From CUNYVM.CUNY.EDU!lehigh.edu!virus-l Wed Feb 10 03:43:37 1993 Date: Mon, 8 Feb 1993 15:40:00 -0500 Message-Id: <9302082003.AA03078@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V6 #21 Status: R VIRUS-L Digest Monday, 8 Feb 1993 Volume 6 : Issue 21 Today's Topics: re. Patriotic Virus Writers general entertainment Re: On the definition of viruses Re: scanners. Viral antivirals - one vote against Re: scanners. Re: Sale of Viri Re: What is a virus ? Re: scanners. Virus Stats Wanted Re: + - viuses Virus Friendly AV Software (PC) Micheangelo Virus (PC) Zerotime/Slow virus (PC) Virus scan on a compressed drive (PC) Re: Virus scan on a compressed drive (PC) Re: NAV questions (PC) CMOS virus? (PC) New files on phil (PC) Worm wannabe - "WANK" (CVP) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 04 Feb 93 07:33:11 -0500 From: Jagdev Panesar Subject: re. Patriotic Virus Writers Regarding the item in the Digest V6 #16, it was reported in the British press on 3-feb-93 that 6 members of this 'ARCV' group have been arrested. The report says that the group may have written 30-50 relatively harmless viruses, distributed via bulletin boards, some of which have spread e.g. to Ohio. No charges have been made as yet, but the equipment has been seized and the viruses are being analyzed. ------------------------------ Date: Thu, 04 Feb 93 13:39:04 +0000 From: kelty_h@aci_1.aci.ns.ca (KELTY HAMILTON) Subject: general entertainment Just mentioning a good virus article in the February "Discover" magazine. Thought you virus fanatics would be interested in its coverage of virus origins. ------------------------------ Date: Thu, 04 Feb 93 12:54:20 -0500 From: Y. Radai Subject: Re: On the definition of viruses Concerning the alternative argument which I gave for undecidability of virushood (? virality?) of a program, Jerry Leichter writes: >There are at least two problems with this approach: > > - It has nothing to do with viruses! Suppose I attempt to recognize > "programs that print the number 4". What does "print the > number 4" mean? Well, it might mean "ALWAYS prints 4" or > "SOMETIMES prints 4" or "in some well-defined circumstances > prints 4". But the program > if then print 4 > cannot be computably tested under ANY of these definitions. > The non-computability is in the ; the fact that > you can attach it to just about any predicate says nothing > about the predicate. Correct, but my argument was proposed as an alternative to Fred's informal proof of undecidability, which goes something like this: Suppose there were a function D which inputs a program file p and which always halts, correctly outputting 'true' whenever p is a virus and 'false' whenever it isn't. Then let P be a program consisting of only the following code: If not D(P) then infect Now (1) if D(P) = true, then P does nothing, so P is not a virus, so D has erred. (2) If D(P) = false, then P infects, i.e. P is a virus, so again D has erred. My point is that the same comment which you made above, Jerry, ap- plies just as well to Fred's proof. So maybe you should redirect that comment to him. > - None of the definitions that Radai gives really tell us what we > really want to know about a program. If the in > if then > can be satisfied, then certainly we don't want the program > around (assuming is an operation we don't ever want > carried out). If we can prove that CAN'T be > satisfied, then perhaps the thing isn't "really" a virus, but > it's still dead code, and we'd prefer that it not be there. > However, we can live with it. (Such code can actually arise > as the result of a successful disinfection.) If we can't > prove either that IS satisfiable, or that it is > not, then I can't imagine any circumstances in which we would > treat this as anything BUT a virus. Again, I was writing under the influence of Fred's paper, where the problem is treated as a theoretical one. As soon as we turn to *practical* considerations, the picture changes. As I've said previously, if a detector produces no false negatives, and if the only false positives which it produces are of the above type (i.e. declaring the program to be a virus even though is never satisfied), we would have a very valuable detector indeed. If you wish to redefine 'virus' so that these are not even considered false positives, I won't object too strongly. