From lehigh.edu!virus-l Thu May 27 08:12:08 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Thu, 27 May 93 20:41:34 1 for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA24534; Thu, 27 May 1993 18:30:55 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA17655 (5.67a/IDA-1.5 for ); Thu, 27 May 1993 12:12:08 -0400
Date: Thu, 27 May 1993 12:12:08 -0400
Message-Id: <9305271510.AA15923@agarne.ims.disa.mil>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: virus-l@agarne.ims.disa.mil
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: VIRUS-L Moderator
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #86

VIRUS-L Digest   Thursday, 27 May 1993    Volume 6 : Issue 86

Today's Topics:

EICAR'93 Call for Papers
re: VMag Issues 1 & 2
Re: VMag Issues 1 & 2
IDES-of-March Virus Conference
Battery Backuped Virus ? (PC)
re: Cansu or V-Sign virus (PC)
Re: Macafee v104 reported virus in memory (PC)
Re: F-Prot 2.07 (PC)
Ghost of Lacatedral? (virus?) (PC)
help needed with Stoned [Michaelangelo A] in partition table (PC)
re: Haifa (PC)
"DIR" infection, or "Can internal commands infect" (PC)
DOS6 Double Space and DOS Boot Sector Viruses (PC)
Catalogger v0.9 (PC) is ready.
Gotta Monkey on My Back!!! (PC)
Re: Cure against Tremor available? (PC)
The Anti-Viral Software of MS-DOS 6 (PC)
Macfee v104 reported virus in memory (PC)
Re: The Anti-Viral Software of MS-DOS 6 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on cert.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g.,
comments, suggestions, beer recipes) should be sent to me at:
krvw@AGARNE.IMS.DISA.MIL. All submissions should be sent to:
VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 29 Apr 93 11:19:07 +0100
From: amn@ubik.demon.co.uk (Anthony Naggs)
Subject: EICAR'93 Call for Papers

CALL FOR CONFERENCE PAPERS AND PARTICIPATION

eicar CONFERENCE '93

When?                 December, 1st - 3rd 1993
Where?                St. Albans, Hertfordshire, England
The Occasion:         4th Annual Eicar Conference
Submission Deadline:  31st May 1993

Following a successful event in Munich last year, the European
Institute for Computer Anti-Virus Research (eicar), is holding its 1993
Conference on 1st - 3rd December.

Eicar is an independent organisation supporting and co-ordinating
European activities in the areas of research, control and prevention of
computer viruses and related security compromising sabotage software.

The conference will bring together users of computers and the world's
leading experts and authorities in the anti-virus field along with the
writers of anti-virus products that you are using such as Fridrik
Skulason of Frisk - F-Prot, Joe Wells of Symantec - Norton Anti-Virus
and Alan Solomon of S&S International - Dr Solomon's Anti-Virus Toolkit.
The conference covers all aspects of computer viruses and other
malicious software including the following:-

- virus trends                  - anti-virus technology
- infection recovery tools      - anti-virus product selection
- network security              - system security
- backup measures               - risk assessment
- corporate strategies          - disaster recovery plans
- case studies                  - educational tasks
- impact on technology          - epidemiology
- forensic procedures           - legal aspects
- social implications           - ethics

Tutorial Day - is an optional tutorial on computer viruses and similar
               software threats
Day One      - will carry two tracks covering state-of-the-art
               information
Day Two      - continues the two tracks and concludes with a panel
               discussion

Call for Exhibitors

Whether or not you are considering speaking at the conference, you
should at least be investigating the sales and marketing opportunities
available at the exhibition. For further information on exhibiting at
the conference, please contact Rebecca Pitt at the address below.

Submissions of draft papers and panel proposals should be received by
Friday, 31st May 1993. Please send your conference papers in ascii or
Word for Windows, to the following address:-

Miss Alison Sweeney                    Tel: +44 442 877877
Conference Manager                     Fax: +44 442 877882
S&S International Limited              CIX: Sands@cix.compulink.co.uk
Berkley Court, Mill Street
Berkhamsted, Herts HP2 4HW, England

------------------------------

Date: Wed, 26 May 93 14:21:05 -0400
From: 96scsc@dylan.af.mil (Henry B. Tindall)
Subject: re: VMag Issues 1 & 2

THE GAR writes:

>the bomb. He suggested I contact an agent in my area, but told me the

Good idea. Even if the FBI can't stop this type of activity, it is a
red flag of sorts. Their computer crime division is a lot more active
than you'd think. I'd be willing to bet that while you're reading this,
an agent is checking the background of subscribers....

>attorney general's office would have to decide whether there was a
>case, but he didn't think there was. The editor of Chaos Digest is a
>member of the EFF, (the electronic version of the ACLU), so I would
>bet that anyone who messes with him would get a lawsuit.

The editor is not the worry. It's the bozos in the field who put this
kind of information to use that scare the %^&*@# out of me. If one
subscriber gets caught, though, the rest will get the idea that big
brother IS watching. Without a demand for his service, he'll fall by
the wayside (hopefully). <:^)

/------------------------------------------------------------------------\
|Henry B. Tindall, Jr.                | "Intuition is Logic without the  |
|NCOIC, Small Computer Support Center |  confines of Language"           |
|Dyess AFB, TX 79607-1266             |                    -- Henry B.   |
\------------------------------------------------------------------------/

------------------------------

Date: Thu, 27 May 93 03:44:32 -0400
From: rol@grasp1.univ-lyon1.fr (Paul Rolland)
Subject: Re: VMag Issues 1 & 2

bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
>
> THE GAR (GLWARNER@samford.bitnet) writes:
>
> [Stuff Deleted]
>
> As I mentioned, he lives in France and I bet that he doesn't give a
> dime about the US laws, be them Federal or not... However, the French
> have some laws limiting the use of encryption (anybody from France
> care to comment?). One could try to argue that the published documents
> contain encrypted stuff (the debug scripts, the encrypted viruses) and
> try to make the French government take some action, but I'm not
> holding my breath...
>

Well, I've found the Chaos Digest mentioned, and had a look at it...
Too bad, but the only things that could be considered as encrypted are
some source of viruses in a debug form.

Concerning encryption, if my memory is good (you can doubt about it if
you want), you can't transfer encrypted data on a public media (phone
lines for example) without an authorization from the government.
Of course, they never controlled what is exchanged by BBS, and for sure
people are mainly transferring ZIPped files... but this is not
encrypted.

However, I don't think that it could be possible to prevent the
diffusion and the publication of such a magazine in France.

Paul Rolland

A bug can be changed to a feature by documenting it. Developers know !

------------------------------

Date: Thu, 27 May 93 04:08:13 -0400
From: "Roger Riordan"
Subject: IDES-of-March Virus Conference

On 7th April dklefkon@well.sf.ca.us (Richard W. Lefkon) wrote

> ........
> As some know, the way the conference is run is being reorganized
> from the ground up. This process is not yet finished. When it
> is, the overall plan for March 1994 in New York will be made
> available to interested parties.

On 13th April he wrote to me

> ... When you receive your Proceedings in a few weeks, .....
> ... As you have probably been told, I will most likely not be
> the person organizing the program for 1994.

On 16 April jsb@well.sf.ca.us (Judy S. Brand) wrote

> It appears that someone who had been on the 1993 New York
> "Ides of March" program committee mistakenly reported to
> Virus-L that there were no significant changes for 1994.
>
> The person does not seem to have read my letter last week
> to "Ides of March" attendees. It contained this announcement:
>
> "Next year, for the first time, the specialists
> on our greatly expanded Program Committee will
> take complete charge of organizing the presen-
> tations and sessions."

So the significant changes are that:

1. We will have a bigger committee, with even greater potential for
   chaos.

2. Dick Lefkon will no longer officially be in charge, but Judy Brand
   (who we understand is Dick's wife) will continue to act as
   Conference Chair.

Each delegate to the recent conference paid a registration fee ranging
from $325 to $425.
If we add a conservative $200 for accommodation and travel, and $400
for two days pay, and we assume that there were 500 paying delegates
(in the absence of any reliable information on the subject) the total
cost of this conference was almost certainly well in excess of
$500,000.

If any individual had paid this amount for a service which failed as
spectacularly as this conference did they would certainly take legal
action. Unfortunately it would be difficult to establish just how much
loss the delegates had suffered, and difficult for any individual to
take action.

However the registration form clearly stated "Registration includes
Proceedings, ... ". As these are valued (by the organisers) at $100 per
copy, the organisers are in clear breach of contract to the tune of
something like $50,000.

It is now 11 weeks since the conference, when we were promised we would
receive them "Tomorrow", then "they will be posted first thing next
week", and 7 weeks since I was promised them "in a few weeks", but
still no one has received them.

Despite all this Ms Brand appears to think that the organisers can make
a few cosmetic changes and continue as before.

Is there anyone, or any organisation, who/which is in a position to
ensure firstly that the organisers meet their legal obligations with
respect to the Proceedings, and secondly that they are not permitted to
attempt to repeat this fiasco?

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                Tel: +613 521 0655
PO Box 205, Hampton Vic 3188  AUSTRALIA  Fax: +613 521 0727

------------------------------

Date: Wed, 26 May 93 09:38:45 -0400
From: tyjori@uta.fi (Johan Rimminen)
Subject: Battery Backuped Virus ? (PC)

I thought ; is that possible to have battery backupped virus ?

As I know there are some unallocated memory for setups and chipset use.
Moreover, as I recall Chip&Techs chipset have over 30 kb "free" memory.

Just for curiosity.
-jr
tyjori@uta.fi

------------------------------

Date: Wed, 26 May 93 10:44:52 -0400
From: "David M. Chess"
Subject: re: Cansu or V-Sign virus (PC)

>From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)

>unlike other BOOT or
>MBR infectors this virus does not keep a backup of the original sector.
>Therefore in some cases an infected disk will not boot, and it will not be
>possible to access it with normal means.

Perhaps you're thinking of the Azusa virus? The CANSU keeps a copy of
the original boot record (more specifically, of the 40 bytes of it that
it alters), and uses it to boot the machine normally once it has run.
The main oddish thing about CANSU is that it's slightly polymorphic
("oligomorphic"), which is unusual for a boot virus.

DC

------------------------------

Date: Wed, 26 May 93 12:11:17 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Macafee v104 reported virus in memory (PC)

davids@software.mitel.com (David So) writes:

>How can I clean up these virus? Shutdown the system does not seem
>to work.

You probably don't have a virus. Removing VSAFE will do the trick - it
leaves various virus fragments in memory, and one of them just happens
to match the search pattern SCAN uses. I suggest you complain to
Microsoft about the problem, as this is entirely their (and Central
Point's) fault.

-frisk

--
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date: Wed, 26 May 93 12:13:31 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: F-Prot 2.07 (PC)

bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>But it's a cute idea to verify both the compressed and uncompressed
>image of the file and to accept any of them - maybe more producers of
>anti-virus software should become to implement it.
I cannot do that and will not - I append certain information to
F-PROT.EXE after it is compressed, and I need to be able to change it
later. I am not willing to open up what I consider a loophole, by
allowing F-PROT to be run uncompressed.

-frisk

--
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date: Wed, 26 May 93 15:27:08 -0400
From: ma@id.com (Mary Anne Walters)
Subject: Ghost of Lacatedral? (virus?) (PC)

Anyone have any info/experience with a Colombian virus called
Lacatedral (or maybe La Catedral?)

Thanks
Mary Anne
******************************************************************************

------------------------------

Date: Wed, 26 May 93 22:49:55 -0400
From: robert@arbo.microbiol.uwa.oz.au (Robert Coelen)
Subject: help needed with Stoned [Michaelangelo A] in partition table (PC)

The problem: f-prot (2.08) reports Stoned [Michaelangelo A] in the
partition table and says this version cannot remove the virus

machine: 486, Award Bios (i think 1991), Caviar 120 Mb HD (Seagate)

I have tried a range of things, such as fdisk, delete partition,
reestablish partition, etc : all to no avail

I need some help !!

*---------------------------------------------------------------------*
Robert Coelen                         | from the land   d   r
Dept of Microbiology                  |                 o   e
The University of Western Australia   |                 w   d
Nedlands, 6009                        |                 n   n
robert@arbo.microbiol.uwa.edu.au      |                   u
*---------------------------------------------------------------------*

------------------------------

Date: Thu, 27 May 93 07:44:20 +0000
From: wolfgang.stiller@rose.com (wolfgang stiller)
Subject: re: Haifa (PC)

REYNOLAP@snybufva.bitnet (Paul Reynolds) writes:

PR>We have several PC labs here at Buffalo State College. Yesterday one
PR>lab with 10 machines was infected with Haifa-Family2(w)G.
PR>This virus was in the Printer.sys file in the DOS subdirectory. I was
PR>able to clean the 10 machines using the latest version of Virex. Does
PR>anyone know what this virus does?

I'm not sure exactly which variant of Haifa VIRx is announcing but
Haifa and its variants are polymorphic file infectors with a
destructive activation. (Polymorphic means that Haifa hides from
scanners by using the variable encryption technique now made more
famous in the MTE and initially seen in Casper and the V2Px series).
I'll describe the original Haifa here in some detail.

It is a resident infector of .COM and .EXE files. It will not infect
overlay or .BIN or .SYS files. Haifa appears to add between 2350 and
2400 bytes to each file. Its first action is to locate the command
interpreter (eg. COMMAND.COM) via the COMSPEC= environment variable.
Haifa is memory resident but no change to available memory will be
visible using MEM or CHKDSK. If a large program is loaded, the PC will
probably hang because the virus code is overlaid. After infecting the
command interpreter, Haifa will infect files in the current directory
and files in directories on the DOS path.

On Aug 24th or Apr 8th, the virus will display several lines of text
beginning with:

    HAIFA VIRUS V1.12 WRITEN BY ........

The PC will then hang. The virus will overwrite the first 76 bytes of
any .ASM file with code to overwrite track zero of the first hard
drive. Any .PAS files will have the first 23 bytes overwritten by:

    CONST VIRUS= "HAIFA";

.TXT or .DOC files will have the following text planted near their
center:

    OOPS! Hope I didn't ruin anything!!!
    Well, nobody reads those stupied DOCS anyway!

(note the spelling of stupid;)

When executed, the virus seems to infect from two to four programs, but
will eventually infect all programs. This virus has no stealth
capabilities and can be picked out quickly by using any directory
listing program.
When Haifa infects a file, it will set the minutes field of the time
stamp to an even value (it clears the 0 bit) and it will set the
seconds field to 38. Unusual numbers of programs with seconds set to 38
are a possible indication of this virus.

Regards, Wolfgang Stiller Research, 2625 Ridgeway St., Tallahassee, FL 32310 U.S.A.

--- SLMR 2.1a RoseMail 2.10 :

------------------------------

Date: Thu, 27 May 93 04:08:46 -0400
From: "Roger Riordan"
Subject: "DIR" infection, or "Can internal commands infect" (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) wrote, in reply to
Vesselin Bontchev:

>> Finally, the DIR command causes various parts of the examined disk(s)
>> to be read in memory, and in particular - the boot sector.

> Just add here:
> On the *first* time a floppy is accessed the bios attempts to read
> the boot sector sometimes for several times if the read has
> failed (resetting the floppy drive between attempts).
> Later the Boot-sector is read once (or not at all) on each floppy access.
> The aim of this is to read the BPB (Bios Parameter Block) holding the
> information of how to read this floppy.

Whenever you attempt to access a disk drive DOS first checks the status
of the door open line. If the door has been opened since the last disk
access DOS then reads the FAT. If this does not match the last disk
read (or if the read fails) DOS then reads the disk boot sector. If
this fails DOS will reset the drive and try again several times.

Thus, in the normal state of affairs, the boot sector of each floppy is
read just once. This READ is usually preceded by an attempt to read the
FAT and this is preceded by a call to Int 13 to check the door opened
status.

I think this sequence is followed for DOS 3 on (but won't swear to the
door status call for DOS 3).

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                Tel: +613 521 0655
PO Box 205, Hampton Vic 3188  AUSTRALIA  Fax: +613 521 0727

------------------------------

Date: Thu, 27 May 93 04:09:29 -0400
From: "Roger Riordan"
Subject: DOS6 Double Space and DOS Boot Sector Viruses (PC)

Other writers have reported that MBR infectors behave normally under
DOS 6, but it was not clear what effect Double Space would have on
viruses which infect the DOS Boot Sector on the hard disk.

First we established

1. Under Double Space the original drive C is normally accessible as
   drive H.

2. Int 13 Sect 1, Head 1, Track zero will always return the true DOS
   boot sector.

3. Int 25 sect 0, Drive H will return the true (standard DOS 5) boot
   sector.

4. Int 25 sect 0, Drive C will return a dummy boot sector. This
   contains a copy of the size info, and is also standard DOS 5, but
   contains the text MSDSP6.0 in the OEM field, and DBLSPACE as the
   volume label.

For our tests we used AntiCad, which infects both files and DOS boot
sector. We were only able to infect the hard disk DOS boot sector by
running a file on drive H, after running an infected file (from
floppy), so the virus was in memory.

If we checked the boot sector on drive C, using Int 25, we got the
standard (clean) DOS dummy, but we were able to detect the virus in the
drive H boot sector. We were able to recover and replace the original
boot sector in the normal way, after disabling the virus in memory.

AntiCad infected executable files in the normal way, but the system
crashed quite often when we first ran an infected file. We could not
establish a pattern (though at one stage I thought it was every 2nd
boot!) The crash probably occurred when the virus attempted to infect
the DOS BS, as it only occurred when the first file was run.

Once the boot sector was infected the virus was activated normally when
the PC was rebooted.
In summary Double Space will significantly reduce the risk of
multi-partite viruses infecting the hard disk DOS boot sector (as
relatively few files will be run from drive H), but may confuse
attempts to check the boot sector using Int 25.

(All this is somewhat academic, as not many viruses infect the DOS boot
sector. Form is the only one I can think of that is at all common.)

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                Tel: +613 521 0655
PO Box 205, Hampton Vic 3188  AUSTRALIA  Fax: +613 521 0727

------------------------------

Date: Thu, 27 May 93 08:35:53 +0000
From: steinael@ifi.uio.no (Steinar Eliassen)
Subject: Catalogger v0.9 (PC) is ready.

The last test version of Catalogger, v0.9, is now ready.

Catalogger generates a catalog of all the files on the hard disk,
together with a checksum calculated using all bytes in the file. It can
also compare this catalog with files on the hard disk, and will detect
any changes in the files.

This program is, of course, free, and v1.0 will come with source code
in BC/C++ v3.1. The program is mainly made to stop unknown viruses.

If you leave me a note, I will send you this program in uuencoded
format.

/Steinar.

------------------------------

Date: Thu, 27 May 93 05:33:31 -0400
From: cxf12@po.CWRU.Edu (Christopher Fenton)
Subject: Gotta Monkey on My Back!!! (PC)

Has anyone dealt with the "Monkey" virus before???? It has taken up
residence in the boot sector of several of my machines and I'm trying
to establish an appropriate cure, but I can't find any references to it
in the literature. Any help would be greatly appreciated. Pertinent
e-mail is always welcome.

C. H. Fenton

--
Christopher H. Fenton          "Aw, Tipper come on,
cxf12@po.cwru.edu               Ain't ya' been getin' it on???
AIS Computer Operations         Ask Ozzie, Zappa or me
Case Western Reserve Univ.      We'll show what it's like to be free"

------------------------------

Date: Wed, 19 May 93 21:34:00 +0200
From: Robert.Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: Cure against Tremor available? (PC)

DE> is there any new development re: disinfection of the Tremor virus? Are
DE> there antiviral programs by now which can handle this beast?

TBCLEAN from TBAV-package is able to clean TREMOR-infected files.
F-PROT 2.08 finds it.

I myself wrote a finder+cleaner : ANTISER.ZIP, frequestable. It
disinfects TREMOR-infected files just at the moment, they are started.
No danger for re-infection anymore. Does not work on packed files !

If you need more information : ask.

Ciao, and best regards,
Robert

---
 * Origin: Virus Help Service Karlsruhe, 49-721-821355 (9:492/2170)

------------------------------

Date: Thu, 27 May 93 08:36:21 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: The Anti-Viral Software of MS-DOS 6 (PC)

I am not going to try to improve on Mr. Radai's masterful evaluation of
MSAV, rather I would like to point out that its shortcomings represent
an opportunity rather than a problem.

First, the lack of any boot sector checking in MSAV. I would like to
point out that my FREEWARE (if I can't get rich, I'll settle for glory
8*) FixMBR with the SafeMBR code is entirely compatible with MS-DOS
6.0/MSAV. True this does not protect 100% since the boot record is
still exposed (I bogged down on a "universal" boot record but SMBR type
checking for DOS 4-5-6 boot records would be easy, possibly in FixUtil6
(once I get the bottom six inches of stucco off my house, finish
painting it, and get the a/c working in the Judge).

As far as the easy disable in memory as documented widely, a tiny TSR
(uses no free RAM) could disable the disabler just as easily.
Finally, given that the signatures are distributed separately, what is
to stop an enterprising person from distributing their own signature
update for use with MSAV having a much higher detection rate (for a
suitable fee of course) ?

Thus the question must be not "whether MSAV is the One True Answer" but
"*could* it be ..." e.g. is the engine robust enough ? Certainly,
Windows is not without its share of problems but still is used by many
as a "start".

Now let's look on the positive side: MSAV is at least trivially
integrated into DOS. I haven't tried it yet but would expect it to be
compatible with disk compression and Windows 32BitDiskAccess (possibly
why the boot sector component is disabled in VSAFE). One would have
expected MS to have checked it against necessary functions that we do
not know about (yet 8*).

In other words, the hard part (nice human interface & it works) is done
and the a-v people can concentrate on improving the detection rate plus
the low level add-ons.

There are some drawbacks that I know of. For instance you can take a
looong coffee break while waiting for the memory scan on a 4.77 Mhz PC
or XT but this is fixable or possibly no-one will care.

Already I can see this happening. STAC (mfr of STACKER) has announced a
set of tools for DBLSPACE (which desperately needs help) & I expect
they'll make a bundle. To me MSAV represents the same opportunity & the
only question is: "Who will it be" ?

Warmly,
Padgett

ps STAC also quietly announced availability of STACKER for OS/2 on
p 170 of the May 24 PC-Week. Did anyone else notice ?

------------------------------

Date: Thu, 27 May 93 09:48:05 -0400
From: davids@software.mitel.com (David So)
Subject: Macfee v104 reported virus in memory (PC)

McAfee v104 scan does not recognize the DOS 6.0 vsafe (dos vshield).
When I unloaded it from the memory, everything is fine.

Thanks/david

--
David Y. So     Mitel Corporation          Phone: 613-592-2122 x3018
                350 Legget Drive, Kanata   Fax  : 613-592-4784
                Ontario, Canada K2K 1X3    Email: david.so@Software.Mitel.COM

------------------------------

Date: Thu, 27 May 93 10:26:10 -0400
From: Y. Radai
Subject: Re: The Anti-Viral Software of MS-DOS 6 (PC)

In connection with the following passage in my article:

>> For years users complained that
>>they could not use any other scanner after CPAV, since it did not bother to
>>encrypt its scan strings, thus causing other scanners to detect its strings in
>>memory buffers or in the CPAV.EXE and VSAFE.COM files themselves, and producing
>>false alarms. My tests indicate that this problem has finally been corrected,
>>but it has taken much too long.

Frisk writes:

>Unfortunately no...Here is for example one report I received yesterday from
>one of my largest users:
>
>>I have encountered interaction between DOS V6.0's VSAFE and McAfee V104 and
>>F-Prot 2.08a
>>
>>If I have VSAFE loaded McAfee says
>> Found the Israeli Boot [Iboot] Virus active in memory
>>
>>F-Prot says
>> Stoned
>>
>>DOS V6 Antivirus show no viruses. (Fine I know the DOS V6 is the 'weakest'
>>scanner of the bunch)
>
>A similar problem happens with Turbo Anti-Virus and CPAV. In MSAV's case it
>seems to depend only on *how* VSAFE is loaded into memory.

I do not notice any behavior like that described above when I use
McAfee's Scan V102, S&S's FindViru 6.18, or UTScan 28. I find it only
when I run F-PROT after running MSAV. I then get the message "The
xxxxxx virus search pattern has been found in memory" (where xxxxxx is
"Telecom", unless VSafe is loaded in extended memory, in which case
xxxxxx is "Stoned"). I therefore think that the problem lies with
F-PROT rather than with MSAV or VSafe in this particular case.

I would like to take this opportunity to mention an error and a few
typos in my article as published here on Tuesday:

Section "MSAV", paragraph 2, lines 5-6: "main menu" should be "Options
menu".
Section heading "SECURTTY HOLES" should obviously be "SECURITY HOLES".

Section "MSAV", paragraph 5, delete the right parenthesis at the end of
the paragraph (after "Anthrax").

In the section "CONCLUSIONS AND CONJECTURES", entry "INTEGRITY
CHECKING", line 2, please delete the blank before the words "On
files,".

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 86]
*****************************************
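
Added example, not part of the digest or of any poster's code: the timestamp indicator from the Haifa message above (seconds set to 38, minutes even, on .COM and .EXE files) checked against raw FAT directory entries. The sample directory, the `min_hits` and `min_ratio` thresholds and all function names are assumptions made for this illustration.

```python
"""Flag the Haifa timestamp marker (seconds == 38, even minutes) in a FAT directory."""
import struct
from dataclasses import dataclass

# 32-byte FAT12/16 directory entry: name, ext, attr, reserved, time, date, cluster, size
ENTRY = struct.Struct("<8s3sB10sHHHI")
EXECUTABLE_EXTS = {"COM", "EXE"}   # file types the post says Haifa infects


@dataclass
class DirEntry:
    stem: str
    ext: str
    hour: int
    minute: int
    second: int

    @property
    def name(self):
        return f"{self.stem}.{self.ext}" if self.ext else self.stem


def parse_directory(raw):
    """Decode the live file entries from raw directory sectors."""
    entries = []
    for off in range(0, len(raw) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, _, time_word, _, _, _ = ENTRY.unpack_from(raw, off)
        if name[0] == 0x00:                  # never-used slot: end of directory
            break
        if name[0] == 0xE5 or attr & 0x18:   # deleted, volume label or subdirectory
            continue
        entries.append(DirEntry(
            name.decode("ascii", "replace").rstrip(),
            ext.decode("ascii", "replace").rstrip(),
            time_word >> 11,                 # bits 15-11: hours
            (time_word >> 5) & 0x3F,         # bits 10-5: minutes
            (time_word & 0x1F) * 2,          # bits 4-0: seconds in 2-second units
        ))
    return entries


def haifa_marked(entry):
    """True when a program carries the marker described in the post."""
    return (entry.ext in EXECUTABLE_EXTS
            and entry.second == 38
            and entry.minute % 2 == 0)


def assess(entries, min_hits=3, min_ratio=0.10):
    """Return (marked programs, suspicious?). Thresholds are assumed values:
    one or two matches can be coincidence, an unusual number is the indicator."""
    programs = [e for e in entries if e.ext in EXECUTABLE_EXTS]
    hits = [e for e in programs if haifa_marked(e)]
    suspicious = len(hits) >= min_hits and len(hits) / len(programs) >= min_ratio
    return hits, suspicious


def make_entry(stem, ext, hour, minute, second):
    """Build one constructed directory entry (sample data only)."""
    time_word = (hour << 11) | (minute << 5) | (second // 2)
    date_word = ((1993 - 1980) << 9) | (5 << 5) | 27      # 27 May 1993
    return ENTRY.pack(stem.ljust(8).encode(), ext.ljust(3).encode(),
                      0x20, b"", time_word, date_word, 2, 4096)


# Constructed sample directory, not taken from any real disk.
SAMPLE_DIRECTORY = b"".join([
    make_entry("COMMAND", "COM", 12, 0, 38),
    make_entry("FORMAT", "COM", 5, 0, 0),
    make_entry("EDIT", "EXE", 14, 22, 38),
    make_entry("CHKDSK", "EXE", 9, 17, 38),               # odd minute: no marker
    make_entry("PRINTER", "SYS", 10, 10, 38),             # not .COM/.EXE: ignored
    b"\xE5" + make_entry("XCOPY", "EXE", 8, 2, 38)[1:],   # deleted entry
    make_entry("MEM", "EXE", 8, 44, 38),
    make_entry("README", "TXT", 11, 30, 12),
    bytes(ENTRY.size),                                    # end-of-directory slot
])

if __name__ == "__main__":
    marked, suspicious = assess(parse_directory(SAMPLE_DIRECTORY))
    for e in marked:
        print(f"{e.name:12} {e.hour:02}:{e.minute:02}:{e.second:02}")
    print("possible Haifa infection" if suspicious else "no unusual count")
```

A match is only a pointer for a closer look with a scanner: a clean file can carry the same time stamp by coincidence, which is why the check counts matches instead of flagging single files.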