From: SDS::"virus-l@lehigh.edu" 18-SEP-1992 12:03:56.08 To: 3338$SPAN::HENDEE CC: Subj: VIRUS-L Digest V5 #153 Received: from Fidoii.CC.Lehigh.EDU by Sdsc.Edu (sds.sdsc.edu STMG) via INTERNET; Fri, 18 Sep 92 15:10:24 GMT Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA14638 (5.65c/IDA-1.4.4 for ); Fri, 18 Sep 1992 10:56:41 -0400 Date: Fri, 18 Sep 1992 10:56:41 -0400 Message-Id: <9209181352.AA05376@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: Kenneth R. van Wyk To: Multiple recipients of list Subject: VIRUS-L Digest V5 #153 VIRUS-L Digest Friday, 18 Sep 1992 Volume 5 : Issue 153 Today's Topics: Re: Now I know I have something. (PC) Re: new virus found (PC) Re: Bug in F-PROT? (PC) Castlewoflenstein (PC) Re: Problems with F-PROT (V2.05) (PC) Jerusalem and Netware (PC) Problem w' booting C: then A: (PC) Re: Problem with Vshield 5.1B95 (PC) Information on CPAV and McAfee (PC) Virus Analysis of BootExe Virus (PC) Re: NAVSCAN (PC) Maltese Amoeba virus (PC) Which detect/protect s/w? (PC) Information on CPAV vs McAfee (PC) Re: "New" 1530 virus ? (PC) Re: F-prot false alarm? (PC) Re: PC Guardian contact info? (PC) Re: Amiga virus info (Amiga) Re: Apple IIgs virus program? (Apple ][) Re: self-checking programs I-M124.ZIP available (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: 14 Sep 92 09:07:13 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Now I know I have something. (PC) mcampbel@nyx.cs.du.edu (Matthew Campbell 'The Fire Fox') writes: > wuarchive. Is F-PROT supposed to have -AV with the files when > unzipped? Mine doesn't. No, F-Prot does not come in an archive with -AV codes. The -AV codes are essentially useless to protect from tampering. DON'T RELY ON THEM! There is a short (under 50 lines) C program that can fake any -AV code used by PKZip. For instance, here is a short archive, which looks like if it is packaged by McAfee Associates, but of course it isn't: section 1 of uuencode 5.15 of file ttt.zip by R.E.M. begin 644 ttt.zip M4$L#!`H``"```*=9+AF6L!A>.````#@````#````5%145&AI2!-8T%F964@07-S;V-I871E Message: This is either a corrupted program or one which contains > instructions wich do not exist on all 80x86 processors. > It will crash on some machines. > -- text files were noted as suspicious such as NEW.205, SCAN.DOC, > LANGUAGE.DOC, CONFIG.SYS, AUTOEXEC.BAT, and all scan.crc files. Well, that's normal. All those are text files and therefore really don't contain valid 80x86 CPU instructions... :-) Please, be sure to perfectly understand the limitations of the heuristic scanners, before using one... > A disk editor revealed extra garbage added to the ends of the > suspicious files as named by F-PROT v205. The extra stuff held two Doesn't matter. The slack space in the last cluster (after the end of the files) is not used by DOS and does not receive control. At least three viruses (Number_of_the_Beast, Int13, and Necropilis) make use of it, but they store there the overwritten -origianal- part of the file, not th virus body. If you are still worried, you could wipe out the slack space, by using e.g. WipeInfo from the Norton Utilities package. > For the next two sectors it had something that looked like a data file > containing names of viruses like: Violator, Stoned, Vienna, Hydra, and > had names of the current scanners, characteristics of viruses, the > months of the year, and some names of some countries. Don't worry, this is just some garbage left in the slack space. > What should I do? First, you must prove that you really have a virus. Try creating several large files, containing only NOPs and try to infect them. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 14 Sep 92 09:47:20 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: new virus found (PC) RZOTTO@NYX.UNI-KONSTANZ.DE (Otto Stolz) writes: >> * FREDDY >> Freddy was made by one of a student in a academy of >> computer in Indonesia. It infected the program, not a boot >I fear, this name has already been given to another virus (cf. thee >above quote from an old VIRUS-L posting). If I'm right, you'd better >choose another name for the new beast, otherwise please tell us which >name the Indonesioan virus has acquired, meanwhile. Ah...I had forgotten about that one. However, I am not sure if it matters, as that "Indonesian Freddy" never materialized - that is, no virus researcher seems to have a copy of it. Maybe it existed, maybe it did not, but for now, I'll consider it to belong to the "rumored" category. - -frisk ------------------------------ Date: 14 Sep 92 10:01:28 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Bug in F-PROT? (PC) Kevin_Haney@nihcr31.bitnet writes: >I was using F-PROT 2.04c from a bootable DOS 5.0 diskette. After >booting from the A: drive, I wanted to scan another diskette in the A: >drive. F-PROT produced unintelligible messages, such as "cotaaly >tanmcyng, ico staro%Nnurta...". Another user here reported the same >phenomenon. Does anyone have an explanation and/or fix for this >problem? Well, the explanation is quite simple. All text messages F-PROT uses are stored on disk, and only read into memory when necessary. So, if you run F-PROT from a diskette, and then remove/replace that diskette, you will get unpredictable behaviour. I am sorry, but there is simply no way this can be fixed. If you only have a one-disk machine, you can usually bypass the problem by creating a RAMDISK and move the program there. - -frisk ------------------------------ Date: Tue, 08 Sep 92 23:11:08 -0400 From: Rick.Schryvers@psycho.fidonet.org (Rick Schryvers) Subject: Castlewoflenstein (PC) This is just a friendly little warning to all in echoland. Seems as if some generous "programmer" has taken upon himself to construct a virus and attach it to a hacked game. The game is called "CASTLE WOLFENSTEIN" , the virus is in a file called "wolfchet.exe" its basically a cheat program that allows you to have unlimited lives and unlimited ammunition in the game. However, it also infects your boot track of your hard disk. McCaffee v.91b identified this virus as the "Wolf" virus, however others have mentioned it may be a variant of the "Whale" virus. I aquired this game from a local BBS and like any good pc owner should, was scanning my recent downloads and POOF there it was. It hadn't become active yet so I didn't loose anything. However, I did realize one thing, this program sat on my hard disk for 9 days before I found it. Why you might ask? Well it seems that I didn't realize that many virus scanners cannot/don't look into zipped files. I had kept the file zipped for awhile before I unzipped it. In fact, I almost ran the cheat program when it hit me that I hadn't scanned in a day or so and it might be a good time to do it....(I must have a gaurdian angel). Just thought I would let you know...by the way...the virus made its way to South Florida by way of a British sailor. As many people know, the Port of Tampa is a stop off point for many British warships. One of these warships had a sailor on it who with the use of his Laptop computer brought over software from Europe and posted it on Florida BBS's. I'm not accusing the sailor that he knew what was going on, however, it does seem that alot of viruses seem to orginate in places other than the USA. Let me know VIA EMAIL if anyone else has had experience with this virus as I don't post here often...(its long distance to my mail hub). See ya .. OFFLINE 1.40 * We don't need no steenking tag lines... - -- Internet: Rick.Schryvers@psycho.fidonet.org UUCP: ...!myrddin!tct!psycho!Rick.Schryvers Note:psycho is a free gateway between Usenet & Fidonet. For info write to root@psycho.fidonet.org. ------------------------------ Date: 14 Sep 92 10:59:05 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Problems with F-PROT (V2.05) (PC) KDC@ccm.UManitoba.CA (Ken De Cruyenaere 204-474-8340) writes: > 1) It no longer has the "SCANNING MEMORY FOR VIRUSES" box > come up at start-up time, though that is apparently what > it is doing. Result is an span of several seconds where the > menu appears ready for action but does not respond. Hm...right - this was a side-effect of a small last-minute change I made. Fixed now. > 2) VIRSTOP no longer hangs up the boot when it notices that > it has been changed. It still produces the warning message, > with the recommendation to boot from a clean floppy, then > allows the boot to continue. This managed to slip through testing somehow...fixed now. > 3) This might not be new to 2.05. When you define some > signature strings a file called USER.DEF is created. > When you INSTALL F-PROT, USER.DEF is NOT one of the files > copied over. (shrug) well, the original idea was that one would normally only use "Install" from a write-protected floppy disk, where USER.DEF could not be created, so I did not bother to copy this file, but maybe I should. - -frisk ------------------------------ Date: Mon, 14 Sep 92 07:59:13 -0400 From: G J Scobie Subject: Jerusalem and Netware (PC) From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Re: