From virus-l@lehigh.edu Tue Nov 10 22:01:46 1992 Return-Path: Received: from Fidoii.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA11778; Tue, 10 Nov 92 22:01:46 +0100 Errors-To: krvw@cert.org Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA11300 (5.65c/IDA-1.4.4 for ); Tue, 10 Nov 1992 15:52:14 -0500 Date: Tue, 10 Nov 1992 15:52:14 -0500 Message-Id: <9211101943.AA07075@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V5 #176 VIRUS-L Digest Tuesday, 10 Nov 1992 Volume 5 : Issue 176 Today's Topics: Re: Filler virus - Need Help! (PC) OS/2 system stopped due to virus (FAT partition)? (OS/2) (PC) "LARRY ON A SCREEN" Virus (PC) "SHIFTER" Virus. (PC) Re: Infection density (PC) Re: SCAN 95b doesn't find MtE in EXE files (PC) Syrian Brain II (PC) Is this a virus? (PC) Re: ExeBug - other names and removal? (PC) Re: Information on ExeBug requested (PC). What does the ANTI-TEL virus do? (HELP!) (PC) Virus or Hardware? (PC) Michelangelo (PC) PS-MPC, similar to VCL (PC) Virus Protection on NFS Servers Denning Key Registration Virus List of virus books and reviews CHRISTMA: The "Card"! (CVP) Quick antiviral listing (general) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 04 Nov 92 06:27:21 +0000 From: mcafee@netcom.com (McAfee Associates) Subject: Re: Filler virus - Need Help! (PC) Hello Gilles, you write: >I just find out that Filler virus has invaded my computer system. The >Scan Test (SCAN 8.9V97 - McAfee) sometime detect it and other time it >can't. Is there any other thing I can do to get rid of this damned >virus... While there is an actual Filler virus from Europe (?), we have not had any actual reports of the virus, other than the initial disk that was send to us. However, it is fairly common for the Filler virus to be reported in memory due to a conflict between VIRUSCAN (SCAN) and other anti-viral programs if they use the same "search string" to detect the virus but the other anti-viral program does not hide the search string in memory by ciphering or otherwise encrypting it. I would recommend that you check your PC to see if any other anti-viral programs are running and if so, disable them and reboot your system. If the virus is no longer reported by SCAN then it is a false alarm. Regards, Aryeh Goretsky Technical Support - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | mcafee@netcom.COM Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95054-3107 USA | USR HST Courier DS | or GO MCAFEE Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR ------------------------------ Date: Wed, 04 Nov 92 15:27:03 +0000 From: sci240s@monu6.cc.monash.edu.au (Wey Jing HO) Subject: OS/2 system stopped due to virus (FAT partition)? (OS/2) (PC) My PC has just been infected by an unknown virus (both McAfee Scan Version 97 and CPAV failed to identify it/them). SCAN only report that all of the hard disk boot sectors have been modified (as compared to a CRC file created before the infection). I have both MS-DOS 5.00 and OS/2 (with the latest CSD) installed with DOS on FAT and OS/2 on HPFS. I just got the following message while trying to run MS-WORD for Windows 2.00a under OS/2: ####### Start message ################# The system detected an internal processing error at location ##0160:fff6459e - 000d:959e. 60000, 9084 048600b4 Internal revision 6.466, 92/10/15 The system is stopped. Record the location number of the error and contact your service representative. ########## End of message ############### I got this identical message when I try to run W4W 2.00a twice. Can this be caused by a virus? Note that W4W was running happily for the last 2 days after installing the latest CSD except for minor screen repaint problems (I have only been editing files and have not tried anything else like printing etc). - -- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >Wey Jing Ho Tel: 61-3-573-2567 E-mail : sci240s@monu6.cc.monash.edu.au< >Physics Dept., Monash University ( Caulfield Campus ), Melbourne, AUSTRALIA< ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ------------------------------ Date: 04 Nov 92 08:22:50 +0000 From: riordan.cybec@tmx.mhs.oz.au (Roger Riordan) Subject: "LARRY ON A SCREEN" Virus (PC) This virus was first reported (to our knowledge) by Brian Mariott, Dept of Computer Science, University of Tasmania, on Virus L, on 7th