Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5) id AA10408; Wed, 17 Feb 1993 23:19:23 +0100 Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA31867 (5.67a/IDA-1.5 for ); Wed, 17 Feb 1993 16:43:57 -0500 Date: Wed, 17 Feb 1993 16:43:57 -0500 Message-Id: <9302172048.AA01904@first.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@first.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V6 #28 Status: RO VIRUS-L Digest Wednesday, 17 Feb 1993 Volume 6 : Issue 28 Today's Topics: Re: Michelangelo origins (CVP) Re: Pundits and bandits Re: How to measure polymorphism Re: general entertainment F-Prot 2.07 & Append (PC) Is this a virus? (PC) Re: green catipillar (PC) Re: Michaelangelo's payload (PC) Re: MtE Infected... (PC) Re: New virus in Germany :-( (PC) Re: International computer virus day (was: Michelangelo Virus?) (PC) Re: Notes about Sunday Virus (PC) Virstop 2.07 & Lanworkplace = Windows Hangs... (PC) Re: STONED update/additional info questions. (PC) Re: Suggestion to the developers of resident scanners (PC) FORM (again!) (PC) Re: windows virus (PC) - is WALDO one? Re: New Virus (PC) Re: NAV questions (PC) Re: New virus in Germany :-( (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk, krvw@first.org ---------------------------------------------------------------------- Date: 15 Feb 93 19:09:35 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Michelangelo origins (CVP) rslade@sfu.ca writes: > information can be overwritten, resulting in a loss of data. One > version of Stoned (which I do not have) is reported not to infect > 3.5" diskettes: this is undoubtedly the template for Michelangelo > since it doesn't infect 3.5" disks either. I don't have such version of Stoned either, but the rest of your sentence is not quite correct. Michelangelo infects 3.5" 1.44 Mb floppies, but the infected ones have the Media Description Byte in the boot sector destroyed, which makes them unreadable on some computers. They are perfectly infective, though. The virus also tries to infect 3.5" 720 kb diskettes - there is nothing in the code to stop such attempts. However, due to a bug, the virus tries to infect them as high-capacity diskettes and to store the original boot sector at a non-existing location. This produces an error and the virus just gives up. > Stoned has "spawned" a large number of "mutations" ranging from > minor variations in the spelling of the "payload" message to the > somewhat functionally different Empire, Monkey and No-Int > variations. Interestingly, only Michelangelo appears to have been > as "successful" in reproducing, although the recent rise in Monkey > reports is somewhat alarming. The major reason of the spread of No_INT and Michelangelo was that they have been distributed with commercial software... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Feb 93 20:14:44 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Pundits and bandits fergp@sytex.com (Paul Ferguson) writes: > Well, it may stop them from authoring viruses, but unfortunately > virus "creationists" are like a pesky rodent infestation -- you > eradicate six of them and there are six (times two) that step in > to take their place. Bah, I disagree... Convicting a few virus writers will have enough preventing effect at least towards the other "wannabes" from the same country... Wonder why nobody else has released yet another Internet worm from the USA?... :-) > PGP public encryption key available upon request. Please, consider this a request. I am collecting public keys and am making them available by anonymous ftp. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Feb 93 18:52:53 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: How to measure polymorphism houle@nmt.edu (Paul Houle) writes: > If an antivirus program is not polymorphic, it potentially can be > recognized and tampered with by a virus. The code can be altered so it alway s > reads "clean", or the files it keeps can be altered to delete signatures (fo r > scanners) or to change CRCs, message digests, whatever is used to protect > programs. Therefore, for safety, an antivirus program should ideally be > different in every installation. The filename should be different, the code Yes, that's a very good idea. And it can be implemented quite easily, no need to have the "polymorphic compiler" you are talking about. Just have some polymorphic engine in the intallation program and use it to encrypt and prepend a random decryptor to the executable before installing it. Of course, you could even use MtE for that purpose, but this is not a wise idea, because then everybody's