VIRUS-L Digest    Wednesday, 12 Oct 1994    Volume 7 : Issue 83

Today's Topics:

The camel's back
Re: Netcom distributing viruses
Re: How does one become an insider?
Re: How does one become an insider?
Re: Hackers, etc
Distribution of Viruses
Netcom distributing viruses
How does one become an insider?
DOS/unix integrity checker, with source (PC) (UNIX)
Goldbug: Killmonk Help? (PC)
Re: GenB Virus - Need Help! (PC)
Re: HELP!! w/ TSR Virus and Stacker (PC)
Re: FORM_A (PC)
Re: How do I load VSHIELD on high memory? (PC)
Re: How do I load VSHIELD on high memory? (PC)
Help! Controlling Virsus (PC)
Whisper (PC)
Goldbug virus (PC)
WPWIN6.0a and NATAS (PC)
Possible virus (PC)
Re: FORM_A (PC)
NYB [genp] virus (PC)
NYB virus (PC)
Satan Bug virus (PC)
Satan virus! Any remover available? (PC)
Stealth virus (PC)
`_2kb' virus (PC)
Re: Help Win 32 Bit File Virus? (PC)
Re: How do I load VSHIELD in high memory? (PC)
"stealth boot" or "genb" virus? (PC)
B1 virus (PC)
Re: Central Point Update? ---- FTP site? (PC)
Argh.. Help me with VCL-DIAT... (PC)
Re: Windows Virii (PC)
Re: F-PROT and UMB's (PC)
Re: VIRUS INFECTION - (PC)
Re: Thunderbyte anti-virus - how good? (PC)
Re: How to Remove a swiss virus from the partition table? (PC)
Re: Re; [News] KAOS? (PC)
Re: Video virus? (PC)
Re: Looking for specific-purpose virus scanner (PC)
Fixing the boot sector of a floppy? (PC)
Virus Source code on CD ROM? (PC)
KOH (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon
request.) Please sign submissions with your real name; anonymous
postings will not be accepted.

Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments,
suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 12 Oct 94 13:47:14 -0400
From: "Kenneth R. van Wyk"
Subject: The camel's back

Some of you probably noticed a rather large (even larger than normal!)
batch of virus simulator-related postings in the last VIRUS-L digest.
These were examples of the straw that broke the (proverbial) camel's
back. I'm getting complaints from people saying that I'm censoring
their postings (the batch that you saw were the _mild_ ones!); I'm
getting complaints from people saying that this stuff has gotten out of
hand; I'm getting complaints from people that just want to complain
about something - anything!

Enough is (more than) enough. To those that want to carry on the
philosophical debate on the merits and non-merits of virus simulators,
please find another home for your "discussions". If, at some point in
the future, you feel that you can carry on the same discussions without
the mud-slinging, then I might be willing to let you try again, but in
the meantime, no more virus simulator postings.

Cheers,

Ken

Kenneth R. van Wyk
Chief, Operations Branch
Automated System Security Incident Support Team (ASSIST)
Center for Information Systems Security (CISS)
Defense Information Systems Agency (DISA)
Moderator, VIRUS-L/comp.virus
krvw@ASSIST.MIL
ASSIST Hotline: +1 800 357 4231
ASSIST e-mail: assist@assist.mil

------------------------------

Date: Wed, 28 Sep 94 09:45:32 -0400
From: Nick FitzGerald
Subject: Re: Netcom distributing viruses

ygoland@hollywood.cinenet.net (Yaron Y.
Goland) wrote:

[interesting points about lowest common denominators deleted]

[not so interesting points about Yaron's religious persuasions deleted]

[aside: that was not actually Vesselin's point, but I'm sure he'll
defend himself! 8-) ]

> Because viruses are basically text...

Huh?? Pray explain--this is about the dumbest thing I've heard here
except for people saying you have to format a HD to remove a virus.

> ... any licensing of their distribution is
> equivalent of licensing freedom of speech. ...

Ahh--now I understand. Argument ad absurdum. If you define a virus as
text you can extend that to "speech" then argue that you can do
whatever with it under your rights as guaranteed by the US
Constitution.

Politely and respectfully--what a load of shit. Do a few basic
philosophy courses. You may learn some better debating skills and some
simple ethics/morals.

A point that Vesselin is often at pains to express but that the virus-
apologists continually and completely -ignore- is that "rights" have
associated "responsibilities". Many laws in many countries, including
in the US, proscribe citizens rights (often given "freely" elsewhere in
that country's legal structure) for the simple reason that the
citizenry are deemed incapable of (or unwilling to!) responsibly use
those freedoms (in certain situations). These "exceptions" are often,
though nowhere near universally, "justified" (and accepted--this
peculiarity alone should be the subject of much stronger exploration
than I am currently aware of!) on the grounds of "national security"
and the like.

What is at issue here is really the question of what is a "reasonable
ethical position" to take on relatively freely distributing viruses
(though Vesselin's foray into legalities, as quoted by Yaron, somewhat
obscures that point).

I side with Vesselin and many others--making viruses more freely
available to the mindless morons (who otherwise would have insufficient
clues and/or motivation to find virus samples for themselves) who think
it funny/clever/interesting to infect the computers of
friends/neighbours/schools/anyone --is-- irresponsibly negligent.
Making your system openly available to such usage and not stomping on
it once advised that it is occurring is at least contributory
negligence.

And before all you hot-shot bush-lawyers jump in and say "but the US
Constitution guarantees us freedom of speech, blah, blah, blah", just
think for a minute. There are at least two very serious issues here:

1. Your guarantee of "freedom of speech" does --not-- guarantee you
"freedom of means of expression". What does this mean? It means you
can say whatever you like in the privacy of your home (and maybe
elsewhere) but that no "service provider" is required to give you "air
time" to express your opinions. You don't like that? Well go re-write
your constitution!

A service provider, say for argument's sake Netcom, is perfectly
entitled to make -and enforce- a condition on any subscriber to its
services that they will not distribute viruses via Netcom's system.
Vesselin (and I and others) believe that Netcom is negligent and
exercising poor judgement by -not- exercising a policy like this.
Whether Netcom does not exercise such a policy in their/its misguided
belief that the US Constitution's "freedom of speech" provisions
prohibits them from so doing is something I can only speculate on, not
having directly confronted them/it on this matter.

2. I forget who said it first (and much more elegantly!) but your
freedom of expression ends where my magnetic media begins. In
"releasing" a virus (which, sans weasel-words, is what "expressing
yourself through publishing a virus" is) you lose "control" of it and
by design it will "deliberately" spread elsewhere, causing damage, loss
of time/revenue/whatever... This effect of your act of "expressing
yourself" is much more likely and predictable than the occasional
house-burning or stoning inspired by the lunatic ravings of
neo-fascists, anti-semites or whoever.

> ... It is easy to license people's
> right to drive as a physical object is involved.

You, or anyone else, have a "right to drive" ?? Hmmm--many would
disagree with you. The fact that most states (and I do -not- mean as
in United -States-) have a minimum age and proficiency level for the
issuing of a driver's license --and-- that they easily, commonly and
-expectedly- take those licenses off people (for drunk driving,
excessive speeding, dangerous driving, etc, etc) would suggest that
driving is something few people actually strongly believe humans have a
"right" to do.

> ... But viruses are nebulous
> entities whose very definition has caused years of acrimonious debate. It
> seems simple to say 'anyone who releases a virus to an irresponsible
> person should be held legally liable' but its practical effect is
> horrifying. It means that every time one utters a phrase or a word one is
> put in very real jeopardy of being legally liable beyond the usual
> liabilities for uttering falsehoods. Your own article on integrity
> checkers gave me several ideas on virus design, if I actually designed and
> released a virus based on your comments should you be put in jail?

I was right--argument ad absurdum. If you really think there is a
shred of useful argumentative debate in the above quote I'd suggest
that you change your medication. Yes, I have slipped into an ad
hominem attack but the above is so bizarre that I cannot understand how
someone could sensibly utter it -and- expect it to be taken seriously.
Further, the effort to deconstruct it and show up its absurdities
really doesn't seem worth the effort. If I missed some deeper meaning,
either due to my own denseness or Yaron's obscurity, I look forward to
Yaron showing me up in this forum.

