To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #151
--------
VIRUS-L Digest   Tuesday, 30 Nov 1993    Volume 6 : Issue 151

Today's Topics:

Bleeding edge & scanners?
Re: Liabilities
Article available (General)
general information on computer viruses
Re: Draft Swiss AntiVirus regulation
Re[2]: Liabilities
Percentage of virus that infect boot sectors
essex virus (PC)
Generic boot virus? (PC)
Re: VIRSTOP.EXE and 386max memory manager.... (PC)
Re: IBM pc's and viruses (PC)
Re: Stoned Dual-report with McAfee Scan (PC)
Wrapper Virus? (PC)
MS-DOS 6.2 is not a virus (it just acts that way) (PC)
Re[2]: Sorry I need more RAM Memory (PC)
Re SCAN memory requirements (PC)
False +ve: SCAN thought that VET was infected with Invisible Man (PC)
need help with possible virus (PC)
Re: Why should a scanner HAVE to open a file? (PC)
Re: Scanning below the DOS level (PC)
Virstop & Boot sector infectors (PC)
Re: Attention! False positives in SCAN 108 (PC)
Re: Scanning below the DOS level (PC)
F-PROT 2.10 now available (PC)
1.2 Getting Started (CVP)
Quick reference antiviral review chart
Administrative: Call for volunteers

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 22 Nov 93 09:48:50 -0500
From:    BRENNAN@hal.hahnemann.edu (A. Andrew Brennan)
Subject: Bleeding edge & scanners?

I've seen a recent rash of "Is this the newest version?" and "where else is this package available" messages on here ... Since it's beginning to look like a large number of anti-virus ppl are on the net (whatever gave me that idea? :^) - how about a possible solution to these that would keep the FAQs up-to-date, and the dates & CRCs for the most recent versions in "authorized" sites?

With c.virus being a moderated list (and I'm not complaining or offering to replace the moderator - I'm lucky to keep up with the messages as is) any time a new release is "announced," there's a bit of lag time between its actual release and the announcement circulating.

This morning I grabbed FP_210.zip (ftp://oak.oakland.edu/pub/msdos/virus/fp_210.zip) which has a Nov 21 (yesterday) date. Generally I don't worry about CRCs, secure archives - the whole shooting match. But - by the same factor - I am often a couple of weeks behind releases of F-Prot. I checked the newsgroup to see if there had been a release note - it hasn't come through yet. So - I'll probably end up sitting on this one until I see a note because I have no way to be sure that it's legit.

Perhaps it's just a minor point, but it might be an overall answer to some of the "most recent" questions if the AV people could keep verbose archive listings in their .plan files ... or have a dummy account with a listing in its .plan file. I suppose that this would be asking everyone to check the FAQ before asking "recent version" questions ... but we all do that already, don't we? :^)

andrew. (brennan@hal.hahnemann.edu)

------------------------------

Date:    Mon, 22 Nov 93 10:53:40 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Liabilities

Karl Tarhk (ktark@src4src.linet.org) writes:

> With all the respect this analogy is seriously flawed.

Most analogies are, including yours, as I will show below.

> Viruses are not living entities that can 'escape' unless helped by
> humans with secondary intentions.

While they are indeed not living organisms, they can very well "escape" against the will of the person who has them, if this person is not knowledgeable and/or not careful enough. I am certain that many readers of Virus-L/comp.virus can confirm that, based on their own experience. Heck, even I have once accidentally released a virus on my computer and the sucker succeeded to infect a lot of four files, before I figured out what's happening and was able to stop it.

> Viruses are just inanimated pieces
> of computer code.

That doesn't prevent them from spreading rather well.

> By attributing non existent powers to computer code
> using such analogies is a dangerous thing.

The main properties of computer viruses I was referring to were "spreading" and "causing damage". Is *this* what you are calling "non-existent properties"?

> If you take a couple of
> preventive measures no computer virus can escape like a 'tiger'.

If you take the proper preventive measures, you can prevent even a tiger from escaping. You have completely missed my point. My point was that *if* the tiger (or the virus) escapes and causes damage, then you are liable for it.

> Lets look at the following counter analogy:
> I am a gun manufacturer and inventor. Should I be held liable for the
> uses and misuses of such weapon, if I am not able to control who gets
> it and who does not? Absolutely, positively NOT!

Your analogy is flawed too. You are standing on US-centric positions.
The world is wide and there are many countries in which owning, buying, or selling a weapon *is* illegal, regardless of whether you misuse it or not. (Please, folks, it is not my intention to start a gun/anti-gun flamewar here. I just want to point out that just because something is allowed in your country, you should not assume that it is also allowed everywhere else in the world. Also, unlike guns, computer viruses *are* able to spread and to cross national boundaries.)

> The bottom of the line here is not whether to write viruses or not to
> write viruses but who gets them.

Nope. The bottom line is whether damage is caused. And spreading computer viruses *is* causing damage.

> And we all know that there is a few CARO virus collections floating
> around in the wrong places, so that should answer the question of who
> is responsible or who is not.

You all know? Then all your knowledge is wrong. :-) First of all, there is no such thing as a "CARO virus collection". It simply doesn't exist. Each CARO member is maintaining his own virus collection. Second, anybody can claim whatever they want (e.g. "I have the CARO virus collection", or "I wrote the K-4 virus", or "I know who killed JFK", or whatever). However, irresponsible claims tend to lower the reputation of the person who is making them.

> The point to be made is, that regardless of how careful anyone is
> distributing code, for each person the code given to, the
> possibilities that the code will end up in the wrong hands is
> increased at an exponential rate.

Yes, I would agree with the above. That's why, the more limited the circle of people who get malicious code is, the better. This is one of the reasons why I am opposed to the virus exchange BBSes. It is just irresponsible to distribute malicious code without any control whatsoever on who will get it and what it will be used for.

> >I don't think that virus creation should be forbidden per se. But I do
> >think that if a virus is found somewhere where it is unwanted, the
> >author of the virus should share the responsibility, even if he has
> >not introduced the virus into that system.

> By the same token, the manufacturers of firecrackers should be held
> liable when someone uses their product in a malicious way?
> NO!

If this "someone" manufactures firecrackers and distributes them to children, telling them "look how great it will be to put some fire on that building" - yes, such person should be held liable. Besides, there are many *useful* applications for firecrackers. I have yet to see *one* useful application of a computer virus (as most people understand it, not as Dr. Cohen understands it) that cannot be performed (often much better) by a non-viral program.

> You are assuming something that can NOT be proven: Computer viruses
> are inherently destructive.

Not quite. All I am saying is that the computer viruses as we have seen them -can- and -are- destructive. I don't think that anybody thinks otherwise. If you do, you are seriously fooling yourself. Whether computer viruses are inherently destructive in theory is a different question and I will be glad to do some research in this direction, but we are not talking about the theory now. We are talking about the viruses that exist *now* and that destroy data *now*.

> This is false; and, while a million of
> you will argue that a good use for a computer virus is yet to be
> found, there is yet to be proven that there isn't a good use for a
> computer virus.
> QED

You seem to have missed your lessons of formal logic. Maybe you should have paid more attention at school. We are not arguing that it is proven that there isn't a good use for a virus. We are just saying that none has been found yet and all the currently created ones are destructive - some of them intentionally, some of them not.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Mon, 22 Nov 93 11:18:38 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Article available (General)

Hello, everybody!

The November issue of "Virus News International" has published an excellent article - "A Reader's Guide to Reviews" by Sarah Tanner. It is a sarcastic set of rules that shows how to do incompetent reviewing of anti-virus products. Read it, you'll love it. Many of you will recognize several of those rules being actually used in published reviews... I am still laughing...

With the kind permission of Paul Robinson, the editor-in-chief of "Virus News International", I received the article in electronic form and made it available for anonymous ftp. Feel free to download and distribute it, provided that the appropriate credits are given to VNI. The full reference of the article on our anonymous ftp site is

ftp.informatik.uni-hamburg.de:/pub/virus/texts/revguide.zip

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Mon, 22 Nov 93 14:39:48 -0500
From:    U60780@UICVM.UIC.EDU
Subject: general information on computer viruses

We are computer illiterates at the University of Illinois at Chicago. We are doing a final assignment in our English class. Graduation is only three weeks away and we need help in order to get this assignment done on time.
We need some general information on computer viruses and their effect on computers today. Please reply asap as we only have three class periods to finish this somewhat impossible assignment.

------------------------------

Date:    Mon, 22 Nov 93 19:24:58 -0500
From:    datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Draft Swiss AntiVirus regulation

Fernando Bonsembiante wrote:

>Friday 05 November 1993, kevin marcus writes to All:
>
> km> I don't think that would be very funny.
>
> km> Have you ever heard of something called, "ethics" or "morals"? I don't
> km> think that there would, "be no difference".
>
> I'm speaking in legal terms. You can't write a law speaking of ethics or
>morals. As ethics and morals change from place to place, from time to time,
>and from person to person, we should have something very clear to
>differentiate between what is legal and what is not. So, if the law makes no
>difference between virus writing and anti virus writing (both activities need
>the knowledge, the analysis and the exchange of existing computer viruses),
>you can say that one is 'moral' and the other isn't, but you will go to jail
>anyway.
>

I have had the fortunate experience of not having taken any law classes, so this makes me seem much more like a "common sense citizen" - at least, that is how I think of myself. Why are there laws (in my country, at least), that say you can't take other people's property, or kill people? Maybe my... er, uh, religion, says this is okay. However, the rest of society doesn't think so. They think that would be unethical. So they make laws. Laws, in this country, are supposed to be made by the people, to protect the people, for the people. And, laws DO change. Can you say "repeal"? Yes, laws do need to be defined well, and that is why we have this stuff called voting in this country - so we pick people that we think will make laws which represent our thoughts. If they don't, then we get someone else that does agree with us.

> km> virus, and that to write a virus, no matter what you say it's for,
> km> you have malicious intent. The current idea is to label the definition
> km> of a virus as malignant programs, so that the intent can get ruled out.
> km> (IMHO)
>
> Ok, but we must take care in that definition. We must arrive to a clear
>definition to avoid future problems with the law. To quote a friend: what's
>the difference between a computer virus and Stacker or Double Space? An
>automatic compression program is changing our files without authorization.
>We could talk about 'implicit authorization'. I don't say it would be
>impossible to differentiate between a virus and a 'legal' program, but we must
>be very careful when writing the law. Think about that: if some person finds
>a commercial program that can be considered as 'malicious' according to the
>law's definition, perhaps something like Double Space or Pklite, that person
>may think that it would be great to sue Microsoft or Pkware and get some
>millions of dollars for free...

I am not going to get into the what is a virus definition here, but the user is clearly benefitting from the use of Stacker or Double Space. They want to have it. They think it's a useful piece of software. By them willingly installing the software on their computer, they are saying, "I authorize this program to work on my computer". Now, they don't have so much control over a virus, do they? I'm not talking about the scanty few which tell you they are infecting a file or what-not, but the general population of viruses - the 99% that don't do that.

- --
- -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
Computer Science, University of California, Riverside.
------------------------------

Date:    Mon, 22 Nov 93 22:40:55 -0500
From:    "Jimmy Kuo"
Subject: Re[2]: Liabilities

ktark@src4src.linet.org (Karl Tarhk) writes:
>Lets look at the following counter analogy:
>I am a gun manufacturer and inventor. Should I be held liable for the
>uses and misuses of such weapon, if I am not able to control who gets
>it and who does not? Absolutely, positively NOT!

Yes! If you are negligent. There are laws which will charge a parent with manslaughter if a child finds a gun that has not been properly secured and shoots someone.

And if you want to still use this analogy, if I buy a gun (a program) but the firing mechanism blows up in my face (trojan/viral code), yes the gun manufacturer is liable.

Someone asked me today what I thought of Nuke. My whole answer was "They don't understand the first amendment." I fully support the first amendment. But there's been a lot of case law which restricts its scope. Most Americans don't understand the first amendment. So Nuke is not unique.

Jimmy Kuo                      cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date:    Tue, 23 Nov 93 06:10:17 -0500
From:    David Hanson
Subject: Percentage of virus that infect boot sectors

While discussing anti-viral strategies with a user the other day, the subject of backups (naturally) came up. Of course, a good backup strategy should be your first line of defense against virus problems. I noted that use of a tape backup can be especially effective against boot sector viruses, as there is no boot sector on a tape to carry the infection into your backups (as opposed to a file infector).

My question is, what percentage of known viruses are boot sector infectors? What percentage of common (ie., "in the wild") viruses are boot sector?

Dave Hanson
"Objects in the mirror are closer than they appear."
------------------------------

Date:    Sat, 20 Nov 93 20:11:43 -0500
From:    mosier@moose.uvm.edu (Mike Osier)
Subject: essex virus (PC)

Recently, there have been a number of infections of the Essex Virus here on campus... I've searched far and wide for more information on this virus only to find nothing on the net... I've even gone so far as to check the documentation of Scan and Central Point AV, as well as write McAfee's support line on the net (which didn't know anything about it, although the program detected it)...

An individual within the department found a way to remove the virus from HD's, but I'm unsure if this will remove it from floppies also... it was in the following batch file:

FDISK /MBR
SYS C:

I know this works fine for the hard drive, but will it also work for infected floppies (of which I have several dozen to disinfect)... only a handful of the floppies are boot disks (therefore the "sys" command won't help out there)...

I would also appreciate any other information about the virus (ie actual location of infection and method of infection [besides boot rec virus, etc])...

please e-mail me at mosier@moose.uvm.edu as I do not subscribe to this list, as well as to save bandwidth...

Thanks in advance
Mike Osier

- ----------------------------------------------------------------------
Michael Osier           = mosier@moose.uvm.edu    = Og | It's these little things
                        = mosier@lemming.uvm.edu        | they can pull you under
Biochemical Science                                     | Live your life filled with
University of Vermont                                   | joy and wonder
ACS counselor                                           | -R.E.M.
- ----------------------------------------------------------------------

------------------------------

Date:    15 Nov 93 04:48:00 +0000
From:    syzhang@violet.ccit.arizona.edu (ZHANG, SHIYU)
Subject: Generic boot virus? (PC)

Hi, netters,

Have you ever heard of a General Boot virus called [Genb]? SCAN108 can detect it but can not remove it (using CLEAN108). I tried F-PROT but it could only tell me that this was "a possible new stone virus". How to get rid of it? Sure I know I can format the disks, but, you know...

Thanks.

Shiyu
syzhang@ccit.arizona.edu

------------------------------

Date:    Mon, 22 Nov 93 04:54:56 -0500
From:    oep@colargol.edb.tih.no (Oeyvind Pedersen)
Subject: Re: VIRSTOP.EXE and 386max memory manager.... (PC)

Min-Chin Hsiao (minchin@rumba.seas.upenn.edu) wrote:
: Hi everyone,
: What made me curious was why 6.01d handles it like a brisk but 7.0
: would not? I know that there might be some significant changes... but it
: really bugs me.... I might return the product unless someone can help me solve
: the problem.....
: Thanks very much in advance for any tips and advice you can give.

I believe this is a bug in 7.0, because Qualitas has released an upgrade of 7.0 to 7.1 (an EXE file called M700A.EXE). You will also have to load VIRSTOP before the 386MAX.SYS. I don't know if this M700A.EXE file is available publicly, but I guess you can contact Qualitas if not.

- - oep

------------------------------

Date:    Mon, 22 Nov 93 10:16:12 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: IBM pc's and viruses (PC)

David M. Chess (chess@watson.ibm.com) writes:

> To make a diskette that'll boot your machine with DOS, but with
> the reference partition visible, make a disk copy of a reference
> diskette (that is, a track-for-track copy), and replace the COMMAND.COM,
> IBMBIO.COM, and IBMDOS.COM on the copy with the same-named files
> from your favorite DOS machine. Then boot your Model 90 or
> whatever from that diskette; you *should* find yourself in DOS,

Hmm... From the above description, I get it that the code that tells the BIOS to "enable" the (normally hidden) reference partition is in the boot sector. The fact that it is possible at all via software, looks like a security hole to me. What would prevent a virus writer from implementing the same code in a, say, boot sector virus and make it infect the reference partition at boot time? And, as you said yourself, it is not trivial to disinfect it... What was the reason to introduce this reference partition at all?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Mon, 22 Nov 93 11:00:49 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Stoned Dual-report with McAfee Scan (PC)

THE GAR (GLWARNER@samford.bitnet) writes:

> Can anyone tell me why some machines would report being infected
> with STONED twice on a single scan? I'm running Scan 108, and
> when I scan some infected machines it reports that STONED has
> been found in the partition table, then scans a minute more,
> and reports the same thing again.

Hm... SCAN indeed can report more than one virus when only a single one is present. However, I am not aware of any cases when it reports Stoned twice. The duplicate reports for SCAN 108 and boot sector viruses from my collection are:

CARO virus name:   Viruses reported by SCAN 108:
================   =============================
BootEXE.452        BFD [BFD], Generic Boot [Genb]
Joshi.B            ExeBug1 [ExBg1], Generic Boot [Genb]

The duplicate (and even triplicate) reports happen much more often with file viruses. This is a bug reported to McAfee Associates more than half a year ago, yet it has never been fixed. If there is enough interest, I can post the full list of multiple reports for file viruses.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date:    Mon, 22 Nov 93 11:18:59 -0500
From:    Brian.Garrett@nrl.navy.mil (Brian S. Garrett)
Subject: Wrapper Virus? (PC)

IBM AntiVirus/DOS, Version 1.03 has reported the following message on my machine.

The following are probably infected:
  C:\BYTE\T.EXE          Wrapper
  C:\BYTE\TIMESET.COM    Wrapper
  C:\BYTE\TSREGSTR.COM   Wrapper
  C:\NORMAN\AD.EXE       (A) V516

I have scanned using F-Prot v2.09f as well as Scan 9.20v109. Neither of these programs identify these files as being suspect. I have also looked for information using VSUM and can find no information on the Wrapper virus. Can someone provide me information on the wrapper virus? Is this just a false positive?

Thanks.

Brian S. Garrett
ADP Security
Naval Research Laboratory
Washington, DC
email: Brian.Garrett@nrl.navy.mil

------------------------------

Date:    Mon, 22 Nov 93 14:22:35 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: MS-DOS 6.2 is not a virus (it just acts that way) (PC)

Downloaded the upgrade for MS-DOS 6.2 from the MS bulletin board. Curiously enough the README states that the files are not to be posted on BBSs (right) and installed on my test machine. A few caveats:

1) Between the Del_Old_Dos.1 and the STEPUP directory (which must be on C if you use the defaults) and the new files, make sure you have at least 6-7 Mb free before you start. I saw no check for this.

2) Machine seemed to hang for a very long time at about the 81% mark (5% note in lower right of screen). At this point the new IO.SYS and MS-DOS.SYS files have been copied but the new COMMAND.COM is not yet present. If you abort here, I suspect the PC will not boot properly. Eventually it does continue but that particular sequence is very slow.

3) The installation found *something* wrong with mode.com and memmaker.exe & refused to update them (told the setup to continue anyway & would suggest this - see last two sentences in (2)). (Both were originals dated 3-10-93)

4) If you have downloaded the "supplemental" files for DOS 6.0, these are not included and will probably whine "incorrect version". Skilled use of Ben Castricum's UNP (UNP312.zip) plus DEBUG (look for the string 30 cd 21 and change the CMP AX,0006 that follows closely to CMP AX,1406) "fixed" this without using SETVER (no guarantees at all 8*). Curiously while most DOS programs use Packed files, CHKDSK used PKLITE. The very annoying disclaimer about using SCANDISK instead can also be removed with DEBUG.

5) The NOVELL NETX332.EXE for MS-DOS 6.0 had the same problem - not liking the 6.20 version number. I just do not like SETVER - Note: of the multi-screen default SETVER load, NONE of the entries were what I use.

6) HIMEM.SYS now has a lengthy (10+ seconds on 286 with 4 Mb extended) check of extended memory but at least it tells you what it is doing.

7) As previously mentioned, no update to MSAV appeared to be performed (files still dated 3-10-93)

8) Like on a full installation, DELOLDOS will remove the "old" DOS directory but does not remove the STEPUP directory - you'll have to do that manually.

9) Do not use DBLSPACE on this machine so have not tried as yet. SCANDISK is nice but take a coffee break.

Warmly,
Padgett

------------------------------

Date:    Mon, 22 Nov 93 21:43:52 -0500
From:    "Jimmy Kuo"
Subject: Re[2]: Sorry I need more RAM Memory (PC)

Bryan Bross wrote:
>Ng Bee Yong (byng@solomon.technet.sg) wrote:
>: Has anyone encounter the following error message from SCAN?
>:   Sorry, I need more RAM memory
>:   390 kbytes should be enough
>: Is it some kind of bug in SCAN? I am quite sure I have more than 500 kbytes
>: of conventional memory before running SCAN. It happened when I scanned some
>: standalone machines, and also when I tried to scan the network.
>: Anyone knows the problem please enlighten me. Thks.
>: The error occurs sometimes before checking of RAM for viruses, sometimes in
>: the midst of scanning some files.
>I had that problem for a while and it bugged me as well. I was running
>386MAX v7.0 & VSAFE.exe from Norton. I didn't know which one of these was
>causing the problem at the time, but now I am pretty sure it was vsafe.
>Get rid of that piece of trash software, and use fprot's virstop or
>something. I have not had any problems since I terminated vsafe, although
>I am not running 386MAX right now either. Good Luck!

Everyone deserves to be blasted sometime. But this is not our time. VSAFE is *not* a Norton product! VSAFE is from Central Point and all you have to do is listen to Vesselin regarding CPAV.

Jimmy Kuo                      cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date:    Tue, 23 Nov 93 01:29:45 -0500
From:    "Roger Riordan"
Subject: Re SCAN memory requirements (PC)

Ng Bee Yong (byng@solomon.technet.sg) wrote:
: Has anyone encounter the following error message from SCAN?
:   Sorry, I need more RAM memory
:   390 kbytes should be enough
: Is it some kind of bug in SCAN? I am quite sure I have more than 500 kbytes
: of conventional memory before running SCAN. It happened when I scanned some
: standalone machines, and also when I tried to scan the network.

Several people have written suggesting that this may be a bug in some versions of Scan, or an interaction with other software. However we also encountered the message, and have established that it is not a bug, but a normal feature of both Scan108 and Scan109 (Yes; the McAfee version, not the one with the new Ignorant virus, which I am told is widely available on Aussie BBS's).

Have just done some tests with the help of a TSR called Grab, which does just that - it grabs a chunk of memory and sits on it, but does nothing else. Here is what we found with Scan109:

Available memory   Result
393K               Appeared to run normally till I scanned a dirty directory. On one
                   pass it just stopped after maybe 200 files with no message. On the
                   next it checked almost 400 files, then gave the message "Sorry, I
                   need more RAM memory. 390K bytes should be enough."
381K               Announced "Scanning boot sector of drive E:", then gave the message
                   and stopped
360K               Message immediately after "Scan 9.20V109 Copyright ..."
280K               Immediately got message "Abnormal program termination."

Incidentally Scan109 has almost established another milestone; it takes 9M 40 sec to scan a nearly full 360K floppy on an XT!

By comparison VET 7.5 will do a normal scan, with no limitations whatever, if there is 260K available, and will do a partial scan (which will detect the 200 odd viruses which are at all common, and automatically repair infected files and boot sectors) if there is 140K available. Oh, and it checks the floppy on the XT in 21 secs.

Cheers!

Roger Riordan                   Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd.                  Tel: +613 521 0655
PO Box 205, Hampton Vic 3188    AUSTRALIA          Fax: +613 521 0727

------------------------------

Date:    Tue, 23 Nov 93 05:16:20 -0500
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: False +ve: SCAN thought that VET was infected with Invisible Man (PC)

"S.Manifould" wrote to pc-cluster-ops@umist.ac.uk on 22 Nov 93 16:35:52 GMT (Subject: virus hoax), and it was forwarded to me:

  Everyone,

  Just a quick note to tell you all about a virus problem I thought I had today (Mon 22 Nov)

  A student had left me a message that "All the 386 and 486's have been infected with the Invisible Man virus [IMF]". He had run the latest version of McAfee scan (9.19 V108) on the machines and it had reported the infection. However Vet 7.4 did not report any infection.

  Upon investigation it appears that VET_RES was causing the McAfee scan to report an infection. ie once VET_RES was removed from memory the McAfee scan didn't find anything.

  Cheers,
  Steve M.
------------------------------

Date: Tue, 23 Nov 93 05:19:49 -0500
From: kbruce@oasys.dt.navy.mil (Ken Bruce)
Subject: need help with possible virus (PC)

Greetings all,

I have had a strange occurrence happen to a new PC that I am setting up in a classroom. The PC came with Windows and DOS 6.0. Another group at my work has set up NCSA 2.3 for TCP/IP operation, and I was setting up our Novell access software. While editing one of the batch commands, MFE (my favorite editor) had experienced one of the keys to change. Specifically, the escape key began to print one of the upper ASCII characters; I am not sure what the ASCII number is. However, I couldn't do anything like save or abort; all I could do was reboot the PC.

The PC rebooted OK and I could still access the TCP/IP and Novell hosts OK. But when I try to go in to Windows, it fails. So I run my favorite file manager, XTgold, and I see a strange file in the Windows directory. The file name begins with the strange character that my escape key turned into, then the music symbol, then press.ent (**press.ent). This file has read-only and system attributes.

I ran Norton Disk Doctor, which showed my FAT was hosed up, then promptly locked up. I can't exactly remember what the NDD message was. I ran CHKDSK, which showed about 1100 cross-linked files. One of the files that is hosed is msdos.sys.

My question is obviously: have I experienced a virus, if so which one, and how do I clean it? The machine still boots up; however, I can't get rid of **press.ent and when I run XTgold, it shows subdirectories with the music symbol.

I humbly await your advice.

|-----------------------------------------------------------------------------|
| kbruce@oasys.dt.navy.mil        | Opinions expressed herein are not those   |
| Ken Bruce                       | of my employer. They are not even mine.   |
| David Taylor Model Basin        | The devil made me do it.                  |
| Code 3581 Customer Support      |                                           |
| (301) 227-4030 Autovon 287-4030 | Chairman of the Bored.                    |
|-----------------------------------------------------------------------------|

------------------------------

Date: Tue, 23 Nov 93 07:50:18 -0500
From: Eric_N._Florack.cru-mc@xerox.com
Subject: Re: Why should a scanner HAVE to open a file? (PC)

>>>I would think that this is not altogether correct, though I'd have to do some
>work on it. In theory, DIR and FAT info should tell you where a file starts,
>and you should also be able to use that information, and mathematics, to move to
>a particular offset, to look for your string. I grant you, this would be
>slow.... at least slower than opening the files.

Well, how do you suppose DOS manages its filing system? If well-written, code to give read-only access to a DOS drive without using DOS is likely to be much *faster* than DOS. There's a lot less work to be done, and much less housekeeping -- no writes to worry about, for a start.<<

Well, his point was that if I were to try and trace (in reverse) the ownership of each sector, it would result in a slower scan.... and he's correct. However what he (and you, apparently) does not know is that my design (on paper) does not intend to do that. The only time the scanner I'm designing would bother to look up the ownership of the file is when it finds a string matching one in the virus table. The reason for this design is that you are also correct; scanning without going through DOS has the potential for going FASTER (with certain provisos, of course) and, as suggested, also will not infect as it goes.

>>Sure, it would be incompatible with all the not-straight-DOS implementations of DOS drives around (emulators, compressed drives, networks...). So, in those cases, use the regular DOS calls to talk to the filing system.<<

Note my earlier response on being limited to standard solutions to non-standard problems, because of weird iron.
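The design Eric describes, reading raw sectors and resolving which file owns a sector only when a pattern matches, worked through on a constructed FAT12 floppy image. This is an added example, not his code or any product's; the file names, their contents and the scanned byte pattern are all placeholders built inside the script.

```python
"""Sector-level scan that resolves a sector's owning file only on a hit.

Added example for the design Eric Florack describes above; it is not his
code or any product's. It builds a tiny FAT12 floppy image in memory, so
the file names, contents and the scanned byte pattern are all constructed.
"""
import struct

# Geometry of the constructed image: 16 sectors of 512 bytes, 1 sector per
# cluster, 1 reserved sector, two 1-sector FATs, a 1-sector root directory.
BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL, FATSZ = 512, 1, 1, 2, 16, 16, 1
ROOT_SECTORS = ROOT_ENTRIES * 32 // BPS              # 1
DATA_START = RESERVED + NFATS * FATSZ + ROOT_SECTORS  # first data sector (4)
DIRENT = "<11sB10sHHHI"          # name, attr, reserved, time, date, first cluster, size
PATTERN = b"\xb8\x01\x02\xcd\x13\xeb\xfe"  # constructed search string, not a real virus


def fat12_get(fat, n):
    """Read 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    v = fat[off] | (fat[off + 1] << 8)
    return v & 0xFFF if n % 2 == 0 else v >> 4


def fat12_set(fat, n, val):
    """Write 12-bit FAT entry n without disturbing its packed neighbour."""
    off = n + n // 2
    v = fat[off] | (fat[off + 1] << 8)
    v = (v & 0xF000) | (val & 0xFFF) if n % 2 == 0 else (v & 0x000F) | ((val & 0xFFF) << 4)
    fat[off], fat[off + 1] = v & 0xFF, v >> 8


def build_image():
    """Constructed FAT12 image with two files; PATTERN sits in TOOL.COM's second cluster."""
    img = bytearray(TOTAL * BPS)
    img[0:3] = b"\xeb\x3c\x90"
    struct.pack_into("<HBHBHHBH", img, 11, BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL, 0xF0, FATSZ)
    img[510:512] = b"\x55\xaa"
    fat = bytearray(FATSZ * BPS)
    fat[0:3] = b"\xf0\xff\xff"  # media descriptor and reserved entries 0 and 1
    files = [("README  TXT", [b"hello " * 40, b"world " * 40]),
             ("TOOL    COM", [b"\xb4\x09\xcd\x21" * 50, b"\x90" * 40 + PATTERN])]
    root, next_cluster = bytearray(), 2
    for name, chunks in files:
        first = next_cluster
        for i, chunk in enumerate(chunks):
            sector = DATA_START + (next_cluster - 2)
            img[sector * BPS:sector * BPS + len(chunk)] = chunk
            fat12_set(fat, next_cluster, next_cluster + 1 if i + 1 < len(chunks) else 0xFFF)
            next_cluster += 1
        root += struct.pack(DIRENT, name.encode(), 0x20, b"\0" * 10, 0, 0, first, sum(map(len, chunks)))
    for k in range(NFATS):
        img[(RESERVED + k * FATSZ) * BPS:(RESERVED + (k + 1) * FATSZ) * BPS] = fat
    root_off = (RESERVED + NFATS * FATSZ) * BPS
    img[root_off:root_off + len(root)] = root
    return bytes(img)


def chain(fat, first):
    """Follow a FAT12 cluster chain until an end-of-chain marker (>= 0xFF8)."""
    out, c = [], first
    while 2 <= c < 0xFF8:
        out.append(c)
        c = fat12_get(fat, c)
    return out


def owner_of(img, sector):
    """Walk the root directory (subdirectories are left out here) to find who owns `sector`."""
    fat = img[RESERVED * BPS:(RESERVED + FATSZ) * BPS]
    root_off = (RESERVED + NFATS * FATSZ) * BPS
    for i in range(ROOT_ENTRIES):
        name, _, _, _, _, first, _ = struct.unpack_from(DIRENT, img, root_off + 32 * i)
        if name[0] == 0x00:
            break            # end of directory
        if name[0] == 0xE5:
            continue         # deleted entry
        if any(DATA_START + (c - 2) == sector for c in chain(fat, first)):
            return name[:8].decode().rstrip() + "." + name[8:].decode().rstrip()
    return "<unallocated>"


def scan_image(img):
    """Read every sector directly (no file opens); map only matching sectors back to files.
    A pattern straddling two sectors is not found by this per-sector check."""
    return [(s, owner_of(img, s)) for s in range(TOTAL) if PATTERN in img[s * BPS:(s + 1) * BPS]]


if __name__ == "__main__":
    for sector, owner in scan_image(build_image()):
        print(f"pattern in sector {sector}, owned by {owner}")
```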
------------------------------

Date: Tue, 23 Nov 93 09:49:58 -0500
From: hstroem@ed.unit.no
Subject: Re: Scanning below the DOS level (PC)

David_Conrad@MTS.cc.Wayne.edu writes:

> But one major reason for not scanning at the sector level, the most
> important reason IMNSHO, hasn't been mentioned. Any scanner which did
> this would lose compatibility with future DOS versions, or with other
> environments (OS/2, Windows NT, UN*X DOS boxen) which emulate DOS. A
> program which opens and reads a file via handles and standard calls will
> be able to do so under DOS 8.21, even if it uses something like HPFS.
> Any program which tries to redo DOS will get hopelessly confused and fail,
> I hope gracefully, at worst it may fail catastrophically.

> Of course, someone might reply that scanners are updated so frequently
> that a new update would follow close on the heels of any major change in
> the DOS filesystem, and a scanner could check the DOS version (but what of
> SETVER?)

There is no need to check for the DOS version. A program working at sector level would most likely not work very well with OS/2 and Windows NT, since the low-level support on these platforms is not sufficient to do "safe" sector reading the same way you do in DOS. A different program would be needed for running under OS/2 and Windows NT.

But talking about future DOS compatibility is something else. The type of filesystem (FAT/HPFS/NTFS/etc.) is described in a one-byte field in the partition table (contained in the HD's first sector). And as long as your program is able to read at sector level, it should have no problems finding out what kind of file system it is dealing with, and using different routines for the different file systems. To handle the low levels of HPFS and NTFS may not be as easy as handling the FAT filesystem, so programs like TBScan might have to tell the user that only FAT partitions may be scanned in a low-level manner.
Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Tue, 23 Nov 93 09:53:39 -0500
From: Fabio Esquivel
Subject: Virstop & Boot sector infectors (PC)

Hi gangs.

I always supposed that Virstop.EXE from the F-Prot package was capable of detecting diskettes infected with a boot sector virus, even a simple one: Stoned. VShield shows a message when I issue a DIR command over an infected disk, but Virstop does not say anything. F-Prot.EXE identifies it correctly. Is this a bug? Or a feature (just because boot sector viruses do not get active when a DIR command is issued)?

To Vesselin: Regarding the question about Frisk's name on viruses... Check the description of Billboard 1.0 virus on VsumX310.

DATA SEGMENT PARA PUBLIC
name     DB 'Fabio Esquivel'             ; C:\> dir a:
bitnet   DB 'fesquive@ucrvm2.bitnet'     ; Virus found in drive A:
internet DB 'fesquive@ucrvm2.ucr.ac.cr'  ; Install, Kill, Panic?_
DATA ENDS

------------------------------

Date: Tue, 23 Nov 93 09:57:26 -0500
From: hstroem@ed.unit.no
Subject: Re: Attention! False positives in SCAN 108 (PC)

Vesselin writes,

> 2) SCAN 108 reports the file HS.COM from the archive hs32.zip as
> containing the "TridenT [TridenT] Virus".

> In our particular example, the program HS.COM is encrypted and
> decrypts itself at runtime.

Correction; HS.COM and HS.SYS decrypt their DATA AREAS at runtime.

> Possible solutions.
> a) Inform the author of HS and ask him to use a different decryption
> routine.

I've already fixed the problem. HS is currently at v3.5 and the decryption routine has been changed to avoid false positives from SCAN 106-109. HS v3.5 (or 3.6) will probably be available on the Internet before Christmas.
I just want to verify that the new Int_10 MBR infector doesn't trick v3.5 before I release it ;-)

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Tue, 23 Nov 93 10:19:14 -0500
From: hstroem@ed.unit.no
Subject: Re: Scanning below the DOS level (PC)

Vesselin writes:

>> All this, to get past stealth viruses.

>And even without a guarantee to succeed. Virus like Dir_II or Int13
>will be still able to stealth the infection from the scanner.

If you take the trouble to handle the low levels of the FAT filesystem, you must of course also take the trouble to handle sector reading and writing in a similarly "secure" manner. This would be accomplished by calling the ROM BIOS handler for INT 13h directly, or by writing to the ports of the hard disk controller (good luck :-0). It will make things even more complicated, but it is nothing the average antivirus programmer can't handle (right? :-)).

Henrik Stroem
Stroem System Soft

------------------------------

Date: Sun, 21 Nov 93 11:03:01 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.10 now available (PC)

I just uploaded F-PROT anti-virus, version 2.10 to my primary distribution site (oak.oakland.edu), and to garbo.uwasa.fi as well. The file should be available for download on Monday, November 22nd.

This new version adds detection and identification (and in most cases disinfection) of a record number of new viruses - over 500 new ones since version 2.09f was released two months ago.

-----------------------------------------------------------------------------
From the NEW.210 file:

Version 2.10 - major changes:

We have re-designed the method F-PROT deals with new variants of known viruses. Previously it would always refuse to disinfect a virus, even if it was only slightly different from a variant it recognized. Now it will attempt to determine if the new variant is sufficiently similar to a known variant to attempt disinfection, using the same method as for the known one.
We still would like to ask F-PROT users to send us samples of all viruses that are reported as new, modified or unknown variants.

Version 2.10 - the following problems were found and corrected:

2.09 occasionally missed samples of the Tremor and Phoenix.2000 viruses - fixed now.

When disinfecting certain viruses, such as Jerusalem from .COM files, F-PROT would not retain the date/time of the file, but instead set it to the current date/time. Fixed.

If F-PROT was run twice in a row from interactive mode, and found some viruses on the first pass, it would occasionally claim the MBR was infected on the second pass.

F-PROT would only search for user-defined patterns in boot sectors in "Quick" mode, not in "Secure" - it should have been the other way around.

Version 2.09 could not reliably disinfect the "Monkey.B" virus - it was handled correctly on 360K diskettes, but just reported as new or modified variant of Stoned otherwise.

Version 2.10 - minor improvements and changes:

We have significantly increased the use of "exact" identification of viruses, where F-PROT uses a 32-bit checksum to distinguish between very similar variants. This is one of the explanations for the extremely large number of new variants listed below.

Version 2.10 - new viruses:

The following 58 viruses are now identified, but can not be removed as they overwrite or destroy infected files. Some of them were detected by earlier versions of F-PROT, but only reported as "New or modified variant of..."

Abraxas (1171 and 1200)
Atomic.480
Burger (405.B and 8 "no-name" 560 byte variants)
Civil War.444
Knight
Leprosy (350, 647 and Clinton)
Milan.WWT.67.C
Naught (712 and 865)
Proto-T.Flagyll.371
SillyOR (60, 66, 68, 69, 74, 76, 77, 88, 94, 97, 98, 99, 101, 102, 107, 109 and 112)
Tack (411 and 477)
Trivial (26.B, 27, 28, 29, 30.D, 30.E, 40.D, 40.E, 40.F, 42.C, 42.D, 43, 44.D, 45.D, and 102)
VCL.527
Viruz
ZigZag

The following 448 new viruses can now be detected and removed.
Some of these viruses were detected by earlier versions, but are now identified accurately. 3y 4-days 4res _127 _130 _132 _205 _330 _409 _524 _584 _593 _655 _1417 _1536 _2878 Abbas Alabama.C Ambulance.E Andro Andromeda Arcv.companion Armagedon.1079.D Atomic (Toxic, 166, 350 and 831) Attention.C Aurea Australian Parasite.272 BadSector Best Wishes (1024.C and 1024.D) Black Jec (284, 323 and 235) Black Monday (1055.E, 1055.F, 1055.G and 1055.H) BloodRage Bootexe Bubonic Bupt.1279 Cascade (691, 1701.G, 1701.H, 1701.J, 1701.K, 1701.L, 1704.L, 1704.N, 1704.O and 1704.P) Checksum.1253 Chris Civil War III Clonewar (238, 546, 923.A and 923.B) Cobra Coib Comasp.633 Coffeshop.1568 Cybercide.2299 Cybertech (501 and 503) Danish Tiny (163 and Kennedy.B) Dark Apocalypse Dark Avenger (1800.F, 1800.G, 1800.H, 1800.I, 1800.Rabid.B, 2000.Copy.C, 2000.DieYoung.B, 2100.DI.B, Jericho and Uriel) Dashel DataCrime (1168.B and 1280.B) DataLock (920.K1150 and 1740) Dbase.E Dejmi Destructor.B Devil's Dance (C and D) Digger.600 Dos 7 (342, 376 and 419) Dosver Doteater (C, D and E) Dracula Du Dy Dzino Finnish.709.C Friday the 13th (540.C and 540.D) Frodo (F, G and H) Fumble.E Gemand Genc (502 and 1000) Goga Golgi (465 and 820) Granada Grog (Lor, 990 and 1641) Guppy.D Halloechen (B and C) Hates Headcrash.B Helloween (1227, 1384, 1447, 1839, 1888 and 2470) Hi.895 Hidenowt HLLC (Even Beeper.C and Even Beeper.D) Infector (759 and 822.B) Intruder.1317 Italian Boy IVP (540, Bubbles, Math, Silo and Wild Thing) Jackal Japanese_Christmas.600.E Jerusalem (664,1960,1829.Anarkia, 2223, Anticad.2900.Plastique.B, Anticad.2900.Plastique.C, Anticad.2900.Plastique.D, AntiCad.3012.C, AntiCad.3012.D, Fu Manchu.D, Sunday.G, Sunday.H, Sunday.I, Sunday.J, 1765, Groen Links.D, PSQR.B, Solano.Syslexia.B, Solano.Subliminal.B, Westwood.B and 31 "no-name" insignificant 1808 byte variants) Jest K-4 (687 and 737) Kemerovo.257.E Keypress (1215, 1232.D, 1232.E, 1232.G, 1232.H, 1232.I and 2728) Kernel Lapse (323, 366 and 375) 
Leningrad II Literak Little Girl.985 Lockjaw (808 and Black Knight) Lock-up Loki.1234 Lyceum.930 M_jmp (122, 126 and 128) Magician Manuel (777, 814, 840, 858, 876, 937, 995, 1155 and 1388) Matura.1626 Mel Merry Christmas MG (2.D and 3.C) Mgtu (269, 273.B and 273.C) Minimite Mirror.B MPS-OPC II.754 Mr. G.314 Mshark.378 Multi.B Murphy (1277.B and Woodstock) Mutator (307 and 459) Never Mind Nina (B and C) No Bock.B No Frills.835 November 17th (690, 800.A and 800.B) Npox (955, 1482, 1722 and 1723) Nygus (163, 227 and 295) Nympho OK Oropax (B and C) Osiris Override Parity.B Particle Man PC-Flu Phx Pit Pixel (277.B, 300, 343, 846, 847.Advert.B, 847.Advert.C and 847.Near_End.B) Pojer.1935 (only COM files - EXE files are not infected properly, the virus code is only appended) PS-MPC (331, 349, 420, 438, 478, 481, 513, 547, 564, 574, 578, 597, 615, 616, 1341, 2010, Alien.571, Alien.625, Arcv-9.745, Arcv-10, Deranged, Dos3, Ecu, Flex, Geschenk, Grease, Iron Hoof.459, Iron Hoof.462, Napolean, Nirvana, Nuke5, Page, Shiny, Skeleton, Soolution, Sorlec4, Sorlec5, Soup, T-rex, Toast, Toys and McWhale.1022) Quadratic.1283 Radyum (698 and 707) Rape (2777.A and 2877.B) Rasek (1489, 1490 and 1492) Red Diavolyata (830.B and 830.C) Retribution Ripper Russian_Mirror.B Sata.612 Saturday 14th.B Satyricon Screaming Fist.I.683 Shake.B Shanghai SI-492.C SillyC (208 and 215) Sistor (1149 and 3009) Skew.445 Slub Smoka Sofia-Term (837 and 887) Stardot.789.C Sterculius Spring Stimp Storm (1172 and 1218) Stupid.Sadam.Queit.B Sundevil Svc (1689.B, 1689.C and 3103.D) Sybille Sylvia (1321 and 1332.E) Syslock (Syslock.C and Syslock.D) Taiwan (708.B, 743.B and 752.B Testvirus-B (B and C) Thirty-three Tic.97 Timid.302 Tomato Totoro Traveler Jack (854, 979, 980 and 982) Unexe Uruk Hai.427 Ussr-707.B Vacsina (634,TP.5.B and TP.16.B) Vbasic.D VCL (506, 507, 604, 951, Anti-Gif, ByeBye, Earthquake, Paranoramia, Poisoning, VF93, VPT and Ziploc) VFSI.B Vienna (566, 623.B, 627.B, 644.C, 648.J, 648.K, 648.O, 
648.Reboot.B, 648.Reboot.C, 648.Reboot.D, 648.Q, 648.R, 648.S, 648.X, 758, Choinka.B, Choinka.C, W-13.534.H, W-13.534.I, W-13.534.J, 648.Abacus, Bush and IWG) Virdem (1336.Bustard.A, 1336.Bustard.B and 1336.Cheater) Wilbur (B and D) Wildy Willow.2013 Wisconsin.B Wolfman.B Wvar Xph (1029 and 1100) Xtac Yankee Doodle.Login.2967 Year 1992.B Youth.640.B

The following 71 new viruses can now be detected but not yet removed.

_1403 _1798 Arcv (916, Friends.839, Jo.911, Scroll and Slime) Arusiek.817.B Atas II.1268 Barrotes.1303 Bobo Calc Civil War.552 Close Darkray Digger (1000 and 1512) Dir-II (G, J and L) Du Dwi Error Inc Fairz Honey Inoc IVP (Mandela and Swank) Jerusalem.Zerotime.Australian.B Little Red Malmsey.806 Marzia Mayak Mr D (A and B) Multichild.110 Mutator.780 Mystic Necro-fear November 17th.1007 Number of the Beast (B.2 and E.2) Phalcon.Emo Predator (1072, 1137, 1148, 1195 and 2448) Proto-T.1053 Rape.1885 S-bug.Fruit-Fly Sarov Screaming Fist (II.650, II.652 and II.724) Screen+1.1654 Seat Serene Shoo (2803 and 2824) Skater (699, 977 and 1021) Soupy (1001 and 1072) Student Suriv 1. Xuxa.1405 SVC.2936 Svm Velvet Yankee Doodle.2189 Zherkov.2435

The following 3 viruses which were detected by earlier versions can now be removed.

HLL (3680 and Antiline) Loren

------------------------------

Date: Sat, 20 Nov 93 18:10:22 -0500
From: "Rob Slade"
Subject: 1.2 Getting Started (CVP)

BEGPAN4.CVP   931015

1.2 - Getting Started

You likely have more resources than you realize. First of all, your own observations. If you can keep cool, and not panic, you can probably note and recall more than you think. Don't consider this as a potential loss of your accounts receivable, look at it as a detective story. Look for the clues.

Get some paper and a writing implement. (Pen, pencil, sharp piece of coal: in this situation, who's fussy?) You will want to be as accurate and detailed as possible.
Most crimes aren't solved by "Elementary, my dear Watson," cerebrations, but by "Just the facts, ma'am," deliberations. Start writing now. What type of computer is it? What operating system? What version of the operating system? What happened? (In detail.)

Now start to inventory your resources. First, you want anything that can tell you about this machine. Do you have invoices with details of the machine such as the operating system and version? Invoices for the software? Was a file created for this machine? Have you got a file listing from the last time anything was added to it? What *was* the last thing added to it? Have you got a file listing from when it was first set up? Have you got a recent backup? (You do? Fortunate mortal!)

Next, look for software that can tell you things about the present state of the machine. You do have some. There is a fair amount the operating system itself can tell you. How much disk space is left? Has that changed a lot? Memory is a *very* important factor. The Mac system info will tell you what programs are using how much memory. The MS-DOS CHKDSK program will tell you not only about the disk space and other interesting things, but also about the "total memory," which can sometimes pinpoint specific viral programs. If you have MS-DOS 5 or higher, MEM/C can give you a *lot* of information. Even if you can't use it, people you call on for help might be able to.

Do you have utility or disk tool programs? These can also give you valuable information. Both commercial and shareware utilities can help here.

If the computer is still working reasonably well, look at the memory statistics. Look at the files. Are there a lot of hidden files? Are there a lot of new files? Are there a lot of files with very close "creation dates"? Look at the disk boot sector, and the master boot record. There should be some common system messages there. If you don't see them, or see some odd messages, that's an indication, too. Are you writing all this down?
Or, if the printer is still working, printing the screen to save all the data? (Starting to feel less panicked? Yes, you usually feel better when you have something to do.)

copyright Robert M. Slade, 1993   BEGPAN4.CVP   931015
Permission granted to distribute with unedited copies of the Digest

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
DECUS Symposium '94, Vancouver, BC, Mar 1-3, 1994, contact: rulag@decus.ca

------------------------------

Date: Sat, 20 Nov 93 18:17:19 -0500
From: "Rob Slade"
Subject: Quick reference antiviral review chart

QUICKREF.RVW   931114

Quick reference antiviral review chart

This listing is intended to give a quick overview guide to the comparative features and effectiveness of the many different antiviral products. If the version numbers are out of date, please send updated copies for review to Rob Slade at the address given at the end of this list.

Product                   Ver     Type    UI  Doc Ease Ovrl Price  Comments
                                  SDRIMOE CG  1-4 I U  1-4

Amiga
BootX (discontinued)      5.23    SDRM G free amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu /mirrors2/amiga.physik.unizh.ch/util/virus
Computer Virus Cat.       9308    info 4 4 Free CARO, cert
LDV                       1.73
VirusChecker              6.26    free amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu
VirusX (outdated?)                s.tibbett on BIX
VirusZ                    3.06
Virus Tracker             2.45
ZeroVirus

Atari
Chasseur II                       D ATCHSSR2.RVW atari.archive.umich.edu
FCHECK                    25      I ATFCHECK.RVW atari.archive.umich.edu
Protect6                          DR ATPROTCT.RVW atari.archive.umich.edu or larserio@ifi.uio.no
Sagrotan                  4.12    S ATSAGRTN.RVW atari.archive.umich.edu
VIRUSDIE                          S ATVIRDIE.RVW atari.archive.umich.edu
Computer Virus Cat.       9308    info 4 4 Free CARO, cert
VKILLER                   3.84    SD ATVKILLR.RVW woodside@ttidca.com or atari.archive.umich.edu /atari/Utilities/Virus

Mac
Advanced Security         (see MS-DOS)
Computer Virus Cat.       9308    info 4 4 Free CARO, cert
Disinfectant              3.3     SDR Free nwu, sumex-aim.stanford.edu, mac.archive.umich.edu
Gatekeeper                1.2.9   R MO Free Chris Johnson
Rival                             Microseeds Publishing
SAM                       3.0.8   SD M $99 Symantec/Norton
Virex                     4.1     (see MS-DOS, product not by same author)
VirusDetective            5.10.5  Jeff Shulman

MS-DOS
Advanced Security                 I OE C 2 2 3 1 PCADVGRV.RVW Advanced Gravis (no longer supported)
AntiViral ToolKit         1.07B   S IM $20 CARO, eugene@kamis.msk.su
Antivirus (IRIS)                  SDR M C 2 2 4 2 $49 PCANTIVR.RVW Fink Enterprises
Antivirus-Plus                    SDR M C 2 2 4 2 $99 PCANTIVP.RVW Trend Micro
Anti-Virus Toolkit        6.0?    SDRIMO CG 3 2 3 4 PCDSAVT.RVW S&S International Ltd., sands@cix.compulink.co.uk, perComp Verlag, Ontrack
Central Point Anti-virus          SDRI O G 3 2 2 2 not coexist with others Central Point PCCPAV.RVW
Certus LAN                2.0     SD I O CG 2 1 3 2 PCCERTUS.RVW Certus (no longer supported? cf Norton AntiVirus)
Computer Virus Cat.       9308    info 4 4 Free CARO, cert
Control Room                      I G 2 4 4 2 PCCTRLRM.RVW Borland
Data Physician +          3.1A    SDRIM C 2 2 2 2 PCDATPHS.RVW Digital Dispatch
DISKSECURE                2.32A   IM C 2 3 3 4 BSIs only risc, urvax, eugene cf also FixMBR, FixUTIL PCDSKSEC.RVW SafeMBR, CHKSMBR, CHKMEM, CHKBOOT in FixUtil etc. are free
Eliminator                1.17    SDR C 3 2 3 2 PCELMNTR.RVW Thecia
F-PROT                    2.09F   SDR CG 3 3 3 4 home - free, bus. - $1/CPU frisk@complex.is, risc, urvax, eugene, garbo PCFPROT.RVW
Hoffman Summary           310     info G 3 3 $35 risc, urvax, eugene
HTScan                    2.0     S C 2 3 3 3 Free (non-comm.) (also VSIG 9303) risc, urvax, eugene, garbo
HyperACCESS/5                     S C 2 1 2 2 PCHA5.RVW, term program Higraeve with scanner
IBM Antivirus/DOS         1.03    SRDI CG 2 2 2 3 $35 PCIBMAV.RVW local IBM rep
Integrity Master          2.11    S I CG 3 3 3 $35 PCIM.RVW risc, urvax, eugene
LANProtect                1.1     S CG 1 2 2 2 Intel
Mace Vaccine              3.0     M G 1 3 2 1 PCMACE.RVW Fifth Generation
Norton AntiVirus                  SDRI G 2 3 2 3 $130 PCNRTNAV.RVW Symantec/Norton
PC-Cillin                 2.95L   SDRIM G 3 3 3 2 $139 PCCILL2N.RVW Trend Micro
SafeWord Virus-Safe       1.12    I C 2 3 4 3 PCSAFWRD.RVW Enigma Logic
Thunderbyte Utility       6.08    SDRIMOE C 2 2 3 3 $29 PCTBSCAN.RVW risc, urvax, eugene, garbo
VACCINE (WWS)             5.00    SD IMO C 2 1 2 2 PCWWSVCN.RVW The Davidsohn Group
VACCINE (Sophos)          9111    S I CG 2 2 2 3 PCSOPHOS.RVW
Untouchable               1.1     SDRIM CG 2 2 2 2 PCUNTUCH.RVW Fifth Generation Systems
VDS                       2.10T   I CG 2 2 3 2 PCVDS.RVW risc, urvax, eugene
VET                       7.0?    SDRIM C PCVET (in process) Cybec
Victor Charlie            5.0     IM C 3 2 3 3 $99 PCVC.RVW Delta Base Enterprises
Virex-PC                  2.91    SDRIM G 4 2 4 4 $49 PCVIREX.RVW Datawatch (VIRx now assumed under this product)
ViruCide                  2.41    SD G 3 4 3 3 $49 PCVIRCID.RVW Parsons Technology
Virus0Buster              3.75    SDRIMO CG 3 3 3 4 PCVRBSTR.RVW Leprechaun Software (70451.3621@compuserve.com)
VIRUSCAN Suite            108     SDRIM C 2 2 2 3 ~$25/module risc, urvax, SIMTEL, garbo, mcafee.com PCSCAN.RVW
VirusSafe LAN             4.01    SDRI O CG 2 2 3 2 PCVIRSAF.RVW EliaShim Micro
VIRx                      (see Virex-PC)
Vi-Spy                    10.0    SDR M CG 2 2 3 3 $150 PCVISPY.RVW RG Software Systems

OS/2
HyperACCESS/5                     S C 2 1 2 2 PCHA5.RVW, term program Higraeve with scanner
IBM Antivirus/OS/2        1.03    SRDI CG 2 2 2 3 $35 PCIBMAV.RVW local IBM rep
SCAN/OS/2 Suite           108     SDRIM C 2 2 2 3 ~$35/module risc, urvax, SIMTEL, garbo, mcafee.com

UNIX
Computer Virus Cat.       9308    info 4 4 Free CARO, cert
Tripwire                          I Free ftp.cs.purdue.edu pub/spaf/COAST/Tripwire

Key:
Type - S=scanner, D=disinfection (restoration of state), R=resident,
       I=integrity checking, M=activity monitor, O=operation restricting,
       E=encryption
UI   - user interface - C=command line, G=menu or GUI
The following are based on a 1=poor - 4=excellent scale
Doc  - documentation
Ease - I=installation, U=use
Ovrl - overall rating for general use

Sites:
CARO   - ftp.informatik.uni-hamburg.de (134.100.4.42)
cert   - cert.org (192.88.209.5)
eugene - eugene.utmb.edu (129.109.9.21)
garbo  - garbo.uwasa.fi (128.214.87.1)
nwu    - ftp.acns.nwu.edu (129.105.113.52)
risc   - risc.ua.edu (130.160.4.7)
simtel - wsmr-simtel20.army.mil
urvax  - urvax.urich.edu (141.166.36.6)
For others see Jim Wright's postings.

For more detailed reviews see /pub/virus-l/docs/reviews at cert
For general virus info see VIRUSFAQ.TXT at cert

Please send updated versions of antivirals to Rob Slade at 3118 Baird Road, North Vancouver, BC, Canada, V7K 2G6.
Please note that all shipments from outside of Canada should state very clearly that the material is for evaluation and has no commercial value. In addition, it is advisable to declare a media cost of $1 per disk and an "intellectual property" value of $1 per item such that the total does not exceed $15. Neither Rob Slade nor V.I.R.U.S. take any responsibility for shipments delayed or refused at Customs for failure to follow these directions.

copyright Robert M. Slade, 1992, 1993   QUICKREF.RVW   931114

==============
Vancouver      ROBERTS@decus.ca     | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca  | key to continue.'
Research into  rslade@cue.bc.ca     | I can't find the
User           p1@CyberStore.ca     | 'Any' key on my
Security       Canada V7K 2G6       | keyboard."

------------------------------

Date: Mon, 29 Nov 93 09:43:26 -0500
From: "Kenneth R. van Wyk"
Subject: Administrative: Call for volunteers

VIRUS-L/comp.virus readers:

As you're all aware, there are several ongoing activities that are made available to this group, such as the Frequently Asked Questions (FAQ) list, the archive site maintenance, etc. Most of these are "background tasks" that people have volunteered to work on over the years. I'm personally finding less and less time to devote to these things, so I'd like to solicit volunteers to spearhead a couple of these things.

Specifically, I'm looking for volunteers to do each of the following:

- Update and maintain the FAQ sheet.
- Coordinate and post product reviews.
- Maintain an anonymous FTP area containing the VIRUS-L/comp.virus archives (i.e., back issues, documents, reviews).

If anyone would like to take on any or all of these tasks, please let me know. Unfortunately, all that I can offer in return is my gratitude, and due credit on all of the work. I can also guarantee that you'll meet plenty of interesting people.

Thanks,

Ken

Kenneth R. van Wyk
Chief, Operations
Automated System Security Incident Support Team (ASSIST)
Center for Information Systems Security (CISS)
Defense Information Systems Agency (DISA)
Moderator, VIRUS-L/comp.virus
krvw@ASSIST.IMS.DISA.MIL
ASSIST Hotline: +1 703 756 7974
ASSIST e-mail: assist@assist.ims.disa.mil

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 151]
******************************************