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI@HUJIVMS.BITNET RADAI@VMS.HUJI.AC.IL ------------------------------ Date: 04 Feb 93 22:23:40 -0500 From: ac999512@umbc.edu (ac999512) Subject: Re: scanners. >I know this is probably a dumn question but I was wondering about the >realistic aspects of scanners like do they really protect as much as >some of the people that I have talked to seem to think? In my opinion >they are just merely an aid to problem solving and should not be used >as a general "cure-all" Well, scanners are fantastic for determining how wide-spread a virus is on your system, and great for determining just what you've been infected with, but you must already be infected for them to aid you in any way. They also cannot handle new and unknown viruses. For this reason they don't make an effective front-line defense. Active Monitor TSR prgorams can help catch a virus in the act, but often drastically reduce system performance and memory space. If you are in a high-risk environment, it can be worth the loss. HOWEVER- Some of the newer ones are getting more efficient in both speed and size. It really is a controversial topic as to which virus utilities are better than others. Just remember that the sheer number of viruses a scanner can detect is not the only important factor. You also need to know how fast it is, how accurately it identifies the virus, how many false positives you get, how many false negatives you get, whether or not it can detect the 10% or so of the viruses that are actually out 'in the wild', etc.. Hope that helps! :-) +--------------------------------------------------------+ | Ed T. Toton III | The viruses are coming, Hooray! | | Virus Researcher | Hooray! The Viruses are coming, | | | Hooray! Hooray! :-) | +--------------------------------------------------------+ ------------------------------ Date: Thu, 04 Feb 93 20:49:25 -0800 From: rslade@sfu.ca Subject: Viral antivirals - one vote against There have been discussions on the advisability of using viral programs to search out other viral programs. While there are certainly advantages to using the power of viral replication and propagation, most are unwilling to risk the possible consequences should the "antiviral virus" develop bugs or run into an unexpected environment or situation. I have recently come into contact with a viral antiviral program. An Atari lab that I am working with has most of the disks "infected" with a program that checks for "executable" boot sectors. If one is found, it is replaced with the "antiviral" code. This is all done "automatically" without any reference to the user. (I have not yet been able to identify the specific program. The only identificationis the message given at boot time: "This Anti Virus beeps and flashes if the actual bootsector is executable, then that might be a Virus: Remove this Anti-Virus by reset:") To date I have not found any way to remove it (not being familiar with Atari internals), nor has the person who initially installed it. It is now interferring with some of the systems we need to run: particularly an MS-DOS emulator. The "bootable" MS-DOS disks keep getting killed. ============== Vancouver ROBERTS@decus.ca | "Don't buy a Institute for Robert_Slade@sfu.ca | computer." Research into rslade@cue.bc.ca | Jeff Richards' User p1@CyberStore.ca | First Law of Security Canada V7K 2G6 | Data Security ------------------------------ Date: 05 Feb 93 07:45:52 +0000 From: frisk@complex.is (Fridrik Skulason) Subject: Re: scanners. TAWED@etsu.bitnet (Ed Street) writes: >I know this is probably a dumn question but I was wondering about the >realistic aspects of scanners like do they really protect as much as >some of the people that I have talked to seem to think? A scanner does not "protect" you, unless it is actively used to scan all incoming software before it is used...and even then it cannot "protect" you against a brand new virus. However, the authors of scanners, such as myself, are generally able to stay one step ahead of the virus authors...partly because it takes a less time to distribute a new scanner world-wide, than for a virus to become widespread by normal means. Also, as people tend to get hit only by 100 or so of the 2000 PC viruses that exist, and as those 100 viruses are generally detected by most scanners, they do, yes, provide a certain degree of protection...if properly used. - -frisk - -- - -- Fridrik Skulason Frisk Software International phone: +354-1-694749 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801 ------------------------------ Date: 05 Feb 93 14:22:47 +0000 From: Sam Wilson Subject: Re: Sale of Viri johan@blade.stack.urc.tue.nl (Johan Wevers) writes: > frisk@complex.is (Fridrik Skulason) writes: > >As I have said before - the lack of any action against virus writers > >is the primary reason why viruses are a problem today. > > Really? Then