> Vesselin's papers on potential virus and "anti anti-virus" attacks serve
> two purposes:
>
> 1. Bozo virus writers who hadn't already thought of them will be
> presented the germ of an idea that they will possibly (and mostly badly)
> implement in some future virus rather than having to wait (the possibly
> decades) for some other virus writer to dream it up and implement it.
>
> 2. Other anti-virus researchers and anti-virus s/w writers receive a
> bunch of useful information to help them further hone their ideas and/or
> anti-virus s/w. The latter especially will tend to put them -ahead- of
> the pack of virus writers, particularly in the arena of integrity
> checking s/w.

Most of us weigh the two against each other and say "Thank you
Vesselin--you have done the anti-virus side a big favour" (and you
-should not- read that in a sarcastic tone!). (Also, note that
Vesselin claims many/most of these ideas either come from existing
viruses or from discussions with virus authors who have thought
something up but not tried implementing it.)

By publicizing the current, known weaknesses of currently popular
anti-virus methods Vesselin is helping the anti-virus s/w developers
who care (yeah--not all of them!) to improve their products. On
balance, I believe the better products will be improved faster than the
"bad guys" will "improve" their viruses, based on the same information.
The anti-virus slobs will lumber along, as per usual picking up PC Rag
"Editor's Choice" awards by the armful, until about 12-18 months after
these techniques are widely employed in several by then common viruses,
but then--most of "us" don't use those products and warn others off
them for exactly these (and other) reasons.

It's a good thing I wasn't in rant mood! 8-)

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz    TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Fri, 30 Sep 94 18:43:05 -0400
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: How does one become an insider?

dave nikuya wrote:

)Dear Friends,

[introduction deleted]

)Can there be no middle ground, where a responsible entity can make
)viruses available to adults willing to identify themselves and sign
)a statement promising responsible use, to remain on file?

[more stuff deleted]

)that I am not an "insider" in the AV community, so I can't just ask
)strangers to send me their viruses like you do.

)It is not at all clear to me how an outsider becomes an insider in the
)AV community. Must one work for a Fortune 500 company, or at a major
)university? It seems to me that there are many sincere and competent

[more deleted]

)experience. No less authorities than Vesselin and Frisk have made
)very forceful posts that simulators are useless for working with AV
)products, so what am I to do? I consider myself a responsible,
)competent, and sincere student of viruses. I have nothing but
)contempt for anyone who would encourage or allow the distribution of
)unmarked, infectious viruses to an unknowing person. I feel that I
)need live viruses to increase my knowledge of them and the products
)that combat them, but I am not an insider, so I can't get them from
)CARO or whatever. That leaves me two choices---get them from Ludwig's

Very cogent and well stated.

Writing and trading viruses is -not- a reprehensible activity. There
are certain specialists who seem to have a special feeling of
superiority. They use overbearing and at times abusive language.

Let's learn about viruses. Let's learn about how they operate and how
to protect ourselves. It's not enough to have "experts" who -know- and
have everyone else be ignorant.

I was infected with STONED.AZUSA before -anything- I had access to
could even -identify- it, let alone clean it. I wrote my own cleaner,
because it was -destroying- my files on floppy. Was I supposed to send
a copy to a specialist and wait a couple of weeks, not using my
machine, until Vesselin or some other "special" person figured it out?
NO! I wrote my own disinfector.

And why shouldn't I do so for another person? Why cannot someone send
ME a copy of some virus or other? In fact, one has, and I found him a
"signature" which could be used by McAfee's scanner. He is now clean.
But I'm not one of the "insiders", so sending me a virus was actually a
reprehensible act.

Mike
----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Sat, 01 Oct 94 10:24:44 -0400
From: Zeppelin@ix.netcom.com (George Paulsen)
Subject: Re: How does one become an insider?

dnikuya@netcom.com (dave nikuya) writes:

>Well, this is a very stringent requirement. While I sympathize with
>your motives, I am sure that you are aware that many people suspect
>elements of the anti-virus community of spreading viruses in order to
>increase demand for their services. And as I have already stated, I
>consider you to be one of the most helpful and competent people in
>cyberspace, but I do not know you personally, and I recently saw an
>article which stated that some people believe that you are the Dark
>Avenger. So it would be very difficult for anyone to _prove_ that he
>should be one of the elite to whom people can send viruses in full
>confidence that they won't be misused.

You know, it has been a long time since I saw this statement made, but
you are correct. Of the 30 or so people I have met within the viri
community, all DO believe that he is the DA !!

>It is not at all clear to me how an outsider becomes an insider in the
>AV community. Must one work for a Fortune 500 company, or at a major
>university? It seems to me that there are many sincere and competent
>people who would not meet these criteria, and possibly some nefarious and
>incompetent people who would. Am I completely ignorant of the
>facts? Is there some professional organization that I can join which
>will allow me access to the virus libraries even though I am not a
>Ph.D.?

After contacting the FBI/FCC/NSA, I have found that here in Calif. it
is NOT illegal to have/write viri whatsoever. It is only illegal to
send them over state lines, unless it is to an AV company. That is
what I got out of it.

>I beg you to recall that you were not always a world-renowned
>authority, and that you wouldn't be one today if someone hadn't taken
>a chance by providing you with live viruses. And if I may say this
>without offense, if the laws did become more restrictive,
>a student at a Bulgarian university would probably not be high
>on the list of people to trust with viruses.

You can't stop the "I'm holy, and you NOT," attitude, just understand
that if not for research, we would all still be riding horses.

>P.S.
>
>Dave N.
>--
> dnikuya@netcom.com
>

 -Zep-

------------------------------

Date: Sat, 01 Oct 94 11:07:29 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Hackers, etc

> BTW--I am also trying to make contact with the man who produces the Hack
> Report and another e-publication called the Bounty Hunter. If you know of
> their e-mail address, I would appreciate it.

The guy who used to do the hack report had to retire due to health
reasons. Bill Lambdin was supposed to take it over, but that plan fell
through. Last I heard was that someone else, possibly the guy who does
the Bounty Hunter, would be taking over. However the hack report has
not appeared since a joint Jan/Feb issue.

Cheers, Ian

--
-----------------------------------------------------------------------------
Ian Douglas        Lead, Follow,        34    InterNet: iandoug@cybernet.za
P.O. Box 484       or get out of        1,73  FidoNet:  5:7102/119
7532 Sanlamhof     the way.             57    TopNet:   225:2048/1
South Africa       (Ted Turner, CNN)    INTB  PGP key available.
-----------------------------------------------------------------------------

------------------------------

Date: Sat, 01 Oct 94 11:40:01 -0400
From: William Hugh Murray <0003158580@mcimail.com>
Subject: Distribution of Viruses

-- [ From: William Hugh Murray * EMC.Ver #2.0 ] --

jmccarty@spd.dsccc.com (Mike McCarty) (Who seems to be consuming much
of the bandwidth around here) writes:

>I do not think that virus exchange is reprehensible. I believe I have
>seen him quoted as "maintaining" a virus collection for purposes of
>virus eradication, not maliciously infecting people. I also do not

computer science would have recognized the extent of his ignorance and
would have behaved more conservatively.

I would have no problem with giving a copy of any arbitrary virus to
Vesselin Bontchev. He is known to me personally and collegially. I
know his competence, his intent, and his interests. I can reasonably
predict the consequences of giving him a virus.

I would not have very much problem with giving a copy of a very common
virus to anyone. While I cannot predict all of the consequences of the
virus, and while I recognize that it became common from only one copy,
one more copy of the virus is not likely to make the situation much
worse.

However, I will not give away a copy of an arbitrary virus to an
individual not well known to me. For example, I would not give a copy
of an arbitrary virus to Mr. McCarty. While he may take this
personally, it really has nothing to do with him. It has to do with my
ignorance of him. It is not that I expect him to behave irresponsibly,
but that I cannot well predict that he will not.
While I might be able to know enough about the behavior of a virus to
predict its behavior in a particular computer, I cannot predict its
behavior in an arbitrary computer whose use and application is not
known to me. While I can predict its behaviour in a small closed
population of computers, I cannot predict its behavior in a large and
open population of computers. I can reasonably predict that there are
potentially bad consequences which might result from such an act. Its
release is at least a rude act; potentially it is catastrophic.