scanner will detect your program as infected with an MtE-based virus... :-) This will practially elliminate a direct attack against the virus. Of course, in theory, the virus writer could create a virus that contains a detector for your polymorphic engine, but I wish 'em luck trying to do that... :-) More likely they'll just stick to a stealth virus. Of course, the implementation of the polymorphic anti-virus program should be strong enough - e.g. an integrity checker that shokes when a virus deletes its dabases of checksums is not good, even if it is a polymorphic one... :-) Oh, yes, and it is enough to make the executable different each time. You don't need to bother with the names of the data files, if you provide the possibility to the user to use just -any- names... Possible problems - encrypting the executable and prepending a decryptor is not trivial for some executables (e.g., Windows applications), but it is not an unsolvable problem... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Feb 93 21:20:16 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: general entertainment bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > The article is "Discover" does not make an exception - lots of > technical and factual details are wrong. Maybe the funniest of them is > the conjecture that "Diana P." in Dark Avenger's viruses has something > to do with Lady Diana, Princess of Wells. However, the general > analysis of the situation in Bulgaria that leaded to the creation of > so many viruses there is rather exact. > [Moderator's note: FYI, I think that's "Princess of Wales".] Ooops, sorry... :-( My apologies to Lady Diana... But my ignorance on the subject somehow demonstrates how popular she is in Bulgaria and how probable is that the Dark Avenger has used her name in his viruses... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Mon, 15 Feb 93 13:57:42 +0000 >From: chl@dmu.ac.uk (Conrad Longmore) Subject: F-Prot 2.07 & Append (PC) F-Prot 2.07 seems to clash with the MSDOS APPEND command. The problem occurs trying to load VIRSTOP after APPEND. VIRSTOP won't install, complaining that the version of DOS is incompatible or a virus is active in memory. The solution is to load APPEND after VIRSTOP, or even better - stop using APPEND altogether. - -- // Conrad Longmore / Janet: chl@uk.ac.dmu / // // Bedford College / Internet: chl@dmu.ac.uk / "It's all gone // //------------------/ Phone: +44 234 345151 / horribly wrong" // // c/o De Montfort / Fax: +44 234 342674 / // ------------------------------ Date: Mon, 15 Feb 93 09:15:35 -0600 >From: "MICHAEL @CPEAK 6807" Subject: Is this a virus? (PC) A friend of mine is running a 386/40mhz machine with ms-dos 5.0 and an ide drive partitioned into 4 smaller drives. recently (the last 3-4 weeks we have experienced crashes on 3 out of the 4 disks. what has happened is if you were in an executable file, all of a sudden the FAT gets scrambled for the drive you executed from, and the disk must be reformatted to recover. I have tried to recover with norton disk doctor ver 6.01 to no avail (too many cross-linked files to deal with). Running scan v100 shows no viruses, running f-prot 2.07 in scan mode shows nothing, in heuristic mode it shows xtg.exe to be suspicious but no known virus. Since we have formated each of the three partitions, everything works fine. but we are concerned as to wether this could be a virus or meerly a hardware failure? We have restored from tape to get both really old versions and recent versions (from the 4th of feb. 1993 and from backup disks from november 1991) and there doesn't appear to be any differences in the file sizes. Any ideas? The system is only 6 months old. Oh yeah, no messages are displayed, so we aren't sure what we are dealing with, except it has happened with three different executables (telix, ACAD10, and frontdoor 2.02). thanks, Michael ------------------------------ Date: 15 Feb 93 18:34:54 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: green catipillar (PC) hzuzan@sgi1.mathstat.uoguelph.ca (Harry Zuzan) writes: > Does anyone know what the green catipillar virus does? In short, it displays a green caterpillar, crawling on the screen. > Will it do any harm? Not intentionally. But it may crash your computer, interfere with other software, infect your friends, etc. > Can I get rid of the virus? Of course. Just replace the infected file with a clean copy. Or use some disinfection program (e.g., F-Prot). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Feb 93 19:03:12 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Michaelangelo's payload (PC) mar@dcc.ufmg.br (Marcio Migueletto de Andrade) writes: > It is known that the Michaelangelo virus makes use of INT 1Ah (AH=4) > to read the system date. It works on a 386, but fails on a XT (nothing It will also work on a '286 and on some XTs with a CMOS-based clock. > is returned). The virus still works but the payload is never > achieved. Is it due to an old BIOS ? Yes. > Is there a *standard* way to > read the system date at *boot time* on a XT ? If not, any virus that No. A genuine XT just does not have a "system date" at boot time, because it doesn't have a clock/calendar or CMOS RAM to store such values. At boot time the system date on a XT is initialized to January 1, 1980. > uses the same function cannot work properly in such machines. Correct. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Feb 93 19:41:35 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: MtE Infected... (PC) mdewaele@TrentU.CA (martin dewaele) writes: > I have Norton Anti-Virus 2.1 and it has detected what is called the > MtE Infected virus. Yet the Repair function states that it is unable > to repair the infected file. As far as I know, NAV is not able to repair any MtE-based virus. It is even not able to detect them reliably. If you -must- repair that file, try the program TbClean from the TBAV package. It is a generic disinfector (i.e., not virus-specific) and sometimes succeeds to disinfect the MtE-based viruses, especially if they are in a COM file. CPAV 1.3+ also can disinfect some of the MtE-based viruses. There is also a German product that can do that, but I guess it is not interesting to you. Nevertheless, it is much better to just delete the infected file and replace it with a clean copy. However, what bothers me is that you are talking about a single file (if I've understood you correctly). In this case, it is likely to be a false positive alarm (for more information about that, please read the FAQ). Thus, you are advised to try a couple of other scanners that are able to detect MtE-based viruses reliably. Two general-purpose scanners (shareware) that can do that are SCAN 100 and F-Prot 2.07. An MtE-only detector, called CatchMtE is freeware and is available from most anti-virus sites, including ours. If no other scanners reports the file as infected, it is almost certainly a false positive. In this case you are advised to contact your local Symantec tech support. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Feb 93 19:51:11 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: New virus in Germany :-( (PC) ballerup@diku.dk (Per Goetterup) writes: > Some of those words are from material by the Belgian techno/industrial > band named 'Front 242'. "Neurobasher" is a B-side song from the > "Tragedy For You" remix-maxisingle, and the sentence "Moment of terror > is the beginning of life" is from the inner cover of their album > "Front By Front" (I think). Hmm, this is yet another proof of the connection that exists between the virus writers and the fans of this kind of music... :-) A colleague of mine in Bulgaria has a paper on this subject; unfortunately it is in Bulgarian... Maybe, if she is reading this, she would like to post a translation... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Feb 93 19:15:54 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: International computer virus day (was: Michelangelo Virus?) (PC) ahubbell@abacus.bates.EDU (Arlyn) writes: > The question came up in our office today: Is the world expecting another > round of the Michelangelo Virus to turn up on march 6 this year? Does > anyone know if the date trigger on the virus checks for the year? > [Moderator's note: Michelangelo does not check for the year; it > triggers on 6 March of any year.] Disclaimer: the opinions expressed below are entirely my own. The VTC-Hamburg might or might not agree with them. In any case, we do not want to be accused in starting another virus scare. Answer: Yes, as Ken points it out, the Michelangelo virus does not check for the year and activates on March 6 on ANY year. Now, may I remind you that regardless of the world-wide virus scare the last year, when you might have hoped that even the little old ladies that can't program their microwave have been warned about the virus, there were still a couple of thousands of trashed hard disks on March 6 around the world. This year, nobody's going to believe us when we tell them that computer viruses exists and can damage your data. This year March 6 is a Saturday, so it is unlikely that you'll even turn your office computer (the one with the important date) on. Yet, Michelangelo