Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5) id AA04490; Tue, 2 Mar 1993 14:06:31 +0100 Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA43686 (5.67a/IDA-1.5 for ); Tue, 2 Mar 1993 07:08:25 -0500 Date: Tue, 2 Mar 1993 07:08:25 -0500 Message-Id: <9303021206.AA00725@first.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@first.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V6 #37 Status: RO VIRUS-L Digest Tuesday, 2 Mar 1993 Volume 6 : Issue 37 Today's Topics: Re: polymorphic compiler Re: your opinions on virus legality Virus Development Programs Help - Windows Virus (!?!?!) (PC) Re: EXE/COM switch (PC) Re: standardization (PC) Re: New Virus (PC) Re: PC Magazine on Anti-Virus Software (PC) Re: Request for virus tools (PC) Re: FPROT, Thunderbyte, & DataCrime II (PC) Need info on whale. (PC) 1591/1575 (PC) False Power Pump (2) w/F-Prot207? (PC) Re: Rebuilding partition tables (PC) Re: KRNL386.EXE erased (PC) Re: NAV questions (PC) Re: CMOS virus (PC) Re: Norton buggy??? (or I have a PROBLEM!) (PC) CLEAN 102 (PC) McAfee VIRUSCAN V102 uploaded to SIMTEL20 and OAK (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk, krvw@first.org ---------------------------------------------------------------------- Date: Sun, 28 Feb 93 19:22:01 +0000 From: houle@nmt.edu (Paul Houle) Subject: Re: polymorphic compiler ACDPAUL@vm.uoguelph.ca (Paul D. Bradshaw) writes: >Am I missing something important about this polymorphic compiler? If >the good guys have GOOD polymorphic compilers then won't the bad guys >have quality polymorphic compilers as well? Wouldn't this mean that a >virus writer could write one simple virus, and compile it n times to >release n copies into the wild? It seems to me that virus writers >would benefit more from a polymorphic compiler than anti-virus >software writers would. Afterall not that many viruses target >specific anti-virus software. Well, my original point was that such a polymorphic compiler would be a superior method of implementation of polymorphism than, say, MtE. I also mentioned that polymorphism might be a good feature for antivirus software, but I especially wanted to say that the polymorphic compiler used in viruses would be a threat that antivirus people will eventually have to face, although I don't think I got that across very well. Fortunately, I've got better things to do than try to write one, and if this turns out to be true, I've got about as much to do with it as Arthur C. Clarke had to do with the communications satellite. >What if this compiler were applied to the code for an existing >successful virus like stoned? My idea for the polymorphic compiler is for it to compile some kind of intermediate representation into polymorphic code. Conceivibly you could put it together with the right parts and make a C-like language, or a FORTH-like language, or whatever. The thing I have in mind wouldn't be able to "polymorph" existing assembly code, although such a thing is certainly possible if you don't care about code quality (but you do with successful viruses). The architecture that I'd see for a polymorphic compiler virus could be broken down into at least four parts. I. TEXT segment - this contains fixed data, displayed text strings, etc and is encryped by the PC (polymorphic compiler), prehaps using a one-time pad. II. DNA segment - this contains the intermediate representation of the code that the polymorphic compiler will "polymorph" occasionally or whenever the virus writer wants it. Also encrypted. III. PC segment - the actual polymorphic compiler, for which the intermediate code is stored in the DNA segment itself. As such, the PC can be shipped with the virus and is also variable, so it is not a simple attack point for antivirus software. IV. VIRUS segment - code for the virus, includes payload (if any) and infection logic and all that other stuff. This sort of virus will probably be the next generation of polymorphic viruses. One would hope that it isn't coming soon to a computer near you, because this sort of thing could make both file and memory scanning obsolete, or at least orders of magntiude