Oct. They received it from a computer shop, which had found it on a PC brought in by a customer. We received a sample on Oct 20th. It is a resident .COM & .EXE infector, adding 491 & 507 bytes respectively. Like Troi2, recently reported, it hides in the 2nd half of the interrupt table, overwriting interrupts 80 to FF, and, like Troi 2, it frequently crashed in our tests, again presumably because it overloads the system stack. It has one most unusual bug; it gives a "Write protect error writing drive .." message (and usually hangs), if you run a program from a write protected disk - even if the file is already infected! The virus uses the word 'GM' (474dh) as the signature. This is found at offset 4 in .COM files, and at offset 12h (the checksum field) in the .EXE header. The message below can be seen almost at the end of infected files. It includes a counter (set to 19 in our sample) which is decremented each time a program is infected. When the counter reaches zero the message Larry on a Screen is displayed instead of running the program. This virus does not pose a serious threat, as it does no deliberate damage, and is so unreliable that most users will realise something is wrong, even before they get the message. VET 7.06 will detect this virus, and restore infected files. It will also detect and repair files infected with Shifter (also recently found in Australia), and will detect a number of viruses recently discovered overseas. Roger Riordan. CYBEC Pty Ltd Ph: +61 3 521 0655 PO Box 205, Hampton. Vic 3188 AUSTRALIA Fax +61 3 521 0727 ------------------------------ Date: 04 Nov 92 08:24:37 +0000 From: riordan.cybec@tmx.mhs.oz.au (Roger Riordan) Subject: "SHIFTER" Virus. (PC) We received a copy of this virus, which is believed to have been found recently in Australia, 0n Oct 14th. The following notes are based on a preliminary analysis, and many parts have not been analysed in detail. The virus is an alternating .EXE and Master Boot Record infector, and will only run on ATs and PCs with an 80286 or later microprocessor. It is a complex virus, and analysis has been made more difficult by the inclusion of many 80286 specific instructions. It has a number of unusual features, and several nasty tricks which will cause the user serious inconvenience. It claims to be destructive, but this appears to be bluff. When an infected file is run the virus looks for the "AT" flag in the BIOS (FC at address FFFF:000Eh). If this is found (and the MBR is not already infected) the virus overwrites the original MBR, without saving it, and writes 12 more sectors to track zero, head zero, starting at sector three. It also writes zeroes to bytes 34 & 35 in the CMOS RAM. These two bytes are subsequently used as an elapsed time counter, which determines when the various nasty tricks come into play. These bytes are defined as "Reserved", and apparently are normally unused. The virus then disinfects the original file (whether or not it infected the hard disk) and writes the clean version back to the original disk. It then loads the original program and permits it to run normally. When a PC with an infected hard disk is booted the virus goes resident, reserving 7K at the top of memory, and traps Ints 8, 9, 11, 17 & 21. Int 8 (timer tick) is used to increment the counter in CMOS RAM each minute. This enables various nasty tricks after different delays. The Int 21 handler looks for functions 30 (Get version no), 4b (Load & execute), and 4e (Find first). It appears that the virus only infects files returned by 4e (Find First) and only if they are .EXE files between 8000 & 327,680 bytes in length. If this is correct it is a very ineffective infection procedure. We certainly had trouble getting infected samples. When a file is infected the length is increased by (decimal) 6672 bytes. The other interrupts are used to harrass the user. After the virus has been present for 10 days and 10 hours the Int 9 (keyboard) handler will occasionally randomly either ignore keystrokes, or trigger a RESET. After 13 days and 13 hours Int 21, function 4b (Load & execute a program) will sometimes cause a message stating that the hard disk is being formatted to appear. Meanwhile random sectors are read, so that the disk light remains on, but it appears that no damage is actually done. After 15 days & 15 