NetWare and viruses - some new results (PC) >Unfortunately, many users (and some applications) become very unhappy >if they do not have WRITE right in their own directories. This was the >problem I had with one LAN last year, the custom MAIL facility >demanded WRITE right to itself. JERUSALEM spread like mad. I don't think this is on these days. If an application needs write permission for users in an area where the executables are stored then I will not allow it on a LAN I administer. However, enough of me :-) My experience of the Jerusalem Virus on netware 3.11 is that an infected station cannot infect a file on the server because of the use of INT 21h by the netware shell and the virus itself. Workstations just bomb out if an infected program is run from the workstations hard disk before any infection can take place. I am assuming that the above LAN was not netware or have I have just been lucky? Thanks in advance for any info on this. Cheers Garry Scobie Senior Computing Officer Edinburgh University Computing Services Edinburgh University e-mail: g.j.scobie@uk.ac.ed ------------------------------ Date: Mon, 14 Sep 92 17:46:27 -0400 From: kw3@prism.gatech.edu Subject: Problem w' booting C: then A: (PC) Someone recently noted that there is a trend in BIOS for boot from C: then A:. We have machines in use like this and have found a problem. Systems that have a SCSI controller will boot from A: even though the BIOS setup is set for C: then A:. I have been able to get it to work once but when reseting to A: then C: and back again it wouldn't work. SCSI controllers have built in BIOS so CMOS is set to no hard drives installed. It is possible that the BIOS is timing out before the SCSI controller generates a ready signal. This would result in BIOS thinking there was no hard drive. I will be trying additional test to see if there is a way to get the C: then A: option to work. If you have any information that might help solve this please let me know. In the mean time you may have a hole in your virus defense system. Keith R. Watson Georgia Institute of Technology, Atlanta Georgia, 30332 uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!kw3 Internet: keith.watson@stucen.gatech.edu ------------------------------ Date: Mon, 14 Sep 92 22:23:43 +0000 From: mcafee@netcom.com (McAfee Associates) Subject: Re: Problem with Vshield 5.1B95 (PC) Hello Mr. Seymour, The "blem wit" is a message from inside your NETX file, if memory serves. Older versions of NETX substitute part of the "...proBLEM WITh..." error message for the filename. Upgrading to current versions of the drivers should make this go away. Regards, Aryeh Goretsky Technical Support /IN REPLY TO/ CHIP.S@BDSO.Prime.COM (Chip Seymour, Information Resources) writes: >I believe I am having a problem with VSHIELD. It loads ok, but when I >do a MEM/C, it produces "blem wit" as the program name. Anybody else >come across this? (v5.1B95) > >============================================================================= >Conventional Memory : > > Name Size in Decimal Size in Hex >- ------------- --------------------- ------------- > MSDOS 19472 ( 19.0K) 4C10 > SETVER 544 ( 0.5K) 220 > ANSI 4192 ( 4.1K) 1060 > HIMEM 1184 ( 1.2K) 4A0 > SMARTDRV 18592 ( 18.2K) 48A0 > RAMDRIVE 1184 ( 1.2K) 4A0 > ATDOSXL 9520 ( 9.3K) 2530 > MOUSE 14816 ( 14.5K) 39E0 > ETHDEV 30400 ( 29.7K) 76C0 > TCPIP 16480 ( 16.1K) 4060 > COMMAND 4416 ( 4.3K) 1140 > 3C503 3936 ( 3.8K) F60 > DOSKEY 4128 ( 4.0K) 1020 > IPX 16960 ( 16.6K) 4240 > NET5 42112 ( 41.1K) A480 > blem wit 38832 ( 37.9K) 97B0 <--------- > FREE 64 ( 0.1K) 40 > FREE 144 ( 0.1K) 90 > FREE 426944 (416.9K) 683C0 > >Total FREE : 427152 (417.1K) > >Total bytes available to programs : 427152 (417.1K ) >Largest executable program size : 426688 (416.7K ) > > 5242880 bytes total contiguous extended memory > 0 bytes available contiguous extended memory > 2293760 bytes available XMS memory > MS-DOS resident in High Memory Area - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | mcafee@netcom.COM Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95054-3107 USA | USR HST Courier DS | or GO MCAFEE Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/NETSHIELD/TARGET/THE CONFIG MGR. ------------------------------ Date: Tue, 15 Sep 92 03:06:43 +0000 From: sengteik@iti.gov.sg (Chua Seng Teik (RC)) Subject: Information on CPAV and McAfee (PC) I am doing an evaluation on some Anti-Virus packages and I have narrowed down to 2 products namely Central Point AntiVirus and