I am not opposed to considering my own selfish interest when making
ethical decisions (One of my associates has described me as a Kantian
idealist). I am a user of computers and have an interest in the
orderly behavior of all computers. Viruses continue to diminish my
enjoyment of my computer and the enjoyment of the community of the
advantages of all computers. As I do not soil my own nest and do not
throw my waste in the street, I do not distribute viruses; they
contaminate and pollute.

There are few bad consequences that will flow from my choice. One
possibility is that I might restrict the flow of legitimate knowledge.
However, there are few interesting things about a virus that cannot be
expressed in a safe form. I might, as those who advocate the broadcast
of viruses argue, contribute to an illegitimate guild. Given the
already too wide distribution of viruses, their persistence in the
environment, and the number and persistence of the virus writers, I am
prepared to take that risk. One thing that I am clearly not prepared
to do is to take lessons in ethical analysis or behavior from those who
write viruses.

Where I cannot know, I behave conservatively. Once the virus leaves my
hand, I lose control. If I cannot exercise control late, then it is
conservative to control early.

What I advocate here is individual choice and responsibility. I do not
expect to convince Mr. McCarty where my colleagues have failed. I do
not advocate the use of the coercive power of the state to force any of
you to do what I cannot convince you to do. I do not expect to
convince all of you, but the world will be a more orderly place if I
can convince some of you.

On a list with all of the ethical decisions that confront me and the
community, I do not suppose that this one is close to the top of the
list. However, the analysis that I use here is applicable to the more
important items on the list.

William Hugh Murray
New Canaan, Connecticut

------------------------------

Date: Sat, 01 Oct 94 15:00:23 -0400
From: Iolo Davidson
Subject: Netcom distributing viruses

jmccarty@spd.dsccc.com "Mike McCarty" writes:

> Hey! We agree! I think it would be difficult to properly write such a
> law, but I think it could be done. Wording would be something like:
>
> An act making it a crime to distribute programs with malicious
> intent, or to distribute programs containing malicious code to
> persons whom the distributor knows or has reason to believe
> will use or distribute the programs with malicious intent...

Intent is one of the hardest things to prove. In the UK, we have just
had charges dropped in a case where a man advertised a collection of
viruses for sale in a magazine. He had included a phrase like "the
viruses in this collection are supplied for the purposes of study"
somewhere in the fine print, and that was thought by the council for
prosecution to be sufficient to cover his ass.

--
TO A SUBSTITUTE
NOTHING HE GAVE A TRIAL
BUT HIS SMILE IT TOOK OFF
                          Burma Shave

------------------------------

Date: Sat, 01 Oct 94 15:01:26 -0400
From: Iolo Davidson
Subject: How does one become an insider?

dnikuya@netcom.com "dave nikuya" writes:

> bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>
> >However, I also believe that it should be made a crime ("criminal
> >negligence"?) to give a virus to somebody who you are not
> >convinced that they would be competent and responsible enough to
> >handle it properly.
>
> Well, this is a very stringent requirement.

Indeed it is. I believe it should be. However, I don't much care for
the idea of involving the law. Much of what follows is not a complaint
about the law, though, but about the reluctance of researchers to hand
out viruses to people they don't know, due to their own strictures of
conscience and duty of responsibility.

> While I sympathize with your motives, I am sure that you are
> aware that many people suspect elements of the anti-virus
> community of spreading viruses in order to increase demand for
> their services.

What is the tie-in between this bit of folklore and Vesselin's proposal
that giving irresponsible people access to viruses should be illegal?

> I recently saw an article which stated that some people believe
> that you are the Dark Avenger.

More folklore. Repeating baseless allegations, even in this watered
down form, is not very responsible.

> So it would be very difficult for anyone to _prove_ that he
> should be one of the elite to whom people can send viruses in
> full confidence that they won't be misused.

It is a judgement call. Some researchers will not exchange material
with others whom they do not trust or like, regardless of reputation.
There is no obligation to do so. One can make up one's own mind as to
the level of responsibility one requires in one's associates, as with
any professional body.

> Can there be no middle ground, where a responsible entity can make
> viruses available to adults willing to identify themselves and sign
> a statement promising responsible use, to remain on file?

There is another aspect here. Some (most?) responsible people lack the
knowledge and expertise required to handle viruses safely. Viruses
even catch out experts on occasion. What form of statement would
guarantee that the researcher would not subsequently be open to
accusation of irresponsibility by those who might be harmed, should the
person making the statement turn out not to be reliable, capable, or
honest? How about a headline in the computer press:

"Author of Catch'Em Anti-Virus Hands Viruses to Maniac"

More folklore about wicked anti-virus researchers for you and others to
repeat.

> By way of analogy, guns are obviously very dangerous, and are
> involved in thousands of crimes and accidents every day. Yet in
> the US, you do not have to prove that you are responsible and
> competent to buy a gun;

The USA is an anomaly in this matter. Many countries have very
stringent requirements for possession of firearms. In Britain, you
need a licence issued by the police, with your photo on it, which is
only issued to those who can establish a need for such firearm, comply
with security requirements, and a whole lot of other conditions. In
Japan, it is not possible for an ordinary citizen to own a firearm at
all.

> Another thing we have learned in the US is that making things
> illegal can create new problems. With alcohol in the 1920's and
> many drugs today, [etc]

I agree with this and have in fact recently posted similar sentiments
as far as the use of legislation goes. However, I still don't think
viruses should be freely available. Certainly no responsible person
should make them freely available. In fact, I regard this as part of
the definition of "responsible person".

> the Ludwig-bashers in this forum may have done more harm than
> good. If you read the early issues of his newsletter, it seems he was
> really trying to put out good information of use to researchers, but
> in later issues he includes articles that seem slanted more toward the
> people wanting to spread viruses than to contain them.

Intent counts for nothing. Statements of intent are often fallacious
ass-covering, a nod and a wink to technically comply with laws that
have some kind of "intent" provision.

> there seems to be a very small number of
> established AV researchers, some of whom are regular contributors
> to this forum, who are widely accepted as the "legitimate" AV
> community. While I am sure that it is unintentional, there is
> often an undercurrent of condescension or even ridicule when
> these insiders refer to people who are interested in AV
> activities, but who have not established themselves as members of
> this community.

You will see the same reaction from lawyers and doctors when an amateur
makes a pronouncement in the field of law or medicine.

> For example, Vesselin's statement regarding Ludwig's CD-ROM:
> "most respectable anti-virus researchers refuse to even take a
> look at it." Well, I bought it, and I also subscribe to his
> newsletter. Yes! I admit it!

This would put you in a somewhat questionable ethical position if you
were an anti-virus software producer, with major corporations amongst
your clients. Most such responsible people consider it wrong to help
create a market in viruses or contribute to any financial or other
incentive for their writing and distribution. Elsewhere you reckon
yourself to be responsible and respectable, but some would argue that
the above means that at the very least you do not understand the issues
well enough to be trusted by the anti-virus community. This is not a
question about whether you are good intentioned, but whether you
understand the ramifications of your actions.

> My problem is that I am not an "insider" in the AV community, so
> I can't just ask strangers to send me their viruses like you do.

Responsible researchers don't send viruses to strangers. If you mean
strangers sending viruses to researchers, which they often do when they
need help, then all you need is an anti-virus product with customers to
support, or a reputation as a helpful and effective source of aid in
distress. Strangers will then send you their problems to fix.

> It is not at all clear to me how an outsider becomes an insider
> in the AV community.

It is similar to the process of becoming a power line worker. You buy
a ladder and some rubber boots, then ask the electricity company for
some power lines you can practice on.

> Is there some professional organization that I can join which
> will allow me access to the virus libraries even though I am not a
> Ph.D.?

There are professional organisations that non-PhDs can join, but that
won't give you access to the libraries which are the property of
individual members, nor to any common library the organisation may keep
as far as I know. Being a PhD won't either.

> I happen to be fascinated with assembler language and direct
> control of devices on PCs.