harder, particularly if it were combined with the technology from Commander Bomber. Since it would also allow viable stealth viruses (can protect in-memory section from scanners), it may even be able to thwart integrity scanners. It's the kind of thing that I don't really want intellectual priority on if I happen to have it. ------------------------------ Date: Mon, 01 Mar 93 16:12:38 +0000 From: gary@sci34hub.sci.com (Gary Heston) Subject: Re: your opinions on virus legality luis.gamero@canrem.com (Luis Gamero) writes: >No. If you keep it in your OWN posession how could it be illegal? >You can own a gun and not use it. That's not illegal. This varies depending upon local law somewhat more than virus possession. And, with the ignorance and hysteria pervading the various legal systems where computers, software, and viruses are concerned, it seems to be a matter of proving oneself innocent rather than being proven guilty. >Canada Remote Systems - Toronto, Ontario BTW, possession of a handgun is a crime in any part of Canada. Not a good analogy for you to use.... - -- Gary Heston SCI Systems, Inc. gary@sci34hub.sci.com site admin The Chairman of the Board and the CFO speak for SCI. I'm neither. Remember: A majority of the American people voted against *all* of the Presidential Candidates. How encouraging.... ------------------------------ Date: Sun, 28 Feb 93 11:48:51 -0500 From: sgt@lakes.trenton.sc.us (Sgt Rock) Subject: Virus Development Programs I just picked up the March 16th 93 issue of PC Magazine and was quite interested in the article on antivirus software. It discussed some virus development programs: The Phalcon/Skism Mass-Produced Code Generator, the Virus Construction Set, and the Virus Construction Laboratory. These programs sound scarey to me. Does anyone out there know anything about them? Where do they originate and are they available for general use or are they controlled as they should be? ------------------------------ Date: Sun, 28 Feb 93 11:40:27 +0000 From: jlowder@vx24.cc.monash.edu.au Subject: Help - Windows Virus (!?!?!) (PC) One of my friends has a problem when printing out in MSWord 2. When she goes to print, she seems to get a "Falling Letters" type virus attack her printer. Since I'm no technical or mathematical wiz could someone give me a hand here. I have no idea (besides formatting the entire hard disk) of how to get rid of it. McAfee's V100 does not pick it up, so this makes me wonder what it is. It could be attacking anything (that's the worst part). Print Manager Word Stylesheets Printer Drivers (I know that only exe com and overlay files usually hold viruses, but it does not mean they have to attack the exe file they are in to cause damage) Well I'm just puzzeled! Could someone give us a hand here?!?? Jase. /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ /* jason lowder */ /* jlowder@vx24.cc.monash.edu.au */ /* */ /* ~zeros and ones will take us there~jesus jones~ */ /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ ------------------------------ Date: 01 Mar 93 13:18:52 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: EXE/COM switch (PC) Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes: > Here is an idea I have cooked up to defend against some types > of viruses. It has not (to my knowledge) been in print before. I am seeing this proposed averagely once every couple of months. Ah, you mean in print? In print, there was an article in Virus News International, explaining why this is not a good idea, or more exactly why it doesn't work and shouldn't be relied on. > Viruses which infect files often *look* for the extensions > EXE and COM. A more exact way to say this is "Some viruses look at the file extensions". Because: 1) Some viruses (most) don't look at the file extensions at all. 2) Some viruses look not exactly for EXE and COM, but for *.CO?, *.