hours Int 21, function 30 (Get DOS version) will always return version 2.0, and this will cause many programs to abort. VET 7.06 can detect this virus, and restore infected files. It cannot safely disable the virus, so it will ask the user to reboot from a clean disk if the virus is detected in memory. If the Master Boot Record is infected, and VET has been previously installed for the PC, VETHDFIX can put back the saved copy of the MBR. Otherwise VET can replace it with a "Plain Vanilla" boot sector. This will normally work perfectly, but we cannot guarantee it will work on all PCs. Roger Riordan. CYBEC Pty Ltd Ph: +61 3 521 0655 PO Box 205, Hampton. Vic 3188 AUSTRALIA Fax +61 3 521 0727 ------------------------------ Date: Wed, 04 Nov 92 15:49:00 -0700 From: haymoree@byu.edu (Edward Haymore) Subject: Re: Infection density (PC) : chess@watson.ibm.com (David M. Chess) writes: : > I'd like to start a brief tangent on the question of how many files : > are generally infected in a file-infector incident. Does anyone have : > any interesting experience of insights to share? A friend of mine got the Sunday virus and didn't notice for a few months -- he ended up with around 100 infected files. - -- Ed Haymore ed_haymore@byu.edu ------------------------------ Date: 04 Nov 92 16:00:28 -0800 From: a_rubin@dsg4.dse.beckman.com Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC) Stefano_Turci@f0.n462.z9.virnet.bad.se (Stefano Turci) writes: >The conversion is very simple, in fact COMTOEXE adds 32 bytes long >header at the top of the file, and the CS:IP points to the first byte >after the header. Does this work? I though you needed to reset segment registers for the converted program to run. If not, I can understand why the scanners don't detect it (although they should detect as a "varient" or "dropper".) - -- Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea 216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal) My opinions are my own, and do not represent those of my employer. My interaction with our news system is unstable; please mail anything important ------------------------------ Date: Thu, 05 Nov 92 03:47:37 +0000 From: int477k@lindblat.cc.monash.edu.au (Mr Brenton Judge) Subject: Syrian Brain II (PC) I had a call last night from a user whos machine was reporting that whilst his executables existed in directory listings, when he tried to run them DOS reported that it was a "Bad command or file name", every time he ran a file from the HD, and then after that every time he ran a file from the HD or his floppy. After getting him to upload the first executable that was run in his autoexec.bat from his HD, it was easy to find a virus which had its name clearly marked out as the Syrian Brain II virus. I had a quick look at the virus, and given the simplicity of the viral code (infect everything that the user tries to run after virus hooks int 21H) and the number of errors in the programming which would cause most of its messages to become corrupt, I wondered if this was as the name suggests a Syrian virus, or is it far more likely that its one made here. Has anyone else ever come across it? Brenton Judge ------------------------------ Date: Thu, 05 Nov 92 17:20:41 +0000 From: rknazik@x102a.harris-atd.com (knazik bob) Subject: Is this a virus? (PC) My 386 PC reports that I have 654360 conventional memory when I do a "chkdsk" or a "mem" (DOS 5.0). This is 1024 short of the expected amount. I seem to remember that there was a virus that caused this result, but VSCAN finds nothing wrong. Does anyone know if this is a virus or just some weird hardware failure ? Any help is appreciated. thanks Bob Knazik rknazik@x102a.ess.harris.com ------------------------------ Date: 05 Nov 92 09:59:21 +0000 From: duck@nuustak.csir.co.za (Paul Ducklin) Subject: Re: ExeBug - other names and removal? (PC) Thus spake mybdav02@uctvax.uct.ac.za: >There is an outbreak of EXEBUG virus on campus. >It is easily removed by copying the original partition table from >H0,T0,S17 to S17. Yes-ish. You must boot clean first, though. This is easier said than done with EXEbug. The virus tells your PC (by altering the CMOS setup) that it has no floppy drive A: installed. Some BIOSes, seeing this, figure that trying to boot from an uninstalled drive is pointless, and thus insist upon