Not a good enough reason to convince someone to give you a bunch of
viruses, however responsible or respectable you might be.

> I would like to pursue a career in this
> area.
> possibly even go to work for an AV
> vendor as a programmer.

This is certainly a legitimate and responsible way to work out your
fascination with the subject. In fact, to free yourself from any such
fascination. If you want to work with viruses, this is probably the
only way to go. You can't start in the way the pioneers did, any more
than you can join in the pioneering era of aviation or the cinema. It
is too late.

> However, it seems that many of the insiders are setting up
> criteria that will guarantee that outsiders remain so indefinitely.

I believe that those who work to restrict access to viruses are simply
trying to reduce the incident of user infection, just as they represent
themselves to be. However, I say again: intent counts for nothing.
The effect of such effort is what counts, and I think the primary
effect has been to reduce the risk to the general public. If there is
a secondary effect of making it difficult for new researchers to get
started, then that is acceptable. It is difficult for new doctors and
lawyers to get started too. And actors, writers, and artists if you
look at another aspect of "breaking in". In fact, try getting *any*
job without previous experience in the field.

> The most obvious example of this is regarding virus exchange. I
> have seen many posts from insiders that encourage questioners to
> send them a virus for study. Then these same insiders discourage
> making viruses available for study to anyone else.

For "study" read "unknown purposes" and for "anyone else" read "all and
sundry". People who want to get hold of viruses never say "I just want
to play with them" or "I hear you can issue a collection of them on a
CD and make a lot of money". They say "I want to study them and learn
how to counter them" or "I need some viruses to test anti-virus
products". Some of the people who say these things are genuine and
sincere, certainly.

--
TO A SUBSTITUTE
NOTHING HE GAVE A TRIAL
BUT HIS SMILE IT TOOK OFF
                          Burma Shave

------------------------------

Date: Wed, 28 Sep 94 09:45:03 -0400
From: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Subject: DOS/unix integrity checker, with source (PC) (UNIX)

A week ago I presented this to various security-related forums, but
realized that I'd completely left out the antivirus community. This
surely has its uses in the DOS environment as well as unix. Some
enterprising soul might even want to try porting it for Macintosh...

The package is called "L5". It is a single small program that
recursively walks down a directory structure, generating listings of
files and directories it finds along the way.
An MD5 cryptographic checksum is also generated and displayed for every file, so the output of the program becomes a secure "snapshot" of what's on your disk. You can send the output where you like, e.g. to a floppy where you safely store such things.

You can get L5 via FTP from asylum.sf.ca.us:/pub/hobbit/L5.tar.Z. If you are a trusting soul and/or can't build your own executable for some reason, there is a pre-built L5.EXE in the same directory. More information is available in the README that comes in the package.

The original idea came from the unix file integrity checker called Tripwire, which although a great package, is very large and unix-specific. L5 could be considered the boiled-down essence of Tripwire, with some DOS compatibility hacks thrown in. A big point in favor of this package is that it is an integrity checker that is cryptographically infeasible to spoof, and is SUPPLIED WITH FULL SOURCE, unlike most of the others we've seen come along.

CAVEAT: This version still has a little trouble with DOS file naming formats, such that invoking "l5 c:" will not do the right thing. To take a snapshot of your whole C: drive, you either need to first log to that drive and then invoke "l5 /", using a forward slash and leaving out any drive specifications; OR invoke "l5 c:\*.*", which causes the wildcarder to fill in all the [visible!] filenames. [I recommend using the former workaround.] If time permits or someone sends me some improved code to deal with this, I'll fix it in a future release. Your compiler may also already have opendir() and readdir() routines; check before you build to see if you really need the dosdir.* files.

OTHER CAVEAT: The MD5 code is abysmally slow on a DOS machine. It can process a maximum of 4 Mb per *minute* on a 386/33, with target files on a ramdisk and maximal compiler optimizations -- closer to 3Mb/minute over files on a hard drive.
This is one price of better security, I suppose, unless there is a faster version of MD5 floating around for real-mode x86 architectures. To work around this, I'd suggest limiting the scan to directories containing important system files and apps, and any "virus-bait" files you are directly working with.

For a little assurance, the L5 of L5.EXE should look substantially like:

L5.EXE//F 2138 100777 1 0/0 22060 2e88bd58 2tQ0g60:ieV7IwENEFUlC5

_H*

------------------------------

Date: Tue, 27 Sep 94 19:32:54 -0400
From: kenney@netcom.com (Kevin Kenney)
Subject: Goldbug: Killmonk Help? (PC)

I expect to run into Goldbug. Too many people I know are running the pirated Doom 2: and I'm about to pass them F-Prot 2.14. I know, for now, that they'll have to delete infected files, but what should I have them do about the partition table effects? Will booting from a clean floppy and rerunning FDISK (no MBR) be sufficient (probably then having to reformat)? Is there an easier way if no partition table copy is available? (Is rebuilding it via a disk editor (if possible) just a matter of typing in the cylinder/sector/head count numbers in the right places?) Assume no mirror/norton rescue/image/etc. (This should be equivalent to having Monkey without KillMonk, shouldn't it?)

Wish me luck... About to dig through my archives for Monkey-cleaning articles...

KpK
=========================
KILL THE PARANOIDS                                      Have fun!
A Public Service Message, making paranoids happier,     All standard disclaimers apply!
by letting them know that they are right.  :o -> :>     kenney@netcom.com

------------------------------

Date: Wed, 28 Sep 94 09:45:18 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: GenB Virus - Need Help! (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: Steve Daley (spdaley@undergrad.math.uwaterloo.ca) writes:
: > Having a problem with several computers, reporting GenB, Generic Boot Virus.
: Sigh... Here we go again.
: Please, take care to review just a few
: messages that have been posted here before. In short, there is no such
: thing as "the GenB virus". This is a way of McAfee's SCAN to tell you
: "this boot sector is very suspicious and I am pretty sure that it is
: infected, but I really have no idea which particular virus it might be
: infected with".
:
: > The following programs give the following reports:
: > McAfee 2.01        GenB at 960k
: > Thunderbyte        Unknown Boot sector virus
: > MSAV               Nothing
: > CPAV               Nothing
:
: The first two programs are saying essentially one and the same thing -
: a quite probably infected boot sector; infected by a virus they are
: unable to recognize. The last two programs have such a bad detection
: rate, that it is not worth even talking about them.
:
: > No attempts to remove the virus work. I have done the following (as
: > well as about 500 other things):
: > 1. Make 6.2 boot disk on clean machine with only Himem.sys and Emm386 loading
: >    - boot infected machines and check with Scanner - Same Result as above
:
: Of course. If your hard disk is infected, scanning it after a clean
: reboot will naturally indicate that it is still infected.
:
: > 2. Sys the hard drive from a clean floppy
: > 3. Re-format hard drive, re-install DOS from BRAND NEW package
:
: Those two steps wouldn't help if the virus is in the MBR. However, in
: this case SCAN would have reported the virus as "GenP", not as "GenB".
: Are you completely certain that it is reported as "GenB"?
:
: > 4. Low level drive, then do step 3.
:
: You mean, even low-level formatting the drive did not help? In this
: case, your machine might just have a weird boot sector that happens to
: trigger the heuristics of SCAN and TbScan. Although, having in mind
: what SCAN uses as a heuristic in this case, this seems rather
: unlikely. A much more probable conjecture is that the "clean machine"
: you used to prepare the bootable floppy on was not that clean at
: all...
:
: I would suggest that you send a copy of the boot sectors of an
: infected hard disk to an anti-virus researcher.
:
: Regards,
: Vesselin
: - --
: Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
: Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
: < PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
: e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

Are you running any other anti-virus hardware or software? Sounds like it could be a BIOS protection program.

