WARNING FOR ThunderByte USERS
-----------------------------

If you run the ThunderByte virus scanner you MAY see one or more files
flagged by TBAV as 'probably' or 'might be' infected. This is a known
'FALSE ALARM'. Please see the attached email from Frans Veldman of ESaSS
confirming this.

The 'FALSE ALARM' only appears with the heuristic setting set to HIGH
(using the 'hr' switch on the TBAV command line; it can also be changed
from the TBAV.EXE menus).

CHEKMATE.EXE, MD5.EXE and SETUP.EXE are ALL protected by a polymorphic
security envelope system (Protect! COM/EXE from Jeremy Lilley). This
program is what TBAV is flagging, as it does use polymorphic code to
thwart hackers.

If this continues to be a problem, then I will probably remove that
'extra' level of protection as it appears to be causing more harm than
good.

I apologise if this is causing you any annoyance.

Regards,

Martin Overton

PS No other virus scanner I have tested has ever flagged ANY file in
this ZIP as infected. These include: F-Prot 2.18, McAfee Scan 2.2.0,
Dr Solomon AVTK 7.12 etc.

When TBAV is run in AUTO heuristic mode (without the 'hr' switch) you
SHOULD see the details below.

----------------------------------------------------------------------------
Thunderbyte virus detector v6.35 - (C) Copyright 1989-1995, Thunderbyte B.V.

TbScan report, 06-09-1995 10:54:49
Parameters: c:\temp\cm105d lo ln=c:\temp\cm105d\auto.log

** Unregistered evaluation version. Do not forget to register! **

Found 23 files in 1 directories, 8 files seem to be executable.
0 files were checked for changes, 0 files have been changed.
0 files are infected by one or more viruses
-----------------------------------------------------------------------------

When TBAV is run in HIGH heuristic mode (with the 'hr' switch) you
SHOULD see the details below.

-----------------------------------------------------------------------------
Thunderbyte virus detector v6.35 - (C) Copyright 1989-1995, Thunderbyte B.V.
TbScan report, 06-09-1995 10:54:24
Parameters: c:\temp\cm105d hr lo ln=c:\temp\cm105d\high.log

** Unregistered evaluation version. Do not forget to register! **

C:\TEMP\CM105D\1001.EXE      might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions which are not likely to be generated by
      an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\4001.EXE      might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions which are not likely to be generated by
      an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\CHEKMATE.EXE  might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   K  Unusual stack. The program has a suspicious stack or an odd stack.
   @  Encountered instructions which are not likely to be generated by
      an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\SETUP.EXE     might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   K  Unusual stack. The program has a suspicious stack or an odd stack.
   @  Encountered instructions which are not likely to be generated by
      an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\MD5.EXE       might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   G  Garbage instructions. Contains code that seems to have no purpose
      other than encryption or avoiding recognition by virus scanners.
   K  Unusual stack. The program has a suspicious stack or an odd stack.
   @  Encountered instructions which are not likely to be generated by
      an assembler, but by some code generator like a polymorphic virus.
C:\TEMP\CM105D\1001.COM      might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions which are not likely to be generated by
      an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\101.COM       might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions which are not likely to be generated by
      an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\4001.COM      might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions which are not likely to be generated by
      an assembler, but by some code generator like a polymorphic virus.

Found 23 files in 1 directories, 8 files seem to be executable.
0 files were checked for changes, 0 files have been changed.
8 files are infected by one or more viruses
-----------------------------------------------------------------------------

Below is the response from Frans Veldman of ESaSS:

-----------------------------------------------------------------------------
From @linux4nn.iaf.nl:Veldman@esass.iaf.nl Mon Jun 05 08:46:00 1995
Received: from punt.demon.co.uk by salig.demon.co.uk with SMTP
          id AA802341960 ; Mon, 05 Jun 95 08:46:00 BST
Received: from punt.demon.co.uk via puntmail for ChekMate@salig.demon.co.uk;
          Mon, 05 Jun 95 05:17:18 GMT
Received: from linux4nn.iaf.nl by punt.demon.co.uk id aa23614;
          5 Jun 95 6:16 +0100
Received: from uni4nn.iaf.nl (root@uni4nn.iaf.nl [193.67.144.33])
          by linux4nn.iaf.nl (8.6.9/8.6.9) with SMTP id HAA02674
          for ; Mon, 5 Jun 1995 07:23:59 +0200
Received: by uni4nn.iaf.nl with UUCP id AA08573
          (5.67b/IDA-1.5 for ChekMate@salig.demon.co.uk);
          Mon, 5 Jun 1995 07:16:45 +0100
Received: from esass.iaf.nl by iafnl.iaf.nl with UUCP id AA12194
          (5.65c/IDA-1.4.4); Mon, 5 Jun 1995 06:51:32 +0200
Received: by esass.iaf.nl (UUPC/extended 1.11n); Sun, 04 Jun 1995 12:17:26 dst
Date: Sun, 04 Jun 1995 12:17:25 dst
From: Frans Veldman
Message-Id: <2fd18837.esass@esass.iaf.nl>
Organization: Thunderbyte anti-virus (TBAV) support HQ
To: ChekMate@salig.demon.co.uk
Subject: Re: URGENT - Why is TBSCAN Flagging Clean Files!?
Status: R

On Fri, 2 Jun 1995 10:25:11 GMT, "ChekMate Support" wrote:

> Hi Frans,
>

Hi!

[Snip!]

The problem is known to us. It is also known to Jeremy Lilley.

Protect! encrypts the files using a VARIABLE encryption scheme. The
decryptor looks different every time. If you run Protect! twice on the
same identical file, the final result is different.

Because the result of Protect! is different every time you use it, it
sometimes creates a decryptor that is exactly the same as a decryptor
found in a certain polymorphic virus. The result is that some anti-virus
program(s) detect the protected file as a virus.
Sometimes by name, but sometimes it just looks very virus-like. Because
the result of Protect! is different every time, it is not possible for
us to recognize any Protect!ed file in advance and hence avoid false
alarms.

[Snip!]

In case you are wondering about the direct cause of the heuristic flags
of TbScan:

> #  Found a code decryption routine or debugger trap. This is common
>    for viruses but also for some copy-protected software.

Isn't this the truth? It applies perfectly to Protect!ed files.

> G  Garbage instructions. Contains code that seems to have no purpose
>    other than encryption or avoiding recognition by virus scanners.

This is also understandable.

> K  Unusual stack. The program has a suspicious stack or an odd stack.

This requires a little more knowledge to understand, but it is caused by
Protect! and it can easily be avoided by its author.

> @  Encountered instructions which are not likely to be generated by
>    an assembler, but by some code generator like a polymorphic virus.

Since the code that Protect! adds to the protected files is not created
by an assembler program or compiler but dynamically generated by
Protect!, it is also logical that TbScan raises this flag.

All of the above is *VERY COMMON* for viruses: about 50% of viruses raise
these flags, but very few innocent programs raise the same flags. This is
why TbScan says 'probably a virus', and not 'definitely a virus'.

[Snip!]

--
Thunderbye,
              Frans Veldman

= veldman@esass.iaf.nl           Phone (ESaSS)  + 31 - 8894 22282 =
= 2:282/222.0@fidonet            Fax   (ESaSS)  + 31 - 8894 50899 =
=                                Fax   (VirLab) + 31 - 59 182 714  =
= Ham radio: PE1PVX @ 430.050MHz NFM, 145.600MHz NFM DTMF-page 789 =
= PGP fingerprint: 8A 0F 36 90 29 6D 19 42 B7 8D 74 9A A7 E5 28 4E =
-----------------------------------------------------------------------------

*** END OF DOCUMENT ***
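The two TbScan reports reproduced in this note differ only in heuristic
level: the AUTO run reports nothing, the HIGH run reports eight files,
every one of them with the 'might be infected' heuristic verdict and a
handful of one-letter flags. The script below is an added example, not
code from ThunderByte, Protect! or CheKMate: it parses report text laid
out as in this note, groups the flags per file, separates files whose
flags are all of the kind an encryption envelope accounts for from any
file carrying something else, and lists what raising the heuristic level
added over the AUTO run. The embedded report extracts are taken from the
scans above (paths, verdicts and flag letters as printed, descriptions
shortened); the ENVELOPE_FLAGS set and the column layout are this
example's own assumptions.

```python
"""Triage helper for TbScan heuristic reports.

Added example, not ThunderByte, Protect! or CheKMate code.  The two report
extracts reproduce the AUTO and HIGH scans shown in this note (paths, verdicts
and flag letters as printed; descriptions shortened).  The column layout and
the ENVELOPE_FLAGS set are this example's own assumptions."""
import re
from collections import defaultdict

AUTO_REPORT = r"""
Parameters: c:\temp\cm105d lo ln=c:\temp\cm105d\auto.log
0 files are infected by one or more viruses
"""

HIGH_REPORT = r"""
Parameters: c:\temp\cm105d hr lo ln=c:\temp\cm105d\high.log
C:\TEMP\CM105D\1001.EXE      might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions not likely generated by an assembler.
C:\TEMP\CM105D\4001.EXE      might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions not likely generated by an assembler.
C:\TEMP\CM105D\CHEKMATE.EXE  might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   K  Unusual stack. The program has a suspicious stack or an odd stack.
   @  Encountered instructions not likely generated by an assembler.
C:\TEMP\CM105D\SETUP.EXE     might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   K  Unusual stack. The program has a suspicious stack or an odd stack.
   @  Encountered instructions not likely generated by an assembler.
C:\TEMP\CM105D\MD5.EXE       might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   G  Garbage instructions. Code with no purpose other than encryption.
   K  Unusual stack. The program has a suspicious stack or an odd stack.
   @  Encountered instructions not likely generated by an assembler.
C:\TEMP\CM105D\1001.COM      might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions not likely generated by an assembler.
C:\TEMP\CM105D\101.COM       might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions not likely generated by an assembler.
C:\TEMP\CM105D\4001.COM      might be infected by an unknown virus
   c  No checksum / recovery information (Anti-Vir.Dat) available.
   1  Found instructions which require a 80186 processor or above.
   @  Encountered instructions not likely generated by an assembler.
8 files are infected by one or more viruses
"""

FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+.*infected")
FLAG_LINE = re.compile(r"^\s+(?P<flag>[A-Za-z0-9@#])\s{2,}\S")
SUMMARY_LINE = re.compile(r"^(?P<n>\d+) files are infected")

# Flags an encryption envelope such as Protect! is expected to raise
# (assumption for this triage; 'c' only says no Anti-Vir.Dat record exists).
ENVELOPE_FLAGS = {"c", "1", "G", "K", "@", "#"}


def parse_report(text):
    """Return ({path: set(flag letters)}, count from the summary line)."""
    results, current, summary = defaultdict(set), None, None
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            current = m.group("path").upper()
            results[current]  # register the file even if no flags follow
            continue
        m = FLAG_LINE.match(line)
        if m and current is not None:
            results[current].add(m.group("flag"))
            continue
        m = SUMMARY_LINE.match(line)
        if m:
            summary, current = int(m.group("n")), None
    return dict(results), summary


def triage(flags_by_file):
    """Split files into 'explained by an envelope' and 'needs a look'."""
    explained, needs_look = {}, {}
    for path, flags in flags_by_file.items():
        target = explained if flags <= ENVELOPE_FLAGS else needs_look
        target[path] = "".join(sorted(flags))
    return explained, needs_look


def added_by_high(auto_text, high_text):
    """Files the HIGH run reports that the AUTO run did not."""
    auto, _ = parse_report(auto_text)
    high, _ = parse_report(high_text)
    return sorted(set(high) - set(auto))


if __name__ == "__main__":
    high, n = parse_report(HIGH_REPORT)
    explained, needs_look = triage(high)
    print(f"summary: {n} flagged, parsed {len(high)}, "
          f"explained {len(explained)}, needs a look {len(needs_look)}")
    for path in added_by_high(AUTO_REPORT, HIGH_REPORT):
        print(f"{path:32} {explained.get(path) or needs_look.get(path)}")
```

The check worth keeping from this is the comparison, not the verdict: a
file that appears only when the heuristic level is raised, carries only
envelope-type flags, and is absent from the AUTO run is consistent with
the false alarm described above, whereas a file that shows up in both
runs or carries a flag outside that set deserves a second scanner before
it is written off.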
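Frans Veldman's explanation rests on one property: Protect! emits a
different decryptor every time it runs, so neither a hash of the protected
file nor a fixed byte pattern can be used to recognise a Protect!ed file
in advance, while the heuristic flags fire on the shape of the code
regardless of who generated it. The toy model below is an added example,
not Protect!, TBAV or CheKMate code, and its "instructions" are abstract
(opcode, operand) byte pairs rather than x86 machine code. It wraps one
constructed payload twenty times with different seeds, shows that every
envelope and every decryptor differs while the unwrapped payload hashes
to the same value, and applies two structural checks modelled on the '#'
(decryption routine present) and 'G' (garbage instructions) flags quoted
above. All function and constant names are this example's own.

```python
"""Toy model of the 'variable encryption' envelope Frans Veldman describes.

Added example, not Protect!, TBAV or CheKMate code.  Each run draws a fresh
key, a fresh sequence of reversible byte operations and random garbage steps,
so the protected file differs every time even for identical input, while the
unwrapped payload is bit-for-bit stable.  The 'instructions' are abstract
(opcode, operand) byte pairs, not x86 machine code."""
import hashlib
import random

OPCODES = {0x01: "xor", 0x02: "add", 0xFF: "junk"}   # toy decryptor ISA
NAMES = {name: code for code, name in OPCODES.items()}
ENCODE = {"xor": lambda b, k: b ^ k, "add": lambda b, k: (b + k) & 0xFF}
DECODE = {"xor": lambda b, k: b ^ k, "add": lambda b, k: (b - k) & 0xFF}
HEADER_END = 0x00   # terminator; keys and junk operands are drawn from 1..255


def protect(payload: bytes, rng: random.Random) -> bytes:
    """Wrap payload behind a freshly generated decryptor listing:
    [opcode, operand] * n, HEADER_END, encrypted payload."""
    steps = [(rng.choice(["xor", "add"]), rng.randrange(1, 256))
             for _ in range(rng.randint(1, 3))]
    body = bytes(payload)
    for op, key in steps:                       # encrypt in listed order
        body = bytes(ENCODE[op](b, key) for b in body)
    header = bytearray()
    for op, key in steps:
        if rng.random() < 0.5:                  # garbage the decryptor skips
            header += bytes([NAMES["junk"], rng.randrange(1, 256)])
        header += bytes([NAMES[op], key])
    header.append(HEADER_END)
    return bytes(header) + body


def unprotect(blob: bytes) -> bytes:
    """Read the decryptor listing and undo the real steps in reverse order."""
    steps, i = [], 0
    while blob[i] != HEADER_END:
        op, operand = OPCODES[blob[i]], blob[i + 1]
        if op != "junk":
            steps.append((op, operand))
        i += 2
    body = blob[i + 1:]
    for op, key in reversed(steps):
        body = bytes(DECODE[op](b, key) for b in body)
    return body


def decryptor_of(blob: bytes) -> bytes:
    """The variable part a signature scanner would have to match."""
    return blob[: blob.index(HEADER_END) + 1]


def heuristic_flags(blob: bytes) -> set:
    """Structure-based flags in the spirit of TbScan's '#' (decryption
    routine present) and 'G' (garbage instructions): they fire on what the
    code looks like, not on which tool produced it."""
    opcodes = decryptor_of(blob)[:-1][0::2]
    flags = set()
    if any(code in (NAMES["xor"], NAMES["add"]) for code in opcodes):
        flags.add("#")
    if NAMES["junk"] in opcodes:
        flags.add("G")
    return flags


def demo(payload: bytes = b"constructed sample payload", runs: int = 20) -> dict:
    """Protect the same payload `runs` times with different seeds."""
    blobs = [protect(payload, random.Random(seed)) for seed in range(runs)]
    return {
        "distinct_envelopes": len({hashlib.sha256(b).hexdigest() for b in blobs}),
        "distinct_decryptors": len({decryptor_of(b) for b in blobs}),
        "distinct_payloads": len({hashlib.sha256(unprotect(b)).hexdigest()
                                  for b in blobs}),
        "all_roundtrip": all(unprotect(b) == payload for b in blobs),
        "flags_seen": set().union(*(heuristic_flags(b) for b in blobs)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical consequence for anyone verifying a distribution like this
one is that integrity has to be checked on something stable: a checksum
published for the envelope as shipped, or the unwrapped program, rather
than a pattern over the decryptor, which is different in every build by
design.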