From virus-l@lehigh.edu Mon Nov 9 20:27:01 1992
Received: from Fidoii.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01)
        with sendmail 4.1/SMI-4.1-01 id AA11205; Mon, 9 Nov 92 20:27:01 +0100
Errors-To: krvw@cert.org
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA11492
        (5.65c/IDA-1.4.4); Mon, 9 Nov 1992 14:17:32 -0500
Date: Mon, 9 Nov 1992 14:17:32 -0500
Message-Id: <9211091912.AA05064@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #174

VIRUS-L Digest             Monday, 9 Nov 1992        Volume 5 : Issue 174

Today's Topics:

    scan with compressed drvs?? (PC)
    Re: Checking high memory with VSCAN (PC)
    Re: Comment on the MtE wars (PC)
    Re: KEY Press virus & McAfee v97 (PC)
    Re: MtE ?? (PC)
    Re: MtE ?? (PC)
    Re: VCL? (PC)
    Dangerous bug in CHKDSK that comes with MS-DOS 5.0 (PC)
    Re: Checking high memory with VSCAN (PC)
    Re: Comment on the MtE wars (PC)
    Re: SCAN 95b doesn't find MtE in EXE files (PC)
    Re: Checking high memory with VSCAN (PC)
    Re: SCAN 95b doesn't find MtE in EXE files (PC)
    Goblin virus (PC)
    Outdated F-PROT?? (PC)
    Where to find VSUMX (PC)
    Am I Infected? (PC)
    Re: Comments on Recent Postings, Virus-L V5 #169
    What has become with R.T.Morris ?
    FP-206A.ZIP - F-PROT 2.06a: Virus detection/removal software (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 02 Nov 92 07:57:36 +0000
From:    confused@cwis.unomaha.edu (stephen richard smith)
Subject: scan with compressed drvs?? (PC)

I couldn't find the FAQ post, I hope this isn't covered. If it is, please forgive me.

I have questions in relation to use of NAV with SuperStor. I know when I was using Stacker I had to run NAV from within a stacked drv to ensure proper scan results due to problems with Stacker. I have switched to SuperStor and while it (in my opinion) is a more stable and superior compression prg, the documentation sucks. I have called them and got half an answer (perhaps this is why Stacker is #1).

MY QUESTIONS:

1> Should I run NAV from within the SuperStor container also? I assume so, as the basic concepts between the two are the same.

2> Can I run NAV from within a stacked container and get proper results on a scan of a non-stacked drv?

Please e-mail answers to confused@cwis.unomaha.edu

THANK YOU FOR YOUR TIME

SRS.

[Moderator's note: The VIRUS-L/comp.virus FAQ is available via anonymous FTP from cert.org (192.88.209.5) in pub/virus-l OR by sending e-mail to listserv@lehigh.edu stating "info virus-l". A new FAQ release is in the works and will also be posted to news.answers.]
__________________________________________________________________________
| the federal government is basically one enormous, ongoing meeting from |
|                          HELL-----Dave Barry                           |
- --------------------------------------------------------------------------

------------------------------

Date:    02 Nov 92 13:55:37 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Checking high memory with VSCAN (PC)

ianst@qdpii.comp.qdpi.oz.au (Ian Staples) writes:

> Hmmm... does this imply that once we all have OS/2 or whatever on 386s
> or better, and 32-bit applications addressing oceans of flat memory
> space then we will have to wait forever for SCAN or some other to scan
> the whole bloody lot when we boot up each morning?

I sincerely hope that no anti-virus program will be that stupid! Under OS/2 in 32-bit mode, when your program (or a virus) wants to "address" a memory chunk, it must first allocate it. And when it allocates it, the OS nicely wipes it out. Therefore, there's virtually no hope to "find" the virus in this way - the most you could do is to wipe it out. But you cannot do even that, since memory allocated for one process is protected from the other processes, so they cannot just poke around...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    02 Nov 92 13:59:51 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Comment on the MtE wars (PC)

hobbit@ftp.com (*Hobbit*) writes:

> Obviously none of you are willing to publicly discuss the exact hows
> and whys of anyone's MtE-detection algorithm, for the usual reasons.