is not dead. It is still around and is still causing about 1% of the reported infections. This year there will be some hard disks trashed on March 6 too. Maybe hundreds of disks around the world, maybe even a thousand or two. Almost nothing. But you wouldn't want that to be YOUR hard disk, would you? This year, like any other, on March 6, like on any other day, hundreds of viruses are lurking around, causing the other 99% infections. Viruses like Stoned and Jerusalem, like Form and Green Caterpillar, that don't do anything remotely as spectacular and thrilling as Michelangelo. Yet they -are- lurking around, they -are- infecting the computers around and they -are- causing data destruction - - often unintentionally, due to bugs. So, how about declaring March 5 as International Anti-Virus Day? There are several things you can do to participate: 1) Get a good, up-to-date scanner and run it at least once. Computer viruses -do- exist. It is rather unlikely, but one of them might be on your computer, or on that nifty game your kid just copied from a friend. Scanners are a weak line of anti-virus defense, because they cannot detect new viruses, but most good scanners can detect all widespread viruses. There are some very good scanners, which are essentially free. Get one and use it. 2) Back-up your data. Don't delay it until you finish that other "more important job", or it might be too late. Devise a good backup strategy and follow it strictly. 3) Get a good integrity checker and install it on your system. There are several shareware ones, which are not 100% fool-proof, but are good enough. Besides, all widespread viruses are foolish enough and will be detected. 4) Tell all your friends who are using computers about these four points and ask them to participate. Remember - every virus that is detected and destroyed means one virus less to attack somebody's systems in the future - maybe even yours. 5) Try to follow those guidelines during the whole year, not only a single day. After you get used to them, you'll see that it's not that difficult at all. 6) Educate your fellow users. If you are a system administrator, a tech support person, or just have some friends who are also using computers, educate them about computer viruses. You are already reading Virus-L/comp.virus; that's good. Get the FAQ and read it. Get some of the information sources referred there and read them. Share your new knowledge with other computer users. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Feb 93 20:04:03 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Notes about Sunday Virus (PC) EM436861@ITESMVF1.RZS.ITESM.MX (Mario Rodriguez (Virus Researcher)) writes: > Sunday infects programs with extensions .COM, .EXE and .OVL as they are exe > uted. The .COM files grow 1,636 bytes, and files .EXE and .OVL grow between 1, That's not quite correct; the virus does not infect overlays. It intercepts INT 21h/AX=4B00h and infects anything executed this way, except COMMAND.COM. If the file being executed matches the specification ????????.??M, then it will be infected as a COM file, otherwise - as an EXE file. Overlays are NOT loaded this way. > Sunday intercepts interrupts 21h (Dos services) and 8 (time of day), but th > last one is only intercepted if the year is different 1989. In any other year > the virus will activate on Sundays, and in that day 10 seconds after an infect > d program is excecuted, th virus will 'teletype' the next message using interr > pt 10h (video services): No, version A of the virus does not do that. It contains a bug (waits for the eight day of the week), due to which it never activates. What you have is probably Jerusalem.Sunday.10_seconds. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Mon, 15 Feb 93 15:34:54 -0500 >From: "Rich Travsky 3668 (307) 766-3663/3668" Subject: Virstop 2.07 & Lanworkplace = Windows Hangs... (PC) I have been using VIRSTOP from the recently released version 2.07 of F-Prot, and have noticed the following about a couple of the new options (/COPY and /BOOT) under Lanworkplace. My setup: a 386 Zenith pc; on a Novell 3.11 lan using ODI; using Lanworkplace. Besides the Novell stuff, Lanworkplace uses another piece of network software called TCPIP.EXE. Virstop is loaded after all the network software. When I start up Windows (3.1), it generally puts me right back at the dos prompt. Or it might just hang the machine, forcing a re-boot. Once, by chance that I wasn't able to repeat, I got a message saying something like "not enough file handles for dos operation" (or words to that effect). So, I tried increasing