*M, and other weird things. > If no such files exist, the virus will not > replicate. If it is one of the silly viruses of the above type. But, the viruses of this type are usually non-resident, and non-resident viruses don't replicate well anyway... > >From what I have read, many viruses are *either* EXE or COM > infectors, but not both. And many are both, and some even infect SYS files too, and some infect boot sectors, master boot sectors, COM, EXE, and SYS files. > And even for viruses that infect > both types, the following defense may work against them. Most probably it won't, see below. > The trouble with the XXX idea above is that the programs > cannot be found and cannot be run with such a name. My idea This is trivial to be fixed by just changing 6 bytes in the command interpreter. > is to rename all your EXE files as COM and rename all your > COM files as EXE. This is even worse than to rename the files to non-executable extensions. If you just swap the extensions, many of the viruses that would be fooled by the above scheme won't be fooled any more. > Believe it or not, DOS is still able to > run your programs after you make this switch. DOS does not Believe it or not, but most viruses are just as smart as DOS in this case... :-) > rely on the extension to determine if the program is > relocatable (a la EXE) or not (a la COM), rather it looks > for the file signature ("MZ", the initials of the early > Microsoft employee who developed this scheme) and takes > action upon that. "ZM" instead of "MZ" also works... Anyway, many viruses are doing just that - infecting anything that DOS Execs (via INT 21h/AX=4B00h), and determining the file type from the first two bytes of the file. > Now any virus which is tailored to work specifically on > one type of program is not very likely to work when you > pull this trick on it. I will leave it to the experts on > this forum to determine the details of that. Any virus which is silly enough to rely on the file extension (like Jerusalem), will infect such files incorrectly, so that they will crash, I agree. But, this still will not prevent dozens of more intelligently designed viruses to infect the files correctly... > I will also leave it to an enterprising individual to > determine wither COMMAND.COM will run if it is renamed > to COMMAND.EXE (with the appropriate change to the COMSPEC > variable in CONFIG.SYS). Personally, I doubt it, but No need to doubt it - DOS can run just anything as a command interpreter, if you put the appropriate line in CONFIG.SYS. > perhaps a simple modification to the boot sector may make > this possible. The boot sector contains the names of the DOS files, not the name of the command interpreter. > In the future, viruses WILL be able to defeat this approach, It's not in the future, sorry. Such viruses exist since 1988. The first one was Cascade, I think... > are vulnerable to viruses. I would appreciate comments from > the experts on this forum who know *exactly* how various > viruses work (or who can simply test this idea with > viruses that they contain in safe keeping.) In short - the idea of changing the executable extensions works in the following cases: 1) It stops all non-resident viruses I've seen so far. 2) It stops the "fast infection" capability of the fast infectors. That is, such viruses will still infect when you execute a file, but not any more when you are copying it. However, it is possible to design a virus that will still infect EXE files when they are copied, even if their extension is different. Note that the above points apply only in the general case, when you are changing the executable extensions to something completely different, not when you are just swapping them. The modification that you are proposing will stop fewer viruses. In general, changing the executable extensions is something like the ReadOnly attribute - doesn't harm a lot and stops some silly viruses, but by no means is a reliable protection scheme. Speaking about changing the names, there is yet another thing you can do at almost no cost and achieve some (not much) additional protection. You should keep a hidden spare copy of the command interpreter and have something like that: CONFIG.SYS: shell=c:\foo\bar\spare.cpy AUTOEXEC.BAT: copy c:\foo\bar\spare.cpy c:\command.com >nul set comspec=c:\command.com This way, viruses that infect the command interpreter as the first thing they do when executed, will be fooled to infect C:\COMMAND.COM. However, at boot time (when the virus is not yet in memory), this file will be restored automatically from the image C:\FOO\BAR\SPARE.CPY. Again, don't rely too much on the above - it is by no means fool proof. It just helps a bit. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 01 Mar 93 13:53:19 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: standardization (PC) micke@qainfo.se (Micke Larsson) writes: > Solomon's FindVirus have a /EICAR switch which outputs the Eicar code for > viruses found. These codes are a part of the CARO naming standard. Really? I didn't know that the EICAR code is part of the CARO naming standard. It shouldn't be, for two reasons. First, the CARO naming scheme (which is not yet a standard, alas), does not rely on this number. Second, FindVirus outputs an EICAR number only for those viruses, which it is able to identify exactly. In practice, this means almost all non-encrypted and some of the encrypted viruses. For instance, try it with a few Cascade samples - you'll see that it outputs one and the same EICAR number (665C6657) for ALL Cascade.1701.* variants. Obviously, we cannot use for identification an algorithm that produces one and the same output for -different- viruses. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 01 Mar 93 17:19:17 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: New Virus (PC) antkow@sis.uucp (Chris Antkow) writes: > Actually, The Whale source code is posted on a few Canadian VX >boards, however, it is in German, making any modifications by a >"wannabe" virus writer a bit difficult. Uh, I thought that was a commented Sourcer-generated disassembly - not the actual source...a small, but VERY significant difference - are you sure it is the actural source ? - -frisk - -- Fridrik Skulason Frisk Software International phone: +354-1-694749 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801 ------------------------------ Date: 01 Mar 93 17:28:42 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: PC Magazine on Anti-Virus Software (PC) Joe.George@nd.edu writes: >Hello: >Do people in this group support Pc Mag's Editor's Choice Awards to >Central Point Anti-Virus and Norton's Anti-Virus? I thought the best >protection was McAfee's SCAN backed up by F-PROT or vice-versa. >In the review, F-PROT received a honorable mention because it >correctly removed all of the virus's it found. The review did not >test McAfee's SCAN. Well, they did not want to include any shareware programs at all (quite silly, because they are the most popular ones) - therefore no SCAN, and F-PROT only got included because we have an expanded, commercial version available. I am not terribly happy with the review, of course - well, it was nice to see that I had one of the 13 (out of 24) scanners that detected all the 11 (!!!) viruses, and that F-PROT was the only program that could remove them all correctly, but the basic problem with the review, from my point of view is that they did not ask any virus "experts" for advice, and relied on incorrect or incomplete information (for example they say that 57 variants of Jerusalem exist, where the correct number is at least 125). So, basically it is a good review of anti-virus program interfaces - their virus collection is far too small (11 viruses is silly...they should have used at lest the 50-100 that are in the wild), the viruses they used are old, so a program that had not been updated for 18 months would have detected all but one or two....and so on... Anyhow, I wrote them a 4-page letter about this... - -frisk - -- Fridrik Skulason Frisk Software International phone: +354-1-694749 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801 ------------------------------ Date: 01 Mar 93 17:37:40 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: Request for virus tools (PC) gscobie@castle.edinburgh.ac.uk (G J Scobie) writes: >Hi there, >Over the years I have collected a wide range of tools to use when >dealing with PC viruses. However, I'm interested in what other readers >of this board