McAfee's suite of products. I wonder if anyone out there have done a similar comparison and is there any writeup that I can reference and use as supporting material. Cheers - -- Chua Seng Teik | Information Technology Institute internet : sengteik@iti.gov.sg | National Computer Board bitnet : sengteik@itivax.bitnet | 71 Science Park Drive voice : (65)772-0439 | Singapore 0511 ------------------------------ Date: Tue, 15 Sep 92 17:11:58 -0400 From: Roger Thompson <70451.3621@compuserve.com> Subject: Virus Analysis of BootExe Virus (PC) Boot Exe Virus A multipartite virus with a difference. The BootExe (temporary name) virus is an extremely efficient infector. It infects fixed disks, floppy diskettes, and certain EXE files. It's most unusual characteristic is that it infects during execution of the BIOS interrupt 13 (disk functions) rather than intercepting the DOS int 21 (file functions). By doing this it can avoid many monitor-type anti-virus interceptors. * BOOT RECORD EXECUTION When executed as a boot record, it acts as a conventional boot record virus. It reserves 4K of memory at the top of conventional memory, copies itself into this area, and intercepts int 13, redirecting it to it's own handler. The virus then checks for the presence of a hard disk and infects the partition table if one is found. Finally, the virus loads the original boot record and passes control to it. * EXE FILE EXECUTION As explained later, infected EXE files are executed by DOS as a COM file. The virus first relocates itself into the top of the allocated program memory. It then performs an "Am I Here" call. If it returns false (virus not present), it infects memory, and revectors int 13 to itself. Finally, the virus adjusts all relocatable references in the EXE file, sets the stack, and jumps to the original EXE entry point. These actions are normally performed by DOS when the EXE file is loaded. Now it is a COM file, the virus needs to perform them. * INTERRUPT 13 HANDLING The int 13 functions 0F and 02 are intercepted. All other functions are ignored. -Int 13 fn 0Fh The 0F function is to write a test buffer. Normally this function is rarely used, and it may only be applicable to an XT BIOS. The virus uses this function as an "Am I Here" call. Presumably this allows the function call to be recognized as a legitimate function (in case anyone is watching). If the virus is already resident it returns 19 in AH. -Int 13 fn 02h Function 2 is to read between 0 and 17 disk sectors (depending on the drive). The virus takes the following action before allowing the function to proceed. It reads the first of the target sectors to an internal buffer. It then tests the buffer to see if it is the header of an EXE file suitable for infection. If any of the following tests fail, it proceeds to the next stage. - - The sector must begin with the EXE file header of "MZ". - - The file size (according to the EXE header) must be less than 64K (so it will run as a COM file). - - The table of relocatable items must be 512 bytes in length and must contain at least 453 bytes of unused space. - - The program must request all available memory when it is run (most EXE programs do). When all these conditions are met, the virus inserts itself into the unused area of the relocatable table, converts the "MZ" to a short jump to itself and rewrites the sector to disk. This in effect converts the file to COM format. Unfortunately DOS will execute it as a COM, despite it having an EXE header, without warning. The next stage is to test if the disk request is for a diskette. If it is, and it is a read of the first cylinder, the virus checks to see if the diskette is already infected. If not, it inserts itself in the boot record of the diskette. * TRIGGERS The virus does not appear to contain any triggers. * DESTRUCTIVE ACTIONS The virus does not appear to contain any deliberately destructive code other than to infect disks and EXE files. * DETECTION Infected boot records and EXE files will contain the following byte sequence: BB 92 01 EB 21 10? A1 13 04 48 48 83 2E 13 04 04 04? BB 7A 01 8E C0 FC ------------------------------ Date: Wed, 16 Sep 92 03:45:59 +0000 From: rslade@sfu.ca (Robert Slade) Subject: Re: NAVSCAN (PC) al163193@academ01.mty.itesm.mx (Jesus Miguel Garcia Rodriguez) writes: > > Where can i get NAVSCAN? or When its gonna be out? It's on Compuserve. As far as when it will get out, don't hold your breath. Jimmy has stated that Compuserve is the best the company can do right now. It will *not* be