the number of file handles. Sure enough, the more file handles I set, the farther into Windows I get. However, Windows still fails, giving messages like "general protection fault", sometimes on progman.exe, sometimes on krnl386.exe, and sometimes with user.exe. At this point I was well over 200 file handles (also counting the ones allocated in the Novell NET.CFG file). Anyone have any thoughts, workarounds, etc.? Need more information? I think the two options are great additions to F-prot and we have some setups on our campus that could really use this. We haven't committed to distributing and supporting Lanworkplace yet, but if we do, we won't be able to recommend the use of these features. At the moment I'm only posting this to comp.virus; I may also post it to the Novell groups and the comp.protocols.tcp-ip.ibmpc group (so apologies if you end up seeing this more than once). Thanks all, +---------+ Richard Travsky RTRAVSKY @ UWYO . EDU | | Division of Information Technology | U W | University of Wyoming (307) 766 - 3663 / 3668 | * | "Wyoming is the capital of Denver." - a tourist +---------+ "One of those square states." - another tourist ------------------------------ Date: 15 Feb 93 20:28:30 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: STONED update/additional info questions. (PC) CASTILLO@nauvax.ucc.nau.edu (Ulysses Castillo) writes: > I want to thank the people who have responded with their ideas about > what might be happening. I also wanted to explain more clearly > the procedure we followed. Specifically: Sigh... Some people won't read the FAQ, regardless how often you tell them to do so. And some anti-virus producers won't fix their products, regardless how often you are telling them what's broken and how to fix it... > 3) Inserted an infected floppy in B:. > 4) Ran scan on b:. No virus found in memory, stoned virus found > in boot sector of B:. The scanning process has caused the infected boot sector of the floppy to be read in the DOS buffers. Now the virus is there (i.e., in memory), but, of course, is not active. > 5) Ran scan on B: again. Virus found in memory and in boot sector > of B:. (HOW???) Virus found in memory (in the DOS buffers), because SCAN is stupid enough to scan the whole memory, instead of only those places where this virus could reside, if active. Why the virus is found on the floppy I don't know, but this is again some kind of mistake. > 6) Reboot (cold boot, not control-alt-delete). This cleans the memory, including the DOS buffers, thus the virus code is wiped out. It has never been active anyway. > 7) Inserted infected disk in B:. > 8) Ran CLEAN on B:. Virus NOT in memory, but found in boot sector > of B:. Virus removed from B:. The cleaning operation has read the infected boot sector in the DOS buffers. > 9) Ran scan on B:. Virus found in memory. (Again, HOW???), but NOT > found on B:. Virus found in memory (in the DOS buffers), because SCAN is stupid enough to look for it there. > Again, from these observations we are being led to believe that stoned > loaded itself into memory after a read operation on the infected disk. Nope, it's actually DOS that loads the virus code (the infected boot sector) in its buffers. > Again, the documentation I've read on Stoned seem to indicate that > this is impossible. It is impossible for the virus to become ACTIVE, if you just read an infected floppy. But of course it is possible to place its code in memory - where do you think goes everything that you read from the floppy? > Alternately, it's been suggested that SCAN/CLEAN > can give false alarms on occasion. Yup. This is called ghost positive. It can be easily avoided by the producer of the scanner with a little bit of intelligent programming. I suggest that people REFUSE to use anti-virus software that is so stupid. Maybe some user pressure put on the developers will force them to fix the product. > Ideas? Read the FAQ. