Date: Wed, 3 Mar 1993 07:28:36 -0500
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #38

VIRUS-L Digest   Wednesday, 3 Mar 1993   Volume 6 : Issue 38

Today's Topics:

Re: your opinions on virus legality
Why only PCs?
Sources of virus information
Re: your opinions on virus legality
PC Magazine reviews virus (PC)
Re: EXE/COM switch (PC)
Re: New Virus (PC)
Re: PC Magazine on Anti-Virus Software (PC)
Re: Michelangelo or STONED? (PC)
Signatures (PC)
problems with f-prot's virstop. (PC)
Re: PD Virus Detect/Clean (PC)
Re: standardization (PC)
CHKDSK (PC)
new mcafee programs available (PC)
New files on risc (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .
   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Tue, 02 Mar 93 15:29:44 +0000
From: antkow@eclipse.sheridanc.on.ca (Chris Antkow)
Subject: Re: your opinions on virus legality

Possession of a handgun is NOT illegal in Canada so long as you have an FAC (Firearms Acquisition Certificate). Are you perhaps hinting that the global computing community should be issuing VAPCs (Virus Acquisition and Possession Certificates)?

This is getting quite interesting. I think I'll get in touch (whenever I find time) with the local Mississauga, Ontario constabulary in charge of computer crimes and pick his brain on this matter...

I could see the point if a firearm is mistakenly discharged, the owner is held personally liable, but a virus? As stated before in this conference, some people just plainly DON'T KNOW that they are infected and innocently and unbeknownst introduce it on another system whenever new software is installed. Are they to be shot down and held liable for "doing their job" or for being a "good samaritan"?

Sure, copying of software is illegal, but people do it all the time... Could this perhaps be a deterrent in order to get people to stop copying programs? The plot thickens...

Cheers...

Chris
antkow@eclipse.sheridanc.on.ca

------------------------------

Date: Tue, 02 Mar 93 15:38:23 +0000
From: Jason.Price@lambada.oit.unc.edu (Jason Price)
Subject: Why only PCs?

I have a question. Why is it that all the virus discussions are about PCs and Macs? There ARE other computers out there. What about NeXT, C-64, Amigas? I hardly ever see anything on those types of computers. Is it possible those types don't have as many virus problems as PCs?

Jason

--
The opinions expressed are not necessarily those of the University of North Carolina at Chapel Hill, the Campus Office for Information Technology, or the Experimental Bulletin Board Service.
internet: laUNChpad.unc.edu or 152.2.22.80

------------------------------

Date: Tue, 02 Mar 93 11:33:35 -0500
From: David Stang <75300.2673@compuserve.com>
Subject: Sources of virus information

Hello, faithful readers of Virus-L. I'm sure all of you join me in congratulating our moderator, Ken van Wyk, on his new job down here in Washington and in thanking him for continuing his efforts with Virus-L.

I'd also like to thank Vesselin for mentioning our newest product, V-Base:

sbonds@jarthur.Calremont.EDU (007) writes:

>>Currently, MSDOSVIR is the only list I know of that contains accurate
>>or nearly accurate virus info. Frisk also has good information, but
>>it is rather brief.

Vesselin responds:

>There are two other alternatives. First, we are working on a browsing
>program for the Computer Virus Catalog (of which MSDOSVIR is only a
>part). The package, called CVBASE, is available via anonymous ftp from
>our site.

>The second alternative is produced by ICSA and is called V-Base. A
>demo version of it (supporting only the viruses with names beginning
>with A, B, and C) is also available from our ftp site.

You can also download the demo version of V-Base from the ICSA's BBS (202-364-0644 - filename VBASEABC.ZIP). We're trying very hard to be accurate and welcome any comments and certainly additional information. If you do send us information, we'll investigate it and cite you as a source. We're also including general information on prevention, detection and removal, along with articles that are of interest to both users and managers. V-Base is updated monthly and is available both in single user licenses and site licenses. (end plug)

On another topic: Next week marks this industry's annual Ides of March conference in New York. As in the past, there will doubtless be some stimulating talks and valuable catching-up with each other.
-- The following statements are *not* meant as a flame against the coordinators of the event - rather, it's an attempt to avoid potential confusion. --

Some of you saw my picture in an ad for the conference in Computerworld and are probably assuming that I'll be speaking. And some of you didn't see the ad but are expecting me to speak because I've done so in the past. However, I'd like to make clear that I was never invited to speak, and I did not give permission for my picture to be used in promotional material. A truly unfortunate turn of events, and I regret that I won't be seeing all of you this year. I hope all who attend have a good time.

David Stang
Director of Research
International Computer Security Association
voice: 202-364-8252   fax: 202-364-1320   BBS: 202-364-0644

------------------------------

Date: 02 Mar 93 22:32:55 +0000
From: dudleyh@redgum.ucnv.edu.au (Dudley Horque)
Subject: Re: your opinions on virus legality

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>You see, there are BIG differences between the local laws in the
>different countries. You shouldn't assume that something is legal or
>illegal (and should remain so) just because it is so in your
>particular country. On the other side, computer viruses do not
>recognize country boundaries...

That's USAns for you. But everyone else gets the last laugh... many of their kids in secondary education cannot even point out where the USA is on a map. They also insist on calling the USA America, thus insulting the Canadians, Mexicans, et al. Still, this does cut down on the number of dangerous viruses that the USAns can write.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ciao4niao                  My philosophy on life is far too deep
Dudley Arthur Horque       to fit into two lines... I'd need three.
------------------------------

Date: 27 Feb 93 15:41:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: PC Magazine reviews virus (PC)

Quoting from Christopher Yoong-meng Wo to All About PC Magazine reviews virus on 02-26-93

CY> Somehow, this review seems out of sync with almost everything I've re
CY> here about virus scanners. Opinions? It seems to me a letter to the
CY> letters page signed by a major virus researcher (or ten :-) ) would c
CY> a lot of weight.

I read that article, and I don't like it at all. 11 viruses is not a large enough sample to test anti-viral software when there are around 2,000 known specimens. If they had tested these products against the viruses known to be in the wild, the tests would have a lot more validity.

Bill

---
* WinQwk 2.0 a#383 * Hacked version of LHarc released as LHice 1.14

------------------------------

Date: Tue, 02 Mar 93 15:37:08 +0000
From: antkow@eclipse.sheridanc.on.ca (Chris Antkow)
Subject: Re: EXE/COM switch (PC)

The fact of the matter is that any resident virus that monitors function 4Bh, subfunction 00h (Int 21h) WILL be able to infect a file, even if the extension has been renamed... (Provided the virus is written "correctly"... Gack).

Whenever a file is executed, it is immediately passed to AX,4B00h/INT 21h. The rest is at the mercy of the viral code... If the file can't be executed, then it's never passed to AX,4B00h/INT 21h... (Someone correct me if I'm wrong...)

Cheers...

Chris
antkow@eclipse.sheridanc.on.ca

------------------------------

Date: Tue, 02 Mar 93 15:52:04 +0000
From: antkow@eclipse.sheridanc.on.ca (Chris Antkow)
Subject: Re: New Virus (PC)

Well, if it is a Sourcer-generated disassembly, it's a damn good one. I don't know German, but it compiles into a working copy and you are able to make modifications to it and the pointers are flexible, unlike Sourcer's static, rigid offsets...
As far as I know, Sourcer does not let you EASILY change a disassembly because of the EQUates and static values it generates. This disassembly has a VSTART EQU $ and a VEND EQU $ that makes for flexible code-length finding and changes the relative offsets based on actual code length and not "what Sourcer wants to be in a certain location".

I'll double check, as I've only looked it over on about 2 occasions, but it sure looked like the real thing...

Cheers...

Chris
antkow@eclipse.sheridanc.on.ca

------------------------------

Date: 02 Mar 93 12:08:23
From: smd@hrt216.brooks.af.mil (Sten M. Drescher)
Subject: Re: PC Magazine on Anti-Virus Software (PC)

On 1 Mar 93 17:28:42 GMT, frisk@complex.is (Fridrik Skulason) said:

Fridrik> Joe.George@nd.edu writes:

>Hello:
>Do people in this group support PC Mag's Editor's Choice Awards to
>Central Point Anti-Virus and Norton's Anti-Virus? I thought the best
>protection was McAfee's SCAN backed up by F-PROT or vice-versa.
>In the review, F-PROT received an honorable mention because it correctly
>removed all of the viruses it found. The review did not test McAfee's
>SCAN.

Fridrik> Well, they did not want to include any shareware programs at
Fridrik> all (quite silly, because they are the most popular ones) -
Fridrik> therefore no SCAN, and F-PROT only got included because we
Fridrik> have an expanded, commercial version available. I am not

Incorrect - McAfee was represented by an expanded, commercial version called Pro-Scan. I agree that excluding shareware programs from review was silly, but they did mention the shareware parallels of both packages. Of course, F-Prot Pro was (probably justifiably) portrayed as superior to F-Prot, while Pro-Scan was portrayed as lacking in comparison to the SCAN/CLEAN/VSHIELD trio.

Fridrik> terribly happy with the review, of course - well, it was nice
Fridrik> to see that I had one of the 13 (out of 24) scanners that
Fridrik> detected all the 11 (!!!)
Fridrik> viruses, and that F-PROT was the
Fridrik> only program that could remove them all correctly, but the
Fridrik> basic problem with the review, from my point of view, is that
Fridrik> they did not ask any virus "experts" for advice, and relied on
Fridrik> incorrect or incomplete information (for example they say that
Fridrik> 57 variants of Jerusalem exist, where the correct number is at
Fridrik> least 125). So, basically it is a good review of anti-virus
Fridrik> program interfaces - their virus collection is far too small

That's been what I've seen from all of the anti-virus reviews in the mass-market magazines. Don't worry about accuracy if you want to get a good review - just put on those bells and whistles!

Fridrik> (11 viruses is silly...they should have used at least the
Fridrik> 50-100 that are in the wild), the viruses they used are old,
Fridrik> so a program that had not been updated for 18 months would
Fridrik> have detected all but one or two....and so on...

Fridrik> Anyhow, I wrote them a 4-page letter about this...

I hope that they have the balls to print an accurate portion of your letter.

--
+---------------------------+--------------------------------------------+
| Sten Drescher             | "My country, right or wrong. When right,   |
| 2709 13th St #1248        | to be kept right. When wrong, to be put    |
| Brooks AFB, TX 78235-5224 | right."                                    |
|---------------------------+----+---------------------------------------+
| sdrescher@animal.brooks.af.mil |                                       |
+--------------------------------+---------------------------------------+

------------------------------

Date: 02 Mar 93 14:40:33 +0000
From: "G.Randolph Bickerton"
Subject: Re: Michelangelo or STONED? (PC)

bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) writes:

> Quoting from Leprican~~~ to All About Michelangelo or STONED? ( on
> 02-21-93
>
> L > Reformatting it from a write-protected floppy didn't remove it, eithe
> L > Does anyone have any suggestions on how to combat this virus?
> L > thanks,
>
> You should be able to remove Michelangelo with Clean with the following
> from the command line.
>
> CLEAN C:[MICH]
>
> [Moderator's note: See the recent discussions on the potential
> problems with using this command.]
>
> Maybe you have a new variant of Michelangelo.
>
> The reason the format didn't remove the virus is because viruses like
> Michelangelo and Stoned hide in the partition table of the hard drive,
> and Format never touches this area.
>
> Bill
>
> ---
> * WinQwk 2.0 a#383 * JERUSALEM (Arnakia) activates Tuesday the 13th
>

Isn't the correct procedure to repartition the hard disk then reformat?

G. Randolph Bickerton           GRB@rbyte.proteus.qc.ca
P.O. Box 781                    TEL (514)744-5524
Pte-Claire Dorval, PQ H9S 2L5   FAX (514)748-8109

------------------------------

Date: 03 Mar 93 00:37:31 +0000
From: motazev@hobo.ECE.ORST.EDU ( )
Subject: Signatures (PC)

To check for an executable file a virus will read in the appropriate bytes and check to see if it is "MZ". Why do some viruses check for "ZM"? What kind of file does this denote?

--
Vahid
motazev@hobo.ece.orst.edu

------------------------------

Date: Tue, 02 Mar 93 21:14:07 -0500
From: ed
Subject: problems with f-prot's virstop. (PC)

Here is a common problem that I have detected with f-prot's virstop... When a program loads and virstop finds a virus, it doesn't remove that program from memory and thus leads to further infection unless rebooted.. Any suggestion as to how to effectively remove the bug from memory???

ed.

------------------------------

Date: 03 Mar 93 09:43:37 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: PD Virus Detect/Clean (PC)

Carpenter@Fwva.Saic.Com (Apprentice Wizard) writes:

>I'm looking for opinions on the best public domain virus
>detectors/cleaners. Any help would be greatly appreciated. Thanks -

Simple. There are none.
There are several good *Freeware* programs, at least for the Mac, as well as several good *Shareware* scanners/cleaners available, but no public domain ones - at least that I know of.

-frisk

--
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date: 03 Mar 93 09:52:45 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: standardization (PC)

bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) writes:

>I'm glad that scanner authors are using the CARO naming system.

Unfortunately not all of them are - which is what is causing the confusion.

>Occasionally I run into new or modified specimens. How can I send these
>specimens directly to CARO?

You cannot. CARO maintains several mailing lists, for various purposes - one of which is supposed to be an "open channel" for "outsiders", but it is not for virus samples...just questions.

>Up to now, I have been sending them to Glenn Jordan, Wolfgang Siller, or
>yourself.

yep...thanks... :-)

The best way is actually just to do that...send us, or other CARO members like Vesselin Bontchev, the viruses, either on a diskette or by E-mail (encrypted, please, and send the password via fax or by phone). If you have FTP access, you can also upload the samples to /incoming (which is write-only) on my personal machine (complex.is). Once I (or one of the other CARO members) get the viruses, they will be distributed to the rest of the group.

-frisk

--
Fridrik Skulason      Frisk Software International      phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date: Tue, 02 Mar 93 03:42:25 -0500
From: A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: CHKDSK (PC)

Ref these messages this year so far about CHKDSK:-

[Chkdsk / undelete fix from Microsoft.
(PC)]                                                              002
[MS-DOS CHKDSK & VER /R (PC)]                                      003
[Re: MS-DOS CHKDSK & VER /R (PC)]                                  004
[DOS CHKDSK bug: How to show it with a small hard disk (PC)]       015
[DOS CHKDSK bug: a first (?) victim (PC)] spoilt hard disk root directory   016

My only experience of CHKDSK so far is running CHKDSK /f today. On my PC just now it found and recovered over SIXTEEN MILLION bytes of hard disk storage in 40 lost chains. Many of them were work files left by (interrupted?) runs of an old Fortran compiler called WATFOR, which I had to use to prepare programs for running on some old PCs with 286 processors that my department has.

------------------------------

Date: Mon, 01 Mar 93 22:39:51 -0500
From: HAYES@urvax.urich.edu
Subject: new mcafee programs available (PC)

Hi gang.

Just received and fetched the new 102 series of programs from McAfee Associates. Many thanks to Aryeh for mentioning their availability.

Best, Claude.

==========
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]
FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes      HAYES @ URVAX               (Vanilla BITNET)
University of Richmond    hayes@urvax.urich.edu       (Bitnet or Internet)
Richmond, VA 23173

------------------------------

Date: Mon, 01 Mar 93 22:55:49 -0500
From: James Ford
Subject: New files on risc (PC)

The v1.02 series of McAfee files (scan, clean, netscan, OS/2 scan, OS/2 clean, etc.) are now available via anonymous FTP from risc.ua.edu (130.160.4.7) in the directory /pub/ibm-antivirus. Also included is nshld111.zip (Novell NLM), allmsg.zip and the latest validate.crc.

----------
A consultant may be defined as an unemployed practitioner.
----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
jford@ua1vm.ua.edu, jford@seebeck.ua.edu
Work (205)348-3968   fax (205)348-3993

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 38]
*****************************************
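Editor's added example for the "Re: EXE/COM switch (PC)" and "Signatures (PC)" messages in this issue. It is not code from the digest or from any of its contributors. Two facts about MS-DOS underlie it, neither stated in the digest itself: the EXEC loader (INT 21h, AH=4Bh) chooses between the .EXE and .COM load paths by reading the first two bytes of the file, not by looking at the extension, and it accepts the signature in either byte order, 4D5Ah ("MZ") or 5A4Dh ("ZM"), as an MZ header. That is why renaming a file does not change what the loader, or a resident virus hooking 4B00h, will do with it, and why a careful virus or scanner tests for both spellings. The function names, the `ImageInfo` record, the mismatch heuristic and the sample file are all constructed here for illustration.

```python
"""Classify a DOS program image by its header rather than its file name.

Added example (editor's, not from the VIRUS-L digest).  Facts relied on:
the DOS EXEC loader decides .EXE vs .COM from the first two bytes of the
file, not the extension, and accepts either "MZ" (4D5Ah) or "ZM" (5A4Dh)
as the EXE signature.  Names and the sample file are constructed.
"""
import struct
from dataclasses import dataclass

# The 28-byte fixed part of the MZ header, little-endian:
# e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
# e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
MZ_HEADER = struct.Struct("<2s13H")
MZ_SIGNATURES = (b"MZ", b"ZM")


@dataclass(frozen=True)
class ImageInfo:
    kind: str            # "MZ" (EXE format) or "COM" (raw image)
    signature: bytes     # b"MZ", b"ZM", or b"" for a raw COM image
    header_paragraphs: int
    entry_offset: int    # file offset of the first byte DOS will execute


def parse_image(data: bytes) -> ImageInfo:
    """Return what the loader would do with these bytes, ignoring the file name."""
    if data[:2] in MZ_SIGNATURES:
        if len(data) < MZ_HEADER.size:
            raise ValueError("MZ signature but truncated header")
        (sig, _cblp, _cp, _crlc, cparhdr, _minalloc, _maxalloc,
         _ss, _sp, _csum, ip, cs, _lfarlc, _ovno) = MZ_HEADER.unpack_from(data)
        # The load module starts right after the header (cparhdr paragraphs
        # of 16 bytes); CS:IP is relative to the start of the load module.
        entry = (cparhdr + cs) * 16 + ip
        if entry >= len(data):
            raise ValueError("entry point CS:IP lies outside the file")
        return ImageInfo("MZ", sig, cparhdr, entry)
    # No MZ signature: loaded as a raw .COM image at CS:0100h, so the
    # first byte of the file is the first instruction executed.
    return ImageInfo("COM", b"", 0, 0)


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension says one format and the header says the other.

    Constructed heuristic a scanner could use to flag renamed executables
    (the "EXE/COM switch"): the loader and a virus hooking INT 21h/4B00h
    both go by the header, so the name alone proves nothing.
    """
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    kind = parse_image(data).kind
    return (ext == "COM" and kind == "MZ") or (ext == "EXE" and kind == "COM")


# --- constructed sample input ---------------------------------------------

ENTRY_CODE = b"\xb8\x00\x4c\xcd\x21"   # MOV AX,4C00h / INT 21h (exit to DOS)


def build_sample_exe(signature: bytes = b"MZ") -> bytes:
    """Build a tiny constructed MZ file: 32-byte header (2 paragraphs),
    16 bytes of NOPs, then ENTRY_CODE at CS:IP = 0000:0010h."""
    header_paragraphs = 2
    body = b"\x90" * 0x10 + ENTRY_CODE
    total = header_paragraphs * 16 + len(body)
    header = MZ_HEADER.pack(
        signature,
        total % 512,             # e_cblp: bytes used in the last 512-byte page
        (total + 511) // 512,    # e_cp: number of 512-byte pages
        0,                       # e_crlc: no relocation entries
        header_paragraphs,       # e_cparhdr
        0, 0xFFFF,               # e_minalloc, e_maxalloc
        0, 0x100,                # e_ss, e_sp
        0,                       # e_csum (not checked by the loader)
        0x10, 0,                 # e_ip, e_cs
        MZ_HEADER.size,          # e_lfarlc: relocation table offset
        0,                       # e_ovno
    )
    return header.ljust(header_paragraphs * 16, b"\0") + body


if __name__ == "__main__":
    exe = build_sample_exe()
    samples = (("GAME.EXE", exe), ("GAME.COM", exe),
               ("TINY.COM", ENTRY_CODE), ("ODD.EXE", build_sample_exe(b"ZM")))
    for name, blob in samples:
        info = parse_image(blob)
        print(f"{name:9} -> {info.kind:3} sig={info.signature!r:6} "
              f"entry=0x{info.entry_offset:04x} "
              f"mismatch={extension_mismatch(name, blob)}")
```

Run as a script it shows the same MZ file judged identically under a .EXE and a .COM name (entry at file offset 0x30 in both cases), a raw image judged a COM regardless of name, and a "ZM"-signed file treated exactly like an "MZ" one. The mismatch flag is a heuristic, not a verdict: legitimate .COM files in MZ format exist, so a scanner should report it as suspicious rather than refuse the file.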