Yes, this is usually considered a trade secret.
> So the entire discussion is so far based on percentage hit rate, which

Correction: the discussion is not based on the percentage hit rate. There is no such thing as percentage hit rate when you are speaking about a known virus. Your scanner either is able to detect it reliably, or it isn't. My tests are trying to show which scanners are NOT able to detect the known MtE-based viruses reliably (because I cannot prove that a scanner DOES reliable detection - I can only try to find out an example that proves that a scanner is NOT able to do reliable detection).

> for me has significantly less meaning in terms of explaining WHY
> product A sucks and product B is so much better. Is this just me, or

Simple. :-) Reliable detection of the MtE-based viruses is -extremely- difficult. Therefore, only anti-virus companies with very capable R&D departments are able to solve the puzzle. (Note: this is not a flame to anyone; for instance I don't know how reliable detection can be achieved.) The current tests clearly show that very few AV companies have indeed solved the puzzle.

BTW, it was demonstrated to me that no scanner can be made to detect reliably unknown unencrypted MtE-based viruses. Sorry, but I cannot discuss the details in public. The important thing is that the virus could do some tricks to prevent this. None of the currently known MtE-based viruses does this trick, so this fact should have any impact on the current MtE detection by the scanners.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    02 Nov 92 14:13:47 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: KEY Press virus & McAfee v97 (PC)

mcafee@netcom.com (McAfee Associates) writes:

> We've reproduced the problem of SCAN reporting a variant of the
> KeyPress virus multiple times in a file and will be fixing this in a
> subsequent version of SCAN.

While you are at it, please also have in mind that:

BetaBoys.Rattle is reported as Rattle [Rttl] and Mexican [Mex];
Burger.* are reported as Burger [Burger] and FamilyQ [FQ];
Cascade.1701.D is reported as JoJo [JoJo] and Yap [Yap];
Crew.* (except Crew.1.C) are reported as Crew-2480 [2480] and FamilyM [FM];
FaxFree.Topo is reported as Lamer [Lam] and Topo [Topo];
Happy_New_Year.1600 is reported as Happy N.Y. [HNY] and Voronezh [Vor];
Horse.1154.* are reported as 512 [512] and Horse [Hrs] (in some files only);
Jerusalem.Mummy.1_2 is reported as Mummy [Mum] and FamE [FE];
Jerusalem.Timor is reported as 1241 [1241] and Jerusalem [Jeru];
Leprosy.G is reported as infected twice by Leper [OW];
Leprosy.Plague is reported as Viper [Vip] and Plague [Plg];
MShark is reported as FamN [FN] and FamM [FM];
Murphy.Brothers is reported as Brothers [Bro] and 1530 [1530];
Murphy.Tormentor.* are reported as LixoNuke [Lix] and Murphy [Murphy];

Sorry for the long list, but I hope that it might help some other readers too. Hope you'll fix that in your next version.

> >places... Unfortunately, this is not always the case, which explains
> >why SCAN does not detect Commander Bomber infections reliably - the
> >virus can reside just anywhere in the file and control is transferred
> >to it in a non-trivial way...

> Are you sure of this? The reason I ask is that does not always use
> the "top-and-tail" (or "beginning-and-end," etc.)
> method of searching
> for file-infecting viruses, especially if a "fragmentation attack" is
> performed.

Am I sure about -what-? That SCAN 97 does not detect Commander Bomber reliably? Yes, I am sure about it. It doesn't detect it reliably. It misses this virus in some of the infected files.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    02 Nov 92 14:34:43 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: MtE ?? (PC)

hps@sdf.lonestar.org (Holt Sorenson) writes:

> MtE is the Mutation Encryption Engine developed by Dark Avenger. It
> changes filesizes, checksum, and other info that would make it
> possible to detect a virus in a file at runtime so that the virus can
> continue to hide on your computer. The latest version is .91b, unless
> DA has released a newer one. You can get it from your favorite AV
> researcher that trusts you or off a virus bbs. I won't give you any
> such info (bbs's or copies of the software.) If you don't know
> assembly, it wouldn't help you much anyway.

Couldn't people get their facts right before posting? Anyway, here is the correction:

1) Dark Avenger has indeed been involved heavily in the development of the MtE, but according to some sources, this is not -entirely- his product.

