Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5) id AA26941; Mon, 1 Mar 1993 22:02:00 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA37296 (5.67a/IDA-1.5 for ); Mon, 1 Mar 1993 15:31:18 -0500
Date: Mon, 1 Mar 1993 15:31:18 -0500
Message-Id: <9303012031.AA27911@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #36
Status: RO

VIRUS-L Digest   Monday, 1 Mar 1993   Volume 6 : Issue 36

Today's Topics:

Re: your opinions on virus legality
RE: your opinions on virus legality
Opinions?: Netware .NLM virus checkers (Novell)
PD Virus Detect/Clean (PC)
Re: FPROT, Thunderbyte, & DataCrime II (PC)
Re: Rebuilding partition tables (PC)
Re: Question about Patricia Hoffman and John McA
Re:Michelangelo detect/removal instructions (PC)
Re: Scanning memory (PC)
Re: EXE/COM switch (PC)
Scanners and Compressed Disk Boot Sectors (PC)
Is this a virus? (PC)
Michelangelo or STONED? (PC)
scanners. (PC)
strange behaviour, may be a new virus... (PC)
Re: Rebuilding partition tables (PC)
scanners. (PC)
Re: PC Magazine reviews virus scanners (PC)
Re: standardization (PC)
Re: my idea for detecting (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues
are available by anonymous FTP on cert.org (192.88.209.5).
Administrative mail (comments, suggestions, and so forth) should be
sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: 26 Feb 93 17:30:20 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: your opinions on virus legality

luis.gamero@canrem.com (Luis Gamero) writes:

> No. If you keep it in your OWN possession how could it be illegal?
> You can own a gun and not use it. That's not illegal.

Wrong. In my country (Bulgaria), it is illegal to have a gun, unless
you are working for the police, army, etc. You see, there are BIG
differences between the local laws in the different countries. You
shouldn't assume that something is legal or illegal (and should remain
so) just because it is so in your particular country. On the other
side, computer viruses do not recognize country boundaries...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 26 Feb 93 12:54:19 -0500
From: "Hansen, Gary"
Subject: RE: your opinions on virus legality

Luis Gamero writes re: virus legality:

>No. If you keep it in your OWN possession how could it be illegal?
>You can own a gun and not use it. That's not illegal.

True. But if your gun goes off--either accidentally or
intentionally--and somebody else is injured, then you are legally
responsible. Could say the same thing about viruses, I suppose...
Gary Hansen
SDSM&T Computing & Networking Services
ghansen@silver.sdsmt.edu

------------------------------

Date: Thu, 25 Feb 93 22:14:49 +0000
From: ccab@augustana.edu (Andy Barcus (7209))
Subject: Opinions?: Netware .NLM virus checkers (Novell)

Can anyone recommend for or against (by personal experience) any of
the .NLM virus checkers ?? Please send to my address as well as the
list.

ccab@augustana.edu

Thanks, Andy.

------------------------------

Date: Thu, 25 Feb 93 19:33:21 +0000
From: Carpenter@Fwva.Saic.Com (Apprentice Wizard)
Subject: PD Virus Detect/Clean (PC)

I'm looking for opinions on the best public domain virus
detectors/cleaners. Any help would be greatly appreciated.

Thanks

- =-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=
Scott Carpenter VAX Systems Manager    Ya dina' tell 'im how long it'd really
SAIC Falls Church, VA                  take ta fix it did ya'?
CARPENTER@FWVA.SAIC.COM                M. Scott, CAPT, SUFP
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: 26 Feb 93 14:45:28 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: FPROT, Thunderbyte, & DataCrime II (PC)

mharlos@ccu.umanitoba.ca (Michael Harlos) writes:

> I've just run FPROT 2.07 for the first time, in a "real DOS" (not OS/2
> DOS) session, with several Thunderbyte TSR's loaded. One of the
> Thunderbyte TSR checks for suspicious activity.
> FPROT warned me that "DataCrime II virus search activity was found in memory".
> This warning did not occur if I ran FPROT from a clean floppy boot, or if
> I remmed out the lines in the autoexec.bat & config.sys files that loaded
> the Thunderbyte TSR's. It also doesn't occur in OS/2 DOS, in which I don't
> load the Tbyte programs.

It's definitively a false alarm, but it is difficult to tell whose
mistake it is exactly. One reason may be that the Thunderbyte TSR
(TbScanX?) keeps some unencrypted strings in memory.
On the other hand, why should F-Prot find the DataCrime II virus in
memory at all?? If I recall correctly, DataCrime II is a non-resident
virus...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 26 Feb 93 05:53:41 +0000
From: chowes@sfu.ca (Charles Howes)
Subject: Re: Rebuilding partition tables (PC)

chowes@sfu.ca (Charles Howes):
  Has anyone written a program that will allow you to create a new
  partition table sector from scratch?

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson):
  Well I have all of the pieces, just not ready for Prime Time...
  ..(important stuff deleted)..
  Thus the information can be found in not one but *four* different
  places on a DOS disk (Unix or Novell are different but the info is
  still there - just keep fresh batteries in your TI Programmer 8*).

riordan@tmxmelb.mhs.oz.au (Roger Riordan):
  You may recall that AntiCad (which goes off either if you access...
  ..(important stuff deleted)..
  I imagine this was the type of situation chowes@sfu.ca (Charles
  Howes) had in mind in his original query. Anyone got any other
  ideas?

- ------

Actually, I hadn't thought of it that way, but that describes it
pretty well.

I'd like to see a program that will tell me what these four sources
are saying the hard disk should be, allow me to pick the one I think I
picked when I first partitioned my hard disk, and lay down a brand new
set of sectors.

I want to completely replace the four sources of information that may
be conflicting. I want these sectors to look like they did the day
after I bought and formatted my hard disk.
And if the only damage to my hard disk was those sectors, I want my
FAT table and root directory to be the same as they were the day
before.

What does fdisk do? I had hoped it replaced the entire sector that has
the MBR and partition table in it, and left the rest alone, but that
does not seem to be the case. Am I wrong? Is format in charge of the
DBR's? Does sys diddle with it too?

One thing I can say for sure is that some versions of NDD ask you 'are
you having problems booting from your hard disk' and can't fix the
"problem" that they detect.

------------------------------

Date: 26 Feb 93 17:11:45 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Question about Patricia Hoffman and John McAfee

sbonds@jarthur.Claremont.EDU (007) writes:

> information found in VSUM. As to contacting Ms. Hoffman, I did
> exactly that about a year and a half ago. After disassembling the
> Cinderella virus, I sent a copy of my findings to Ms. Hoffman so she
> might be able to update her entry for Cinderella. I never received
> any reply, and the entry on Cinderella remains the same as it always
> was.

I've had similar experience to yours, except that it was not about a
single virus only... The final result was the same as in your case,
however... :-\}

> VSUM is a potentially very useful product. How many times on this
> list alone have we seen people asking "I've got XXXX virus, what does
> it do??" My only beef with VSUM is that the information is SO
> inaccurate. The VSUM hypertext interface is extremely easy to use, if
> only we could couple that with some genuinely accurate information!
> Currently, MSDOSVIR is the only list I know of that contains accurate
> or nearly accurate virus info. Frisk also has good information, but
> it is rather brief.

There are two other alternatives. First, we are working on a browsing
program for the Computer Virus Catalog (of which MSDOSVIR is only a
part).
The package, called CVBASE is available via anonymous ftp from our
site. It is a -very- preliminary version. We expect to release a much
improved version in the next few days, together with an updated
version of the Computer Virus Catalog (still hopelessly incomplete -
only 155 MS-DOS viruses are described, sigh...)

The second alternative is produced by ICSA and is called V-Base. A
demo version of it (supporting only the viruses with names beginning
with A, B, and C) is also available from our ftp site. It uses the
same format as VSUM, so one can use the same hypertext engine to view
it. It is still quite incomplete, and many of the entries bear the
brevity of the virus descriptions in F-Prot, but at least the
information is more exact than in VSUM.

> Too bad we can't get MSDOSVIR in hypertext format.

This might improve in the future...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 26 Feb 93 12:48:50 -0500
From: Garry J Scobie Ext 3360
Subject: Re:Michelangelo detect/removal instructions (PC)

Hi there,

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Nope, won't work on a hard disk. DEBUG's "l" command can only read
>logical sectors. That's OK on a floppy, but on the hard disk the
>virus is in the MBR, which does not belong to any logical partition
>and thus can be accessed only as physical sector. So, in this case
>you'll have to write a short assembly-language program that reads the
>MBR.

David Chess in virus-l Volume 3 Issue 109 (7 June 1990) mailed a small
program which I believe may be of interest here.
Cheers

Garry Scobie
Edinburgh University Computing Service
Scotland
e-mail: g.j.scobie@ed.ac.uk

------------------------------

Date: 26 Feb 93 13:03:01 -0500
From: ac999512@umbc.edu (ac999512)
Subject: Re: Scanning memory (PC)

>> I think it best that scanners should check interrupt vectors and so
>> forth to determine if the virus is active, then inform the user as to
>> the presence of the virus, and whether or not it is active.
>
>That's rather difficult to implement reliably. What does "check the
>interrupt vectors" mean? Just look in the Interrupt Vector Table? Many
>viruses don't modify it at all. And what if something (a TSR) has
>intercepted the vector -after- the virus? What then? Trace the
>interrupt vectors? Again - too unreliable on some machines. No, this
>is not a good idea...

Yes, perhaps so. That's what I get for letting my fingers move faster
than my thoughts! :-) . But at the very least a scanner *would* be able
to tell the difference between Stoned at the top of system RAM, and
Stoned in the DOS buffer, and in that case *could* inform you as to
whether it's active or not. I realize this works only for the viruses
you know are capable of being in only one location to be active, but I
still don't feel satisfied when people continuously think they are
being nailed by Stoned, drive themselves crazy looking for it, and the
whole time it's only in the DOS disk buffer.

+-------------------------------------------------------+
| Ed T. Toton III, Virus Researcher   ac999512@umbc.edu |
|     BREAKFST.COM halted! Cereal port overflow!        |
+-------------------------------------------------------+

------------------------------

Date: Fri, 26 Feb 93 15:03:36 -0500
From: Fabio Esquivel
Subject: Re: EXE/COM switch (PC)

Hi netters.

Sometime ago I wrote a program that changes the executable filename's
extensions (EXE & COM) to other user-given extensions. The idea was to
see if file infector viruses could infect those files too (those with
the new extension).
I had to modify COMMAND.COM as well internally in order to allow it to
recognize the new extensions (eg EEE instead of EXE and CCC instead of
COM) and to be able to execute the files. I tested 10 or more
different file infectors against the renamed files and all of them
were able to infect the files correctly.

You may say "Why did you change the file extensions?". The program
would just be installed in computers used by "fool" users, that is,
people who don't even know what is a DIR command or what is a
directory name; users who just know some menu program that runs in the
autoexec.bat. If they bring a new diskette from home with a funny
game, it will not run because the game has an EXE or COM extension,
which are not recognized by the modified COMMAND.COM.

Anyway, the experiment failed and the file infector viruses (DIR-II,
Dark Avenger, Lisbon (Vienna), Sunday and others) did infect the
files. I think there's no way of fooling file infector viruses, is
there?

Regards,

                             /&\
                            (o O)
* * * * * * * * * * * *ooO*  (_)  *Ooo* * * * * * * * * * * * * * * * * *
                              U
* Fabio Esquivel Chacon  * Computerize God - It's the new religion      *
* fesquive@ucrvm2.bitnet * Program the Brain - Not the heartbeat        *
* University of          * Virtual existence / Superhuman mind          *
* Costa Rica             * The ultimate creation / Destroyer of mankind *
* "My girlfriend,        * Termination of our youth / For we do not compute *
* ____/|   music and     *                                              *
* \'o O'   computers     * "Computer God" - Dehumanizer                 *
* =(_*_)=  drive me      * Ronnie James Dio - Black Sabbath (1992)      *
*    U     crazy..."     *                                              *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

------------------------------

Date: Fri, 26 Feb 93 15:35:28 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Scanners and Compressed Disk Boot Sectors (PC)

Recently there has been some discussion concerning a problem with
scanning compressed drives for viruses and constantly getting a flag
that the "boot sector has changed".
Actually, this is an indication of a much more serious problem that
A-V producers should address immediately: The problem indicates that
the A-V product *thinks* it is checking the real OS boot sector when
in reality it is checking the swapped compressed drive "boot sector".

To me this means that a) the real boot sector is *not* being checked,
and b) the A-V is relying on DOS Interrupt 25 to read the sector
rather than Interrupt 13 (or a direct BIOS call - better).

The important thing is that while DOS since the early 3's has provided
a means to validate /bypass Interrupt 13, there is no way to validate
Interrupt 25.

With the rise of companion and stealth viruses, to be sure in checking
the low levels you must first authenticate the path to disk (it can be
done even from DOS), and then walk the boot procedure to make sure
that there are no "extra added attractions". This does not take any
longer to do than using DOS (in fact is probably a few cycles shorter)
and eliminates a possible intrusion path.

As a consequence, the fact that the A-V is checking the STACed drive
boot sector means more than just an error is being flagged each time,
it would make me concerned that the real boot sector may be skipped.

Warmly,
Padgett

------------------------------

Date: 22 Feb 93 20:29:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Is this a virus? (PC)

Quoting from A_mtwiselt@cpvax.cpses.tu to All About Is this a virus? (PC) on
02-21-93

A.> happened is if you were in an executable file, all of a sudden the FA
A.> gets scrambled for the drive you executed from, and the disk must be
A.> reformatted to recover. I have tried to recover with norton disk

It could be a new or unknown virus.

If the files start to crosslink again, do the following.

Format a low density diskette in A: of the affected computer.
Copy a few .COM, and .EXE files to this diskette.
Run each of the files twice
Then mail the diskette to a virus researcher for study.
Bill

- ---
 * WinQwk 2.0 a#383 * GOT-YOU activates Jul - Dec

------------------------------

Date: 22 Feb 93 20:47:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Michelangelo or STONED? (PC)

Quoting from Leprican~~~ to All About Michelangelo or STONED? ( on 02-21-93

L > Reformatting it from a write-protected floppy didn't remove it, eithe
L > Does anyone have any suggestions on how to combat this virus?
L > thanks,

You should be able to remove Michelangelo with Clean with the
following from the command line.

CLEAN C:[MICH]

[Moderator's note: See the recent discussions on the potential
problems with using this command.]

Maybe you have a new variant of Michelangelo.

The reason the format didn't remove the virus is because viruses like
michelangelo and stoned hide in the partition table of the hard
drive, and Format never touches this area.

Bill

- ---
 * WinQwk 2.0 a#383 * JERUSALEM (Arnakia) activates Tuesday the 13th

------------------------------

Date: Sun, 21 Feb 93 08:37:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: scanners. (PC)

>> Scanners, assuming you are using a good one, is also a way to
>> defend against NEW viruses. [...]

> This is only true for heuristic scanners - if you use signature-based
> scanners against new, unknown viruses - how will you detect them?
> You told us you detected DIR-2 with a scanner. Either you used a heuro-
> scanner or you detected the virus after it had been implemented in the
> scanners - then it was no longer 'new'.

I think I chose the wrong word. By NEW I meant 'Viruses you don't
already have on your system'. I think we all agree that only heuristic
scanners are able to provide SOME means of protection against
completely new and unfamiliar viruses.

True, I did find out the Dir2 after it was known. Still - I scan EVERY
disk I put in my drive, even if I gave it to my best and most trusted
friend, and I indeed got saved...

Inbar Raz
- - --
Inbar Raz 5 Henegev, Yavne 70600 ISRAEL.
Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: MadMax BBS - Co-SysOp's Point. (9:9721/210)

------------------------------

Date: Thu, 19 Mar 92 23:28:04 +0100
From: Gerard_Mannig@f0.n462.z9.virnet.bad.se (Gerard Mannig)
Subject: strange behaviour, may be a new virus... (PC)

Hi all !

I recently experienced things somewhat surprising. Sound like a virus
infection, more precisely : a boot and/or MBR virus infection.

Scenario:

Students regularly save their work on both HD and 3.5" disks. Since
January 8, 1993, floppy disk get unreadable after data were saved onto
them. No data error or tampering symptoms on HD. These disk
corruptions happened intermittently. Norton Ut. or CP' DISKFIX got rid
of this nasty thing.

At this point of the history, we all could think about material
trouble : this phenomena is reported on about 50 computers !
Considering this is a up to 2,000 people graduate school, each one of
them needs to compute every day, let's imagine how nervous is the
manager ! ...

Let's get back to serious things, now. None of the following AV tools
showed a known virus :

SCAN99
TBSCAN5.03
VIREX 2.6
F-PROT 2.06
CATCHMtE 1.9

No time-stamp file corruption.
No false defectives sectors
No CHKDSK interesting indications ( loss of RAM,...)
No more map MEM interesting info, showing an abnormal TSR, for example..

When working with a clean-booted computer, everything seems to work
fine.

No file reproduction were noticed : on a clean-booted computer, I did
a complete CRC ( with TBSCAN 503 ) control on each executable file.
After having rebooted from the supposed infected HD, I ran some
programs like FORMAT.COM and others. Once more, I re-booted with a
clean-write-protected disk to check out eventual CRC modifications :
none.

The only kind of viruses seems to be, IMHO, a BOOT virus and/or MBR
virus : no filesize modifications. Unfortunately, I couldn't run
SYS C: and FDISK /MBR to proof this.
Some viruses 'experts' (?) told the manager that the BR was copied on
sector 14. After checking this, no BR in there.

The only virus beginning to act on January 8th is 'TAIWAN'. Problem is
TAIWAN does *NOT* do that.

Any idea would be warmly appreciated, if any.

- ---
 PPoint 1.52 "Virus into the HD ? Dial +33 3559-9344 at once"
 * Origin: A Professional Point System (2:320/204.5)

------------------------------

Date: 27 Feb 93 08:21:02 +0000
From: phys169@csc.canterbury.ac.nz
Subject: Re: Rebuilding partition tables (PC)

riordan@tmxmelb.mhs.oz.au (Roger Riordan) writes:

> You may recall that AntiCad (which goes off either if you access
> ACAD.EXE, or if you hit C-A-D while the tune is playing) overwrites
> all tracks on cylinder zero on drives A-D, then further tracks at
> increasing intervals till it gets to the end of the disk, then fills
> the CMOS RAM with 'FF's...
> I imagine this was the type of situation chowes@sfu.ca (Charles
> Howes) had in mind in his original query. Anyone got any other
> ideas?

If all else fails, you can get the size of the disk from either
manufacturer's data or automatic detection in some BIOSes (like AMI)
or my freeware CMOS299 program. After you find that out, you can set
up the CMOS (again, my program or many modern BIOSes do a pretty good
job of setting up something reasonable when asked nicely). Once you
get to that stage, FDISK can create a new set of partitions (losing
everything) or something like Norton's Disk Doctor might be able to
sniff out whatever remains of the original partitions. If too much has
been written over there isn't a lot of hope, but somebody determined
enough (with the knowledge to look for clues like the fact that .. in
a subdirectory tells you where the parent directory, and therefore the
two copies of the FAT)

What can be useful is to know how to put a valid partition table on a
disk, without touching any other sector on the disk.
One way is to copy one off another disk with a disk editor, another is
something like NDD that I mentioned before, another is a program which
I can't remember at the moment but is free and I could grab it if
anyone needs it. I have a feeling Padgett had one too, or was working
on it?

Mark Aitchison.

------------------------------

Date: Fri, 26 Feb 93 11:57:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: scanners. (PC)

Hi Inbar.

You write:

> I think I chose the wrong word. By NEW I meant
> 'Viruses you don't already have on your system'. I
> think we all agree that only heuristic scanners are
> able to provide SOME means of protection against
> completely new and unfamiliar viruses.

That is not entirely correct. There are other ways to detect new
viruses, these are what we call generic programs. However you are
right in the manner that PASSIVE scanning will detect only known
viruses, or possibly new ones with heuristic scanners only. Yet there
are programs that detect new viruses while attempting to execute
(such is IRIS's TSR module, and some optional McAfee's VSHIELD
functions, and there are others...) Our software for example, will
detect new viruses, and even eliminate them while they are completely
unknown to the program.

All the best

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Sun, 28 Feb 93 07:12:19 +0000
From: jeffb@world.std.com (Jeffrey T Berntsen)
Subject: Re: PC Magazine reviews virus scanners (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>cwong@cs.cornell.EDU (Christopher Yoong-Meng Wong) writes:

>> Have others seen the March 16, 1993 issue of PC Magazine yet? Normally, I
>> wouldn't expect this group to care much, but this magazine has tremendous
>> influence in the industry. A summary:

>> 1. Editors' choices are CPAV and NAV.
>This alone tells enough about the level of competence of the
>reviewers... I guess they have looked again to the user interface,
>instead of to the anti-virus features...

That's complete nonsense. PC Magazine looked again to the products
they get the most money for the slick ads they print, as usual.

Jeff Berntsen
jeffb@world.std.com

------------------------------

Date: 25 Feb 93 20:45:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Re: standardization (PC)

Quoting from Fridrik Skulason to All About Re: standardization (PC) on
02-25-93

FS> We did....more than a year ago...:-)

Really? I wasn't aware of that. But then it's kinda hard to compare
names on hundreds of specimens.

The only reason that I brought this up is because recently a friend of
mine called wanting help with removing the green caterpillar virus. I
gave him some info, and explained how to remove it. He isn't exactly a
rocket scientist, and two hours later he called back saying that he
had the 1575 virus. Jerry was paranoid, so I calmed him down, and
explained that 1575 and Green caterpillar viruses were one and the
same. I drove over and gave him a copy of Patricia Hoffman's VSUM, and
showed him that they really were the same virus.

I am sure there are other people like jerry that use two or more
scanners, and I believe standardizing the names would be the best
thing scanner authors could do for their users.

Getting off my soap box now. ;-)

FS> Actually, there is a *semi-official* naming standard...the CARO namin
FS> which unfortunately is not used by all the programs on the market. E

I'm glad that scanner authors are using the CARO naming system.

Occasionally I run into new or modified specimens. How can I send
these specimens directly to CARO? Up to now, I have been sending them
to Glenn Jordan, Wolfgang Siller. or yourself. I would like to be able
to send these specimens directly to CARO to cut down on the amount of
time to get these to CARO.
Bill

- ---
 * WinQwk 2.0 a#383 * SUNDAY activates any Sunday

------------------------------

Date: 25 Feb 93 21:08:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Re: my idea for detecting (PC)

Quoting from Fridrik Skulason to All About Re: my idea for detecting on
02-25-93

FS> Almost, but not quite - it will miss any "companion"-type viruses.

Frisk:

My idea will detect companion infectors. by the following means.

using the .* wildcard on .EXE files, and LHA A -A or PKZIP -wHS will
add these companion infectors regardless of what attributes they set.

I thought I explained this in the original message. Maybe I didn't
describe the process well enough. I said that I was no writer. ;-)

FS> Hey, why not me...*grin*...

because I didn't have your phone number handy.

FS> I see a few problems....by including only a few files, there is a cha
FS> missing certain viruses...for example those which only infect files i
FS> the current directory. If none of your "victim" files happens to be

correct, but most of these would be of the direct infector variety
wouldn't they?

FS> Still, overall it is an easy-to-implement "early-warning" system.

Thanks Frisk.

My idea is for the users that think "virus detection=scanning". This
idea would detect these new or modified viruses that a scanner would
miss.

Bill

- ---
 * WinQwk 2.0 a#383 * SATURDAY THE 14TH activates Saturday 14th

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 36]
*****************************************
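Added example, not part of the digest and not Bill Lambdin's or anyone else's own procedure: a sketch of the "victim file" early-warning check discussed in the last message, as far as the digest describes it. It snapshots every file matching NAME.* for a few victim programs, then reports modified files and new same-name files that DOS would run first (companions). The file names, contents and function names are constructed for the illustration.

```python
import hashlib
import os
import tempfile

# When only "NAME" is typed, DOS tries NAME.COM, then NAME.EXE, then NAME.BAT.
# A companion infector relies on that order instead of modifying the victim.
DOS_EXEC_ORDER = (".COM", ".EXE", ".BAT")


def snapshot(directory, victims):
    """Record size and SHA-256 of every file matching <stem>.* for each victim.

    Matching on the stem mirrors the NAME.* wildcard from the message; the
    directory is enumerated directly, so nothing is skipped by attribute.
    """
    stems = {os.path.splitext(v)[0].upper() for v in victims}
    snap = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            stem = os.path.splitext(entry.name)[0].upper()
            if entry.is_file() and stem in stems:
                with open(entry.path, "rb") as fh:
                    data = fh.read()
                snap[entry.name.upper()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def shadowed_by(new_name, baseline):
    """Baseline files that DOS would now skip in favour of new_name."""
    stem, ext = os.path.splitext(new_name)
    if ext not in DOS_EXEC_ORDER:
        return []
    later = DOS_EXEC_ORDER[DOS_EXEC_ORDER.index(ext) + 1:]
    return sorted(old for old in baseline
                  if os.path.splitext(old)[0] == stem
                  and os.path.splitext(old)[1] in later)


def compare(baseline, current):
    """Return (kind, name, detail) findings between two snapshots."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append(("missing", name, None))
        elif name not in baseline:
            findings.append(("new", name, shadowed_by(name, baseline)))
        elif baseline[name] != current[name]:
            growth = current[name][0] - baseline[name][0]
            findings.append(("modified", name, growth))
    return findings


def demo():
    """Constructed scenario: one appended-to victim and one new companion."""
    victims = ["EDIT.EXE", "FORMAT.COM", "CHKDSK.EXE"]
    with tempfile.TemporaryDirectory() as d:
        for name in victims:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed sample: " + name.encode())
        baseline = snapshot(d, victims)
        # Simulated changes (harmless placeholder bytes, constructed here).
        with open(os.path.join(d, "EDIT.COM"), "wb") as fh:
            fh.write(b"constructed companion placeholder")
        with open(os.path.join(d, "FORMAT.COM"), "ab") as fh:
            fh.write(b"\x00" * 100)
        return compare(baseline, snapshot(d, victims))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

As the quoted reply in the message points out, a check over a few victim files says nothing about files outside the chosen set.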