tell me, how would you take any legal action against virus > writers? How would you even find them? >From the front page of 'Computing', a UK weekly trade paper (the one which gave us the recent article on supposed 'mainframe viruses'), 4 February 1993: "Apache scalps virus cowboys "Police raided the homes of suspected computer virus authors across the country last week, arresting five poeple and seizing equipment. "The raids were carried out last Wednesdau by police in Manchester, Cumbria, Staffordshire and Devon and Cornwall. "Scotland Yard's computer crimes unit co-ordinated the raids under the codename Operation Apache. " A spokeswoman for the Greater Manchester Police said: 'The investigation began in the Mancheter area following the arrest of the self-styled president of the virus writing group in Salford last December.' "Police would not reveal the man's name, but said he had been released on bail. "Last week's raids led to the the arrest of a further two people in Manchester. Three other suspects were also arrested in Staffordshire, Cumbria and Cornwall. "PCs and floppy disks were seized in all the raids. "All those arrested have been released on police bail pending further investigations." Sam Wilson Network Services Division Computing Services, The University of Edinburgh Edinburgh, Scotland, UK ------------------------------ Date: Fri, 05 Feb 93 11:22:41 -0500 From: "William Walker C60223 x4570" Subject: Re: What is a virus ? Referring to my attempt at a natural-language virus definition, Vesselin Bontchev writes: > 1) As Dr. Cohen pointed out, "instructions" is not an appropriate > term. Use "symbols" instead. > 2) After "certain conditions" I would add " or in a certain > environment". Okay. > 3) Don't like the term "functional duplicate". As you explain further > in your message, you mean "a copy that might not look the same as the > original, but which does the same things". What if it doesn't do the > same things? I would argue that it is possible to make it do more > things and it is obvious that it is trivial to make it fewer things... > That's why I would prefer the term "possibly evolved copy" instead of > "functional duplicate". I thought about this almost immediately after I posted the message, but I decided to wait until after the first replies came back before I posted anything else. There is a limit to how much a virus can change its functionality, since the "parent" must contain within itself the changes it is going to make in the "child," and if the "child" or some later generation is going to eventually produce a copy of the original "parent," it must contain all the functionality of the "parent" as well. Take, for example, a bipartite (two-part) virus which infects files and boot sectors. The file infector must contain not only the functions which infect the boot sector but those which will eventually infect files again. Likewise, the boot infector must contain not only the file infector but what will again be the boot infector. In this example, neither the boot infector nor the file infector alone produce "functional duplicates" of themselves. Together, though, the boot infector and the file infector are considered one virus, designed to go through two infection steps, and together as one virus they produce a "functional duplicate" of the pair. With this example, I'll agree that my wording "functional duplicate" is poor, but I am at a loss to come up with a better term. I don't think that "possibly evolved copy" is suitable, because "evolved" implies an involuntary change. Any functional changes made in the copy will be those which have been intentionally coded for the original to make. > 4) What is "intercept program execution"? The non-resident viruses do > not intercept anything; they get executed only when the user runs the > infected program. Oh, yes, they DO intercept program execution! A non-resident virus may not intercept DOS interrupts or whatever, but it intercepts the call to the original program; otherwise, it would never get executed. If a virus doesn't intercept program execution in some way -- ANY way -- it would never be run, never spread, and thus not be a virus. > 5) Don't like the term "executed". What about source files, macros, > BASIC programs? I would use the term "interpreted" or at least > "executed or interpreted" instead. > 6) Since the virus may or may not return control to the original > infected program, is it worth the effort to include this in the > definition? Regardless whether it returns control to the program, it > will be a virus, if it matches the other parts of the