posted to BBSes "around the world". If anyone has acces to it on CompuServe, they are allowed to repost it. Perhaps some kind soul will download it, and send xxencoded copies to site maintainers. ============= Vancouver ROBERTS@decus.ca | "Remember, by the Institute for Robert_Slade@sfu.ca | rules of the game, I Research into rslade@cue.bc.ca | *must* lie. *Now* do User p1@CyberStore.ca | you believe me?" Security Canada V7K 2G6 | Margaret Atwood ------------------------------ Date: Wed, 16 Sep 92 18:34:54 +0000 From: samsung!ulowell!cps.msu.edu!reno@uunet.UU.NET (Gerald L Jr Reno) Subject: Maltese Amoeba virus (PC) Does anyone know anything about the Maltese Amoeba virus? I've been out of it for a bit, and just got a memo from a software company (John Wiley & Sons) informing me that some of their disks were infected. The letter only suggests that the virus "may, unfortunately, affect files on your hard drive" and that it is only detectable by the Norton Anti-Virus (Version 2.0). Being from a department (MSU Dept. of Statistics) that does not have acces to NAV, I'd really like to know if anyone has more information..... Thanks, Jerry Reno (reno@cps.msu.edu) ------------------------------ Date: 16 Sep 92 17:38:56 -0500 From: "J. Douglas Works" Subject: Which detect/protect s/w? (PC) Could someone E-mail or post what combinations of virus detection/protection programs are generally recommended? I have McAfee's SCAN and CLEAN (BTW, what IS the latest version # out there?), but are these two sufficient for detection? What do most people recommend for hard disk protection? F-Prot? Sentry? Any help would be appreciated. Thanks. - Doug .............................................................................. .............................................................................. ... | "He is no fool who gives what he cannot keep, ... ... --+-- to gain what he cannot lose." ... ... | - Jim Elliot ... ... | ... ...................... Internet: j1w@icf.hrb.com ............................ .............................................................................. J. Douglas Works * HRB Systems, Inc. * State College, PA 16804 USA ------------------------------ Date: Fri, 18 Sep 92 01:33:34 +0000 From: sengteik@iti.gov.sg (Chua Seng Teik (RC)) Subject: Information on CPAV vs McAfee (PC) Just like to find out if any of you has done any comparisons between CPAV (Central Point Anti-Virus) and McAfee. In particular features that are unique to either of these products. I would appreciate if you could e-mail me any relevant information on these 2 products. Thanks in advance. Cheers - -- Chua Seng Teik | Information Technology Institute internet : sengteik@iti.gov.sg | National Computer Board bitnet : sengteik@itivax.bitnet | 71 Science Park Drive voice : (65)772-0439 | Singapore 0511 ------------------------------ Date: 18 Sep 92 09:06:54 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: "New" 1530 virus ? (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >KDC@ccm.UManitoba.CA (Ken De Cruyenaere 204-474-8340) writes: >> A new virus has turned up on our campus. >> McAfee v95 identifies it as "1530" but will not clean it. >> F-PROT (V2.05) does not detect it (even in HEURISTICS) (!) >Hmm, F-Prot 2.05 detects all of the above... Seems that you have a new >variant. I suggest that you send a copy to Frisk. He did = I got it and it turned out to be a new virus, which I propose to call Alexander. It bears some resemblance to the Dark Avenger series, but I have not yet been able to determine how closely they are related. There is an indication that the virus is of East-European origin (written in Romania). Anyhow, I have updated F-PROT to find and disinfect it - look for version 2.05a (to be released on Monday). - -frisk ------------------------------ Date: 18 Sep 92 09:11:26 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: F-prot false alarm? (PC) franz@iveuncc.unive.it (Francesco Dalla Libera) writes: >andy@exp.uvs.edu.sr writes: >>Just obtained F-prot 2.05 from simtel. Unpacked it and did a secure >>scan. To my surprise backup.exe (from dos 5.0) was reported as being >>infected with the Stanco virus. False alarm - sorry folks. I did some (ehem) improvements in 2.05 regarding handling of the few viruses that actually spread in compressed form, such as Stanco, Happy Monday and Even Beeper. Unfortunately this caused some false alarms, so I changed back to my old, (but slower) method in 2.05a. I will upload 2.05a right after this