To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #152
--------
VIRUS-L Digest            Wednesday, 1 Dec 1993        Volume 6 : Issue 152

Today's Topics:

Virus Myths 10th Edition
Re: Freeware distribution of anti-virus software
Book information request.
Re: Tales about viri
Re: Virus at an atomic power station
Re: Automated virus scan every n days ? (PC)
WinSleuth? (PC)
Re: Once a week batch file (PC)
Re: Sorry, I need more RAM memory (PC)
Automated Virus Scan Every n Days - Remindme.zip (PC)
Re: Commercial Virus Scanners in the dark??? (PC)
Re: Removing Boot Sector Virus from Floppies (PC)
Form Virus + WinNT 3.1 (PC)
Re: Commercial Virus Scanners in the dark??? (PC)
Automated virus scanning (PC)
Re: Full version of AVP 1.07 available (PC)
Re: Horror of Horrors! (PC)
Re: Problems with Anti-Tel (A-Vir) (PC)
Re: Removing the Moctezuma virus (PC)
WinNT + Dos 6.0 + Form VIRUS!! (PC)
Strange Behaviour of F-PROT, possible boot sector virus? (PC)
Thunderbyte's reply about danger of TbClean (PC)
'D3' virus (PC).
prevent programs (PC)
Re: Save all you can (CVP)
Getting Resources (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 23 Nov 93 11:52:04 -0500
From: "Mark J. Miller"
Subject: Virus Myths 10th Edition

I've recently uploaded the 10th edition (4-Oct-93) of Computer Virus Myths by Rob Rosenberger & Ross M. Greenburg to the SIMTEL 20 archives & its primary mirror at OAK.OAKLAND.EDU. This document explains some of the more common misconceptions about viruses & what they can/cannot do. The file at OAKLAND is pub/msdos/virus/mythsv10.zip (PKWARE 2.04g). The file was uploaded by permission of the authors.

Mark J. Miller
Instructional Computing Programmer/Analyst
Saginaw Valley State University
mjm@tardis.svsu.edu

------------------------------

Date: Tue, 23 Nov 93 18:35:01 -0500
From: "R. Wallace Hale"
Subject: Re: Freeware distribution of anti-virus software

Kristian A. Bognaes (Norman Data Defense Systems) wrote:

>I am a supporter of the freeware and shareware principles, and have
>both written and supported applications on a "please support" basis.

A friend in Gvarv frequently mentions both your firm and product, but I got the impression that there was little interest in the BBS and shareware world.

>Still, I have a concern regarding this method of distribution when it
>comes to anti-virus protection software:

- It seems to be working quite well for Frisk et al...

>I never made any money either, although the software is in use by many).

Neither did I.

R. Wallace Hale        "Thinking is the hardest work there is,
halew@nbnet.nb.ca       which is the probable reason why so few
BBS (506) 325-9002      engage in it."   - Henry Ford

------------------------------

Date: Wed, 24 Nov 93 05:00:23 -0500
From: d.phillips@open.ac.uk (Dave Phillips)
Subject: Book information request.

I have been speaking with Kev HARRIS@lib.swbts.edu about info on viruses and how they work, and I told him about a new book I have got hold of. He requested more info on it and suggested I post the info to the bulletin board. So here's the info.

Book: The Survivors Guide To Computer Viruses
Edited by Victoria Lammer
ISBN no. 0-9522114-0-8

It's a book that brings together core info from previous editions of "Virus Bulletin". It's the first edition, released in September 93, and can be obtained from Virus Bulletin Ltd in the UK. The email address for more info is VIRUSBTN@VAX.OX.AC.UK.

I'm reading the book at present and find the info inside to be interesting and informative. (This is IMHO)

Regards

------------------------------

Date: Wed, 24 Nov 93 08:50:30 -0500
From: ganino@jumbo.Read.TASC.COM (James S. Ganino)
Subject: Re: Tales about viri

>
> Hi, this is JJ Merelo, from Granada, Spain. I gotta give a short talk
> to non-techie users, and would like to add some spicy stories about
> funny mistakes about viri/outright catastrophes caused by them/and any
> other anecdote that may make some laughs (or some Oooohs) in a
> conference.
>

For Oooohs, Aaaahs, and Laughs, I have found Pamela Kane's book, V.I.R.U.S Protection: Vital Information Resources Under Siege, to be a treasure trove. It is four years old, but it is still fun reading. If you wish, you can try to contact her directly; the latest e-mail address I have for her is pskane@dockmaster.ncsc.mil.