2) All the MtE does by itself is to take a piece of code, encrypt it using a random key, generate a random decryptor, prepend the decryptor to the code, and return a pointer to the area of memory that contains the decryptor and the encrypted code. Nothing more. Not a virus per se. Everything else has to be supplied by the virus writer.
The changes of the file sizes, checksums, and other info that you are mentioning come from the virus, not from the MtE. It is perfectly possible to write a stealth MtE-based virus, that will hide these changes.

3) The latest available version of MtE is 0.90-beta. What has been distributed as 0.91 and what many people blindly believe to be 0.91 is just a bugfix in the random number generator (not in the MtE).

4) No self-respecting anti-virus researcher will distribute the MtE package to anybody except other anti-virus researchers.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 02 Nov 92 10:10:10 -0500
From:    Y. Radai
Subject: Re: MtE ?? (PC)

Holt Sorenson writes:

> MtE is the Mutation Encryption Engine developed by Dark Avenger. It
> changes filesizes, checksum, and other info that would make it
> possible to detect a virus in a file at runtime so that the virus can
> continue to hide on your computer.

Changes filesizes and checksums??? You've missed the entire point of MtE! MtE (Mutation Engine) is a method for converting a given virus into a *polymorphic* one, i.e. one which looks different on each infection, because of variable encryption and/or because of replacement of some instructions by others which have the same effect. MtE consists of an .OBJ module which, when linked to an assembled virus containing a call to it (and to a random-number generator supplied in another module), causes the virus to become polymorphic.

There are several specially designed scanners which claim to achieve perfect detection on MtE'd viruses, and these claims are often correct in the case of mutations in which the viral code is actually encrypted. But in some cases MtE does not perform an encryption, and some scanners fail in such cases. A few scanners succeed in detecting all such viruses in some existing test suites, but it is apparently impossible to obtain 100% detection on all possible MtE mutations (i.e. even when the underlying virus is unknown) in those cases in which an MtE encryption is not performed.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    02 Nov 92 14:59:11 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VCL? (PC)

hps@sdf.lonestar.org (Holt Sorenson) writes:

> VCL is a Borland IDE based "Virus Creation Laboratory" that creates

Don't blame Borland for what is not their fault. VCL is created with Borland's TurboVision, that's why it resembles Borland's IDE. What you are saying seems to imply that Borland is somehow involved in the creation of this stupid piece of malware that is VCL.

> poorly optimized, inefficient overwriting .COM and .EXE infectors.

It creates buggy, usually not running, not optimized at all, stupid overwriting .COM infectors. Some of them can overwrite just all files (*.*), but this does not mean that they can correctly infect EXE files (i.e., without damaging them). It can also produce lame trojan horses. It also tries to produce companion viruses, but they don't work.

> You can get ahold of it on most virus bbs's or from a virus writer or
> an anti-virus buff who would trust you with it. If you understand

The above is a totally unfounded flame against the honest anti-virus researchers. You have already posted it twice. If you have any facts, please speak up. But facts only, please.

> Assembly it is possible to patch the code and create virii and some of
> the code is sound enough to create a virus with. Compared to the

You mean, if you are good enough in assembly language, you might find the bugs in the viruses that VCL generates and eventually fix them.
I mean, fix the viruses, because you cannot fix the VCL program itself - it's too buggy for that. But why bother? Anybody who is able to fix those bugs should be able to write a virus himself, instead of using the stupid things that VCL generates... :-)

> current technology available in the virus world it is outdated.

It has already been outdated, when it has been released... :-)

> Unfortunately, the author has promised to release a second version
> which is supposed to have several improvements that will make it more

Ah? Maybe he will be able to make a proper install program the next time... The current installation procedure is buggy.

> fun for researchers to play with. I doubt it will create any serious
> problems though. The release will probably be in January or February of

Of course, it doesn't create any serious problems. The only serious problem is the trend - it's much harder to deal with 2,000 virus creation tools than with 2,000 viruses... Fortunately, it is much harder to write a working virus creation tool than it is to create a working virus...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    02 Nov 92 18:11:33 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Dangerous bug in CHKDSK that comes with MS-DOS 5.0 (PC)

Hello, everybody!

The following is part of a posting to one of the newsgroups. I am submitting here the relevant part, which I believe to be of interest to the readers of VIRUS-L/comp.virus.