KD

------------------------------

Date: Wed, 28 Sep 94 09:45:11 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: HELP!! w/ TSR Virus and Stacker (PC)

Bryan M. Becker (bbecke1@umbc.edu) wrote:
: Can someone please help me,
: I have Stacker on my hard drive. I also have the Liberty Virus there
: too. The Liberty Virus is a TSR virus that affects .com and .exe files
: when they are executed.
: If I boot from a disk without the Stacker driver, I can only see some of
: my hard drive. So I need the driver to see all of the hard drive. When
: I boot from the disk stacker must swap drives. Now the virus is loaded
: into memory and I haven't done anything. I run scanners from my floppy
: and it tells me that a virus is loaded into memory.
: I have no idea what to do. I've tried everything I can think of!! Can
: anyone please help?
: Thanks so much,
: Bryan
:
: ***********************************************************************
: Bryan M. Becker                          E-Mail : bbecke1@gl.umbc.edu
: University of Maryland - Baltimore County -> Retrievers
: ***********************************************************************

Bryan,

In order to properly remove this virus, you first need to find a way to activate the device driver that loads the stacked volume, without using the device driver from off of the hard disk. With some versions of Stacker, they provide a way to do that during the installation procedure of Stacker.
I recommend that you call Stac Electronics in Carlsbad, CA, and ask them how to perform this task. Once this is accomplished, it is a simple matter of deleting all of the infected files, and restoring them from a known uninfected source.

Ciao,
Lucas

------------------------------

Date: Wed, 28 Sep 94 09:45:14 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: FORM_A (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: Bob Smith (bosmith@umich.edu) writes:
: > I have a DOS 486 machine that is reporting FORM_A virus from McAfee's
: > scan 2.0.1e program.
:
: I do not have a copy of this version of SCAN any more, but SCAN
: version 2.10 reports as "FORM_A" the two different (but similar)
: variants - Form.A and Form.B. Interestingly, it reports Form.C as
: "FORM.A".
:
: > I have searched mcafee.com, oak archives and
: > cert.org for methods or programs to remove this virus but have not
: > found anything.
:
: Are you sure that you have looked carefully? First of all, Form.A is
: the most widespread virus in the world, so almost all virus removers
: should be able to handle it properly. Can't SCAN 2.10 remove it?
: That wouldn't surprise me - SCAN 2.x is an unfinished product which
: is rather bad from the anti-virus point of view. However, at least the
: old CLEAN (117) should be able to remove this virus. Also, have you
: checked F-Prot 2.13a - also available from the oak archive? I know
: that it is able to remove all the variants of Form. There are many
: other products which should be able to remove this virus, because it is
: very well known.
:
: Regards,
: Vesselin
: - --
: Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
: Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
: < PGP 2.3 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
: e-mail: bontchev@fbihh.informatik.uni-hamburg.de      22527 Hamburg, Germany

Vesselin,

Release 2.1.1 has been posted to mcafee.com, and it does remove the form_A virus. This product is still not particularly robust in its virus removal; however, it is the most robust detector McAfee has released.

I'm interested in your opinion,

KD

------------------------------

Date: Wed, 28 Sep 94 09:45:24 -0400
From: kellogg@netcom.com (Lucas)
Subject: Re: How do I load VSHIELD on high memory? (PC)

Jason Hong (hong@csulb.edu) wrote:
: I am using VSHIELD version 117 with SCAN 117 on 386 and 486.
: There is a switch that keeps VSHIELD on high memory (/LH).
: However, it does not stay in high memory after running the
: memmaker command.
: If I take out the parameter (/LH), it stays in conventional memory.
: Then I cannot launch some DOS applications under Windows.
: Is there any way that I can keep VSHIELD in high memory?
: - --
: Documentary Photographer,   |hong@csulb.edu|
: Auto-Mechanics, &           |ACS, CSULB    |
: Software Engineer.

Jason,

Try version 2.1.1, just released this evening, which automatically polls memory to see what is present. It uses expanded [preferable], extended, upper, and/or conventional. If two page frames [128 kbytes] of expanded are available, it will then load the rest of the code [8 kbytes] into upper [if UMB is supported], or conventional. The filename is vsh_211.zip, and you may obtain it from mcafee.com.

kd

------------------------------

Date: Wed, 28 Sep 94 09:45:36 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: How do I load VSHIELD on high memory? (PC)

Hello Mr. Hong,

Usually I reply to questions about McAfee software directly by email; however, since the reply may be of interest to others I am posting it to comp.virus. Anyways...

VSHIELD Version 117 has a /LH switch to make it load the majority of its code into an upper memory block.
In order for VSHIELD to make use of upper memory, do not allow your memory manager's optimization program to attempt to load VSHIELD high. Instead, run VSHIELD with no "LOADHIGH" commands at the beginning of your AUTOEXEC.BAT with the /LH switch plus any other switches. If VSHIELD reports that it cannot load high even when loaded as the first TSR, consider running it with the /SWAP switch.

Alternatively, you may want to consider running VShield 2.1, which has better memory management features than Version 117.

Regards,

Aryeh Goretsky
Technical Support

hong@csulb.edu (Jason Hong) writes:
>I am using VSHIELD version 117 with SCAN 117 on 386 and 486.
>
>There is a switch that keeps VSHIELD on high memory (/LH).
>However, it does not stay in high memory after running the
>memmaker command.
>If I take out the parameter (/LH), it stays in conventional memory.
>Then I cannot launch some DOS applications under Windows.
>
>Is there any way that I can keep VSHIELD in high memory?
>
>- --
>
> Documentary Photographer,   |hong@csulb.edu|
> Auto-Mechanics, &           |ACS, CSULB    |
> Software Engineer.
>
- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, Suite 200 | FAX   (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California   | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for McAfee anti-virus, network management and help desk software.

------------------------------

Date: Wed, 28 Sep 94 09:45:44 -0400
From: Neill Phelan
Subject: Help! Controlling Virsus (PC)

Hi,

Could someone please help me? I have a user who wants to be on the Internet from his PC, which is also linked to our Novell network. I would rather that he had a dedicated PC for use on the Internet, but that is not possible. Is there any way that I can safely allow him to use the two networks without one corrupting the other?
I need a simple method which I know will work and will never fail.

Neil Phelan
FBD Insurance plc
Dublin
fbdcomp@iol.ie

------------------------------

Date: Wed, 28 Sep 94 09:46:00 -0400
From: da884@cleveland.Freenet.Edu (David Toste)
Subject: Whisper (PC)

Boy, what a night! I just found out that I had the Whisper virus at work and went into the network and found it there as well, but only in my working directory. I HOPEFULLY removed all of the files that were infected. Well, got home and did a virus scan which I haven't done in a while (I've learned my lesson, DON'T DROP YOUR GUARD!). Well, 41 files found to have the Whisper virus!! and McAfee's CLEAN won't clean it; the ONLY way is to delete the files. The IBM AntiVirus program is out the window; the stupid thing didn't detect it.

- --
David Toste [VE3TOS]          AMPRnet  : ve3tos@ve3tos.ampr.org
Don Mills, Ontario            Packet   : ve3tos@va3bbs.#scon.on.ca.noam
!* SOON TO BE RELEASED *!     Internet : da884@cleveland.freenet.edu
Author of SWLOGit (The Ultimate SWL'ers ToolBox)     Fidonet: 1:250/930

------------------------------

Date: Wed, 28 Sep 94 19:50:31 -0400
From: Zvi Netiv
Subject: Goldbug virus (PC)

>From Fidonet echomail:

-=> Quoting Koen Lenaers to All <=-

 KL> Does anybody know something about the Goldbug virus? I've heard of
 KL> it, and now I want to know what is right about what they told me...

Goldbug infects the MBR by writing the virus code into sectors 0,0,1 and 0,0,13 and relocates the original MBR to sector 0,0,14. The virus uses high memory and won't be active if no high memory manager is used. An infected hard disk won't be accessible if booted from a clean DOS floppy. Goldbug uses stealth to conceal the faked MBR.

The above implies an interesting and simple removal method (only from the MBR): rename config.sys and autoexec.bat to non-executable names and reboot. Goldbug will remove itself from the MBR and reinstate the original one in place.
When active, Goldbug hooks INT 10, so that if you use QEMM, you will notice the message "cannot find INT 10" when loading.

Goldbug spawns into EXE files, renaming the original file by removing its extension and changing its attribute to "system", hiding the file from the DIR command. The spawn usually retains, but not always, the original filename. It is actually overwritten by the virus and becomes a dropper itself. Another misleading feature of the virus is that the trojanized file is exactly the same size as the original one. Trojanized files having a companion with the original name will operate as usual. Otherwise, nothing will happen when invoking the program. This should alert a virus-aware user.

