Date: Wed, 20 May 1992 18:48:39 EDT
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V5 #107
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Wednesday, 20 May 1992   Volume 5 : Issue 107

Today's Topics:

Can a virus survive being pkzipped or otherwise compressed? (PC)
Hit by Joshi, HD died ? (PC)
Re: Virus from "DIR"? (PC)
Virus? Vlad The Inhaler (PC)
clock ram resident virus (PC)
f-prot/windows/novell (PC)
Re: Problems with PKatz's software ... (PC)
Re: COPS for Novell? (PC) (Novell)
Re: Question about Dark Avenger (PC)
Cute virus names sorted (PC)
F-Prot information Wanted (PC)
PC\MS DOS based Viruses & OS\2 2.0 (PC) (OS/2)
Question on CODE 252 (Mac)
Re: Is a "good virus" a bad idea?
Re: Lines of defense against viruses
Virus information wanted
How to deal with virus distributors?
Revision to Product Test PT-34, IBM Anti-Virus Product, 2.1.9
Revised Product Test PT-12, Virucide Plus
Checklist part 14

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name.
Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: 14 May 92 09:00:44 -0800
From: kjb@calmasd.prime.com (Ken Brucker)
Subject: Can a virus survive being pkzipped or otherwise compressed? (PC)

A columnist in a local computer magazine (Computer Edge for those in the San Diego area) mentioned that viruses can't survive, or at least typically don't survive, compression into zip files and other archives. Has anyone had this experience? And has anyone seen the contrary?

Thanks!
Ken
--
** Ken Brucker -- VMS/Ultrix Systems Programmer/Mangler -- Computer Vision **
kjb@calmasd.Prime.COM
** Practice Random Kindness and Senseless Acts of Beauty **

------------------------------

Date: 15 May 92 03:43:51 +0000
From: grx0627@uoft02.utoledo.edu
Subject: Hit by Joshi, HD died ? (PC)

The PS/2 80 in our lab was hit by the Joshi virus today. I was scanning and cleaning an infected floppy disk. After that, I turned off the system and turned it on again; the system can only boot from a floppy disk and I can no longer get access to the hard disk. I think the hard disk was also infected, but I forgot to scan it before I turned off the system. Any help is desperately welcome.

Thanks!
L. Chen, Biomechanical Lab, Univ. of Toledo

------------------------------

Date: Fri, 15 May 92 12:04:00
From: Simon Callan (on GN08)
Subject: Re: Virus from "DIR"? (PC)

It is a commonly stated fact that it is not possible for a virus to infect a computer simply by the user doing a dir on a disc.
However, this is not entirely true - on the Acorn Archimedes, if you catalogue a disc under the desktop (the RISC-OS GUI) you **CAN** catch a virus. When the desktop opens a directory on a disc, it checks to see if it has previously seen the application(s) in that directory, and if it has not, it runs the !BOOT file associated with the application to set up the commands and icons used by the application. If this has been contaminated with a virus, the virus loads itself on to the machine.

Fortunately, most of the (~16) Archimedes viruses are very simple and easy to detect. Since the Archimedes OS is held in ROM, there can be no boot sector viruses, and stealth viruses would have great difficulty hiding their changes to files.

Simon Callan

------------------------------

Date: Fri, 15 May 92 14:31:00 -0400
From: mhuxo!rjg@att.att.com
Subject: Virus? Vlad The Inhaler (PC)

Has anyone heard of a PC virus called Vlad The Inhaler? I received a report from someone saying that when they went to hot-key between applications in Windows, a message flashed on the screen: "VladTheInhaler".

Bob Garrity
r.j.garrity@att.com

------------------------------

Date: Fri, 15 May 92 12:28:28 -0700
From: A.J.
Subject: clock ram resident virus (PC)

Hello, does anybody know of any clock-resident viruses for either Amiga, Mac or PC computers? If so, what viruses are they? I think my Amiga is infected with one. Please send more information on these types of viruses and procedures for removing them.

thankx

PS. Please give names and complete descriptions of the viruses you know of (Amiga, Mac or PC) that infect the clock CMOS, and how to remove them.

-aj.

------------------------------

Date: Fri, 15 May 92 17:08:50 -0400
From: Paul Massue-Monat
Subject: f-prot/windows/novell (PC)

I feel that I should share this good news with all readers of virus-l and novell.
Windows 3.1 comes with new versions of himem.sys, emm386.exe and smartdrv.exe. This software is definitely a major improvement over the past versions. Because of them, not only my Windows world but also my DOS world is better. Most notable is the fact that I can now loadhigh virstop.exe (I could only devicehigh before).

As you probably know, there was a bug (for which a fix exists) in Windows 3.0 that impaired your outputs when you were loading certain TSRs (such as virstop.exe). With virstop.exe loaded, I could not print to my networked PostScript printer. This problem is now fixed!

May you upgrade to Windows 3.1 or at least get the improved software!

Paul Massue-Monat
Lab Mgr.
Faculty of Administration, University of Ottawa
Canada K1N 6N5
Phone: 613-564-6895/6500   Fax: 613-564-6518
Internet: monat@acadvm1.uottawa.ca

------------------------------

Date: 16 May 92 15:36:41 +0000
From: nevries@cc.ruu.nl (Nico de Vries.)
Subject: Re: Problems with PKatz's software ... (PC)

BRENNAAA@DUVM.BITNET (A. Andrew Brennan) writes:

> I don't believe that Katz has email access (someone please
> tell me that I'm wrong) but there presently exists a major
> problem with the PKWare stuffs.

Are you referring to the weak AV, the weak encryption or the bugs?

> Basically, everyone is waiting with bated breath for the
> PKZip 2.xx release - something that has been hitting the soon-
> to-be-released rumor mills for a while. I remember seeing a
> file that claimed to be beta for 1.93 and have seen 2.01 files
> on a few locations - never there very long.

ALL 2.xx versions till now have been fake versions. The current release date is June (but that's the nth we saw :-( ).

> ...
> The second article went over the verification code and
> registration information that is used by PKWare. How to dupe
> it, etc. such that people think that they are getting the
> package "straight from Katz."

The authenticity verification of PKZIP is very weak. Multiple programs to crack it are available.

> ...
> andrew.
> (brennaaa@duvm.ocs.drexel.edu)

Nico E. de Vries
--------------------------------------------------------------------------
USENET: nevries@cc.ruu.nl   FIDO: 2:281/708.1
VOICE: +31-3404-24931 (+31-30-316931)   FAX: +31-30-312033
BBS: +31-30-341401 (Nico De_vries)   COMPUSERVE: coming soon (I hope)
This text reflects MY opinion, not that of my employer (BITECH).
This text is supplied 'AS IS', no warranties of any kind apply.
I am famous for my typostyle so don't bother complaining about it.
"Predicting the future is just as difficult as understanding the past."

------------------------------

Date: Sun, 17 May 92 23:46:33 +0000
From: rick@mathcs.sjsu.edu (Richard Warner)
Subject: Re: COPS for Novell? (PC) (Novell)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> Is anybody aware of a Novell NetWare-oriented program to check the
> security of a Novell LAN? Like the usage of obvious passwords, shared
> directories left writable by several people, possible virus infection
> paths, etc.? Something like COPS does for Unix? And, if there is no
> such thing yet, don't you think that it's more than the time to create
> it?

While not as complete as COPS, Novell has a 'security review' program for NetWare that checks for obvious security holes (too lax on disk create/write rights, too many supervisors, users without passwords, etc.). This has been part of NetWare for at least 7-8 years now. (It comes in every box, by the way.)

+-----------------------+-------------------------------------+
| Richard M. Warner     | Internet: rick@sjsumcs.sjsu.edu     |
|                       | CompuServe: 71121,2257              |
+-----------------------+-------------------------------------+
| ** DISCLAIMER: All opinions are strictly my own. I work     |
| hard enough at forming them!                                |
+-------------------------------------------------------------+

------------------------------

Date: 18 May 92 10:47:00 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Question about Dark Avenger (PC)

BONDIR@vaxb.gbus.virginia.edu writes:

> I am confused about the recent column in InfoWorld describing the Dark

Well, let's say that InfoWorld is not the world's most competent source of information concerning viruses...

> Avenger engine. Just as one can have self-extracting archives, so the
> engine self-encrypts and self-extracts. Because the encryption varies

Not quite... The MtE is a library function, supplied in an .OBJ file. The virus writer has to write a virus which CALLs the mutating engine by name and link his code with this .OBJ file. When the library function is called, it gets some parameters - among them the address of a buffer for workspace and the piece of code that has to be "mutated". The function then composes a random encryption routine, uses it to encrypt the piece of code, then generates a random decryption routine which implements the decryption for the encryption method used, and prepends this to the encrypted code.

> each time, the encrypted virus is essentially immune to detection by
> anti-virus programs that scan for characteristic strings. What I

Well, yes, but most scanners are more clever than that... The MtE (in fact - ANY MtE-based virus) can be detected by a scanner which uses algorithmic search - it is just very difficult to detect all possible mutations of the virus and simultaneously not to produce any false positives... But it is fully possible and, as I mentioned above, once it is done, the scanner will be able to detect any MtE-based virus. Since the code of the MtE itself is quite tricky and its source is not available, it is highly unlikely that the wannabe virus writers who enjoy producing Jerusalem and Vienna variants will be able to modify it...
The only person who seems able to produce an "improved" version of the MtE is the Dark Avenger himself...

> don't understand is this: surely the executable, self-extracting part
> of the program must be invariable - it can't be encrypted, because
> obviously it couldn't execute while encrypted. So why aren't such

It's true that this part cannot be encrypted, but it is not true that it must be invariable. In fact, it varies very heavily - it is very different with each new infected file.

> viruses easy to detect simply by scanning for the self-decrypting
> executable portion?

What you propose works for viruses which only use variable encryption (like Cascade), but doesn't work for the polymorphic viruses which vary even their decryption routines...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
** PGP public key available by finger. **   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: 18 May 92 11:07:33 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Cute virus names sorted (PC)

Hello, everybody!

As somebody noticed earlier in this newsgroup, I am somewhat too busy sorting the cute virus names. Meanwhile I have achieved some success, so I decided to publish the results. They (the results) are available for anonymous ftp from our ftp site: ftp.informatik.uni-hamburg.de (IP=134.100.4.42), directory pub/virus/texts/tests. There you can find the following files:

- naming.zip. Contains a paper which describes the CARO standard virus naming scheme and the unique CARO names of every single virus variant we have in our collection. Since a major confusion exists about virus naming, especially for the file viruses (which are the majority), I have provided for comparison the virus names given by Dr. Solomon's FindVirus, Fridrik Skulason's F-Prot, and John McAfee's SCAN.

- reports.raw.zip. Contains the raw reports of the scanners with the best detection rate, when run on our full virus collection. The three scanners are Dr. Solomon's FindVirus 4.12 (drivers of March 28, 1992), Fridrik Skulason's F-Prot 2.03a, and McAfee Associates' SCAN 89-B. (I have received newer versions of the scanners just a few days ago, but didn't have the time to re-run the tests and re-create all the reports.) The archive also contains the output of F-Prot's heuristic analyser, when run on our virus collection, so that you can see how well it performs with real viruses (how badly it performs with non-viruses you can check yourself). Note that SCAN shows a significantly lower detection rate than the other two scanners. The reason probably is that I do not actively exchange virus samples with McAfee's group, so they don't have some of the viruses that we have and we don't have some of the viruses that they have.

- reports.zip. Contains the same listings as above (except the output of the heuristic analyser), but preprocessed with a couple of awk scripts and listed in columns side-by-side. This form is much more readable, but the line width is huge - you are advised to print the files on a 132-characters-per-line printer, using condensed mode. A column which lists the standard CARO name is also added.

- reports.ps.zip. Contains the same files as reports.zip, but in PostScript format, so that they are easy to print (but not that easy to read) on A4 format pages.

Hope the information will be of some use to you.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev                Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226   Fachbereich Informatik - AGN
** PGP public key available by finger. **   Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: 11 May 92 11:35:48 +0000
From: ba.nguyen@f869.n681.z3.fido.zeta.org.au (Ba Nguyen)
Subject: F-Prot information Wanted (PC)

Hello,

Would anyone know how I could get the latest version of F-Prot from Australia, please? I am new to this group, so please bear with me. Any information regarding this would be greatly appreciated.

Thanks in advance.
B. Nguyen
---
Maximus/2 2.01wb
* Origin: Adelaide Mailbase [61-8-269-1242] (3:681/869)

------------------------------

Date: Tue, 19 May 92 20:55:15 -0400
From:
Subject: PC\MS DOS based Viruses & OS\2 2.0 (PC) (OS/2)

I have a few questions for Ken, Vesselin, and the other GURUs, as well as anyone who is knowledgeable enough about PC\MS-DOS, viruses, & OS\2 2.0.

1. Is it possible for a DOS-based virus to survive & thrive on a system running OS\2 2.0 using the HPFS file system instead of the FAT system?

2. Since IBM claims that OS\2 2.0 can run multiple DOS sessions in virtual PC windows, if I opened up 5 windows and one of them crashed as a result of trying to load a DOS program that was infected by a 1571 virus, would OS\2 come completely crashing down?

3. What happens to OS\2 if, while using the DOS compatibility box in full screen, a partition table virus like the Jerusalem-b or Michelangelo infects the system and alters the system?

4. If I loaded DOS, Windows 3.0, Windows 3.1, & OS\2 programs in separate windows, and one of my Win3.0 programs gets infected by a Ping-Pong virus, will the other DOS sessions and the OS\2 session all become infected by this virus? (I know the Ping-Pong is more of an annoying virus than a destroying virus.)

5. How do FAT killers, boot sector viruses, and partition table viruses deal with the HPFS system? What if you have more than one type of operating system on your hard disk? (ex. DOS, OS2, Unix***, Novell)

*** This is not the full-blown SCO version; it's more like COHERENT (a smaller version of Unix that has a lot of Unix features).

The reason for these questions is: I recently received an evaluation copy of OS\2 2.0 from IBM. I got it by attending last month's meeting of the NEW YORK CONSULTANTS SIG, of which I am a member. The guest speaker was Gary Skiba, a technical advisor for IBM. And frankly, I was impressed by his know-how on OS\2 and his ability to not make it a presentation on OS\2. I was also impressed with his ability to LISTEN and make us ask him real QUESTIONS about OS\2. WE GAVE HIM MORE THAN A MOUTHFUL!!! SINCE WE WERE THE KINDS OF PEOPLE IBM WOULD HAVE TO CONVINCE if OS\2 was to get off the ground. "Intelligence was not something we expected to be coming from IBM." :) We're also hoping he was not a fluke, & that other intelligence exists there :)

The reason I asked these questions is because I've been thinking about adding it (OS\2) to my hard drive when I get my system back into working condition. I am also going to be posting this message onto the OS2 newsgroups, but I wanted to start here first, since the main reason why I would be adding it to my system is that I supposedly would be able to have an assembler in one window, a disassembler in another, a third window for including any pertinent virus info. into DOK-V (a virus database project I'm working on), and a fourth window to safely test the effects of certain types of viruses and trace their logic.

Any help that can be provided in answering these questions would be greatly appreciated.

regards,
Chris :)
-------
CHRISTOPHER MATEJA (PRES. / OWNER)       BITNET:
BITS-N-BYTES COMPUTER SERVICES           INTERNET:
333 15TH STREET                          COMPUSERVE: 75230,476 (MORE TO COME)
BROOKLYN, NY 11215 (USA)                 FIDONET: (COMING SOON)
THE OPINIONS EXPRESSED ARE SOLELY MINE!!! (: NEVER ASSUME ANYTHING! :(
Although BITS-N-BYTES COMPUTER SERVICES is a member of the NY.Consultants Group, the opinions expressed ARE solely THAT OF THE PRES. Chris Mateja & may not reflect the opinions of this organization.
"OS\2 2.0 and Viruses:" "talk about things that make you say" "Hmmmmmm" :)

------------------------------

Date: Mon, 11 May 92 14:45:15 +0000
From: jka3_ltd@uhura.cc.rochester.edu (James Amenuvor)
Subject: Question on CODE 252 (Mac)

Someone posted the correct codes to enter into Virex 3.x so that it will scan for CODE 252. My question is: will the application update the INIT when the Virex installer is used, so that the INIT will also detect the virus? Thanks a million in advance for any help. Any more information on CODE 252 or any new Mac viruses will also be greatly welcomed.

James.

------------------------------

Date: 15 May 92 01:08:16 -0500
From: allens@yang.earlham.edu (Allen Smith)
Subject: Re: Is a "good virus" a bad idea?

WALKER@aedc-vax.af.mil (William Walker C60223 x4570) writes:

> From: Werner Uhrig
>> have you ever heard of a human immunization that spreads
>> "virus-like"? I haven't, but even if it was possible, who
>> would/should take the responsibility to consider the whole
>> world as their private laboratory...?!?
>
> There is a proposed cure for one of the genetic illnesses (I forget which
> one) which is not only "virus-like," but is "virus-based."
> A sample of
> the patient's DNA is extracted, the mutated portion which causes the
> illness is removed and replaced with the normal genome, and the new DNA
> is inserted in the protein case of a REAL virus (sans viral DNA, of
> course). I also forget the particular virus used, but it is one which
> causes a respiratory disease (the influenza virus, I think). The patient
> then breathes some air which is "intentionally contaminated" with the new
> "viri," which "attack" the lung cells, inserting the "fixed" DNA in the
> cells, and thereby curing the genetic illness. This process is, I
> believe, currently undergoing FDA examination.
>
> One of the strongest objections to this procedure is almost exactly the
> same as that stated by Mr. Uhrig: who would be responsible if the "viri"
> escaped into the world? Opponents are quick to point out the dangers of
> this procedure. The DNA in the "viri" is geared toward one specific
> human -- the patient. If another person should breathe these "viri," his
> DNA would be replaced, too. The results could then be worse than a mere
> mutation -- some of his own cells would no longer be compatible with the
> rest of his body, resulting in tissue rejection, a new form of cancer, or
> who knows what.

If the people doing the procedure have the sense to remove histocompatibility antigen DNA from the virus (almost certainly the case), then there's no problem. There's also the point that if the sections of the viral DNA/RNA coding for the outer protein capsule and for other aspects of reproduction not necessary for the implantation are removed, then further viral reproduction is virtually impossible.

> How could a procedure of this kind be controlled? It can't. How do you
> know when all of the viri have "attacked?" You don't. Suppose a person
> receives this treatment, then goes out and breathes the "unused" viri on
> someone, who inhales them in turn. Can this be controlled? No, unless
> you seal the patient in a "plastic bubble" for the rest of his life. Not
> an attractive solution.

It can certainly be controlled. Viri won't last forever, especially if they are chosen properly to have a weak shell. After a bit, to give time to infect, numerous means may be used to clean out the person's lungs.

> Perhaps a corresponding computer-virus example can be used in the "good
> virus" argument.

Not really. A computer virus is designed to infect further "organisms"; a gene therapy virus is not.

-Allen

------------------------------

Date: Fri, 15 May 92 18:12:00 +0300
From: Y. Radai
Subject: Re: Lines of defense against viruses

In reply to S. Tripathi's question,

> What would be the best line(s) of defense against viruses?

Robert Slade mentions, among other things:

> 2) a "boot completion" memory and system check. At the present time I
> am not aware of any products which do this automatically. All I am
> thinking of here is a simple check of memory to ensure that nothing
> new is in memory which is not there at the normal boot time. This is
> intended to protect the further steps against stealth attacks.

I'm not sure if this is what you're referring to, but Fred Cohen's ASP takes a "snapshot" of memory and registers (between loading of device drivers and invocation of the command interpreter) on a presumably clean system, and then automatically restores the snapshot at the same stage on every subsequent boot.

> Vesselin says there are three types of antiviral software; I make some
> minor subsetting and come up with five. ....

Three types? Five? How about *thirteen*? Almost a year ago I started to make a list of anti-viral techniques, but after I got up to a dozen, I put the list into a drawer (figuratively speaking) and forgot about it. (Admittedly, one of the techniques is hardware, but Tripathi's original question was not limited to software.)
Anyway, I've pulled out that list (the only thing I've added since then is the snapshot technique) and it is appended below. I fully expect to see reactions such as "Why isn't my technique X listed?" or "Technique Y isn't the same sort of animal as the others and should be omitted" or "Technique Z should be broken up into several sub-techniques" or "No, no, you must change the classification structure entirely!", etc., so please view this list as simply a basis for discussion and improvement (eventually to find its way into the FAQ sheet).

Anti-viral Techniques
---------------------

1. Known-virus scanner
   (Searches for strings/patterns characteristic of known viruses)

2. Known-virus remover (file/boot-record disinfector)
   (Technique 2 is usually part of the same program as 1; McAfee's programs are an exception. The program(s) may be resident (scanning only programs which are about to be executed and possibly diskettes which are about to be accessed) or non-resident (scanning all or selected files at once).)

3. Generic (heuristic) scanner
   (Looks for suspicious code)

4. Generic monitoring program ("filter")
   (Resident program which checks for suspicious behavior)

5. Checksumming (integrity checking)
   Checks if any file or boot record has been modified. This may be implemented in three ways:
   (a) by a non-resident program activated by explicit program call, in order to check all files or a specified list of files all at once, usually at boot time by virtue of the program name being placed in the AUTOEXEC.BAT file.
   (b) by a memory-resident program to check each program which is about to be executed.
   (c) by code attached to each program, which is executed just before the program itself is executed.

6. Generic disinfection

7. Hardware write protection (all or part of a disk)

8. Software write protection

9. Special MBR to make hard disk appear non-existent when booting from a diskette

10. Encryption of files, with decryption just before execution

11. Vaccination
    (Insertion of identifying string into a file or boot record to fool virus into thinking that the file is already infected)

12. Bait ("decoy") program

13. Snapshot
    (Makes a copy of memory and registers on a presumably clean system, and then restores them at the same stage on every subsequent boot.)

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Fri, 15 May 92 17:28:21 -0600
From: a18808@itesocci.gdl.iteso.mx (Bru Villase#or Pilar)
Subject: Virus information wanted

I am a new user of this list and I would like to know which viruses you have information on, and, if it is possible, to be sent a list of the viruses you know how to eliminate.

Pily Bru from Iteso, Mexico

------------------------------

Date: Sun, 17 May 92 16:05:00 -0500
From:
Subject: How to deal with virus distributors?

I have run a BBS system since 1986. Until today, the local scene has always been fairly innocuous (kiddie pirate boards are about the worst). Today I found a message indicating a local system was now distributing viruses (virii?) and source. I called up and went through the new user rigmarole, and with only minimal effort (a callback verifier and questionnaire) had access to a good assortment of them, including construction toolkits, source in various languages, droppers, and the like. The stated purpose is 'education'.

What is the best way to deal with this?

Jmaaskant@uthscsa.edu
(jan.maaskant@f255.n387.z1.fidonet.org)
jmaaskant@uthscsa (bitnet)

------------------------------

Date: Thu, 30 Apr 92 07:43:04 -0600
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test PT-34, IBM Anti-Virus Product, 2.1.9

*******************************************************************************
PT-34                                                              April 1991
                                                           Revised April 1992
*******************************************************************************

1. Product Description: The IBM Anti-Virus Product is a program to detect computer virus signatures in the PC-DOS (MS-DOS) and OS/2 environments. This test report addresses version 2.1.9.

2. Product Acquisition: The program is available from the IBM Corporation through a variety of means. The licensing cost of the program is $35.00. IBM retains title to the scanning program but licenses its use in the United States and Puerto Rico. Updates cost $10.00.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I acquired the original copy of the program and version 2.1.9 through Computerland. The initial licensing and upgrade fees were sent directly to the IBM Corporation, Grand Central Station, P.O. Box 2646, New York, NY 10163. Computerland (located in Las Cruces, NM, USA) has continued to charge me nothing for their time or intercession.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in pub/virus-l/docs/reviews/pc/mcdonald.ibm.antivirus]

------------------------------

Date: Thu, 14 May 92 08:54:01 -0600
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test PT-12, Virucide Plus

*******************************************************************************
PT-12                                                               June 1990
                                                             Revised May 1992
*******************************************************************************

1. Product Description: VIRUCIDE PLUS is a commercial anti-virus program to detect and to remove known computer virus signatures for the MS-DOS computer environment. This report addresses version 2.41, released April 1, 1992.

2. Product Acquisition: The product is available from Parsons Technology, Inc. The address is Parsons Technology, Inc., One Parsons Drive, P.O. Box 100, Hiawatha, IA 52233.
The company has a toll-free number for orders, 1-800-223-6925, or 1-319-395-9626. The cost of a single copy, as of May 1992, was $69.00. Registered users of VIRUCIDE can upgrade to VIRUCIDE PLUS for $32.00, which includes shipping and handling. The vendor states that upgrades will remain on approximately a quarterly basis for $15.00 with shipping and handling.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-5712, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

4. Product Test:

a. I ordered my original copy of VIRUCIDE and all upgrades directly from Parsons Technology. The upgrade to VIRUCIDE PLUS (VP) cost $29.00, which included a new User's Guide. VP retains the same detection and disinfection component licensed from McAfee Associates, but adds a terminate-and-stay-resident (TSR) component, VIRUCIDE SHIELD, licensed from Trend Micro Devices, Inc.

[Moderator's note: The remainder of this product review (and MANY other product reviews) is available by anonymous FTP on cert.org (192.88.209.5) in pub/virus-l/docs/reviews/pc/mcdonald.virucide]

------------------------------

Date: Fri, 15 May 92 19:03:10 -0700
From: rslade@sfu.ca (Robert Slade)
Subject: Checklist part 14

920515 PRTCKLE.CVP

Antiviral checklist - part 14

Just to finish off, and for quick reference:

For each computer:
_ Directory list of all program files, date and size
_ List of programs run at startup
_ "Source code" for menus
_ Description of boot sector
_ Description of partition boot record
_ Description of memory map at startup
_ Description of interrupts at startup
_ Backup "originals" of software
_ Backup of hard disk directory structure
_ Clean, protected bootable system diskette

For each office:
_ Description of current common viri
_ List of local virus information contacts
_ List of all hardware and software purchased, supplier and serial number
_ Designated machine for receiving/testing new disks/software
_ Log of disks/programs received
_ Memory and disk mapping utilities

Regularly:
_ Back up data
_ Monitor disk space, map, memory map
_ Monitor program file sizes

At software install/change:
_ Protect original
_ Install from protected backup
_ Trial run on isolated system
_ Map memory before and after run
_ Offer "bait" files and disks

If infection found:
_ Send copy to recognized researcher
_ Isolate machine and disks
_ Perform minimal disinfection

Once again, note that this checklist does not require any specific antiviral software. Antivirals will be dealt with in due course.

copyright Robert M. Slade, 1992   PRTCKLE.CVP   920515

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
ROBERTS@decus.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca | p1 @ CyberStore 85301030
"Kill all: God will know his own." - originally spoken by Papal Legate Bishop Arnald-Amalric of Citeaux, at the siege of Beziers, 1209 AD
=============

for back issues:
Contacts list: cert.sei.cmu.edu, /pub/virus-l/docs/reviews
Reviews: cert.sei.cmu.edu, /pub/virus-l/docs/reviews/pc
Column: cert.sei.cmu.edu, /pub/virus-l/docs/slade.cvp.articles
For those without ftp, see Jim Wright's posting, or use Cyberstore. Also FREQ from 1:153/733 The Cage 604-261-2347.

(btw, Ken, is cert.org working? I haven't received mail back, but I haven't seen the Solomon review either. No push, just checking.)

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 107]
******************************************
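Radai's technique 5(a) (a non-resident checksummer run over all program files at once) and Slade's checklist items ("Directory list of all program files, date and size"; "Monitor program file sizes") describe the same control. The block below is an added example, not code from the digest or from any product it mentions: a baseline-and-compare integrity checker in Python, where the program-file extensions, the sample files and the tampering scenario in demo() are all constructed for the demonstration. It also shows why size and date alone are not enough: a change that keeps both is only caught by the content hash.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extensions treated as "program files" (DOS-era executables; an assumption for the demo).
PROGRAM_SUFFIXES = {".exe", ".com", ".sys", ".ovl", ".bat"}


def fingerprint(path: Path) -> dict:
    """Record what the checklist asks for (date and size) plus a content hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_baseline(root) -> dict:
    """Technique 5(a): one non-resident pass over every program file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh pass.

    "stealthy" means the content hash changed while size and date did not:
    a size/date check alone ("Monitor program file sizes") would miss it.
    """
    report = {"modified": [], "stealthy": [], "new": [], "missing": []}
    for name, base in baseline.items():
        now = current.get(name)
        if now is None:
            report["missing"].append(name)
        elif now["sha256"] != base["sha256"]:
            same_meta = now["size"] == base["size"] and now["mtime"] == base["mtime"]
            report["stealthy" if same_meta else "modified"].append(name)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def save_baseline(baseline: dict, path) -> None:
    # The baseline belongs on write-protected media (technique 7), away from the
    # machine being checked; otherwise it can be rewritten along with the programs.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a directory, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "COMMAND.COM").write_bytes(b"MZ" + b"\x90" * 512)
        (root / "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 1024)
        (root / "CONFIG.SYS").write_bytes(b"DEVICE=HIMEM.SYS\r\n")
        (root / "README.TXT").write_bytes(b"not a program file, so not baselined")
        db = root / "baseline.json"          # .json is not a program suffix
        save_baseline(build_baseline(root), db)

        # 1. Appending change: the file grows, so size alone already gives it away.
        with open(root / "EDIT.EXE", "ab") as fh:
            fh.write(b"\x00" * 200)
        # 2. In-place change with size and date put back: only the hash differs.
        target = root / "COMMAND.COM"
        before = target.stat()
        data = bytearray(target.read_bytes())
        data[2:6] = b"\x01\x02\x03\x04"      # same length, different content
        target.write_bytes(bytes(data))
        os.utime(target, (before.st_atime, before.st_mtime))
        # 3. A program appears that was never baselined; a baselined one vanishes.
        (root / "DROPPER.COM").write_bytes(b"constructed sample")
        (root / "CONFIG.SYS").unlink()

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```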