Date: Mon, 13 Jul 92 20:28:57 -0400
Message-Id: <9207140028.AA02092@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #129

VIRUS-L Digest   Monday, 13 Jul 1992    Volume 5 : Issue 129

Today's Topics:

    FORM Virus picked up in Amsterdam airport (PC)
    Methods for virus defense (PC)
    Re: 696/Scr2/Enemy (PC)
    Rapid rise of the FORM virus; why? (PC)
    F-PROT 2.04b (PC)
    Warning: dangerous bug in SCAN 93 (PC)
    Re: Disinfectant 2.9 vs ChinaTalk (Mac)
    Re: Disinfectant 2.9 vs ChinaTalk (Mac)
    ChinaTalk search and repair string for AntiVirus 2.0 (Mac)
    "Virus fighters fume..."
    Suzana's Thesis Questionnaire
    New test results available
    Review of Vi-Spy (PC)
    VDS 2.10 is released (PC)
    File listing on risc.ua.edu

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5).
Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 08 Jul 92 11:32:19 -0400
From:    Ken De Cruyenaere 204-474-8340
Subject: FORM Virus picked up in Amsterdam airport (PC)

A colleague (without internet access) tells me that one of his fellow employees (they work for a gov't utility) picked up the FORM virus while using a PC provided for general use in an airport "executive" lounge in Amsterdam. It did not spread after his return to Manitoba (Winnipeg) as he was belatedly suspicious and checked a diskette he had used in Amsterdam with McAfee (V84). This is second hand information, so I don't have any other specific details, but it occurred on approximately June 30th.

- ----------------------------------------------------------------------
Ken De Cruyenaere                 'USER' - The word that
Computer Security Coordinator     computer professionals use
Computer Services                 when they mean idiot.
University of Manitoba
Bitnet: KDC@CCM.UManitoba.CA   Voice:(204)474-8340   FAX:(204)275-5420

------------------------------

Date:    Thu, 09 Jul 92 09:46:07 +0000
From:    007
Subject: Methods for virus defense (PC)

brian@53iss6.waterloo.NCR.COM (Brian W. Gamble) writes:

>Given that scanners are not the whole answer, just what combination
>of programs and techniques is "state of the art" this month?
>Please keep the responses to the user level for this one. Pretend
>that I've just gotten a PC and know very little more than how to
>load DOS.

The "state of the art" method of virus defense is not to depend on a single method, such as a scanner, since it is too easy for a virus to sneak by just one method of protection. Rather, a multilayered defense is needed. See the bottom of this article for a quick review of what I see as the "layers".

A most basic defense would include:

+ A clean, write-protected bootable floppy disk. A DOS master disk works well for this.
+ A TSR virus scanner that starts up whenever the computer is turned on. I recommend Frisk's F-Prot, a free* program available via ftp.

+ A non-TSR scanner to identify an infection. Again F-prot seems best.

*Free to single users in a non-commercial environment.

ALWAYS boot from a clean disk before starting any scanning! I would suggest that a beginning user not even INSTALL the scanner onto his hard disk-- it is quite a risk, since if the scanner gets infected and the person scans, that infection will spread to EVERY FILE ON THE HARD DISK!

A more secure defense includes the above plus:

+ A write-protected floppy with a virus scanner on it. This is often a bootable floppy, so it covers the bootable disk requirement, above.

+ Keep a backup copy of all programs as you install them. This means saving the original .ZIP files from shareware programs and keeping the original installation disks for commercial programs. Write-protect them and keep them in a safe place.

The most secure defense that I would find feasible is all of the above plus:

+ An integrity-checking program such as Integrity Master. This requires some in-depth knowledge to be truly effective.

+ "Bait" files to catch viruses that may be in memory. (unreliable and generally suited only for snagging a sample of the virus for analysis.)

+ Heuristics analysis (from F-Prot) to find unknown viruses. It is necessary to generate a "clean-system" report (preferably hard copy) since this method generates lots of ambiguous messages, and the user will need to know which messages are "normal".

+ A disassembler/debugger to look at the actual program code. Very technical, but virtually foolproof.

+ A complete routine-backup system of all new or modified files.
All of this can be summarized into these "layers" of defense:

1) Clean system memory-- assured by the boot disk
2) TSR scanner-- constant checking for known viruses
3) Integrity Checker-- periodic checking for program corruption (covers known and unknown viruses, plus non-virus related corruption like disk errors or self-modifying programs.)
4) Non-TSR scanner-- periodic checking to identify known viruses
5) Heuristics-- periodic checking for many known and unknown viruses
6) System Familiarity-- constant checking for unusual activity (see below).

Often overlooked, but still important is familiarity with your computer. If you've booted your computer a hundred times with the same configuration, you're bound to get a "sense" of how long it ought to take. If something changes this, like a boot sector virus, something will seem "wrong". Then you know it's time to pull out the scanner. (After rebooting from your floppy, of course.) Maybe Windows seems to take a bit too long to load up, or perhaps you saw an extra drive-access flash after exiting Kermit. All of these are cues to reboot and check. Maybe it's nothing! Maybe not. It's pretty easy to check. (A whole lot easier than picking up the pieces of your hard disk afterwards, even WITH complete backups.)

For starters, get F-prot and put together a bootable floppy. This will give you a high degree of protection with a minimum of inconvenience.

-- 007

- --
 000  000  7777 | sbonds@jarthur.claremont.edu
0  0 0  0    7  |-----------------------------------------------------------
0  0 0  0    7  | Childhood is short...
 000  000    7  | ...but immaturity is forever.

------------------------------

Date:    Thu, 09 Jul 92 16:02:19 +0000
From:    gary@sci34hub.sci.com (Gary Heston)
Subject: Re: 696/Scr2/Enemy (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>mjbrown@magnus.acs.ohio-state.edu (Mike J. Brown) writes:

[tale of woe, wrapped up by this, deleted ]

>> 10.
>> The worst part is, I bought my computer used, so the hard drives
>> came packed full of things I can't easily replace!

>Repeat after me: ALWAYS MAKE BACKUPS.

So, Mike, you're saying you had a disc full of pirated software, and a virus burned you? Didn't even back it up after you bought it, or clean it off?

It's quite possible that something on the system was infected when you bought it. Did you scan it immediately upon purchase? Did you ask the seller for the manuals and originals for all that neat stuff on it? Did you happen to run any of that stuff for the first time right before the problems showed up?

No telling what was on there....at least, not any more.

- --
Gary Heston    SCI Systems, Inc.    gary@sci34hub.sci.com    site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
"Always remember, that someone, somewhere, is making a product that will make your product obsolete." Georges Doriot, founder of American R & D.

------------------------------

Date:    Fri, 10 Jul 92 14:53:03 -0400
From:    "David M. Chess"
Subject: Rapid rise of the FORM virus; why? (PC)

Going through the quarterly statistics, we notice that the FORM virus seems to have taken off in the last six months or so. Does anyone know of a massive shipment of FORM-infected diskettes or anything similar that could help account for it? It's been around for some time, and we've had a steady trickle of reports from Switzerland, but in the last couple of quarters it's risen rapidly in the data. We'd like to find some hint as to why!

DC

------------------------------

Date:    Fri, 10 Jul 92 14:59:24 -0400
From:    Grant Getz
Subject: F-PROT 2.04b (PC)

On July 6 Fridrik writes:

>From: frisk@complex.is (Fridrik Skulason)
>Newsgroups: comp.virus
>Subject: Re: 696/Scr2/Enemy (was Re: Scream II virus help?) (PC)
>Message-ID: <0002.9207081351.AA27869@barnabas.cert.org>
>Date: 6 Jul 92 22:54:47 GMT
>Sender: virus-l@lehigh.edu

>I have...
>version 2.04B (to be released tomorrow or the day after) includes
>disinfection of this virus.

I've been watching on OAK.OAKLAND.EDU, one of the usual sites for F-PROT I believe, and have not seen this version yet. Is it available at any other sites? No pressing need right now, just like to have the latest and GREATEST available in case the need does arise.

Thanks in advance for any help!

- -
R. Grant Getz                                   INTERNET - KGGXG @ ASUVM.INRE.ASU.EDU
Support Systems Analyst                                    (192.67.165.36)
Arizona State University                        BITNET   - KGGXG @ ASUACAD
Computing & Network Consulting Services - ODP   PHONE    - (602) 965-5663
Tempe, AZ 85287-0101                            FAX      - (602) 965-8698

------------------------------

Date:    12 Jul 92 01:37:45 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Warning: dangerous bug in SCAN 93 (PC)

Hello, everybody!

Just before leaving for my holidays I performed the tests of running the three major scanners (Dr. Solomon's Anti-Virus ToolKit, F-Prot, and McAfee's SCAN) on our virus collection. When browsing the results I suddenly noticed a problem which is probably caused by a bug in SCAN.

The bug consists in the following: SCAN does not detect some viruses in all infected files! Note that I am not speaking about not detecting some variants of viruses that it normally detects. I am speaking about the fact that some viruses are detected only in some of the files infected by them.

I think that it is obvious why this is a dangerous problem. During the scanning of new software it may cause an old virus to pass undetected. During scanning of an infected system it may cause some infected files to pass undetected and to cause a re-infection.

This problem has been already mentioned in the discussion about detection of the MtE-based viruses. BTW, SCAN 93 is still unable to detect MtE reliably - it missed Groove and Questo (two MtE-based viruses).
I didn't have the time to run it on a larger set of MtE mutations, but I have the strong feeling that it will miss some again.

Anyway, the viruses that caused the problems were the following:

Standard CARO virus name:    Name that SCAN uses:
- -------------------------  --------------------
Good_Bye.Hero.506            Fam3 [F3]
Mayak                        E-92 [E92]
Slovakia.2_02                Slovak [Slv]
StarDot.789                  Star Dot [Sdot]
Ten_Bytes                    1554 [1554]
Tumen.2_0                    Tumen [Tum]
USSR-707                     707 [707]
Whale                        Whale [Whale]

Some comments:

1) With the Mayak virus, SCAN misses the *.SYS files (this virus infects device drivers too).

2) With the Whale virus SCAN misses mutant #33.

3) StarDot, USSR-707, Ten_Bytes, and Whale are rather old viruses and should be detected reliably by most scanners.

4) The fact that SCAN misses Ten_Bytes is particularly dangerous. This virus is in the wild and has been accidentally distributed through Valert three years ago. SCAN misses most files infected with this virus.

5) I don't keep the old SCAN versions, so I don't know whether this bug is present in version 91 or it has been introduced with version 93. I have not noticed it in version 89-B, however.

Unfortunately, tomorrow I am flying to Bulgaria, so I am unable to provide any help to McAfee Associates (like copies of the missed infected files, etc.). However, the fact that they detect -some- files infected with these viruses means that they have a copy of the virus. They only need to replicate the above viruses themselves and to see why some files are not detected.

For reference which files are missed (and as evidence that it really happens), you can use the report files from the tests. They are available from our ftp site (ftp.informatik.uni-hamburg.de, IP=134.100.4.42), directory pub/virus/texts/tests. The file that is of particular interest is called FILEVIRS.REP and is contained in the archive reports.zip.
It can also be used as a cross-reference between the virus names used by CARO and the three scanners, as well as for reference which viruses known to CARO are NOT detected by each one of the scanners.

I wish I could post a summary of the results myself, but I am afraid that I won't have the time to do it. Anybody who downloads the files is welcome to do it and to post the results.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                       Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
** PGP public key available by finger. **          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date:    10 Jul 92 09:38:38
From:    pandy@hut.fi (Andreas Holmberg)
Subject: Re: Disinfectant 2.9 vs ChinaTalk (Mac)

Does anybody know if Disinfectant 2.9 detects the ChinaTalk virus or can we expect yet another Disinfectant update in the near future (when?) ?

- --
===============================================================================
Andreas "Pandy" Holmberg          Helsinki University of Technology
E-mail: pandy@hut.fi              Computing Center
===============================================================================

------------------------------

Date:    Fri, 10 Jul 92 10:47:50 -0500
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Re: Disinfectant 2.9 vs ChinaTalk (Mac)

pandy@hut.fi (Andreas Holmberg) asks...

> Does anybody know if Disinfectant 2.9 detects the ChinaTalk
> virus or can we expect yet another Disinfectant update in the
> near future (when?) ?

Disinfectant 2.9 was released solely to handle the recently-discovered T4 virus, and does not detect ChinaTalk. (Disinfectant finds only known viruses, and must be updated for each new incident.)

ChinaTalk is technically a Trojan horse, not a virus, since it does not spread on its own, depending instead on unsuspecting users to pass it along.
Disinfectant has traditionally not addressed the issue of Trojan horses, but you never know... John may consider this one.

Mark H. Anbinder
TidBITS Contributing Editor and member of Disinfectant Working Group

- --
Mark H. Anbinder              mha@baka.ithaca.ny.us
BAKA Computers, Inc.          QuickMail QM-QM 607-257-2614
200 Pleasant Grove Road       Phax 607-257-2657
Ithaca, NY 14850              Phone 607-257-2070
"From Washington, this was Eric Sevareid. Thank you, and good night."

------------------------------

Date:    Sat, 11 Jul 92 01:49:16 -0500
From:    Werner Uhrig
Subject: ChinaTalk search and repair string for AntiVirus 2.0 (Mac)

The detect and repair strings are as follows:

ChinaTalk Detect
DHQA AzBO F5YB SUtJ VAAA =jyC D7QO Tfft y4AG AkR4 APx6 D7Q* Tffu E4AG
CkM4 SHfz I6A3 gKwA AaYA zmkR rkd2 /ABY 7npw zz7z zaAA zhs

Repair
*PsD C6Jg ABnT nFDd ADQM

There will also be a self-extracting archive with the antidotes in it that CP's TechSupport people will be putting up on AppleLink, CompuServe, and, I believe, America OnLine once they are satisfied everything is correct. It will also be made available on the Internet and Usenet (by me or someone else)

[ MacTools 2.0 AntiVirus is a product of Central Point Software ]

werner@cs.utexas.edu | ..!uunet!cs.utexas.edu!werner | werner@UTXVM.bitnet
"When it all really gets to you, remember: it's only ones and zeros."

------------------------------

Date:    Fri, 10 Jul 92 17:17:14 -0400
From:    WHMurray@DOCKMASTER.NCSC.MIL
Subject: "Virus fighters fume..."

The article "Virus fighters fume over (The) little black book (of computer viruses)" by James Daly quoted the reactions of experts to the ethics of the publication of the book by Mark Ludwig which contained real virus code.

The publication of viruses is reprehensible, in part because the author cannot control how the virus will behave in the population at large. Indeed, he cannot know enough about the population to even begin to predict.
It is further reprehensible because knowledge of a virus is essentially sufficient for its use; nothing else is required. This can be contrasted to the knowledge of how to create an atomic explosion. In addition to the general and special knowledge, one would have to have access to scarce materials and technology.

On the other hand, someone who publishes a virus on paper can expect that it will spread more slowly than if it were published on diskette and that it will require the conscious cooperation of a human agent.

Mr. Ludwig's defense is that "computer viruses are not evil and that programmers have a right to create them, possess them, and experiment with them." Be that as it may, they are inherently dangerous; therefore programmers will have to get along without the help of polite and orderly people. By selling viruses, Mr. Ludwig distances himself from those people. His action is motivated by nothing more than greed; he deserves the censure and notoriety that will surely be his.

Computer viruses are destructive of that public trust that is necessary and essential to our enjoyment of the benefits of computing. We are all somewhat poorer for the actions of Mr. Ludwig and his publisher. Even terrorists do not poison the well.

William Hugh Murray
New Canaan, Connecticut

------------------------------

Date:    Fri, 10 Jul 92 22:39:59 -0400
From:    Jon Freivald
Subject: Suzana's Thesis Questionnaire

I have received a copy of Suzana Stojakovic-Celustka's Thesis questionnaire from our gracious moderator and have made it available on my mail-server.

If you would like to obtain a copy of the questionnaire, send mail to mail-server@jaflrn.uucp (if that bounces, try jaflrn!mail-server@uunet.UU.NET) containing the following line of text:

get dos/virus/suzana.txt

If there are any problems with the mail-server, please contact me ASAP.
Jon

=============================================================================
Jon Freivald ( jaflrn!jaf@uunet.UU.NET )
Nothing is impossible for the man who doesn't have to do it.
=============================================================================

------------------------------

Date:    12 Jul 92 02:05:16 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: New test results available

Hello, everybody!

I just ran the three major scanners (Dr. Solomon's Anti-Virus ToolKit - FindVirus 4.23 with drivers of June 11, 1992; F-Prot 2.04a; and McAfee's SCAN v93) on our virus collection. The raw output of the scanners, as well as the output preprocessed into tables is available from our ftp site: ftp.informatik.uni-hamburg.de, IP=134.100.4.42, directory pub/virus/texts/tests. Since the tables are very wide (220 characters per line) PostScript versions which print on an A4 page are also available.

File:         Contents:
- -----       ---------
naming.zip    Description of CARO's virus naming scheme, with a list of all malware known to CARO, its CARO name, and how the three scanners call it.
namingps.zip  The same files as in the archive above, but in PostScript format.
rawreps.zip   The raw output of the three scanners. F-Prot is also run in "heuristic" mode on the file virus collection.
reports.zip   The output of the three scanners preprocessed in tables, showing the name of each file in our virus collection, the CARO name of the virus in it, and how each one of the three scanners detects it.
reps_ps.zip   The same files as in the archive above, but in PostScript format.

Since our modem is rather slow (9600 baud), ftp-ing the files across the ocean is quite painful. I'll appreciate if somebody downloads the files and makes them available at one of the major archive sites which carry such stuff. I tried to upload them to cert.org, but without success (probably messed something).
[Moderator's note: I've downloaded the above files and placed them on cert.org in the pub/virus-l/docs/vtc/tests directory, under the same filenames as above (all in lowercase).]

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                       Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
** PGP public key available by finger. **          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date:    Sat, 11 Jul 92 17:32:54 -0700
From:    rslade@sfu.ca (Robert Slade)
Subject: Review of Vi-Spy (PC)

PCVISPY.RVW  920711

Comparison Review

Company and product:

RG Software Systems Inc
6900 East Camelback Road
Suite 630
Scottsdale AZ 85251
602 423 8000
FAX (602) 423-8389
BBS (602) 970-6901
Ray Glath <76304.1407@CompuServe.COM>
Vi-Spy 9.0 Professional Edition

Summary: Scanner, disinfection and operation monitoring

Cost: $150, site licensing available (starting at $40/unit min. 25)

Rating (1-4, 1 = poor, 4 = very good)
                 "Friendliness"
                     Installation       2
                     Ease of use        3
                     Help systems       1
                 Compatibility          3
                 Company
                     Stability          3
                     Support            3
                 Documentation          2
                 Hardware required      4
                 Performance            3
                 Availability           2
                 Local Support          ?

General Description:

Virus scanning and disinfection, both resident and non-resident. Also some recovery and operation monitoring. Recommended for intermediate users. Provision is made for Windows operation. Automatic scheduler utility.

                 Comparison of features and specifications

User Friendliness

Installation

Vi-Spy was shipped to me on writable but protected media, low density 3 1/2" and high density 5 1/4", but I have been informed by Ray Glath that this is only for review copies: ordinarily the product is shipped on non-writable disks. An installation program is provided, as are instructions for manual installation.
The automatic installation seems to consist merely of copying and decompressing files, although it does check for viral infection before proceeding and will refuse to proceed if infection is present. Installation to Windows is a part of the package, but in testing this was found not to work effectively. (An addition was made to the WIN.INI file, but no "icon" was entered into the Windows system.) (Ray Glath contests this: there is supposed to be an additional step that the user is directed to take. I ran the installation three times and reached the same result each time.)

Ease of use

The various programs are easy to use, although the plethora of command line options recommends careful study of the manual. The on-screen messages are quite clear, and contain good explanations of the options and possible situations to the user.

Help systems

The VSMENU programs allow "on-line" reading of the documentation, and also provides for additional material to be added by the user. However, it would be difficult to call it a "help system" as such. The onscreen display is simply a visual editor. One would hope, for example, to be able to "search" the list of viral programs: one cannot.

Compatibility

No problems were found in testing. The primary test machine reserves an extensive area at the top of memory. In testing, this was identified as a possible viral type activity. The potential danger, as well as other possible causes, were listed, but there was an option to proceed, rather than merely reboot.

Company Stability

RG Software Systems is one of the oldest commercial (non-shareware) makers of antiviral software.

Company Support

The company lists phone, fax and BBS numbers for support. This is the first time I have received a tech support callback before I received the software for review. Two days before I received the package Ray Glath called to apologize for an unsatisfactory support call in which the caller had intimated he was myself.
(I am by no means making fun of RG Software here. It should be noted that Ray Glath is one of the only producers of antiviral software who has bothered to take advantage of my offer to "review the review" before I posted it to the net. (Another notable exception is Ross Greenberg who posted a very gracious response after I stupidly failed to send him an advance copy.) He did so in writing and in depth. He also offered to provide the names of a number of referees as to the support RG Software provides.)

Only one mention, strangely for a scanning program, is made of the need for updates. However, that mention is that return of the warranty registration provides the user with free quarterly upgrades for one year. (Ray Glath subsequently informed me that the user is informed at the end of the year, and offered the option of continuing with update maintenance.)

The accompanying promotional material received with the package made strong representation regarding support. It stressed that many commercial antiviral packages have been bought, rather than developed, by the distributors. It is good to see that RG is bucking this disturbing trend. It also made much of the written material, including a white paper and the "Primer" (see below). The white paper was a fairly straightforward presentation of observations with regard to the viral situation, and a list of policy recommendations heavily weighted towards "only buy commercial software". (To be fair, BBSes are not portrayed as universally evil.)

Documentation

There are two booklets that come with the package, as well as a number of files on disk. One of the books is a "Guide to Operations": the actual manual for the program. The manual is quite clear as to the installation and operation. However, the layout gives a feeling of "clutter" and presents something of an imposing front.
While there is a single sheet inserted into the front of the manual which provides for quick installation, more effective protection requires a thorough reading of the manual. This should not be a problem for any intermediate user as the manual is less than fifty pages.

The second manual is a "Computer Virus Primer and Troubleshooting Guide". Accompanying forms and promotional materials allow you to order additional copies of this booklet "as an educational/training tool". While there is much material of merit in the booklet, in the end it is simply more documentation for the Vi-Spy program. (There is, for example, no attempt to deal with viral infections other than with an antiviral tool.) It is, however, considerably simpler to read than the "Guide to Operations".

Hardware Requirements

The only requirement listed is for DOS 2 or higher and at least 150K of memory.

Performance

In tests the program performed well and speedily. Messages, and particularly identification of viral programs, were quite clear. The package appears to be very concerned with boot sector infectors, a very good thing in the current climate.

Local Support

None provided.

Support Requirements

The intermediate user should be able to use this program very effectively, provided time is taken to read the manuals. The novice user should be able to obtain a good measure of protection from the automatic installation, but will likely require assistance in obtaining full advantage from the program.

General Notes

Recommended for intermediate users. Adjunct "changed detection" software might also be desirable. (In reaction to the review, Ray Glath informed me that change detection is due in the next release of the product.)

copyright Robert M. Slade, 1992   PCVISPY.RVW  920711

==============
Vancouver      ROBERTS@decus.ca         | "If you do buy a
Institute for  Robert_Slade@sfu.ca      | computer, don't
Research into  rslade@cue.bc.ca         | turn it on."
User           p1@CyberStore.ca         | Richards' 2nd Law
Security       Canada V7K 2G6           | of Data Security

------------------------------

Date:    Fri, 10 Jul 92 22:18:10 -0400
From:    "Tarkan Yetiser"
Subject: VDS 2.10 is released (PC)

Hello everyone,

We would like to announce the availability of VDS (Virus Detection System) version 2.10. We have enhanced the programs in the package considerably. A fully functional trial version is publicly available via anonymous-FTP and on many BBSes across the U.S.A. You are invited to try it to evaluate its suitability to your needs before you make a decision. We also would like to thank many people who took their time to offer us their ideas for improving VDS. We have listened.

Here is a brief description of each program in the VDS 2.10 package:

VDS.EXE

This is the centerpiece of the package that performs comprehensive integrity checks on hard drives and provides you with an early warning that your system may be infected with a virus. This is the first line of defense that can help contain the spread of virus infections before they turn into epidemics. The program includes many recovery features as well as an audit trail capability to help technicians track down virus entry points and isolate incidents quickly.

VDSFSCAN.EXE

This is a virus scanner with a very easy-to-use menu interface and context-sensitive help. It is compatible with DOS-drives including network drives that allow access to DOS programs. It can also remove most boot sector infectors. We do not recommend "cleaning" infected program files, and do not provide such a capability.

VITALFIX.EXE

This is a low-level disk utility that allows you to perform many operations to handle MBR/BR viruses. Although it is very easy to use, thanks to its intuitive user interface, only people who are familiar with the layout of a DOS disk should use it on a regular basis.
Differences between VDS 2.0 and VDS 2.10
- ---------------------------------------

* Improvements:

  * Now VDS 2.10 can handle DR DOS 6.0 drives as long as they are NOT compressed. It is aware of DR DOS password protection scheme, and it can peacefully co-exist. Read HILITES.TXT for details.
  * VDS 2.10 can work under MS Windows 3.0 & 3.1 (limited)
  * Works under 4DOS
  * Users can specify the path to their command interpreter during installation if they do not have C:\COMMAND.COM as primary shell.
  * File names are displayed in a window during checking, and a directory tree is shown on the screen.
  * VDS integrity checker can handle 1500 executable files per partition
  * Report file has date and time besides viruses found, and is not deleted, but simply appended to.
  * Audit logs for added, deleted, and modified files are combined into C:\VDS210\VDS-STAT.LOG; date and time are written each time VDS reports something, and audit log is appended to, not overwritten.
  * Documentation is revised to provide more information, less hype.
  * Decoy launcher provides more information on active attackers.
  * Decoy launcher offers to copy the captured attacker to user-specified file, preferably on a diskette.
  * Decoy names are semi-random.
  * Decoy launcher checks for "companion" type of attack specifically.
  * VDS integrity checker TURBO mode is slightly slower, but more secure.
  * VDS will not automatically add signatures to its databases, but ask the user first.
  * VDS integrity checker does not look for multiple infections in a file, but stops after the first one is found.
  * VDS integrity checker -SCAN option is removed.
  * VDS installation makes one pass to scan and sign files, not two. If an infected file is found, the user is asked to delete it. If it is not deleted, operation will continue so that other infected files may be located. VDS will refuse to install at the end if there are any infected files left.
* System files (IBMBIO.COM & IBMDOS.COM or equivalent names) are checked as part of system verification as well as file verification. No recovery is attempted on these two files to avoid absolute writes to the disk. User is advised to run SYS from a clean floppy to restore these files. * MBR and BR is backed up onto VDS emergency disk as is, not encoded, so that VITALFIX can be used to restore MBR if CURE (rarely) fails. * VDSDEV.DDR is backup to the emergency diskette as well. * Any MBR/BR infectors caught by VDSDEV.DDR are examined and numbered by the integrity checker. Up to 10 can be tracked. * VDSFSCAN has five more options: LOG ERRORS: will write error messages to a user-defined file. NETWORK : will continue to scan even if an access error occurs. WILDCARD : users can specify a file spec like *.COM. ALL FILES option is automatically set to YES. QUIET MODE: will not beep when an infected files is found. PAUSE FLAG: will not pause after each infection report. * VDSFSCAN has better context-sensitive help. * If no known infections can be found in a file, NONE IDENTIFIED instead of CLEAN will be reported. This is to emphasize that known virus scanning is only as accurate as the signature database. * Virus signature database is updated to include 35% more viruses. * Both VDSFSCAN and VDS scanner has MtE-recognition capability. * Operation of VDSFSCAN and VITALFIX can be interrupted by pressing CTRL-BREAK as well as the ESCAPE key. * VITALFIX has a new option to search for Extended Partition Records. * VITALFIX can preserve DR DOS security during new MBR construction. * VITALFIX menu options are more self-explanatory. * If the MBR code is intact, but the partition table is modified, then a warning will be issued; however, VDS will NOT attempt auto-recovery to avoid possible damage. * In command line mode of VDSFSCAN, copyright and licensee name do not scroll off any more. * Non-DOS partitions are ignored. * ESC will get you out of input fields as well as menus. 
  * We included a simple batch file (REMVDS.BAT) to uninstall VDS 2.0.
  * VITALFIX is no longer copied to the hard disk during installation. Due to possible misuse, only PC-techies should have it.

* Bug fixes:

  * If the partition table was not available, VDS would abort operation. Now it not only bypasses such viruses, but also recovers on the fly. If only the partition table is modified, then VDS will ask you if you would like to recover or not.
  * CURE option did not work in some cases.
  * Some hidden files were missed. Fixed.
  * TSRs that grabbed the hardware timer interrupt (08) would get chopped off even when not suspicious. Now VDS is less brutal to such TSRs.
  * VDSFSCAN would stop after identifying the first infected file if the WHOLE option was set to YES. Not any more.
  * VDSFSCAN would miss a few viruses that append to EXE files; fixed.
  * On network drives, VDSFSCAN would stop if it came across an inaccessible file such as NET$OBJ.SYS. Now it will only issue an error message (and log it as well if LOG ERRORS is set to YES), and continue. For this to work, the NETWORK option should be set to YES.
  * VDSFSCAN output file name had to be 5 characters or more, making it hard to direct output to a printer. Now you can specify PRN as the output file name to print reports as the scan proceeds.
  * VDSFSCAN needed two backslashes (as in C:\\) to scan the root.
  * VITALFIX and VDS would cause a memory protection violation in some cases. No more. Try the -Xclude option if necessary.
  * VITALFIX did not recognize non-DOS partitions properly.
  * On disks with more than 5 partitions, VDS would abort installation.
  * Blink problem on CGA color monitors is eliminated.

* Other:

  * Due to popular demand, the academic site license now covers students as well as the employees of the school at no extra charge.
  * Both 5.25" and 3.5" diskettes are provided. No need to specify.
  * Pre-paid orders in the U.S.A. and Canada get free shipping.

Regards,

Tarkan Yetiser
VDS Advanced Research Group
P.O. Box 9393                    (410) 247-7117
Baltimore, MD 21228              e-mail: tyetiser@ssw02.ab.umd.edu

------------------------------

Date: Mon, 13 Jul 92 09:13:05 -0400
From: James Ford
Subject: File listing on risc.ua.edu

Here is the current file list for risc.ua.edu (130.160.4.7). If you see a file that is outdated, please point me in the right direction to get an update. Several files have been uploaded (asig9207.zip, fp-204a.zip, vsumx206.zip, etc.) but I've been out of touch lately and haven't posted them to the list.

- -- James
- -----------------------------------------------------------------------

0files.9207   cvc291at.zip  netscn93.zip  vaccinea.zip  virusgrd.zip
aavirus.zip   cvcindex.zip  pcv4.zip      validat3.zip  virx23.zip
asig9207.zip  dir2clr.zip   pkz110eu.exe  validate.crc  vkill10.zip
avs_e224.zip  fixfbr11.zip  scan93.zip    vc300ega.zip  vshell10.zip
bbug.zip      fixmbr24.zip  secur235.zip  vc300lte.zip  vshld93.zip
bootid.zip    fixutil3.zip  sentry02.zip  vcheck11.zip  vsig9206.zip
catchmte.zip  fp-204a.zip   stealth.zip   vcopy82.zip   vstop54.zip
ccc91.zip     fshld15.zip   tbresc19.zip  vdetect.zip   vsumx206.zip
chk.zip       fsp_183.zip   tbscan33.zip  vds20t.zip    vtac48.zip
chkint.zip    htscan17.zip  tbscnx31.zip  virlab15.zip  vtec30a.zip
clean93.zip   i-m113.zip    trapdisk.zip  virpres.zip   wcv201.zip
cpavse.zip    innoc5.zip    unvir902.zip  virsimul.zip  wolfchk.zip
cvc192am.zip  m-disk.zip    uxencode.pas  virstop.zip   wp-hdisk.zip
cvc192ma.zip  navm.zip      vacbrain.zip  virus-l.faq   wscan93.zip
cvc192ms.zip  navupd01.zip  vaccine.zip   virusck.zip

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 129]
******************************************
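As an added illustration of the integrity-checker behaviour described in the VDS 2.10 announcement in this digest (an append-only audit log of added, deleted and modified executables, plus a specific check for "companion"-type attacks, where a same-named .COM appears beside an untouched .EXE), here is a small Python checker. It is example code written for this page, not VDS's own code; the executable extensions, SHA-256 hashing, file names and sample contents are all constructed.

```python
"""Added toy integrity checker in the spirit of the VDS workflow above: hash a
baseline of executables, report ADDED/DELETED/MODIFIED files, flag DOS
"companion" files, and emit timestamped audit lines meant to be appended to a
log, never overwriting it.  Not VDS code; all names here are invented."""
import hashlib

EXEC_SUFFIXES = (".COM", ".EXE", ".SYS", ".OVL")   # constructed choice


def snapshot(files):
    """files: {name: bytes} standing in for a directory.  Returns {NAME: sha256}
    for executables only; names are upper-cased since DOS ignores case."""
    return {n.upper(): hashlib.sha256(d).hexdigest()
            for n, d in files.items() if n.upper().endswith(EXEC_SUFFIXES)}

def diff(baseline, current):
    """Return (added, deleted, modified) name lists, each sorted."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(n for n in baseline
                      if n in current and baseline[n] != current[n])
    return added, deleted, modified

def companion_suspects(baseline, current):
    """A companion virus never modifies the .EXE, so hash comparison alone misses
    it; it drops a same-named .COM, which DOS runs first.  Flag any newly added
    .COM whose .EXE twin was already present in the baseline."""
    added = set(current) - set(baseline)
    return sorted(n for n in added
                  if n.endswith(".COM") and n[:-4] + ".EXE" in baseline)

def audit_lines(baseline, current, stamp):
    """Audit entries for one run, each prefixed with the date/time text `stamp`;
    a caller appends these to its log file (open with mode "a", not "w")."""
    added, deleted, modified = diff(baseline, current)
    lines = [f"{stamp} ADDED {n}" for n in added]
    lines += [f"{stamp} DELETED {n}" for n in deleted]
    lines += [f"{stamp} MODIFIED {n}" for n in modified]
    lines += [f"{stamp} COMPANION-SUSPECT {n}"
              for n in companion_suspects(baseline, current)]
    return lines

# Constructed sample: a clean baseline, then a later state where COMMAND.COM was
# patched in place and a PKZIP.COM appeared beside the untouched PKZIP.EXE.
BASELINE = snapshot({"COMMAND.COM": b"cmd-v5", "PKZIP.EXE": b"pkzip",
                     "README.TXT": b"doc"})
LATER = snapshot({"COMMAND.COM": b"cmd-v5-patched", "PKZIP.EXE": b"pkzip",
                  "PKZIP.COM": b"dropper", "NEW.EXE": b"new", "README.TXT": b"x"})
print("\n".join(audit_lines(BASELINE, LATER, "1992-07-13 20:28")))
```

Note that PKZIP.EXE itself hashes identically in both snapshots, which is exactly why a plain integrity compare needs the separate companion check.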