Goldbug is detected and removed automatically from the MBR by the SeeThru (c) technique. The integrity checker will find all the trojanized files and, if attempting to restore them generically, they will be declared unrecoverable, and thus removed. The original files can be renamed back and have their "system" attribute reset to normal with a file management utility.

SCAN 117, F-Prot 2.14, Integrity Master 2.22, and TBscan 6.24 did not detect Goldbug, nor indicated suspicious activity. I don't know if Goldbug is in the wild.

Regards, Zvi Netiv, InVircible. Available from ftp.datasrv.co.il/pub/usr/netz/invb601.zip

------------------------------

Date: Wed, 28 Sep 94 22:16:13 -0400
From: yoonb@assets.wharton.upenn.edu (Baryn Yoon)
Subject: WPWIN6.0a and NATAS (PC)

It seems that Vi-Spy 12.0 release 8.94 was issuing a false alarm for NATAS. Vi-Spy release 9.94a corrects this problem. WPWIN6.0a is NOT infected with the NATAS virus.

Thanks to everyone for responding.
- - baryn yoon
byoon@eniac.seas.upenn.edu
yoonb@assets.wharton.upenn.edu

------------------------------

Date: Thu, 29 Sep 94 04:13:50 -0400
From: Kash_Sharvini@mindlink.bc.ca (Kash Sharvini)
Subject: Possible virus (PC)

My keyboard goes berserk at times: the caps lock comes on by itself, there are long delays for letters to appear on screen, and the num lock and scroll lock come on at random. Could I have a virus? I've checked my PC with McAfee v2.1.0 but it didn't detect anything. There are no funny TSRs snooping around my PC either. The problem seems to be getting worse, so any help soon would be appreciated. I just hope I can log back on to read replies :(

thanks

------------------------------

Date: Thu, 29 Sep 94 06:26:09 -0400
From: mfoss@sognsvn68.sio.uio.no (Marco Foss)
Subject: Re: FORM_A (PC)

dhartung@chinet.chinet.com (Daniel A. Hartung) says:
>
>Bob Smith wrote:
>>I have a DOS 486 machine that is reporting FORM_A virus from McAfee's
>>scan 2.0.1e program. I have searched mcafee.com, oak archives and
>>cert.org for methods or programs to remove this virus but have not
>>found anything.
>>
> [stuff deleted]
>Thus a simple method of removing the infection is to reformat
>the disk. If you have a hard disk, FDISK /MBR (master boot record)
>may be able to restore a previously stored clean copy of the
>boot record. Run your scan both before and after.
>
>UNFORMAT, however, is a risky utility to run -- since it creates
>a new copy of the current boot sector, which happens to be infected.
>
>There are several utilities as well (check your utility package docs)
>that may be able to restore the boot record.
>

An easier way to remove the FORM_A virus from your hard disk would be to boot from a floppy with the same operating system on it, and then use DOS's SYS command to recreate the operating system on your PC. There might be a problem if you don't have a boot disk handy, though.
- --+-------------------------+---------------------------------------
Marco Foss             | Voice: +47 22 18 75 63 | Fax: +47 22 18 75 30
SiO IT, OSLO, Norway   | Email: mfoss@sognsvn68.sio.uio.no
- ----------------------------+---------------------------------------

------------------------------

Date: Thu, 29 Sep 94 10:02:21 -0400
From: young.koh@jntsea.gsfc.nasa.gov (Young J. Koh)
Subject: NYB [genp] virus (PC)

My system seems to have been infected by the NYB [genp] virus. The latest version of SCAN detected it in my boot record and FAT, but my previous version could not detect it. CLEAN doesn't know what to do with this virus.

It seems that I might have had this virus for a while, since I just recently got the latest version of SCAN. But even so, my system seems to be acting normally. I haven't had any problems recently.

So, what is this NYB virus? How do I disinfect it? I don't want to take any chances because it is residing in my boot sector, and that could wipe out my hard drive.

===================================================
Young J. Koh                    young.koh@jntsea.gsfc.nasa.gov
Jackson & Tull Engineers
NASA Goddard Space Flight Center, Greenbelt, MD

------------------------------

Date: Thu, 29 Sep 94 14:15:46 -0400
From: dg748@cleveland.Freenet.Edu (Sam J. Arendec)
Subject: NYB virus (PC)

I need info on the NYB virus. CPAV was unable to detect it. McAfee 9.25 was the only anti-virus program that finally eradicated it. Any contributions would be appreciated.

------------------------------

Date: Thu, 29 Sep 94 18:07:56 -0400
From: sotiris.baxevanis@intelsat.int
Subject: Satan Bug virus (PC)

Does anybody have any experience with this virus? Norman claims to be the only one capable of fully detecting and cleaning the virus; is this true? Can other programs like McAfee detect the virus but not clean it, with the only option being to delete the infected file, or do we need to buy the Norman software?
thanks

------------------------------

Date: Thu, 29 Sep 94 19:26:31 -0400
From: hnguyen2@mason1.gmu.edu (Hai H Nguyen)
Subject: Satan virus! Any remover available? (PC)

I had trouble with the Satan virus last week. I tried to use NAV (3.0), CPAV, and SCAN, but none of them were able to remove the virus. So, I had to delete the infected file and re-install DOS (it's painful!!)

Does anybody know if there is any remover for Satan?

Thanks for reading

- ----
hnguyen2@mason1.gmu.edu          \\\|///          phone#: 911
                                \\ ~ ~ //         PC Troublemaker
                                (/ @ @ /)         SysOp Terminator
+-------------------- oOOo-(_)-oOOo ------------------------+
| LOVING IS LIKE PROGRAMMING. IF YOU MAKE A MISTAKE, YOU    |
| WILL HAVE TO SUPPORT IT FOR THE REST OF YOUR LIFE         |
+-----------------------------------------------------------+

------------------------------

Date: Thu, 29 Sep 94 21:54:22 -0400
From: "Margaret Lane (NC)"
Subject: Stealth virus (PC)

dear virusees and virusers,

i need some advice. the stealth virus has vanquished my boot sector, and even mcafee's clean and scan programs say it's irreparable. much of my data and junk is not backed up, thus i need some advice to aid myself in this situation. so, intelligent computer gurus and idiots alike, reply with advice on what to do or where to go in email, please! sorry if i'm posting to the wrong group. and, to those of you innocent computer users out there, watch out for the stealth! it's a nasty one. (some virus-writer is probably pretty proud, now)

------------------------------

Date: Fri, 30 Sep 94 11:44:39 -0400
From: "A.APPLEYARD"
Subject: `_2kb' virus (PC)

Where I work we had an attack of what McAfee Scan v116 reported as the `_2kb [Genp]' virus. Does VET find this virus? If so, under what name?
It seems to me that SCAN lumps various real viruses together with undefined boot sector and partition sector faults as [Genb] and [Genp], because everything classed as [Genb] needs CLEAN to obey the same instructions when removing it, and likewise everything classified as [Genp]. `_2kb' seems to be a real virus here: one of our staff had it on nearly all of his floppies, and it did affect how his PC ran.

------------------------------

Date: Fri, 30 Sep 94 11:42:00 -0400
From: aec@drum.msfc.nasa.gov (llertnac cire)
Subject: Re: Help Win 32 Bit File Virus? (PC)

a0631vdc@c1.cc.univie.ac.at (Gerhard Kluenger) writes:
>: Hi there,
>:
>: > Help We have been getting an error message when
>: > starting Windows 3.1 about not being able to start 32 Bit File Access.
>: > This machine has been running for 8 months without this message.
>: > It has now jumped to another machine through a bootable diskette.
>
>I encountered a similar problem, after by accident I had a diskette in my
>A-drive (without system). After reboot (DOS 6.2) all looked fine, but
>loading win for workgroups 3.1 gave the msg:
> "The MS Windows 32-bit disk driver WDCTRL cannot be loaded. There is
>unrecognizable disk software installed on this computer. The address that
>MS-DOS uses to communicate with the hard disk has been changed. Some software,
>such as disk-caching software, changes this address. "
>Any idea if - and what kind of - virus this might be?

