Date: Mon, 31 Aug 1992 15:38:07 -0400
From: Kenneth R. van Wyk
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #143

VIRUS-L Digest   Monday, 31 Aug 1992    Volume 5 : Issue 143

Today's Topics:

Possible Virus Infection - info pls (PC)
Re: 4096 (frodo) false alarm? (PC)
Comments on Untouchable... (PC)
hardware protection against PC viruses (PC)
VACSINA Information Wanted (PC)
Re: help, high weirdness (PC)
Re: Stoned/Azusa haunting (PC)
Re: Unix servers and DOS viruses (PC) (UNIX)
re: V-SIGN virus (PC)
re: On integrity checking (PC)
McAfee's 95 series (PC)
Re: new virus found (PC)
Re: Anyone for a Feist ??? (PC)
Re: What is the best anti-virus program??? (PC)
CPAV and Windows (PC)
OS/2 boot sectors (OS/2)
BBS listing
Products for review - shipping
Re: Jerusalem virus (CVP)
Symantec announces NAVSCAN (freeware) (PC)
McAfee VIRUSCAN V95 uploaded to WSMR-SIMTEL20.Army.Mil (PC)
F-PROT new version announcement (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 24 Aug 92 12:57:06 +0000
From: ede890psft@vx24.cc.monash.edu.au
Subject: Possible Virus Infection - info pls (PC)

Readers,

I am not sure whether this is an occurrence of a virus, but it does
seem strange.

On Sunday, 23/8/92 (not US date format folks), a young 11 y.o. friend
called me and asked me for my advice. He owns a clone 286 PC and was
attempting to copy a file from a floppy to the hard disk. When using
the copy command, the machine would hang.

Earle (your author), being a smarty, said, no worries. I obtained
their DOS disk, write protected, and did a file compare between the
COMMAND.COM on the DOS disk and the hard disk. The two files were the
same size but contained different info. I did not retain the
comparison or the old COMMAND.COM.

Other problems experienced at the same time:-

- files and directories have disappeared.
- SCAN 80(?) reports no virus (I know, it is an old version but I
  didn't have my toolkit with me).

I have quarantined the machine and post this for thoughts, requests,
advice ....

The problem seems!! to have stopped but I think that the solution was
too easy.

Earle ORENSTEIN
Student Nbr 11188707
GR Dip Comp
Monash University
Faculty of Computing
ede890@mings3.cc.monash.edu.au

------------------------------

Date: Mon, 24 Aug 92 16:57:45 -0400
From: kw3@prism.gatech.edu
Subject: Re: 4096 (frodo) false alarm? (PC)

In VIRUS-L Digest V5 #140 nyh@gauss.technion.ac.il, Nadav Har'El
writes.

stuff deleted ---

>didn't help. Does anyone know of a program to clear every unused
>portion of the disk (i.e. parts of sectors after eof, and totally
>unused sectors)?

stuff deleted ----

Yes. There is a real handy public domain utility called Prune v2.1.
Prune will clear the unused space in a cluster after EOF and all
unused clusters. It will also do subdirectories and allows a user
definable fill pattern. The program is available from the authors on
their BBS.

Sydex BBS
Eugene, Oregon USA
503-683-1385

Keith R. Watson
Georgia Institute of Technology, Atlanta Georgia, 30332
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!kw3
Internet: kw3@prism.gatech.edu

------------------------------

Date: Sat, 22 Aug 92 02:04:17 +0000
From: swispl@Solomon.Technet.sg (SW International)
Subject: Comments on Untouchable... (PC)

The company has just purchased a whole batch of spanking brand new PCs
for a major project. As luck would strike it, I've been chosen as one
of the guys to look after its "Virginity" against viruses.

I would very much like to hear your worthy comments of the following
Virus detection/terminator software on the market:

* Untouchable (by Fifth Generation Systems),
* Turbo-Anti virus (by CARMEL Software Engineering),
* McAfee

Thank you in advance...

Regards,
Alvino...

--
SW International Systems Pte Ltd | "I've got a plan so cunning
14, Science Park Drive           |  you could put a tail on it and
Singapore Science Park           |  call it a weasel".. Black Adder
Singapore 0511                   |
Tel: (65) 778-0066               |
Fax: (65) 777-9401               |
swispl@solomon.technet.sg

------------------------------

Date: Mon, 24 Aug 92 16:49:47 +0000
From: barry.fagin@dartmouth.edu (Barry S. Fagin)
Subject: hardware protection against PC viruses (PC)

I have recently seen some literature on ViruGuard, a PC expansion card
that claims to defeat all IBM PC viruses. Does anybody know anything
about this? Is it all it's cracked up to be?

Please reply to this account; any help would be much appreciated.
Thanks.
--BF

------------------------------

Date: Wed, 26 Aug 92 06:24:20 -0400
From: G J Scobie
Subject: VACSINA Information Wanted (PC)

I have found the VACSINA virus on a student laptop which came in for
repairs. Using the following software produced these results:

Bates Anti-Virus Utilities v3.37
  TREE.COM    Found Vacsina - TP05 <1206>
  MEM.EXE     Found Vacsina - TP05 <1206>

F-PROT v2.04
  TREE.COM    Infection: Vacsina (TP-5)
  MEM.EXE     Infection: Vacsina (TP-5)
  CHKDSK.EXE  Infection: Vacsina-loader

I am interested in the result of F-PROT indicating CHKDSK. Is this
file infected - probably but to what extent? Is it important that one
utility recognised CHKDSK while the other did not?

As always thanks in advance.

Garry Scobie
Senior Computing Officer
Edinburgh University Computing Services
Scotland
e-mail: g.j.scobie@uk.ac.edinburgh

------------------------------

Date: 26 Aug 92 07:48:37 -0500
From: wjh0265@tamsun.tamu.edu (William Hobson)
Subject: Re: help, high weirdness (PC)

Keyboard problems - what fun!! After having done battle recently,
here are a few observations and solutions I have used:

1) If it is WordPerfect you are having the problem with, use the /nc
   /nk command line switches.
2) Bios problems seem to really jump forward when networking these
   faulty BIOSes.
3) Also be aware that other problems can look like this one: we had a
   PC that had the fan go out on the power supply that created these
   symptoms (I have seen a LOT of fan failures recently :-( )

------------------------------

Date: Wed, 26 Aug 92 08:57:49 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: Stoned/Azusa haunting (PC)

>From: drt@brolga.cc.uq.oz.au (David Taylor)
>
>Anyone know if these two virii mutate when they're together?

Nyet, comes under the theories of similarity and contagion. Bet the
system will not boot by itself either. Used to be that we got reports
of Joshi/Stoned allatime but then the PC would still boot since they
didn't fight.
What has happened is as follows:

The machine was infected by Stoned. This put the Stoned code in sector
1 and the *real* MBR in sector seven. Since Stoned is non-stealth it
copied a copy of the partition table into itself.

Then the machine was infected by Azusa which moved the Stoned code
into *another sector but not 7* (I forget which) and itself into
sector 1 also copying the P-Table into itself.

Now when a boot occurred, the Azusa ran & went resident at the TOM. It
then loaded the Stoned which, being obliging went resident itself just
under the Azusa. Then it loaded the *real* MBR and booted.

Next, the Stoned resident portion looked at sector one and observed
that it was *not Stoned* and reinfected, moving the Azusa MBR into
sector seven.

At this point we have Stoned in sectors 1 & *some other sector*, Azusa
in sector 7, and the *real* MBR is just a memory.

The machine now refuses to boot except from floppy and the user
notices *something* amiss. (Viruses and Trojans, and Worms - Oh My!)

SCAN is executed from floppy. Even if the /M is used, nothing will be
detected since neither of these viruses (original flavour) survives a
re-boot.

SCAN runs & finds whichever infected last in the MBR (say Azusa).
CLEAN comes along and cleans [AZUSA] by retrieving the sector AZUSA
stores the *real* MBR in except that this contains not the *real* MBR
but Stoned.

SCAN now reports [STONED]. CLEAN having the [STONED] reported verifies
that it is in sector 1 and replaces sector 7 into sector 1. Except 7
contains not the *real* MBR but AZUSA.

SCAN now reports AZUSA. etc etc etc. You get the idea.

Answer: Well, you could use my FixMBR, select *any* sector with a
valid p-table and let it install the *Safe* code, or you could just
use DOS 5.0

FDISK /MBR

Either will work.

Breezily,
Padgett

------------------------------

Date: Wed, 26 Aug 92 09:04:41 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: Unix servers and DOS viruses (PC) (UNIX)

>From: cohen@fitmail.fit.qut.edu.au (Mr Fred Cohen)
>
> Which brings me to one last point. I got a lot of complaints,
>but only one person wanted to perform similar experiments to confirm
>our results.

Next week if all goes well and the crik don't rise, we will be setting
up a Novell 3.11 LAN (Netware - Intel based) for some testing &
validation. Suggestions for experiments (please be explicit),
uuencoded cracker programs (or name & archive site), as well as
general encouragement would be welcome.

To keep the bandwidth down, please reply to
padgett@tccslr.dnet.mmc.com (I'net) and not Virus-L.

Breezily,
Padgett

------------------------------

Date: Wed, 26 Aug 92 10:30:46 -0400
From: "David M. Chess"
Subject: re: V-SIGN virus (PC)

Originally reported in Turkey, where it's called CANSU, this virus
seems to have reached the U.S. recently. It's a relatively simple
master-boot-record infector. Here's what I posted to VIRUS-L last
time someone asked...

The virus is indeed a master boot infector that takes 2K and does a
simple self-modification. Of the three signatures that you give, only
the first will ever appear in the master boot record, and it will
appear in only about one-third of infections. The other two
signatures are in the non-boot-sector part of the virus, but they will
be visible in memory if the virus is active in the system.

Here are three better signatures for the virus; at least one will be
found in every infected MBR, and in memory if the virus is active:

31C0 8ED0 8ED8 8EC0 48 89C4 30E4 CD13 72FA %s the Cansu virus. Boot records. No mutants.
31C0 8ED8 8EC0 8ED0 48 89C4 30E4 CD13 72FA %s the Cansu virus. Boot records. No mutants.
31C0 8EC0 8ED0 8ED8 48 89C4 30E4 CD13 72FA %s the Cansu virus. Boot records. No mutants.

(This is the format that the IBM Virus Scanning Program uses, but it
should be readily convertible.)
If you have the IBM Virus Scanning Program version 2.2.1 or better, it
will detect the virus.

The Cansu doesn't seem to have any destructive effects; it will
sometimes display a sort of "logo" when booting an infected machine,
but this shouldn't be counted on for detection.

As for disinfection, since it's a normal master-boot-record infector,
you can use FDISK /MBR, or anything else that can fix the master boot
record code without altering the partition table data (see previous
talk in VIRUS-L about this).

DC

------------------------------

Date: Wed, 26 Aug 92 10:36:16 -0400
From: "David M. Chess"
Subject: re: On integrity checking (PC)

tck@netlink.cts.com (Kevin Marcus) asks whether a disinfect-on-the-fly
virus wouldn't escape notice from an integrity checker if it was
active while the checker was running.

Yes and no! The same applies for any other stealth technique; it will
fool an integrity checker *if* it is active when the checker is
running *and* the checker doesn't defeat the particular kind of
stealth. The various integrity checkers that don't require a cold
trusted boot before running all incorporate some sort of anti-stealth
hacks to prevent the most common kinds of stealthing. The kind you
mention would be reasonably easy to detect (an open-for-read shouldn't
cause a write!).

There is of course much room for an arms race here, with viruses being
written to escape detection by existing anti-stealth methods,
anti-virus programs getting cleverer anti-stealth, and so on. I'd
advise Ken not to let the discussion of possible methods get too
detailed here in public! *8) A cold trusted boot is still the best
idea; that's what I use...

DC

------------------------------

Date: Wed, 26 Aug 92 11:17:41 -0400
From: HAYES@urvax.urich.edu
Subject: McAfee's 95 series (PC)

Hi fellows.

In reply to my query about the authenticity of McAfee Associates "95"
series of programs I got a message from a Belgian user who mentioned
that the files were on the GARBO server.
It seemed to me that US programs should also be made available from a
US site, so I fetched the files which are now available from us too.

-----
files:
CLEAN95C.ZIP
NETSCN95B.ZIP
SCANV95B.ZIP
VSHLD95C.ZIP
-----
Site: urvax.urich.edu, [141.166.1.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password. You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.
-----

PLEASE!!! Do not overload our small site and start FTP'ing after
21:00 Eastern time.

Best to all, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes      HAYES @ URVAX (Vanilla BITNET)
University of Richmond    hayes@urvax.urich.edu (Bitnet or Internet)
Richmond, VA 23173

------------------------------

Date: 26 Aug 92 15:33:10 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: new virus found (PC)

sapao@dcc.ufmg.br writes:

>A new virus not detected by McAfee's Scan93 nor Virx version 2.3 was
>found in Brazil. F-prot said it's a new variant of jerusalem.

Well, it turned out that it is not. This virus belongs to a separate
family. It contains an encrypted text string "Freddy Krg", so I have
proposed the name "Freddy" for it.

F-PROT version 2.04d (a semi-official version I just uploaded to
SIMTEL20) can detect and disinfect this virus. However, there is no
need to hurry and download this version, as I will upload 2.05
tomorrow, just before I leave for the virus conference in Scotland.

-frisk

------------------------------

Date: 26 Aug 92 15:43:06 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Anyone for a Feist ??? (PC)

ISB202REID@redgum.qut.edu.au (Did somebody say Coffee ??????) writes:

>A few days ago I came across a machine absolutely
>covered by the feist virus..

Hm - strange. As far as I know, Feist is unknown outside Russia.

>Clean 93 wouldn't remove it, although it was in F-Prot 2.04a's
>database, wouldn't even recognise it !!

In that case there are two possibilities:

1) This is a false alarm - F-PROT detects Feist without problems, I
   just checked.

2) This is a new virus, that (whatever other program you used) just
   happens to mis-identify as Feist. In this case I would need a
   sample of it to update F-PROT.

However, it might also be interesting to see what other scanners
report, or what F-PROT's Quick and Heuristic scan report.

-frisk

------------------------------

Date: 26 Aug 92 12:07:59 -0800
From: "a_rubin@dsg4.dse.beckman.com"@BIIVAX.DP.BECKMAN.COM
Subject: Re: What is the best anti-virus program??? (PC)

andreas@dutedib.et.tudelft.nl (A.A.Buykx) writes:

>Hello,
>I recently downloaded f-prot.exe and I downloaded earlier virscan. Now my
>question is (I am a novice in *anti* virus programs):
> Which one of these, or which other program should I use to
> protect my beloved computer from being crunched by some virus.

You can try posting on the group comp.virus, and get more responses
than you want, but the quick answer is .... get more than one (except
Central Point, which is incompatible with all other anti-virals).

--
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.
My interaction with our news system is unstable; if you want to be
sure I see a post, mail it.

------------------------------

Date: Wed, 26 Aug 92 20:13:39 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: CPAV and Windows (PC)

Cleaning out the desk today. :-)

The rumours of parts of Central Point's Anti Virus being included with
the next release of MS-DOS, discussed here previously, would seem to
be confirmed by now. This prompted, in my mind, the possibility that
Windows would have some such capability in its next release as well.
This was brought home to me as I tried to install the Logo computer
language on a machine recently.

I was installing two versions, one for DOS and one for Windows (both
based upon the LSRHS version.) Both versions contained files named
LOGO.EXE. For reasons of the path and environment requirements of the
files, they were extracted into different directories, and the Windows
version copied into the main directory as WLOGO.EXE.

In attempting to install the program within Windows, both LOGO.EXE
files were found, even though one was not a Windows program. Both
files prompted an alert window from CPAV. Neither program was
identified by the full path name. The filename alone was given. It
is reasonable that a "new" file should be flagged by change detection.
However, the WLOGO.EXE file never generated an alert.

The alert generated was very terse. It simply stated that the file
LOGO.EXE had changed. It did not indicate that this was a new file.
The only options were "OK" and "Cancel". "OK" what? OK to kill the
file? "cancel" my Windows session completely?

OK appeared to let the Windows installation procedure proceed.
However, sometimes (I tried the installation more than once) the CPAV
window was not removed. Activity "behind" it would "show through",
but the original screen was not redrawn.

Although the "OK" allowed the operation to proceed, subsequent runs
still did not "know" about the LOGO.EXE file.

=============
Vancouver      ROBERTS@decus.ca         | Life is
Institute for  Robert_Slade@sfu.ca      | unpredictable:
Research into  rslade@cue.bc.ca         | eat dessert
User           p1@CyberStore.ca         | first.
Security       Canada V7K 2G6           |

------------------------------

Date: Mon, 24 Aug 92 09:28:11 -0400
From: Kevin_Haney@nihcr31.bitnet
Subject: OS/2 boot sectors (OS/2)

Yaron Goland asks

>My Question is as follows: Does os/2 change the boot sector of
>drives under its control? In addition, I understand why my first 1
>meg, boot manager, partition would have a self booting program in it
>but why should my D drive have one? Os/2 does NOT boot from D drive
>and dos boots from C drive! So should there be a self running
>program on my D drive? I'm very concerned as this sort of activity
>is standard viral activity. And finally, is there any known virus
>which targets cmos and clears out sections of it?

Yes, if you have a dual boot machine, the boot sector is changed from
an OS/2 boot sector back to a DOS boot sector when you execute the
BOOT command, and vice versa when you go back to OS/2. Nothing
abnormal there. Concerning the detection of a supposedly "self
booting program", I would surmise that the integrity program you use,
like almost all DOS programs, wasn't written to take into account the
fact that it could also be run on an OS/2 machine. The OS/2 boot
record is different than the DOS boot record, albeit similar in
structure, so this is probably what is producing your message, since
the OS/2 boot program could very well be described as self-booting.

About the possibility of a CMOS virus, as far as I know, the CMOS
memory is not in the address range of 80x86 processors, so a program
usually cannot access this memory directly or change it. Not to say
that it's impossible, but I have heard of no viruses that target CMOS.
It is far more likely that this problem is the result of a bad battery
or motherboard problem. The CMOS memory chip itself can also go bad.

Kevin Haney
Internet: khv%nihcr31.bitnet@cu.nih.gov

------------------------------

Date: Wed, 26 Aug 92 19:37:04 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: BBS listing

On the basis of some past requests, I have undertaken to compile a
listing of BBSes with a major antiviral emphasis. The following is
the result so far:

Yes, boys and girls, two calls over the three virus related echoes
have produced exactly nothing. Very discouraging.

I may attempt a compilation of the phone numbers contained in
"taglines" on messages. There are two problems with this: I cannot
give any indication of the status or stature of the boards so
identified, only the number and the fact that they carry a virus
related echo, and not all taglines contain the phone number of the
board.

There is a third possibility in the longer term. The Cyberstore
online service is preparing to offer editorial "feeds" to BBSes and
other information services. The first to be offered will be a "Virus
Doctor" feed, which I am preparing for them. I should be able to
obtain information about the boards which carry the service, and
therefore build a base of BBS numbers from that.

==============
Vancouver      ROBERTS@decus.ca         | "Is it plugged in?"
Institute for  Robert_Slade@sfu.ca      | "I can't see."
Research into  rslade@cue.bc.ca         | "Why not?"
User           p1@CyberStore.ca         | "The power's off
Security       Canada V7K 2G6           |  here."

------------------------------

Date: Wed, 26 Aug 92 19:54:32 +0000
From: rslade@sfu.ca (Robert Slade)
Subject: Products for review - shipping

I have just completed a major mailing requesting submission of
antiviral products for review. I have sent this mailing to all those
for whom I have valid addresses, based upon the CONTACT.LST. If any
of you have not received a mailing from me, please consider this to be
the request, as well as sending me your address and contact info.

I have, in the past few days, started to receive some of the products
for review. Unfortunately, most have been very badly prepared for
shipping and customs. As I have no funding for the product reviews, I
am unable to receive packages which arrive COD, postage or customs
due.

Some tips:

Wherever possible, have a Canadian office or distributor forward the
package, thus eliminating the whole problem.

Don't use UPS. In two years I have never received an evaluation
package shipped via them without major problems.

Prepare the packages properly regarding customs documentation. As the
packages, after review, will be used in seminars, they may be declared
as educational material. However, please remember also to note that
the package is an evaluation copy, and has no resale value. For
purposes of the GST, please declare the "service value" at under $25.

Alternately, please prepay the duty and taxes.

As a side note, I had hoped, with this round of reviews, to include
some book reviews as well. Unfortunately, the response from
publishers has been very disappointing so far.

==============
Vancouver      ROBERTS@decus.ca         | "Don't buy a
Institute for  Robert_Slade@sfu.ca      |  computer."
Research into  rslade@cue.bc.ca         | Jeff Richards'
User           p1@CyberStore.ca         | First Law of
Security       Canada V7K 2G6           | Data Security

------------------------------

Date: Mon, 24 Aug 92 08:46:07 -0400
From: Y. Radai
Subject: Re: Jerusalem virus (CVP)

Olivier M.J. Crepin-Leblond writes, concerning the Jerusalem virus:

> In fact, some pointers now show the origin of the
>virus to be Italy ....

I've seen this claim in several places, and I'm curious to know what
the evidence is for this "Italian Connection". In my opinion, it is
quite unlikely that the virus originated outside of Israel for the
following reason: Three other viruses were also discovered in Israel
shortly after the Jerusalem was discovered, and it's clear from an
analysis of them that they are *precursors* of the Jerusalem virus:
sURIV 1.01 infects only COM files, sURIV 2.01 only EXE files, sURIV
3.00 combines the two into one virus, and the Jerusalem is an
improvement over sURIV 3.00. Unless these viruses were also
discovered in Italy, it's much more likely that the Jerusalem spread
from Israel to Italy rather than the other way around.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Tue, 25 Aug 92 20:04:55 -0400
From: Jimmy Kuo
Subject: Symantec announces NAVSCAN (freeware) (PC)

Symantec has made available as freeware, a detect/delete only version
of NAV. This program is made available through BBSes throughout the
world. We encourage people to try the program. The user interface of
NAVSCAN and NAV is similar throughout the Peter Norton line of
products.

NAVSCAN is a detection only version of NAV incorporating the August 1
update definitions set. (Files detected by NAVSCAN can be deleted
from within NAVSCAN.) The August definitions set has also been sent
to each of the BBSes so that full function NAV users can download and
update their programs from a variety of BBSes. (You can also bug your
sysop to start carrying each new month's update on that BBS.)

Information on how to purchase the full function The Norton AntiVirus
product is available in the NAVSCAN program.

Jimmy Kuo                       cjkuo@ccmail.norton.com
Norton AntiVirus Research

------------------------------

Date: Wed, 26 Aug 92 18:31:11 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: McAfee VIRUSCAN V95 uploaded to WSMR-SIMTEL20.Army.Mil (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil:

pd1:
SCANV95B.ZIP    VIRUSCAN V95-B system scanner for PC's
WSCAN95B.ZIP    SCAN for Windows 3.X V95-B Windows version of VIRUSCAN
NETSC95B.ZIP    NETSCAN V95-B network file server scanner
VSHLD95C.ZIP    VSHIELD V95-C virus infection prevention TSR
CLEAN95C.ZIP    CLEAN-UP V95-C virus disinfection/removal tool

WHAT'S NEW WITH VERSION 95

Version 95 of the VIRUSCAN (SCAN, CLEAN, VSHIELD, NETSCAN, and WSCAN)
series has been released, adding 99 new viruses, for a total of 685
viruses, or counting strains, 1,401.

Version 95 replaces V93. A V94 was in beta-test, but we discontinued
it after reports of a Trojan horse "V94" from Monterrey, Mexico. In
order to prevent any confusion, we have skipped ahead to Version 95.

The current versions of the various programs are:

VIRUSCAN, NETSCAN, and WSCAN    Version 95-B
VSHIELD and CLEAN-UP            Version 95-C

Older V95 (and 95-B) versions were NOT uploaded to SIMTEL20, Garbo, or
any other internet sites. V95 (the initial release) had a problem
with the /SAVE switch for all programs, and there were some message
display bugs in the VSHIELD and CLEAN-UP 95-B that required
replacement with a 95-C release.

One new option has been added to VSHIELD, the /NI6510 switch. This
switch fixes a conflict that occurs when VSHIELD is run on a PC with a
Racal-Datacomm NI6510 network interface card. This fix is specific to
the NI6510 and does not apply to any other product.

Validation data for the above with VALIDATE.COM is as follows:

CLEAN-UP 95C (CLEAN.EXE)             S:98,237  D:08-20-92  M1: BE92  M2: 02BB
NETSCAN B95 (NETSCAN.EXE)            S:77,976  D:08-19-92  M1: 5CFA  M2: 1DC6
SCAN FOR WINDOWS B95 (WINSTALL.EXE)  S:13,269  D:08-19-92  M1: 3885  M2: 0813
SCAN FOR WINDOWS B95 (WSCAN95B.EXE)  S:88,437  D:08-19-92  M1: 7FDC  M2: 146A
VIRUSCAN SCANV95B (SCAN.EXE)         S:80,073  D:08-19-92  M1: 3885  M2: 0813
VSHIELD VSHLD95C (VSHIELD.EXE)       S:44,991  D:08-21-92  M1: E7AB  M2: 0B78

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA           | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/NETSHIELD/TARGET/THE CONFIG MGR.

------------------------------

Date: Thu, 27 Aug 92 10:36:18 +0700
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT new version announcement (PC)

I just released a new major version of F-PROT - 2.05. It has been
uploaded to WSMR-SIMTEL20.army.mil, and should be available on other
major archive sites, such as OAK and GARBO (in Finland) within a few
days.

Version 2.05 - major changes:

The number of encrypted viruses that F-PROT can now disinfect (without
harming the original program, of course) has been increased
considerably.

Version 2.05 - the following problems were found and corrected.

If the SHARE program was loaded, version 2.04 would display an "error
opening ENGLISH.TX0" when that file was scanned. A similar error
message could also be produced during installation.

Version 2.04 would occasionally incorrectly report that a Dark Avenger
or SVC-infected file had been modified by adding some extra bytes.

The virus names reported by the scanner did not always agree 100% with
the virus information database - SADAM vs SADDAM, for example.

If the /NOPACKED switch is used, the program no longer produces a
warning about the files it skips.

Version 2.05 - minor improvements:

The following command line switches have been added to F-PROT:

/PAGE - used to make the program pause after each page of output
        (only in command-line mode)
/OLD  - disables the "This version of the program is rather old"
        message. A corresponding switch was added to the virstop
        program.

A /DISK command-line switch has been added to the VIRSTOP program, to
allow it to swap signatures in from disk as necessary. Note: This
must not be used if VIRSTOP is run from a diskette, which is later
removed. This feature is new, and not fully tested yet - use with
care.

F-PROT now identifies Jerusalem-inoculated virus samples as such,
instead of just reporting "Modified (5 bytes added)"

F-PROT will now exit, if a virus signature is found in memory. As
this might be a false alarm, it is possible to use the /NOMEM switch
to skip the memory scan.

The PRICING.DOC file has been renamed to ORDER.DOC, and includes more
information than before on how to order the program.

Version 2.05 - new viruses:

The following 11 new viruses can now be detected but not removed, only
deleted. This is because they overwrite infected files, or damage
them irreversibly.

  FCB Leprosy-Silver Dollar MSK (Blaze and MSK) Reboot Patcher SHHS-B
  Tiny Hunter Trivial (16, 42, 50 and Hanger)

The following 109 new viruses can now be detected and removed.

  _302 _334 _439 66A Ash (280 and 743) Astra-976 Atas (384 and 400)
  Athens Backfont-900 BFD (A and B) Bljec-Sad Baobab Capital
  Cascade-1701-D CC-145 Chad Cinderella-B Cossiga-Friends-B Cracky
  Crooked Dark Avenger-Father DM-400-1.04 End of Finnish-357 Flower
  Freddy Friday the 13th-ENET 37 Funeral Fungus Globe
  Hafenstrasse-1191 Happy Happy Monday (A, B and C) Hellween-1182 Hi
  Horror-1112 Irus Jerusalem-Timor Junior Keypress-1232-B Kinnison
  Lazy-B Lesson I Lesson II (358 and 360) Little Girl
  Little Brother-300 Magnitogorsk (2048-B and 2560-C) Mud Nov 17-768
  Npox Number 1-Fiis Old Yankee-Black Peter Parity Boot
  PCBB (1650, 1652, 1658 and 1701) Pif-paf Pixel (297 and 342) Plutto
  Prime Protect (1157 and 1355) PS-MPC (644) Quake Reboot
  Russian Tiny-131 Screaming Fist (732, II-B and II-C)
  Siskin (Goodbye, 948 and 1017) Sistor-1000 Stanco Stupid-SADAM-FF
  Suicidal Suriv 1-Dad Sux SVC (5.0-B and 6.01-4661) Swiss Phoenix
  Tired Vacsina-Penza
  VCL (Code Zero, Donatello, Earthday, Enun, Kinison, Venom and
  Yankee-tune) VCS-Post Vienna (415, 744 and Vengeance) Vote (A and B)
  Yankee (1712 and 2968) Youth (640 and Futhark) ZZ

The following 14 new viruses can now be detected but not yet removed.

  Andryushka (A and B) Astra-1010 Ear (Quake and Suicide) Emmie
  MtE (Cryptlab and Groove) Otto Slovakia (2.02 and 3.0)
  XPEH (3600, 3840 and 4048) Youth-Silence

The following 47 viruses that could be detected but not removed with
earlier versions of F-PROT can now be disinfected.

  Cheeba-(1.0 and 1.1) Cod Crew-2 Danish Tiny-Stigmata Demolition
  DM-330 Diskspoiler Doomsday Eastern Digital Eddie (MIR and Ps!ko)
  EMF EUPM Filedate 11 Hafenstrasse (781, 809, 818, 1641 and 1689)
  HH&H Horror (1137 and 1182) Keyboard Bug (709, 1598 and 1722)
  Lozinsky (1882, 1958, 2968 and 2970) Marauder (560 and 860) Mix-2
  Munich Pathhunt Phalcon (Cloud and Ministry) Rape-2.2
  Screaming Fist-Stranger Siskin-Resurrect Stahlplatte SVC-5.0-A
  Syslock-Advent Thursday 12 Vacsina TP-16 Multi
  Vienna (Dr.Q-1161, Dr.Q-1028 and 712)

The following viruses have been renamed or re-classified.

  Plaice         --> PCBB
  Russian Mutant --> Keyboard Bug-907
  Resurrect      --> Siskin-Resurrect
  Hero-394       --> Siskin-394
  Hero-506       --> Siskin-506
  Scion          --> Doomsday
  Vacsina-Rybka  --> Vacsina TP-16 Multi

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 143]
******************************************
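
The scan/clean loop described in the "Re: Stoned/Azusa haunting" message above, as a small state model. This is an added example, not code from the digest or from any product it names: sector "X" is a symbolic placeholder for the Azusa save sector the post does not number, and SCAN, CLEAN and FDISK /MBR are modelled only as "identify sector 1", "copy the save sector back" and "write new boot code, keep the partition table".

```python
from collections import namedtuple

# One sector in the model: the boot code it holds and the partition table
# copy it carries (the post says both viruses copy the table into themselves).
Sector = namedtuple("Sector", "code ptable")

MBR = 1                  # the post's "sector 1"
SAVE = {
    "STONED": 7,         # Stoned keeps the displaced sector in sector 7
    "AZUSA": "X",        # "another sector but not 7 (I forget which)":
}                        # symbolic placeholder, the post gives no number


def fresh_disk():
    """Constructed starting state: real MBR in place, save sectors empty."""
    return {MBR: Sector("REAL_MBR", "PTABLE"), 7: None, "X": None}


def model_infection(disk, virus):
    """State change the post describes: the displaced sector 1 goes to the
    virus's save sector and the virus, with a p-table copy, takes sector 1."""
    displaced = disk[MBR]
    disk[SAVE[virus]] = displaced
    disk[MBR] = Sector(virus, displaced.ptable)


def double_infection():
    disk = fresh_disk()
    model_infection(disk, "STONED")   # 1=Stoned, 7=real MBR
    model_infection(disk, "AZUSA")    # 1=Azusa, X=Stoned, 7=real MBR
    # First boot: Azusa loads Stoned from X; resident Stoned finds sector 1
    # "not Stoned" and reinfects, overwriting the real MBR held in sector 7.
    model_infection(disk, "STONED")   # 1=Stoned, 7=Azusa, X=Stoned
    return disk


def scan(disk):
    """Report which modelled virus, if any, occupies sector 1."""
    code = disk[MBR].code
    return code if code in SAVE else None


def clean(disk):
    """Per-virus repair run from a floppy boot (nothing resident):
    copy the detected virus's save sector back over sector 1."""
    virus = scan(disk)
    if virus is not None:
        disk[MBR] = disk[SAVE[virus]]
    return virus


def scan_clean_loop(disk, rounds):
    """What each SCAN reported before each CLEAN, for a number of rounds."""
    return [clean(disk) for _ in range(rounds)]


def boots(disk):
    """Follow the load chain from sector 1; revisiting a sector means hang."""
    seen, sector = set(), MBR
    while sector not in seen:
        seen.add(sector)
        code = disk[sector].code
        if code not in SAVE:
            return True          # reached real or freshly written boot code
        sector = SAVE[code]      # the virus hands over to its saved sector
    return False


def rewrite_mbr_code(disk):
    """The fix named in the post: take the p-table from any sector that has
    one and install known-good boot code in sector 1."""
    ptable = next(s.ptable for s in disk.values() if s and s.ptable)
    disk[MBR] = Sector("CLEAN_BOOT_CODE", ptable)


if __name__ == "__main__":
    d = double_infection()
    print("boots:", boots(d), "| scan/clean rounds:", scan_clean_loop(d, 4))
    rewrite_mbr_code(d)
    print("after rewrite -> scan:", scan(d), "| boots:", boots(d))
```

The model shows why restoring "the saved sector" cannot converge here: each virus's save sector holds the other virus, so only replacing the boot code outright ends the cycle.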
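
The "re: V-SIGN virus" message above says its three signature lines should be "readily convertible"; the following added example (not part of the digest and not IBM's code) parses those lines as posted, searches a buffer for them, and re-emits each pattern in the brace-delimited hex-string form used in YARA rules. The parsing rule (leading hex groups form the pattern, the rest is the message text) is an assumption based only on how the lines appear in the post, and the 512-byte sector is constructed test data.

```python
import re

# The three signature lines exactly as posted in the V-SIGN message.
POSTED = """\
31C0 8ED0 8ED8 8EC0 48 89C4 30E4 CD13 72FA %s the Cansu virus. Boot records. No mutants.
31C0 8ED8 8EC0 8ED0 48 89C4 30E4 CD13 72FA %s the Cansu virus. Boot records. No mutants.
31C0 8EC0 8ED0 8ED8 48 89C4 30E4 CD13 72FA %s the Cansu virus. Boot records. No mutants.
"""

_HEX_GROUP = re.compile(r"(?:[0-9A-Fa-f]{2})+\Z")


def parse_signature(line):
    """Split one posted line into (pattern_bytes, message_text).

    Assumption: the leading whitespace-separated hex groups are the byte
    pattern; everything from the first non-hex token on is message text.
    The "%s" is left unexpanded because the post does not say what the
    scanner substitutes for it.
    """
    tokens = line.split()
    n = 0
    while n < len(tokens) and _HEX_GROUP.match(tokens[n]):
        n += 1
    if n == 0:
        raise ValueError("no hex pattern at start of line: %r" % line)
    return bytes.fromhex("".join(tokens[:n])), " ".join(tokens[n:])


def load_signatures(text):
    return [parse_signature(l) for l in text.splitlines() if l.strip()]


def scan_buffer(buf, signatures):
    """Return (signature_index, offset) for every occurrence in buf.

    The same routine serves for a boot sector read from disk or for a
    memory image, the two places the post says the bytes can be found.
    """
    hits = []
    for idx, (pattern, _message) in enumerate(signatures):
        start = buf.find(pattern)
        while start != -1:
            hits.append((idx, start))
            start = buf.find(pattern, start + 1)
    return hits


def to_hex_string(pattern):
    """Byte-spaced, brace-delimited form, as YARA writes hex strings."""
    return "{ " + " ".join("%02X" % b for b in pattern) + " }"


def constructed_sector(pattern=None, offset=0x40):
    """512-byte stand-in for a master boot record: zero fill plus the 55 AA
    boot marker, optionally with one signature's bytes placed at offset.
    Constructed test data only; it contains no virus code."""
    sector = bytearray(512)
    sector[510:512] = b"\x55\xAA"
    if pattern is not None:
        sector[offset:offset + len(pattern)] = pattern
    return bytes(sector)


if __name__ == "__main__":
    sigs = load_signatures(POSTED)
    for pattern, message in sigs:
        print(to_hex_string(pattern), "|", message)
    print(scan_buffer(constructed_sector(sigs[1][0]), sigs))
```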