman Virus Control and Satan Bug (PC)
please send me info on Mr-D (PC)
SMEG; please fill me in (PC)
Form on floppy, unformat-problem? (PC)
Re: Vshield (PC)
Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re| Server-Downing Viri (PC)
Server-Downing Viri (PC)
Stealth.B Pain (PC)
Search for ftp site (PC)
Cascade virus (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: Best Anti-virus software (PC)
Using two TSRs simultaneously? (PC)
Satan Virus (PC)
B1 virus on Chicago (PC)
Strange DOS 5.x-6.x behaviour (floppies) (pc)
need help with possible filler virus infection (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Form virus on DOS (PC)
AntiExe / Genp /Genp info needed.... (PC)
Mummy Virus (PC)
Tamsui? (PC)
Re: Help ! virus Genb is killing us all (PC)
Need info about "Ripper", "Keypress", "Kampana" viruses (PC)
Help on Budo Virus (PC)
Re: Filler Virus problem (PC)
Re: Help ! virus Genb is killing us all (PC)
FTP site now available
EICAR 94 Conference

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 03 Aug 94 00:09:43 -0400
From: bsemtner@autodesk.com
Subject: Re: Bad and good viruses...

From: hauh@ismennt.is (Haukur Hreinsson)

roger.ertesvaag@thcave.bbs.no (Roger Ertesvaag) writes:

>* In a message to All on 06-28-94, Bradley said:

>B> It's a virus that does what I said. It includes an uninstall option for
>B> the hard drive. If you want to know more, I have the full KOH document
>B> in my little personal FTP site: ftp.netcom.com:/pub/bradleym
>B> Just read the KOH.readme to find the KOH directory, and DON'T take the
>B> actual program out of the U.S. because it's export controlled.

>A virus that's export controlled? You must be kidding!

This is no joke. According to the ITAR regulations, taking this virus out of the US gets you 41 to 52 months in prison! Imagine now that somebody is in court, accused of violating the regulations by exporting KOH. I would like to see some discussions about the bizarre implications of this being a virus in this, bring the thread to life again.

- ------------------------------

Does this mean importing a virus into the US breaks the importation controls? As all software in Australia has warnings that an import licence is required to send software to the US.

Bernie Semtner
LEC T/S
Autodesk Australia.

All opinions are mine and mine only and do not reflect any opinion/s of my organization or anybody else.

------------------------------

Date: Wed, 03 Aug 94 08:13:07 -0400
From: "A.APPLEYARD"
Subject: Re: virus in jpgs

fletcher@bud.peinet.pe.ca (Scott Fletcher) wrote on Thu 07 Jul 94 13:59:41 - -0400 (Subject: virus in jpgs):-

> ...
> said that viruses can be hidden and released from jpgs ...

What are JPGs?

------------------------------

Date: Wed, 03 Aug 94 10:28:38 -0400
From: Alfred Jilka
Subject: Re: Virus Simulators

Hi all,

I feel that at least part of the problem that now and then somebody tries to create virus simulators comes from the fact that you will usually never see what the virus alert screen looks like, or whether it actually works, especially under Windows.

A kind of alleviation could be to make an "/ALERT" switch to trigger this screen without the need of a virus or a cheat program.

Greetings,
Alfred

- --
Alfred Jilka, Geological Survey, Austria
jilka@gbaws4.zamg.ac.at
Phone: +43/1/712-56-74/85   Fax: +43/1/712-56-74/56
BB | !BB   William Shakespeare

------------------------------

Date: Wed, 03 Aug 94 18:22:39 -0400
From: Iolo Davidson
Subject: Looking for Virus Scan Strings

stevet@fujitsu.com "Steve Tamanaha" writes:

> Does anyone have any virus scan strings available?
> If so, please e-mail them to jims@fsba.com

Virus Bulletin regularly publishes such strings as are possible for new viruses. This is too primitive a method for finding many viruses though. And it's slow.

- --
WITHIN THIS VALE
OF TOIL
AND SIN
YOUR HEAD GROWS BALD
BUT NOT YOUR CHIN
                 Burma Shave

------------------------------

Date: Wed, 03 Aug 94 21:07:54 -0400
From: michael_d_jones@ccm.hf.intel.com (Michael D. Jones)
Subject: Naming of Viruses

This may be a trick question, or a useless one depending on your point of view, but what determines the correct "official" name for a virus? For example, say I have two different virus scanners and they both catch the same virus, but they report it as being a different virus. What virus did I just catch?
I know the easy answer is: who cares, you caught it! But what if I didn't catch a virus that this particular scanner said that it should catch, because one or both of us used the "unofficial" and not the "official" name? Do you see where I'm going with this?

I've heard people talking about the CARO names, although I don't recall this ever being explained on the list and I can't find my copy of the FAQ right now. Which brings up another question I'll ask later. So is there some type of criteria by which a virus is named, and if so, why do different scanners sometimes report the same virus as being different? I think I may have just answered my own question. Although I don't think so.

I don't want to turn this into the holy war that the "good" vs "bad" virus debate did, but I would be very interested in people's comments on the subject, especially from the scanner developers and the virus hounds that study this stuff all day. :)

I would still be interested in seeing a finger, gopher, WWW source for virus info. No, I'm still not interested or qualified enough to manage it either, Perry. I'd even be interested in a DOS or Windows based app if I could find one that was fairly reliable and up-to-date. Sorry Patricia, even though yours is the best and easiest to use that I have found so far, truth is, it doesn't meet the above requirements very well. I know it sounds like I'm just complaining and not giving any solutions, but I don't have any solutions, just suggestions.

Concerning the FAQ. The FAQ says, "The FAQ is a dynamic document, which changes as people's questions change." But the FAQ also says that it was last updated on 18 November 1992. So either the date has not been updated since 1992 or people have been asking the same questions since 1992. It's not really that bad, is it, Vesselin and Frisk? :)

I also tried to subscribe to the mailing lists for this group a couple of weeks ago, but I haven't seen anything yet.
Is perhaps the FAQ incorrect (see above), did I do something wrong, or did my request just get lost somewhere out there?

Boy, that was a lot. Sorry to those of you with slow links who didn't care about this and had to d/l it, or to those of you who just don't care.

Michael D. Jones -- My views do not represent any organization with which I may be affiliated, they are my own, period.

------------------------------

Date: Thu, 04 Aug 94 14:08:39 -0400
From: toloo@eleceng.ee.queensu.ca (Mansour Toloo Shams)
Subject: Virus Scanning Literature

Hello:

Where can I find any literature on viruses, scanners, etc.? Are there any computer files describing them?

Best Regards
Mansour

------------------------------

Date: Fri, 05 Aug 94 09:42:24 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: virus in jpgs

Scott Fletcher (fletcher@bud.peinet.pe.ca) writes:

> I just finished talking to someone who said that viruses can be hidden
> and released from jpgs. It is the first time I have ever heard of this.

You mean JPEGs, right? The files containing compressed graphic information.

The short answer is that no, no such virus exists and no such virus can be written.

The long answer... Well, it is possible to hide a message in a graphical image, by distributing it over the least significant bits that code each pixel. This message could contain anything, including a virus. Of course, it is not possible to activate the virus (i.e., make it infect) by just viewing the image; you'll have to extract the virus to an executable file first and then run this file.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de          22527 Hamburg, Germany

------------------------------

Date: Wed, 03 Aug 94 18:32:46 -0400
From: Iolo Davidson
Subject: 386/486 Unix virus protection (UNIX)

aflynn@netcom.com "Alana Flynn" writes:

> I am looking for virus protection software for pc-based unix systems.
>
> If there is no such software available on the commercial market, then
> I would appreciate any suggestions for a convincing argument as to why
> virus protection software is not needed.

The key word above is "pc-based". Running Unix on a PC compatible makes it vulnerable to a class of PC viruses, the boot/partition sector infectors. These subvert the BIOS rather than the operating system, and act before the operating system is loaded. Inadvertent booting from an infected floppy can infect the hard disk, regardless of operating system. I'm not sure that the computer will operate properly under Unix afterwards, though I know of one system with both DOS and Unix partitions which was infected with Michelangelo and worked fine until it triggered and wiped much of the disk. I believe it is unlikely that a boot/partition sector virus will spread to further floppies under Unix.

I don't know of any Unix specific anti-virus software, but nor can I give you the reassurance you ask for. Perhaps you could keep a DOS boot disk and DOS anti-virus software just to do a periodic scan for BIOS level viruses on these machines.

------------------------------

Date: Thu, 04 Aug 94 15:03:17 -0400
From: toloo@eleceng.ee.queensu.ca (Mansour Toloo Shams)
Subject: Virus Scanners For Sun System (UNIX)

Hello:

Are there any virus scanners for the Sun system? If so, please send me their name and the site at which they are located.

Best Regards
Mansour

------------------------------

Date: Wed, 03 Aug 94 02:25:49 -0400
From: rcw@csn.org (Robert C. White Jr.)
Subject: Re: Virus: Forms (PC)

Mike Murphy (mike.murphy@atlwin.com) wrote:

: I have been hearing rumors of some Super-Monster virus called FORMS. I

I never believed in viruses until Microsoft Anti-Virus caught the Forms virus - and successfully removed it from our PC hard disk. Using a stray PC, I did some experiments with the virus - it appears that the machine catches it if you boot up with an infected diskette in the floppy drive. Once it is in memory, it infects other diskettes and the hard disk - whenever you copy a file to or from them. It did not appear to do anything destructive to our system.

I would be interested to hear if this virus has caused other people trouble - I have heard that it is fairly widespread.

- --
Robert C. White, Jr.          rcw@whitestar.com
The WhiteStar Corp            AOL: Proof that CMU wasn't so bad after all.
Englewood, Colorado           Ask me about my Malamute and receive free email.

------------------------------

Date: Wed, 03 Aug 94 03:27:10 -0400
From: Norman Data Defense Systems A/S
Subject: Re: Norman Virus Control and Satan Bug (PC)

One correction/clarification to my comments on Mr. Bontchev's reply to Mr. Guffey:

The Satan Bug virus does NOT infect device drivers. It will infect renamed .EXE files, as it checks for the EXE header at the beginning of the file. Infections that occur when a file is copied happen when the virus checks for the file extension (.EXE). One exception exists: some .EXE files are both executables and device drivers (typically SETVER.EXE and SMARTDRV.EXE). We will detect infections of such files as for any .EXE file.

Sincerely,
Kristian A. Bognaes
Norman Data Defense Systems

------------------------------

Date: Wed, 03 Aug 94 05:53:05 -0400
From: jroberts@ripco.com (Jack Roberts)
Subject: please send me info on Mr-D (PC)

My system was recently infected by a virus that TBAV called Mr-D or something of that sort. I would be interested in info on this virus. Please email. Thanks!
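------------------------------

The "virus in jpgs" reply earlier in this issue says that an image can carry arbitrary bytes in the least significant bit of each pixel, and that those bytes stay inert until someone extracts them to a file and runs it. The following is an added example written for this digest, not code from any poster. It embeds a constructed stand-in payload in a constructed 64x64 grayscale pixel buffer, shows that no pixel moves by more than one level, that a naive scan-string check of the image bytes finds nothing, and that the payload only reappears after an explicit extraction step. It works on decoded pixels; in a real JPEG the pixel LSBs do not survive lossy compression, so a hider would have to work on DCT coefficients instead, which changes nothing about the security point.

```python
"""LSB steganography on an uncompressed pixel buffer (added example)."""
from typing import Iterator

# Constructed 64x64 8-bit grayscale gradient standing in for a decoded image.
CARRIER = bytes((3 * x + 5 * y) % 256 for y in range(64) for x in range(64))

# Constructed stand-in for "the bytes of an executable"; not real program code.
PAYLOAD = b"CONSTRUCTED-PAYLOAD: stand-in for an executable's bytes, not real code"

HEADER_LEN = 4  # 32-bit big-endian payload length stored ahead of the payload


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Return a copy of carrier whose pixel LSBs encode len(payload) || payload."""
    message = len(payload).to_bytes(HEADER_LEN, "big") + payload
    if len(message) * 8 > len(carrier):
        raise ValueError("carrier too small for payload")
    stego = bytearray(carrier)
    for i, bit in enumerate(_bits(message)):
        stego[i] = (stego[i] & 0xFE) | bit   # each pixel changes by at most 1
    return bytes(stego)


def _read_bytes(carrier: bytes, offset_bits: int, count: int) -> bytes:
    """Reassemble count bytes from carrier LSBs starting at bit offset_bits."""
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (carrier[offset_bits + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(carrier: bytes) -> bytes:
    """Recover the payload embedded by embed_lsb; reject an impossible header."""
    length = int.from_bytes(_read_bytes(carrier, 0, HEADER_LEN), "big")
    if (HEADER_LEN + length) * 8 > len(carrier):
        raise ValueError("length header exceeds carrier size")
    return _read_bytes(carrier, HEADER_LEN * 8, length)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel difference between two equally sized buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


def signature_scan(blob: bytes, signature: bytes) -> bool:
    """Naive scan-string check of the kind a scanner applies to a file's bytes."""
    return signature in blob


STEGO = embed_lsb(CARRIER, PAYLOAD)

if __name__ == "__main__":
    print("max pixel change:", max_pixel_delta(CARRIER, STEGO))
    print("payload found by scanning the image bytes:",
          signature_scan(STEGO, PAYLOAD[:16]))
    recovered = extract_lsb(STEGO)
    print("recovered payload matches:", recovered == PAYLOAD)
    print("payload found after extraction:",
          signature_scan(recovered, PAYLOAD[:16]))
```

The extraction step is the only place the hidden bytes become a contiguous file; a viewer that merely decodes and displays the carrier never assembles them, which is why scanning images for executable signatures is pointless and why the practical control is on what gets written to disk and executed, not on what gets displayed.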
------------------------------

Date: Wed, 03 Aug 94 09:58:17 -0400
From: Alfred Jilka
Subject: SMEG; please fill me in (PC)

Hi,

In one of the last issues (#56 I think) TBAV 6.21 was announced. There I found the claim that it was tested with 100,000 copies of whatever. If I recall correctly, when experts were talking about the upcoming MtE they found ~15,000 to 20,000 variants of MtE-based viruses. Is SMEG that much more polymorphic? (Maybe my memory is corrupted, but this is what I recall.)

TIA,
Alfred

------------------------------

Date: Wed, 03 Aug 94 10:00:18 -0400
From: Alfred Jilka
Subject: Form on floppy, unformat-problem? (PC)

Hi all,

Last night I came to this conclusion: Form puts part of its body on floppies into the last 2 sectors (at least I read it this way). When floppies are formatted (since DOS 5.0) it puts some recovery information in the same place. If a floppy is infected with Form, this will probably be lost. And if someone manages to disinfect this floppy and uses UNFORMAT, he will have a problem. Am I right?

TIA,
Alfred

------------------------------

Date: Wed, 03 Aug 94 16:06:38 -0400
From: mandrake@netcom.com (Wakko Singer)
Subject: Re: Vshield (PC)

Paul Browning (Paul_Browning@f0.n462.z9.virnet.bad.se) wrote:

: Does anybody have any idea why Microsoft's Vsafe is giving me false alarms -
: there is one exe file that I have that when I try to run it - Vsafe reports
: that the file is infected with the Cook 7392 virus - I then scan it with msav
: and mcafee v.116 and both of them say that it is virus free but - vsafe still
: won't let me load the file unless I disable Vsafe - does anyone know why I am
: getting these false alarms?

I can't give you a reason, but Vsafe (DOS) gave me errors constantly. I stopped using it because it was more of a hindrance than a help.

- --
Lance "Singer" Druger      | "Are those cookies made with real girl scouts?"
mandrake@netcom.com        |                              - Wednesday Addams
ldruger@s1.csuhayward.edu  |

------------------------------

Date: Wed, 03 Aug 94 18:11:31 -0400
From: Iolo Davidson
Subject: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

bontchev@fbihh.informatik.uni-hamburg.de "Vesselin Bontchev" writes:

> Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:
>
> > There is certainly room for disagreement here on the value of my
> > Virus Simulator.
>
> There certainly is. I and at least Frisk, seem to think that this
> value is negative - i.e., that it is not only useless, but also
> harmful.

Me too, for what it's worth. I don't speak for anyone else, but have heard other respected anti-virus researchers say the same thing.
------------------------------

Date: Wed, 03 Aug 94 18:15:20 -0400
From: Iolo Davidson
Subject: Re| Server-Downing Viri (PC)

bontchev@fbihh.informatik.uni-hamburg.de "Vesselin Bontchev" writes:

> 1) The Jerusalem.GP1.* viruses capture NetWare login packets that
> contain the password in clear and broadcast this password to a
> particular node. Novell does not send passwords in clear since version
> 1.x, I believe.

At least not by default. I was fooling with my server the other day and found a SET parameter which seems to allow unencrypted passwords as an option (NetWare version 3.11).

------------------------------

Date: Wed, 03 Aug 94 18:17:20 -0400
From: Iolo Davidson
Subject: Server-Downing Viri (PC)

fguidry@crl.com "Fran Guidry" writes:

> Norman Hirsch wrote:
>
> >I recommend McAfee's NETShield, an NLM that has been Novell Tested and
> >Approved for 3.11, 3.12, SFT-III, NetWare for OS/2 and 4.01.
>
> McAfee? Most tests I have seen indicate that F-PROT and ThunderByte
> are much more effective than McAfee in detecting virus infections.

Unfortunately, the NetWare NLM version of F-Prot (Net-Prot) does not have as good a detection rate as the DOS version, according to a recent Virus Bulletin test.

------------------------------

Date: Wed, 03 Aug 94 18:19:22 -0400
From: Iolo Davidson
Subject: Stealth.B Pain (PC)

jmccarty@spd.dsccc.com "Mike McCarty" writes:

> I would rather see you offer helpful suggestions, esp. to
> the people at Central Point, encouraging them to improve their product.

Such suggestions have had no effect in the past. There are a number of viruses that attack a weak point in Central Point's checksummer, for instance.
The weak point could easily be made impervious by a trivial change, which has been pointed out many times in the last few *years*, yet it remains. This is not the only weak point which has been known about for a lengthy period, either.

> If Mark Ludwig actually published the source for a virus, and did not
> do so with the intent that others use it for illicit purposes, but
> rather to educate the public at large, then:

Intent makes no practical difference. However, Mark Ludwig makes money from his books and virus distribution. I doubt that education is his primary aim.

> I intend to get a copy of his book as soon as possible.

*DING* Thank you for your custom, sir. Call again.

------------------------------

Date: Wed, 03 Aug 94 18:22:23 -0400
From: Iolo Davidson
Subject: Search for ftp site (PC)

pnd2@ukc.ac.uk writes:

> Hi there n-surfers
> was just wondering if there is a site available for scanners
> from Dr.Solomons' ...

Dr. Solomon's Anti-Virus Toolkit is a fully commercial product, and is not available as shareware, so it cannot be downloaded from anywhere.

------------------------------

Date: Wed, 03 Aug 94 18:24:59 -0400
From: Iolo Davidson
Subject: Cascade virus (PC)

gbbrooks@cs.buffalo.edu "G Brandon Brooks" writes:

> Recently a computer at my work was infected with the
> CASCADE virus. It hasn't done any harm so far as far as we can tell.
> We're getting rid of it, but I was wondering what exactly does this
> virus DO? Or HAS it done 'something' that we're unaware of? ;)

The common Cascade causes letters to fall off the screen and lie in a heap at the bottom, but it doesn't normally trigger nowadays, because the trigger date has passed. This version does no deliberate damage, but there are a number of variants.
------------------------------

Date: Wed, 03 Aug 94 20:59:24 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Vesselin Bontchev wrote:

)Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:

[stuff deleted]

)
)Like two real, MtE-based viruses. How nice, isn't it? A member of the
)Association of Shareware Professional, selling viruses...

What's wrong with selling viruses? So long as the person buying knows what he is getting (no fraud) I see no problem.

[more stuff deleted]

)Rubbish. They are trivial to modify in a way that they can escape what
)their author calls "control". Any kid who knows how to use DEBUG can
)do it, by modifying just a couple of bytes. Additionally, those are
)not just any two viruses, no. Doren Rosenthal is selling Dark
)Avenger's Mutation Engine, thus providing a tool to any aspiring virus
)writer. The MtE is only slightly more difficult to extract from the
)virus (each replicant of which carries a copy of it), than to disable
)the "control" mentioned above.

Any kid who knows DEBUG can also get a copy of Michelangelo or any other virus just by looking around a little. If it were difficult to get copies of viruses, then nobody would need protection or scanners, because it would be difficult to get infected. Get the drift?

Until everyone knows how to write a virus, there will be those attracted to the mystique of it. I say publish source for viruses everywhere and make sure everyone can easily get a copy. You sound like some people who, from time to time, decry alt.locksmithing because "someone might find out how to pick a lock". So what? You can't suppress knowledge. Anyone who really wants to get a copy of a virus can get one. I got one when I didn't even want it. Cost me many hours of disinfecting.

What we need is good antiviral products. We do not need thought police.
[more deleted]

)BTW, does anybody have a probable conjecture why the virus writers
)that want to make money from their viruses come mostly from the USA?
)Doren Rosenthal, Mark Ludwig, John Buchanan... There must be some
)social reason, like for the widespread creation of sophisticated
)viruses in the East European countries...

We believe in liberty. We believe in freedom of thought. We believe that individuals have intelligence. We believe that people should be free to learn and use everything there is to know in the universe. We believe individuals should be responsible for their _own_ behavior (and no one else's!).

I don't think I like your ideas very much, sir. You remind me of the bureaucratic nonsense over here attempting to suppress pure mathematical research because someone might, just might, use it to create a cypher which the NSA couldn't break.

DISTRIBUTE INFORMATION FREELY AND POSITIVELY. HOLD PEOPLE ACCOUNTABLE FOR THEIR OWN ACTIONS.

I HATE being attacked by viruses. Let's stop them! But please QUIT TRYING TO SUPPRESS INFORMATION! LET'S SUPPRESS THE PEOPLE WHO DELIBERATELY CREATE AND RELEASE VIRUSES WITH MALICIOUS INTENT!

What you say sounds like Nazi Germany and Communist Russia to me. There are a few intelligentsia who know how to run the lives of everyone else. They are allowed to collect viruses and thwart them for the rest of us. Oh, by the way, the ones who support this idea always seem to be a part of the intelligentsia, not one of the plebes. BAH!

Only knowledge and experience can make a person safe from viruses.
When we all know how they work then:

    there will be much less incentive to write them
    we will be able to protect ourselves from the ones being written

Mike

- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Wed, 03 Aug 94 21:30:28 -0400
From: ubadeges@mason1.gmu.edu (Umar M Badeges)
Subject: Re: Best Anti-virus software (PC)

Andy Hon Wai Chu (umchu023@cc.umanitoba.ca) wrote:

: csx134@cck.coventry.ac.uk (Philip Sherlock) writes:
: > wrote:
: >>Were trying to figure out the best Anit-virus software for both
: >>Netware server's (NLM's) and DOS/Windows workstation.
: >>
: >>etc.
: >Yes, use F-Prot. I have been using it now for two years and it has kept
: >the network and all 50 workstations clear, as well as about another 60
: >stand alone machines in an educational environment. Updates are regular.
: >What more can I say?
: I agree, F-Prot is definitely ONE OF THE BEST, but if you are not using
: F-Prot Profession, then I will suggest you use a supplement AV which will
: do file integrity checking. (it is a effective way to prevent unknown virus.)
: Keep going F-Prot, keep going Fridrik Skulason... :)
: Andy Chu
: - --
: Andy Hon Wai Chu
: email: umchu023@ccu.umanitoba.ca
: from: University of Manitoba, Canada

Where can I get it? Thanks.

------------------------------

Date: Thu, 04 Aug 94 05:53:49 -0400
From: an448@freenet.carleton.ca (Yves Bellefeuille)
Subject: Using two TSRs simultaneously? (PC)

Is there any point in using two anti-virus TSRs simultaneously? I've managed to install the TSRs from both Norton Anti-Virus version 3.0 and F-Prot version 2.13a. Actually, Norton's NAVTSR is a resident scanner and generic monitoring program, while F-Prot's VIRSTOP is a resident scanner. The two TSRs seem to tolerate each other's presence in memory quite well. Does this have some disadvantage I don't realize yet? Or is it pointless?
Yves Bellefeuille

- --
Yves Bellefeuille   | an448@freenet.carleton.ca (finger here for PGP key)
Ottawa, Canada      | ua294@fim.uni-erlangen.de
Support the creation of Usenet group soc.culture.quebec. Mail "I vote YES on soc.culture.quebec" to jamesm@dialogic.com.

------------------------------

Date: Thu, 04 Aug 94 08:14:02 -0400
From: s0ujgg@fnma.COM (Joseph Gerrity)
Subject: Satan Virus (PC)

Can anyone give us information on getting rid of the Satan Virus?

Thanks
Joe Gerrity
(202)752-1335

------------------------------

Date: Thu, 04 Aug 94 15:59:22 +0000
From: juan_e@spcvxb.spc.edu
Subject: B1 virus on Chicago (PC)

Hi,

I have a problem with a virus that McAfee has identified as BOOT.1 or B1. This virus has infected a system that is now evaluating the Chicago Beta. It unformats a disk in A: when the Format function is being used on A:, and does something that makes it hard to access the hard drive. The virus doesn't appear until a few weeks after installation of the Beta and does not go away easily after we have uninstalled Chicago.

We're looking for a disinfector that works or a solution to this problem; if anyone has any idea I would appreciate it very much. Please E-mail your suggestions to me - due to memory constrictions, the server gets purged on a weekly basis.

Thank You,
Ned
St. Peter's College

------------------------------

Date: Thu, 04 Aug 94 12:40:44 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: Strange DOS 5.x-6.x behaviour (floppies) (pc)

Recently I noticed that there is "something" inside MS & PC DOS 5.x and 6.x (checked 5.0 & 6.2 & was reported in 6.0 & 6.1 - NWDOS 7.0 is not affected).

It appears that there is a "check" done by the above versions on the boot sector information of floppy disks when accessed, beyond simply checking for a valid BPB. That is, there are checks made on the code portion as well.
Have not found exactly what is happening but it is apparent that some changes to the code section of a floppy disk boot sector will cause the above DOS versions to return a "General Failure" on attempts to access the disk. The important element is that the code may be functional and the BPB information correct, just DOS has a problem. One indicator is that while DOS will refuse to read the disk, the BIOS has no problem with it.

If a machine is infected with a "stealth" boot sector infector, this could have the effect of such floppies being readable on infected machines and not "clean" ones. As a result such a disk may contain a virus that is fully able to infect a PC even though the DOS versions above will return a "General Failure" when accessed, and some anti-viral programs may be unable to read the disks.

Such disks may respond well to boot sector repair programs (such as my FixFBR v1.x or v2.1 - v2.0 has a problem).

Warmly,
Padgett

------------------------------

Date: Thu, 04 Aug 94 13:23:05 -0400
From: caesar@strauss.udel.edu (Johnny Chien-Min Yu)
Subject: need help with possible filler virus infection (PC)

I am getting the message "Virus found in memory [Filler]" just about every time that I scan my computer. But, when I reboot my computer from a disk and rescan my hard disk, the virus detection program from McAfee says that no virus is found. Any suggestions? I recently found one of my text files to be partially corrupted (the letter e is replaced with letter g, etc.). Need help desperately!!

Thanks in advance

------------------------------

Date: Thu, 04 Aug 94 13:53:28 -0400
From: tracker@netcom.com (Craig)
Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:

: BTW, does anybody have a probable conjecture why the virus writers
: that want to make money from their viruses come mostly from the USA?
: Doren Rosenthal, Mark Ludwig, John Buchanan...
: There must be some
: social reason, like for the widespread creation of sophisticated
: viruses in the East European countries...

In the USA there are many freedoms. One of which is the fact that law enforcement and current laws allow for people to sell viruses, and people can legally have viruses as long as they don't do destructive things with them that affect any businesses, etc. Unless a person has actually done something destructive with viruses they have in their collection, no one in the USA cares. Because of the lax US laws in this area people that you describe try to make money because they know that they have a good chance at capitalism.

Hopefully, one day the US will be as strict as some parts of Europe are on viruses.

------------------------------

Date: Thu, 04 Aug 94 14:40:12 -0400
From: kirk@ix.netcom.com (Kirk Lipscomb)
Subject: Form virus on DOS (PC)

One of my clients called earlier and said he had the Form virus on his machine. It was detected by his copy of Central Point Anti-Virus. He ran CPAV against a floppy disk to remove the virus and it scrambled the disk so that it couldn't be read. Now he's afraid to use it to try to clean the hard disk.

Can anyone give me more info on the Form virus? Should CPAV be able to clean it off of the hard disk without damage? Is another product (i.e. McAfee et al.) better for cleaning it out?

- --
- ----------------------------------------------------------------------
Kirk Lipscomb    kirk@ix.netcom.com    Bedford, Texas

------------------------------

Date: Thu, 04 Aug 94 15:05:46 -0400
From: cmas@gwl.com (Craig Mason)
Subject: AntiExe / Genp /Genp info needed.... (PC)

Can someone send me/tell me where/tell me about AntiExe? Also, we used McAfee Clean and it thinks it worked - is it true? Did it really remove the virus?

This is kind of humorous (isn't everything after dealing with viral infections for a few years...)
Vesselin answered a question about someone getting a genb/genp virus - he responded by saying that SCAN (McAfee I assume, that's what I use, v114) (I also use v2, but that's a whole nother story....) did not know what type of virus it was - merely that it was generic in nature and it knew something was amiss...

That same day (yesterday) my site became infected with genb/genp - we use McAfee too. I took Vesselin's advice and used F-Prot - version 2.something detected it as the AntiExe virus - yikes! Have not heard of this one....

So, at the risk of annoying you by asking - can someone send me either info on AntiExe or tell me where the doc is.... that would ease our minds.

thanks
Craig Mason
cmas@gwl.com

- ---
Craig Mason
Senior Project Specialist
Great-West Life Assurance Company
8515 E Orchard Road 1NB
Englewood, CO 80111
(303) 689-3583
email address: cmas@gwl.com

------------------------------

Date: Thu, 04 Aug 94 18:30:12 -0400
From: JUNAIDN@ctrvax.Vanderbilt.Edu
Subject: Mummy Virus (PC)

I have just encountered the Mummy Virus on my IBM PC. So far as I know it only infects executable files (.exe). Has anyone heard of it or know where I should go for an antidote? Please mail me.

Thanx in advance.
Azfar

------------------------------

Date: Thu, 04 Aug 94 20:27:05 -0400
From: kenney@netcom.com (Kevin Kenney)
Subject: Tamsui? (PC)

Ran into the virus F-Prot 2.13 calls Tamsui and can repair, and Norton 3.0 (7/94 defs 30a09) calls Christmas-1649 (the correct size increase) and can't repair. I looked in F-Prot's list, the msdosvir files and vsumx 4.01 without finding anything about this one. Details anyone?

Thanks in advance,
KpK

------------------------------

Date: Thu, 04 Aug 94 21:38:02 -0400
From: ahevia@dcc.uchile.cl (Alejandro Hevia Angulo)
Subject: Re: Help !
virus Genb is killing us all (PC)

Simon Chong (simon@sgp.hp.com) wrote:
: Wonder if anyone come across Genb that attacked on the boot
: sector of floppy diskette. It certainly appears harmless ..
[deleted]
: But the same McAfee Clean v115 does seem to be able to
: clean the virus [Genb] on the floppy .. just seems to
: hang there. Could this be another McAfee Clean's bug ??
: Any idea out there for an alternative ? This nasty ...
[deleted]

I have one (and I think it works!): You can use the Norton Disk Doctor (NDD) from Norton Utilities. If you choose the 'Diagnose Disk' option you may repair your floppy disk and recover "safely" your disk. (Many times, when these viruses have been "working", it's impossible to read the infected disk. Nevertheless, the method has recovered the information successfully.)

As far as I know, NDD rebuilds the boot sector if it is corrupted or damaged (if you know more about how it works, however, please tell me because I think it could fail sometimes and hang up the system). I used version 8.0.20 of NDD.

Maybe this method is easier (maybe not) but it's another alternative :) (and doesn't modify - in any way - the disk information!).

I really hope that this will be useful for you (if not, tell me what happened).

And remember, vitamin C is good for preventing flu... :)

Lucky!
Alejandro.

- ---
Alejandro Hevia Angulo.
e-mail: ahevia@dcc.uchile.cl
Departamento de Ciencias de la Computacion
Facultad de Ciencias Fisicas y Matematicas
Universidad de Chile - Chile.

PS: Sorry, not ever my English it's so bad! :)

------------------------------

Date: Thu, 04 Aug 94 04:22:06 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Need info about "Ripper", "Keypress", "Kampana" viruses (PC)

Hi !

Need the information about these viruses:
1. Jack Ripper
2. Keypress
3. Kampana

What are the basic characteristics ? Are these viruses boot or file ?

Thanks.
- --
OK

------------------------------

Date: Thu, 04 Aug 94 16:40:05 -0300
From: ibaminformat@ax.apc.org
Subject: Help on Budo Virus (PC)

Hello, I'm looking for how we finish with the Budo Virus. It infected our local network. Please. If someone knows how, I'll .

------------------------------

Date: Fri, 05 Aug 94 09:39:43 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Filler Virus problem (PC)

Matias_Piccione@south-america.notes.pw.com (Matias_Piccione@south-america.notes.pw.com) writes:

> Does anyone know how to deal with it ?

You almost certainly do not have a virus, but a false positive caused by some incarnation of CPAV. Check your CONFIG.SYS and AUTOEXEC.BAT files for a line that causes the execution of a program called VSAFE. If you find it, remove this line and the problem will almost certainly go away.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Fri, 05 Aug 94 09:51:36 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help ! virus Genb is killing us all (PC)

Simon Chong (simon@sgp.hp.com) writes:

> Wonder if anyone come across Genb that attacked on the boot
> sector of floppy diskette.

There is no such thing as the Genb (or Genp for that matter) virus. It is a message used by McAfee's SCAN to tell you "There is something very suspicious in your boot sector (or master boot sector), and I am pretty sure that it is a virus, but I have no idea which particular virus it might be".

> It certainly appears harmless ..

Nobody can tell that. SCAN calls "Genb" about two dozen completely different viruses - some of them destructive and some of them not.
Unless the virus is identified, nobody can tell you whether it is destructive or not.

> It seems to go along with Genp which sticks on to the boot
> sector of hard-disk but can be removed using McAfee Clean v115.
> (issue in June 1994).

It is one and the same virus. McSCAN says "Genb" if it finds its heuristic scan string in a boot sector and "Genp" if it finds it in a MBR.

> But the same McAfee Clean v115 does seem to be able to
> clean the virus [Genb] on the floppy .. just seems to
> hang there. Could this be another McAfee Clean's bug ??

What does "hang" mean? Does it block your computer so that you have to press Alt-Ctrl-Del? Or is the floppy disk constantly spinning? In the latter case, try waiting some time - like several minutes. You see, when you tell CLEAN to remove a Genb/Genp virus, it begins to scan the disk for something that looks like a legitimate boot sector. If such a boot sector is found, it is moved over the infected one. Obviously, if the virus encrypts the original sector (e.g., like the Monkey viruses do), this heuristic will not work. When you tell CLEAN to remove "Genp" from your hard disk, it obviously finds a copy of the original MBR pretty quickly - probably because the virus stores it somewhere in the first track. On a floppy, however, the virus probably stores the original boot sector at the end of the floppy. Therefore, you'll have to wait until CLEAN reaches the end of the floppy.

> Any idea out there for an alternative ? This nasty

Yes - use a better scanner, one that is able to identify "your" virus correctly, and to use virus-specific knowledge to remove it. Take a look at F-Prot; it's a pretty good one and, unlike SCAN, is free for individual use.

> little (call it so as we still don't know what effect
> it has on our system) virus is spreading like
> an epidemic --- flu !

Consider using some generic boot sector virus protection.
If you can instruct the CMOS of your computer to boot from the hard disk first (instead of from the floppy) - do so. If not, install either Padgett's DiskSecure II, or Henrik Stroem's HS. (Henrik, I lost your e-mail address, but in case you are reading this: the beta version of your program that you sent me still does not work on my system. It says that my system is infected.)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

------------------------------

Date: Wed, 03 Aug 94 19:22:46 -0400
From: spaf@cs.purdue.edu (Gene Spafford)
Subject: FTP site now available

Announcing the COAST Security FTP Archive!

The COAST group at Purdue are happy to (finally) announce the availability of our security archive. The archive is currently available via FTP, with extensions to gopher and WWW planned soon.

The archive currently contains software, standards, tools, and other material in the following areas:

* access control
* artificial life
* authentication
* criminal investigation
* cryptography
* e-mail privacy enhancement
* firewalls
* formal methods
* general guidelines
* genetic algorithms
* incident response
* institutional policies
* intrusion detection
* law & ethics
* malware (viruses, worms, etc)
* network security
* password systems
* policies
* privacy
* risk assessment
* security related equipment
* security tools
* social impacts
* software forensics
* software maintenance
* standards
* technical tips
* the computer underground

The collection also contains a large set of site "mirrors" of interesting collections, many of which are linked by topic to the rest of the archive.

You can connect to the archive using standard ftp to "coast.cs.purdue.edu".
Information about the archive structure and contents is present in "/pub/aux"; we encourage users to look there, and to read the README* files located in the various directories.

If you know of material you think should be added, please send mail to security-archive@cs.purdue.edu and tell us what you have and where we can get a copy. In order of preference, we would prefer to get:
-- a pointer to the source ftp site for a package
-- a pointer to a mirror ftp site for the package
-- a uuencoded tar file
-- a shar file
-- a diskette or QIC tape

If you are providing software, we encourage you to "sign" the software with PGP to produce a standalone signature file. This will help to ensure against trojaned versions of the software finding their way into the archive.

Any comments or suggestions about the archive should be directed to "security-archive@cs.purdue.edu" -- please let us know what you think!

- --
Gene Spafford, COAST Project Director
Software Engineering Research Center & Dept. of Computer Sciences
Purdue University, W. Lafayette IN 47907-1398
Internet: spaf@cs.purdue.edu   phone: (317) 494-7825

------------------------------

Date: Fri, 05 Aug 94 06:16:12 -0400
From: gcluley@sands.co.uk
Subject: EICAR 94 Conference

EICAR 94 CONFERENCE
November 23-25, 1994
"Improving Small Systems' Security and Safety"

S&S International, developers of Dr Solomon's Anti-Virus Toolkit, are hosting this year's EICAR conference.

The European Institute for Computer Antivirus Research (EICAR) was founded in 1991 in Hamburg as a European umbrella organization for people and organisations interested in the virus issue. CARO (Computer Antivirus Researcher's Organisation) is a related group, consisting of the technical people from leading antivirus companies, universities, and some private individuals.

EICAR's conference this year will be held at

BP House
Hemel Hempstead
Hertfordshire
United Kingdom

between 23-25 November 1994.
The 3 day conference concentrates on measures, practical experiences and standards to "Improve Small Systems' Security and Safety". The subtitle is "Reducing Vulnerabilities of Working Place Computers and Networks in Enterprises, Public Agencies and Institutions".

This conference offers the opportunity to talk and discuss with the top 20 anti-virus technical people in the world.

Day One of the conference (November 23) is restricted to EICAR working group and members' meetings.

Program Committee:
Alan Solomon (Chair)
Chris Fischer
Fridrik Skulason
Paul Langemeyer
Anthony Naggs

Organisation Committee:
Alan Solomon (Chair)
Julie Bartle (S&S International)

Prices:
Non-EICAR member: 595ukp + VAT
EICAR member: 545ukp + VAT

If you would like more information about this event contact Julie Bartle at S&S International PLC - email: jbartle@sands.co.uk

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 64]
*****************************************
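Editor's added example (not part of the digest, and not CLEAN's actual code) illustrating Vesselin Bontchev's description above of how CLEAN handles a Genb/Genp report: scan the disk for something that looks like a legitimate boot sector, move it over the infected one, and give up when the parked copy is encrypted. The plausibility test, the constructed 1.44 MB floppy image and the XOR "encryption" standing in for Monkey's are assumptions of this example.

```python
import struct

SECTOR = 512
FLOPPY_SECTORS = 2880   # 1.44 MB floppy: 80 cylinders x 2 heads x 18 sectors

def looks_like_dos_boot_sector(sec: bytes) -> bool:
    """Plausibility test (constructed heuristic, not CLEAN's actual one): 55AA
    signature, a JMP opcode at offset 0 and a BIOS Parameter Block with sane values."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xAA":
        return False
    if sec[0] not in (0xEB, 0xE9):      # JMP SHORT / JMP NEAR into the boot code
        return False
    (bps, spc, reserved, fats, root_ents, total, media,
     spf, spt, heads) = struct.unpack_from("<HBHBHHBHHH", sec, 11)
    return (bps == 512 and spc in (1, 2, 4, 8) and reserved >= 1
            and fats in (1, 2) and root_ents > 0 and 0 < total <= FLOPPY_SECTORS
            and media >= 0xF0 and spf > 0 and 1 <= spt <= 36 and heads in (1, 2))

def find_original_boot_sector(image: bytes):
    """Walk the image front to back (a copy parked in the last sector is reached
    last, hence the wait) and return its LBA, or None if nothing usable turns up."""
    for lba in range(1, len(image) // SECTOR):
        if looks_like_dos_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR]):
            return lba
    return None

def repair_image(image: bytes):
    """Move the recovered sector over LBA 0; None means a virus-specific
    disinfector is needed instead (e.g. the stored copy is encrypted)."""
    lba = find_original_boot_sector(image)
    if lba is None:
        return None
    return image[lba * SECTOR:(lba + 1) * SECTOR] + image[SECTOR:]

def make_boot_sector() -> bytes:
    """Constructed clean 1.44 MB boot sector: JMP, OEM name, BPB, padding, 55AA."""
    bpb = struct.pack("<HBHBHHBHHH", 512, 1, 1, 2, 224, FLOPPY_SECTORS, 0xF0, 9, 18, 2)
    sec = b"\xEB\x3C\x90" + b"EXAMPLE " + bpb
    return sec.ljust(510, b"\x00") + b"\x55\xAA"

def make_infected_image(encrypt_stored_copy: bool) -> bytes:
    """Constructed infected floppy: LBA 0 keeps the BPB but its code is replaced,
    the original sector is parked last, plain or XOR-hidden (Monkey-style)."""
    original = make_boot_sector()
    viral = original[:0x3E] + b"\xCC" * (510 - 0x3E) + b"\x55\xAA"
    stored = bytes(b ^ 0x5A for b in original) if encrypt_stored_copy else original
    image = bytearray(SECTOR * FLOPPY_SECTORS)
    image[0:SECTOR] = viral
    image[-SECTOR:] = stored
    return bytes(image)
```

With the plain parked copy the scan only succeeds at the very last sector (LBA 2879), which is why a floppy "hangs" far longer than a hard disk whose copy sits in track 0; with the XOR-hidden copy nothing passes the test and the generic repair correctly reports that it cannot help.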