Regards,
Vesselin

Subject: MSDOS 5.0 chkdsk WARNING!
Date: 30 Oct 92 19:12:47 GMT
From: john@attcan.UUCP (John Benfield)

[stuff deleted]

(This is NOT an official report from Microsoft or AT&T. It's just my own friendly posting to try to help)

Program: chkdsk
O/S    : MS-DOS 5.0

Symptoms: Users running chkdsk with the /f option have 256 copies of the FAT written onto their hard disk starting at the first copy of the FAT. The result being that all directory information and a significant amount of the data in the data area are irrecoverably destroyed.

Affected users: Any users using 256-sector FATs.

How to tell if you're at risk: Run chkdsk WITHOUT the '/f' option and check the "Total allocation units on disk". If this number is more than 65280, you're at risk. DO NOT USE CHKDSK TO CORRECT ANY DISK PROBLEMS if this is the case. You'll trash your disk.

Solution: Call Microsoft and request the 5.00A upgrade. They know about the problem and they've fixed it. They've also done some diddling with the following programs (though I don't know what they did to them):

    deloldos.exe
    diskcomp.com
    diskcopy.com
    doshelp.exe
    dosshell.exe
    dosswap.exe
    emm386.exe
    expand.exe
    format.com
    himem.sys
    mirror.com
    qbasic.exe
    recover.exe
    setver.exe
    undelete.exe
    xcopy.exe

Apparently, the only place that Microsoft posts information of known bugs is on CompuServe in something they called the Microsoft Knowledgebase. If there's anyone out there who regularly reads this forum on CIS, maybe you'd like to volunteer to cross-post to this group?

[stuff deleted]

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 02 Nov 92 20:26:45 +0000
From:    gary@sci34hub.sci.com (Gary Heston)
Subject: Re: Checking high memory with VSCAN (PC)

ianst@qdpii.comp.qdpi.oz.au (Ian Staples) writes:

[ about a discussion concerning potential high memory viruses ]

>Hmmm...
>does this imply that once we all have OS/2 or whatever on 386s
>or better, and 32-bit applications addressing oceans of flat memory
>space then we will have to wait forever for SCAN or some other to scan
>the whole bloody lot when we boot up each morning?

No. During boot, you'd simply install Virscan as your first step, and let it trap anything that attempts to load while infected. On booting, the memory contents are ignored and overwritten, so there's no need to scan it.

- --
Gary Heston   SCI Systems, Inc.   gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
"...I looked out my window, and saw Kyle Pettys' car upside down, then I
thought 'One of us is in real trouble'." Davey Allison, re: a 150MPH crash

------------------------------

Date:    Mon, 02 Nov 92 20:07:28 +0000
From:    gary@sci34hub.sci.com (Gary Heston)
Subject: Re: Comment on the MtE wars (PC)

hobbit@ftp.com (*Hobbit*) writes:

>Obviously none of you are willing to publicly discuss the exact hows
>and whys of anyone's MtE-detection algorithm, for the usual reasons.
>So the entire discussion is so far based on percentage hit rate, which
>for me has significantly less meaning in terms of explaining WHY
>product A sucks and product B is so much better. Is this just me, or
>does it smell like so much handwaving to anyone else, too?

No, not to me. I want to see a high hit rate from a large suite of test files, using every MtE-based virus known to generate the test files. I'm not concerned with the algorithm, for a few reasons:

a) I'm not writing viral or antiviral code, so I have no use for it;

b) The authors of the antiviral products have invested a considerable amount of work in them, and I see no reason to disclose that information to their competitors (free information is a nice idea, but won't work in other than a utopia, which we're not in...);

c) Disclosing how the scanners detect MtE would assist Darkie in finding ways around detection, something I'm *not* in favor of;

d) There are independent surveys of the effectiveness of the scanners, listing how well each of them do in identical environments.

>Unfortunately I feel like I still have to slog through it all to find
>the occasional hard useful facts.

..Welcome to the net.... :-) I find this group to be quite useful, due in great part to the excellent job being done by KvW, and really appreciate his time and efforts. I shudder to think what this group would be like if unmoderated....

- --
Gary Heston   SCI Systems, Inc.   gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
"...I looked out my window, and saw Kyle Pettys' car upside down, then I
thought 'One of us is in real trouble'." Davey Allison, re: a 150MPH crash

------------------------------

Date:    Tue, 03 Nov 92 00:41:41 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

[...description of MtE virus samples deleted for brevity...]

