From lehigh.edu!virus-l Thu Apr 15 03:44:57 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Thu, 15 Apr 93 16:37:57 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA23850; Thu, 15 Apr 1993 13:55:08 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA01721 (5.67a/IDA-1.5 for ); Thu, 15 Apr 1993 07:44:57 -0400
Date: Thu, 15 Apr 1993 07:44:57 -0400
Message-Id: <9304151053.AA13078@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #63

VIRUS-L Digest             Thursday, 15 Apr 1993        Volume 6 : Issue 63

Today's Topics:

Scanners getting bigger and slower
Scanners getting bigger and slower
Re: Virus vectors of infection
AIUTO! HELP! (PC)
RE: Is "Untouchable" (V-ANALYST) Effective (PC)
Optimum Strategy for Virus Checking (PC)
Novell & Virstop (PC)
That's not a bug, its a Feature (was re: Vshield) (PC)
Viruses and Canada (PC)
Re: Catch from DIR? (PC)
Re: Port Writes (PC)
Re: Boot-virus or false positive? (PC)
re: viruses and compression (PC)
Re: ANSI viruses and things that go bump in the night (mostly PC)
Re: Unknown little virus? (PC)
Re: Unknown little virus? (PC)
Re: Censorship/40-Hex (PC)
Re: Help wanted with Dir-II virus (PC)
Re: Terminator 2 and Bert virus ?? (PC)
Re: Virus Data Base (PC)
Re: viruses and compression (PC)
Re: Windows 3.1 virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name.
Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Fri, 09 Apr 93 00:20:13 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

Amir Netiv writes:

Inbar Raz said that the chances of big companies getting infected are small. Amir replied:

> I wish it was so. If it was, then they wouldn't need an Anti Virus in
> the first place, and the PC's/Networks etc' would work fine.
> But take notice that *people* use these PCs, and
> wherever people are involved anything could happen.

I work as a programmer, as you probably know, and the main field I work in is Data Security. More than once I had a meeting with Bank representatives, and even a Hospital representative, who wanted to know more information. All of them came to a point where they said - "But what good is a SmartCard, if people can lose it just as well as they can lose/give away their password?" There is no reply to that. The human factor will always exist, and this is really a matter of being loyal, obedient and trustful, not to mention that humankind is known for making mistakes.

> Someone can get a floppy from home and run it on the
> network, or you can buy a *NEW* "clean" software package to be used at
> work only (but the company that sold it to you also has employees that
> jerk around with their PC at work), so eventually, a virus can find its
> way into your PC by many ways, and you cannot assume anything for a fact
> (unfortunately).
Exactly - if you don't trust your people, there is no software in the world that can solve this. Maybe if you combine voice recognition, or pupil recognition, then you may get a high level of security, but these solutions are not practical at all, at least not in our field - the home/company computers for personal everyday use.

> Just to remind you of the magazine in France that gave away
> thousands of copies of infected floppies (FRODO virus), or several
> *major* companies in Israel that *SOLD* infected software....

Not to mention the rumors that some Anti Virus writers used to spread viruses in order to create/enlarge a market for their merchandise... I wouldn't be surprised to hear that an Anti-Virus company directly, or indirectly, caused the big boom about the Michelangelo virus last year.

Frisk wrote to Inbar that the number of viruses should not affect the speed significantly. Amir wrote:

> That is true, if the scanner is designed properly the number of viruses
> will have small effect on the speed: Suppose your method of checking a
> file for virus presence is based on an algorithm which generates the
> pointer to the data concerning the virus in your scanner, so there is
> always but *ONE* process per tested file running and a second specific
> process for verification... whatever the number of viruses known at that
> time.

But still, the more viruses there are, the more time you'll have to spend searching, or, to put it in other words, there are more things to search for. (In every scanned file, that is, exclusive of various 'Turbo Scanning' techniques...)

> As for memory requirements, programs are converted more and
> more into DPMI programs, so in Protected Mode the memory
> problem is smaller...

This is true, but the least likely program of all to EVER announce - "Sorry, 386 and up" is an Anti-Virus program.
This program is always guaranteed to have a market, no matter what new chip Intel is announcing or what old chips people laugh about - as long as it runs MS-DOS :-)

> Besides: most programs are becoming GENERIC programs, thus minimizing
> the need of huge database for more and more viruses.

Generic programs were more effective in the days when all the viruses were leeching - adding to the file. Today, you have a lot of new techniques that are hard to detect, and virus writers invest a lot of time and effort making sure each virus is different from the others, just so you can't use a generic disinfector. Maybe a generic scanner, but what good is a scanner without a disinfector?

Inbar Raz

- --
Inbar Raz
5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210)

------------------------------

Date: Sun, 11 Apr 93 12:45:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Scanners getting bigger and slower

Inbar Raz writes to Amir Netiv:

IR:
> I work in is Data Security. More than once I had a meeting with
> Bank representatives, and even a Hospital representative, who
> wanted to know more information. All of them came to a point where
> they said - "But what good is a SmartCard, if people can lose it
> just as well as they can lose/give away their password?"
> There is no reply to that. The human factor will
> always exist, and this is really a matter of being
> loyal, obedient and trustful, not to mention that
> humankind is known for making mistakes.
...
> if you don't trust your people, there is no software in the world
> that can solve this. Maybe if you combine voice recognition, or
> pupil recognition, then you may get a high level of security, but these
> solutions are not practical at all, at least not in our field -
> the home/company computers for personal everyday use.
Just as I said: If you can't trust your people you need a stronger solution to the virus problem... However, if you *DO* trust them... You don't need an anti-virus, do you? ;-)

Amir Netiv:
>> Just to remind you of the magazine in France that gave away
>> thousands of copies of infected floppies (FRODO virus), or several
>> *major* companies in Israel that *SOLD* infected software....

Inbar Raz:
> Not to mention the rumors that some Anti Virus writers used to spread
> viruses in order to create/enlarge a market for their merchandise...
> I wouldn't be surprised to hear that an Anti-Virus company directly, or
> indirectly, caused the big boom about the Michelangelo virus last year.

I wouldn't either... Is it just one company? Do you remember who published the first GENERIC method of how to clean the 1963 virus without an Anti-Virus program?

Amir Netiv:
>> If the scanner is designed properly the number of viruses
>> will have small effect on the speed: Suppose your method of checking a
>> file for virus presence is based on an algorithm which generates the
>> pointer to the data concerning the virus in your scanner, so there is
>> always but *ONE* process per tested file running and a second specific
>> process for verification... whatever the number of viruses known at that
>> time.

Inbar Raz:
> But still, the more viruses there are, the more time you'll have to spend
> searching, or, to put it in other words, there are more things to search
> for. (In every scanned file, that is, exclusive of various 'Turbo
> Scanning' techniques...)

You didn't get my point: (Sorry I can't be more specific due to understandable reasons, but I'll try to explain better)... As I said: Suppose you've discovered that when a specific virus infects a program the result is such that if you do a certain process on the file the result will always be the same...
For example, let's say that the Jerusalem virus always adds 1800 bytes to the file and the 170th word from the end of the file - 1800 equals 1800 (NOT THAT IT IS REALLY SO). So if you take ANY file and do: (FileSize-(FileSize-1800))-170 the result will always be 1800 (if the file is infected). Now suppose the result is 1704, this will indicate a Cascade virus etc... The next step is to verify that the virus is really there and you didn't just get a random true result, and again, you might build a structure in your program that is built like this: Base structure address + offset. Each offset (say in multiples of 50) contains the verification data for each virus, and the offset is calculated so that the result (1800 !?) is the pointer to the right offset. You spent only 2 cycles to verify each virus on your list...

Amir Netiv:
>> As for memory requirements, programs are converted more and
>> more into DPMI programs, so in Protected Mode the memory
>> problem is smaller...

Inbar Raz:
> This is true, but the least likely program of all to EVER announce - "Sorry,
> 386 and up" is an Anti-Virus program. This program is always guaranteed
> to have a market, no matter what new chip Intel is announcing or
> what old chips people laugh about - as long as it runs MS-DOS :-)

True. I didn't say DPMI is the best solution for it; however I do claim (and you see it on most memory consumers today) that programs know how to use EMS or XMS if available, or use overlays if too big. I myself think that programs should use as little memory as possible, and I think that Windows has introduced a problem that soon will hit us all, of using memory with no care for other programs' requirements.

Amir Netiv:
>> Besides: most programs are becoming GENERIC programs, thus minimizing
>> the need of huge database for more and more viruses.

Inbar Raz:
> Generic programs were more effective in the days when all the viruses
> were leeching - adding to the file.

Sure, but they are even more important today.
Ask Nemrod about the generic methods in McAfee's package...

Inbar Raz:
> Today, you have a lot of new techniques, that are hard to detect,
> and virus writers invest a lot of time and effort making sure each
> virus is different from the others, just so you can't use a generic
> disinfector.

Some infection methods are harder to disinfect than others. However, there are Generic disinfection techniques for all viruses today (except the destructive viruses). Generally: if a file works after infection, that means that the information for its recovery exists and one should only look in the right place.

Inbar Raz:
> Maybe a generic scanner, but what good is a scanner without
> a disinfector?

Please recall the method of renaming files to clean the DIR-II virus (as well as many other methods); wouldn't you call a program that uses it a "GENERIC DISINFECTOR"?

Inbar Raz:
> Just thought you'd like to know - I once talked with Zvi

I know...

Warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Wed, 14 Apr 93 11:03:21 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus vectors of infection

bediger@nugget.rmnug.org (Bruce Ediger) writes:

> There are two likely, but unacceptable, answers to the question and its
> followup.

> 1. Thundering silence.

Silence, from me?! You must be kidding... :-))

> 2. An insistence that Fred Cohen's original papers demonstrate that viruses
> spread due to information transitivity.

That's true, but it answers a different question - *why* do the viruses spread, not how...

> A. Networks.

Correct, although I think that it is less important for the global virus spread than B. It might be more important, however, for the virus spread within a local, highly networked place.

> B. Media transfer from infected machine to uninfected machine.
> It may be necessary to break this down into two classes: "informal
> transfer", such as bringing a diskette full of games to work, and
> "formal transfer", when a vendor ships mass-produced media with a
> viral passenger.

> C. "Virus Exchange" bulletin boards.

C. is actually a form of A.

> D. Source code published in books.

This is a form of B., if you consider books as media.

> E. Malicious individuals gain access to computers and insert viruses manually.

If they bring the virus on a diskette, that's a form of B. I think you mean when they create the virus manually, using the editor/compiler/assembler/debugger of the attacked computer.

> The November, 1988 worm and the DECnet worms used network related methods
> to spread. The geography of the spreading is irrelevant because of network
> connections, but based on the public reports, it appears fairly easy to
> determine that the worms spread via network protocols. They also seem to be
> of short duration and low number of hosts infected. According to the
> GAO/IMTEC-89-57 report, the Nov 88 worm infected 1000-3000 hosts. RFC 1135
> says that within 48-72 hours, all instances of the worm had disappeared.
> In the report SPAN-027, the "Father Christmas" DECnet worm is said to have
> been on the loose approximately one day, and infected around 40 hosts.
> According to CIAC Advisory A-4, the "OILZ" variant of the WANK DECnet worm
> "attacked 60 hosts". This compares to estimates of tens of thousands of
> PCs infected with the Michelangelo virus a year ago.

There are several reasons for this. Worms usually spread between highly interconnected and similar environments. This helps them to spread extremely quickly, but also makes them relatively easy to detect and remove from all attacked hosts. With viruses like Michelangelo, things are not so easy.
They can attack MS-DOS and Xenix machines, lie dormant on a diskette forgotten in a drawer, and it's kinda difficult to send an e-mail message to all system administrators of PCs with information on how to detect and remove the virus... Especially having in mind that some of these "system administrators" have never made a backup and may not know how to boot from a diskette or how to use DEBUG.

> It would seem that if "Virus Exchange bulletin boards" are important,
> then outbreaks of new viruses would be contemporary, yet widely spread
> geographically.

Not quite. There are not so many VX BBSes around - of course, even one is one too many, but nevertheless they are not so many as to make a BIG difference. Furthermore, if the VX BBSes were important, we would see more -exotic- viruses appearing in the wild. And indeed, we are seeing such things happen from time to time. The DataLock.920.A virus was detected in the Technical University of Sofia just a few weeks after it had appeared in California. A few obscure Russian viruses like SVC.6_0 and Vacsina.Multi are in the wild in England. Starship has been seen in the wild in Germany. Such viruses are unlikely to spread so far in a "natural" way, at least so quickly. Probably the VX BBSes have helped much in those cases...

> If a malicious individual gains access to computers and inserts
> viruses manually, there should be a series of geographically localized
> outbreaks of nearly identical viruses. I suppose "series" presumes that the
> malicious individual performs the act several times.

This does happen too. For instance, the Kamikaze virus has been detected in the wild only once - in the Institute for Mathematics at the Bulgarian Academy of Sciences. It is extremely unlikely that a virus like it will be able to spread in a "natural" way.
> Infection via media transfer would look very different if some vendor provided
> distribution media that was already infected than if someone just brings
> an infected disk home from a user group meeting, or to his/her office.
> Depending on the scale of the vendor's distribution, outbreaks might be
> provincial, national, continental or international. The virus itself should
> be identical everywhere.

This happens a lot, indeed. The vendors distribute viruses very rarely, but on a very wide scale. And from the computers that are infected this way, the viruses continue to spread further, usually via floppy disks. BTW, maybe this is one explanation why boot sector infectors are more widespread than the file infectors - in the diskette copying process a boot sector infector is much more likely to "slip" onto a vendor's diskette than a file infector - because the executable programs are well known to the vendor and usually generated in place, while the boot sector virus might just be present on the formatted diskette...

> If viruses spread via publishing of source code, then inevitable typographical
> errors would creep into the code during transcription. Multiple similar,

Not necessarily. Any such error is quite likely to make the virus non-functional. Such a virus will either not spread at all, or be corrected by some hacker and the "corrected" variant will spread. This is exactly what happened with the Vienna variant published in Ralf Burger's book.

> the persistent nature of reference books. The geographic spread should
> be mostly coincident with the languages the reference book is published in.

Not necessarily, because once the virus is translated into electronic form, it will continue to spread via all other means - media, networks, VX BBSes, etc., therefore making its distribution more fuzzy than the distribution of the book itself. People tend to copy diskettes/files much more often than they copy (or buy) books.
> The DECnet worms may illustrate a case of publishing of source code.
> I gather from SPAN report SPAN-027, CERT Advisory CA-89:04, and CIAC
> Advisory Notice A-4, the DECnet worms were all quite similar, and all were
> written in DCL. Thus each infected site had full source to them. The WANK
> worm also happened about a year after the Father Christmas worm.

Nevertheless, the sources for the WANK/OILZ worms are very rare - we could obtain only the source of WANK, and with a great effort. We still do not have the sources of the Internet worm (except the incomplete decompilation that has been published in 2600). And, the WANK/OILZ worms are -totally- different from the Father Christmas worm.

> A counter-example might be Mark Ludwig's "Little Black Book of Computer
> Viruses." Source code for several viruses is provided. If the "timid"
> virus is made into several variations, publication of source code might
> be considered an effective vector of infection. If the "Little Black Book"
> viruses don't collect imitations over the years, publication should not be
> considered a threat. Since Ludwig's book is more accessible than Burger's,
> the "Vienna" virus variation would have to be considered in a different light.

That's why we are already seeing Timid variants - many more than Vienna variants for the same amount of time after the publication of the respective books... Currently we have the following Timid variants in our collection:

Timid.290
Timid.297
Timid.305.A
Timid.305.B
Timid.306.A
Timid.306.B
Timid.320
Timid.371
Timid.382

This includes the original; I don't recall its infective length right now. In a private message to me Mark Ludwig wrote that he would be convinced that his book has caused damage if he receives reports about some of his viruses being found in the wild.
We (the VTC-Hamburg) do not collect such statistics; maybe those of you who do (especially the guys from IBM have some very good statistics on this) should watch out for Mark Ludwig's viruses (or their variants) and send him copies of the relevant reports.

And, since we were talking about ways of infection, you should also consider the combination of the methods listed by you - e.g. a virus writer creates a virus, posts it to a VX BBS, a disgruntled employee downloads it, infects a vendor's master copy, the vendor ships thousands of copies of the virus, hundreds of users get infected, from them the virus spreads to the local area networks, etc.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de       D-2000 Hamburg 54, Germany

------------------------------

Date: Sat, 10 Apr 93 20:49:00 +0100
From: Paolo_Rossi_Tiller@f419.n332.z2.fidonet.org (Paolo Rossi Tiller)
Subject: AIUTO! HELP! (PC)

Hello All,

It is now 02:54 and I am working on my BBS. I have a problem. Diagnosis programs report that my Partition Table is corrupted, and, during the Autoexec.bat, the system generates music and:

> I'm the invisible man,
> I'm the invisible man,
> Incredible how you can
> See right through me.
> I'm the invisible man,
> I'm the invisible man,
> It's criminal how I can
> See right through you.

appears on my screen. For some programs like Scan V.102, F-Prot, CPAV there is NO virus in my system. Do you know some virus that affects the Partition Table and produces this song? How can I remove it without reformatting my HD?

Sorry for my English... :-)

Bye

Paolo Rossi Tiller, The Underground CoSysOp of 2:332/419

- --- GoldED 2.41+
 * Origin: It's Time for Ragnarok..
(2:332/419)

------------------------------

Date: Tue, 13 Apr 93 23:29:25 -0400
From:
Subject: RE: Is "Untouchable" (V-ANALYST) Effective (PC)

chermesh@chen.bgu.ac.il (Ran Chermesh) writes:

> Our department considers buying an anti virus package. High in the list is
> an Israeli product, sold in Israel under the name V-analyst-3 and in the US
> as Untouchable. The feature of most interest to us is the way this package
> claims to deal with future viruses. Since this feature can't be tested
> experimentally, the best way is to learn from the experience of others.

At the last company I worked for, we evaluated several packages. We spent about 2 months evaluating Untouchable from every angle and found it to be the best at what it does. Unfortunately "best" tends to fluctuate as each vendor releases a new version of their program.

One example of the recovery feature. One of our people compiled a Pascal program and ran it through the package. Then he recompiled after changing a data variable in the program. Untouchable flagged the change (of course) but it also managed to restore the executable file to its original form. That is pretty good file recovery in my book. We found that it always recovered simple infections in other executable files as well.

I think, however, that your decision should not be made based upon the ability of Untouchable to recover unknown infections. Your decision should be made based upon its ability to scan for all viruses and its ability to provide reasonable protection without the need for constant updates. The likelihood that you will be infected by a completely new virus is probably less than your chance of losing your drive to a hardware error. So.... BACKUP, BACKUP, BACKUP. After that, Untouchable should provide you with complete protection for all of your machines. I personally recommended that our customer buy several thousand copies. (They did.)
But in my recommendation, I also told them that the real issue was not the cost of the program. It was the cost of changing the way people do computing. Computing should be integrity based. Untouchable tries to make people face the executable file integrity issue. Unfortunately, most low end packages and some operating systems do not care nearly as much about integrity as we did.

IF your users are willing to deal with the messages that Untouchable will give them on a routine basis.

IF your users are able to find out why these messages are there. (i.e. the software is self modifying, or a file was trashed, etc.)

IF your users are supported by a group that can go out and diagnose the regular integrity problems that will be identified by Untouchable as possible viruses. (Remember "everything is a virus when a virus scanning package flags it.") 8-)

IF your management feels that system integrity is worth the price you will pay for increased software support to users.

THEN and only then will Untouchable be worth the money you will spend to get and support it.

Untouchable is well worth the price you pay if you really want integrity on your machine. You might say "Doesn't everyone want system integrity?" Unfortunately the answer is no. If you aren't willing to argue with vendors that cut corners for a few extra microseconds, and aren't willing to put up with the "false alarms" that are generated when Untouchable finds a corrupted file, then you may not be willing to have machine integrity. In that case, you should probably get the cheapest scanner you can find that works reasonably well on all your systems. Then leave it there because the chances are very high that most of your users will be happy with the result and those that aren't will probably be a small enough minority that it won't matter.

This may sound pessimistic, but I'm sure as I spend the next few weeks arguing these points with the group, you will find out more about why I say these things.
Good Luck,

Jim Molini

| I believe that OS/2 will be the most important
| operating system and possibly program of all time.
|                                   -- Bill Gates

------------------------------

Date: Wed, 14 Apr 93 03:45:18 -0400
From: "Roger Riordan"
Subject: Optimum Strategy for Virus Checking (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes

>riordan@tmxmelb.mhs.oz.au (Roger Riordan) writes:

>> 5. By default VET will check the first 50 executable files it
>> finds. Most program viruses will spread rapidly, so this will
>> detect nearly all infections the next time the PC is booted.

>Uh, what do you mean exactly by "the first"? Because, for a
>non-resident virus that traverses the directory tree like Old_Yankee,
>"the first" files is one thing and for a non-resident virus that
>infects the files in the directories listed in the PATH variable (like
>the Vienna viruses), "the first" might mean something completely
>different... Again, for a non-resident virus (like Pixel) that infects
>all COM files in the current directory, "the first" could have a third,
>again completely different meaning. Make the virus resident and the
>picture changes again...

The strategy we use is to scan till we find a subdirectory, immediately dive into it, continue till we find another subdirectory, and so on. This is certainly not ideal, from the theoretical point of view, but it is something which will work on any PC, and has a good chance of catching a real virus, without making the scan time so long that the test is disabled. If you are computer literate, and know which programs you use, you can devise a better strategy, or you can check the lot if you like, but an imperfect test which is performed is better than an ideal test which is disabled.

>> The author of the locally written Gingerbread virus went to
>> inordinate lengths to hide it, but if it infected a PC with VET
>> installed the user would be warned in the normal boot that the top
>> of memory had been changed.
>> After a clean boot VET would also warn
>> that the MBR and the VET file were corrupted.
>
>You've had luck that the author has not used the method used by the
>Necropolis (1963) virus to remain resident...

There are viruses which do not visibly affect the memory map, but Necropolis, like Jerusalem, goes TSR, and changes the loading address. VET displays, but by default does not check, this. Most of the recent viruses load at the top of memory where they are readily detected.

Roger Riordan                Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.               Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA      Fax: +613 521 0727

------------------------------

Date: Thu, 08 Apr 93 14:19:26 -0400
From: Michael_Kessler.Hum@mailgate.sfsu.edu
Subject: Novell & Virstop (PC)

A while ago, I wrote about a problem I had with Novell and Virstop, needing to unload a Novell driver, but denied access because of Virstop which had been loaded after the driver. I have received a solution, which I am passing along for those who might need it.

There is an NLM called NLIClear.NLM which disconnects any attached station with no one actually logged into the network from the server side. That user count is then available on other stations. HOWEVER, some device must be used to force a reboot of the station because starting it from its disconnected state disables F-Prot. In essence, the disconnected station must be automatically locked until restarted.

Michael_Kessler@HUM.SFSU.EDU

------------------------------

Date: Tue, 13 Apr 93 11:50:52 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: That's not a bug, its a Feature (was re: Vshield) (PC)

>From: sbarber@bach.udel.edu (Scott Allen Barber)
>Subject: Vshield V102 Bug? (PC)

>It seems that if I load VSHIELD, when I go to do a warm boot
>(ctrl-alt-del) it will cause my computer to access the A: drive and
>restart the cold-boot memory check.

In this case it really is a feature.
What is happening is that when VSHIELD goes resident it intercepts the "warm boot" function in memory and, when a warm boot is requested, first checks for a disk in A: (why the light goes on) and if one is found, performs a scan for boot sector infectors before the boot is allowed to continue. For some reason McAfee decided to trigger a full cold boot sequence rather than trusting a warm boot (while I have seen some viruses that can trap/simulate a warm boot and remain in memory on a three finger salute, I do not know of anything that can survive a jump to FFFF:0000h).

If you find it annoying, load my NoFBoot (freeware) after VSHIELD.

Warmly,

Padgett

------------------------------

Date: Tue, 13 Apr 93 16:11:48 +0000
From: aparker@mach1.wlu.ca (alan parker S)
Subject: Viruses and Canada (PC)

Perchance now is the time for me to raise a couple of little queries; firstly, as the buck stopper at a Canadian University I find that the majority of viruses that cause hits here are variants of Stoned. The software in general use is from Leprechaun, Virus Buster; now the latest hit is of a new variant of Stoned which is detected by Scanv102 and F-prot-207 as new variants, but I haven't seen or read anything about a new variant. The trend seems to be turning msdos/io.sys files non-hidden, and increasing io.sys for example to 40470 under DOS 5. The norm also seems to be DD floppies becoming 1.3+ Gigabytes of storage space with the obviously dubious file names it creates. I note also that Stoned appears to have DOS 3.x as part of its make-up. I realise that this is probably something much asked, but I'm not aware of anything relating directly to this in the FAQ or in recent postings.

I've read recently much about the wonders of Untouchable(tm); now I've had 3 different suites of programs from them, Untouchable 1.3, Search and Destroy, and Untouchable NLM, and I'm not at all impressed. The evaluation copies sucked.
As I've said, we normally suffer from stoned, although we have had a
single hit from Form (ouch, nasty beastie), and a little something from
the Mte which proved to be very spreadable. The Untouchable software (all
of it) failed miserably with all but the oldest variants of Stoned
(Manitoba being our most frequent); also the safe disk it had made didn't
seem to allow corrupted files to be restored from the information saved
about them, which Virus Buster was able to do.

Anyone care to comment,

Alan

------------------------------

Date: Wed, 14 Apr 93 10:39:12 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Catch from DIR? (PC)

louis_rs@bruny.cc.utas.edu.au (Louis *grin* siuoL) writes:

> That may be one way. A method that I KNOW WILL WORK is, to trap DOSs
> findfirst and findnext services, and infect any files that are
> returned via those services. It is as easy as trapping DOSs Exec services,
> which is what a large number of virii do.

That's a completely different matter. It explains how a virus active in
the memory of the PC can infect a -clean- diskette when you do a DIR on
it. So far we are speaking about the possibility to infect a -clean- PC
when doing a DIR on an -infected- (or otherwise prepared) diskette.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 14 Apr 93 10:42:12 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Port Writes (PC)

Sorry to post a follow-up to my own message, but I just learned something
important related to "port writes" that I thought I should share with you.
In his previous message, Inbar proposed a method of attack (via direct
control of the hard disk through the ports) and in my reply I proposed a
possible defense against it, using the "device ready" interrupts. It turns
out that a new, Russian virus has appeared, which works exactly "the other
way around" to achieve something that the Russian anti-virus expert Eugene
Kaspersky calls "hardware-level stealth".

I am referring to a method, described in the April issue of Virus
Bulletin. Maybe, if Eugene is reading comp.virus, he would like to
re-publish his article here. I'll describe only in short what the method
consists in.

You see, the "tunneling attack" proposed by Inbar can be used by the
anti-virus software to "tunnel" beneath the stealth viruses, i.e. as an
anti-stealth technique. Indeed, if you are using direct port addressing to
read and write to the disk, it seems that you will be able to bypass all
possible stealth viruses that might be active in memory, right?

Wrong! The Russian virus (its name is Strange, BTW, and it is a MBR
infector) uses the "device ready" interrupt trick (described by me as a
form of anti-virus defense!) to achieve a yet unseen level of
"stealthiness"... Indeed, as Dr. Solomon says, in the virus field black is
white and white is black...

In short, the trick consists of intercepting the "device ready interrupts"
(differently for XT and AT class machines) to detect that the disk has
been or is about to be read, and then modifying the result of the read
request to "stealth" its presence... Therefore, even if you are using
"clean" (unintercepted) INT 13h, or direct calls to the controller BIOS,
or even access the controller through the ports, the virus will be able to
fool you that it is not present...

This shows once more how futile all so-called "anti-stealth" tricks are
and how important it is to boot from an uninfected, write-protected system
diskette (the "magic object"), in order to ensure that no virus is active
in memory...
Unfortunately, since the trick to fake a clean boot by altering the CMOS
has been discovered by the Exe_Bug virus, using the "magic object"
correctly has become not so easy to describe... Fortunately, the CMOS
trick works only on some computers...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 14 Apr 93 11:07:01 +0000
From: eliza@tigern.nvg.unit.no (Elisabeth Bull)
Subject: Re:Boot-virus or false positive? (PC)

I wrote some time before easter and asked for help on a possible
boot-virus. I have received many letters from helpful netters.

One thing I did not mention in my original letter was that my Hd is
Stacked with Stacker (v.3.0). This turned out to be the source of my
problems - the scanner checked the integrity of my stacked drive. This is
useless, and in my case it produced a false positive.

To summarize: Don't scan a stacked drive's boot sector. Or, more
generally (quoted from Vesselin Bontchev's letter):

"An integrity checker should not check the boot sectors of volumes that
are accessed via a user-installed device driver."
- --------------------------------------------------------------------------
Elisabeth Bull                        e_mail: eliza@swix.nvg.unit.no
- --------------------------------------------------------------------------

------------------------------

Date: Wed, 14 Apr 93 08:53:56 -0400
From: sgr4211@ggr.co.uk
Subject: re: viruses and compression (PC)

> From: sosc1043@wc05.writer.yorku.ca (Colin Beckmann)
>
> Greetings
> I was wondering if anybody could tell me if it is possible for a
> scanner to detect a virus in a compressed file or on a stacked hard drive

On a Stacked drive, yes - the reading of files from a stacked drive
involves Stacker uncompressing them "on the fly", so a scanner would be
"seeing" a normal file and would probably be unaware that they had been
stored in a compressed form.

In the case of files that are simply compressed using a utility program
such as PKLITE, most scanners should detect viruses if they attach after
the compression is carried out (because the virus itself will not be
compressed) but if the virus was present when the file was compressed, it
would only be detected if the scanner used the appropriate algorithm to
uncompress the file before scanning. F-Prot has such capabilities - I'm
sure Frisk won't mind the following plug, which is an extract from one of
the "read me" files he provides with his excellent scanner:

"F-PROT can scan inside most PKLITE, LZEXE, ICE, DIET and EXEPACK
compressed files, and support for the remaining compression program will
be added in the near future, if necessary. Please keep in mind that if a
file is infected after compression, the virus is always detected normally.
Finally, F-PROT will not scan inside self-unpacking archives, or .ZIP,
.ARJ or similar files."

I don't know of any scanner that scans inside archive files (such as .ZIP,
.LZH etc.).

> or if the virus can be detected on a file that has been backed up using
> DOS or Norton backup. Some how I doubt it but I am asking to be sure.
I don't know of one that will check inside these. Presumably in the case
of Norton backup the scanner would need to employ the appropriate
uncompression algorithm. In the case of DOS backups, as far as I know they
were not compressed prior to version 6.0. With v6.0, however, Microsoft
have included what appears to be a cut-down version of the Backup utility
from Norton's Desktop for Windows. This will compress as it backs up, but
you can disable this feature if you wish.

A thought - the full-featured Norton backup used to support a "proprietary
disk format" option which apparently allowed faster writing to disk. As
this would be a non-DOS format, scanners would presumably not even
recognise that such disks contained any data unless they specifically
"knew" about Norton's proprietary format. The cut-down version bundled
with DOS v6.0 appears to have had this feature removed (along with one or
two other nice features).

If any product is likely to "know" about the compression algorithms or
proprietary format used by Norton, it would be Norton Anti-Virus -
however, I have no knowledge of this product. If no-one else answers, try
contacting Symantec.

Regards,
Steve Richards.

------------------------------

Date: 14 Apr 93 08:25:39
From: smd@hrt216.brooks.af.mil (Sten Drescher)
Subject: Re: ANSI viruses and things that go bump in the night (mostly PC)

On 6 Apr 93 19:50:08 GMT, padgett@tccslr.dnet.mmc.com (A. Padgett
Peterson) said:

Padgett> a) If you have the stock ANSI.SYS loaded, have demonstrated
Padgett> that it is possible to construct a mechanism that will cause
Padgett> an infection to occur on execution of a DIR command on a
Padgett> "prepared" floppy.

Agreed.

Padgett> b) There is no real need for anyone to have ANSI.SYS loaded.

Well, yes, no need for the DOS ANSI.SYS.

Padgett> IMHO while ANSI.SYS once had a real value for key redirection,
Padgett> this is no longer true.
Padgett> Today the main reason is to set the
Padgett> screen colors (a PROMPT string containing [37;44m will
Padgett> produce a blue background with white letters). You can do the
Padgett> same thing with a one byte change to COMMAND.COM (DOS 5.0 and
Padgett> 6.0 COMMAND.COM contain one byte pair "B7 07". The second byte
Padgett> defines the screen colors on a CLS (07 is low white on black).
Padgett> Using DEBUG you can change this byte (found at DEBUG offset
Padgett> 4A53 in DOS 6.0) to 17 for a blue background or 0F for bright
Padgett> white on black - nice on older laptops - Note: you will need
Padgett> to reboot after the change & COMSPEC must point to the new
Padgett> COMMAND.COM.

Hmmmmmm. Now, tell me, how does this patch allow me to change screen
colors in my PROMPT string? Answer: it doesn't.

A better answer, rather than to tell people to make binary patches to
their OS, is to use one of the multitude of ANSI drivers that don't
support, or allow you to disable, key redirection. Just off the top of my
head I can think of NANSI, NNANSI, ZANSI, ANSIPlus, and ANSI.COM (from PC
Magazine).

- --
+---------------------------+--------------------------------------------+
| Sten Drescher             | "Jill's fourth grade class raised $200     |
| 2709 13th St #1248        | from a bake sale to reduce the federal     |
| Brooks AFB, TX 78235-5224 | deficit. If the deficit is $4 trillion,    |
|---------------------------+ how many bake sales will they need to pay  |
| smd@animal.brooks.af.mil  | for a $30,000 jogging track?" R Limbaugh   |
+---------------------------+--------------------------------------------+
#include

------------------------------

Date: 14 Apr 93 13:36:35 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Unknown little virus? (PC)

gary@sci34hub.sci.com (Gary Heston) writes:

>32 bytes isn't enough to write an interrupt service routine, much less
>anything resembling a virus.
Eh, one can easily write a virus (well, a stupid overwriting one) in less
than 32 bytes - I think 24 bytes is the minimum .... but not a memory
resident one.

- -frisk

- --
Fridrik Skulason      Frisk Software International  phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is      fax:   +354-1-28801

------------------------------

Date: Wed, 14 Apr 93 13:36:37 +0000
From: s9106568@sandcastle.cosc.brocku.ca (PAUL NOLL)
Subject: Re: Unknown little virus? (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: motreba@mat.torun.edu.pl (Maciej Otreba) writes:

: > Last time I had virus in my PC. It came from Internet probably with one
: > from shareware games.

: Uh, according to my experience, the executables on the net are usually
: virus-free... In fact, they are even more reliably virus-free than the
: files on a local BBS, which are known to be more reliably virus-free
: than the shrink-wrapped software distributed by some companies... :-)

: > The problem is that the virus was not detected by any
: > program. I tried to find it by Scan 100, F-Prot 2.07 and Polish AV program
: > MkSVir (available at FUNET with on-line translator). This virus caused

: Scan and F-Prot can find almost every self-spreading nasty that is
: internationally known and MkSVir probably can find all local Polish
: nasties (haven't tested a recent version soon, but it seems to be
: rather good). Chances are that you don't have a virus problem.

: > Paintbrush, MS Word 2.0 and System Editor. It was probably very small. I
: > think it took 32 bytes of base memory (difference between memory with and
: > without virus).

: There's no way to fit a memory-resident virus into 32 bytes... Several
: cases of missing 16 bytes of memory are mentioned in the FAQ; I am not
: sure what exactly can cause 32 bytes of memory to be missing...

: > I throw it out by formatting HD and setting up system

: As usual, this is never necessary.

: > again.
: > My question is: has anyone heard/seen anything about this virus? Is

: I would bet that the problem has not been caused by a virus.

: > Which programs in Internet might be infected?

: None, I guess...

Sounds like a bug in the person's version of Windows. I have had similar
problems with my version of windows and a 486 when I had the 32-bit
addressing turned on. I was getting programs that quit unexpectedly and I
could not recover from them using control-alt-delete to have windows trap
the problem and shut down the application, but the machine locked up. I
took the 32-bit access off and no further problems. The application that
was giving me the problem was WordPerfect for windows (mainly).

If you are having problems with windows, for your sanity's sake put Dr.
Watson in the startup. Dr. Watson is an excellent program because it
monitors your system while running windows and when an application quits
unexpectedly it takes a snapshot of the current state of your machine,
memory, and registers. It then writes this information to a file, along
with the programs that were being run at the time of quitting. You can
then mail this file to MicroSoft and they will tell you why this problem
is occurring.

Reformatting your disk for a virus that only "surfaces" in windows is
really unnecessary because windows is still flaky; if it screws up
assigning resources to itself it will crash. It does not sound like a
virus to me, but a bug in Windows.

- --
Be Seeing You.
###############################################################
" We live on a placid island of ignorance, in the midst of black seas of
infinity, and it was not meant that we should voyage far ... ! "
-- H. P. Lovecraft (1890 - 1937)
Paul Noll                            s9106568@sandcastle.cosc.BrockU.ca
###############################################################

------------------------------

Date: Wed, 14 Apr 93 14:06:04 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Censorship/40-Hex (PC)

afrc-mis@augsburg-emh1.army.mil (David Hanson) writes:

> Vesselin says:
> > Burger's and Ludwig's books are crap

> After wasting my time on a couple of bogus virus books ("dangerous",
> because they contained *actual viral source code*), I dusted off
> my assembly books, and am looking for some good disassemblers so I
> can get decent information on the two virii that I have encountered
> here in the "wild". It seems that in the current climate of viral
> censorship, the only way to get decent info is to
> a) Go to the "underground" (not always good information, but at least
> they aren't afraid to share it...)
>
> b) DIY (Which I'm currently in the process of doing. It costs me spare time,
> but I (slowly) gain knowledge and I know that the only person BS'ing
> me is me.

Indeed, DIY is the best way to learn a lot - even in the virus field.
Most of those "underground" or legal (huh?) virus-oriented publications
are too bad; it's much better to sit down and learn assembly language and
the DOS internals from a good book and then try to disassemble a few
viruses yourself.

And since you asked about a good disassembler - Sourcer from V
Communications is a good one. Actually, it is so good, that many people
with no knowledge of assembler think that the output it produces when you
run it on a virus is the "source" of this virus. In reality, it is not
well adapted for the task of disassembling viruses, but it is still one of
the best tools around. Just remember that you still need to do a lot of
work, in order to produce a good disassembly - just running Sourcer is not
enough.

> I've yet to read a decent virus book. Can you recommend a solid,
> relevant virus book?

Nope.
All really good ones I've seen were actually anti-virus books... :-)

> And how does a "good guy" get 40-Hex?

There are different sources; some BBSes carry them without even knowing
what's inside...

> Wouldn't receipt of 40-Hex from
> *any* source be participation in the -distribution- of this magazine?

In a sense - yes, but if somebody sends it to you, there's not much you
can do about it, right? My suggestion was that in such cases you just use
the situation and read it.

> Not necessarily by disseminating the info ("good guys" would NEVER do
> that), but by creating demand.

Yes, and by creating an anti-virus program you are "creating a demand" or
a "challenge" for the virus writers to write viruses that bypass your
program. And by describing what a virus does and how it penetrates the
system you are "giving the bad guys ideas". Yes, that's all true (in a
sense) - but the important part is the income. If as a result of your
acts you get more users protected than endangered, it is my belief that
you should just go on and do it. Of course, the estimation of what
exactly prevails - the "bad" or the "good" - is sometimes extremely
difficult to make...

> Tell me, where do YOU get 40-Hex from?

Don't recall exactly; besides I got the different volumes from different
places. Most of them were sent directly to me. I still don't have volume
#10. One thing is certain - I didn't get them from virus exchange BBSes,
because I don't call -any- BBSes.

> Why should it be ok for you to receive it, but not me?

But I am not saying that it wouldn't be OK for you to receive it; I am
just saying that it won't be OK for me to send it to you or for you to
send it further.

> I do not wish to detract from the extremely valuable and "good" work that
> you do as a virus researcher, just want to point out that "good"/"bad"
> is not black/white, more like shades of gray.

Oh, I know that; actually in the virus field it is much worse... As Dr.
Solomon says, very often black is white and white is black...

> BOTTOM LINE: I really get peeved when access to information such as
> 40-Hex is limited "for my own good".

So you don't like it? OK, let's try to put it in another way... Who cares
about your own good? You are probably competent enough not to get
infected by the viruses published in 40-Hex and probably trustworthy
enough not to use them to infect somebody else's system. However, note
that I have no way to know that for sure. And, if I make a mistake, I'll
feel partially guilty for the resulting incident. Thus, I am concerned
about -my- own good.

Next, what if you just forget a diskette with all those viruses on your
desk? Here comes Joe User, sees a diskette, puts it in his m... er, in
his computer's disk drive and runs all programs on it - to see "what they
are doing". Believe me, I've seen this happening, even with diskettes
clearly labeled "DANGER! Contains VIRUSES!". So, I am concerned about
other people's good.

Next, suppose that I agree to send you 40-Hex, or any other viruses, and
this becomes publicly known. What will be the result? People will not ask
whether you are competent or trustworthy, or why you need those viruses.
Instead, they'll say "Vesselin Bontchev spreads viruses", "VTC-Hamburg
spreads viruses", "The anti-virus people are spreading viruses", "The
anti-virus people are writing viruses and are spreading them to sell
their products". And since the last thing is what you all silently
suspect (although the stupidity of such thing becomes blatantly obvious
if you bother to just -think- a little bit), everybody will believe in it
and will repeat it. So, you see, I am concerned about my own and other
anti-virus people's good.

Do you see now how many other things I have to be concerned about? Do you
like this explanation better? And you thought all we were concerned was
-your- own good... Black is white. White is black.
> I trust any expert as far as I can independently verify what
> they say.

As a scientist, I am trying to provide verifiability of my claims any
time I am able to do it. Unless I have to worry about more important
things. You don't demand that NASA takes you in the Shuttle, in order to
verify the claims that the Earth is round with your own eyes, do you?

Regards,
Vesselin

P.S. Lots of smileys for the humor impaired...
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 14 Apr 93 14:43:46 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help wanted with Dir-II virus (PC)

kleyngel@dutiws.TWI.TUDelft.NL (Raymond Kleijngeld) writes:

> I recently discovered the Dir-II virus on my system (486/33 with a
> 212 Mb Hd). I've a bootable flop which contains no virus and
> includes a virusscanner, scan v102 from Mcafee. I scanned the HD but
> scan didn't detect any virus. So I assumed that the HD was clean.

SCAN 102 is able to detect most of the existing variants of Dir_II.
Either you have done something wrong, or it is not a virus, or it is a
new variant.

> I have read in the virlist.txt that the dir-II virus uses stealth
> techniques and self-encryption. Maybe this is the reason that the
> virus can't be detected.

It is indeed very stealth. It doesn't use encryption; that entry in
VIRLIST.TXT is bogus. Because it is stealth, you must first boot from a
clean diskette, before trying to find it. Have you done that? If not,
this would explain why SCAN has not found it - but it should have found
it at least in memory.

> Actually I have the following problem.
> Because the virlist.txt
> describes that the dir-II virus crosslinks files and directories I used
> chkdsk and Norton Disk Doctor to correct the problem. There are crosslinked

It indeed cross-links files (not directories), but running CHKDSK/F or
NDD is the worst thing you could do - you'll lose all your executable
files this way.

> files and directories. Norton Disk Doctor (ndd) repairs the files.

It has actually screwed up everything.

> After using NDD I use chkdsk and the unallocated chained are nicely
> converted to files. I delete those files.

Too bad; you've just deleted all executable files but the virus.

> But when I run NDD again
> I get the same errors and even some more. So I think that my system
> is still infected.

Not sure why more such problems appear, but in any case NDD is NOT the
tool to use when you have a Dir_II infection.

> Can anyone help me with this problem.

I'm afraid that at the state your problem currently is, it's kinda
difficult to help... If there were only the virus (without the screw-up
caused by NDD) there wouldn't be any problems, but...

> Because I have optimized the
> programs to communicate with each other I don't like formatting the
> disk again.

Then just restore from a backup. Oh, I guess you don't have a backup,
right? Too bad... OK, next possibility - delete all executable files (I
mean, files with COM and EXE extension), restore them from the original
disks and re-compile any programs you have developed yourself from their
sources.

> So any comments about the dir-II virus are welcome.

Some information about it can be found in

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/dir2doc.zip

If you need a disinfection program, take a look at

ftp.informatik.uni-hamburg.de:/pub/virus/progs/dir2clr.zip

Also, CLEAN is able to disinfect the most widespread variant of this
virus. Note however, that none of those programs will be able to repair
the screw-up caused by NDD.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 14 Apr 93 14:57:55 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Terminator 2 and Bert virus ?? (PC)

houkes@eb.ele.tue.nl (Vincent Houkes) writes:

> Hello there,

Hi!

> Can anyone help me with the following problem !!??

Yup.

> Yesterday morning I found my system infected with two viruses. Scan
> v100 found only one, and scan v102 detected a file with two. I found

There's actually only one of them, see below.

> The viruses were called the Terminator 2 virus (stealth), and the Bert
> virus. The latter was only found by vers. 102. Alas there is no
> description of those viruses in the virlist.txt, and vsum x303 doesn't
> answer completely either (only some info on the terminator, terminator
> 2001 (or something like that) and the terminator 3002 (or something
> like that)).

Are you sure that you have looked? Really hard? Even using the "search"
capability of VSUM? Or under the 'T' entry? Hint: "your" virus is listed
as Terminator-2294 in VSUM. I could tell you that the description of the
virus in VSUM is verbose, incorrect, and incomplete, but that wouldn't be
something terribly new, would it?

I have recently posted a description of this virus here; just look a few
issues back. The virus seems to be in the wild in the Netherlands.

> Does anyone know these viruses. (scan gives [Term2] and [Bert] )

This is actually a bug in SCAN 102 (version 100 didn't have it for this
virus). It reports the Terminator_II virus (or Terminator-2294, if you
prefer) as two viruses - [Term2] and [Bert].
This is not something terribly new either - SCAN reports several viruses
as more than one and the problem was reported to McAfee Associates a long
time ago. Hopefully they are working on it... When the next SCAN comes
out, I'll post a list of all incorrect multiple reports it gives on our
virus collection.

> Second of all, is there a way to check zip files before extracting
> them on viruses ??.

I am aware of only one anti-virus program that supports this - this is
the scanner (UTScan) from Untouchable (dunno how it's called in the
Netherlands; maybe V-Analyst 3). What's wrong with unzipping the files
first? There are enough shell programs that let you do that and scan for
viruses automagically.

> f-prot 207 cannot locate the viruses, not even in a heuristic scan. !!

Correct, version 2.07 of F-Prot is not able to detect the Terminator_II
virus.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 14 Apr 93 15:11:40 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Data Base (PC)

keith.watson@stucen.gatech.edu writes:

> I just found an ad for a hypertext virus database. V-Base from
> International Computer Security Associates. A free demo is available from
> their BBS at 202-364-0644.

The free demo is also available for anonymous ftp as

ftp.informatik.uni-hamburg.de:/pub/virus/progs/vbaseabc.zip

> Is this a rehash of Vsum

No, but you can use the same hypertext engine (VSUM.EXE) to view the
information in it.

> or is the long awaited
> for virus database finally here?

I'm afraid that not yet.

> Comments?

Describes fewer viruses than VSUM, is significantly less verbose and less
inexact than VSUM.
Still has some errors and LOTS of incomplete entries. The authors are
more willing to cooperate to fix the mistakes/omissions, however - you
can send them corrections and supposedly they'll be fixed in the next
version of the product.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 14 Apr 93 15:18:06 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: viruses and compression (PC)

sosc1043@wc05.writer.yorku.ca (Colin Beckmann) writes:

> I was wondering if anybody could tell me if it is possible for a
> scanner to detect a virus in a compressed file

Possible? Yes. Some scanners (VirX, SCAN, F-Prot, UTScan) do it for some
(the most popular) compressors (PKLite, Diet, etc.). No scanner does it
for all existing compressors.

> or on a stacked hard drive

Without loading the Stacker device driver? Possible - yes. Practical -
no. So, no scanner does it currently.

> or if the virus can be detected on a file that has been backed up using
> DOS or Norton backup.

No, but Central Point Software's Backup can be configured to scan for
viruses when backing up or restoring. Not that it is a very good scanner,
mind you...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 14 Apr 93 15:23:04 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Windows 3.1 virus (PC)

fites@qucis.queensu.ca (Philip Fites) writes:

> Today, someone reported actually cleaning up a 36 byte virus. I have
> real trouble believing this; the smallest I know of is 44 bytes and
> isn't viable, much less a Windows-specific infector.

> Do you know of anyone with real data on this? (Bontchev or Skulason,
> perhaps?)

The shortest virus I've seen is 25 bytes and it works only sometimes on
some systems. It is definitively not a Windows-specific infector,
although it will "infect" (overwrite) anything, including Windows
applications, due to pure stupidity. I know of only one Windows-specific
virus and it adds 854 bytes to the infected files. I find it difficult to
believe that somebody can fit a viable virus into 36 bytes, let alone a
Windows-specific infector.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 63]
*****************************************
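The two "viruses and compression" replies in this digest (Steve Richards' and Vesselin Bontchev's, with Frisk's README extract) make one point: a scanner sees a pattern appended after PKLITE/LZEXE packing as stored, but a pattern packed together with the program is visible only if the scanner recognises the packer and unpacks with the matching algorithm first. The following is an added example illustrating that distinction; it is not code from the digest or from any of the products named in it. The only real-world details it relies on are the marker bytes PKLITE ("PKLITE" at MZ-header offset 0x1E) and LZEXE ("LZ91"/"LZ09" at offset 0x1C) leave in the EXE header, and the e_cblp/e_cp fields that give the load-image size. Everything else is constructed for the demo: the "packer" is a toy run-length coder standing in for the real compression, the sample executables are synthetic, and `SAMPLE_SIGNATURE` is an invented pattern, not a signature for any real virus.

```python
"""Packer-aware signature scanning for DOS MZ executables (added example).

The PKLITE and LZEXE header markers are the ones those real packers leave in
the MZ header.  Everything else is constructed for the demo: the "packer" is
a toy run-length coder standing in for the real compression algorithm, and
SAMPLE_SIGNATURE is a made-up pattern, not a real virus signature.
"""
import struct

SAMPLE_SIGNATURE = b"DEMO-SIG-0001"   # constructed detection pattern
MZ_HEADER_SIZE = 0x40                 # header size used for the constructed images


def identify_packer(data):
    """Return "PKLITE", "LZEXE" or None from marker bytes in the MZ header.

    PKLITE writes its version word at 0x1C and the text "PKLITE" from 0x1E;
    LZEXE 0.91 / 0.90 write "LZ91" / "LZ09" into the reserved words at 0x1C.
    """
    if len(data) < MZ_HEADER_SIZE or data[:2] != b"MZ":
        return None
    if data[0x1E:0x24] == b"PKLITE":
        return "PKLITE"
    if data[0x1C:0x20] in (b"LZ91", b"LZ09"):
        return "LZEXE"
    return None


def rle_pack(body):
    """Toy run-length packer: (count, byte) pairs, count 1..255."""
    out = bytearray()
    i = 0
    while i < len(body):
        run = 1
        while i + run < len(body) and run < 255 and body[i + run] == body[i]:
            run += 1
        out += bytes((run, body[i]))
        i += run
    return bytes(out)


def rle_unpack(packed):
    """Inverse of rle_pack: the "appropriate algorithm" a scanner must know."""
    out = bytearray()
    for count, value in zip(packed[::2], packed[1::2]):
        out += bytes((value,)) * count
    return bytes(out)


def image_size(data):
    """Load-image length from e_cblp (bytes in last page) and e_cp (512-byte pages)."""
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    return (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512


def make_exe(body, packer=None, appended=b""):
    """Build a minimal MZ image: header, (packed) body, then an optional trailer
    that lies beyond the load image, like code attached after packing."""
    if packer is not None:
        body = rle_pack(body)
    total = MZ_HEADER_SIZE + len(body)
    header = bytearray(MZ_HEADER_SIZE)
    header[0:2] = b"MZ"
    # e_cblp, e_cp, e_crlc, e_cparhdr
    struct.pack_into("<HHHH", header, 2, total % 512, (total + 511) // 512,
                     0, MZ_HEADER_SIZE // 16)
    if packer == "PKLITE":
        header[0x1E:0x24] = b"PKLITE"   # version word at 0x1C left zero in this demo
    elif packer == "LZEXE":
        header[0x1C:0x20] = b"LZ91"
    return bytes(header) + body + appended


def scan(data, signature=SAMPLE_SIGNATURE):
    """Scan the file as stored; if a known packer is recognised, also unpack the
    load image and scan that, so a pattern packed with the program is still seen."""
    packer = identify_packer(data)
    as_stored = signature in data
    if packer is None:
        return {"packer": None, "found_as_stored": as_stored,
                "found_after_unpack": as_stored}
    unpacked = rle_unpack(data[MZ_HEADER_SIZE:image_size(data)])
    return {"packer": packer, "found_as_stored": as_stored,
            "found_after_unpack": as_stored or signature in unpacked}


# Constructed samples: NOP filler plus a DOS exit stub (mov ax,4C00h / int 21h).
CLEAN_BODY = b"\x90" * 300 + b"\xb8\x00\x4c\xcd\x21"
INFECTED_BODY = CLEAN_BODY + SAMPLE_SIGNATURE
SAMPLES = {
    "plain_infected": make_exe(INFECTED_BODY),
    "infected_then_packed": make_exe(INFECTED_BODY, packer="LZEXE"),
    "packed_then_infected": make_exe(CLEAN_BODY, packer="PKLITE",
                                     appended=SAMPLE_SIGNATURE),
}


def scan_all():
    """Scan every constructed sample; returns {name: scan result}."""
    return {name: scan(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:22s} {result}")
```

Running it shows the three cases the thread distinguishes: the plain file and the "packed, then infected" file are caught as stored, while the "infected, then packed" file is missed as stored and caught only after the scanner recognises the LZEXE marker and unpacks the load image. A scanner without the unpacker for a given packer is in Frisk's "remaining compression program" situation: it can still tell the file is packed, and flagging that is the honest fallback.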