booting from hard disc. This gets the virus executed, and installed in memory. The virus then attempts to boot from floppy -- if there is a bootable floppy in the drive, you then seem to enjoy a clean boot, though the virus is already active and working. The virus' stealth mechanisms, once resident, deflect access from 0.0.1 to 0.0.17. So, when the virus is around, the partition record looks normal -- and the partition table looks correct. DOS, when working out which partitions belong to it, gets everything right. When *not* resident, 0.0.1 is pure virus code, with complete nonsense in the partition table zone. Boot without the virus, and DOS sees no partitions belonging to it -- ergo, no C: drive! So, if you try to boot clean to remove EXEbug, try logging to drive C: after bootup. If you get "Invalid drive specification", then that's *good* news. If you can reach drive C:, it means the virus is resident. Go into your CMOS setup, tell the system you *do* have a floppy drive and then instantly reboot from floppy. Only when drive C: is "absent" should you fire up NU, DE, DISCHAK or whatever to move 0.0.17 to 0.0.1. >Another question: the virus formats an extra sector on floppies and > copies the original boot sector there - how does one read this > sector? Does the virus have to be in memory? With the virus in memory, you'll see the "hidden" sector when you try to read 0.0.1 from floppy, thanks to EXEbug's stealth. So you can use the virus to access this extra sector...but then you can't write back over the infected 0.0.1. Try Explorer or PEEKA. - -- - --..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..-- Paul Ducklin duck@nuustak.csir.co.za CSIR Computer Virus Research Lab * Box 395 * Pretoria * 0001 S Africa ------------------------------ Date: 05 Nov 92 10:00:54 +0000 From: duck@nuustak.csir.co.za (Paul Ducklin) Subject: Re: Information on ExeBug requested (PC). Thus spake mybdav02@uctvax.uct.ac.za: >Recently, I have had a run-in with the so-called ExeBug virus I see you're posting from Cape Town -- not surprising that you've had EXEbug, because it's rapidly becoming the most common virus in South Africa. We've had reports of people buying new PC gear that came with the virus already present, which would help to explain its prevalence and rapid spread. If my memory serves me right, the virus appeared in about April 1992, near Pretoria. >I used CLEAN 97 A: [Swb] /nomem to remove the virus, and CLEAN >reported that it had removed the virus. However, on >rebooting (before any other programs were run), the partition table of >the HDD was infected! I assume the /nomem switch "turns off" the virus-in-memory check. If so, this is extremely silly. EXEbug's stealth is such that all writes to the partition record while the virus is resident get deflected to its hidden copy of the "real" partition record. You can't remove EXEbug with conventional techniques whilst it's resident. BOOT CLEAN BEFORE GOING VIRUS HUNTING... >In the article by BIT magazine, it was stated that the virus formatted >an extra sector for itself, and copied the original boot sector there. >I couldn't find this extra sector with Norton 6.01's DISKEDIT, so >copied clean boot sectors from other disks to the infected disks. Try Quaid's excellent Explorer, or Alan Solomon's PEEKA, if you wish to look at weird sectors. On high-capacity discs, EXEbug formats an extra track -- track 80 -- for its own use. Look for 80.0.1. On low-cap discs, it's at 40.0.1. One serious flaw in the virus is that it assumes that 720KB stiffies have 40 tracks (0..39), rather than 80, and formats its "extra" track at 40.0, obliterating anything that was there before! DISKEDIT is a "clever" program, which knows the geometry of specific mdeia. When you ask it to read a particular physical sector, it pops up an input form asking you to enter the track, head and sector you wish to look at -- and helpfully performs validation on your input. So, you can't ask to look at track 40 of a 360KB disc-- DISKEDIT is "intelligent" enough to know that your "40" is erroneous! - -- - --..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..--..