- --
James S. Ganino
TASC
55 Walkers Brook Drive
Reading, MA 01867

------------------------------

Date: Wed, 24 Nov 93 14:37:17 +0000
From: pdb@cdc.demon.co.uk (Peter Burnett)
Subject: Re: Virus at an atomic power station

A.APPLEYARD@fs1.mt.umist.ac.uk writes:

> On Ceefax (text info transmitted via BBC TV 1 (a British TV channel) on
>evening of Wed. 10 Nov 1993:-
> VIRUS: A computer virus sparked a safety scare at Sizewell B nuclear power
>station, the latest Computer Weekly says. A man was later sacked for
>introducing unauthorized software.
Well, the procedures that they have at Sizewell B Power Station failed, as on ALL security gates at the station there is a BIG blue sign saying that all PC based disks MUST be checked for viruses before being allowed onto the site, and it provides a phone number that anyone can call for assistance. Most equipment is searched prior to allowance on the site (I am a recent visitor as a contractor to the site), although I must say, when I went onto the site I had PC disks with me, but was never asked about them, nor did I offer them up for site inspection either.

In one respect, their own procedures and other things failed. Signs, personnel and associated items DID not work. Whatever procedures you have, if they fail to be implemented, then the barriers are useless.

Peter.
- --
+----------------------------------------------------------------+
| Peter Burnett       Post Design Services Software Support      |
+----------------------------------------------------------------+

------------------------------

Date: Tue, 23 Nov 93 11:07:18 -0500
From: fguidry@crl.com (Fran Guidry)
Subject: Re: Automated virus scan every n days ? (PC)

lubberland@unh.edu wrote:

>conn0060@maroon.tc.umn.edu (Michael F Conners-1) writes...
>>>FPROT on my system. What I am looking for is a program/autoexec code
>>>that will execute F-PROT and SCAN only once on say Thursday and then ignore
[ stuff deleted ]
>>I am also looking for a way to do this. My e-mail address is
>
>No, no! Put it on the net, please!
>

Is this a FAQable item? I have a terrific program by Yossi Gil called EVERY.COM, which provides very powerful testing for time periods. For instance, the program supports commands like

every week run.exe
every month run.exe
every year run.exe

as well as

every thursday run.exe

The doc gives no indication of licensing fees, so I'm assuming the program is freeware. I have just checked and the file is available on oak.oakland.edu in pub/msdos/batutl/every15.zip.
Fran

------------------------------

Date: Tue, 23 Nov 93 11:14:25 -0500
From: Fabio Esquivel
Subject: WinSleuth? (PC)

Does anybody have any experience with the Win Sleuth antivirus? Where is it from? Is it good? Someone here says it identifies the Kamikaze and OM-97 viruses in the same PC, though F-Prot just finds Kamikaze.

Any answer will be greatly appreciated,

DATA     SEGMENT PARA PUBLIC
name     DB 'Fabio Esquivel'              ; C:\> dir a:
bitnet   DB 'fesquive@ucrvm2.bitnet'      ; Virus found in drive A:
internet DB 'fesquive@ucrvm2.ucr.ac.cr'   ; Install, Kill, Panic?_
DATA     ENDS

------------------------------

Date: Tue, 23 Nov 93 13:00:34 -0500
From: tdavis@shuttle.cc.umr.edu
Subject: Re: Once a week batch file (PC)

There have been several recent postings on the subject of running AV programs at boot on specific days. There have also been similar messages on CIS. Legare Coleman posted a batch file solution on CIS that works with the more recent DOS versions - those allowing CALL. (COMMAND /c does not work.) I have modified his solution to eliminate the need to prepare a second batch file in advance, and to have the code clean up completely after itself.