>Just some more information. Of the above missed samples, 141 (of 142)
>Questos were unencrypted and 143 (out of 145) correctly infected
>Groove EXE files. The fact that they are unencrypted, means that they
>can be easily detected, if SCAN contained a signature, picked from the
>body of the MtE (not from the body of the particular virus). This is
>so obvious, that I cannot figure out why SCAN is not doing it
>already...
>Let's hope that it will be included in the next version.

[...rest of message deleted...]

If VIRUSCAN did not pick up unencrypted copies of a virus, that means that we do not have a copy of the virus. Readers may wish to note that sometimes the MtE produces an "unencrypted" virus, that is, one where no MtE encryption is performed. In this case, no MtE virus would be found, and VIRUSCAN (SCAN) would have to look for the actual virus code. If we do not have a copy of that particular MtE-based virus, then unencrypted copies will not be found until we receive a copy and analyse it.

Regards,

Aryeh Goretsky
Technical Support

- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.      | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14     | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California      | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA               | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date:    Tue, 03 Nov 92 01:07:10 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: Checking high memory with VSCAN (PC)

Hello Ian,

ianst@qdpii.comp.qdpi.oz.au (Ian Staples) writes:

[...message I wrote about memory regions deleted for brevity...]

>Hmmm... does this imply that once we all have OS/2 or whatever on 386s
>or better, and 32-bit applications addressing oceans of flat memory
>space then we will have to wait forever for SCAN or some other to scan
>the whole bloody lot when we boot up each morning?

Since OS/2 virtualizes memory in DOS sessions, you would only have to check the memory allocated for that particular DOS session--not all the memory available to the system.

Regards,

Aryeh Goretsky
Technical Support

- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.      | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14     | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California      | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA               | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date:    Tue, 03 Nov 92 04:37:12 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC)

Hello Vesselin,

you write:

[...my comments about release dates on V95 and V97 deleted...]

[The ">>" indicates comments from me.]

>When the preliminary tests were done, the latest available version of
>SCAN was 95b. Since the results were alarming, I decided that it is my
>duty to inform the users about a particular deficiency in the then
>latest version of the product. Even if a newer version of the product
>were available (which it wasn't then), and even if it were able to
>detect the MtE-based viruses reliably (which it still isn't, see
>below), my message would alarm the users to urgently upgrade to the
>newer version. I still think that there is nothing incorrect in what I
>have done.

SCAN missed 317 out of 15,996 viruses, or about 0.02% of the samples. Rather than post the "alarming" results, do you not think a message to myself (or better yet, to one of our programmers) would have sufficed? A detection rate of approximately 99.8% on a virus, or set of MtE-based viruses does not seem especially bad, in lieu of the fact that we have not received any confirmed reports of the virus yet [outside of virus-exchange BBS's and the like].

[...comments about detection of MtE-based viruses added in SCAN V97 from myself and your comments about downloading V97 deleted...]

>The results are rather poor - they clearly show that version 97 of
>SCAN is not able to detect reliably ANY of the MtE-based viruses too.
>I have proven this to you, by sending you a batch of examples that

Yes, you have, and I am not so much questioning this as the manner in which it was reported.

>SCAN 97 was unable to detect. I have also offered to help you fixing
>the problem and even suggested an easy solution for the other 284
>missed samples. What do you want more?

Next time, perhaps you could check with us about your results? I think it would be more appropriate to say "SCAN missed X out of Y samples of the Z virus. I've notified McAfee Associates of the problem and they will (hopefully) fix it shortly." than your earlier post, which seemed rather alarmist to me.

>> I can understand your desire to provide the readers of comp.virus with
>> timely, accurate information about the efficacy of different anti-viral
>> packages, however, posting one message decrying the deficiencies of
>> one brand of software with an endnote about other packages sounds less
>> like a genuine attempt at impartial research and more like alarmist scare
>> tactics, or even worse, marketing :-)
>
>It's very strange to see the above posted by someone from McAfee
>Associates... Even if we don't pay attention to the fact that it does
>not correspond to the truth (as I explained above), I still remember

You did download V97 of SCAN as fast as you could and repeat your tests, which I find commendable. Even if I don't agree with how you reported the results.