-- Paul Ducklin duck@nuustak.csir.co.za CSIR Computer Virus Research Lab * Box 395 * Pretoria * 0001 S Africa ------------------------------ Date: Thu, 05 Nov 92 21:59:06 +0000 From: arup+@cs.cmu.edu (Arup Mukherjee) Subject: What does the ANTI-TEL virus do? (HELP!) (PC) Hi, my hard disk (unix partition! :-( just got nailed by what an anti-virus program claims is the "ANTI-TEL" virus. I didn't see it run, but after it had done its dirty work my screen was filled with messages saying something like "Campagna Telfonica (Barcelona)". Needless to say the disk wasn't backed up :-((((( I'm wondering if ANY of the data left on the disk is still valid.... If anyone can mail me a description of what this virus does in order to assist me in fixing the disk, I'll be forever in your debt.... (I'd be grateful for ANY information regarding it, actually....) Many thanks, - -Arup ------------------------------ Date: Thu, 05 Nov 92 16:05:35 -0500 From: ferris@turtle.fisher.com Subject: Virus or Hardware? (PC) I had an infection of the stoned virus and my hard disk started giving the 1701 error on bootup. I changed out the hard disk and controller with a new, low-level formatted drive/controller. I scanned all software for viruses and eliminated any that showed up. When the new disk was loaded with the old files, I scanned it and found no viruses. Now the new disk is giving me 1701's intermittently. Do I have a hardware problem or a virus? Thanks, Jeff ------------------------------ Date: Thu, 05 Nov 92 22:55:00 -0500 From: BOORMABC@snyalfva.cc.alfredtech.edu (SysOp... TECH-Line BBS... Alfred State) Subject: Michelangelo (PC) Does anyone know how Michelanelo is transmitted. We have a serious problem at this institution with it's spread. Basically my question is this: We know that it can transmit via a 5-1/4 disk in the A drive of a PC, but can it infect the boot sector of a 3-1/2 floppy in the B drive? Thank you. Brian C. Boorman SUNY College of Technology at Alfred ------------------------------ Date: Fri, 06 Nov 92 16:27:13 -0500 From: Mind Your Own Business!!!! Subject: PS-MPC, similar to VCL (PC) I have come across the Phalcon/Skism Mass-Produced Code Generator. Here is a bit of info on what it can do. 1) like VCL in design but no IDE. 2) Over 150 encryption techniques. 3) Creates compact commented code (ASM) 4) COM/EXE infections, option to exclude command.com 5) Both Resident and non-resident viruses 6) Two type of traversal for non-resident viruses 7) Three types of high memory residency routines for TSR's 8) Optinal Critical error handling routines (external) 9) variable activation dates So far the creation rate is about 80% (only small modifications to the 20%) There is now destructive code in the generator, but anyone with simple ASM knowledge can add them. Q: does McAFEE, for Frisk, have a scan string for the viruses made buy the MPC? ------------------------------ Date: Wed, 04 Nov 92 15:27:44 +0000 From: pahountis@alcoa.com (Julia Pahountis) Subject: Virus Protection on NFS Servers Does anyone have any prevention techniques/recommendations to share regarding virus protection on NFS file servers which are being accessed by MACs, PCs and UNIX workstations? I would appreciate any comments and ideas that you may have! Thanks, 100 Technical Drive - Bldg. B Alcoa Center, PA 15069 (412) 337-3744 ------------------------------ Date: Fri, 06 Nov 92 16:09:36 -0500 From: Lynn R Grant Subject: Denning Key Registration Virus I think we are witnessing the first virus that doesn't require any special code to operate. Just look at the sci.crypt forum. After Dorothy Denning's talk at the last NCSC conference about registering crypto keys with the goverment, there has been a tremendous response (mostly angry) on sci.crypt; the other day I checked the forum and there were 450 new postings since a day or two previous. Now postings are starting to be cross posted to the risks and privacy forums. This is sort of like the IBM XMAS virus, but it doesn't take any code. All you have to do is post a highly controversial item on a well-read forum, and wait for the responses to bring the network to its knees. Lynn Grant Grant @ DOCKMASTER.NCSC.MIL N8AF ------------------------------ Date: Fri, 06 Nov 92 23:22:37 +0000 From: leduc@angelo.amd.com (Paul LeDuc) Subject: List of virus books and reviews Any definite net viral book lists I do not know of. However, there are a few publications that I know of that are good sources of viral information. First, ACM has the SIGSAC SIG