use for disassembling code, inspecting memory, protection, >eradication etc etc. I guess I'm not a typical reader, but well..... I use DEBUG for most of my analysis...I have been using that program for a LONG time - started on a Victor 9000, before there was any IBM PC...and I have not yet seen any need to switch. I use Sourcer for some disassemblies - but not always - it has some problems. Inspecting memory: Debug and my own old F-MMAP (those of you that ever got a copy of F-PROT 1.x may remember it). Protection, eradication...well, my own program, of course :-) ... however, I have copies of SCAN and Dr Solomon's toolkit that I run for comparison - none of the other programs are of any help to me. - -frisk - -- Fridrik Skulason Frisk Software International phone: +354-1-694749 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801 ------------------------------ Date: 01 Mar 93 17:53:53 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: FPROT, Thunderbyte, & DataCrime II (PC) mharlos@ccu.umanitoba.ca (Michael Harlos) writes: >I've just run FPROT 2.07 for the first time, in a "real DOS" (not OS/2 >DOS) session, with several Thunderbyte TSR's loaded. One of the >Thunderbyte TSR checks for suspiciuos activity. >FPROT warned me that "DataCrime II virus search activity was found in memory". "virus search pattern", actually...well, this sounds like a false alarm to me Don't worry about it. I'll give the thunderbyte authors a call and see if we happen to use the same pattern, or what is going on... - -frisk - -- Fridrik Skulason Frisk Software International phone: +354-1-694749 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801 ------------------------------ Date: Mon, 01 Mar 93 14:40:24 -0500 From: ed street Subject: Need info on whale. (PC) I have just recently isolated a strain of the whale virus and I havn't figured out how it mulitplies yet, it only seems to go resident and slow things down. does anyone know how it works and what it does cause f-prot doesn't give that much of a description of it.. thanks. ed. ------------------------------ Date: 01 Mar 93 21:54:25 +0000 From: psgrbbc@prism.gatech.edu (Brian Cooper) Subject: 1591/1575 (PC) Ok, some friends of mine in another department were having a network card (and software) installed. The Norton Antivirus Program (NAV) on their computer picked up the 1591 virus when the bonehead network support individual installed the network files. Two network files were infected as well as command.com and nav.exe (the norton program). He (the network bonehead) proceeded by removing the virus using NAV (I don't know how he did it; I assume NAV provided some instruction when the virus was detected. A couple of days later, my friend called me to take a look at their computer. I ran McAfee's SCAN v 100 and it detected the 1575 virus in himem. SCAN would only detect the virus when I used the /chkhi parameter. I powered down the computer and rebooted from a clean floppy to determine the extent of the hard disk infection. SCAN reported that no files were infected; yet SCAN continued to report a virus when I booted from the computers hard disk. When I renamed the autoexec.bat and config.sys files to *.bak, I rebooted. SCAN no longer reported a virus. I isolated the problem to the fact that one of the files originally reported to have the 1591 virus by NAV was being loaded in the autoexec.bat. When this occurred, scan would report a virus in memory. My questions: What are the 1591 and 1575 viruses? Why would SCAN report the 1575 in himem but not detect it's presence in the file? What should I do? I am no longer loading the questionable file, but I have not yet deleted it. Please respond via email. Thanks!! Brian Cooper ------------------------------ Date: Tue, 02 Mar 93 01:47:00 +0000 From: wdence@relay.nswc.navy.mil (Walter Dence) Subject: False Power Pump (2) w/F-Prot207? (PC) We just found what we hope is a false positive. It occurs on "power.exe" of Jul92. F-Prot207 calls it a "Power Pump (2)". Is this a false positive? "New.207" indicates that "Power Pump (1)" is a false positive, but that it has been fixed with F-Prot