From lehigh.edu!virus-l Mon Nov 30 16:43:34 1992
Date: Mon, 30 Nov 1992 09:35:48 -0500
Message-Id: <9211301342.AA02696@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #189
Status: R

VIRUS-L Digest    Monday, 30 Nov 1992    Volume 5 : Issue 189

Today's Topics:

    Reviewing reviews (PC, probably)
    norton antivirus bbs (PC)
    Brain Viruses (PC)
    Windows Virus?? (PC)
    New Mutation Engine. (PC)
    Untouchable (PC)
    Antiviral SW leftovers (PC)
    "FORM" virus (PC)
    VSUM Listing (PC)
    Re: Plague Virus Information??? (PC)
    NEW VIRUS, named COLLEGE (PC)
    Help Bugs in DOS (PC)
    Scanner Wars (was MtE Wars) (PC)
    SCAN 99 and MtE detection (PC)
    ViruScan v99 and OS/2 (OS/2)
    Potentially stupid question (OS/2) (PC)
    German FAQ
    Dr. Cohen's Comments (was: Mr. Slade's Listings)
    Index to files on anti-virus sites?
    MtE detection tests (part 5/5) (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 20 Nov 92 18:55:32 -0800
From: rslade@sfu.ca
Subject: Reviewing reviews (PC, probably)

I note a posting through Newsbytes today, regarding an announcement by International Data Security (whose initials, interestingly, turn out to be IDC), ranking the world's antiviral software. Now, I don't know how badly this got garbled by Newsbytes, but we only have Dr. Sol's AVT, CPAV, NAV, and McAfee listed. McAfee gets off with highest marks at 95%. The tests were supposed to have been conducted over 15 months by Virus Bulletin, VSUM library, NCSA (ah, but which one?) and the Hamburg Virus Test Center (Vesselin?).

(Sorry, McAfee got 97%. It was the only one that got more than 95% is what the report says.)

Although IDC is reporting this as "test results", it looks an awful lot like they just went and added up everyone else's results.

==============
Vancouver      ROBERTS@decus.ca      | "Don't buy a
Institute for  Robert_Slade@sfu.ca   |  computer."
Research into  rslade@cue.bc.ca      |     Jeff Richards'
User           p1@CyberStore.ca      |     First Law of
Security       Canada V7K 2G6        |     Data Security

------------------------------

Date: Sat, 21 Nov 92 23:11:17 -0500
From: gene shackman
Subject: norton antivirus bbs (PC)

Hello, I am trying to update my Norton Antivirus program. I want to call their Symantec BBS to get the most recent virus definitions file, and the phone number I have is (408) 973-9834 for the 9600 baud line. I can't seem to connect, however. Is there a different number at this time?

Thanks,
Gene Shackman
LAN Supervisor
Sociology
SUNY at Albany
GS6206@albnyvm1

------------------------------

Date: Sun, 22 Nov 92 07:35:41 +0000
From: ec49726@uxa.cso.uiuc.edu (Manny DeSoto)
Subject: Brain Viruses (PC)

Hi, I'm new to this newsgroup and I don't read it often. Further yet, I am not very updated on viruses in the 90's. At any rate, I just wanted to know what a "brain virus" is and how it differs from a "normal" virus.
All responses are welcome. Please email direct. Thanx in advance!

Manny DeSoto                                   | Life is what happens while
NREMT-A, CPR - Instructor American Red Cross   | you're making other plans.
University Of Illinois @ Urbana - Champaign    |
Illini Emergency Medical Services              | ec49726@uxa.cso.uiuc.edu

------------------------------

Date: 22 Nov 92 16:50:26 +0000
From: gt0201g@prism.gatech.edu (Cynthia Hsin-I Lin)
Subject: Windows Virus?? (PC)

I've been having some problems with my MS-Windows and I am wondering if it is a virus. Lots of my Windows icons had changed for no reason. I have no way to change my icon back. I did File-Properties-Change Icon: the icon shown selected is the correct icon, but it did not display the correct icon. The first icon I noticed was for Excel: I have a yellow round face with red triangle eyes. It looks very evil. More than half of my icons changed. Does anyone have the same problem? NAV, SCAN, CPAV did not detect any presence of a virus. Is a Windows virus different from DOS? Is there an anti-virus program for Windows viruses? Please help.

Cindy

- --
Cynthia H. Lin
Georgia Institute of Technology, Atlanta Georgia, 30332
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!gt0201g
Internet: gt0201g@prism.gatech.edu

------------------------------

Date: Sun, 22 Nov 92 13:18:08 -0500
From: Darryl Burke
Subject: New Mutation Engine. (PC)

I have come across a new version of the mutation engine, version 1.0B. It's the same concept as version 9.1b. Does anyone have more information on this little sucker??? Are there any "Scanners" that will detect this new version?

Darryl Burke.
Acps7115@ryevm.ryerson.ca
dburke@maple.scs.ryerson.ca

------------------------------

Date: Sun, 22 Nov 92 21:42:05 +0000
From: cs105ta2@scs.carleton.ca (Rick Wirthlin)
Subject: Untouchable (PC)

I was wondering if anyone else is using the Untouchable virus scanner and how they find it.
Any comments on this package would be appreciated as I have some concerns about its ability to detect new viruses.

Rick Wirthlin
Carleton University
School of Computer Science
Internet: cs105ta2@turing.scs.carleton.ca
specify full return address as a lot of my mail gets lost in the computer void....

------------------------------

Date: Mon, 23 Nov 92 13:12:04 -0500
From: Luca Parisi
Subject: Antiviral SW leftovers (PC)

Hello Virus-L-ers,

I've read the list for some months and I've found here answers to many of my questions about viruses, but I'm afraid I have some more left...

I received a phone call today (from a virus-aware PC user) saying:

"I've had some random problems on my PC and wondered if some virus could be responsible for this. The scanners I used (McAfee & F-Prot) couldn't find anything, but they are getting oldish. I also poked around with PCTools, and found a strange repeating pattern in the slack space of many .EXE files. It contains something like 'Carmel SW' and a copy of the 'MZ' signature, not the usual garbage... While I get up-to-date scanners, do I need to panic?"

Since I know of no viruses made by Carmel SW, but I've found it in the contacts list as an ANTI-virus producer, I guessed that it was a "leftover" from their Turbo Anti-Virus integrity checker module. The only problem is the user swears he has NEVER used Turbo A-V, but that's his business ... :-)

Question #1: Is my guess about Turbo A-V right?

Question #2: Assuming I can't buy all the Anti-viral SW currently on the market, is it possible (wise?) to have a synopsis of the various "leftovers" that I can find on a HD on which a virus-buster has been before me, like this?:

  . *.CPS hidden Files                   -> CPAV was used here
  . 77-bytes *._XE, *._OM Files          -> NAV
  . 10 bytes file growth, fixed trailer  -> McAfee's Scan /AV

(possibly more detailed?)

Question #3: Am I asking the right things in the right place? :-)

Thanks,
Luca.
Luca Parisi (MC1980@mclink.it)

------------------------------

Date: Mon, 23 Nov 92 22:23:05 +0000
From: m4tangla@student.business.uwo.ca (Michael Tanglao)
Subject: "FORM" virus (PC)

I am currently having problems getting rid of the "FORM" virus from our LAN sys. Does anyone know anything about this virus? Norton Anti-Virus does not seem to eliminate it, although F-prot does. I am using F-prot on all the stations, so I thought I had taken care of it. Unfortunately, some bizarre disk errors have occurred recently. Does anyone know anything about what this virus does? Are there Norton virus definitions available for it?

Please send all replies to lawphf@ccs.cc1.uwo.ca.

Thanks.

m4tangla@student.business.uwo.ca (Michael Tanglao)
Western Business School -- London, Ontario

------------------------------

Date: Sat, 21 Nov 92 17:49:00 +0000
From: Eyal_Horn@f202.n9721.z9.virnet.bad.se (Eyal Horn)
Subject: VSUM Listing (PC)

Hello Scott,

Saturday November 14 1992, Scott Begin writes to All:

SB> I have heard reference to the VSUM listing as a reference on the
SB> characteristics of viruses. I know I can download it off the McAfee
SB> BBS and that it is a HyperText document, but I have never worked with
SB> HyperText. I know it is some sort of database, but nothing more than
SB> that. Once I would download the VSUM listing, what software would I
SB> need to use it? Will this software run on an 8088 or a 286/386 with
SB> nothing more than Hercules Graphics? Where can I get a copy of the
SB> software? Do I even have everything right about the VSUM listing?

You don't need any special program to use the VSUM listing. Everything you need is contained inside the archive itself.

Eyal Horn, The SysOp of Off-Hook ][.

- ---
 * Origin: Off-Hook ][,Israel,+972-3-5030873,24Hrs,9600,8N1,MNP9 (9:9721/202)

------------------------------

Date: Tue, 24 Nov 92 22:27:00 +1000
From: OLEARYM@qut.edu.au
Subject: Re: Plague Virus Information???
(PC)

Hi folks,

Just finished reading an old computer magazine which claims that a Brisbane virus "expert" created the plague virus. I thought this virus was created in the USA. Any information on the accuracy of this report or on the plague virus would be appreciated.

- ---------------------------------------------------------------------------
AARnet Address: m.oleary@qut.edu.au
===========================================================================

------------------------------

Date: Tue, 24 Nov 92 12:28:29 -0500
From: RICHARDS@nrcbsc.nrc.ca
Subject: NEW VIRUS, named COLLEGE (PC)

I just received this notice this morning on our internal net at the National Research Council of Canada. Algonquin is a Technical College in Ottawa, Canada. Will try to get more information to forward.

- ------------------------------------------------------------------------------
FORWARDED FROM: Holmes, Randy

FROM: Blouin, Peter
DATE: 11/24/92 08:59
TO: Holmes, Randy
    Toews, Bob
CC:
SUBJECT: NEW VIRUS IN TOWN
PRIORITY:
ATTACHMENTS:

This notice was passed on to me from Jim Keller of the Structures and Materials Lab. Please let your users know.

The RCMP has reported that a new virus has been developed at Algonquin College and is now spreading throughout town. It is known as the "COLLEGE" virus and may not yet be detected by our anti-virus software. The officer interviewed had lost his hard disk while investigating the virus.

I strongly urge that everybody routinely backup important files using the tape backup available or diskettes and avoid "free" data or software which may have originated at the college or outside NRC.

------------------------------

Date: Tue, 24 Nov 92 20:20:41 +0000
From: khaw@eagle.sangamon.edu (Thiam Khaw)
Subject: Help Bugs in DOS (PC)

[ Article crossposted from comp.os.misc ]
[ Author was Thiam Khaw ]
[ Posted on Sun, 22 Nov 1992 21:52:25 GMT ]

It was brought to my attention from a friend of mine that there were some bugs when using the ATSPEED.COM.
Apparently, instead of speeding up the repeat keystroke of the PC, the corrupted program (ATSPEED.COM) will delete the Config.sys file in the PC. The next time the PC is started, normal applications such as Windows do not work. Making the Config.sys read-only does not help at all either.

The following changes have been noted externally:

i)  the attribute of ATSPEED.COM has been changed to make it Read-Only and Hidden.
ii) the size of the file has increased from 214 to 342 bytes and the date/time created from 06-12-88 5.54 p.m. to 01-01-99 12:59p.

Well, I need your help to solve this. Any ideas? If you do, please e-mail to me directly.

Thanks.
khaw@eagle.sangamon.edu

------------------------------

Date: Tue, 24 Nov 92 16:14:25 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Scanner Wars (was MtE Wars) (PC)

IMHO what we are seeing is the final breakdown of the scanner as the first line of defense that was predicted in these (electronic) pages over two years ago. The simple volume of viruses, encrypted or not, is getting out of hand.

In the meantime, the integrity managers continue to languish on the shelf. There are several which meet my requirements for notification when needed, keeping quiet when not, some of which I have been using for some time: Enigma-Logic's PC Virus-Safe, Dr. Panda's Physical, and Leprechaun's Virus Buster. I have not had the opportunity to try Fred's ASP but have no reason to doubt its effectiveness.

You never see these advertised and they are rarely part of popular magazine shoot-outs, yet they are effective in ways that simple scanners are just beginning to appreciate (McAfee's VSHIELD comes close but is still missing some key elements).

The big difference? Each has a TSR that is really a change monitor and each keeps a record in a single location of changes (an audit trail).
Where most systems are just a snapshot of *now*, these allow you to analyze what has gone before, often an essential clue in fast identification and recovery. These are the "something" detectors that are essential in determining that changes have occurred and each has the capability to check every file on the disk for changes as well as unknown files.

Your scanner says the MtE is present? A change detector will identify every file that has changed - not identify the infection but will identify the change. Worried about Commander Bomber? The file changed.

Not to say that there are not caveats and performance hits, but these can be minimal. As far as I am concerned, this kind of layered approach is the only effective answer and if used effectively, the pressure will be off the scanners to perform with blinding (and careless) speed.

However the market is speaking (from ignorance). Integrity managers are languishing and the colorful scanners with nice GUI pop-ups are selling while the people with the answers that do not need updates are having to let people go and are not being able to create the Windows/OS2/Unix answers that are going to be needed in a year or two (some do work under Windows but more because they do not try to be fancy, rather just report when necessary). Have yet to see something that reconnects each Window.

NLMs are a case in point. The ones I have seen are nothing more than glorified scanners that detect infections on the LAN only after it has taken place (failed attempts are not noted). From the way they act, it seems as if someone just took a MS-DOS engine and replaced the DOS calls with Netware ones, making no use of the dual state nature of a client-server pair.
The BIOS level is even easier to work in yet now we are down to just one anti-viral of any kind (and it is not a scanner) other than my own technology demonstrators - after almost three years the only people who seem unafraid other than Andy Hopkins are AMI, Phoenix, and Western Digital - not vendors that you normally think of in terms of anti-virus.

The simple fact is that it is trivial to write a virus to get around a scanner and only slightly more difficult to get around all of the common ones. At the same time it is very difficult to write an intrusion program that can get around a good layered set of integrity management routines.

As far as hardware is concerned, selection of the boot drive (C:) is sufficient. If you really want to boot from a floppy, 20 bytes in the MBR (software) will let you hold down the Ctrl key while booting to redirect the boot to A: instead of C:. A few more bytes and you can restore the interrupt table even if you do manage to become infected first. In a single state machine a virus cannot protect itself any more than a program can. "Turing" works both ways.

When you have a physical control problem or detecting intrusion immediately is not enough then write protecting the disk is necessary. Roger Thompson (Leprechaun again) has a nice hardware device that goes in an IDE cable and lets you use the keyboard lock switch to do the same thing to a partition. For an RLL, MFM, or SCSI drive, a simple spdt switch, a 10k resistor, and a bit of wire is all that is needed (keyboard lock switches are usually spst). Not necessarily appropriate for a standalone, but to be able to write protect all elements on a server other than the network directories themselves is an elegant solution and even an ST-412 drive is big enough for the MS-DOS part of a multi-gigabyte server.
So you see that you must be able to escalate the response to match the threat; for a server, a bit more investment and protection is appropriate but for normal PCs, boot selection and some simple integrity software is very difficult to defeat.

IMHO scanners belong on write protected maintenance disks and stand-alones used for screening of new software, not on workstations. However "Ten million lemmings can't be wrong."

Warmly,
Padgett

------------------------------

Date: 24 Nov 92 20:59:45 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: SCAN 99 and MtE detection (PC)

Hello, everybody!

As soon as the new version (99) of McAfee Associates' VIRUSCAN was officially available, I downloaded it directly from their anonymous ftp site and repeated the MtE detection tests with it. Here are the results.

Program: SCAN 99

Actually, the above should read "NETSCAN 99B". We keep our replicants of MtE-based viruses on a Novell NetWare server (they occupy more than 60 Mb). As you all know, SCAN is not supposed to work with networks; you must use NETSCAN to scan them. However, I had forgotten that, and SCAN 97 -did- work with networks perfectly! I was rather surprised when version 99 refused to scan the networked drive where the viruses were... :-) Obviously this has been an unwanted "feature", which has been later removed...

Anyway, I was forced to use NETSCAN during the tests. I suppose that SCAN has exactly the same MtE detection algorithm, but of course, have no proof for that. However, each time NETSCAN missed a replicant, I copied it to the local hard disk and verified that SCAN 99 misses it too. Therefore, I can say that SCAN 99 has at most no better MtE detector than NETSCAN 99B. In the description below, each time I am saying "SCAN", you should understand "NETSCAN 99B", having in mind that the missed replicants were double-checked with SCAN 99.

1) The standard test.

Virus name:    Total samples:  Detected:  Missed:  Reliable?
- -----------    --------------  ---------  -------  ---------
CoffeeShop     2000            2000       0        Yes
CryptLab       2000            2000       0        Yes
Dedicated      2000            2000       0        Yes
Fear           2000            1879       121      NO
Groove (EXE)   2000            2000       0        Yes
Groove (COM)   2000            2000       0        Yes
Pogue          2000            2000       0        Yes
Questo         1994            1852       142      NO

This version of SCAN seemed to be unreliable only with Fear and Questo. All missed files were unencrypted. A total of 263 samples out of 4000 were missed. For those who like statistics, this means that the detection rate is 93.4% or that one infected file is missed in every 15. In fact, SCAN misses almost -all- unencrypted replicants of those two viruses (their number was 141 for Fear and 150 for Questo). It is still beyond my understanding why this happens - it is so simple to pick a scan string from the MtE body and besides, SCAN -does- detect the unencrypted replicants of the other viruses... Maybe somebody from McAfee Associates can explain what the technical problem is?

2) The additional test.

Virus name:    Total samples:  Detected:  Missed:  Reliable?
- -----------    --------------  ---------  -------  ---------
CoffeeShop     3               3          0        Yes
CryptLab       1               1          0        Yes
Dedicated      108             108        0        Yes
Fear           28              25         3        NO
Groove (EXE)   1               1          0        Yes
Groove (COM)   21              21         0        Yes
Pogue          102             102        0        Yes
Questo         100             94         6        NO

Clearly the same results as above. All viruses except Fear and Questo are detected reliably. Only unencrypted replicants of Fear and Questo are missed. The numbers are too small to be useful for any kind of statistics; they just confirm the main conclusion of the standard test.

3) The acid test.

The program was tested against 5 replicants of Insufficient - a companion MtE-based virus. One of the replicants was not detected. Not surprisingly (after the above results), it was unencrypted.

4) The additional acid test.

Since the tests of version 97 of the product, some new MtE-based viruses appeared. I decided to test the new version against a few replicants of each of them.
The test results are not of any serious value, since only very few replicants were used and no other scanners were submitted to the same tests; so these results cannot be used for comparison. The following new viruses were used:

A) Encroacher.A, 7 replicants. SCAN detected all of them.

B) Encroacher.B, 6 replicants. SCAN detected all of them.

C) Groove.B, 11 replicants. SCAN missed one of them. However, the missed sample is encrypted.

When the tests were already ready and I was writing this message, one of McAfee Associates' programmers (Igor Grebert) contacted me and told me that if SCAN doesn't achieve 100% detection in my tests, I should try it with the /A option.

According to the documentation, the /A option means "scan all files", i.e., files with any extension (not only the executables). The reason for it is that some files with non-executable extensions (e.g. .APP) might be Exec'ed from an application. If a virus is active in the memory of the computer at that time, it may infect this file. Therefore, once an infection is discovered, it is a good idea to run SCAN with the /A option, just in case, to verify that some of your files with non-executable extensions are not infected... However, nowhere in the documentation is it mentioned that the /A option increases the ability of the scanner to find viruses in files with executable extensions...

Nevertheless, I re-ran the tests, this time with the /A option. Surprisingly, this time all infected replicants (except one) were detected. My guess is that this option also forces SCAN to plainly scan the whole file, instead of trying to be smart, so the (plain-text) scan string from the MtE body is found in the unencrypted samples that are normally missed. I do not think that this is a correct behavior; there is no reason why those samples should be missed in "regular" mode...

Coming to think about this, maybe with the /A option SCAN will be able to detect the Commander Bomber virus reliably?
(It is trivial to detect it, if you scan the whole file.) I'll have to check this...

Anyway, it seems that when run with the /A option, SCAN (the same goes for NETSCAN) -is- able to detect the -known- MtE-based viruses reliably. The only missed sample was Groove.B, which McAfee Associates probably have not seen yet. (Not that this is a sound excuse; for instance, F-Prot 2.06a -did- detect it, regardless that Frisk had not seen it either...)

I would strongly advise McAfee Associates to fix the small buglet that forces you to use the /A option, in order to achieve reliable detection of Fear and Questo. Any number of normally missed replicants will be made available to them on request.

Meanwhile, I would advise the users of SCAN to upgrade to version 99 and if they encounter an infection with an MtE-based virus, to re-run SCAN with the /A option. (It is highly probable that even without this option, at least -some- replicants of the virus will be detected, so you will be warned about the infection.)

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

------------------------------

Date: Sat, 21 Nov 92 14:34:26 +0000
From: Brian_Hampson@f115.n101.z9.virnet.bad.se (Brian Hampson)
Subject: ViruScan v99 and OS/2 (OS/2)

Hi,

There is an apparent problem with SCAN 9.0V99 running in a DOS session under OS/2 using the HPFS file system. Here is what it reported:

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
C:\>scan d: /nomem

SCAN 9.0V99 Copyright 1989-92 by McAfee Associates. (408) 988-3832

Scanning for known viruses.

Sorry, I can't scan drive d:!

No viruses found.

C:\>scan c: /nomem

SCAN 9.0V99 Copyright 1989-92 by McAfee Associates. (408) 988-3832

Scanning for known viruses.

Sorry, I can't scan drive c:!

No viruses found.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

It can't FIND my Hard Disks...disconcerting. Here, on the OTHER hand, is what scan97B reported:

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
C:\>scan97 d: /nomem

SCAN 8.9B97 Copyright 1989-92 by McAfee Associates. (408) 988-3832

Scanning for known viruses.

Scanning Volume: DDRIVE
Disk D: contains 28 directories and 696 files.

No viruses found.

C:\>scan97 c: /nomem

SCAN 8.9B97 Copyright 1989-92 by McAfee Associates. (408) 988-3832

Scanning for known viruses.

Scanning Volume: OS2
Disk C: contains 119 directories and 2827 files.

No viruses found.
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thought you might want to know.

B.

- ---
 * Maximus/2 2.01wb
 * Origin: The CAGE, Vancouver, B.C. Canada (604)261-2347 (9:101/115)

------------------------------

Date: Tue, 24 Nov 92 17:44:51 -0500
From: Ken De Cruyenaere 204-474-8340
Subject: Potentially stupid question (OS/2) (PC)

I am not too familiar with OS/2 but am told it's going to be very popular soon :-(. Our antiviral software (F-PROT) doesn't seem to run well under OS/2. (It eventually hangs up when scanning, saying "ERROR SCANNING DRIVE D:") McAfee SCAN (V99) apparently gets the same results.

My question: What are people running OS/2 using/running as anti-viral software?

Ken D.

- ----------------------------------------------------------------------
Ken De Cruyenaere          "Having SMOKING and NON-SMOKING sections in a room
Computer Services           is like having URINATING and NON-URINATING
University of Manitoba      sections in a swimming pool."
Bitnet: KDC@CCM.UManitoba.CA
Voice:(204)474-8340 FAX:(204)275-5420

------------------------------

Date: Wed, 18 Nov 92 15:24:00 +0000
From: Malte_Eppert@f6002.n491.z9.virnet.bad.se (Malte Eppert)
Subject: German FAQ

Hi Vesselin and the others!

I'm happy to have access to VIRUS-L via VIRNet, this is very nice!
I just wanted to make an offer: If there's any need for a German document about MS-DOS viruses (kinds of, what they can and can't do, how to fight them, which kind of antivirus-utilities exist and some really frequently asked questions), there is something I wrote some weeks ago. The only thing you need to get it is FIDO-Net access. The file is available in FIDO at the following addresses:

- ------------- DISTRIBUTORS -------------
Germany:
2:240/11    Granny's Inn
2:240/500   Download Paradise I
2:240/501   Download Paradise II
2:240/505   Flying Sparks BBS
2:240/525   Radon
2:240/609   Downtown
2:241/3412  Bovender Mailbox System   Frequest from 21.00 - 06.00
2:241/7518  Virus Help Service
2:246/18    Farmer's Node I
2:246/19    Farmer's Node II
2:247/352   -= CCSH =-
2:248/601   SCHNULLI-Box

Switzerland:
2:301/503   LemaS
2:301/508   Jack of all Trades
- -----------------------------------------
Archive name for download: VGER_FAQ.ARJ
Magic for frequesting    : VIRUSGER_FAQ
Length of archive        : 29455 Bytes
- -----------------------------------------

cu!
eppi

- --- Via SCANTOSS V 1.37
 * Origin: No Point for viruses - The EpiCentre! (9:491/6002)

------------------------------

Date: Tue, 24 Nov 92 16:48:40 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Dr. Cohen's Comments (was: Mr. Slade's Listings)

>I am constantly amazed that ASP has not yet made Mr. Slade's lists.
>We have been in the antivirus business since 1986, and yet the list
>has hundreds of products/services/research groups/BBSs/etc. that have
>been in existence for far less time, and with a very broad range of
>different expertise. I simply cannot believe that Mr. Slade is not
>aware of the existence of ASP.

> And then we have the hundreds of bug reports and fixes posted
>about various products on Virus-L. Why is this? Don't these companies
>deal with their customers over the phone? Or is it just PR to keep
>their names in front of the Virus-L public all the time?
Possibly the reason that ASP is not reviewed/mentioned is that few people have it. Further, many a-v products discussed (not all) are available from one of the FTP sites for downloading and examination (even versions of Central Point and NAV were made available during the Michelangelo incident). Demand for a product must be created and there will be little discussion of a product no-one has.

Further, while there have been some new product announcements, these have been limited to just that (usually) without hype. Bug reports (and fixes) are much more common. Virus-L has been remarkably free of marketing. For that matter, most announcements have been to address unfilled needs: If ASP does things that no-one else does, feel free to start a discussion, you might even get some helpful hints. For example, does it work with Windows 3.1? OS2? Unix? Is there a BIOS element compatible with Novell servers? Does it use a different authentication mechanism on each PC?

> I wish Virus-L's moderator would make a defined policy about
>what goes on V-L and stick to it. I could use the daily plug for my
>products and services too, and yet we don't see all that much PR from
>many of the companies that have products, only a small number that seem
>to be in the Virus-L elite.

Funny thing, I made a point of mentioning ASP in my last posting even though personally I have never even seen a copy. Am sure that if you send Rob a copy he will review it.

> By the way, Today, ASP created over 1500 new viruses (using our
>automated program evolution system), and NONE of the scanners listed as
>the best around detected ANY OF THEM!

Most scanners specify "known viruses". What happens when used with an integrity management program that performs 100% signature validation? (used to say "checksum" but have been corrected). Does ASP detect its own "viruses"?

I am not going to address the morality issue of the above though I am certain that others will.
> Example: (taken from Jon David's original example several years
>ago - with modifications)

Jon (correctly IMHO) also considers COPY a virus. This would seem to meet your definition as well.

> Well, that's my view of it all. I figure I'll get plenty of
>grief for having posted it (if it indeed gets posted), so don't bother to
>complain directly to me - this is the sort of discussion we should have
>on Virus-L in front of the whole world.

OK

Warmly,
Padgett

------------------------------

Date: Mon, 23 Nov 92 09:29:37 -0500
From: "Gerry Santoro - CAC/PSU 814-863-7896"
Subject: Index to files on anti-virus sites?

There are a lot of files on the various anti-virus archive sites. Does anyone maintain an index to these files?

I'm looking for something similar to the index files on archive.umich.edu in which there is a file name followed by a brief abstract of what the file contains. Such a thing (if it exists) would be real useful for people looking for a specific type of anti-virus program but not knowing its file name.

If any anti-virus site does have such a listing could you please send me email or post the information here.

gratzi!

gerry santoro
academic computing/speech communication
penn state university

------------------------------

Date: 02 Nov 92 18:12:38 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: MtE detection tests (part 5/5) (PC)

Hello, everybody!

Here is the long awaited report about the MtE detection tests that we performed at VTC-Hamburg. It is rather longish, so maybe Ken should consider splitting it into parts. Normally, I should have put it for anonymous ftp, instead of publishing it here, but the preliminary results of the tests raised enough interest and discussions, so I decided to publish it in a whole in this newsgroup.
Nevertheless, it - - -is- available for anonymous ftp as

ftp.informatik.uni-hamburg.de:pub/virus/texts/tests/mtetests.zip

[Moderator's note: The complete text of Vesselin's MtE tests are also available from:

cert.org:pub/virus-l/docs/mtetests.zip

As I had previously indicated, I have broken Vesselin's tests down into five parts and will post each separately.]

Enjoy. Comments, questions, and suggestions are welcome.

Regards,
Vesselin

- - --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >      Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

===== [part 5/5]

5. Summary.

Here is a summary of all MtE-based viruses and a list of all scanners that reliably detected them.

Virus Name:   Reliably detected by:
- -----------   ---------------------
CoffeeShop    CATCHMTE, F-PROT, FINDVIRU, GOBBLER, UTSCAN, VIRSCAN
CryptLab      ANTIVIR, CATCHMTE, F-PROT, FINDVIRU, UTSCAN, VHUNTER, VIRSCAN
Dedicated     ANTIVIR, CATCHMTE, F-PROT, FINDVIRU, GOBBLER, UTSCAN, VIRX, VHUNTER, VIRSCAN
Fear          ANTIVIR, AVP, CATCHMTE, CPAV, F-PROT, FINDVIRU, GOBBLER, UTSCAN, VIRSCAN
Groove/EXE    CATCHMTE, F-PROT, FINDVIRU, GOBBLER, VIRSCAN
Groove/COM    ANTIVIR, CATCHMTE, CPAV, F-PROT, FINDVIRU, GOBBLER, UTSCAN, VIRSCAN
Pogue         ANTIVIR, AVP, CATCHMTE, F-PROT, FINDVIRU, GOBBLER, UTSCAN, VIRSCAN
Questo        ANTIVIR, CATCHMTE, F-PROT, FINDVIRU, GOBBLER, UTSCAN, VIRSCAN

The only winners for all MtE-based viruses used during the standard and the additional tests are: CATCHMTE, F-PROT, FINDVIRU, and VIRSCAN. During the acid test, FINDVIRU failed to detect all the 4 companion MtE-based viruses. The other three scanners succeeded to detect them. Therefore, the winners of the tests are: CATCHMTE (freeware), F-PROT (shareware, free for individual use), and VIRSCAN (commercial, but cheap).
This looks rather strange, since it seems logical that the big companies that are producing anti-virus software have more time, money, and human resources to put in research and development. Yet, the commercial scanners usually showed worse results in MtE detection. Obviously, they are popular not because of their quality, but because of their flashy user interfaces and aggressive marketing strategies.

Vesselin Bontchev, anti-virus researcher
Virus Test Center, University of Hamburg, Germany

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 189]
******************************************
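Padgett Peterson's "Scanner Wars" post in this digest argues for integrity managers: a change detector that records a baseline of every file, reports anything changed, new or missing, and keeps an audit trail of those events in one place. The following is an added example, not code from the digest or from any of the products it names (PC Virus-Safe, Physical, Virus Buster, ASP). It demonstrates the on-demand check half of that approach in Python: a baseline of SHA-256 digests (a modern stand-in for the "signature validation" Padgett mentions), a check that classifies differences, and an append-only JSON-lines audit log. The resident TSR monitor Padgett describes is out of scope. All file names and contents in `demo()` are constructed for the example.

```python
"""File integrity check with an audit trail (added example).

Build a baseline of every regular file under a root, later compare the
tree against it, and append one JSON line per detected event to an
audit log so that earlier checks can be reviewed, not just the snapshot
of *now*. Function names, paths and sample files are constructed.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its size and digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return baseline


def check_tree(root: Path, baseline: dict, audit_log: Path) -> dict:
    """Compare root with baseline and return changed/new/missing lists.

    Every event is appended to audit_log as one JSON object per line,
    so the log accumulates a history across runs (append-only trail).
    """
    current = build_baseline(root)
    report = {"changed": [], "new": [], "missing": []}
    for rel, meta in current.items():
        if rel not in baseline:
            report["new"].append(rel)
        elif meta["sha256"] != baseline[rel]["sha256"]:
            report["changed"].append(rel)
    for rel in baseline:
        if rel not in current:
            report["missing"].append(rel)
    with audit_log.open("a") as log:
        for kind, files in report.items():
            for rel in files:
                entry = {"time": time.time(), "event": kind, "file": rel}
                log.write(json.dumps(entry) + "\n")
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "disk"
        (root / "bin").mkdir(parents=True)
        # Constructed sample files; the bytes are placeholders, not real programs.
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "bin" / "tool.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")
        (root / "config.sys").write_text("FILES=30\n")
        baseline = build_baseline(root)
        audit = Path(tmp) / "audit.jsonl"

        # Simulate the kinds of change a detector must flag: an executable
        # grows, a config file disappears, an unknown file appears.
        with (root / "bin" / "app.exe").open("ab") as f:
            f.write(b"\x00" * 10)
        (root / "config.sys").unlink()
        (root / "bin" / "new.exe").write_bytes(b"MZ")

        report = check_tree(root, baseline, audit)
        report["audit_lines"] = audit.read_text().count("\n")
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the check reports the change, not the cause, exactly as the post says ("not identify the infection but will identify the change"); deciding whether a changed executable is a legitimate update or something else is left to the person reading the audit log. In practice the baseline itself must be stored where the checked system cannot alter it (a write-protected diskette in the digest's era), or the comparison is meaningless.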