Inclusion of these lines in AUTOEXEC.BAT will CALL a batch file named AVBATCH.BAT at (every) bootup on every Tuesday. Users will need to supply the AVBATCH file. This code is easily modified for any day of the week, or a specific fully qualified date.

- -----------------------------cut here----------------------------------------
rem Write CURRENT.BAT, which stores its 3rd argument in the environment
rem (%% inside a batch file becomes a single % in the written file)
echo set dow=%%3> current.bat
rem Capture DATE's output as GETDATE.BAT; its first line reads e.g.
rem "Current date is Tue 11-23-1993" (echo. feeds DATE the CR it waits for)
echo. | date > getdate.bat
rem "Current" is the first word, so GETDATE.BAT runs CURRENT.BAT with
rem "date is Tue ..." as %1 %2 %3 ...; SET DOW=Tue executes, CALL returns
call getdate
del getdate.bat
del current.bat
rem Run the AV batch only on the chosen weekday, then clean up the variable
if "%dow%" == "Tue" call avbatch
set dow=
- -----------------------------cut here----------------------------------------

Things to watch out for:

%%3> must be exactly as shown, with 2 '%'s and no space between '3' and '>'.

If the day of the week is not the 4th item in the top line of the date display, adjust the '3' accordingly.

'current' must be the first word in the top line of the date display. If not, substitute whatever is there.

'echo.' is whatever is required to echo a CR to the pipe.

The 'if' test must match the day name wanted, with no extraneous spaces.

The last line has no spaces following the '='.

This works because the date text is written to a batch file, the first word of which is a valid command (because we made a batch file with that name). When GETDATE is called it jumps to CURRENT.BAT, passing it the rest of the top line of the date response as arguments. CURRENT.BAT then places the 3rd argument into the environment, where it can be retrieved when CURRENT.BAT terminates and the CALL returns.

T.E.D. (tdavis@shuttle.cc.umr.edu)

------------------------------

Date: Tue, 23 Nov 93 13:24:33 -0500
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: Sorry, I need more RAM memory (PC)

Good morning Bill,

vfreak@aol.com writes:

>From: byng@solomon.technet.sg (Ng Bee Yong)
[...deleted...]
>Yes: this is a known bug in Scan 108. It is caused by using the /A

Wrong. This was a known bug in Version 107 and was fixed in Version 108. The current release is Version 109.

>parameter to scan all files. This bug happens after scanning
>approximately 1,000 files. Stop using the /A parameter, and the bug

The nature of the bug in Version 107 was that SCAN would allocate memory to uncompress PKLITE and LZEXE files and then fail to deallocate the memory if SCAN did not scan a compressed file before changing to another directory. SCAN would then run out of buffer space to read other files into, report that it required more memory, and return to the DOS prompt.

>will stop occurring.
>
>Bill lambdin

Aryeh Goretsky
McAfee Associates Technical Support
- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.   | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor | FAX (408) 970-9727   | or try: support@mcafee.com
Santa Clara, California   | BBS (408) 988-4004   | CompuServe ID: 76702,1714
95051-0963 USA            | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Tue, 23 Nov 93 13:58:58 -0500
From: dbs4331@zeus.tamu.edu (Dan Sline)
Subject: Automated Virus Scan Every n Days - Remindme.zip (PC)

As I had mentioned earlier, I have been developing a program to Scan every "N" days. The beta is available to anyone who would like me to send it to you in uuencoded format. The program is not restricted to scanning for viruses using one particular program. Instead, it can automate several other tasks for you (like backing up your system). If you would like a copy, or have an ftp site I could put the program on, please send me email (Sliner@tamu.edu), and I will send a copy to you.

Thank you in advance,

Dan Sline
Bitnet:     DBS4331@tamvenus      sliner@drycas (secondary address)
Internet:   sliner@tamu.edu       sliner@drycas.club.cc.cmu.edu
Compuserve: 71161,1455
voicenet:   409-693-8730
mailnet:    304 Kyle
            College Station, TX 77840
The opinions expressed above are my own, and are not those of my employer.