version 207. For now, we are assuming that it is a false positive. Thanks, Walt Dence ===================================================================== WALTER E. DENCE, JR. Data Acquisition Specialist Influence Mechanisms Branch, G95 Commander, Dahlgren Division Naval Surface Warfare Center Office: (301) 394-1707/1960 Dahlgren Division Detachment Fax: (301) 394-4510/4727 White Oak, G95 (W. Dence) DSN (AutoVoN): 290-1707/1960 10901 New Hampshire Ave. MilNet: wdence@nswc-wo.nswc.navy.mil Silver Spring, MD 20903-5000 Home: (301) 229-7394 (This is personal opinion, not official opinion.) ===================================================================== ------------------------------ Date: Mon, 01 Mar 93 21:01:59 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Re: Rebuilding partition tables (PC) >From: chowes@sfu.ca (Charles Howes) >I'd like to see a program that will tell me what these four sources are >saying the hard disk should be, allow me to pick the one I think I picked >when I first partitioned my hard disk, and lay down a brand new set of >sectors. Actually, there is one more source - opening the PC up and reading the manufacturer and drive number info off the label. IMHO it should not be difficult to detect the disk configuration &/or validate the CMOS information simply by "walking the disk" e.g. "validating" the sectors (would try Int 13 Fn 4) until an error occurs to find the total sectors/track, number of heads, and total tracks. IDE drives can be interrogated directly. Given that, next you could go on a scouting expedition for partitions making sure that the info makes sense e.g. the BPB in a tentatively identified DBR actually points to the right sector. Of course you need to do a bit of checking to determine which OS is in use, usually you can tell by the presence of hidden sectors and (for DOS) the size of IO.SYS or IBMBIO.COM with the date as a crosscheck. Of course now you need to find a root directory but the algorithm for detecting this is not difficult, people do it all the time by eyeball. Sure, it is not going to be 100% effective in every case, but you could hit 95% right now (I do better than that by hand) and by v3 should be as close as you could get. (unfortunately am working 60 hours a week & still need to paint my house 8*( - ever notice that we spend 80%+ of our time doing things we are not good at because we have no choice... >What does fdisk do? I had hoped it replaced the entire sector that has the >MBR and partition table in it, and leave the rest alone, but that does not >seem to be the case. Am I wrong? FDISK alone will build a P-table (*not* rebuild it) and place it in a sector with new MBR code *if the sector is zeroed first* otherwise, depending on the version, it may leave the original MBR code in place. FDISK/MBR (DOS 5.0 and 6.0 only) will replace the MBR code and leave the P-table alone. >Is format in charge of the DBR's? Does sys diddle with it too? Both of these can replace the DBR code. SYS *might* not (version again) load the Boot Partition Block found inside the DBR. FORMAT will build the FATs and a root directory, SYS will not. Probably the reason no-one has built a full replacement (yet) utility yet is the sheer mind-boggling number of OS varients out there - I just made a quick count of my DOS box and came up with 27 individual DOSes for the IBM-PC ranging from 1.25 to 6.00.0560 (revision "A" naturally). Unfortunately, if you pick the wrong one and leave the registers with the wrong values following the DBR execution, POP goes the weasel. Warmly, Padgett ------------------------------ Date: Mon, 01 Mar 93 22:08:30 -0500 From: Jimmy Kuo Subject: Re: KRNL386.EXE erased (PC) ls8139@cis.ohio-state.edu writes: >In comp.os.ms-windows.misc I was told that it is possible that >the reason I lost KRNL.EXE from my windows\system directory was >due to a virus. If anyone knows of a virus that does this please >tell me. I have scanned with Norton Desktop Antivirus and found >nothing. >Should I get another scanner or is Norton AV good enough. While it's true that it's "possible" you have a virus, the chance of a