I was getting the same error messages. I ran Norton Anti-virus. It said that I had a virus called AntiEXE. Norton was able to inoculate it. Everything's fine now.

eric

------------------------------

Date: Fri, 30 Sep 94 11:40:18 -0400
From: "Michael Vollmer"
Subject: Re: How do I load VSHIELD in high memory? (PC)

Hi Jason (Hong)

Jason Hong wrote on 27 Aug 94 to VIRUS-L:

> There is a switch that keeps VSHIELD on high memory (/LH).
> However, it does not stay in high memory after running the
> memmaker command.
> If I take out the parameter (/LH), it
> stays in conventional memory.
> Is there any way that I can keep VSHIELD in high memory?

I received VIRUS-L 7/77 only on 27 Sept, therefore I don't know if you have already had an answer to your question.

VSHIELD uses only Expanded Memory, not Extended Memory, to load high. You must use EMM386.EXE (included in MS-DOS) to build Expanded Memory (or Quarterdeck's QEMM or 386MAX). Load EMM386.EXE (or QEMM or 386MAX) in your CONFIG.SYS (Example: DEVICE=C:\DOS\EMM386.EXE). Naturally you have less Extended Memory if you build Expanded Memory; the default for EMM386.EXE is 256 KB. EMM386 itself uses a part of your conventional memory.

Hope this helps you

A virus free time
Michael Vollmer
vollmerm@fh-nuertingen.de

Michael Vollmer
Mail: vollmerm@fh-nuertingen.de

------------------------------

Date: Fri, 30 Sep 94 11:44:49 -0400
From: cassidy@mars.rowan.edu (KYLE CASSIDY)
Subject: "stealth boot" or "genb" virus? (PC)

We've seen this virus a lot lately in our labs. It is a boot sector virus, identified by McAfee's SCAN as stealth boot "genb", but I find no mention of it in the literature. Disks (floppies) that are infected with it apparently cannot be cleaned by Clean 117. Clean gives it the old college try and then informs me that the virus cannot be safely removed.

Any suggestions on a good database also?

Thanks,
KC

------------------------------

Date: Fri, 30 Sep 94 18:26:28 -0400
From: tmd5991@ACFcluster.nyu.edu (MICHAEL DREYFUS)
Subject: B1 virus (PC)

Does anyone know how to get rid of the B1 virus? Thanks.

Michael Dreyfus
mdreyfus@phantom.com

------------------------------

Date: Sat, 01 Oct 94 00:06:39 -0400
From: datadec@corsa.ucr.edu (Kevin Marcus)
Subject: Re: Central Point Update? ---- FTP site? (PC)

groener wrote:
>Does anyone know if Symantec has an FTP site so that I can get
>updates on the Virus signatures?

I try to keep the latest updates available for ftp from cs.ucr.edu.
I also try to keep up with McAfee's scanner as well as F-Prot there, which is separate from the previous ftp site at ftp.cert.org. (There were no such programs available there.) I believe the latest copy of updates I have is from August; they have yet to send me another, though I know October's should be going out any minute. I think that ftp.informatik.uni-hamburg.de might have the most recent ones available.

- --
- --> Kevin Marcus, Computer Science Dept., University of California, Riverside
Email: datadec@cs.ucr.edu.
"Two types of programs do CALL ; POP . They are viruses and a good chunk of DOS programs. Down with MicroSloth."

------------------------------

Date: Sat, 01 Oct 94 07:41:39 -0400
From: dvr@hooked.net (David Alga)
Subject: Argh.. Help me with VCL-DIAT... (PC)

I have some stupid virus on my system. This is the 3rd virus I have had in a month. This is getting annoying...

Anyways, the new version of Scan from McAfee detects it as the VCL-DIAT virus, but the new version of Clean doesn't recognize it. F-Prot and TBAV don't find it. I ran a file a while back, then scanned it and found the virus. It infected 2 files in one of my directories. I deleted the files and the directory. My system has been clean since, and there is nothing in memory. I got a new .ZIP of the files, and installed it to a different directory, but when I scan these new files, it finds the virus in the files regardless of where I install it. I know the .ZIP file is clean of virii, as one of my friends scans it on his system and it's fine.

If anyone can help me out, please mail me. Thanx...

dVr@hooked.net

------------------------------

Date: Sat, 01 Oct 94 09:28:25 -0400
From: Zeppelin@ix.netcom.com (George Paulsen)
Subject: Re: Windows Virii (PC)

Cynthia Sue Garrett writes:
>
>Has anyone else ever seen a Windows specific virus? I was just
>wondering, because as a Windows programmer (C++) I know just how much
>control over the system the programmer can have.
>I myself am against any
>malicious virus programming but have seen a Windows virus in a store
>computer once. It opened many instances of a program and then scrolled
>the focus through the instances so that you couldn't access the menu on
>one instance to exit it easily. Eventually it opens so many instances
>that anything you try to do is restricted for lack of memory.
>
>

In my collection of over 4000 viri, I have three specific viri that are for Windows only.

1.) WinVir
2.) WhyWin
3.) WinWin

I have stayed away from C++, and chose Assembly and Pascal as my platform to work within. I recently (Feb 94) sent up my latest code to TBAV (yes that's right, I send everything I do directly to the AV), done in Pascal. It is a very simple companion, spawning viri called Linda-Lou. It can be found in Patricia Hoffman's VSUM under a new arena called HLLS (high level Language). It replicates all the .exe files on your HD in the .com format, thus executing first. What Pat Hoffman did not say was that it loads itself into memory over and over again. Once it has filled most of memory, UN-NOTICED, you get the error, "Out of Environment." At this time, most people would run their AV software, which is just what Linda Lou wants. It then follows the AV program that is run, via tree, deletes it, then formats drives C - Z. A simple view of your Dir's would show all the dups, which you can easily delete then without any damage. The simplicity of the viri was intentional, for it was just to show my friends at the major AV companies that Pascal can and will move unrestricted.

I suggest that if you are planning to start programming viri, which it seems is your direction, that you keep one thing in mind. DO NOT RELEASE TO GENERAL PUBLIC under any circumstances !!

What gives me enjoyment is seeing whatever I do showing up in Pat Hoffman's VSUM, and seeing it say, "Not in the Wild." !!!
-Zep-

------------------------------

Date: Sat, 01 Oct 94 09:31:52 -0400
From: Zeppelin@ix.netcom.com (George Paulsen)
Subject: Re: F-PROT and UMB's (PC)

trebor@test3.stack.urc.tue.nl (tREBOr) writes:
>
>I was wondering if F-PROT (v 2.12) scans UMB's (seg A000-FFFF, techn.
>speaking) during the normal conv./HMA memory-scan.
>
>If it does: are there any viruses which utilize this area?
>
>If it doesn't: why not?
>
>Thanks,
>
> robert
>
>"Ambient is the mind" -- Carl Craig
>
>

If I am not mistaken, A000-B7FF is pure video. C000-EFFF is the UMB area, although I may be wrong.

-Zep-

------------------------------

Date: Sat, 01 Oct 94 09:34:32 -0400
From: Zeppelin@ix.netcom.com (George Paulsen)
Subject: Re: VIRUS INFECTION - (PC)

bpwarner@csupomona.edu (Brian Warner) writes:
>{Note: My conection with this net is via a pc to a VAX to this newsgroup. I
>thin4 my VAX account is safe.}
>
>I thin4 my pc might be infected with a virus. My virus checher dosn't detect
>anything, but I have some strange symptoms. Three of my 4eys are returning
>incorect va5ues, as you can see. 5 and 4 are two examp5es of said errors. This
>is my first expierience with a virus, if it is a virus. My question is, does
>anyone recognize these symptoms... and can someone refer me to a particu5ar
>virus program.... and is this program on the internet.... I have thought about
>bootinig my pc from drive a, but that dosn't wor4 - It continues booting on
>drive C:, ignoring the boot dis4 in drive A:.
>
>I understand that my post is rather distorted with errors (4, 5, etc.) but I
>hope that someone can he5p me. and forgive the messy nature of this post...
>
>SYMPTOMS: -Incorrect responces are being given from my 4eyboard.
>          -I havn't noticed any change in memory.