definition. Okay. > So, let's try again: Here goes: A computer virus is a sequence (or sequences) of symbols which, when executed or interpreted under certain conditions or in certain environments, will make a functional duplicate of this sequence (or sequences) and will place this duplicate where it will intercept program execution at a later time under certain conditions. This is called "replication" and the duplicate retains at least the capability to recursively replicate further. A virus may also have additional functions, but these functions are necessary for something to be called a virus. I like your addition about 'replication." > Hm, still doesn't sound perfect to me... Me, either, but we'll keep working on it. - - - - - - - - - - From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) > First, my opinion needs to be stated: A worm is not a virus. This is a > matter of definition and proofs can be generated either way depending > on definition. > ... > On the other hand, a process which copies itself onto a disk and modifies > AUTOEXEC.BAT to execute it through a simple append operation would be a worm: > nothing was *replaced*. On the other hand, if AUTOEXEC.BAT were renamed A.BAT > and replaced with the malicious code as AUTOEXEC.BAT and the final line > called A.BAT, this would be a virus - replacement occured. How many hands do you have? ;-) > In simplest terms, a worm propagates through *addition* a virus propagates > though *replacement* (though it may reschedule the original to avoid > detection). Hmmm... let's see... Suppose a hostile PC program locates a file like FUBAR.EXE and *adds* a program FUBAR.COM, which is a duplicate of itself, but doesn't *replace* anything. Is it a "companion worm?" Or suppose a hostile Macintosh program *adds* a WDEF resource, which is a duplicate of itself, to the Finder "Desktop" file, but doesn't *replace* anything. Is it a "WDEF worm?" I think that the boundaries have become sufficiently fuzzy to make continued separation between "worms" and "viri" purely academic. But anyway, enough of this.... Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | "Windows is an excellent anti- OAO Corporation | virus tool. As soon as you Arnold Engineering Development Center | get infected, it crashes ... 1103 Avenue B | sometimes even before." Arnold Air Force Base, TN 37389-1200 | -- Vesselin Bontchev ------------------------------ Date: Fri, 05 Feb 93 19:20:47 +0000 From: X0421DAA@helios.edvz.univie.ac.at Subject: Re: scanners. TAWED@etsu.bitnet (Ed Street) wrote > I know this is probably a dumn question but I was wondering about the > realistic aspects of scanners like do they really protect as much as > some of the people that I have talked to seem to think? In my opinion > they are just merely an aid to problem solving and should not be used > as a general "cure-all" I don't know what the people you talked to think, but a scanner *can not* and is not intended to be a general "cure-all". A scanner can only assist you in detecting those computer viruses known to its programmer at the time when the version of the scanner you are using was released. Some time ago I asked the manufacturer of a scanner (don't remember who it was) why most companies highlight their scanners and talk much less about their checksumming products? He told me that users seem to like scanners (maybe because it is easier for them to grasp how a scanner works than a checksumming product). The big advantage of a checksummer is that it protects you against many more things than just computer viruses. Disadvantage: Checksumming takes longer than scanning (at least now; if there is more polymorphic viruses around, checksumming will be faster at one point)... Michael Weiner (x0421daa@vm.univie.ac.at, *temporary*) ------------------------------ Date: Fri, 05 Feb 93 20:01:14 +0000 From: Eriq_Neale@unt.edu (Eriq Oliver Neale, ACS) Subject: Virus Stats Wanted >From the "I don't know where else to look" department: Is there anyone or any place that is a repository for virus stats, as in estimated numbers of computers infected, that kind of thing, for 1992 or the few years previous? I've been asked to give my virus presentation for another class at the University in a few weeks, and since I've not updated the presentation in a couple of years (and I have a few weeks to prepare), I thought I'd try to get some more up-to-date numbers. 