>an article posted somewhere (maybe even here), which described how
>McAfee Associates sponsored a particular set of anti-virus product
>evaluations and insisted that only old versions of the scanners of
>their main competitors were tested.

McAfee Associates has sponsored (that is, paid for) anti-virus product testing by a number of independent organizations, using then-available versions of competitors' anti-viral programs. To do otherwise would be worthless.

>> I note that several other anti-viral
>> packages such as NAV, CPAV, Untouchable, Novi are not mentioned at all.
>
>I don't have a copy of Novi. And, unlike your product, all the
>products mentioned above are not shareware - they are all commercial,

True, but all of them are also widely used, at least here in America. In Europe, I would imagine that Dr. Solomon's AVTK is used more widely, etc.

>so I obviously cannot easily get the latest versions as quickly as
>with your product. Besides, I am only a human and cannot do everything

As am I. [Shut up, Spencer]

>at once. In fact, the MtE tests even of your product were made
>possible mainly because two visiting students from Rostok spent a lot
>of time to generate 16,000 naturally infected samples (do you
>understand what all this means, having in mind that some of the
>MtE-based viruses infect only 2-3 samples in the current directory and
>do not go resident?), and one of our students urgently ran two tests
>(with version 95b and 97 of SCAN) and summarized the results...
>
>I -will- publish MtE detection data for 17 scanners, each of which
>claims (like yours) that it is able to detect all MtE-based viruses

Hopefully they will be published together at once.

[Moderator's note: Vesselin's MtE tests are available from:

    cert.org:pub/virus-l/docs/mtetests.zip
    ftp.informatik.uni-hamburg.de:pub/virus/texts/tests/mtetests.zip

For those without FTP access to the net, I have broken Vesselin's tests down into multiple chunks and will be posting each separately.]

>with 100% reliability... As I said, I don't know about Novi, because
>I don't have it, but NAV 2.1, CPAV 1.3, and UTScan 23.00.12 (the
>scanner part of the Untouchable, since Untouchable is mainly an
>integrity-based product) all failed the test - just like SCAN 97, they
>turned out to be unable to detect all MtE-based viruses used during
>the test reliably.
>
>> In any case, I would strongly suggest that you complete your research in
>> the future before posting incomplete results.
>
>I am doing my best to provide the most complete data possible to the
>users. So does the rest of the VTC-Hamburg. What has been observed in
>SCAN 95b was a BUG, that's why I was precipitated to publish the
>information about it. Or do you want to hide from your users that a
>particular (even if not the latest) version of your program is buggy
>and provides a false sense of security?

[...rest of message deleted...]

Bugs can be fixed. Bearing in mind that I am, after all, a McAfee Associates employee, I believe that McAfee Associates (and myself) have been very forthcoming to users about reporting bugs, fixing them, and suggesting workarounds while the bugs do get fixed.

Regards,

Aryeh Goretsky
Technical Support

- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.      | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14     | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California      | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA               | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date:    Tue, 03 Nov 92 10:05:18 +0000
From:    P.E.Beaman@lut.ac.uk (Peter Beaman)
Subject: Goblin virus (PC)

We have just located a Goblin virus on a researcher's disc who has come from Mexico. I have used the latest version of Dr. Solomon's Toolkit to erase the virus but just wanted to know how widespread Goblin is and whether the disc I repaired should still be used, in case any residual effects remain.

I look forward to hearing your views

Peter Beaman
Social Psychology Technician
LUT UK

------------------------------

Date:    Tue, 03 Nov 92 16:17:45 +0000
From:    ajchuah@mtu.edu (Low Profile)
Subject: Outdated F-PROT?? (PC)

Frisk and all,

I am currently using F-prot 2.04b on my machine and am using Virstop. I haven't had any problems until recently. I wanted to use F-prot 2.05 but since there was some mention on problems, I decided to stick with 2.04b.
Anyway, now when I boot up my machine, when it loads VIRSTOP, it gives a message that sounds something like "This version of F-PROT is rather old and ..." Overall, what it is trying to say is that the version of F-PROT I have is old and that I should replace it. Is this some form of virus, a way of your program notifying me to switch, or what? This message has come on the screen without fail for the past 2 weeks. Any help would be great.

BTW, what is the scope of the latest version of F-PROT?