It appears that you have a keyboard remapping. There is a possibility that you have been struck by some mild sort of ANSI bomb.
I suggest that you take your Dos Diskettes, and find the Keyboard.Com, and
after expanding it, use it to replace the original that lies in Dos. Hey,
just food for thought.

-Zep-

------------------------------

Date: Sat, 01 Oct 94 09:54:24 -0400
From: Zeppelin@ix.netcom.com (George Paulsen)
Subject: Re: Thunderbyte anti-virus - how good? (PC)

clotsche@coh.fgg.EUR.NL (Pim Clotscher @ COH) writes:

>Where can I get objective information about the thunderbyte anti-virus
>package? There was a review/test in Virus Bulletin of july 1994, but I have
>no access to that information. Can anybody tell the conclusion / strong
>points, weak points, etc.?

I for one use TBAV, and have done so for about two years. I have found that
in the course of writing viri code (which TBAV gets exclusively), TBAV sets
off flags more often than not. It is only when those flags do not appear
that I call the product finished. I have tested my same code against F-PROT
(in either High Hur, and normal mode), Scan, Nav, VirX (which is almost as
good as TBAV), and IM. None of those, except VirX, came even close. Of the
4000 + viri I have, when unzipped into one dir, TBAV found close to 3800 of
them. Which leads me to believe that simple byte changes, called variants,
don't warrant a new sig.

-Zep-

------------------------------

Date: Sat, 01 Oct 94 11:18:57 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: How to Remove a swiss virus from the partition table? (PC)

Tony Castillo (castillo@casino.cchs.su.oz.au) wrote:

> No, I'm not having a good day... Just want to ask everyone on how
> I can remove a swiss virus from the Partition table without low level
> formatting the hard-disk... Is there any virus cleaner that can be able
> to remove it from the partition table.

If by Swiss you mean swiss_boot, which is what McAfee calls Exe_Bug, then
you can fix it with a sector editor. First check your cmos to make sure the
A: drive is still enabled.
Then boot off a clean diskette, and use a sector editor to move 0,0,17 to
0,0,1. Suggest you first save 0,0,1 to a file in case of problems.

Else use F-Prot..:-)

Cheers, Ian
- --
- -----------------------------------------------------------------------------
Ian Douglas            Lead, Follow,        34   InterNet: iandoug@cybernet.za
P.O. Box 484           or get out of      1,73   FidoNet:  5:7102/119
7532 Sanlamhof         the way.             57   TopNet:   225:2048/1
South Africa        (Ted Turner, CNN)     INTB   PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date: Sat, 01 Oct 94 11:20:46 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Re; [News] KAOS? (PC)

Kazatski Oleg Nikolaevitch (kazatski@kartaly.chel.su) wrote:

> Any name of this virus is "Kaos4".
> So far, verified reports or samples of this virus have been
> received from the US, Austria, Norway and Finland.

and South Africa...

Cheers, Ian
- --
- -----------------------------------------------------------------------------
Ian Douglas            Lead, Follow,        34   InterNet: iandoug@cybernet.za
P.O. Box 484           or get out of      1,73   FidoNet:  5:7102/119
7532 Sanlamhof         the way.             57   TopNet:   225:2048/1
South Africa        (Ted Turner, CNN)     INTB   PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date: Sat, 01 Oct 94 11:25:10 -0400
From: iandoug@cybernet.za (Ian Douglas)
Subject: Re: Video virus? (PC)

Chris584 (chris584@aol.com) wrote:

> We have lost several monitors in the past month, and have read that
> there are viruses which can alter frequencies or voltages sent to the
> monitor or video card. Please advise whether this is true, how to
> detect such a virus, whether standard virus detection packages can
> detect such a virus, etc.

Many rumours of such viruses, none yet found to exist...
Cheers, Ian
- --
- -----------------------------------------------------------------------------
Ian Douglas            Lead, Follow,        34   InterNet: iandoug@cybernet.za
P.O. Box 484           or get out of      1,73   FidoNet:  5:7102/119
7532 Sanlamhof         the way.             57   TopNet:   225:2048/1
South Africa        (Ted Turner, CNN)     INTB   PGP key available.
- -----------------------------------------------------------------------------

------------------------------

Date: Sat, 01 Oct 94 14:06:00 -0400
From: safety@gti.gti.net (Safety Net)
Subject: Re: Looking for specific-purpose virus scanner (PC)

A scheduler can run a server scan at predefined times. Configure it to scan
during slow periods such as 6:00am, lunch, 6:00pm, etc.

If you're looking for a biased opinion, our VirusNet LAN system has DOS and
Windows schedulers which will meet your needs. They will monitor the return
code to trigger a series of events if a virus is found. However, if you're
in a Netware environment, you may want to go with an NLM solution such as
CPAV, NAV or others.

Don't overlook your workstation virus protection, though. Since a large
percentage of infections are caused by boot track viruses, your server-only
approach will provide only partial protection.

Regards,
Bob Janacek - Technical Director
Safetynet, Inc.

Mark Mckenzie (bemckenz@sciborg.uwaterloo.ca) wrote:
: I am looking for a virus scanner that can be used with a network that
: scans periodically all files entering the system. If there is a system
: out there that only operates when the network isn't busy, that would be
: even better.
: Something like a virus shield isn't exactly what I want, because the
: program should be transparent unless a virus is found. Something that only
: works on bootup isn't good either, because often the network servers are
: running for long periods of time.
: Does such a program exist?
: Thanks...
: - -Mark Mckenzie
:

------------------------------

Date: Sat, 01 Oct 94 15:00:53 -0400
From: Iolo Davidson
Subject: Fixing the boot sector of a floppy? (PC)

jmccarty@spd.dsccc.com "Mike McCarty" writes:

> Iolo Davidson wrote:
>
> )> We agree again. It should not be hard to write a utility

No, this was what you wrote, and what I was replying to. Please try to keep
attributions in order.

> I do not claim that you or anyone else "bumbles along in the dark",
> and I resent your putting words into my mouth.

Uh huh.

- --
   TO A SUBSTITUTE
      NOTHING HE GAVE
         A TRIAL BUT
            HIS SMILE
               IT TOOK OFF
                   Burma Shave

------------------------------

Date: Sat, 01 Oct 94 15:01:41 -0400
From: Iolo Davidson
Subject: Virus Source code on CD ROM? (PC)

jmccarty@spd.dsccc.com "Mike McCarty" writes:

> I am convinced that freely accessible virus source
> will make writing viruses a thing of the past.

Demonstrably not true. Many existing viruses have been based on published
source code. Some of these variants are trivial rewrites to include the
"author's" name or just due to slight variations in the assembler used.
Publishing the source leads to more viruses, not less.

One wonders how you come to be possessed of such a conviction, when the
only evidence is against it.

- --
   TO A SUBSTITUTE
      NOTHING HE GAVE
         A TRIAL BUT
            HIS SMILE
               IT TOOK OFF
                   Burma Shave

------------------------------

Date: Sat, 01 Oct 94 15:02:44 -0400
From: Iolo Davidson
Subject: KOH (PC)

jmccarty@spd.dsccc.com "Mike McCarty" writes:

> Iolo Davidson wrote:
>
> ) I hope we are not going to get another thread about so-called
> ) "beneficial" viruses. We have just finished that idea off.
>
> I am not so sure you have "finished that idea off". I think that people
> just got tired of discussing it. There were a few who supported it, a
> few who vociferously repudiated it. You seem to be saying that those who
> repudiated it "won" the debate. I very much doubt that. I don't think
> anything got resolved at all.

We won, you lost. I know you don't accept it. Too bad. Your problem.

I stand ready to hash the whole thing through again, though, for the
benefit of those with open minds.
In fact, I insist on doing so whenever the subject comes up. Don't want
anyone to be deluded by the self-serving claims of virus writers who are
desperate to rehabilitate their shabby images.

- --
   TO A SUBSTITUTE
      NOTHING HE GAVE
         A TRIAL BUT
            HIS SMILE
               IT TOOK OFF
                   Burma Shave

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 83]
*****************************************