single file being lost being due to a virus is sooooooo smalllllll... And in the face of no other strangeness occurring on your system, your chance drops to nil. You should look to something other than viruses to explain your problem. Jimmy Kuo cjkuo@symantec.com Norton AntiVirus Research ------------------------------ Date: Mon, 01 Mar 93 22:08:32 -0500 From: Jimmy Kuo Subject: Re: NAV questions (PC) Eric J Balog writes: >1) I have NAV 2.0 (included w/ NDW 2.0), and I just downloaded >nav20a10.exe from dorm.rutgers.edu. Does my version of NAV now check >for all of the viruses that NAV 2.1 checks for? (mine checks for 451 >viruses/1159 strains) No. NAV 2.1 checks for high 1400 to low 1500 strains. And in order to get that many, you must have NAV 2.1. NAV 2.0 users may upgrade to NAV 2.1 through a number of programs. Depending on your date of purchase of the product, the upgrade may be free. Call 1-800-343-3714, x738 for details. Be sure to specify that you got NAV by buying NDW 2.0. Jimmy Kuo cjkuo@symantec.com Norton AntiVirus Research ------------------------------ Date: Mon, 01 Mar 93 22:08:34 -0500 From: Jimmy Kuo Subject: Re: CMOS virus (PC) V Menayang writes: >I wonder if a virus can erase the information stored in CMOS? Yes. But there's a difference between erase (reset) and erase (corrupt). >If it can, what virus/viri known to work this way? Many viruses fiddle with CMOS bits, some fiddle with it incorrectly and corrupt certain values. But none that I am aware of deliberately go and reset all the CMOS values. >The reason I am asking these questions is that the computer >repair person we took our Grid system machine to claimed >that our problem (floppy drive wouldn't refresh) is caused >by a virus. I don't know much about virus but the claim >sounds suspicious because he said that the virus is [stoned]. In this case, trust your judgment against the computer repair person. Since he brought up "Stoned," you should scan your other machines and diskettes. But you should also insist that the computer repair person scan his machines and diskettes. Not to blame the repair person but he generally has fewer machines to check than you do. >Thank you for any advice/information on this. You're welcome. Jimmy Kuo cjkuo@symantec.com Norton AntiVirus Research ------------------------------ Date: Mon, 01 Mar 93 22:08:48 -0500 From: Jimmy Kuo Subject: Re: Norton buggy??? (or I have a PROBLEM!) (PC) [Alan Mead describes what looks to be a false id of CVIR.] Please send me a copy of your program electronically. I would like to verify the false id and see why... Also, please specify which C compiler and version you are using. Our definition for CVIR has not changed since its inception in July of 1991. This is the first case of false id I've heard regarding that definition. Usually, cries concerning false ids happen right away. We usually don't have to wait this long to hear about it. >Also, I should think Norton would want to know about this. Thank you for reporting this. Jimmy Kuo cjkuo@symantec.com Norton AntiVirus Research ------------------------------ Date: Mon, 01 Mar 93 22:10:53 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: CLEAN 102 (PC) Tonight (March 1st) McAfee released version 102 of SCAN, CLEAN, & all. The documentation states that the removal routines for several of the viruses including MICHELANGELO have been re-written. Accordingly the trusty VP-1600 was cranked up once more. Like last time SCAN properly recognized the [Mich] lurking in the MBR but this time CLEAN properly, correctly, and safely removed the virus. What ever the bug in V100 was, it is now corrected within two weeks of its isolation. That is a quick turnaround and shows that they are concerned. Sh*t happens. *Everyone* makes mistakes particularly in complex code (heck, the last time I looked DEC still hadn't gotten FORTRAN right 8*). The true measure of a company is whether they admit it publicly (see last week's VALERTs) and how fast it gets fixed. Warmly, Padgett ------------------------------ Date: Mon, 01 Mar 93 23:41:07 -0500 From: aryeh@mcafee.com (McAfee Associates) Subject: McAfee