Thanx.
- --
- -------------------------------------------------------------------------------
|                           | *BARK* *BARK* *BARK*   In Love with OS/2   |
| Alex J Chuah              | 38640Trident8900Cw1MViewSonic6ESVGAMonitor |
| ajchuah@mtu.edu           | 64Kcache8MBof70nsOkidataML93onLPT1         |
| ajchuah@mtus5.cts.mtu.edu | 80MB+1.3GBHDAlwaysIN2000SCSIController     |
|                           | ATIetc/ionCOM2Identity256GSScanner         |
- -------------------------------------------------------------------------------

------------------------------

Date:    Tue, 03 Nov 92 17:15:39 +0000
From:    millernw@craft.camp.clarkson.edu (Neal Miller)
Subject: Where to find VSUMX (PC)

Until I received a disk error this morning, I had a copy of a VERY nice database of virus info in hypertext format. It appeared very complete and was well written. I've been tromping all over wuarchive trying to find it again without any luck. If anyone could post/mail a site name (number) and directory, I'd appreciate it.

- Neal Miller
- --
- -----------------------------------------------------------------------------
Neal Miller          | "Why not go mad?" | millernw@craft.camp.clarkson.edu
Clarkson University  |  - Ford Prefect   | dark@craft.camp.clarkson.edu
- -----------------------------------------------------------------------------

------------------------------

Date:    Mon, 02 Nov 92 15:45:45 -0500
From:    ferris@turtle.fisher.com
Subject: Am I Infected? (PC)

I had the Stoned virus and I was getting a 1701 (or 1710, I forget) error on bootup. Supposed to indicate a hard disk error, I think.
I replaced the hard disk and controller, and virus-scanned everything that went onto the new disk. Ran the machine for a couple of days with no problems; then, after leaving it powered down for two weeks, it came up with the 1710 (or 1701, I for...) error again. Now it boots erratically, but it will boot from a floppy, which it wouldn't do with the old drive. (Won't access the hard drive after floppy boot.)

Am I stoned or hardware failured? Help, help, hell and damnation.

------------------------------

Date:    Mon, 02 Nov 92 14:56:55 -0500
From:    "Tom Zmudzinski"
Subject: Re: Comments on Recent Postings, Virus-L V5 #169

In VIRUS-L Digest V5 #169, "William Walker C60223 x4570" said:

> This, as well as other, similar exchanges, has caused VIRUS-L, a
> discussion list I consider very valuable, to become increasingly
> irritating to read. While there may be times that people need to
> speak out against something (e.g. Virus Simulator or CPAV's causing
> false positives), please keep the heat down and the professionalism
> up.

YAY, BILL !!!

Please, please, PULL-EASE !!! Let's keep it:

     DEFAULT=FLAME-OFF

Tom Zmudzinski
ZmudzinT@CC.IMS.DISA.MIL

=-=-=-=-= The preceding was a paid fanatical announcement =-=-=-=-=

------------------------------

Date:    Tue, 03 Nov 92 09:29:11 -0500
From:    lieberzeit@vax.felk.cvut.cs
Subject: What has became with R.T.Morris ?

Please, can someone tell me what has become of R.T. Morris (the author of the Internet Worm)? The last news I have is that he was found guilty of violating the Federal Computer Fraud and Abuse Act and sentenced to 5 years and $250,000. I am not sure this news is the final one. Was there not a court of appeal? I would also appreciate any further details.

Thanks,

V. Lieberzeit
The Czech University of Technology      Internet: lieberzeit@cs.felk.cvut.cs
Faculty of Electrical Engineering       BITNET:   LIEBER@CSEARN
Department of Computer Science          Tel.:     +42 (2) 29 78 41, ext.
440

------------------------------

Date:    Sat, 07 Nov 92 15:52:58 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: FP-206A.ZIP - F-PROT 2.06a: Virus detection/removal software (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil:

pd1: FP-206A.ZIP    F-PROT 2.06a: Virus detection/removal software

I don't know why this always happens....but right after I uploaded F-PROT 2.06, I got a message about a problem, which forced me to release 2.06a.

The problem is as follows - if a single copy of the program is installed on a network, it can only be used by one user at a time - attempting to run the program while somebody else is running it will generate a sharing violation.

I'm really sorry about the inconvenience....

frisk
- - -
Fridrik Skulason      frisk@complex.is

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 174]
******************************************