for Security and Audit Control. Second, there is a magazine called ISPN Information Security Product News, that has virus related articles once in a while. Third, there is a software company based in the U.K. that puts out a newsletter called Virus Watch that is helpful. There are also quite a number of good books on the subject as well: A Pathology of Computer Viruses David Ferbrache The Computer Virus Handbook David Levin Worms, Trojans, and Viruses Computers Under Attack Peter Denning Hope this helps... And yes any sources you find would be of interest Paul ------------------------------ Date: Fri, 06 Nov 92 12:21:47 -0800 From: rslade@sfu.ca Subject: CHRISTMA: The "Card"! (CVP) HISVIRH.CVP 921022 CHRISTMA EXEC - the card In December of 1987 IBM mainframe computers in Europe, connected via the EARN network, experienced a "mailstorm". Such events are fairly common on the "internetworks", caused by mailer problems, incompatibilities, or even "autoanswer" daemons replying to messages from unmoderated "distribution lists". This particular mailstorm, however, was of unprecedented severity. It shut down whole sections of the net, at least as far as effective work was concerned. For many, probably for most, users, email is simply text. A select group are involved with the exchange of programs or other binary files, often UU or XXencoded and sent through email systems, and often "imbedded" within messages as a greater or lesser portion. Some users have these facilities provided for them, through systems that are configured with these functions. (NeXT users have these functions in automated form, for example, and also have a reputation for not knowing how they work, cross-posting incomprehensible garbage to distribution lists and newsgroups.) IBM mainframe users often have such functions provided through PROFS and an interpreter language called REXX. Programs in REXX are called EXECs. The CHRISTMA EXEC was a message that contained such a program. "Christmas card" messages with this system can be more than just the usual "ASCII tree". (Perhaps, since this deals with IBM mainframes, I should use the more generic "typewriter picture". Anybody remember what a typewriter was? :-) These messages could include forms of animation such as asterisk snowflakes falling on a winter scene, or a crackling fire from a yule log. The message header contained a note that "Browsing this message is no fun at all. Just type Christmas .." which was intended to stop people from trying to read the "source code" of the message, but it is unlikely that few would even think to do so. Typing either "Christmas" or "Christma" would generate the "card". It really wasn't anything special, a very simplistic conifer shape made out of "X"s. (Mine is *way* better :-) At least on the surface. However, at the same time that it was displaying the tree on the screen, it was also searching for the NAMES and NETLOG files associated with the user's account. This provided a list of other users that either sent mail to or received mail from this account. The important thing was that it was a list of valid email addresses. The CHRISTMA EXEC would then mail copies of itself to all of these accounts. The important point, technically, was that all of the accounts were valid. As a side benefit, all of those accounts would be used to receiving mail from the account that had just read it. And they would tell 40 friends, and they would tell ... copyright Robert M. Slade, 1992 HISVIRH.CVP 921022 ============== Vancouver ROBERTS@decus.ca | "My son, beware ... of the Institute for Robert_Slade@sfu.ca | making of books there is Research into rslade@cue.bc.ca | no end, and much study is User p1@CyberStore.ca | a weariness of the flesh." Security Canada V7K 2G6 | Ecclesiastes 12:12 ------------------------------ Date: Fri, 06 Nov 92 23:38:05 -0800 From: rslade@sfu.ca Subject: Quick antiviral listing (general) I am starting smarting from the flame burns I got last time I posted this. In addition, the net itself seems to agree with the complainants: it has "eaten" the last two postings. Nonetheless, five people have requested this lately, so ... QUICKREF.RVW 921106 Antiviral software and utilities "quick" reference Product Ver Type UI Doc Ease Ovrl Price Comments SDRIMOE CG 1-4 I U 1-4 | | | | | | | | Amiga BootX 4.50 