Return-Path:
Received: from CS2.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA13621; Wed, 19 Aug 92 18:52:27 +0200
Errors-To: krvw@cert.org
Received: from (localhost) by CS2.CC.Lehigh.EDU with SMTP id AA12360 (5.65c/IDA-1.4.4 for ); Wed, 19 Aug 1992 11:55:19 -0400
Date: Wed, 19 Aug 1992 11:55:19 -0400
Message-Id: <9208191546.AA13760@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #141
Status: RO

VIRUS-L Digest             Wednesday, 19 Aug 1992        Volume 5 : Issue 141

Today's Topics:

Re: Waldo ?? (PC)
Where's Waldo?! Was: Re: Waldo ?? (PC)
Re: I Need an unattended scanner (PC)
Re: Is "Bloody" a virus? (PC)
Re: McAfee GENP/GENY identification (PC)
Re: Scan93 Calls Michangelo "Stoned" (PC)
Re: Strange MBR (PC)
Re: victor charlie (PC)
Netware and viruses - some new results (PC)
Re: help, high weirdness (PC)
Re: 4096 (frodo) false alarm? (PC)
Need Advice on Evaluating and Ordering Antivirus Software (PC)
Re: F-Prot 2.04c (PC)
os/2 changes to boot sector (OS/2)
Virus questionnaire, pls
Re: Jerusalem virus (CVP)
New Uploads on risc (PC)
Preliminary Conference Announcement

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date: 18 Aug 92 03:09:37 +0000
From: george@mulgulgum.asis.unimelb.EDU.AU (George Ferenc)
Subject: Re: Waldo ?? (PC)

treeves@magnus.acs.ohio-state.edu (Terry N Reeves) writes:

> Anyone know of a virus/trojan/joke/ etc that self-identifies as Waldo?
>
> I have not seen it, unfortunately I have only a sketchy report of a
> message seen periodically on a pc running windows 3.1 & corel draw
> 2.0. I am told a "waldo virus" is identified. Unfortunately I can't
> even be sure the word virus was in the actual message.
>
> f-prot 2.04c finds nothing not even with heuristic scan. (two false +
> only) scan 93 ditto.

Hi,

This is not a virus. If you are running an old (i.e. not the latest) version of Corel Draw under Windows 3.1, the program will crash when you use the 'Blend' function. It worked fine under Windows 3.0.

Hope it helps,
George.

- --
o*****************************************************************************o
* George Ferenc        Information Technology Services, Melbourne University  *
* Analyst/Prog... No, Software Engineer. At least it's trendy.                *
* E-Mail address    george@asis.unimelb.EDU.AU                                *
* Tel. (B/H)        (03) 344 6393                                             *
* Tel. (A/H)        Are you kidding ?                                         *
o*****************************************************************************o
* Trying to establish voice contact. Please talk to your keyboard.            *
o*****************************************************************************o

------------------------------

Date: Tue, 18 Aug 92 07:07:50 +0000
From: mcafee@netcom.com (McAfee Associates)
Subject: Where's Waldo?! Was: Re: Waldo ?? (PC)

Hello Mr. Reeves,

The "Waldo" message is an error message from the Windows version of CorelDraw.
I was under the impression that this error message only appeared in beta test versions of the software (which would usually be limited to a few beta test sites) but it may have been present in the production version. You should be able to contact the manufacturer for a patch.

Regards,

Aryeh Goretsky
Technical Support

/in reply to/

treeves@magnus.acs.ohio-state.edu (Terry N Reeves) writes:
>Anyone know of a virus/trojan/joke/ etc that self-identifies as Waldo?
>
>I have not seen it, unfortunately I have only a sketchy report of a
>message seen periodically on a pc running windows 3.1 & corel draw
>2.0. I am told a "waldo virus" is identified. Unfortunately I can't
>even be sure the word virus was in the actual message.
>
>f-prot 2.04c finds nothing not even with heuristic scan. (two false +
>only) scan 93 ditto.
>
>Anyone??

- --
McAfee Associates          | Voice (408) 988-3832 | mcafee@netcom.com (business)
3350 Scott Blvd, Bldg 14   | FAX   (408) 970-9727 | ObQuote: "Log... from Blammo"
Santa Clara, California    |                      |
95054-3107 USA             | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield   | USR Courier DS 14.4Kb| or GO VIRUSFORUM

------------------------------

Date: 18 Aug 92 10:31:44 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: I Need an unattended scanner (PC)

cass8806@elan.glassboro.edu (KYLE CASSIDY) writes:

> I'm using V-shield93 right now, and i'm wondering if i should use
> this in conjunction with a more sophisticated scan program, but i'd like one
> that i can set to scan the disk when i'm not around (like at 3 in the
> morning) i'm running windows and i leave the machine on 24 hours. are there
> programs that do this?

What you actually need is not a special scanner - any off-line scanner like SCAN or F-Prot will do the job. What you need is a scheduler for Windows - a program that starts another program at a prescribed time.
I don't know about such a program (I am not using Windows myself), but it should exist - several such programs exist for DOS. I advise you to check at Simtel20 or ask in one of the Windows-related newsgroups.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: 18 Aug 92 10:41:46 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Is "Bloody" a virus? (PC)

lewin@brokaw.lcs.mit.edu (Jonathan Lewin) writes:

> My PC has begun to display the words "Bloody" and "Jun 4, 1989" on
> boot-up. Is this a known virus?

Yes, it is. It is a Stoned variant and infects in a similar way. There are at least 4 different known variants.

> If it is, could someone PLEASE tell
> me, and advise me how to get rid of it?

Since it is a master boot sector infector, to remove it from your hard disk it is enough to boot from a DOS 5.0 system diskette and execute FDISK /MBR. After that you can boot from your hard disk and examine all diskettes. The virus can be removed from the infected ones - just copy the files from them somewhere else, then reformat the diskette and copy the files back. Make sure that the virus is not memory resident and active, otherwise it will re-infect the diskettes. Most popular scanner/removers like F-Prot and CLEAN are able to remove this virus.

> The PC it is on is vital to a
> small company, and I don't want it to start losing files.

Due to the way it infects disks, it may damage some hard disks and high-capacity diskettes when it infects them. Therefore, the damage is noticed at once. If it has not damaged your hard disk, it means that it won't do it in the future.
However, diskettes with strange formats (e.g., backups made by some backup programs) might be irreparably damaged.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: 18 Aug 92 11:18:03 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: McAfee GENP/GENY identification (PC)

james.roy@synapse.isis.org writes:

> I certainly agree that IDEALLY one would like to identify the exact
> virus and be able to read up about it and also have a utility to clean it
> out of the system.

> However, in practice, there are too many viruses coming out for any
> anti-virus company to keep up, you risk not getting updates in time even
> if available, cleaning is not 100%, new polymorphic viruses are
> self-mutating and as they improve will become invisible to scanners and
> other heuristic techniques.

> Rather than look for the perfect scanner, one should accept their
> limitations and only use them as gross filters for incoming software.

The above is, of course, true in general. However, some scanners ARE better than others. The fact that a particular scanner (SCAN in this case) is not able to provide good virus identification does not mean that good virus identification is impossible. It just means that this particular scanner is a rather poor tool for identifying viruses. For instance, Dr. Solomon's Anti-Virus ToolKit provides MUCH better identification than McAfee's SCAN (I am not comparing the other features), even though both products exist in one and the same virus population.

> Generic protection virus control is essential in a modern computing

They are just one line of defense.
I would refrain from calling it "essential", but I agree that it is useful.

> Our firm distributes Victor Charlie which can deal with all known and
> unknown viruses.

My deep regards to your company and to the product (greetings to Alan Dawson if you happen to see him), but please refrain from claims that it can deal with unknown viruses. I saw the product about two years ago. It had the same claims associated with it, yet it miserably failed to deal even with some of the existing viruses. Polymorphism and advanced stealth were serious obstacles against it then. I do not doubt that it has been much improved since then, yet I am pretty sure that it won't be able to deal with all unknown viruses... The virus authors out there are pretty ingenious, you know... I strongly doubt that a single company is able to think of and prevent all kinds of attacks, let alone all possible but still unknown attacks.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: 18 Aug 92 12:33:50 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Scan93 Calls Michangelo "Stoned" (PC)

voorhis@aecom.yu.edu (Adrienne Voorhis) writes:

> There has been some discussion recently about how (unnamed
> versions of) McAfee's Scan program are announcing an infection by
> Stoned when other virus scanners are calling it Michelangelo.

> A copy of Michelangelo that I have saved from April 1992 is
> detected by Scan89 as Michelangelo, but is detected by Scan93 as
> Stoned. My guess is that other posters that have reported this
> phenomenon are not dealing with a new variant of Michelangelo.
> It's just that the newest version of Scan got sloppy and detects all
> Michelangelo infections as Stoned. (I haven't heard that
> Michelangelo has any other strains detected.)

Your guess is correct. SCAN has become significantly worse in virus identification since version 89. Since Michelangelo is indeed a Stoned variant, it is not surprising that SCAN detects it as such.

> Not knowing the actual virus that has infected your machine can be
> a real problem. Previous posts, for example, have described the
> special problems that users face when disinfecting a computer that has
> been infected by both Stoned and Michelangelo. If the scanner does
> not even distinguish between the two, how is the user supposed to know
> why he or she is having no luck disinfecting the computer?

A very good argument why exact virus identification is very important!

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: 18 Aug 92 12:39:36 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Strange MBR (PC)

phil@cs.utexas.edu (Philip Smolen) writes:

> I noticed a machine with a strange MBR at work recently. The first 16
> bytes look like this:

> EA 05 00 C0 07 E9 99 00 02 6F 79 00 F0 E4 00 80

> Has anyone seen anything like this? Does anyone know what could have
> caused this?

Yup. The first few bytes are typical for a Stoned-infected boot sector. Either a variant of Stoned failed to infect this particular disk properly, or (less probably) some "clever" program tried to vaccinate your hard disk. It is, indeed, immune against Stoned infections now, but unfortunately, it has also become non-bootable.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: 18 Aug 92 12:47:18 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: victor charlie (PC)

james.roy@synapse.isis.org (James Roy) writes:

> It takes a radically different approach to virus control than McAfee's
> products. It is a generic product which looks for virus activity and
> can detect all viruses even those previously unknown.

It is very dangerous to make claims that a single anti-virus program is able (in its current state) to detect any possible viruses - including the currently unknown ones... In all cases I have seen, programs which made such claims could be easily bypassed just by a combination of the currently existing virus techniques. Some of them could be bypassed even by some of the existing viruses...

> - a quick (3 second) routine which runs bait files and checks key
> files and areas to detect active viruses.

This can be circumvented in different ways:

1) The "bait file" technique is not able to detect boot sector infectors, non-resident, or companion viruses.

2) If the names of the generated bait files are easily predictable, a targeted virus can easily avoid infecting them.

3) A virus which infects only sometimes, or only files with particular properties, may just not want to infect the bait files.

> Once detected the signature
> of the virus is captured in real time and a reboot is forced to purge
> it from memory.
> Because of this feature you do not have to depend on
> updates from the developer nor risk extensive damage to your files due
> to a virus unknown to the version of the scanner you have;

This method (on-the-fly scan string capturing) fails miserably with polymorphic viruses. As to the damage - if the user is "lucky" enough, the payload of the virus may trigger and cause significant damage - which would not happen, had the virus been previously detected by a scanner.

> - an audit routine that allows you to record encrypted checksums of
> all your executable files and later run a comparison. This will
> detect all changes to files and allow you to track down elusive
> viruses;

An integrity checker, that is. This is a very powerful tool for virus detection, but there are some pitfalls:

1) If an intelligent stealth virus is active in memory during the integrity check, the integrity checker will be unable to spot the modifications.

2) There are several possible virus attacks against integrity checking programs that a virus could use. Companion viruses and DOS-file fragmentation are two of them. Most of these attacks can be easily stopped by the integrity checking software, but the producers of this software must know about them and take some steps to stop them. Sincerely, do you know what the DOS-file fragmentation attack consists in, and does the integrity checking part of your product take care of it?

3) A specific kind of virus - the so-called slow viruses - cannot be stopped by integrity checking programs. I mean, there is no practical way to do it, not that they are theoretically unstoppable. More exactly, I do not know about any practical way to stop them.

> VC is a highly secure product designed to foil viruses which may be
> specifically written to attack it.

Viruses written to specifically attack a particular product usually do not spread very far, but they are particularly dangerous against this product, if they are well implemented.
Why do you think that your product is so secure? What steps does it take to prevent a targeted attack?

> It currently does not use a TSR due to the vulnerability of TSR virus
> monitors to such targeted viruses. VC's checks are easily put into your
> applications menu or batch files which allow it to be run automatically
> (and silently) frequently during your computing day.

A (rather stupid) targeted attack I can think of would be to inspect the programs started from CONFIG.SYS and AUTOEXEC.BAT, "scan" them for the "scan string" of your program, and delete them, or even better - replace them with the virus. BTW, how does your product react if the database of file checksums suddenly disappears? There are at least two viruses which attack integrity checkers in this way, and they do it rather successfully...

> It is, one might say, a scanner in reverse. Rather than relying on
> scanning new files for viruses which the scanner knows about, VC is run
> after a new application is run to see if any viruses have gone active.

Problem is, this is quite unreliable, if the virus is already active and smart enough...

> VC does have a scanner which it updates itself. One can use it for
> scanning new files but it is primarily used for tracking down a
> virus once detected by the method described above.

> Given the stealth viruses and polymorphic viruses which are out there,
> scanners are becoming more and more limited in their effectiveness.

I wholeheartedly agree with the second paragraph, but think that it is in contradiction with the first. Scanning for a "captured" on-the-fly signature is still scanning. OK, this is an "auto-updating" scanner, but it still fails (even more often than the "normal" scanners) with the polymorphic and with some stealth viruses.

Please, do not think that with the above criticisms I am trying to underestimate your product. I agree that it is probably a stronger line of defense against viruses than any scanner-only based defense.
However, I cannot agree with the claims that it can "detect all viruses - known or unknown", although I can accept that it is able to detect whole classes of unknown viruses.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 19 Aug 92 08:06:46 -0500
From: cohen@fitmail.fit.qut.edu.au (Mr Fred Cohen)
Subject: Netware and viruses - some new results (PC)

At QUT, we have set up an experimental network to test viruses in networked environments, and the first results have just come in - unbelievable! I will be talking about this at length at the Virus Bulletin conference in a few weeks, but I thought Virus-L readers would like to hear a bit before that.

Test 1: Exhaustive test of netware protection settings on files and directories against common viruses.

Result: Only 3 of the 15 bits provide any protection - Execute ONLY? NO GOOD!!! Read ONLY? NO GOOD!!!

Result: Novell manuals are completely backwards in their depiction of the rights granted through inheritance!!! If you follow the manual, you get wiped out!

Test 2: Exhaustive testing of Unix based server - still underway

Test 3: Same for OS/2 LAN Manager - to be reported at conference

Other tests? Let me know what you want to know, and I will try to do it ASAP

Conclusion: It is almost impossible to manage netware for safety against viruses, but it is probably possible if you are a GOOD ENOUGH sys admin.

More conclusions to follow as they become available.

FC

------------------------------

Date: Tue, 18 Aug 92 23:42:03 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: Re: help, high weirdness (PC)

hurd@sfu.ca (Peter L. Hurd) writes:
>Hi, I've been having strange hassles with my machine lately, symptoms
>include;

>1) Inability to boot from a floppy. It boots from c: always, no error
>message if I leave a non-bootable floppy in there, and no booting from
>a bootable.

What kind of a computer do you have? Several models have CMOS/BIOS options which allow you to disable floppy booting, or to "boot" from the B: drive.

>2) Keyboard spaceyness, it gets to thinking that the shift is down, so
>even numbers show up as @#$%^, and the alt ,and ctrl keys don't quite
>do what I expect them to (usually happens in WP5.1)

This is very widely known and seen behaviour, and I see it myself more often in Word Perfect than in other programs. (Mind you, I use WP a *lot*.)

>3) My default settings in WP5.1 just reset, my Canadian WP expects US
>lexicon, and other things reset to original.

Again, this is a very common problem. All you have to do is go back into the "initial setting" setup and tell it that you want to use the UK language modules. (If it doesn't find this info, it "defaults" to the US files.)

>4) QEMM sent me this error twice when loading F-PROT (or was it
>VIRSTOP?)

We've had a report about this type of thing, and I believe frisk is working on it.

>5) VSHIELD sent me this once
>
>VSHEILD 4.9V93
>Sorry an impossible internal error occurred
>Error code is 8522

Only once? How often do you use it (i.e. boot up)?

>6) F-PROT 2.04b and Scan 93 find nothing, although vshield found an
>[emp] on a floppy and f-prot concurred, but I think I got that one
>before it had a chance to do anything. F-prot heuristic search
>reports that the shareware utility Directory control DC106f.zip
>searches for executables.

Well, that sounds like a reasonable thing for a disk/program manager to do.

>Is it viral? ( He asks the impossible to answer question )
>thanks for any help or advice.

Nothing you have said so far sounds like there is any viral activity.
>- -- Pete Hurd, hurd@sfu.ca
>Behavioural Ecology Research Group
>Dept.Biol.Sci., Simon Fraser Univ.

Check with Bill Kloubek or myself.

=============
Vancouver      ROBERTS@decus.ca     | "Remember, by the
Institute for  Robert_Slade@sfu.ca  | rules of the game, I
Research into  rslade@cue.bc.ca     | *must* lie.  *Now* do
User           p1@CyberStore.ca     | you believe me?"
Security       Canada V7K 2G6       |        Margaret Atwood

------------------------------

Date: 19 Aug 92 06:30:03 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: 4096 (frodo) false alarm? (PC)

nyh@gauss.technion.ac.il (Nadav Har'El) writes:

> I tried using a disk optimizer like Aryeh Goretsky suggested, but it
> didn't help. Does anyone know of a program to clear every unused
> portion of the disk (i.e. parts of sectors after eof, and totally

Try the Norton Utilities package from Symantec. The program WipeInfo from version 6.0 of the package has an option to "wipe the slack space of the disk" (as opposed to wiping the non-allocated disk space, which is also supported). It does exactly what you want.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 19 Aug 92 10:53:41 +0000
From: jody@lib.haifa.ac.il (Yosef Branse)
Subject: Need Advice on Evaluating and Ordering Antivirus Software (PC)

I am not very knowledgeable about computer viruses, but I need some advice regarding antivirus software from an administrative angle. I want to install such software in the library's ATs, a number of which are in a public area for searching CDROM databases. We have had several incidents of viruses getting into the hard disks via the diskettes used for downloading the results of searches.
(I can't write protect the hard disk, because then the CDROM search software fails; it needs to write to the disk.)

I currently have McAfee's VSHIELD (version 89) installed at these sites, and it works well, as far as I can tell. I know how to use SCAN and CLEAN when an infection occurs.

I understand that in order to make the installation legal, I'll need a site license. Since I am just a small cog in a large institution, that means a formal purchase request, and I may need to justify the selection. This brings me to my main question: what evaluation criteria are used in selecting antivirus software? Are there studies available - a la Consumer Reports - of the various programs, recommending the best ones? I am satisfied with the McAfee product, but I have access to FPROT and could obtain others if need be.

Price, of course, is another concern. How do the various packages compare in terms of their charges for site licensing? Do they offer special rates for academic institutions?

Any information or references to previous material - whether in published form, or available via E-mail or FTP - would be greatly appreciated. I don't need an extensive technical analysis of any program, just an overall evaluation of its efficacy and price-worthiness.

Thank you

****************************************************************************
* Yosef (Jody) Branse            University of Haifa Library               *
*                                Mt. Carmel, Haifa 31905, Israel           *
*                                Tel.: 972 4-240288                        *
*                                FAX: 972 4-257753                         *
*   Israeli U. DECNET: HAIFAL::JODY                                        *
*   Internet/ILAN:     JODY@LIB.HAIFA.AC.IL                                *
****************************************************************************

------------------------------

Date: 19 Aug 92 15:18:56 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: F-Prot 2.04c (PC)

gerald@vmars.tuwien.ac.at (Gerald Pfeifer (Prak Gusti)) writes:
>Three days ago I downloaded F-Prot 2.04c (fp-204c.zip) from the net.
>The 'Program - Performance' info in the interactive shell boasts a
>much higher number of viruses and virus-families to be detected than
>under version 2.04a. The documentation, however, does *not* mention
>any advances/extensions/... (The documentation files seem to be
>nearly unchanged since 2.04a)

It is unchanged - I only change the "new.xxx" file for the major versions - that is, it will be changed for 2.05. However, please note that 2.04c is not an official release, and was not supposed to be widely distributed.

And yes, I have indeed added over 100 new viruses since 2.04..

- -frisk

------------------------------

Date: 18 Aug 92 19:41:43 +0000
From: ygoland@edison.SEAS.UCLA.EDU (The Jester)
Subject: os/2 changes to boot sector (OS/2)

(Note: This post is being crossposted to comp.os.os2.apps and comp.virus in the hopes that one, or both, of the two groups can be of service)

I currently run a program called 'Integrity Master' by Wolfgang Stiller. Among other things, this program checks the boot sector of each partition against a copy it made of the partition, to detect any changes.

My hard drive is a 210 Western Digital pyranna(sp) which is currently set up with three partitions:

OS/2 Boot Manager Partition - A 1 meg partition
Dos Partition - A 1 meg partition
FAT/HPFS - I have one last partition which is 200 or so megs and is then subdivided into two logical partitions, the first is FAT and the second is HPFS.

For further reference partitions and logical partitions will be referred to as follows:

C Drive - The 1 meg dos partition
D Drive - The first logical drive in the last partition, it is of type FAT.
E Drive - The second logical drive in the last partition, it is of type HPFS.

My Problem is as follows: When I run IM (Integrity Master) under os/2 to initialize the boot sector, I don't have any problems. However if I then change to dos, dos will say that the D drive boot sector has changed!
In addition it will say that there is a self executing program in my D drive dos boot sector! In addition if I then do NOT re-initialize my data (i.e. it's still comparing my current boot sector to the picture it has in its memory) and return to os/2, IM will still say that there is a problem!

Matters are further complicated by the fact that I just had a cmos failure. The specific failure was that my hard drive and both my disk drive settings were set to 'disabled'. This could very well be a battery failure (even though I've only had the mother board for 6 months) and I am getting a battery pack to take care of that eventuality.

Finally, thinking that this was all very strange, I ran scan 93 which reported that everything was fine. In addition, other than my mysterious cmos erasures, I have not had any problems running dos, os/2, or any of my applications.

My Question is as follows: Does os/2 change the boot sector of drives under its control? In addition, I understand why my first 1 meg, boot manager, partition would have a self booting program in it but why should my D drive have one? Os/2 does NOT boot from D drive and dos boots from C drive! So should there be a self running program on my D drive? I'm very concerned as this sort of activity is standard viral activity.

And finally, is there any known virus which targets cmos and clears out sections of it?

Thank you for all help, answers can be posted or mailed to me as I am an avid reader of both groups and I regularly read my mail.

Thanks again,
Yaron (The Jester) Goland

- --
"Only the blind see in color."
"Any union based upon pigment is foolish ignorance designed to give power to those few who enjoy power's taste above the common welfare."

------------------------------

Date: Wed, 19 Aug 92 05:15:31 -0400
From: Stefano Toria
Subject: Virus questionnaire, pls

I am planning to set up a survey to obtain some information on the extension and characteristics of the virus problem in Italy.
The idea would be to gather figures on facts such as:

- - number of reported events
- - number of affected PCs
- - means of identification of the viral nature of the event
- - reported strain and variant
- - nature, extension and cost of the cure
- - etc.

Putting into practice one of Rob Slade's pieces of sound advice on prevention, I have already assumed that I am going to fail :-) i.e. that I am going to have a response rate <= 0.1% after the third poll.

But I wish to go on anyway; the question is where can I obtain (by e-mail or ftp, if possible) information that I can use to set up a good questionnaire without having to start from scratch and re-invent the wheel. I know for sure that this kind of survey is being regularly performed somewhere in the world; the ideal thing would be to lay my hands on a question sheet for one of the latest issues.

My total, eternal gratitude :-) shall go to anyone who shall provide even the leanest shred of help on the subject.

Stefano Toria

- - ------------------------------------------------------------------------
Stefano Toria             | MC-link, Rome, Italy  | "Rejoice, my child: this is a sweet state,
Voice: (+ 396) 4180300    |                       |  a joyful season"
Fax:   (+ 396) 8413057    |                       |
- - ------------------------------------------------------------------------

------------------------------

Date: Tue, 18 Aug 92 10:06:43 -0400
From: "Olivier M.J. Crepin-Leblond"
Subject: Re: Jerusalem virus (CVP)

Y.Radai denies ever objecting to the name "Israeli" virus but remembers objecting to the name PLO given to the virus by some people. I remember his message regarding the above. The coincidence of dates was due to the triggering of the virus on Friday 13th. It was finally agreed that political issues regarding Israel and the middle east in particular were to be ignored in this case, because there was no evidence (and there still isn't any) that the virus was written for political purposes.
In fact, some pointers now show the origin of the virus to be Italy - not at all the same part of the world.

Moral of the story: a new virus can be isolated in a different country than where it originated.

PS. I was indeed surprised when Padgett advanced the theory of anti-semitism, which I had never heard of before. Maybe the ":-)" had something to do with it...

O.

- --
Olivier M.J. Crepin-Leblond, Digital Comms. Section, Elec. Eng. Department
Imperial College of Science, Technology and Medicine, London SW7 2BT, UK
Internet/Bitnet:  - Janet:

------------------------------

Date: Wed, 19 Aug 92 11:25:06 -0400
From: James Ford
Subject: New Uploads on risc (PC)

Two files have been uploaded on risc.ua.edu (130.160.4.7) in the directory /pub/ibm-antivirus:

File validation info: (size/date/val1/val2)

htscan18.zip   103,976   8-13-1992   2B21 1E71   (replaces htscan17.zip)
vsig9207.zip    29,352    8-2-1992   C16E 135D

(This VSIG9207.ZIP should just replace the previous vsig9207.zip, the only difference being the 'forgotten' safety-checksum).

- ----------
If I had my life to live over again, I'd make the same mistakes sooner.
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
jford@ua1vm.ua.edu, jford@seebeck.ua.edu
Work (205)348-3968   fax (205)348-3993

------------------------------

Date: Tue, 18 Aug 92 13:49:43 -0700
From: Richard W. Lefkon
Subject: Preliminary Conference Announcement

(preliminary announcement 8/92)

SIXTH INTERNATIONAL COMPUTER VIRUS & SECURITY CONFERENCE
WED-FRI MARCH 10-12, NEW YORK'S PENN STATION RAMADA AND THEATRE MARRIOTT

Spons. by DPMA Fin. Ind. Ch.
in coop with ACM-SIGSAC, BCS, CMA, Computerworld, COS, EDPAA/ph, ISSA/ny, IEEE-CS

GROUP PRICES:
$975 for FOUR registrants (one new)
$1185 for FOUR registrants (all first time attendees)
$178 on-site nightly lodging for FOUR (2 rooms)
(individual registration - divide by 3)

5 TRACKS - 53 VENDORS - 91 SPEAKERS - Learn the Latest Practical Expertise
Concentrations include CIO/SVP, LAN, Technical/Research, Justice, Telecom
Every Registrant Receives 800+ Page Complete Bound Proceedings

Session speakers and chairs include Klaus Brunnstein (Hamburg), Fred Cohen (ASP), Tom Duff (AT&T), Harold Highland (Compulit), Stuart Katzke (NIST), Karl Levitt (Davis), Guillermo Mallen (Mexico), Bill Murray (Deloitte), Eiji Okamoto (Japan), Jane Paradise (Apple), Donn Parker (SRI), Padgett Peterson (Martin-Marietta), Gene Spafford (Purdue), Gail Thackeray (Phoenix), Ken van Wyk (CERT/CMU), Bill Vance (IBM).

To learn about the other 74 speakers (papers are still arriving), please
WRITE: Ides of March Conference, Box 894, New York, NY 10268
CALL: (800) 835-2246 x190
FAX: (303) 825-9151
E-MAIL: jsb@well.sf.ca.us

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 141]
******************************************
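Two of Vesselin Bontchev's replies in this digest ("Is "Bloody" a virus?" and "Strange MBR") turn on reading a master boot sector: a Stoned variant lives in the MBR, and Philip Smolen's first 16 bytes begin with EA 05 00 C0 07, a far jump to 07C0:0005, the pattern Bontchev identifies as typical of a Stoned-infected sector. The parser below is an added example written for this page; it is not code from the digest, from any poster, or from any product named here. It builds its own sample sectors (the quoted 16 bytes padded to 512 bytes with a constructed partition table, and the ordinary MS-DOS MBR prologue cli / xor ax,ax / mov ss,ax / mov sp,7C00h as the known-good comparison), so it runs offline. The function names `make_sector`, `decode_first_instruction` and `parse_mbr` are chosen here, not taken from any tool. It decodes the 0xAA55 boot signature, the four partition entries and the entry instruction, and lists what a defender should check against a known-good sector before trusting the disk.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446                  # partition table: 4 entries of 16 bytes
ENTRY_FMT = "<B3sB3sII"             # boot flag, CHS, type, CHS, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"        # bytes 510-511; the BIOS will not boot without it

# The 16 bytes quoted in the "Strange MBR" post.
STRANGE_MBR_PREFIX = bytes.fromhex("EA 05 00 C0 07 E9 99 00 02 6F 79 00 F0 E4 00 80")
# Prologue of the ordinary MS-DOS master boot record
# (cli / xor ax,ax / mov ss,ax / mov sp,7C00h), used as the known-good reference.
DOS_MBR_PREFIX = bytes.fromhex("FA 33 C0 8E D0 BC 00 7C")


def make_sector(code_prefix, partitions=(), with_signature=True):
    """Constructed 512-byte sector: code prefix, zero padding, partition
    entries given as (active, type, start_lba, sectors), and the signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code_prefix)] = code_prefix
    for i, (active, ptype, start_lba, sectors) in enumerate(partitions[:4]):
        # CHS fields are left zero; the parser below reports LBA values only.
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         start_lba, sectors)
    if with_signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def decode_first_instruction(code):
    """Decode just enough 8086 to name the entry instruction of the sector."""
    op = code[0]
    if op == 0xEA:                                   # jmp far seg:off
        off, seg = struct.unpack_from("<HH", code, 1)
        return f"jmp far {seg:04X}:{off:04X}"
    if op == 0xE9:                                   # jmp near rel16
        rel = struct.unpack_from("<h", code, 1)[0]
        return f"jmp near {rel:+d}"
    if op == 0xEB:                                   # jmp short rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return f"jmp short {rel:+d}"
    if op == 0xFA:
        return "cli"
    return f"opcode {op:02X}"


def parse_mbr(sector):
    """Report boot signature, entry instruction, partition table and the
    points a defender should compare against a known-good sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    report = {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
              "first_instruction": decode_first_instruction(sector),
              "partitions": [], "notes": []}
    for i in range(4):
        flag, _, ptype, _, start, size = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                                 # empty slot
        report["partitions"].append({"index": i, "active": flag == 0x80,
                                     "type": ptype, "start_lba": start,
                                     "sectors": size})
        if flag not in (0x00, 0x80):
            report["notes"].append(f"partition {i}: invalid boot flag {flag:02X}")
    if not report["signature_ok"]:
        report["notes"].append("missing 0xAA55 boot signature: the BIOS will refuse to boot this disk")
    if sum(p["active"] for p in report["partitions"]) != 1:
        report["notes"].append("not exactly one active partition")
    if sector[0] == 0xEA:
        report["notes"].append("entry is a far jump rather than the usual cli/xor prologue: "
                               "compare the sector with a known-good MBR")
    return report


if __name__ == "__main__":
    table = [(True, 0x06, 63, 409_000)]              # constructed FAT16 entry
    for label, prefix in (("strange", STRANGE_MBR_PREFIX), ("dos", DOS_MBR_PREFIX)):
        print(label, parse_mbr(make_sector(prefix, table)))
```

On a real machine the sector to feed `parse_mbr` is the first 512 bytes of the physical disk, read from a clean boot diskette so that no resident stealth code can hand back a forged copy; the "far jump" note is a prompt to compare, not a verdict, since legitimate loaders can also start that way.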
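Bontchev's reply on Victor Charlie lists the pitfalls of integrity checking that a product must handle: a companion virus that drops a .COM beside a known .EXE (DOS resolves NAME to NAME.COM before NAME.EXE, so the companion runs first), and a virus that simply deletes the checksum database. The checker below is an added example written for this page; it is not Victor Charlie's code, Integrity Master's code, or Bontchev's. It assumes keyed HMAC-SHA256 checksums (the digest does not say what any product uses), authenticates its own database, treats a vanished or altered database as an alarm rather than as a fresh start, and flags companion files. The names `DB_NAME`, `build_baseline`, `verify` and `demo` are chosen here; `demo()` builds a constructed directory in a temporary folder to show a clean run, an infection plus companion, and the missing-database case. As Bontchev notes, none of this helps while a stealth virus is active in memory, so such a check belongs after a clean boot.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

DB_NAME = "INTEGRITY.DB"                       # hypothetical database file name
EXECUTABLE_SUFFIXES = {".exe", ".com", ".sys", ".ovl"}


def file_mac(path, key):
    """Keyed hash of the file contents: without the key a virus cannot
    recompute a matching value after it has modified the file."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_executables(root):
    """Map relative name -> Path for every executable under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}


def db_mac(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_baseline(root, key):
    """Record size and keyed checksum of every executable, then sign the
    database itself so that edits to the database are detected too."""
    entries = {name: {"size": p.stat().st_size, "mac": file_mac(p, key)}
               for name, p in scan_executables(root).items()}
    db = {"entries": entries, "mac": db_mac(entries, key)}
    (Path(root) / DB_NAME).write_text(json.dumps(db))
    return entries


def verify(root, key):
    root = Path(root)
    report = {"status": "OK", "modified": [], "missing": [],
              "added": [], "companions": []}
    db_path = root / DB_NAME
    if not db_path.exists():
        # A vanished database is itself an attack indicator, not a fresh start.
        report["status"] = "ALARM: checksum database missing"
        return report
    db = json.loads(db_path.read_text())
    if not hmac.compare_digest(db.get("mac", ""), db_mac(db["entries"], key)):
        report["status"] = "ALARM: checksum database tampered with"
        return report
    baseline = db["entries"]
    current = scan_executables(root)
    for name, rec in baseline.items():
        p = current.get(name)
        if p is None:
            report["missing"].append(name)
        elif p.stat().st_size != rec["size"] or file_mac(p, key) != rec["mac"]:
            report["modified"].append(name)
    # Companion check: a new .COM whose stem matches a recorded .EXE.
    exe_stems = {Path(n).with_suffix("").as_posix()
                 for n in baseline if n.lower().endswith(".exe")}
    for name in sorted(set(current) - set(baseline)):
        report["added"].append(name)
        if name.lower().endswith(".com") and Path(name).with_suffix("").as_posix() in exe_stems:
            report["companions"].append(name)
    if report["modified"] or report["missing"] or report["companions"]:
        report["status"] = "ALARM: changes found"
    return report


def demo():
    """Constructed scenario in a temporary directory (the files are not real programs)."""
    key = b"constructed-demo-key"           # in practice kept on a write-protected diskette
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "PROG.EXE").write_bytes(b"MZ" + b"\x90" * 100)
        (root / "UTIL.EXE").write_bytes(b"MZ" + b"\xcc" * 50)
        build_baseline(root, key)
        clean = verify(root, key)
        # Simulated infection: PROG.EXE grows, and a companion PROG.COM appears.
        with open(root / "PROG.EXE", "ab") as f:
            f.write(b"\xeb\xfe" * 8)
        (root / "PROG.COM").write_bytes(b"\xeb\xfe")
        infected = verify(root, key)
        # Simulated attack on the checker: the database is deleted.
        (root / DB_NAME).unlink()
        gone = verify(root, key)
    return clean, infected, gone


if __name__ == "__main__":
    for label, r in zip(("clean", "infected", "db deleted"), demo()):
        print(f"{label}: {r}")
```

The database is signed with the same key as the files, so replacing it with one that matches an infected set fails the `compare_digest` check unless the attacker holds the key; the slow-virus and DOS-file-fragmentation cases Bontchev raises are not addressed here, which is exactly his point about product claims.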