1992 is particlarly interesting to me because of the Michelangelo scare, but I'd be happy for anything more recent than 1989. The class I'm giving this presentation to is an information retrieval class, and the instructor has told me that the general attitude of the class towards viruses and the seriousness therof is rather "pooh-poohed." Needless to say, I'd like to try to change their minds for good. Though I've been pretty good of late keeping up with reading news, anything could change and I might not get back to read responses on the net, so please post them here, but e-mail me also. Thanks so much for the valuable pointers! - -Eriq Eriq O. Neale BITNET : LIPS@UNTVAX Lab/Network Manager Internet : neale@unt.edu Academic Computing Services Ma Bell : (817) 565-4808 University of North Texas finger @lipsmac.acs.unt.edu "If I got paid for what I say, I'd either be very rich, or very quiet!" ------------------------------ Date: 05 Feb 93 17:35:18 -0500 From: ac999512@umbc.edu (ac999512) Subject: Re: + - viuses Ok, I've been reading the messages going back and forth for quite a while here about what is the best definition for a virus. Well, here's one for you all to look at... A computer virus is a sequence of instructions or symbols which, when executed or interpreted under certain conditions and in certain environments, will be capable of producing a functional offspring, with possible evolution and/or modification, which is also capable of replication and propogation, and will be capable of placing this offspring where it will have a possible chance of being executed and/or interpreted at a later time under the same or different conditions and/or environments. Viruses must also have been constructed/designed with the original intent (unless designed by something other than a human being) and functional capability to replicate and propogate within a certain environment and under certain conditions without the consent or knowledge of any user, beyond the initial release of the virus into said environment. A virus may also have additional functions or processes, but only the above functions and processes are necessary for something to be considered a virus. Ok, now it's time for me to go run, duck, and hide before I get hit with a barrage of scrutiny! :-) +-------------------------------------------+ | Ed T. Toton III, Virus Researcher | |- - - - - - - - - - - - - - - - - - - - - -| | "SENILE.COM" found, insufficient memory | +-------------------------------------------+ ------------------------------ Date: Thu, 04 Feb 93 02:19:33 -0500 From: "Roger Riordan" Subject: Virus Friendly AV Software (PC) Another Virus Protection Program! Recently contacted by a user with a number of Mitac PCs. He reported that if he ran VET on the PCs, after booting from the hard disk, it reported top of memory was 9F80, & Stoned virus was active in memory, but MBR was "unknown, but seems OK". However if he booted from clean DOS disk there was no sign of virus. At first I thought he must have had a new strain, but then he mentioned "Mitac Antivirus", so I got him to install VET, and send me the reference disk, which has copies of both boot sectors. The MBR was clearly highly non standard, with "ANTIVRUSSYS" at offset 4 and messages about this being invalid at the end. The partition information appeared to be intact (apart from one sector having been reserved) and the sector was almost completely full of code. The program appears to start by loading part of the directory, and looking for the entry ANTIVRUS.SYS. If it finds this it loads three more sectors (presumably this file), starting at 8000. It checks that each starts with a particular word before loading the next. If it is happy it jumps to the start of the file. Otherwise it loads a sector from one past the last sector of the partition, writes it to the MBR and warns "File C:\ANTIVRUS.SYS is invalid or not found! Press a key!" When the user replies it runs the rewritten sector. Presumably this is a copy of the original MBR. It is not clear whether the program ANTIVRUS.SYS includes a copy of the MBR, or whether it loads it from the end of the partition. What is clear is that it does not bother to check it for viruses before saving it, and that if it is installed on an infected PC it hides the virus very effectively! Roger Riordan Author of the VET Anti-Viral Software. riordan.cybec@tmxmelb.mhs.oz.au CYBEC Pty Ltd. Tel: +613 521 0655 PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727 ------------------------------ Date: 04 Feb 93 13:40:00 -0600 From: "WEINBERG RAINA" Subject: Micheangelo Virus (PC) I am writing an article for our Campus Paper on the Micheangelo Virus could someone please send me any inforamtion they have on this. Thank You, Rai. - -- _______________________________________________________________________________ "Hold on tight you know she's a little R A I bit dangerous, She's got what it takes Raina Weinberg to make ends meet the eyes of a lover _Memphis State University_ that hit like heat. You know she's Memphis, Tn USA a little bit dangerous." _ROXETTE_ MCSWEINBERG@MSUVX1.MEMST.EDU _______________________________________________________________________________ ------------------------------ Date: 04 Feb 93 23:23:57 +0000 From: bgroen@metz.une.edu.au (Bernie Groen) Subject: Zerotime/Slow virus (PC) Need help,have a virus Norton antivirus 2.1 calls it SLOW, Fprot 2.07 calls it a varient of Zerotime neither one will remove it. Scan 100 does not see it at all. Anyone have any idears on how to get rid of this problem. So far 4 machines have been infected. Thanks for any help. *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* - - Bernie Groen - * University of New England * - - Armidale NSW 2351 - * Australia. * - - * * bgroen@metz.une.edu.au - *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ------------------------------ Date: Fri, 05 Feb 93 09:20:49 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Virus scan on a compressed drive (PC) >From: wongja@ecf.toronto.edu (WONG JIMMY PAK-YEN) >I'm considering getting some sort of disk compression utility for my >PC (such as Stacker). Are virus scan programs still able to detect a >virus on a compressed hard drive? Presently, when I download some ZIP >files, I SCAN the disk containing the zipfile, unzip the files onto my >hard disk, and scan the unzipped files. Will this still work on a >compressed drive? This is a common concern and the answer is that compressing a drive using those compression mechanisms I have seen (Stacker, SuperStor) does not pose a problem to virus scanners with two exceptions: a) If the scanner uses Int 25 to examine the DOS Boot Record (not the MBR) it may pick up the special BR that the compression routine attaches to its "phantom" drive. If this occurs, a DBR virus such as the MusicBug could be missed (but a good scanner would find it in memory and booting from floppy without the compression driver would also). b) If the scanner bypasses DOS (using direct BIOS reads) to defeat stealth viruses, this will not work on a compressed drive. I have only seen one scanner with this feature and you can turn it off - in operation it is obvious since it only reports a limited number of files. Otherwise, scanners using DOS to open and examine the files will work just fine since the drive redirection is handled below the DOS level. Incidently, I regularly use disk compression on some of my PCs and it works very well. Warmly, Padgett ------------------------------ Date: Fri, 05 Feb 93 18:47:40 +0000 From: mcafee@netcom.com (McAfee Associates) Subject: Re: Virus scan on a compressed drive (PC) Hello Jim, You write: >Hi, > >I'm considering getting some sort of disk compression utility for my >PC (such as Stacker). Are virus scan programs still able to detect a >virus on a compressed hard drive? As long as you have the device driver(s) necessary to access the Stacker compressed volume running on your PC you should have no problems checking the volume for viruses. This should apply to all anti-viral software, not just VIRUSCAN. > Presently, when I download some ZIP >files, I SCAN the disk containing the zipfile, unzip the files onto my You do not need to run VIRUSCAN until after you have unzipped the .ZIP file. >hard disk, and scan the unzipped files. Will this still work on a >compressed drive? Yes. > Besides uncompressing onto a floppy first and >scanning the floppy(too inconvenient!), what other options are there? You could set up a RAM disk and uncompress to that. It is much faster to scan a RAM disk then a floppy disk. > >Thanks in advance, >Jim Regards, Aryeh Goretsky Technical Support - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | mcafee@netcom.COM Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95054-3107 USA | USR HST Courier DS | or GO MCAFEE Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR ------------------------------ Date: Fri, 05 Feb 93 23:01:17 +0000 From: rflood@cis.umassd.edu (Richard M. Flood) Subject: Re: NAV questions (PC) balog@eniac.seas.upenn.edu (Eric J Balog) writes: >Hi! I have two questions: >1) I have NAV 2.0 (included w/ NDW 2.0), and I just downloaded >nav20a10.exe from dorm.rutgers.edu. Does my version of NAV now check >for all of the viruses that NAV 2.1 checks for? (mine checks for 451 >viruses/1159 strains) >2) Last week, someone posted a message comparing the effectiveness of >several anti-virus programs. Can