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 15 Feb 93 20:39:53 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Suggestion to the developers of resident scanners (PC) oep@colargol.edb.tih.no (oep) writes: > Frisk made the /DISK option for VIRSTOP a long time ago :-) Uhm, well, not so long time ago, I think... :-) > : 1) Scan the file when it is executed ONLY if it resides on a floppy. > Why not when executed from a network drive, where your friends has > put all their viruses....... Ah, yes, I forgot about that. Yes, the file should be scanned when executed from a network drive too. BTW, one thing that Frisk really *MUST* implement soon is an option to re-activate VirStop after the network shell has been loaded... > I guess there are many ways to implement a resident solution, and by > giving the users all options, you get a flexible solution. But you also > make the resident routine more complex, and larger. Yes, flexibility is the key... But code added due to this kind of complexity does not increase much the resident program size. In any case, much less than the database of scan strings... > Regarding 486, how long do you think the 286 will live ? This is irrelevant. My colleague is using a slow '286 -now- and he is removing the virus protection due to the system slowdown -now-. (Actually, he removed it a few days ago.) Therefore, we need a fast resident scanner -now-. I'll try to convince him to use VirStop and we'll see whether the system slowdown will be bearable... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Mon, 15 Feb 93 16:23:41 -0500 >From: fergp@sytex.com (Paul Ferguson) Subject: FORM (again!) (PC) On 12 Feb 93 (14:53:29 GMT), Julian Haddrill wrote - > I too have had the same problem, with the 'FORM' virus. As you may have noticed, the FORM virus has enjoyed wide-spread propagation around the world. One of our clients in New York has had a re-occuring problem with it for six months or better. (Makes one wonder how "Corinne" is faring -- better than Sylvia, I would hope, considering that her address was not inclusive in the code!) > Scanning and finding the virus caused it to infect my PC, and I > had to Clean the PC from a Write-Protected safe floppy with > CLEAN on it. Your problem sounds as if you're either finding "ghost" signatures in memory (or in the master boot sector, which was not disinfected properly) or you somehow have managed to re-introduce the virus into your system in some fashion. Don't put all of your eggs into one basket: Try another recommended virus detection utility. > You've just got to be careful out there! Yes, we all do. :-) Cheers from Washington, DC Paul Ferguson | "Making duplicate copies and computer Network Integration Consultant | printouts of things no one wanted Alexandria, Virginia USA | even one of in the first place is fergp@sytex.com (Internet) | giving America a new sense of sytex.com!fergp (UUNet) | purpose." - Andy Rooney 1:109/229 (FidoNet) | PGP public encryption key available upon request. - --- fergp@sytex.com (Paul Ferguson) Access <=> Internet BBS, a public access internet site Sytex Communications, Arlington VA, 1-703-358-9022 ------------------------------ Date: 15 Feb 93 21:50:22 +0000 >From: andywang@crown.berkeley.edu (Andrew Wang) Subject: Re: windows virus (PC) - is WALDO one? chess@watson.ibm.com (David M. Chess) writes: >>From: S.M.Baines@sheffield.ac.uk >> >>I am sorry to be a nuisance, but several users of Windows at Sheffield >>appear to have been hit by a virus that isn't detected directly. Using >>memory resident virus checkers only detect a write to a protected file >>or disc, but not the name. Scanning the disc and memory also fails to >>show up the 'virus'. >Well, the possibilities seem to be: > - A genuine Windows-targetted virus, although that seems unlikely > since you say that the Windows files fail to run after > being altered, > - A Trojan Horse program that's just damaging the Windows files, > - A DOS virus that your "memory resident virus checkers" don't > have a specific signature for, but that they are able to > notice now and then, > - A system problem that's causing some component of the system > to mistakenly alter other components, > - A problem with your resident anti-viral, that's causing it > to give false reports and then mess up the system. We have been experiencing a problem with Windows that also may be connected with a virus. Recently a couple machines have been producing a "WALDO has caused a General Protection Fault" error, and then crashing hard. The only reason I suspect a possible virus is "WALDO". For those of you who haven't read Waldo books, I have been told there are a set of books where you have to find Waldo, and it can be very difficult to find him. I haven't been able to find any documentation of a virus called Waldo, but since our data is valuable to us, I am taking the possibility seriously. Here's some info: We run Word for Windows, Corel Draw, and Excel almost exclusively. I've just downloaded virscan90 but it turns up nothing. We use SCSI disks. If anyone can shed some light, I'd really appreciate it!!! Andrew ------------------------------ Date: 15 Feb 93 22:06:00 +0000 >From: "Tan Bui" Subject: Re: New Virus (PC) Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes... >Daphne