Date: Thu, 16 Jul 92 22:15:00 -0400
Reply-To:
From: Kenneth R. van Wyk
Subject: VIRUS-L Digest V5 #130

VIRUS-L Digest             Thursday, 16 Jul 1992        Volume 5 : Issue 130

Today's Topics:

Various Qs (VirusCure, F-PROT, DIR II, UNIX) (PC) (UNIX)
Request - PS10 virus info (PC)
Re: 696/Scr2/Enemy (PC)
Re: Methods for virus defense (PC)
Re: Rapid rise of the FORM virus; why? (PC)
Re: F-PROT 2.04b (PC)
Re: Warning: dangerous bug in SCAN 93 (PC)
spanish telecom (PC)
McAfee Products (PC)
Re: Disinfectant 2.9 vs ChinaTalk (Mac)
Re: GateKeeper (Mac)
Re: GateKeeper (Mac)
Resolution of 'what to do about virus distributors'
Book Review
Quick antiviral comparison

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 13 Jul 92 14:16:08 -0400
From: Fabio Esquivel Chacon
Subject: Various Qs (VirusCure, F-PROT, DIR II, UNIX) (PC) (UNIX)

Hi, everybody. This is the first message I send to you. Just some questions:

- Has anyone in the net ever heard of the IMSI antivirus product VirusCURE PLUS 2.37 (March 4th, 1992)? Its documentation says that it is developed in association with McAfee, but VirusCURE detects fewer strains than ViruSCAN.
VirusCURE detects the DIR-II ("Creeping Death") virus, which is widely spread here in Costa Rica, but is as yet unable to disinfect it. Fortunately, since the Clean89 release, it is getting under control.

- I've tried Fridrik's F-PROT 2.02D & 2.03A but it cannot scan the infected files ("Error reading "), so the virus is not detected. Using Norton's DiskEdit I made a copy of the virus code into a new file called DIR2.COM on the same floppy disk and ran F-PROT again. I got the same result with the infected files, but F-PROT identified the virus in the new file; however, "Virus could not be removed". OK, but F-PROT did not try to do so: there was no further disk access after I answered 'Y' when asked "Disinfect (Y/N) ?". Is it fixed in newer versions?

I've studied the DIR-II code in some detail. Amazing. Do you know that DIR-II cannot activate in MS-DOS 5.0? I've heard that DOS 5.0 was totally rewritten from scratch in order to eliminate many bugs and make it more efficient. When an infected file is run, DIR-II reuses some code in low memory (the DOS kernel, I think), but returns to the prompt if DOS is loaded low (by means of Int 20h), or crashes the computer when DOS is loaded high. However, I think that the disinfection procedure is relatively simple, in comparison with those viruses that attach to the executable files, once the file first-cluster number decoding formula is known.

- I need information about Unix viruses and antivirus products. Could anyone give me information about them, or tell me where I can find it?

- Finally, has anyone heard of Windows-specific viruses?
Thanks a lot,

Fabio Esquivel - fesquive@ucrvm2.bitnet

------------------------------

Date: 11 Jul 92 21:29:02 +0000
From: steve.kirkland@f533.n712.z3.fido.zeta.org.au (Steve Kirkland)
Subject: Request - PS10 virus info (PC)

I am using an IBM compatible with DOS 5. The system is protected with VSHIELD93. When I tried to run XTGOLD I received a message that XTGOLD.COM was infected with the PS10 virus. I then scanned the disk with VSCAN93, which reported no infection. McAfee's virus list does not say anything about PS10, yet VSHIELD picked something up. If anybody has any information on this, could you please drop a line.

Regards,
Steve Kirkland

- --- Maximus 2.01wb
 * Origin: The Big Apple, Sydney Australia (3:712/533)

------------------------------

Date: Wed, 15 Jul 92 02:27:02 +0000
From: mjbrown@magnus.acs.ohio-state.edu (Mike J. Brown)
Subject: Re: 696/Scr2/Enemy (PC)

> [tale of woe, wrapped up by this, deleted ]
> uh-oh... I feel a flame coming on...

[Moderator's note: Please take any flames to another mailing list/newsgroup.]

> So, Mike, you're saying you had a disc full of pirated software, and a
> virus burned you? Didn't even back it up after you bought it, or clean
> it off?

Yes. No. No. Seriously intended to do both, but "'twas too much trouble" or so I thought. I did wipe out everything I knew I wouldn't use, but left intact Norton, WordPerfect, Procomm Plus, and a couple of others I thought I ought to keep because I might use them someday (Microsoft C...).

> It's quite possible that something on the system was infected when you
> bought it.

Quite. Probably will never know.

> Did you scan it immediately upon purchase?

Yes. F-Prot (Feb. 1992 version) said no problems.

> Did you ask the seller for the manuals and originals for all that neat
> stuff on it?

Yes. The thing is, he got most of his stuff from work.

> Did you happen to run any of that stuff for the first time right before
> the problems showed up? No telling what was on there....at least, not
> any more.
The only things that I ran for the first time right before the problems were two freebies: one was a graphics demo I got from garbo, the other was the Screaming MeMe hypertext magazine I got from a friend, who got that from a BBS in his area. The demo checked out okay, but the hypertext viewer HYPE.EXE *was* infected... it could have just been passing the infection back to me... I had given him a bunch of text files and LIST.COM a long time ago. He didn't get around to using it until the day he gave me MeMe. He ran and then zipped MeMe *after* running LIST, so I could have passed the virus to him via LIST first, or perhaps he had the virus beforehand and I got it from him. Both of our systems had problems at the same time.

- --
Mike Brown
mjbrown@magnus.acs.ohio-state.edu
"The Universe is a spheroid region 705 meters in diameter."

------------------------------

Date: 15 Jul 92 08:40:07 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Methods for virus defense (PC)

sbonds@jarthur.Claremont.EDU (007) writes:

> + A TSR virus scanner that starts up whenever the computer is turned on.
> I recommend Frisk's F-Prot, a free* program available via ftp.

Thanks for the recommendation, but I would like to point out that F-PROT is not exactly free. The English-language shareware version is free of charge for PRIVATE USE ONLY. I ask a very modest fee in other cases, but there is a significant difference between a low fee and no fee at all. Then of course there are several translated, commercial versions available in several European countries, which are just distributed as regular "shrinkwrap" software.

- -frisk

------------------------------

Date: 15 Jul 92 08:44:49 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Rapid rise of the FORM virus; why? (PC)

chess@watson.ibm.com (David M. Chess) writes:

> seems to have taken off in the last six months or so.
> Does anyone know of a massive shipment of FORM-infected diskettes or
> anything similar that could help account for it?

I have no proof, so I cannot name the company yet, but I suspect that pre-formatted 3.5" 1.44MB disks from a *major* diskette producer are to blame. This cannot be proven until a sealed box with infected diskettes is located, however.

- -frisk

------------------------------

Date: 15 Jul 92 08:47:22 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: F-PROT 2.04b (PC)

KGGXG@ASUVM.INRE.ASU.EDU (Grant Getz) writes:

> I've been watching on OAK.OAKLAND.EDU, one of the usual sites for
> F-PROT I believe, and have not seen this version yet. Is it available
> at any other sites?

No, I delayed the release of 2.04B because of an enormous flood of new viruses - I plan to cover around more (in addition to the 50 or so that I have already added). I sent out one single copy of 2.04b to a person who needed it to disinfect a virus that 2.04a could only detect but not remove, but 2.04b has not been officially released yet.

- -frisk

------------------------------

Date: 15 Jul 92 08:52:16 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Warning: dangerous bug in SCAN 93 (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> 2) With the Whale virus SCAN misses mutant #33.

Well, I'm not surprised - I miss it too. :-) Actually, I am not convinced this is a legitimate mutant of Whale - this is just a single sample floating around under the name of WHALE#33.COM, but structurally it is different from all the others. However, the reason I have not added detection of it is simple - I just cannot get it to work, and I have a suspicion this may simply be a damaged file.

- -frisk

------------------------------

Date: Wed, 15 Jul 92 12:47:31 +0000
From: P.E.Beaman@lut.ac.uk (Peter Beaman)
Subject: spanish telecom (PC)

I would like to know what exactly the Spanish Telecom virus does.
I have found an infested laptop computer (Toshiba) with it on. As I work in a large university department I would especially like to hear from other people who may have experienced this virus. Does the Dr. Solomon Toolkit deal adequately with this particular virus? I have just sent off for the latest version. Any general advice on how to try and track this virus down, too? I have at least 2 infested floppies which are hit too.

Yours anticipatorily,
Peter Beaman

------------------------------

Date: Thu, 16 Jul 92 08:28:27 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: McAfee Products (PC)

Lately I have been seeing a number of questions involving McAfee Associates' use of the [GEN-P] and [GEN-B] identifiers with regard to low-level viruses. Earlier we were greeted by such cryptic identifiers as NO-INT [STONED]. The reason is that the identifier in brackets merely indicates to CLEAN what method it is to use to remove the virus. If an MBR virus stores the original MBR in sector 7, the STONED removal method is apt.

Lately, there has been a more disturbing trend to leave off the explicit identification and identify whole families of viruses simply as [GEN-P] (GENeric-Partition). Since IMHO it is important for those cleaning up after infections to know what it is they are dealing with once an infection has been identified, I sincerely hope that this trend will not continue.

Warmly,
Padgett

------------------------------

Date: Tue, 14 Jul 92 19:02:18 +0000
From: j-norstad@nwu.edu (John Norstad)
Subject: Re: Disinfectant 2.9 vs ChinaTalk (Mac)

pandy@hut.fi (Andreas Holmberg) wrote:

> Does anybody know if Disinfectant 2.9 detects the ChinaTalk
> virus or can we expect yet another Disinfectant update in the
> near future (when?) ?

ChinaTalk is a Trojan Horse, not a virus. Disinfectant does not attempt to deal with Trojan Horses, only viruses. There will be no new Disinfectant release to deal with ChinaTalk.
John Norstad
Academic Computing and Network Services
Northwestern University
j-norstad@nwu.edu

------------------------------

Date: Wed, 15 Jul 92 06:26:22 -0400
From: N.R.Paterson@st-andrews.ac.uk
Subject: Re: GateKeeper (Mac)

A colleague who uses Gatekeeper 1.2 recently upgraded to System 7. GateKeeper started reporting that Finder needed Res (Self) privileges. Is this right? If so, why are these privileges not the default?

- -Norman Paterson

------------------------------

Date: Wed, 15 Jul 92 11:16:17 -0400
From: Ephraim Vishniac
Subject: Re: GateKeeper (Mac)

> A colleague who uses Gatekeeper 1.2 recently upgraded to System 7.
> GateKeeper started reporting that Finder needed Res (Self) privileges.
> Is this right? If so, why are these privileges not the default?
> --Norman Paterson

The current version of Gatekeeper is 1.2.6, released 9 July 1992. Version 1.2.2 (released 26 January 1992) introduced some changes for compatibility with System 7 Tune-Up. To get the most benefit from the use of anti-viral software, it's extremely important to use the latest versions. Gatekeeper 1.2.6 is available by anonymous ftp from all the usual places, including rascal and sumex-aim.

Ephraim Vishniac
ephraim@think.com
ThinkingCorp@applelink.apple.com
Thinking Machines Corporation / 245 First Street / Cambridge, MA 02142

One of the flaws in the anarchic bopper society was the ease with which such crazed rumors could spread.

------------------------------

Date: Tue, 14 Jul 92 10:25:54 -0400
From: JMAASKANT@thorin.uthscsa.edu
Subject: Resolution of 'what to do about virus distributors'

About a month ago I posted a message asking for input on how to deal with a BBS system that was distributing viruses. Legal recourse was essentially a dead end. The problem was resolved by applying peer pressure :-) Running a BBS system is, for many, an ego-oriented experience and this is one of those cases.
Finding that several of the places he frequented no longer consider him a worthwhile human being apparently caused him to rethink things. (Or at least make his indiscretions private and unadvertised...)

Cheers,
Jan
(Jmaaskant@uthscsa.edu / jan.maaskant@f255.n387.z1.fidonet.org)

------------------------------

Date: Tue, 14 Jul 92 09:43:34 -0400
From: Ian Leitch
Subject: Book Review

Publications about viruses and other computer crime often seem either to be technical material designed to assist professionals or to be popular "hype" which misleads the general public. I was pleasantly surprised recently to read a new book written in simple, non-technical language to give the layman a comprehensive view of data crime. It is called "Approaching Zero" (the subtitle, "Data Crime and the Computer Underworld", is more meaningful) by Bryan Clough & Paul Mungo, Faber & Faber, ISBN 0-571-16546-X, cover price 14.99 pounds sterling.

This readable book presents detailed accounts of actual incidents of phreaking, hacking, virus writing, and other keyboard crime. Although the main purpose is to describe the actions and motivations of the perpetrators, these are interwoven with the reactions of the victims, the police and legal authorities, and the "good guys" (such as some of the virus experts who contribute regularly to this list). Although written like a popular novel, it conveys many factual details. In illuminating the largely unknown world of the computer underground, it dispels many of the widespread myths about it. The authors show a healthy scepticism for many of the claims that are commonly heard; they see their mission as describing (rather than proposing remedies). However, they issue an extreme warning about the direction events are taking: the expanding volume of computer crime, particularly the growth and diversity of computer viruses, will cause huge numbers of computers to "zero out"; after all, the technology and means to wipe out computer systems already exist.
The table of contents is:

  Phreaking for Fun
  Breaking and Entering
  Data Crime
  Viruses, Worms, Trojans, Bombs
  The Bulgarian Threat
  Hacking for Profit
  The Illuminati Conspiracy
  Crackdown

Finally, for those who like to read such books in their native tongue, the publisher's blurb says that editions are being prepared in Spanish and American English.

- --------------------------------------------------------------
Ian Leitch                                E-mail (JANET): i.leitch@uk.ac.ucl
London School of Hygiene and Tropical Medicine
Keppel St                                 Tel: (+44) 71 927 2260
London WC1E 7HT                           Fax: (+44) 71 436 5389
- --------------------------------------------------------------

------------------------------

Date: Thu, 16 Jul 92 09:53:35 -0700
From: rslade@sfu.ca (Robert Slade)
Subject: Quick antiviral comparison

QUICKREF.RVW   920714

Antiviral software and utilities "quick" reference

Product                   Ver    Type    UI Doc Ease Ovrl Price            Comments
                                 SDRIMOE CG 1-4 I U  1-4

Amiga
Computer Virus Cat.       9201   info       4        4    Free             CARO, cert
VirusChecker              5.40                                             ab20.larc.nasa.gov
VirusX                                                                     s.tibbett on BIX
ZeroVirus

Atari
Computer Virus Cat.       9201   info       4        4    Free             CARO, cert
VKILLER                   3.84                                             woodside@ttidca.com

Mac
Advanced Security                                                          (see MS-DOS)
Computer Virus Cat.       9201   info       4        4    Free             CARO, cert
Disinfectant              2.8    SDR                                       nwu
Gatekeeper                1.2.6                                            Chris Johnson
Rival                                                                      Microseeds Publishing
SAM                       3.0.8  SD  M                    $99              Symantec/Norton
Virex                                                                      (see MS-DOS, product not by same author)
VirusDetective                                                             Jeff Shulman

MS-DOS
Advanced Security                   I OE C  2   2 3  1                     Advanced Gravis
Antivirus (IRIS)                 SDR M   C  2   2 4  2    $49              Fink Enterprises
Antivirus-Plus                   SDR M   C  2   2 4  2    $99              Trend Micro
Anti-Virus Toolkit               SDRIMO  CG 3   2 3  4                     S&S International Ltd., sands@cix.compulink.co.uk, perComp Verlag, Ontrack
Central Point Anti-virus         SDRI O  G  3   2 2  2                     not coexist with others; Central Point
Certus LAN                2.0    SD I O  CG 2   1 3  2                     Certus
Computer Virus Cat.       9201   info       4        4    Free             CARO, cert
Control Room                        I    G  2   4 4  2                     Borland
DISKSECURE                1.15A     IM   C  2   3 3  4                     BSIs only; cf. FixMBR, FixUTIL; risc, urvax, eugene
Eliminator                1.17   SDR     C  3   2 3  2                     British Computer Virus Research Centre
F-PROT                    2.04B  SDR     CG 3   3 3  4    home - free, bus. - $1/CPU; frisk@complex.is, risc, urvax, eugene, garbo
Hoffman Summary           206    info    G  3        3    $35              risc, urvax, eugene
HTScan                    1.7    S       C  2   3 3  3    Free (non-comm.) (also VSIG 9204) risc, urvax, eugene, garbo
IBM Anti-Virus Prod       2.19   S       C  3   3 3  3    $35/company      local IBM rep
Integrity Master          1.13   S  I                                      risc, urvax, eugene
Mace Vaccine              3.0        M   G  1   3 2  1                     Fifth Generation
Norton AntiVirus                 SDRI    G  2   3 2  3    $130             Symantec/Norton
PC-Cillin                 2.95L  SDRIM   G  3   3 3  2    $139             Trend Micro
SafeWord Virus-Safe       1.12      I    C  2   3 4  3                     Enigma Logic
Thunderbyte Scan          3.3    S       C  2   2 3  2    Free (non-comm.) (also VSIG 9204) risc, urvax, eugene, garbo
VACCINE (WWS)             4.30   SD IMO  C  2   1 2  2                     Worldwide Software
Victor Charlie            5.0       IM   C  3   2 3  3    $99              Delta Base Enterprises
Virex-PC                  2.2    SDRIM   G  4   2 4  4    $99              Microcom
ViruCide                         SD      G  3   4 3  3    $49              Parsons Technology
Virus Buster              3.75   SDRIMO  CG 3   3 3  4                     Leprechaun Software (70451.3621@compuserve.com)
VIRUSCAN Suite            93     SDRIM   C  2   2 3  3    ~$25/module      risc, urvax, SIMTEL, garbo
VirusSafe LAN             4.01   SDRI O  CG 2   2 3  2                     EliaShim Micro
VIRx                      2.3    S       C  2   3 4  4    Free (non-comm.) risc, urvax, eugene, SIMTEL, Microcom
Vi-Spy                    9.0    SDR M   CG 2   2 3  3    $150             RG Software Systems

Key:
  Type - S=scanner, D=disinfection (restoration of state), R=resident,
         I=integrity checking, M=activity monitor, O=operation restricting,
         E=encryption
  UI   - user interface - C=command line, G=menu or GUI
  The following are based on a 1=poor - 4=excellent scale:
  Doc  - documentation
  Ease - I=installation, U=use
  Ovrl - overall rating for general use

Sites:
  CARO   - ftp.informatik.uni-hamburg.de (134.100.4.42)
  cert   - cert.sei.cmu.edu (or cert.org) 192.88.209.5
  eugene - eugene.gal.utexas.edu
  garbo  - garbo.uwasa.fi
  nwu    - ftp.acns.nwu.edu (129.105.113.52)
  risc   - risc.ua.edu
  simtel - wsmr-simtel20.army.mil
  urvax  - urvax.urich.edu
  For others see Jim Wright's postings.

For more detailed reviews see /pub/virus-l/docs/reviews at cert
For general virus info see VIRUSFAQ.TXT at cert

copyright Robert M. Slade, 1992   QUICKREF.RVW   920714

==============
Vancouver      ROBERTS@decus.ca       | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca    |  key to continue.'
Research into  rslade@cue.bc.ca       |  I can't find the
User           p1@CyberStore.ca       |  'Any' key on my
Security       Canada V7K 2G6         |  keyboard."

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 130]
******************************************
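Editor's added example for Fabio Esquivel's DIR-II question above (this is not code from the digest, from F-PROT, or from any product named in it). DIR-II does not attach to files; it rewrites the starting-cluster field of directory entries so that every infected .COM/.EXE begins at the single cluster holding the virus body, and keeps the real starting cluster, encoded, in the entry's otherwise unused bytes. The digest does not give the decoding formula, so this example does not attempt disinfection. What it shows is the detection side: parsing raw FAT12/FAT16 directory entries from a sector image and reporting clusters that several executables all claim as their first cluster, which is the cross-link pattern CHKDSK reports on a DIR-II disk. The sample directory region is constructed for the example; the entry layout (32 bytes, starting cluster at offset 26, size at offset 28, 0xE5 = deleted, 0x00 = end of directory) is the documented FAT layout.

```python
import struct
from collections import defaultdict

# FAT directory entries are 32 bytes; the fields used here are identical in
# FAT12 and FAT16 (the 16-bit starting cluster lives at offset 26).
ENTRY_SIZE = 32
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
EXECUTABLE_EXTENSIONS = {b"COM", b"EXE"}


def make_entry(name, ext, first_cluster, size, attr=0x20):
    """Build one 32-byte 8.3 directory entry (used only to construct test data)."""
    entry = bytearray(ENTRY_SIZE)
    entry[0:8] = name.encode("ascii").ljust(8)
    entry[8:11] = ext.encode("ascii").ljust(3)
    entry[11] = attr
    struct.pack_into("<H", entry, 26, first_cluster)   # starting cluster (low word)
    struct.pack_into("<I", entry, 28, size)            # file size in bytes
    return bytes(entry)


def parse_directory(region):
    """Parse a raw directory region (read from a sector image, not through
    DOS: a resident DIR-II hides its changes from DOS-level reads) into a
    list of live entries."""
    entries = []
    for offset in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[offset:offset + ENTRY_SIZE]
        if raw[0] == 0x00:
            break                      # 0x00: no more entries in this directory
        if raw[0] == 0xE5:
            continue                   # 0xE5: deleted entry
        attr = raw[11]
        if attr & ATTR_VOLUME_ID:
            continue                   # volume label (or, on later DOS, an LFN piece)
        base = raw[0:8].rstrip(b" ").decode("ascii", "replace")
        ext = raw[8:11].rstrip(b" ")
        entries.append({
            "name": base + ("." + ext.decode("ascii", "replace") if ext else ""),
            "ext": ext,
            "attr": attr,
            "cluster": struct.unpack_from("<H", raw, 26)[0],
            "size": struct.unpack_from("<I", raw, 28)[0],
        })
    return entries


def shared_start_clusters(entries):
    """Map starting cluster -> entries that claim it, for clusters claimed
    more than once.  Directories and empty files are skipped: an empty file
    has starting cluster 0, and clusters 0 and 1 never hold data."""
    claims = defaultdict(list)
    for e in entries:
        if e["attr"] & ATTR_DIRECTORY or e["cluster"] < 2:
            continue
        claims[e["cluster"]].append(e)
    return {c: es for c, es in claims.items() if len(es) > 1}


def dir2_like_suspects(entries):
    """A DIR-II style infection shows up as executables that all start at one
    cluster (the one holding the virus body).  Only shared clusters whose
    every claimant is a .COM or .EXE are reported; any other sharing is
    ordinary FAT damage rather than this pattern."""
    return {c: [e["name"] for e in es]
            for c, es in shared_start_clusters(entries).items()
            if all(e["ext"].upper() in EXECUTABLE_EXTENSIONS for e in es)}


# Constructed sample root directory (not a real infected disk): three
# executables redirected to cluster 300, two data files, one subdirectory,
# one deleted entry, then the end-of-directory marker.
SAMPLE_ROOT_DIR = b"".join([
    make_entry("COMMAND", "COM", 300, 47845),
    make_entry("XTGOLD", "EXE", 300, 131072),
    make_entry("README", "TXT", 40, 2048),
    b"\xE5" + make_entry("OLDFILE", "BAK", 77, 100)[1:],   # deleted entry
    make_entry("DOS", "", 5, 0, attr=ATTR_DIRECTORY),
    make_entry("AUTOEXEC", "BAT", 41, 128),
    make_entry("NORTON", "EXE", 300, 65536),
    b"\x00" * ENTRY_SIZE,
])

if __name__ == "__main__":
    for cluster, names in dir2_like_suspects(parse_directory(SAMPLE_ROOT_DIR)).items():
        print(f"cluster {cluster} is the first cluster of {len(names)} executables: "
              + ", ".join(names))
```

Two caveats follow from how the virus works. The region must come from a raw read of the disk after a clean floppy boot; with DIR-II resident, DOS (and therefore a scanner using DOS file calls, which is consistent with the "Error reading" Fabio saw) is shown the original cluster numbers. And on such a disk CHKDSK /F must not be run: it "repairs" the cross-links by giving each file its own copy of the virus cluster and discards the information needed to recover the originals.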
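Editor's added example for Padgett Peterson's point about the bracketed CLEAN identifiers (not McAfee's CLEAN, and not code from the digest). The [STONED] method he describes is a fixed procedure: the original master boot record is expected at cylinder 0, head 0, sector 7 (CHS sectors count from 1, so that is LBA 6 of the image), and removal means copying that sector back over sector 1. The example applies that method to a hard-disk image file and, before writing anything, checks that sector 7 actually looks like an MBR (0x55AA signature, plausible partition table). That check is what the generic [GEN-P] label takes away from the person doing the cleanup: applied to a virus that keeps the original sector somewhere else, the same copy would write garbage over the MBR. The image here is constructed; the bytes standing in for the virus loader are filler, not Stoned's code.

```python
SECTOR = 512
PT_OFFSET = 446          # partition table: four 16-byte entries
SIG_OFFSET = 510         # 0x55 0xAA boot signature
# "Sector 7" in CHS numbering (cylinder 0, head 0, sector 7); CHS sectors
# count from 1, so it is the seventh sector of the image, at LBA 6.
STONED_BACKUP_LBA = 6


def sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def has_boot_signature(sec):
    return len(sec) == SECTOR and sec[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA"


def partition_table(sec):
    return sec[PT_OFFSET:SIG_OFFSET]


def partition_table_is_sane(sec):
    """Cheap plausibility test for a DOS partition table: every status byte
    is 0x00 or 0x80, at most one entry is active, and at least one entry has
    a non-zero type.  Random code or data at sector 7 almost never passes,
    which is what stops the 'Stoned method' from writing garbage over the
    MBR of a disk infected by some other virus."""
    active = 0
    used = 0
    for i in range(4):
        entry = sec[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        if status not in (0x00, 0x80):
            return False
        active += status == 0x80
        used += ptype != 0
    return active <= 1 and used >= 1


def saved_mbr_at_sector_7(image):
    """Return the sector-7 copy if it looks like a real MBR, else None."""
    candidate = sector(image, STONED_BACKUP_LBA)
    if has_boot_signature(candidate) and partition_table_is_sane(candidate):
        return candidate
    return None


def restore_mbr_stoned_method(image):
    """Copy sector 7 back over sector 1 (LBA 0).  Returns (new_image, report).
    Stoned keeps the disk's partition table in the sector it writes over the
    MBR so the disk still boots; the report therefore notes whether the
    current and saved tables agree, since a mismatch suggests sector 7 is
    not this disk's original MBR after all."""
    saved = saved_mbr_at_sector_7(image)
    if saved is None:
        raise ValueError("sector 7 does not hold a plausible MBR; "
                         "the Stoned removal method does not apply")
    current = sector(image, 0)
    report = {
        "already_clean": current == saved,
        "partition_table_preserved": partition_table(current) == partition_table(saved),
    }
    return saved + image[SECTOR:], report


def build_sample_image():
    """Constructed 16-sector image; not an image of a real infected disk."""
    ptable = (bytes([0x80, 0x01, 0x01, 0x00,      # active, CHS start 0/1/1
                     0x06, 0xFE, 0x3F, 0x7F,      # type 06 (FAT16), CHS end
                     0x3F, 0x00, 0x00, 0x00,      # first sector (LBA 63)
                     0x41, 0x1F, 0x08, 0x00])     # sector count
              + b"\x00" * 48)                     # three unused entries
    original = b"\xFA\x33\xC0" + b"\x90" * (PT_OFFSET - 3) + ptable + b"\x55\xAA"
    # Filler standing in for the virus's boot code (Stoned is not reproduced).
    infected = b"\xEA" + b"\x90" * (PT_OFFSET - 1) + ptable + b"\x55\xAA"
    image = bytearray(SECTOR * 16)
    image[0:SECTOR] = infected
    image[STONED_BACKUP_LBA * SECTOR:(STONED_BACKUP_LBA + 1) * SECTOR] = original
    return bytes(image), original


if __name__ == "__main__":
    img, _ = build_sample_image()
    cleaned, report = restore_mbr_stoned_method(img)
    print(report)
    # A real run would read the image with open(path, "rb").read(), write the
    # cleaned bytes back with open(path, "wb"), and never operate on the live
    # disk that was just booted from.
```

Note what the function refuses to do: on an image whose sector 7 is zeros or random data it raises instead of copying, and the report flags a partition-table mismatch rather than silently trusting the copy. Both are decisions a cleaner can only make when it knows which virus, and therefore which storage location, it is dealing with.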