anyone tell me how NAV rates as >compared to other anti-virus programs? Their is a hypertext program that is all about viruses. It conyains a list of most of the known viruses, how to find them, how to get rid of them, andit has a section of how all the diffrent virus programs rate. As far as I know Macafee SCAN gets a score of 90% and NAV gets a score of 65%, this is just from memory but you can find out yourself by ftping vsumx###.zip ( the numbers are the most current version I think it is 212 ) from most of the better ftp sites. ------------------------------ Date: 05 Feb 93 23:38:54 +0000 From: victor@ccwf.cc.utexas.edu (V Menayang) Subject: CMOS virus? (PC) I wonder if a virus can erase the information stored in CMOS? If it can, what virus/viri known to work this way? The reason I am asking these questions is that the computer repair person we took our Grid system machine to claimed that our problem (floppy drive wouldn't refresh) is caused by a virus. I don't know much about virus but the claim sounds suspicious because he said that the virus is [stoned]. Thank you for any advice/information on this. Victor Menayang - -- - ------------------------------------------------------------- Victor Menayang victor@ccwf.cc.utexas.edu ============================================================= ------------------------------ Date: Fri, 05 Feb 93 08:20:20 -0600 From: John Perry Subject: New files on phil (PC) - -----BEGIN PGP SIGNED MESSAGE----- Hello Everyone! FP207.ZIP has been made available on phil.utmb.edu (129.109.9.23). It is located in the pub/virus-software/pc directory. If you have any problems or questions, contact me by email at perry@phil.utmb.edu - - -- John Perry - perry@phil.utmb.edu (129.109.9.22) PGP Public Key available by fingering perry@phil.utmb.edu - -----BEGIN PGP SIGNATURE----- Version: 2.1 iQCVAgUBK3J3gFoWmV4X/7GZAQEQDQQAqLX46WW7KiFgCvtv3LGCikDOoLSg8QoV 7uJtlUwCa/CLiS+5e2MTPppJa4o7Tb6EZLjOapnbukhSnblzjJpPXHvF79g1Audv 9AugLycWLbKniZaRTQctB9UZMsl6GUG9li2Jp5I9tfADeVtQioIj0bErOzPL/Bzq D3ug1VkUbuU= =93To - -----END PGP SIGNATURE----- ------------------------------ Date: Fri, 05 Feb 93 16:31:43 -0800 From: rslade@sfu.ca Subject: Worm wannabe - "WANK" (CVP) HISVIRU.CVP 921215 Worm Wannabe - "WANK" In October of 1989, another network worm was found to be making the rounds -- on VMS machines connected through DECnet. While even to this day there is considerable debate as to Morris' intentions with regard to the Internet Worm, for the "WANK Worm", as it is known, there is no such ambiguity. WANK was intended for propaganda, plain and simple. WANK used a number of features similar to those of the Internet Worm. Mail was used to spread the worm from system to system, and "standard defaults" (in this case "system" and "field service" accounts and passwords) were used to try to get the worm running on a new machine. In addition to guessing system passwords, the WANK worm also attempted to change them. As the program would have no further use for them, once started, this would appear to have been directed at inconveniencing the system operator. The message carried by the worm spoke of "Worms Against Nuclear Killers" and announced that the infected system had been "WANKed", as well as displaying a "text graphic" of WANK. It also contains the quotation "You talk of times of peace for all, and then prepare for war". Obviously the author had believed the reports of the Internet Worm which had spoken of massive numbers of military computers being affected. Ironically, few, if any, of the people who saw the WANK worm's message would have had anything to do with the military. Some aspects of the worm were just plain obnoxious, such as appearing to delete all of a user's files, and paging users with the PHONE program. A few weeks later, a second VMS/DECnet worm was released, with very few changes from the original WANK. This "knock-off of a knock-off of a knock-off" tends be the more the rule than the exception in virus research. Of the thousands of MS-DOS viral programs, the vast majority result from "bit twiddling" in an attempt (often less than entirely successful) to fool scanners. In the end it often means nothing more than more, and more boring, work for the authors of scanning programs. copyright Robert M. Slade, 1992 HISVIRU.CVP 921215 ============= Vancouver ROBERTS@decus.ca | Life is Institute for Robert_Slade@sfu.ca | unpredictable: Research into rslade@cue.bc.ca | eat dessert User p1@CyberStore.ca | first. Security Canada V7K 2G6 | ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 21] *****************************************