weekend - I just want to include as many as possible of the 100+ new viruses that I just got - most of which were from Russia. - -frisk ------------------------------ Date: 18 Sep 92 09:15:15 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: PC Guardian contact info? (PC) rslade@cue.bc.ca (Robert Slade) writes: >A recent report in Computing Canada says that the Ontario government >has switched from McAfee to a company called PC Guardian out of San >Rafael, CA. But what the report probably did not say was that the virus scanner included in the package deal was F-PROT. :-) - -frisk ------------------------------ Date: Mon, 14 Sep 92 19:38:41 -0400 From: Anthony Naggs Subject: Re: Amiga virus info (Amiga) Red Dragon, , asks: > Where can I get Amiga virus information? Sorry this is so late, I thought some other Amiga users would have answered this. The Virus Test Centre in Hamburg produces some material, which may not be comprehensive. It is available by anonymous ftp, and I think Ken has copies at cert.org for US access. system: ftp.informatik.uni-hamburg.de directory: /pub/virus/texts/catalog files: bytes date name 44234 Feb 10 1992 amiga.zip 16325 Jul 25 10:01 AmigaVir.792 user name: anonymous password: [your e-mail address] As this site only has a low volume modem link it is best to use a net copy program to fetch the file. (I have used the following copy programs, VAX/VMS: 'transfer', SUN Unix: 'hhcp'). Note the '.zip' file is binary and must be copied in binary mode, and may need to be decompressed with PKZIP on a MS-DOS system. The documentation for the better Amiga anti-virus software includes short descriptions of viruses. For ftp access try, (from Jim Wright's helpful postings), one of: system: ms.uky.edu (IP address is 128.163.128.6) directory: /pub/amiga/Antivirus system: eugene.utmb.edu (IP address is 129.109.1.21) directory: /pub/virus-software/amiga backup site to eugene system: beach.utmb.edu (IP address 129.109.1.207) directory: [ANONYMOUS.PUB.VIRUS.AMIGA] Hope this helps, Anthony Naggs Software/Electronics Engineer P O Box 1080, Peacehaven (and virus researcher) East Sussex BN10 8PZ Phone: +44 273 589701 Great Britain Email: (c/o Univ of Brighton) amn@vms.brighton.ac.uk or xa329@city.ac.uk ------------------------------ Date: Wed, 16 Sep 92 11:56:34 -0400 From: Subject: Re: Apple IIgs virus program? (Apple ][) I'm wondering if there is such a thing as a virus detection program available for the Apple IIgs computer. If it does exist please let me know where I can get the program, and if there is any cost associated. Thank you, Dennis J. Behrens ------------------------------ Date: 14 Sep 92 09:39:49 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: self-checking programs BURGER@dmrhrz11.bitnet (Christian Burger) writes: > executable after compilation. This package will probably not protect > against all stealth viruses but it will certainly provide a good > protection against the most common viruses. The stealth bomber package > is freely available via anonymous ftp from any simtel archive mirror > as /msdos/trojan-pro/stealth.zip. I would be interested in comments > of the virus gurus on this package. Well, your suppositions are right. It is unable to provide protection against some advanced stealth mechanisms, but it is able to catch all simple viruses and even some of the stealth ones. Some protection is better than no protection, just don't rely on it. BTW, have in mind that programs which perform self-checking cannot be disinfected from some of the existing viruses. The reason is that a lot of viruses are padding the EXE files so that their length becomes a multiple of 16 (completely unnecessary, but Jerusalem did it and lots of virus authors copied it from there). Most of these viruses don't keep a record of the actual file length, so this information is lost. Therefore, all disinfectors will leave up to 16 bytes of garbage, after disinfecting the file. Of course, the checksum of the file will not match any more, so a self-checking program will refuse to work. Yet another argument not to use disinfection but to replace the infected file with a clean copy. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Fri, 18 Sep 92 08:36:59 -0400 From: HAYES@urvax.urich.edu Subject: I-M124.ZIP available (PC) Just to report the availability of an update for Integrity Master. It is now available for FTP processing from us. - ----- Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 153] ******************************************