Rosenhouse writes: >Whell, it could be as you say (a variant of the WHALE), but it would >be rather surprising, since the Whale is an old one and from a viral >point of view... an unsuccessful one. > >I find it hard to believe that someone will use this as a base virus >for modifications. [...] Well, from my point of view, the Whale virus is one of the better viruses written by the virus authors. It uses stealth techniques and has procedures to keep away the unsuspecting and the less qualified 'debuggers'. It is a virus from which you can learn a lot, and I am sure that some people will take its source codes for modifications. Take the Jerusalem virus for example. It is a rather old virus, and yet, modifications have been made to it, and have been released. Although the Whale virus has flaws, we can learn a lot from it. ------------------------------ Date: Mon, 15 Feb 93 22:29:58 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: NAV questions (PC) Ioep@colargol.edb.tih.no (oep) writes: [comments about NAV and SCAN and VSUM deleted] >As far as I know, there is a close link between the authors of SCAN and >VSUM, and i wouldn't trust the test as a purely independent test. > >I did *not* say that I trust NAV either.... There is no close link between McAfee Associates and Ms. Hoffman, at least, none different from that between her and any other anti-viral vendor. Regards, Aryeh Goretsky Technical Support - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | mcafee@netcom.COM Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95054-3107 USA | USR HST Courier DS | or GO MCAFEE Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR ------------------------------ Date: Mon, 15 Feb 93 18:16:21 -0500 >From: Fabio Esquivel Subject: Re: New virus in Germany :-( (PC) G'day netters: Per Goetterup (ballerup@diku.dk) writes: > Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert) writes: > >>- - contains the encrypted text "T.R.E.M.O.R was done by NEUROBASHER / >> May-June'92, Germany" and "MOMENT OF TERROR IS THE BEGINNING OF >> LIFE" >>- - Length: exactly 4000 bytes > > Just for your information: > > Some of those words are from material by the Belgian techno/industrial > band named 'Front 242'. "Neurobasher" is a B-side song from the > "Tragedy For You" remix-maxisingle, and the sentence "Moment of terror > is the beginning of life" is from the inner cover of their album > "Front By Front" (I think). I'm not stranged about this; just FYI: - The DIR-II alias "Creeping Death" may come from the Heavy Metal band "Metallica": third song, B-side, "Ride the Lightning" long play. - Dark Avenger mentions "Eddie lives... Somewhere in Time", where Eddie is the Iron Maiden's puppet and 'Somewhere in Time' is their 1986 long play. - The variant of Dark Avenger "Die Young" (V2000-B virus) mentions "Only the good die young", which is the last song, B-side, of the "Seventh Son of a Seventh Son" long play of the same Speed Metal band Iron Maiden. Even more, the string "Seventh son of a seventh son" is found inside the "Seventh Son" virus... - The "Evil Men" virus (variant of Dark Avenger) contains the text "The Evil that men do" which is a song from the same long play "Seventh son of a seventh son". - The V800 virus has the encrypted text "Live after Death" which is the name of the album that Iron Maiden released in 1985 (live in from California and Hammersmith Odeon, London). - The August 16th virus has the string "IRON MAIDEN" inside... - The Enigma virus contains the string "This is the voice of Enigma... the spirits of the hell are coming back!". The first sentence is from the song "The voice of Enigma" (1st A-side) from the long play "ENIGMA+ MCMXC a.D." of the group (yup!, you guessed it) Enigma. In the back cover of this album you can read the string "LPVIR 1" ("Long Play Virus 1"?). As you can see, there's a couple of music-fans writting viruses out there. So beware of those neighbors who like the music/noise... Regards, Fabio * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Fabio Esquivel Chacon * Computerize God - It's the new religion * * fesquive@ucrvm2.bitnet * Program the Brain - Not the heartbeat * * University of * * * * Virtual existence / Superhuman mind * * Costa Rica * The ultimate creation / Destroyer of mankind * * "My girlfriend, * Termination of our youth / For we do not compute * * ____/| music and * * * \'o O' computers * "Computer God" - Dehumanizer * * =(_Q_)= drive me * Ronnie James Dio - Black Sabbath (1992) * * U crazy..." * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 28] *****************************************