VIRUS-L Digest   Friday, 19 Aug 1994    Volume 7 : Issue 71

Today's Topics:

Re: Mutating viruses?
Re: Mutating viruses?
Re: Looking for Virus Scan Strings
Re: Re| Viruses = Commercial Opportunity?
Re: Virus signatures
Central Point Internet Address?
Re| Viruses = Commercial Opportunity?
Re: viruses on MAINFRAMES (VAX,IBM,UNIX)?
Re: How to save a boot sector (PC)
Re: changing genP/genB virus (PC)
Re: Re| FamM virus (PC)
Re: Fixing the boot sector of a floppy? (PC)
Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
KOH (PC)
Re: virus construction labratory (PC)
Re: Whisper Presenterar Tai-Pan (PC)
Re: Rosenthal Virus Simulator (PC)
NETSHLD on Novell? (PC)
Re: Help Win 32 Bit File Virus? (PC)
Re: McAfee Virus Scan (PC)
Re: Help McAfee Virus Scan (PC)
Whisper Presenterar Tai-Pan (PC)
Re: TranScan (PC)
Re: Invisible Man... (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: whisper virus (PC)
Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC)
Re: 666 virus (PC)
Unknown problem (PC)
Re: Best Anti-virus software (PC)
Smeg viruses (PC)
virus construction labratory (PC)
Dr. Solomon Virus Signature Update (PC)
Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC)
Re: Virus Source code on CD ROM? (PC)
Windows Anti-Virus Where (PC)
Re: Need Help on "V-SIGN" virus (PC)
Re: Stealth.B Pain (PC)
Re: Virus Source code on CD ROM? (PC)
Re: Smeg viruses (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues
are available by anonymous FTP on CORSA.UCR.EDU.  Administrative mail
(e.g., comments, suggestions, beer recipes) should be sent to me at:
krvw@ASSIST.MIL.  All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 17 Aug 94 03:28:06 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Mutating viruses?

M.W. Holcroft wrote:
>c0900238@techst02.technion.ac.il (Dimerman Dan ) writes:
>> In some antiviruses I noted that under the comment about certain virus,
>> goes something about a "mutation" of some original virus.
>
>This type of mutation sounds a little strange... they would have to be
>variants of some virus, rather than mutants, because if a virus mutates
>properly, it should be unrecognisable from its 'parent' or source. Of
>course, you might check for percentage similarity....

Or a totally different method could be used, like marking the infected
files by changing the time/date stamp to a certain time, or only
infecting files which have a seconds field of 30, or something equally
effective.  Hell, you could even say that the file just has to start
with a jump instruction, or the last byte of the file has to be a "0"
for infection.  There are many other ways around this.

>You might specify some instructions as being equivalent to others...
>so
>
> MOVE.W a,b = MOVE.W a,c
>              MOVE.W c,b
> MOVE.L a,b = MUL b,0
>              ADD a,b
> ADD.W a,b  = MOVE.W a,c
>              SHR c,#8
>              ADD.W c,a
>              ADD.W c,a  (maybe not quite?)
> etc etc

The main problem with this approach is that offset addresses will be
changing.  What happens when a jump is suddenly out of range?  Have
substitutions for them all?  Maybe for the jumps, but def. not the
offsets.
Perhaps an easier solution would be to say each instruction is going to
be, say, five bytes, pick one of those from a table, and place totally
bogus instructions in between so offsets remain the same?

>(more efficient, more generalised, more stable, whatever), in which case it
>is superior. Evolution is biased in favour of 'fit' and 'superior'. The
>choice of fitness is arbitrary. Not like real evolution at all, where an
>'inferior' organism might survive at 'bubble over' until a dramatic change
>in the environment makes it more suited than any of its (previously
>superior) competitors; and where perfectly fit organisms can become extinct
>(unfit?) by chance (dinosaurs, etc).

Actually, if a virus is sufficiently polymorphic that it changes itself
enough, while it might have the same function, one could argue one
mutation is more fit than another since it isn't detected as easily as
some other mutation.  For example, there is a need to be able to detect
100% MtE samples vs. 99% since one sample undetected could re-introduce
the infection to the system.  That 1% could be considered more fit.

>On another track: why encrypt a virus???? To execute, it must decrypt. It
>must therefore either use some OS decryption routine, or include
>unencrypted decryption code, which will be the pattern to search for (might
>use some autodecrypt function shared with compacted programmes - I DO NOT
>use auto decrypting executables for this reason. It IS a pain decrypting
>to run, but you KNOW about it). Encrypted code cannot mutate (the chance
>of altering a block of meaningless data, and expecting it to mean something
>at some later stage AFTER the random alterations is tiny) so it too can be
>used as the pattern to search for in a virus detector.
>Encryption is
>useless; although it does mean that you cannot find calls to certain
>routines (XBIOS calls, or whatever) so locating it in the first instance is
>made more difficult, but once someone has done that, a virus detector can
>be updated and the virus is no longer any more difficult to find than any
>other.

Well, it is possible that some very ugly decryptors could look similar
to a decompression routine, such as a PKLite type of envelope.  And, as
I mentioned before, there is a program which will place an encrypted
envelope on a program you have written to make it more difficult for
someone to reverse engineer.

Polymorphic encrypted viruses currently (not oligomorphic, mind you)
create their own encryption and decryption routines at random.  They do
not, theoretically, "mutate" in the sense of the word meaning they see
what they are now, and then change one instruction into another.  They
instead generate totally new code.  Therefore, since the encryption is
changing, either the key or the actual encryption type, it's not
necessary for the "encrypted code" to mutate; the new key or encryption
method will force the encrypted code to look totally different anyways.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Wed, 17 Aug 94 08:24:52 -0400
From: Nick FitzGerald
Subject: Re: Mutating viruses?

s4mwh@csc.liv.ac.uk (M.W. Holcroft) wrote:

[loooong discussions of "mutant" vs. "variant", code obfuscation and
evolution deleted]

> On another track: why encrypt a virus???? To execute, it must decrypt. It
> must therefore either use some OS decryption routine, or include
> unencrypted decryption code, which will be the pattern to search for (might

This is misleadingly simplistic.
Why should it not use variable, polymorphic "encryption" (much as you
went to pains to describe earlier in your post) on its decryptor so
each replicant's decryption code "looks" different and therefore isn't
detectable by simple or wildcarded "pattern scanning".

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz   TEL:+64(3)364 2337, FAX:+64(3)364 2332

------------------------------

Date: Wed, 17 Aug 94 12:20:09 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Looking for Virus Scan Strings

Kevin Marcus (datadec@corsa.ucr.edu) writes:

> >Simple, sequential string search is an outdated mechanism for detecting
> >viruses anyhow...

> So, what would you suggest is a better alternative?  It seems that
> wildcarded search strings are the next step right after regular search
> strings, but after that, what would you suggest?

I think that Frisk is putting the accent on the word "sequential".  He
doesn't mean that scanning for non-wildcard scan strings is outdated
(which it, of course, is), but also that scanning for one scan string
at a time is also too inefficient nowadays.

The next step, obviously, is to scan for all scan strings in parallel.
There are several algorithms that describe how to do that.  Roger
Riordan has invented one and has described it in a conference paper; I
could dig out the exact reference, if there is interest.  A more
general approach is described in a paper available from our site:

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/fastsrch.zip

When such methods are used, the scanning time of the scanner does not
depend any more on the number of scan strings it is looking for.  (The
memory used by it, however, does.)
The next step is obviously to use generic decryption techniques, in
order to handle the polymorphic viruses - and again many of the
contemporary scanners are already using them.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date: Wed, 17 Aug 94 12:44:17 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Re| Viruses = Commercial Opportunity?

Kevin Marcus (datadec@corsa.ucr.edu) writes:

> I do know, however, that when used properly, for example, the Innoculation
> feature in NAV 3.0, you can detect just about any virus, and repair it,
> as well. :-).

Oh yeah?  Could you please specify what you mean exactly by "just about
any"?  NAV's misnamed "innoculation" is actually an integrity checker,
and not very securely implemented, on the top of that.  Also, could you
please list the infection methods that the generic repair is able to
repair - then I'll list you several more that it isn't able to
repair...

> Joe Wells (some guy in CARO) publishes a list of which other vendors (mostly
> CARO members from what I remember seeing last, though it might have been
> ALL CARO, I don't remember), have reported as a confirmed virus at some

Not all CARO members and not only CARO members contribute to that list.
It is true, however, that most of the contributors are CARO members.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date: Wed, 17 Aug 94 12:58:11 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus signatures

Diego Montanez (diegom@pts.mot.com) writes:

> I have to do a programming project and I intend to make a simple file-infecting
> virus scanner.

I sure hope that you want to write a scanner for file infecting viruses
and not a virus scanner that infects files. :-)

> My question is: how do the commercial antivirus scanners
> accomplish this task and,

Commercial anti-virus scanners nowadays use modern and sophisticated
string matching algorithms, emulation, heuristics, and other such
stuff, which is definitely too complicated for a beginner, so I am sure
that your professor does not want you to do exactly that.  Instead, you
should just implement a program that does a dumb scan of the specified
files for a set of simple scan strings.  It will be rather slow and
won't be able to handle too many scan strings, but I am sure that it
will be enough for your project.  Searching a file for a particular
string of bytes is a trivial first-year programming project, so I won't
elaborate on that and will skip to the next part of your question.

> where could I get a library of virus signatures
> to use with my program?

Virus Bulletin publishes regularly exactly what you seem to need, but I
do not know how to get them in electronic form.  Alternatively, you
could use some of the scan strings for the (no longer supported)
HTScan.  You can get them from our ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/vsig9305.zip

They are rather obsolete (more than a year old) and you probably won't
be able to use all of them (some of them contain wildcards), but for a
student project that should be enough.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date: Wed, 17 Aug 94 13:48:43 -0400
From: rwh4+@pitt.edu (Richard W. Harris)
Subject: Central Point Internet Address?

Hi,

According to the docs for Central Point PC Tools Anti-Virus, updates
are available via the internet.  However, they don't give the address.
Could somebody here please tell me what it is?

Thanks,

- - Rick

Richard Harris, Systems Analyst (rwh4+@pitt.edu)
Office Systems Services, University of Pittsburgh
NetWare Administrator and Oracle DBA
University of Pittsburgh Imaged Record Retrieval System

Ivanova is always right.  I will listen to Ivanova.  I will not ignore
Ivanova's recommendations.  Ivanova is God.  And if this ever happens
again, Ivanova will personally rip your lungs out.  -- Ivanova

------------------------------

Date: Wed, 17 Aug 94 17:50:02 -0400
From: Iolo Davidson
Subject: Re| Viruses = Commercial Opportunity?

kazatski@kartaly.chel.su "Kazatski Oleg Nikolaevitch" writes:

> iolo@mist.demon.co.uk (Iolo Davidson)
> >
> > > 3) Do you really need to detect 4500 viruses to be a useful
> > > product?  There are many other products which don't detect nearly
> > > that many which still sell *quite* well.

Misattribution- I did not write the above, I was replying to it.

> Are there antivirus programs that can find nearly 4500 viruses ?

Yes indeed.

> > > (use Joe Wells' list, for example).
>       ^^^^^^^^^^^^^^^
> What is this ?

A list of viruses found in the wild collated from reports from a large
number of anti-virus researchers and vendors.
- --
IF HARMONY      THEN GET
IS WHAT         A TUBA
YOU CRAVE       Burma Shave

------------------------------

Date: Wed, 17 Aug 94 13:12:34 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: viruses on MAINFRAMES (VAX,IBM,UNIX)?

rakesh@kuc01.kuniv.edu.kw (rakesh@kuc01.kuniv.edu.kw) writes:

> Recently we had our PCs & Novell servers infected by some virus
> (possibly called IM). We also have UNIX machines & IBM & VAX
> Mainframes. Now, after this virus incident we are worried about our
> UNIX machines & Mainframes.

A PC virus can't (to the best of my knowledge) infect a Unix machine.
Two exceptions:

1) When the Unix mainframe is used as a file server for PC files.  Then
a virus from one of the PC workstations could either infect the PC
files on the server or send infected files there.  However, the Unix
machine itself is not infected - it is only a repository of infected
files.

2) An IBM PC running Unix can be infected by a boot or a master boot
sector virus.  The virus won't be able to replicate further, but might
be able to cause damage to the Unix filesystem.

For more information, see the FAQ, questions C7 and E8.

> We have heard that there are no known
> viruses for UNIX,MVS & VMS. Is it true?

No.  There are 3-4 known Unix-specific viruses and several worms for
Unix and VMS.

> If it is true, then why
> viruses don't exist or can't exist for these type of machines &
> operating systems.

They can and do exist, but are not as successful as on the PC platform.
Contrary to the popular beliefs, this is not because of the
availability of file protections, but because of the different culture
of software sharing among the users of those operating systems.

> If they exist, then from where can I get a list of
> known viruses & how can we protect these machines (UNIX,MVS,VMS) from

You can get some descriptions of Unix viruses from our Computer Virus
Catalog.  See the FAQ for information on how to get it.

> viruses?
> Lot of our users including system managers on these machines
> use FTP to pull & install freeware software. Can this lead to some
> sort of viruses or what other type of risk is involved?

Unlikely, if the software is obtained from reputable sources.  Even if
it is not, a Trojan Horse attack is more likely than a virus attack.

> The main point
> here is if main frames can be infected by viruses & how?

Yes, they can; just like any other general-purpose computer.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   22527 Hamburg, Germany

------------------------------

Date: Wed, 17 Aug 94 01:39:44 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: How to save a boot sector (PC)

Mike McCarty wrote:
>Iolo Davidson wrote:
>)> How can you save a boot sector on to disk. (if you suspect a virus
>)> and want to upload it to the anti-virus companies system for them
>)> to inspect it?)
>)
>)Most disk sector editors have a facility to save a sector to a file.
>)Some AV software does, too. Why don't you ask the support desk for the
>)AV Software company to whom you intend to send the sample how they
>)handle this?
>
>What's wrong with DEBUG? It's supplied with all DOS systems for free.

Well, if you want only a *boot sector* then it is maybe okay.  If you
want the MBR, then you will have to write a little assembler program to
load in the MBR using INT 13h, and if someone makes a small typo (say,
calling function 3, instead of 2), then they could waste their whole
MBR real fast and have no clue.  And, with more and more people moving
to programs like Windows, fewer and fewer people are going to want to
bother dealing with DOS's debug, its cryptic commands, let alone
writing a small assembler program.
But, those are just my thoughts, of course. :)

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Wed, 17 Aug 94 01:45:22 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: changing genP/genB virus (PC)

Jay_Leiser wrote:
>I need some info. We got a virus that is detected as the stealth genb
>when booting from hard drive and when booting from floppy it is detected
>as a stealth genp. In addition this virus was detected as the newbug genp.
>
>Any information regarding these viruses would be greatly appreciated.

I'm rather curious how you know it's Stealth.  Genb and Genp, which are
really crappy names, mean you might have a virus which corrupts your
data slowly (say, Ripper), or it might do mostly nothing (NYB), or it
might just have a nasty trigger, or maybe cause Windows to lock up, or
it might not.  Hell, maybe it will print out a message, or play a song,
or it might not.  It could do just about anything.  Oh, and it also
might not do anything.

Be sure to let that particular program you're using (cough, cough)
clean it too.  I mean, if you can trust it enough to identify something
as your system and have no idea what it is (and give you worthless
information about it), then, by all means, that program must definitely
know how to remove it safely, right?

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.
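
Vesselin Bontchev's point in the "Looking for Virus Scan Strings" reply above (scan for all scan strings in parallel, so that scanning time stops depending on how many strings are loaded), set next to the one-string-at-a-time "dumb scan" he suggests for the student project in the "Virus signatures" reply, as an added Python example that is not from the digest nor from any scanner named in it. The scan strings and the sample file are constructed for the demonstration and are not real virus signatures.

```python
"""Scan-string matching two ways: one string at a time, and all strings in parallel."""
from collections import deque

# Constructed sample "scan strings" with made-up names.  They are NOT real virus
# signatures; they only stand in for the fixed byte patterns a scanner looks for.
SIGNATURES = {
    "Sample.A": bytes.fromhex("b8ce7bcd213dce7b"),
    "Sample.B": bytes.fromhex("e80000005e81ee"),
    "Sample.C": bytes.fromhex("fa33c08ed0bc007c"),
}


def naive_scan(data: bytes, sigs: dict) -> list:
    """The 'dumb scan' of a student project: one sequential search per string,
    so the work per file grows with the number of scan strings loaded."""
    hits = []
    for name, sig in sigs.items():
        pos = data.find(sig)
        while pos >= 0:
            hits.append((name, pos))
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: (h[1], h[0]))


class ScanStringAutomaton:
    """Aho-Corasick automaton built from the scan strings.  One left-to-right pass
    over the data finds every string, so the work per byte does not depend on how
    many strings are loaded (the automaton's memory, however, does)."""

    def __init__(self, sigs: dict):
        self.goto = [{}]  # state -> {byte: next state}
        self.fail = [0]   # state -> state for the longest suffix that is also a prefix
        self.out = [[]]   # state -> [(name, length)] of strings that end at this state
        for name, sig in sigs.items():
            self._insert(name, sig)
        self._link_failures()

    def _insert(self, name: str, sig: bytes) -> None:
        state = 0
        for b in sig:
            if b not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = len(self.goto) - 1
            state = self.goto[state][b]
        self.out[state].append((name, len(sig)))

    def _link_failures(self) -> None:
        # Breadth-first over the trie: a state's failure target is always shallower,
        # so it has already been linked by the time the state is processed.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A string that ends at the failure state also ends here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]
                queue.append(s)

    def scan(self, data: bytes) -> list:
        """Return (name, offset) for every scan string found, in one pass."""
        hits = []
        state = 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for name, length in self.out[state]:
                hits.append((name, i - length + 1))
        return sorted(hits, key=lambda h: (h[1], h[0]))


def build_sample_image() -> bytes:
    """Constructed 64-byte 'file': NOP filler with Sample.A at offset 10 and
    Sample.C at offset 40."""
    buf = bytearray(b"\x90" * 64)
    a, c = SIGNATURES["Sample.A"], SIGNATURES["Sample.C"]
    buf[10:10 + len(a)] = a
    buf[40:40 + len(c)] = c
    return bytes(buf)


def scan_both_ways(data: bytes, sigs: dict = SIGNATURES) -> dict:
    """Run both scanners over the same data and report whether they agree."""
    parallel = ScanStringAutomaton(sigs).scan(data)
    sequential = naive_scan(data, sigs)
    return {"parallel": parallel, "sequential": sequential,
            "agree": parallel == sequential}


if __name__ == "__main__":
    print(scan_both_ways(build_sample_image()))
```

Both scanners report the same hits on the sample image; the difference is that the automaton reads each byte once no matter how many strings are loaded, while the naive scanner re-reads the file once per string.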
------------------------------

Date: Wed, 17 Aug 94 01:54:43 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Re| FamM virus (PC)

Kazatski Oleg Nikolaevitch wrote:
>> Hey, does anyone out there know anything at all about the FamM
>> virus or how to get rid of it? I found it using the clean-up and scan shareware
>> programs put out by McAfee, but it seems to be a memory resident virus, and
>> I think it has infected most of my hard drive, any help would be appreciated!
>
>The Family [Fam] viruses are a number of viruses, usually very recent,
>using standard viral code. SCAN is able to detect them through generic
>detection, but CLEAN does not have the ability to remove those. As
>with the GENB and GENP viruses, please forward a copy of any viruses of
>this sort to McAfee Associates for analysis and identification.

Yep, and F-Prot might be able to detect them, and TBScan might be able
to detect them, and -- hey, maybe a few other programs.  So when you
get one, make sure that you have got a happy person on the other line
when you are trying to figure out how to get rid of it.

Or, you could optionally go for a product that will detect it, and also
remove it much more reliably than any of the others mentioned above, if
it is installed correctly.  (NAV 3.0's innoculation technology does
this)

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Wed, 17 Aug 94 01:56:42 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Fixing the boot sector of a floppy? (PC)

renrick tulloch wrote:
> A lot of our floppies were infected by the Genb and Genp virus,
>which affects the boot sector. Is there a way to overwrite the boot
>sector of the floppy without deleting the contents of the disk.
>
>EX: I know you can fix the boot sector of the hard drive with the
>command fdisk /mbr but is there a command for diskettes that will do
>this?

Sort of.  If you use the DOS SYS command, it will rewrite the boot
sector on a hard drive or a floppy disk, but it also makes the disk a
system disk which eats up over one hundred K if it's not already a
system disk.  I've not played with it enough to say, but there might be
a way to trick it so that it doesn't actually copy system files.  That
is, without hacking it up.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Wed, 17 Aug 94 02:02:20 -0400
From: nhirsch@panix.com (Norman Hirsch)
Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

David_Conrad@MTS.cc.Wayne.edu writes:
>From: David_Conrad@MTS.cc.Wayne.edu
>Subject: Re: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
>Date: 16 Aug 1994 10:10:10 -0000
>Vesselin writes:
>>I (David Conrad) wrote:
>>
>>> Perhaps the time has come for McAfee to give up on the CRC polynomials,
>>> which of course can be forged, and to start using something better, like
>>> MD5. They could publish source code for the validation program as well as
>>> the executables.
>>
>>There is one problem which remains even if a cryptographically strong
>>hash function like MD5 is used. The attacker could just modify the
>>files, compute the MD5 hashes of the modified files, and replace the
>>new MD5 values in the documentation. This way he will succeed to fool
>>the user who does not have an independent way to obtain the real hash
>>values. In fact, this is exactly what the forgers have been doing even
>>now, because most of them don't know how to forge CRCs.
>>
>
>I wasn't talking about putting the hashes in the documentation.
>I meant
>publishing them in comp.virus/VIRUS-L and other places. I specifically
>*would* *not* put them in the docs, since this is worse than useless, and
>I can't for the life of me imagine why McAfee does so.

In addition to the validate values of the executables, the doc file is
authenticity verified by PKUNZIP.  Any change in the docs to support
the change in validate codes will fail authenticity verification
including the codes at the end of the process.  While either method is
certainly not the greatest in terms of security, taken together they
are a formidable obstacle.  I am unaware of anyone or any example where
BOTH methods were bypassed.

Best regards,

Norman Hirsch                        Phone: 212-304-9660
NH&A, authorized McAfee agent        Fax:   212-304-9759
577 Isham St. # 2-B                  BBS:   212-304-9759,,,,,,,3
New York, NY 10034                   CompuServe: 72115,661
USA                                  Internet: nhirsch@panix.com

------------------------------

Date: Wed, 17 Aug 94 02:22:53 -0400
From: starrd@hollywood.cinenet.net (David Starr)
Subject: KOH (PC)

I would like information about the KOH "virus".  It is supposed to be
harmless and it encrypts your computer (which I like!) using the IDEA
encryption.  Can someone please start talking about it?  Thanks!

------------------------------

Date: Wed, 17 Aug 94 03:41:20 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: virus construction labratory (PC)

ROCKFOR101 wrote:
>Has anyone heard of a piece of software called "Virus Construction
>Labratory"? If so where might I find it?

[God, you've gotta love those aol posts.  Can't wait for all the
CompuServe ones.  Netcom ones are pretty good though.  I just didn't
think it could get much better.]

[How'd this one get through?  That is pretty close to a virus request,
and letting it through suggests requests for the PS-MPC, the MtE, etc.
would get through, too.  Not to be a snot, of course, mr. moderator.]
The Virus Construction Laboratory is a mostly worthless utility which
has a nice interface which was ripped off from Borland that will
generate mostly buggy viruses.  If you feel like wasting the time
debugging them, you might get one that works eventually, but you'd
probably do better without it.

Curious: Why do you want that anyways?

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Wed, 17 Aug 94 04:03:44 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Whisper Presenterar Tai-Pan (PC)

The Killer wrote:
>Does anyone have any knowledge of the Whisper Presenterar Tai-Pan virus?
>I had a difficult time discovering this virus due to the fact that it
>could not be detected with Norton, MSAV, or PCTools 8.0 AV. It adds
>about 500 bytes to infected files (Only exe's under 64k) with the message
>Whisper Presenterar Tai-Pan printed within. I was able to delete my
>infected files by scanning for them with TBAV, but I am still
>curious of what damage the virus may have done if I left it on my
>system. Does it activate on a certain date? Has anyone even heard of
>this virus?

The sample I have seen has an infective length of 438 bytes, and only
infects .EXE files.  From a super-quick disassembly, I see that it uses
int 21h with ax=7bce for its memory check; on return, if it is still
7bce, then it stuffs itself into memory.  It has the text, "[Whisper
presenterar Tai-Pan]" in it unencrypted, and it doesn't seem to have a
trigger in it.

If you call up the Norton people, they will give you a fixup for NAV
(at least for version 3.0 they will) so you can detect and clean this
virus.

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Wed, 17 Aug 94 04:16:48 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Rosenthal Virus Simulator (PC)

Iolo Davidson wrote:
> datadec@corsa.ucr.edu "Kevin Marcus" writes:
>
>Re: Rosenthal's virus simulation stuff [much clipped]
>
>> How about, instead of telling him that he is wrong and bad, and he
>> shouldn't be doing something, suggest something that would let him
>> continue to produce his program, without offending you.
>
>Offending Vess isn't the issue. "Simulated viruses" are a sham, useless
>for the purpose they are supposed to serve. Real viruses are viruses.
>Neither should be distributed. There is no way to make this "product"
>acceptable. The concept is fundamentally flawed.
>
>> Obviously, a
>> simulation is exactly that, and could not possibly be a "real test" for
>> an Anti-Virus product since the only test that counts is a *real* virus.
>
>Exactly. So the "simulated viruses" are a sham. Would you buy a word
>processor that *pretended* to write text to files?

Of course not (unless it also could fool my English profs. :)) but I
would most definitely consider using, say, a flight simulator (a real
one) before I were to jump into an airplane and try to fly it away!!
The look and feel could be quite an important aspect in a flight
simulator; one should be able to react to whatever event occurs.  The
look and feel of a virus could also be simulated so that when a person
experiences similar activity on their computer, they would be able to
think back to how things transpired in their simulation and take an
appropriate course of action.

What is your... expert opinion on how average users should be trained
in how to become suspect to a virus, and take appropriate action
instead of the simulator?

>> For example, have you ever seen a test done with "Fake viruses were
>> used in this testing" in fine print?
>> Of course not.
>
>Actually yes, there was such a review in a highly respected UK magazine.
>The word "fake" was not used, but the test objects were described as
>"deactivated" viruses or something of the sort. Crap test of course,
>half the scanners found nothing at all.

Well, I guess that's just the UK for you.  Respectable mag, eh?

- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date: Sun, 14 Aug 94 12:48:01 +0200
From: Fred_Janssen@f0.n31.z9.virnet.bad.se (Fred Janssen)
Subject: NETSHLD on Novell? (PC)

> I'd like to install the NETSHLD160 but I can't do this.
> May I need any extra NLM or what?
> I've the netshld160.zip and a Novell 3.11 network.

What you need are some updates and patches.  At least you need CLIB.NLM
3.11 (or more recent, look for LIBUP3.EXE on novell.com).  Furthermore
you need SPXFIX2.NLM (look for STRTL3.EXE on novell.com).  All the rest
you'll find in the Netshield manual.

Fred

- ---
* Origin: Fred's Place (9:31/0)

------------------------------

Date: Tue, 16 Aug 94 16:41:29 -0400
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help Win 32 Bit File Virus? (PC)

Amir Netiv (Amir_Netiv@f120.n9721.z9.virnet.bad.se) writes:

> Remember to boot from a clean DOS floppy first.
> If you want another assurance for the existence of a Boot sector (or MBR)
> virus on your machine) run CHKDSK and look at the summary: if total memory is
> less than 655360 it might indicate a virus of this kind.

You are wrong.  First, if he boots from a clean floppy first, there
will be no virus in memory, and therefore CHKDSK will not display any
memory decrease.  Second, the number quoted by you is valid only for
systems with 640 Kb conventional RAM.
Third, please check the FAQ, question C11 for many examples of memory decrease that is *not* caused by a virus. > Last (but not least): Running: > FDISK /MBR > (of DOS 5 or higher) might help solving this situation (beware of this if your > disk is not standard DOS). It might also completely screw up the disk of the poor user you are advising, if the virus does not preserve the MBR (e.g., Monkey). That's why, *before* trying the FDISK/MBR trick, one must *always* check that the hard disk is accessible (e.g., DIR C:). If it is not - DO NOT RUN FDISK/MBR! Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 16 Aug 94 16:45:18 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: McAfee Virus Scan (PC) Wee Keng Hor (weekh@merlion.singnet.com.sg) writes: > Recently McAfee has released 2 kinds of virus scan. Besides the > normal scanvXXX.zip, cleanXXX.zip etc, it also has another kind > of virus scanning s/w. > Can someone tell me what are the differences between them or are > they the same? They are different. The new generation has the scanner and the cleaner combined, has the virus scan string, removal routines, and names moved to external data files (so that the scanning engine does not need to be updated) and several other improvements. Unfortunately, the product seems to have been released rather preliminary. It looks like a product that is about 6 months before beta testing. It has a much lower detection rate than the old SCAN and a much higher rate of unreliable detections. My advice is not to use it, until McAfee manages to release a version that actually works. 
If you insist on using McAfee's anti-virus products, better stick with the old version (117), at least for now. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Tue, 16 Aug 94 16:54:53 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Help < Bad Sectors 1.2 C(Virus) on Novell Netware > !!!!! (PC) marina kaganovic (msmar@olive.mscc.huji.ac.il) writes: > I have in my Novell Netware one very pretty virus , called Bad Sectors > 1.2 i have tried to kill (clean) him with Unvirus,Vanalyst-3 labs.>, clean,vshield nothing helps , all antiviruses have tald me > that the virus is removed but in few days i see him again and again , > i'm really do not want to re-install my Novell , if anybody knows how > to fight with this Bad Sectors 1.2 please send me e-mail I seem to remember that somebody (Zvi Netiv?) has told me that BRM's scanner had a bug that prevented it from properly removing this virus. I don't recall, however, what the bug was. Anyway, I just tested F-Prot 2.13a and it seemed to disinfect both variants of this virus without problems. It is not able to distinguish between the two variants, but the difference is very insignificant. I am sending you a copy of this message by e-mail. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 17 Aug 94 07:37:44 -0400 From: mikael@vhc.se (Mikael Larsson) Subject: McAfee Virus Scan (PC) Wee Keng Hor wrote in a message to All: WKH> Recently McAfee has released 2 kinds of virus scan. Besides WKH> the normal scanvXXX.zip, cleanXXX.zip etc, it also has WKH> another kind of virus scanning s/w. WKH> Can someone tell me what are the differences between them or WKH> are they the same? The new VirusScan is going to replace scan 1xx series in the future, the new serie is faster and improved with memory usage. Doesnt require as much memory as scan 1xx serie. You can find the new one on mcafee.com or ftp.sunet.se /pub/pc/Antivirus MiL, mikael@vhc.se Virus Help Centre - --- - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Virus Help Centre Phone : +46-26 275740 Internet: mikael@vhc.se Box 244 Fax : +46-26 275720 Minicall: 0746-393334 S-811 23 Sandviken BBS #1: +46-26 275710 FidoNet : 2:205/204, 2:205/234 Sweden BBS #2: +46-26 275715 Auth. McAfee Associates Agent - - send mail to pgpmil@vhc.se for automated reply with my public pgp key - ------------------------------ Date: Wed, 17 Aug 94 07:38:35 -0400 From: mikael@vhc.se (Mikael Larsson) Subject: Whisper Presenterar Tai-Pan (PC) The Killer wrote in a message to All: TK> Does anyone have any knowledge of the Whisper Presenterar TK> Tai-Pan virus? I had a difficult time discovering this TK> virus due to the fact that it could not be detected with TK> Norton, MSAV, or PCTools 8.0 AV. It adds about 500 bytes TK> to infected files (Only exe's under 64k) with the message TK> Whisper Presenterar Tai-Pan printed within. I was able to TK> delete my infected files by using scanning for them with TK> TBAV, but I am still curious of what damage the virus may TK> have done if I left it on my system. Does it activate on a TK> certain date? Has anyone even heard of this virus? 
The virus is originally from Sweden and is actually named Taipan the text "Whisper presenterar Tai-Pan" means Whisper presents Tai-Pan. The virus add 438 bytes to all .EXE files it infects (or .COM or .OVL files that has an EXE header in them).... It doesnt do any harm or activate on a certain date. You can find it with this search string: "E8 00 00 5E 83 EE 03 B8 CE 7B CD 21 3D CE 7B 75" TaiPan MiL, mikael@vhc.se Virus Help Centre - --- - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Virus Help Centre Phone : +46-26 275740 Internet: mikael@vhc.se Box 244 Fax : +46-26 275720 Minicall: 0746-393334 S-811 23 Sandviken BBS #1: +46-26 275710 FidoNet : 2:205/204, 2:205/234 Sweden BBS #2: +46-26 275715 Auth. McAfee Associates Agent - - send mail to pgpmil@vhc.se for automated reply with my public pgp key - ------------------------------ Date: Wed, 17 Aug 94 09:47:58 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: TranScan (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >If this is what you mean, it does not have a price. It is not for >sale. You are not supposed to have it. :-) uh, Vess...he asked about Transcan, not Trashcan :-) - -frisk ------------------------------ Date: Wed, 17 Aug 94 09:53:39 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Invisible Man... (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >variant still appended to the files. Any other scanner that I tested >either was unable to disinfect this virus, or even didn't detect it at >all. I just added file disinfection of both variants to F-PROT. The update has already been sent to the distributors of the Pro version, but this will also be included in the shareware 2.14 version. I also improved the identification ... 
It seems that F-PROT used to detect the virus, but it would occasionally "identify" V2P6 samples as infected with a new variant of Invisible Man....not a critical bug, as we never attempt to disinfect anything we are not sure we identify 100%, but irritating.... - -frisk ------------------------------ Date: Wed, 17 Aug 94 09:57:31 -0400 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC) Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod) writes: >How can it lead to worse anti-virus products? Maybe some authors get lazy >because they can't keep up with the flood of new viruses? Laziness is not the problem ... a lack of time and skilled people is. - -frisk ------------------------------ Date: Wed, 17 Aug 94 12:06:41 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: whisper virus (PC) Eugen Woiwod (Eugen_Woiwod@mindlink.bc.ca) writes: > Tbav's TBSCAN would/should detect it, and TBCLEAN should be able to clean > it. You are wrong, on both points. TbScan 6.22 detects this virus *unreliably* (i.e., only some of the replicants) as "unknown virus". TbScan 6.23 - I DO NOT RECOMMEND TO ANYBODY TO USE THIS VERSION. It is buggy. On my system it severly crashes, causing "Exception #13" under QEMM 6.01. This happens when scanning a file infected by this particular virus - and with many files infected by other viruses too. DO NOT USE THIS VERSION. TbClean 6.23 is unable to disinfect the files infected by this virus either; it says Starting clean attempt. Analyzing infected file... Anti-Vir.Dat record not found: original state unknown. Trying emulation... Emulation terminated: Encountered an endless loop. Sorry, the collected information is not sufficient to clean file... [Huge announcement of TBAV 6.23 deleted.] > Piet de Bondt E-mail: > bondt@dutiws.twi.tudelft.nl Did you really have to post this here - and twice, on the top of that? 
Piet de Bondt is perfectly able to post here by himself and regularly does so. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 17 Aug 94 12:34:40 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Rosenthal Virus Simulator VIRSIM2C.ZIP (PC) Eugen Woiwod (Eugen_Woiwod@mindlink.bc.ca) writes: > > Unfortunately, one can argue that the increased number of viruses in > > circulation will lead to worse anti-virus products...I will be presenting > > a paper on that subject at a conference later this year. > How can it lead to worse anti-virus products? Maybe some authors get lazy > because they can't keep up with the flood of new viruses? The authors of anti-virus products are usually not lazy, but they indeed can't keep up with the flood of new viruses. When there are thousands of viruses around, even if a scanner misses only a couple of percents of them, that still means dozens of viruses that could sneak in undetected. And the more viruses there are, the higher the probability that you will get infected, because the more undetected viruses there will be - even if they are only a small percentage of all known viruses. > Seems the author > of ThunderByte Anti-Virus is doing pretty damn good in that department at > least. In various tests, TBSCAN has detected more viruses then Mcafee's > SCAN and F-prot. He is doing a pretty good job, indeed, although, according to my tests, he is not doing as well as F-Prot (but still much better than SCAN). Nevertheless, TbScan has an excellent detection rate - version 6.22 has a detection rate of 94%. (Version 6.23 crashes, but that's a different story.). 
Still, those undetected 6% mean that 269 of the known viruses in my collection are not detected... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 17 Aug 94 12:48:23 -0400 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: 666 virus (PC) Philip Kremer (pkremer@epas.utoronto.ca) writes: > I'm sure that I have a virus, since two of my jpegs were ruined, and > since, while I was using WordPerfect, I got "666" on my screen. But At your place I wouldn't be so sure. While a virus could, of course, cause the above symptoms, just because you have observed them does not necessarily mean that you have a virus. Countrary to the popular belief, the fact that something was damaged on your computer does not mean that it has to have a virus. Of course, it *could* be a virus, and if it is, it is not anything that I can identify from this description. > McAfee's virus-scan software won't detect it. Can anyone suggest > other virus-scan and virus-clean software? F-Prot and AVP have a very high detection rate and are freeware/shareware, so they are always a good thing to try. But if you indeed have a virus (which I doubt), it is likely to be a new one and therefore not to be detected by the scanners... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 
107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany ------------------------------ Date: Wed, 17 Aug 94 14:06:38 -0400 From: demo1@nbnet.nb.ca (Eric Robichaud) Subject: Unknown problem (PC) Hi there! One of my clients as two standalone IBM PC. He often copies files from one computer to the other one. Our technician checked for viruses with F-prot and Mcafee's latest virus detecters (with bootable disquettes). Guess what? He couldn't find any viruses. He also checked out the hardware and found nothing. Is it a stealth virus? Is there a new tough virus out there? Any suggestions would be appreciated. Thanks in advance Eric ------------------------------ Date: Wed, 17 Aug 94 14:54:31 -0400 From: Bob Janacek <74431.1646@CompuServe.COM> Subject: Re: Best Anti-virus software (PC) Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de writes: > A word to the wise: beware of using two scanners that contain > the same scanning engine. This is a very good point. F-Prot and VirusNet use the same scanning engine and will detect the same viruses. If you choose to use two scanners, they should definitely be based on different detection engines. VirusNet adds network management and DOS/Windows interfaces to F-Prot, but its detection rating is exactly the same as F-Prot. Regards, Bob Janacek - 74431.1646@compuserve.com ------------------------------ Date: Wed, 17 Aug 94 17:50:17 -0400 From: Iolo Davidson Subject: Smeg viruses (PC) cudat@csv.warwick.ac.uk "J M Hicks" writes: > >The following is taken from a Maltese newspaper, The Times > >of Friday, July 22, 1994. The report is provided from > >Reuters. > > >...The viruses, Queeg, named after a character in a television > >science fiction series, Pathogen and Germ, destroy data > >on a computer's hard disk and can disable the external disk > >drive, meaning victims have to take their computer apart to > >fix it... > > Is it really true that the computer has to be taken apart? 
If so, > how does the virus disable the disc drive? Taken apart to get at the *external* disk drive? I suspect this was written by someone who has vast expertise in journalism. The only time I have known a virus necessitate the lifting of the hood was when a colleague had to disconnect a drive while cleaning EXEbug, which alters the CMOS. The drive was not damaged, but the CMOS setting stopped it booting from a floppy while the hard drive was available, and the hard drive was infected. > I'm always disturbed by reports that software can damage hardware. Stop believing them then. - -- IF HARMONY THEN GET IS WHAT A TUBA YOU CRAVE Burma Shave ------------------------------ Date: Wed, 17 Aug 94 17:50:29 -0400 From: Iolo Davidson Subject: virus construction labratory (PC) rockfor101@aol.com "ROCKFOR101" writes: > Has anyone heard of a piece of software called "Virus Construction > Labratory"? If so where might I find it? This group is not a virus exchange facility. - -- IF HARMONY THEN GET IS WHAT A TUBA YOU CRAVE Burma Shave ------------------------------ Date: Wed, 17 Aug 94 17:50:45 -0400 From: Iolo Davidson Subject: Dr. Solomon Virus Signature Update (PC) hkueee2!h9114644@uunet.uu.net "CHAN TAK YIN" writes: > Can anyone tell me where can I ftp the signature update of Dr. > Solomon Toolkit? You can't. It is not available by ftp. And it isn't called a signature file either, the word "signature" being very misleading when applied to viruses. Dr. Solomon's virus finding information is supplied as "driver" files. There is a UK online service where you can download the drivers if you are a member, and you can get them from S&S technical support BBS, but most people get update disks automatically by post, as you generally get a years update subscription when you buy Solomon's. 
- -- IF HARMONY THEN GET IS WHAT A TUBA YOU CRAVE Burma Shave ------------------------------ Date: Wed, 17 Aug 94 17:51:31 -0400 From: as194@cleveland.Freenet.Edu (Doren Rosenthal) Subject: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC) ==================================================================== August 17, 1994 Subject: Re: Rosenthal Virus Simulator (VIRSIM2C.ZIP) (PC) Date: Wed Aug 17 06:51:50 1994 Vesselin Bontchev writes: > I am intelligent enough and have enough experience to figure out what > your product does after I heard about it - even before seeing it. > After I saw it, I saw that I was right in my assumptions, which didn't > surprise me at all. Vess, I don't think anyone doubts that your level of intelligence allows you to form an opinion about a product, even before seeing it, and find your assumptions would latter not surprise you at all. I'm sorry you feel it necessary to defend your intelligence and I don't believe a personal attack on your intellect has any place in a scientific forum. If your intelligence was ever been called into question, it was certainly not by anything I said. Perhaps you could take this opportunity to publicly reveal your IQ and put to rest any doubts. Doren Rosenthal =================================================================== ------------------------------ Date: Wed, 17 Aug 94 19:12:50 -0400 From: mandrake@netcom.com (Wakko Singer) Subject: Re: Virus Source code on CD ROM? (PC) Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote: : Mike McCarty (jmccarty@spd.dsccc.com) writes: : > I take it you do not live in the USA, understand the concept of liberty, : > or believe in it if you do live here and understand it. : I take it he just has a better grasp of the concept that every liberty : comes with responsability. I agree, Napalm is not redily avaliable to every teenager that wants it. In many ways a virus is as dangerous or more so. 
I think it is in some ways very iresponsable to publish this type of disk. I also see its usfulness if it is distributed to people that write virus protection progams. : I've often seen people in your part of the : world to be lacking the grasp of this concept... Let's not make generiazations please. I forget who said it but, " All generlizations anr dangerous, even this one." - -- ============================================================================ Lance "Singer" Druger mandraknetcom.com Natives who beat drums to drive off evil spirits are objects of scorn to smart Americans who blow horns to break up traffic jams. -Manry Ellen Kelly ============================================================================ ------------------------------ Date: Wed, 17 Aug 94 22:04:13 -0400 From: mroshan@julian.uwo.ca (m. roshan) Subject: Windows Anti-Virus Where (PC) Where (FTP) can I get a good windows TSR virus protector. Ian Reply to this meesage please. ------------------------------ Date: Wed, 17 Aug 94 23:01:45 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Need Help on "V-SIGN" virus (PC) Vesselin Bontchev wrote: )Mike McCarty (jmccarty@spd.dsccc.com) writes: ) )> Many (most?) viruses cannot be _totally_ cleaned. ) )*All* viruses can be *cleaned* (i.e. removed) "totally", in the sense )that no trace of them would remain. What you mean is that not in all )cases it is possible to recover everything that might be infected or )damaged, unless one has clean backups or originals. That is precisely the meaning of what I said. You deleted the part which explained that. It is not necessary for you to explain to me what I mean to say; I already _know_. And please don't delete important parts of my posts when you quote them. This makes it appear that your motives are not pure. It seems that you are trying to aggrandize yourself at my expense. 
Others do not need for you to explain to them what I was trying to say when they see the whole post, including what you deleted. Also, it is obvious to anyone who knows about disc drive technology that one can simply put the disc in a strong magnetic field and remove all traces of a virus having been on the disc. I don't believe that the intent of the original poster was to find out whether the virus could be removed in such a way that it would not come back. Rather, he wanted to know whether the "infection" could be "cleaned". I took that to be a rather novice person wanting to know whether full recovery would be possible. )> I had a Stoned.Azusa )> infection some time back. I removed the infection. But backup discs' )> data had been _damaged_ by the virus, and a few of the files were )> _unrecoverable_. ) )What kind of backup did you use? DOS BACKUP. )Also, V-Sign is quite different from )Azusa. Never said otherwise. You're feeling agressive as usual. )When Azusa infects a floppy, it overwrites the sector at Track )39, Head 1, Sector 8. This is at the end of a 360 Kb floppy (thus )unlikely - although possible - to destroy something). However, it is )in the middle of a high-capacity floppy, thus almost certainly )destroying information there. When I got infected, there was nothing available to me which would clean the infection. So I disassembled Azusa and figured out how to disinfect. I wrote my own disinfector which worked quite well on both 360K and 1.2M floppies. So I don't need tutorials on _that_ particular virus. Also, DOS BACKUP uses the entire disc. Thus it was not only likely, it was a _surety_ that the overwritten sectors of the disc would contain useful data even on a 360K floppy. Contrary to what you say. )As opposed to it, V-Sign can distinguish between the different floppy )disk formats. It also uses the last sector of the root directory, thus )making it less likely to destroy something. 
It has one bug, however )(well, actually it has several, but this one is relevant to data )destruction on floppies) - it incorrectly computes the end of the root )directory for 1.44 Mb diskettes, destroying the information near the )beginning of the data area. Of course, if the virus infects a floppy )with a custom format (as the one used by some backup programs), all )bets are off, because the sectors overwritten by the virus could )contain just anything, including important stuff to access the data on )the floppy. This is one of the arguments why even viruses that are not )intentionally destructive (both Azusa and V-Sign are not intentionally )destructive) are often causing damage. This information may or may not be true. I'm not familiar with the V-Sign. I will say this: Any virus which overwrites any part of any disc can corrupt it in such a way that no disinfector can reverse the damage. At least we agree on this one thing. Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Wed, 17 Aug 94 23:05:53 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Stealth.B Pain (PC) Vesselin Bontchev wrote: )Mike McCarty (jmccarty@spd.dsccc.com) writes: ) )> Even so, I stand by what I said. And I do not care one whit whether Mr. )> Bontchev gets annoyed. ) )He is not annoyed... Only mildly amused... :-) Has seen enough people )like you on the net. :-)) I do not find you amusing. Annoying, sometimes, but not amusing. On rare occasions you are informative. You are an intelligent, educated man. You are also (so it seems to me) fairly knowledgeable about viruses. Your personality could use a little work, especially in the humility department. I have seen too many people on the net like you. But I digress. )[Mark Ludwig making money with his viruses] ) )> Even if he did it only to make money and not to encourage others to )> destroy persons data, I still think that what he did was good. 
) )Well, most people seem to disagree with you on this point. So what? - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Wed, 17 Aug 94 23:09:47 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Virus Source code on CD ROM? (PC) Vesselin Bontchev wrote: )Mike McCarty (jmccarty@spd.dsccc.com) writes: ) )> I take it you do not live in the USA, understand the concept of liberty, )> or believe in it if you do live here and understand it. ) )I take it he just has a better grasp of the concept that every liberty )comes with responsability. I've often seen people in your part of the )world to be lacking the grasp of this concept... I don't think so. I am firmly convinced of this. Liberty and responsibility always go hand-in-hand. Either without the other is a bad thing. )> Controls placed on sale of source code? ) )> Give me a break! ) )Sounds strange to you? To me it doesn't... How about selling some )biological viruses that cause human diseases? I guess that should be )OK, no? After they will be educating the public that protections have )to be taken against those diseases... I have no problem with people growing, investigating, and selling viruses which cause human diseases. Do you? I do have problems with people growing and spreading viruses with the intent of causing disease. This is and should be a crime. I have no problem with people growing and investigating, e.g. HTLV III virus. I have a real problem with members of ACTUP intentionally attempting to spread this virus. Very different things. Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ Date: Wed, 17 Aug 94 23:15:25 -0400 From: jmccarty@spd.dsccc.com (Mike McCarty) Subject: Re: Smeg viruses (PC) Vesselin Bontchev wrote: )J M Hicks (cudat@csv.warwick.ac.uk) writes: ) )> Is it really true that the computer has to be taken apart? If so, ) )No. 
) )> I'm always disturbed by reports that software can damage hardware. ) )Most (all) of those reports are either urban legends or concern )outdated/defective hardware. Many hard discs can be damaged by repeated seeking from track 0 to a track beyond the end of the disc and back. Some can also be damaged by repeatedly spinning up and down without waiting for the functions to complete. This can damage driver transistors, and occasionally cause head crashes. Early monitors (and cheap current ones) could be damaged by software reprogramming the horizontal retrace rate. These forms of damage are becoming more rare as time goes by. (This not to Vesselin) Why are you disturbed by the reports? Because you fear for your hardware, or because you don't believe in them? Or what? Mike - ---- char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} ------------------------------ End of VIRUS-L Digest [Volume 7 Issue 71] *****************************************