VIRUS-L Digest   Wednesday, 10 Aug 1994    Volume 7 : Issue 66

Today's Topics:

re: Need help on research paper
Re: A new m naming scheme for settling the good virus issue
Re: Few question regarding viruses
Re: Good sources for virus information
Few question regarding viruses
Re: Few question regarding viruses
RE: Is there a computer virus WWW home page anywhere?
Re: Integrity Checking
ANSI bombs (PC)
Re: ANSI bombs (PC)
Re: ANSI bombs (PC)
Re: How to save a boot sector (PC)
Re: Form Virus Mutation! Netware problem? (PC)
"Parity Boot" virus of Germany and Virus Buster (PC)
Re: Want info on "Stoned 4" (PC)
Unidentified virus (PC)
Re: Junkie virus (PC)
Re: Yankee Doodle Virus? (PC)
Re: NAV 3.0 update files (PC)
Re: 4DOS 5.0f triggers TBAV 6.22? (PC)
Re: Rosenthal Virus Simulator (PC)
Re: Yankee Doodle Virus? (PC)
Types of viruses??? (PC)
Re: "Horse" virus? (PC)(Anywhere else?)
Re: Want info on "Stoned 4" (PC)
Re: Flash BIOS infector? (PC)
Re: Modified Stoned???? (PC)
Re: Tamsui/Christmas-1694? (PC)
Flash BIOS infector? (PC)
boot diskette (PC)
nuage!.com is not a virus (PC)
Re: TBAV 6.22's BUG?? (PC)
Re: Need Help on "V-SIGN" virus (PC)
Re: REQ: Help (PMBS, Stealth_boot.C) (PC)
Re: Kaos 4 Virus (PC)
Re: Jack the Ripper; will F-PROT's "vstop" prevent damage? (PC)
Re: Virus Source code on CD ROM? (PC)
tbav for windows v6.21 problem solved (PC)
Re: Virus warning (PC)
hs-beta.zip - Bootvirus detection/repair program (3.59 Beta) (PC)
McAfee Viruscan 2.1 and V117 uploads to SimTel (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 08 Aug 94 17:12:27 -0400
From: "David M. Chess"
Subject: re: Need help on research paper

> I am doing a research paper, on an article that appeared in the
> May 1993 issue of Spectrum. It was on computer viruses and epidemiology.
> Basically it talks about the spread of viruses. If anyone has any info
> post it in this newsgroup or email me at nthomas@dorsai.dorsai.org.

Sorry for the delay in replying to you! I didn't see that issue of VIRUS-L until today, for some reason. We wrote the paper that you're referring to; what would you like to know about it? It was actually March 1993:

J. O. Kephart, S. R. White, and D. M. Chess, "Epidemiology of Computer Viruses", IEEE Spectrum, March 1993, Cover and pp 20-26.

(Reply to me directly if not of general virus-l interest...)

- -- -
David M. Chess                /  "In the long run, life depends less on
High Integrity Computing Lab  /   an abundant supply of energy than on
IBM Watson Research           /   a good signal-to-noise ratio." - Dyson

------------------------------

Date: Mon, 08 Aug 94 19:56:53 -0400
From: eclipse@clark.net (eclipse)
Subject: Re: A new m naming scheme for settling the good virus issue

MANAL@delphi.com wrote:
: How about this one:
: Live program := a program that reproduces
: Virus := a bad live program
: bad := defined according to the morals and ethics of the individual

No way. Virii needn't be 'bad', even in the real world, and there are many different ways of reproducing.
The term "Virus" is pretty narrow in definition, actually, indicating that the program's primary vector is embedding its code in files or filesystems and seeking out more of the same to propagate itself through.

So, there are many different kinds of live programs, and viruses needn't be 'bad' in any sense, ergo no go, Joe.

)* eclipse

------------------------------

Date: Mon, 08 Aug 94 21:52:31 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Few question regarding viruses

wrote:
>I have few questions regarding to computer viruses:
>
>1. Can program infector viruses propagate via data file?

It is possible that a virus can "infect" a data file, and still others prefer to intentionally modify them (Dbase). However, since data files are not executed, they are generally not targeted in the first place.

>2. Virus that uses encryption is known as polymorphic?

It is true that currently all polymorphic viruses are encrypted, but the opposite is not; many viruses use encryption without being polymorphic.

>3. Is stealth virus uses encryption?

Some stealth viruses use encryption, others don't. It is not necessary.

>4. Can interrupt vector table can be modified by virus?

Yes.

--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Mon, 08 Aug 94 22:02:05 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Good sources for virus information

Michael Jones wrote:
>Hi all,
>
>I'm wondering what would be good references for virus information?
>Explanations of the types of viruses, as well as Trojan Horses, worms,
>etc. What the different types do, how they do it. What a particular virus
>does, how it does it, how to clean it, etc.
>I would like to increase my
>knowledge of viruses and their methods, not to write them, I hate programming
>with a passion, but rather on how they work and how to get rid of them.
>
>Any recommended books, FTPable sources, documents, programs, and/or databases
>would be greatly appreciated.

FTPable information can be retrieved from:

corsa.ucr.edu
ftp.informatik.uni-hamburg.de
ftp.mcafee.com

Those have documents, programs, and databases. There are still many others; Jim Wright maintains the list of archive sites with related information.

There are several books which have focused on how to write viruses, and there are still a few others which talk more over about viruses and certain ones in particular. Virus-Bulletin has one published which is by far the most informative (IMHO), called Virus Bulletin's Guide to Computer Viruses.

"FTP'able sources", I hope, does not refer to source code. It is quite available on the net, 40Hex, for example -- amongst other things. I'd rather not say where it is at though.

--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Tue, 09 Aug 94 03:04:43 -0400
From: Iolo Davidson
Subject: Few question regarding viruses

haq@savage.umiacs.umd.edu writes:

> 1. Can program infector viruses propagate via data file?

No. Theoretically possible, but there aren't any viruses doing this.

> 2. Virus that uses encryption is known as polymorphic?

No. Many viruses use simple encryption. Polymorphic means that each instance of the virus is encrypted differently, with the decryption stub also varied. Polymorphic is the extreme of encryption.

> 3. Is stealth virus uses encryption?

Stealth is a separate issue. Stealth viruses can be encrypted or not. Encrypted viruses can be stealthy or not.

> 4.
> Can interrupt vector table can be modified by virus?

Yes, and often is. Some viruses actually go resident in the high address end of the IVT.

--
FROM STATISTICS     NO BRUSH
THAT WE GATHER      NO LATHER
THE SWING IS TO     Burma Shave

------------------------------

Date: Tue, 09 Aug 94 04:29:31 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Few question regarding viruses

haq@savage.umiacs.umd.edu writes:

>I have few questions regarding to computer viruses:

>1. Can program infector viruses propagate via data file?

yes and no. A virus can "infect" a data file ... some stupid overwriting viruses will for example just infect the first file in the current directory, but the virus will not spread further, unless the "data file" is renamed to an executable extension .DAT -> .COM for example.

>2. Virus that uses encryption is known as polymorphic?

no...viruses that use highly variable encryption are called "polymorphic"... viruses that just use simple encryption are not.

>3. Is stealth virus uses encryption?

some do, some don't. stealth and encryption are two independent properties.

>4. Can interrupt vector table can be modified by virus?

Modified in what sense ? All resident viruses will modify it, of course, and there are even some viruses that will make use of it ... store themselves in the upper half of the table, for example.

-frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date: Tue, 09 Aug 94 09:31:29 -0400
From: "David M. Chess"
Subject: RE: Is there a computer virus WWW home page anywhere?

> From: Dennis.Clouse@ucop.edu (Dennis Clouse)

> IBM ALMADEN ,http://index.almaden.ibm.com/1virus/virus.70

Almost! It's actually a gopher server, at URL

gopher://index.almaden.ibm.com:70/1VIRUS/VIRUS.70

We hope to have a true www page by year-end or so, but the gopher page should work fine with both gopher clients and WWW/Mosaic clients.
I recently added a pointer to the NIST Computer Security Gopher server as well.

DC

------------------------------

Date: Tue, 09 Aug 94 10:18:33 -0400
From: "Y. Radai"
Subject: Re: Integrity Checking

Matt Jas recently posted two messages concerning CRC functions; I will reply to both of them in this posting.

> Subject: Re: Integrity Checking
> sikkid@axpvms.cc.utexas.edu wrote:
>> I noticed that Vesselin stated that TBAV's integrity
>> checker was "mediocre." I was just wondering why he said that, and
>> what makes for a good CRC checker... I know a lot about viruses, but
>> my knowledge of CRC calculation techniques is pretty limited...
>
> CRCs functions are a very simple linear function, so faking a CRC
> takes about as much effort as calculating the CRC in the first place.

Here we go again. About once a year someone writes something like the above in this forum. Yes, faking a CRC (i.e. finding another file with the same CRC value as that of a given file) is very simple ... provided that the forger *knows the particular CRC generator (divisor) which is being used*. This is indeed the case when a file is being transmitted publicly (this is the situation for which McAfee's VALIDATE program was designed). However, when CRC is used for detecting whether a file has been infected by a virus or otherwise modified while on the disk of a particular computer, the integrity checking program can and should be designed so that each user's generator is *unknown* to anyone else, and in this case, it is completely infeasible to perform the type of forging you're thinking of (or any other kind), at least if the generator and table of file-checksum pairs are made inaccessible to the forger.

> The mathematics behind it are quite simple, if you want a complete
> dissertation to it, you can find the mathematics in quite a few good
> FAQ files on CRCs from sci.crypt, or you can mail me for a copy if
> you can't find one.
If these documents did not teach you the above distinction, then I think one can get much more reliable information by reading my article "Integrity Checking for Anti-Viral Purposes". Starting on or around Aug. 16, it will be available in zipped PostScript form for downloading from my FTP site VMS.HUJI.AC.IL (user ANONYMOUS, password RADAI_DOWNLOAD, mode BINARY, filename INTEGCH.ZIP, about 265 KB long). In order to read it, you must have access to a PostScript printer; it's 54 pages long.

Note: Since it is to be published in a journal, I request that it be downloaded for the time being only by people who are willing to send me constructive comments for improvement. Moreover, it must not be made publicly available on any other FTP site (or via WWW, Gopher, or any other type of file server). After it has been published, I expect to make it publicly available on many sites.

> hope this helped

Sorry, but I think it may have confused more than it helped.

I turn now to your other posting:

> Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
> CRCs (for the most part (at least non cryptographic ones)) are linear
> functions. so therefore faking them is *VERY* easy. One way to use CRCs for
> heuristic checking (CRCs are very fast which is why they are used) is to
> use more than one CRC hash value (is this the correct term for it?) or to
> use other methods as well as the CRCs (aka crypto CRCs or use a non
> standard CRC method (such as Fletchers Sum) which is just as fast).

Here you are not making the above mistake since in the context in which the claim was made (McAfee's VALIDATE) the generators are fixed and known. However, there are still a few errors:

First, a couple of minor points concerning terminology: (1) *All* forms of CRC are considered to be non-cryptographic; examples of cryptographic hash functions would be MD5, SHA, HAVAL, but these are not CRC in any sense of the term.
(2) CRCs are used not for heuristic checking but for integrity checking.

More important: If by using more than one CRC hash value you mean using the CRC algorithm with two different generators, this is no more secure than using CRC with a single generator which is the least common multiple of those two generators.

Finally, Fletcher's Sum is indeed fast, but it is definitely not a CRC method (non-standard or otherwise), and it is quite insecure.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Tue, 09 Aug 94 03:04:35 -0400
From: Iolo Davidson
Subject: ANSI bombs (PC)

as316@freenet.carleton.ca "Michael McGuire" writes:

> I was wondering if anyone knew of a virus scanner/cleaner that
> can clean something called an "ANSI bomb"?

Just delete it. And don't install ANSI.SYS in your CONFIG.SYS, and you will be immune. If you need ANSI, then get one of the replacements that does not allow key redefinition (NANSI etc).

--
FROM STATISTICS     NO BRUSH
THAT WE GATHER      NO LATHER
THE SWING IS TO     Burma Shave

------------------------------

Date: Tue, 09 Aug 94 04:25:44 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: ANSI bombs (PC)

as316@freenet.carleton.ca (Michael McGuire) writes:

>I was wondering if anyone knew of a virus scanner/cleaner that
>can clean something called an "ANSI bomb"? I was told that they
>can't be found by most scanners, and I think there's one going
>around my area...

An ANSI-bomb does not "go around" like a virus ... it doesn't spread. Typically it is just a text file that contains an escape-sequence that will redefine your RETURN key to something like "DEL *.*Y"

This will only work if you use TYPE to look at text files, and if you have ANSI.SYS (or any other similar driver that allows keyboard re-definitions) loaded.

The best defenses against something like this:

use a program like LIST, not TYPE
get a better driver, that does not allow redefinitions.
As for a cleaner that can clean this .... just edit the file...or delete it. detecting something like this is IMHO not a job for a virus scanner.

-frisk

------------------------------

Date: Mon, 08 Aug 94 22:05:53 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: ANSI bombs (PC)

Michael McGuire wrote:
>I was wondering if anyone knew of a virus scanner/cleaner that
>can clean something called an "ANSI bomb"? I was told that they
>can't be found by most scanners, and I think there's one going
>around my area...

An ANSI Bomb is a sequence of characters which tells DOS's ANSI.SYS driver to create a macro -- and often, these are malicious.

Most scanners these days scan for viruses, some trojans, and I don't know of any that scan for ANSI bombs. To completely eliminate the worry, just use a different, faster ANSI driver, such as NANSI.SYS, or ZANSI.SYS. They should be available from your favorite archive site. If you don't want to try those, then PKSFANSI will also do the same thing; producing a beep whenever a sequence has been hit.

Most BBS programs, AS WELL as Terminal programs completely filter out ANSI bombs, severely reducing their likelihood.

--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Mon, 08 Aug 94 05:10:47 -0400
From: mjb@doc.ic.ac.uk (Matthew Jude Brown)
Subject: Re: How to save a boot sector (PC)

Steve Tamanaha wrote:
)How can you save a boot sector on to disk. (if you suspect a virus
)and want to upload it to the anti-virus companies system for them
)to inspect it?)

Probably the best thing to do is to use a disk-archiving program (TeleDisk comes to mind, though there might be better ones) to store the entire (compressed) contents of the disk to a file.
Often a virus will affect more than the boot sector of the disk, and the person taking a look at it (eg. myself) may need to see the rest.

However, they may just want to look at the boot sector first, to make sure it's not one they already know of but wasn't in your version of their software. For this, most of the solutions already posted would be good.

Personally, I'd rather have a real floppy disk mailed to me; it's probably easier. Not as quick, however, but it doesn't rely on someone getting the virus sample off the disk correctly.

-Matt

--
____ Morven -- mjb@doc.ic.ac.uk -- m.brown@ic.ac.uk -- Matthew Jude Brown
\ _/__ Sophos PLC, 21 The Quadrant, Abingdon, Oxon OX14 3YS - (0235) 559933
 \X  / 32 Goldsmiths Lane, Wallingford, Oxfordshire OX10 0DN (0491) 833990
  \/   | We are the people our parents warned us about |

------------------------------

Date: Mon, 08 Aug 94 06:06:00 -0400
From: mjb@doc.ic.ac.uk (Matthew Jude Brown)
Subject: Re: Form Virus Mutation! Netware problem? (PC)

billt@pipeline.com (Bill Taub) writes:

>The infected floppies found were not
>bootable, yet Form is supposed to be a boot-sector virus.
>(there were no COMMAND.COM nor IO.SYS on these disks.

*EVERY* floppy disk has executable code in its boot sector. What distinguishes a bootable *DOS* disk is, as you say, the presence of MSDOS.SYS, IO.SYS etc. as files on the disk. This is just for DOS, however. If a floppy disk is in the drive at boot time the code in its boot sector will be loaded and run. *Any* disk, whether it has MSDOS on it or not.

Take a look at the boot sector of a floppy with a disk editor some time; you'll find that bootable disks and non-bootable disks look exactly the same, and that furthermore that the

    Non-System disk or disk error
    Replace and press any key when ready

message which prints if the disk is not bootable is actually printed up *by the boot sector code* if it can't find the system files on the disk.
A disk doesn't have to boot to infect your system, and a boot sector virus won't generally bother to tell the difference between bootable and non-bootable disks.

> Some machines ran fine (barring a few memory problems) except
>for an audible key-click from the PC speaker. This was not
>described in any listing for FORM that we encountered.

This has always been a symptom of FORM. What listings were you looking at?

-Matt

--
____ Morven -- mjb@doc.ic.ac.uk -- m.brown@ic.ac.uk -- Matthew Jude Brown
\ _/__ Sophos PLC, 21 The Quadrant, Abingdon, Oxon OX14 3YS - (0235) 559933
 \X  / 32 Goldsmiths Lane, Wallingford, Oxfordshire OX10 0DN (0491) 833990
  \/   | We are the people our parents warned us about |

------------------------------

Date: Mon, 08 Aug 94 18:01:47 -0400
From: jal@mcs.com (John A. LaCour III)
Subject: "Parity Boot" virus of Germany and Virus Buster (PC)

An associate claims that a disk given to him from someone else in the company is infected with the "Parity Boot" virus. His AVS, Virus Buster, is what led him to this conclusion.

I'm unfamiliar with this software or this virus. I suspect either he was already infected, or this program does a lousy job at keeping signatures and/or scanning them.

The software that was sent to him is a copy of a specialized package used in house. No other users have reported any problems and the procedures for manufacturing the diskettes is rather 'clean'.

Please email me any information you have about this virus and/or comments on this anti-viral software 'Virus Buster'.

Thanks,
John

------------------------------

Date: Mon, 08 Aug 94 19:30:47 -0400
From: fletcher@atlas.cs.upei.ca (Scott Fletcher)
Subject: Re: Want info on "Stoned 4" (PC)

tomb@bedford.progress.COM (Tom Barringer) writes:

>From: tomb@bedford.progress.COM (Tom Barringer)
>Subject: Want info on "Stoned 4" (PC)
>Date: 8 Aug 1994 17:33:46 -0000

>I work in a software retail store.
>A customer came in a few days ago
>reporting that Microsoft Antivirus was indicating that he had a virus
>named "Stoned 4", but that Norton, Central Point, and McAfee Scan were
>not detecting it.

>I see "Stoned.June_4th" and "Stoned.8" in virus lists but no "Stoned 4".
>Does anyone know anything about this?

Hi Tom,

One of our people at work got hit by stone 4 also. He believes that it came from a second hand 40 mg harddrive that he bought real cheap. He ended up reformatting both drives. His anti virus checker that comes with Dos 6.2 didn't catch it.

I would like to get more information on this particular virus also.

Scott Fletcher
End User Support
PEINet

------------------------------

Date: Mon, 08 Aug 94 20:21:33 -0400
From: M.Bontoft@mailbox.uq.oz.au (Matthew Bontoft)
Subject: Unidentified virus (PC)

A friend of mine has been suffering from a virus that no scanner he has used has been able to detect. Basically it loves to pop up during programs esp Optune, although it has been known to appear during video displays such as games and in other utils like Xtree Gold.

When it pops up an 8 digit counter appears like 00000000 and starts counting up supposedly to 99999999. It has caused FAT damage before it reaches the counter, although the counter has never been allowed to continue.

Upon replacing ALL files with a re-format of the drive in question with reliable sources the program went away for a while but on this isolated machine it has since returned. It has been around for at least 6 months and is beginning to become a problem.

Has anyone heard or knows where to get a cleaner for this?

thanks in advance

------------------------------

Date: Mon, 08 Aug 94 22:13:26 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Junkie virus (PC)

Peter Moehlmann wrote:
>No chance, no help to clean the infected files from this virus.
>does fprot 213 still works?
>Does clean XX still clean this files?

NAV 3.0 detects and removes this virus.
--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Mon, 08 Aug 94 22:19:05 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Yankee Doodle Virus? (PC)

wrote:
>I'm looking for information on a virus known as the "Yankee Doodle" virus.
>Does it exist? If so, can anyone lead me to a source for a scanner to detect
>it? Thanks in advance for any help.

There are many variants of this virus. At 5pm, it plays the song of the same name. It's relatively old. Most variants infect .COM and .EXE files, though some only infect .EXE's.

I don't have source to a scanner to detect it, though it should be a pretty trivial task to write one, despite what others may think in this group.

--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Mon, 08 Aug 94 22:28:26 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: NAV 3.0 update files (PC)

Indiana Jones wrote:
>Does anyone know of a FTP site with NAV 3.0 update files that were written
>AFTER May '94? I thought that rzsun2.informatik.uni-hamburg.de was supposed
>to carry all of Symantec's anti-virus upgrades, but it looks like no one
>carries an update more current than nav30may.zip. :(
>
>Any assistance would be GREATLY appreciated!

The August update should be available on corsa.ucr.edu for anonymous ftp in /pub/anti-virus-utils in the next day or two. (Still haven't gotten around to fixing it up yet. :|)

--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Mon, 08 Aug 94 22:47:11 -0400
From: bshumer@dorsai.dorsai.org (Bob_Shumer)
Subject: Re: 4DOS 5.0f triggers TBAV 6.22? (PC)

Michael Edson (mmedson@crl.com) wrote:
: I just downloaded Thunderbyte 6.22 and ran a scan on my hard drive. All
: sorts of heuristic alarms went off when it scanned 4DOS 5.0f (4dos.com).
: Earlier versions of TBAV did not do this. Just to play things safe, I
: deleted 4dos.com, rebooted from a clean floppy, and downloaded a fresh
: copy of 4dos. Same alarms. The TBAV documentation shows that 4DOS 4.0a
: will trigger the alarms, but is silent as to my version.

: Have I done what it takes to be sure that this is a TBAV problem, and not
: a virus?

The four flags are normal, for a hr scan. Hr scans are for people who can interpret the meaning. Pklite 4dos.com and you won't get the flags.

Bob/NYC

------------------------------

Date: Mon, 08 Aug 94 22:52:55 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Rosenthal Virus Simulator (PC)

Vesselin Bontchev wrote:
>Doren Rosenthal (as194@cleveland.Freenet.Edu) writes:
>> [Moderator's note: Why are you surprised that I approved Dr. Cohen's
>> posting? Although lengthy, his opinions were well formed and civil.
>> There's no restriction against posting controversial opinions! I
>> generally only reject unrelated (to the topic of viruses) submissions,
>> virus code (source or binary), and uncivil postings.]
>
>One additional restriction that Ken has not mentioned above, is that
>requests and offers for viruses (e.g., virus exchange) are also
>rejected. I believe that *this* was the reason why your articles were
>suppressed in the past. I hope that they will be again, if you attempt

That's odd.
I often see messages with virus exchange intent behind them, such as, "Please send copies to anti-virus researchers", but, let me guess, since it is not a known virus at that time, you're allowed to plead ignorance? Or is it just blatant exchange?

>> I have written such a useful virus and have made it
>> publicly available as shareware (see VIRSIM2C.ZIP) for over a
>
>And I thought that this is not a place for virus advertisements...

Indeed.

>Anyway, as I have explained to you many times, your viruses (there are
>two of them, actually) are not harmless. You are distributing
>malicious code to your users. You are distributing the MtE - attached
>to your viruses - and by doing this you are a shame for all shareware
>producers. Also, it is trivial for any hacker to modify your viruses
>in a way to suit his needs, and even possibly to include intentionally
>destructive functions. Therefore, you are providing to the maliciously

There is a product called, "Secure," though I forget who produces it. (if it is an issue, I can find out). This program does *NOT* use the MtE, but, some engine of its own. You feed it some program that you have, and it generates a random encryptor/decryptor envelope, complete with somewhat foolish (i.e. disabling the keyboard) anti-debugging tricks. The purpose of the product is to keep people from fricking with a program you wrote, which is a pretty useful function if you are, for example, working with copy protecting your program, and want it to be as difficult as possible for someone to crack, with as little difficulty to yourself. It is possible, for any hacker to alter this program so that it produces viruses instead.

And, I have seen a program which actually intentionally modifies known programs into trojan horses. (Though it wasn't made by a company, of course.)

So by all this, does that mean he would be okay by you if he only distributed the MtE by itself? Would you prefer he write his own engine to demonstrate polymorphism? Or what?
How would you suggest he change it so that we could all get along?

>inclined people easy means to transport their malicious code. I

So only malicious people are interested in his product?

>certainly wouldn't call such actions "commendable". In the beginning I
>was ready to give you the benefit of the doubt - having in mind your
>"simulated viruses", I was ready to think that your actions are caused
>by simple incompetence. However, since then I (and several others)
>have explained you multiple times how harmful your actions are, and
>you are still persisting with them. Therefore, I must conclude that
>you are doing it intentionally and with malicious intents in mind.
>That is, you are a virus writer and distributor.

How about, instead of telling him that he is wrong and bad, and he shouldn't be doing something, suggest something that would let him continue to produce his program, without offending you.

Obviously, a simulation is exactly that, and could not possibly be a "real test" for an Anti-Virus product since the only test that counts is a *real* virus. For example, have you ever seen a test done with "Fake viruses were used in this testing" in fine print? Of course not.

>> year now with very positive response from its users.
>
>This is irrelevant. First of all, most users do not have the technical
>knowledge to correctly assess the damaging potential of your product.
>Second, I am certain that there are people who give a "positive
>response" to those who run virus exchange BBSes too. There are enough
>people around who enjoy causing mindless damage, and people like you
>and Mark Ludwig are just helping them.

How can you be so certain? With all the publicity that viruses are getting these days, many people are curious about them. If they can find something easily (say anonymous FTP), then they are bound to use it. My guess is that many people search the net for information on viruses -- check out how many people read this group who aren't virus writers.
>> The Virus Simulator MtE supplement not only requires the user's
>> permission before infecting a file, but it will only infect
>> programs that the copyright holder (me) has supplied and
>> authorized. It discourages tampering, and verifies its own
>> integrity and that of its host program before infecting it.
>
>In simple words: any hacker worth his salt, can modify the virus,
>removing all "safeguards" just in a matter of minutes, using DEBUG.
>Then he can easily add his own damaging routines, or (not so easily)
>extract the polymorphic engine and use it in his own viruses.

This argument is bogus still. *ANY* hacker can modify *ANY* program in just a matter of minutes using DEBUG and add their own routines. And, chances are that if they were going to do this, they'd either modify a currently existing virus they already have, or they would not do it to one which was protected.

>> Virus Simulator continues to be quite popular for the purpose it
>> was designed and its users continually report that the MtE
>> supplement performs a very useful function that they appreciate.
>
>Many users "appreciate" Mark Ludwig's book and CD-ROM with viruses,
>but this of course does not mean that they are good things.

Indeed.

--
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S S U C K .oOo.oOo.

------------------------------

Date: Tue, 09 Aug 94 02:03:14 -0400
From: jantz@netcom.com (Mark R. Jantz)
Subject: Re: Yankee Doodle Virus? (PC)

dwburger@rocky.ucdavis.edu wrote:
: I'm looking for information on a virus known as the "Yankee Doodle" virus.
: Does it exist? If so, can anyone lead me to a source for a scanner to detect
: it? Thanks in advance for any help.

Yes, it certainly exists. It's a DOS virus. Most virus scanners should be able to find it.

One such scanner that you can get by anonymous FTP is McAfee's scanner.
Just FTP to mcafee.com. Go to /pubs directory, then antivirus I think.
Download scanv117.zip. While you're at it, get clean117.zip. Download to
a floppy disk and unzip.

/\/\ark

------------------------------

Date:    Tue, 09 Aug 94 03:04:50 -0400
From:    Iolo Davidson
Subject: Types of viruses??? (PC)

hstroem@ed.unit.no "Henrik Stroem" writes:

> Iolo Davidson writes:
>
> > Every formatted PC floppy contains an executable.
>
> Nope. "Every" is a bit too strong a word.
>
> Every PC floppy formatted by a "normal" format program contains an
> executable.

Ok, so thanks a bunch for confusing the user level readers of this group
even more than they were before. The technical level readers already
know that strange weird out of the ordinary odd things are possible, but
I was trying to counter the general user's belief that data only disks
are safe from viruses, a belief which is the bane of anyone who has ever
worked in anti-virus support or done a virus cleanup.

Still, you have made yourself look clever and me look stupid, and that
is after all the important thing.

--
FROM STATISTICS      NO BRUSH
THAT WE GATHER       NO LATHER
THE SWING IS TO      Burma Shave

------------------------------

Date:    Tue, 09 Aug 94 04:36:59 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: "Horse" virus? (PC)(Anywhere else?)

Blaine.Delancey@lambada.oit.unc.edu (BlaineDeLancey) writes:

>Has anybody got information on the "Horse" virus? A friend of mine
>reported detecting it, I think with PC Tools Antivirus(?),

There are several "Horse" viruses ... at least the following ones:

    Horse.1154.A
    Horse.1154.B
    Horse.1158
    Horse.1160
    Horse.1576
    Horse.1594
    Horse.1610
    Horse.1776
    Horse.2248

There is also the Horse_Boot family of boot sector viruses.

Have your friend run some other scanner that can identify the virus
properly .... then it might be possible to tell what the virus does.

-frisk

Fridrik Skulason      Frisk Software International   phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is       fax:   +354-1-617274

------------------------------

Date:    Tue, 09 Aug 94 04:40:55 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Want info on "Stoned 4" (PC)

tomb@bedford.progress.COM (Tom Barringer) writes:

>I see "Stoned.June_4th" and "Stoned.8" in virus lists but no "Stoned 4".
>Does anyone know anything about this?

MSAV/CPAV do not use standard naming, so it is sometimes a bit difficult
to say what they are talking about. I have made a cross-reference list
for some of the other products, by running them on my own collection,
but so far I have not been able to do that for those programs ... they
just crash on my collection.

I have heard this name before, but I just cannot remember what it is
supposed to refer to.

-frisk

------------------------------

Date:    Tue, 09 Aug 94 04:46:32 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Flash BIOS infector? (PC)

kent_norman@ccmailsmtp.ast.com (kent norman) writes:

>Are there any viruses that infect a flash BIOS?

not as far as we know.

>If the disk used to write (flash) a new BIOS was infected, could it embed itself
>into the new BIOS?

quite possibly yes.

>If embedded in the new BIOS, it seems it would be impossible to remove

it would not be impossible to remove...although it would be difficult if
it made the machine unbootable, otherwise one could write a program that
would disable it ... load a replacement BIOS into RAM or something
before updating the flash memory.

-frisk

Fridrik Skulason      Frisk Software International   phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is       fax:   +354-1-617274

------------------------------

Date:    Tue, 09 Aug 94 04:57:40 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Modified Stoned???? (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>> Roger Espejo
>> Mensaje 1.12
>> Lima - Peru.

>Hm...
>Could be a virus, or a joke, or something else.

Hm...I have seen this before - and I sort of recall it encrypted inside
some virus....let's see...F-prot detects a boot sector virus I call
"Espejo" virus, but I think it is also known as "Crazy boot"....I guess
that's the one.

It infects the MBR ... so a "generic" MBR disinfection should be able to
get rid of it....that is, the instructions Vesselin gave:

>Try booting from a clean floppy with DOS 5.0 or above, make sure that
>you can still access the hard disk (e.g., "DIR C:"), and run
>FDISK/MBR. Then boot from a clean floppy with the same operating
>system as the one installed on your hard disk, and run SYS C:. This
>should take care of anything present in the boot sectors.

-frisk

------------------------------

Date:    Tue, 09 Aug 94 05:07:00 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Tamsui/Christmas-1694? (PC)

kenney@netcom.com (Kevin Kenney) writes:

>Ran into the virus F-Prot 2.13 calls Tamsui and can disinfect,
>and that Nav 3.0 with 7/94 definitions (30a09) calls Christmas-1694
>(the correct file size increase) and can't disinfect.
>VirHunt 4.0D did not detect this virus.
>I don't see references to this in the MSDOSVIR files or VSUMX 4.01
>Can somebody send some background data? The virus does contain the
>plaintext string 'Merry Christmas and happy new year! Written from
>Tamsui Oxford college'

I haven't analysed it in detail....it infects only EXE files, is 1694
bytes long, but I got my first sample of this virus from Patty Hoffmann
over a year ago, so it should have been included in VSUM....and indeed
it is....under the name of "Merry Xmas". The information there is not
100% correct, but compared to many other entries it is not bad.

One note: VSUM says "Removal Instructions: Delete infected files", which
is quite silly as several products, (including F-PROT, as you noted) can
disinfect it, although they usually leave 1-15 extra bytes at the end.

-frisk

Fridrik Skulason      Frisk Software International   phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is       fax:   +354-1-617274

------------------------------

Date:    Tue, 09 Aug 94 06:15:29 -0400
From:    Iolo Davidson
Subject: Flash BIOS infector? (PC)

kent_norman@ccmailsmtp.ast.com "kent norman" writes:

> Are there any viruses that infect a flash BIOS?

Not yet.

> If the disk used to write (flash) a new BIOS was infected, could it
> embed itself into the new BIOS?

Probably not how it would work. This certainly would not happen if an
existing virus happened to infect such a disk. It would require
something purpose written, probably not actually a virus, but a dropper.
A virus could not propagate very widely if it only infected flash bios
update disks, so it would be more likely to be written as a normal boot
sector virus which could also write itself into flash bioses if present.
Or into a particular type of flash bios, as the details for doing this
vary from make to make. These details are not documented, which makes a
difficult programming task even more difficult. Don't think anyone can
do this yet.

> If embedded in the new BIOS, it seems it would be impossible to remove
> since any new flashes would be after the computer loaded the bad
> BIOS and before reading the floppy with the new BIOS code.

I think the first virus attack on a flash bios will be a damage payload.
This is a lot simpler to do than any infection scheme. And yes, once
damaged, the bios will no longer be able to boot the computer, even to
load an undamaged bios update, unless there is a routine for doing so
stored in ROM.

I investigated this subject for a newspaper story some time back, and
found it very difficult to get any details or even comments from
manufacturers of computers that use flash bios. They do not advertise
this feature when present, and you may well have a computer that uses it
without knowing. Any laptop built in the last year or so almost
certainly does.

--
FROM STATISTICS      NO BRUSH
THAT WE GATHER       NO LATHER
THE SWING IS TO      Burma Shave

------------------------------

Date:    Mon, 08 Aug 94 08:04:58 -0400
From:    herb@dorsai.dorsai.org (herb_rabinowitz)
Subject: boot diskette (PC)

if using the new scn program by mcafee..what files must be put on a
diskette to clean the system if a virus is found

--
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  "getting my mind set..confidence should
herb@dorsai.dorsai.org              show the way"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  "the chicken tomorrow is better than the egg today"

------------------------------

Date:    Mon, 08 Aug 94 10:52:14 -0400
From:    mikko.hypponen@wavu.elma.fi (Mikko Hypponen)
Subject: nuage!.com is not a virus (PC)

There are archives called ASS_PC4K.ZIP and NUAGE.ZIP floating around in
BBS's and FTP sites. These contain demo programs from the Assembly'94
demo party, specifically the demos that attended the 'Intros smaller
than 4 kilobytes' -competition.

We have received a lot of queries about a file called NUAGE!.COM which
can be found from these archives. The latest versions of F-PROT (2.13b)
and McAfee SCAN (117 and 2.0.2) report it as possibly infected. However,
the file is clean.

NUAGE contains an encryption routine which is almost identical to the
one used in the Reklama virus. Either the author of NUAGE has borrowed
the routine from this virus or the routine has been published somewhere.
In any case the file is clean.

On the other hand, the demonstration values of NUAGE!.COM are not very
high and it also leaves the machine in a non-stable condition, causing a
system crash almost always after it has been run. Thus, it might be the
easiest solution to just remove the file and forget about it.

--
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
PGP public key available, check the keyservs

------------------------------

Date:    Tue, 09 Aug 94 07:50:49 -0400
From:    bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Re: TBAV 6.22's BUG?? (PC)

is2a wrote:

>Hello! Every Virus Researcher!
>
> I had gotten TBAV 6.22 from 130.161.156.11 last week.

aka ftp.twi.tudelft.nl or dutiws.twi.tudelft.nl, dir /pub/msdos/virus/tbav

> When I use it to scan my hard disk, a strange thing happened.
> In the Windows 3.1 Chinese Version, there is a file named win386.ps2,
> 852 bytes in length, stays in \Windows\System.
> When I use TBSCAN *.* hr to scan the sub-directory, TBSCAN halts!!!
> It halts when the file win386.ps2 is scanned.

This is a known problem and (if I'm right, remembering a mail from the
authors I got yesterday) will be solved in v6.23, which will be out this
week.

> Sincerely.
> Jimmy Chung

BTW. The problem with v6.21 was also known and caused by a wrong
language file. This was solved in v6.22 which was released a day or two
later. (on July 11th)

Piet de Bondt (this message posted 940809)    bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date:    Tue, 09 Aug 94 08:24:40 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Need Help on "V-SIGN" virus (PC)

oerkul@site.gmu.edu (Oguz Erkul (CS 471)) writes:

>Hi,
> I am facing a virus which is called "v-sign" as the title
>says. It is messing up the partition table, it is more like cansu
>with some powerful stuff

cansu and v-sign are just two names for the same virus....

-frisk

------------------------------

Date:    Tue, 09 Aug 94 08:36:28 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: REQ: Help (PMBS, Stealth_boot.C) (PC)

fac0294@uoft01.utoledo.edu (Colin McGinnis) writes:

>I'm new to this group and fairly new to USENET. A friend of mine is
>having trouble:
>It started when he couldn't load MS Windows. He would get the Windows logo,
>and then back the C-prompt. When he used F-Prot, he got two different virus
>messages.
>"The PMBS virus search string has been found in memory."

This is not 100% correct ... the machine is probably infected with the
Stealth_Boot.C virus, but F-PROT also finds the PMBS pattern in that
sector. The virus is identified accurately in the MBR, but just the
first pattern found is reported in memory.

>"The Master Boot Sector is infected with the C variant of the Stealth_boot
>virus."
>When he tried to disinfect the virus in the MBR, he got this message:
>"Virus could not be removed - Original MBR was not found"

I'm not sure why this failed, but the generic removal method should be
able to deal with this case (boot from a clean DOS 5+ diskette, and if
you can access drive C:, run FDISK /MBR).

>It notes two programs (SPLITTER.EXE in two different directories) as being
>"inoculated by Central Point Anti-Virus."

Nothing to worry about there. We report this inoculation because it so
frequently causes self-checking programs to report that they are
infected, but you should just ignore this...

-frisk

------------------------------

Date:    Tue, 09 Aug 94 08:40:27 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Kaos 4 Virus (PC)

drcat@crl.com (David Shapiro) writes:

>McAfee 1.17 or 2.10 will detect Kaos 4. Earlier versions will not - it
>was just added in this release. A helpful individual in New York tried 3
>or 4 other virus scanners, including and none of them were able to detect
>the virus.

We released an update on July 27th to deal with this virus...

>the impression that this is a very new virus - perhaps my shareware was
>used as the first place it was 'released', I don't know.

It is brand new, yes. Anyhow, the author of the virus frequently posts
to comp.virus....why not just ask him how old the virus is ?

-frisk

Fridrik Skulason      Frisk Software International   phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is       fax:   +354-1-617274

------------------------------

Date:    Tue, 09 Aug 94 08:52:02 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Jack the Ripper; will F-PROT's "vstop" prevent damage? (PC)

tneuhaus@worf.uwsp.edu (Tom Neuhauser) writes:

>But I'd like to know if F-PROT's "vstop" will prevent damage by stopping
>the action of Jack the Ripper?

well, if

    a) you are using the current version of virstop (2.13a)
and
    b) you have virstop loaded with the /BOOT switch, so it will check
       boot sectors when accessed

then Virstop will intercept the virus, if (for example) you do a "DIR"
on an infected diskette.

What Virstop cannot do, however, is to prevent the machine from becoming
infected, if you boot from an infected diskette ... as the virus is then
executed before Virstop ... it can only detect the infection in that
case, not prevent it.

-frisk

------------------------------

Date:    Tue, 09 Aug 94 09:15:07 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Virus Source code on CD ROM? (PC)

sgallagh@vision-thing.com (Sean Gallagher) writes:

>I saw a post on another forum that stated a company, possibly American Eagle
>Publishing (?) was selling a CD ROM with the source code to approx 200 viruses.
>1)Is this true?

There are two virus CD-ROMs out....I haven't seen them - I don't want to
pay for viruses, or violate the compilation copyright getting a copy,
and the producers have not sent me a free sample....

anyhow....the first disk is...well, pretty bad...It contains a few
sources, but they are practically all from 40Hex and other easily
obtainable sources.

The other one is...well, a lot better...a pretty big collection of
viruses, properly organized, and quite "clean", compared to the usual
"underground" collections that I receive regularly - which typically
contain around 20% junk (innocent programs or intended/corrupted
viruses)....at least according to a list I got with the output of
running my F-PROT on the disk.

>3)Have any controls been placed on the sale of this source code?

Controls ? ..... You must be joking....This is USA, remember.

-frisk

------------------------------

Date:    Tue, 09 Aug 94 09:40:59 -0400
From:    bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: tbav for windows v6.21 problem solved (PC)

Hi,

I read a message in VIRUS-L digest v7n63 this afternoon, regarding a
problem in TBAV for Windows v6.21

This was the message: (from X Development; X@cs.umbc.edu)

> Has anyone had problems getting TBAV for Windows v6.21 to work? It installs
> properly (and does the scanning during installation properly), however when
> I try to run the menu I get an error stating that a file has not been found.
> (Can't remember which, but it WAS in the dir.).. Tried putting the dir. in
> my path, etc. but no luck.

There were two problems:

1) in v6.21 was a wrong language file included which caused some 'hangs'
2) for the windows version you also need *some* files from the regular
   tbav6xx.zip file (dos version), eg. the virus-database, and some more.
   unfortunately, this is not very clearly stated in the info-files...

Piet de Bondt (emailed on 940809)             bondt@dutiws.twi.tudelft.nl
==============================================================================
FTP-Admin for MSDOS Anti-virus software at anon-ftp-site: ftp.twi.tudelft.nl

------------------------------

Date:    Tue, 09 Aug 94 10:08:58 -0400
From:    oep@colargol.edb.tih.no (Oeyvind Pedersen)
Subject: Re: Virus warning (PC)

Norman Data Defense Systems A/S (norman@norman.no) wrote:
: We have discovered an infected file which has been spread on Usenet in
: the group 'alt.binaries.pictures.erotica'. The virus is called Chaos4/
: kohntark 697, and is a com/exe infector. No current scanners seem to be
: able to detect it yet. A detector/disinfector routine is available in

F-PROT version 2.13a does detect and remove this virus. Has been around
since 27. July.

-oep

------------------------------

Date:    Tue, 09 Aug 94 00:55:36 -0400
From:    hstroem@ed.unit.no (Henrik Stroem)
Subject: hs-beta.zip - Bootvirus detection/repair program (3.59 Beta) (PC)

I have uploaded to the SimTel Software Repository (available by
anonymous ftp from the primary mirror site OAK.Oakland.Edu and its
mirrors):

SimTel/msdos/virus/
hs-beta.zip     Bootvirus detection/repair program (3.59 Beta)

Beta version of HS.COM v3.59

Major enhancements are:

1) QEMM STEALTH support!
2) DiskSecure support! All versions.
3) Maybe XT support? Not tested.

Uploaded by the author,

Henrik Stroem
Stroem System Soft
hstroem@ed.unit.no

------------------------------

Date:    Tue, 09 Aug 94 00:31:31 -0400
From:    lucas@mcafee.com (Kelly Lucas)
Subject: McAfee Viruscan 2.1 and V117 uploads to SimTel (PC)

I have uploaded to the SimTel Software Repository (available by
anonymous ftp from the primary mirror site OAK.Oakland.Edu and its
mirrors):

SimTel/msdos/virus/
scn-210e.zip    VirusScan V2.1.0 scans/cleans for viruses
vsh-210e.zip    VShield V2.1.0 virus prevention TSR
wsc-210e.zip    VirusScan V2.1.0 for windows
scanv117.zip    Viruscan V117 scans for viruses
clean117.zip    Clean-up V117 removes viruses
vshld117.zip    VShield V117 virus prevention TSR
wscan117.zip    Viruscan V117 for windows
virdt117.zip    Netshield VIR.DAT V117 virus signature update

WHAT'S NEW

VirusScan 2.1.0 .DAT files

  o Enhanced detection of the Freddy Kruger virus.
  o CLEAN.DAT has been modified to provide more efficient removal of
    known viruses.

VirusScan for DOS, V2.1.0

  o The /STD switch has been removed, because the default for VirusScan
    has been changed to scan only standard executable files.
    Additionally, /ALL has been added, to provide for scanning all
    files, regardless of extension.
  o Conventional memory requirements should not exceed 340 kb, even if
    no EMS memory is allocated. The /MANY switch has been added,
    providing an easy method for scanning and cleaning multiple numbers
    of floppy disks.
  o Scan now searches internally in PK-Lited files

VShield V2.1.0

  o A /POLY switch has been added that enhances the detection of
    poly-morphic viruses. This option is not compatible with
    /anyaccess, /fileaccess, or /bootaccess. This option utilizes a new
    file called vsheml.exe.

WScan V2.10

  o This is the first release of our new windows product.
    Unlike the older 1xx series of WScan, which utilizes a .pif file to
    execute scan for DOS, this product is a true windows product that
    adds features such as:
      -scheduled scanning
      -help menus
      -customizable scanning profiles
    and a host of other features too numerous to list.

Version 117 of all products provides enhanced detection and removal of
new viruses since the release of 116.

For instructions on using the programs, please refer to the VirusScan
documentation. For Validate values, please refer to the PACKING.LST
enclosed inside each .ZIP file.

Regards,
Kelly Lucas
Technical Support
- - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: lucas@mcafee.COM
2710 Walsh Ave, 2nd Floor | FAX (408) 970-9727   | IP# 192.187.128.1
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051- USA                | USR HST Courier DS   | America Online: McAfee

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 66]
*****************************************
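
Added example, not part of the digest or of any poster's message: the generic MBR disinfection quoted in the "Modified Stoned" and "Stealth_boot.C" replies (check that C: is still accessible from a clean boot, then run FDISK /MBR), modelled on a 512-byte sector image. It assumes the standard PC MBR layout (446 bytes of boot code, four 16-byte partition entries, 55 AA signature) and that the repair rewrites only the boot code; the function names, the usability heuristic and the sample sectors are constructed for illustration.

```python
# Added illustration: generic MBR repair modelled on a sector image.
# Layout assumed: standard PC MBR. All names and sample bytes are constructed.
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 446           # bytes 0..445 hold the master boot code
SIG_OFFSET = 510         # bytes 446..509 hold four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def parse_table(sector):
    """Return the non-empty partition entries of a 512-byte MBR image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image is exactly 512 bytes")
    entries = []
    for slot in range(4):
        raw = sector[CODE_END + 16 * slot:CODE_END + 16 * (slot + 1)]
        if raw == bytes(16):
            continue  # unused slot
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        entries.append({"slot": slot, "status": raw[0], "type": raw[4],
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def table_is_usable(sector):
    """Image-level stand-in for the 'can you still DIR C:' check."""
    if sector[SIG_OFFSET:] != BOOT_SIG:
        return False
    entries = parse_table(sector)
    sane = all(e["status"] in (0x00, 0x80) and e["type"] != 0
               and e["sectors"] > 0 for e in entries)
    active = sum(e["status"] == 0x80 for e in entries)
    return bool(entries) and sane and active <= 1


def code_digest(sector):
    """Digest of the boot code only, for comparison with a known-good value."""
    return hashlib.sha256(sector[:CODE_END]).hexdigest()


def generic_repair(sector, clean_code):
    """Replace the boot code and keep the partition table and signature."""
    if len(clean_code) != CODE_END:
        raise ValueError("replacement boot code must be 446 bytes")
    if not table_is_usable(sector):
        raise ValueError("partition table not readable; "
                         "do not overwrite the boot code")
    return clean_code + sector[CODE_END:]


# Constructed sample data (not taken from any real disk or virus).
CLEAN_CODE = b"KNOWN-GOOD-LOADER".ljust(CODE_END, b"\x90")
TABLE = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                    b"\x0f\x3f\xff", 63, 204800) + bytes(48)
BASELINE = CLEAN_CODE + TABLE + BOOT_SIG
# Case 1: foreign boot code, partition table left in place.
REPLACED_CODE = b"UNKNOWN-CODE".ljust(CODE_END, b"\xcc") + TABLE + BOOT_SIG
# Case 2: foreign boot code and the table area no longer holds valid entries.
TABLE_GONE = b"UNKNOWN-CODE".ljust(CODE_END, b"\xcc") + b"\xa5" * 64 + BOOT_SIG

if __name__ == "__main__":
    print("code changed:", code_digest(REPLACED_CODE) != code_digest(BASELINE))
    fixed = generic_repair(REPLACED_CODE, CLEAN_CODE)
    print("repair restores baseline:", fixed == BASELINE)
    print("table kept:", parse_table(fixed))
    try:
        generic_repair(TABLE_GONE, CLEAN_CODE)
    except ValueError as err:
        print("refused:", err)
```

In the second case the rewrite is refused because replacing only the boot code would leave a sector with no usable partition table, which is what the "make sure you can still access the hard disk" step guards against.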