VIRUSCAN V102 uploaded to SIMTEL20 and OAK (PC) I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu: pd1: ALLMSG.ZIP Foreign language support files for McAfee 9.14 CLEAN102.ZIP CLEAN-UP 9.14V102 cleans viruses from PC & LAN NETSC102.ZIP NETSCAN 9.14V102 scans LAN's for viruses NETSH102.ZIP NETSHIELD scans Novell file server for viruses SCANV102.ZIP VIRUSCAN 9.14V102 scans PC's for viruses VSHLD102.ZIP VSHIELD5.22V102 virus infection prevention TSR WSCAN102.ZIP WSCAN V102 Windows 3.X version of VIRUSCAN WHAT'S NEW VIRUSCAN, NETSCAN, and SCAN for Windows Version 102 of the VIRUSCAN series adds detection of 74 new viruses, bringing the total number of known viruses to 1,134, or counting variants, 1,830. Version 101 gave a false alarm on the Parity virus [Pvar] and was recalled from distribution. It was not released on the Internet. CLEAN-UP Disinfectors for the VirDem-824 and Barrotes viruses have been added. Disinfectors for the 1575, FORM, KeyPress, and Michelangelo virus have been re-written. VSHIELD VSHIELD Version 5.22V102 has had several changes made internally to the program, most notably in the /ACCESS, /COPY, and /SWAP switches. The CHKSHLD program has been re-written to work with all versions of VSHIELD. NOVELL NETWARE/386 3.11 PROGRAM NETSHIELD Version 1.11 (V102) is a NLM (NetWare Loadable Module) for Novell NetWare/386 Version 3.11. It checks network file servers for all known computer viruses, including stealth and polymorphic (mutation engine) viruses, using McAfee Associates' VIRUSCAN virus scanning technology. Key features of NETSHIELD include checking files for viruses as they are accessed on the server, performing a scheduled scan, and notifying users if a virus is found. NETSHIELD does not changed the Last Accessed Date when scanning files. NETSHIELD runs on any Novell NetWare/386 3.11 file server with a minimum of 560Kb of free memory and should utilize about 4% of the CPU. NETSHIELD is not compatible with version 3.10 of Novell NetWare/386. OS/2 PROGRAMS The OS/2 versions of VIRUSCAN, NETSCAN, and CLEAN-UP Version 102 are available by anonymous ftp from the mcafee.com site in the pub/antivirus directory. They have all the same additions as their DOS counterparts FOREIGN LANGUAGE MODULES New foreign language modules have been created. See the VALIDATE VALUES below for specific languages now available. VALIDATE VALUES CHECKSHIELD 0.3 (CHKSHLD.EXE) S:8,009 D:02-11-93 M1: D7B0 M2: 0594 CLEAN-UP 9.14V102 (CLEAN.EXE) S:138,075 D:02-27-93 M1: 54A2 M2: 1631 LANGUAGE 9.14 (BULGARIAN.MSG) S:12,204 D:02-24-93 M1: 4E79 M2: 0625 LANGUAGE 9.14 (CATALAN.MSG) S:16,441 D:02-24-93 M1: FAE9 M2: 182C LANGUAGE 9.14 (DUTCH.MSG) S:16,751 D:02-24-93 M1: E697 M2: 1287 LANGUAGE 9.14 (FINNISH.MSG) S:15,742 D:02-24-93 M1: 5197 M2: 1156 LANGUAGE 9.14 (FRENCH.MSG) S:16,060 D:02-24-93 M1: 2623 M2: 0831 LANGUAGE 9.14 (GERMAN.MSG) S:17,210 D:02-24-93 M1: A3B4 M2: 0688 LANGUAGE 9.14 (HUNGARIA.MSG) S:16,385 D:02-24-93 M1: BB10 M2: 1D6E LANGUAGE 9.14 (ITALIAN.MSG) S:17,027 D:02-24-93 M1: 1EED M2: 16F8 LANGUAGE 9.14 (SPAN_SA.MSG) S.Amer S:16,271 D:02-24-93 M1: E8D0 M2: 12C1 LANGUAGE 9.14 (SPANISH.MSG) Europe S:17,019 D:02-24-93 M1: 579D M2: 04EF LANGUAGE 9.14 (SWEDISH.MSG) S:15,870 D:02-24-93 M1: 2B46 M2: 1C9F LANGUAGE 9.14 (SWGER.MSG) S:17,690 D:02-24-93 M1: 7AA6 M2: 12EA NETSCAN 9.14V102 (NETSCAN.EXE) S:109,481 D:02-27-93 M1: A13D M2: 04CE NETSHIELD 1.11V102 (NETSHLD.NLM) S:81,878 D:02-22-93 M1: FCE5 M2: 166F NETSHIELD 1.11V102 (VIR.DAT) S:37,826 D:02-22-93 M1: FABC M2: 0C8C VIRUSCAN SCAN 9.14V102 (SCAN.EXE) S:111,886 D:02-27-93 M1: 9FB2 M2: 0FD1 VSHIELD 5.22V102 (VSHIELD.EXE) S:45,724 D:02-27-93 M1: 06BB M2: 066C SCAN FOR WINDOWS 102 (WINSTALL.EXE) S:17,378 D:02-25-93 M1: EB0C M2: 00D1 SCAN FOR WINDOWS 102 (WSCAN102.EXE) S:76,202 D:02-25-93 M1: E7EC M2: 174A Regards, Aryeh Goretsky McAfee Associates Technical Support - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1 Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95054-3107 USA | USR HST Courier DS | or GO MCAFEE ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 37] *****************************************