SDRM G free amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu Computer Virus Cat.9207 info 4 4 Free CARO, cert VirusChecker 6.06 amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu VirusX (outdated?) s.tibbett on BIX ZeroVirus Atari Computer Virus Cat.9207 info 4 4 Free CARO, cert VKILLER 3.84 woodside@ttidca.com Mac Advanced Security (see MS-DOS) Computer Virus Cat.9207 info 4 4 Free CARO, cert Disinfectant 2.9 SDR nwu Gatekeeper 1.2.6 R MO Free Chris Johnson Rival Microseeds Publishing SAM 3.0.8SD M $99 Symantec/Norton Virex (see MS-DOS, product not by same author) VirusDetective Jeff Shulman MS-DOS Advanced Security I OE C 2 2 3 1 PCADVGRV.RVW Advanced Gravis Antivirus (IRIS) SDR M C 2 2 4 2 $49 PCANTIVR.RVW Fink Enterprises Antivirus-Plus SDR M C 2 2 4 2 $99 PCANTIVP.RVW Trend Micro Anti-Virus Toolkit 6.0? SDRIMO CG 3 2 3 4 PCDSAVT.RVW S&S International Ltd., sands@cix.compulink.co.uk, perComp Verlag, Ontrack Central Point Anti-virusSDRI O G 3 2 2 2 not coexist with others Central Point PCCPAV.RVW Certus LAN 2.0 SD I O CG 2 1 3 2 PCCERTUS.RVW Certus Computer Virus Cat.9207 info 4 4 Free CARO, cert Control Room I G 2 4 4 2 PCCTRLRM.RVW Borland Data Physician + 3.1A SDRIM C 2 2 2 2 PCDATPHS.RVW Digital Dispatch DISKSECURE 1.15A IM C 2 3 3 4 BSIs only risc, urvax, eugene cf also FixMBR, FixUTIL PCDSKSEC.RVW SafeMBR, CHKSMBR, CHKMEM, CHKBOOT in FixUtil etc. are free Eliminator 1.17 SDR C 3 2 3 2 PCELMNTR.RVW British Computer Virus Research Centre F-PROT 2.06 SDR CG 3 3 3 4 home - free, bus. - $1/CPU frisk@complex.is, risc, urvax, eugene, garbo PCFPROT.RVW Hoffman Summary 209 info G 3 3 $35 risc, urvax, eugene HTScan 1.8 S C 2 3 3 3 Free (non-comm.) (also VSIG 9210) risc, urvax, eugene, garbo IBM Anti-Virus Prod2.19 S C 3 3 3 3 $35/company PCIBMSCN.RVW local IBM rep Integrity Master 1.24 S I CG 3 3 3 $35 PCIM.RVW risc, urvax, eugene LANProtect 1.0 S CG 1 2 2 2 Intel Mace Vaccine 3.0 M G 1 3 2 1 PCMACE.RVW Fifth Generation Norton AntiVirus SDRI G 2 3 2 3 $130 PCNRTNAV.RVW Symantec/Norton PC-Cillin 2.95L SDRIM G 3 3 3 2 $139 PCCILL2N.RVW Trend Micro SafeWord Virus-Safe1.12 I C 2 3 4 3 PCSAFWRD.RVW Enigma Logic Thunderbyte Scan 4.3 S C 2 2 3 3 $29 PCTBSCAN.RVW (also VSIG 9210) (a beta version of a revised product, TBAVB500 is also available) risc, urvax, eugene, garbo VACCINE (WWS) 5.00 SD IMO C 2 1 2 2 PCWWSVCN.RVW The Davidsohn Group VACCINE (Sophos) 9111 S I CG 2 2 2 3 PCSOPHOS.RVW Untouchable 1.1 SDRIM CG 2 2 2 2 PCUNTUCH.RVW Fifth Generation Systems VDS 2.10T I CG 2 2 3 2 PCVDS.RVW risc, urvax, eugene Victor Charlie 5.0 IM C 3 2 3 3 $99 PCVC.RVW Delta Base Enterprises Virex-PC 2.2 SDRIM G 4 2 4 4 $99 PCVIREX.RVW Microcom ViruCide SD G 3 4 3 3 $49 PCVIRCID.RVW Parsons Technology Virus0Buster 3.75 SDRIMO CG 3 3 3 4 PCVRBSTR.RVW Leprechaun Software (70451.3621@compuserve.com) VIRUSCAN Suite 97 SDRIM C 2 2 2 3 ~$25/module risc, urvax, SIMTEL, garbo, mcafee.com PCSCAN.RVW VirusSafe LAN 4.01 SDRI O CG 2 2 3 2 PCVIRSAF.RVW EliaShim Micro VIRx 2.4 S C 2 3 4 4 Free (non-comm.) risc, urvax, eugene, SIMTEL, Microcom Vi-Spy 10.0 SDR M CG 2 2 3 3 $150 PCVISPY.RVW RG Software Systems | | | | | | | | Key: Type - S=scanner, D=disinfection (restoration of state), R=resident, I=integrity checking, M=activity monitor, O=operation restricting, E=encryption UI - user interface - C=command line, G=menu or GUI The following are based on a 1=poor - 4=excellent scale Doc - documentation Ease - I=installation, U=use Ovrl - overall rating for general use Sites: CARO - ftp.informatik.uni-hamburg.de (134.100.4.42) cert - cert.org (192.88.209.5) eugene - eugene.utmb.edu (129.109.9.21) garbo - garbo.uwasa.fi nwu - ftp.acns.nwu.edu (129.105.113.52) risc - risc.ua.edu simtel - wsmr-simtel20.army.mil urvax - urvax.urich.edu For others see Jim Wright's postings. For more detailed reviews see /pub/virus-l/docs/reviews at cert For general virus info see VIRUSFAQ.TXT at cert copyright Robert M. Slade, 1992 QUICKREF.RVW 921106 ============== Vancouver ROBERTS@decus.ca | Omne ignotum pro magnifico. Institute for Robert_Slade@sfu.ca | - Anything little known Research into rslade@cue.bc.ca | is assumed to be User p1@CyberStore.ca | wonderful. Security Canada V7K 2G6 | - Tacitus ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 176] ******************************************