------------------------------

Date: Tue, 23 Nov 93 14:26:31 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Commercial Virus Scanners in the dark??? (PC)

Vesselin Bontchev wrote:

>kevin marcus (datadec@ucrengr.ucr.edu) writes:
>> >> I was a virus author, but decided that it was boring because, well,
>> >
>> >Agreed, it is.
>
>> Er...? How do you know if it is or isn't until you've done it?
>
>I am using my brains to figure it out. Don't you?
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> >stuff. I've heard that it has been so successful, that once it has
>> >detected the decryption routine used by some anti-virus product to
>> >decrypt its scan strings, which has caused false positives... :-)
>
>> I wouldn't call anything that gets false positives, "so successful".
>
>Maybe you shouldn't judge something that you don't know. But, of
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Did I miss something here? Sometimes you are allowed to use your brain to figure out something, and other times you're not allowed to? If I use my brain here, I would say there is a contradiction. BTW, do you have more than one brain?

- --
-- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
   CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
   Computer Science, University of California, Riverside.

------------------------------

Date: Tue, 23 Nov 93 14:30:03 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Removing Boot Sector Virus from Floppies (PC)

Vesselin Bontchev wrote:

>kevin marcus (datadec@ucrengr.ucr.edu) writes:
>
>> >The operations mentioned above -do- access the boot sector. DOS needs
>> >to read the BIOS Parameter Block from it, in order to figure out the
>> >parameters of the floppy (size, location of the root directory, etc.).
>
>> Er... While true, keep in mind that this is treated as data, and not
>> code - it is not executed.
>
>I obviously know that, because I have emphasized it several times
>here. Which part of my message led you to believe that I don't?

Well, I was pointing it out for two reasons --

1) Because the readers of virus-l/comp.virus don't know (they have to guess) who the self-appointed experts are, in comparison with the real virus researchers, so hearing it from more than one source would probably be a reassuring point for them.

2) I was just making it clear in that particular comment block - because it wasn't. The part up top there with the ">> >" in front of it.
- --
-- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
   CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
   Computer Science, University of California, Riverside.

------------------------------

Date: Tue, 23 Nov 93 18:41:56 -0500
From: lestat@pearl.ctt.bellcore.com (David Gonzalez)
Subject: Form Virus + WinNT 3.1 (PC)

Hello:

I have just discovered that our WinNT PC is infected with the Form virus. This is a Boot Sector virus and seems to run only under the MS-DOS setup, not the WinNT setup. How can I get rid of it? I know how to do it in a plain MS-DOS machine, but this one is running both options; it has the NT-Loader that asks whether I want MS-DOS or WinNT loaded. I assume that doing sys C: just won't do it....

How can I create a new Recovery Disk? The current one is (as you may have guessed) infected by the Form virus...

- --
- ---------------------------------------------------
David Gonzalez       lestat@ctt.bellcore.com (Work)
Bellcore             dg4s@andrew.cmu.edu (Grad School)
RRC 1-J214           lestat@rmece02.upr.clu.edu (UnderGrad School)
444 Hoes Lane
Piscataway, NJ 08854

------------------------------

Date: Tue, 23 Nov 93 18:48:59 -0500
From: "R. Wallace Hale"
Subject: Re: Commercial Virus Scanners in the dark??? (PC)

>> and one person (Rock Steady) developed a virus called "Varicella"
>
>However, TbScan was not able to detect the virus in the first place,
>so few people would have the idea to run TbClean on an infected file -

If I may quibble a bit, both versions 6.04 and 6.05 of TBScan detected the specimen of Varicella that I have, and the relevant versions of TBClean did allow the virus to become active...

>However, I agree with you that that particular version of
>TbClean was dangerously buggy. The bug has been fixed, however, since
>a long time.

Two months (or thereabouts) is a long time?

R. Wallace Hale        "Thinking is the hardest work there is,
halew@nbnet.nb.ca       which is the probable reason why so few
BBS (506) 325-9002      engage in it."   - Henry Ford

------------------------------

Date: Tue, 23 Nov 93 20:32:06 -0500
From: al026@yfn.ysu.edu (Joe Norton)
Subject: Automated virus scanning (PC)

I read a user's message on here that wanted to execute a virus scanner once per week in his autoexec.bat file. I don't really recommend doing this since it's not as good as scanning after a clean floppy boot, but if you have many "WordPerfect Only" type people in an office that you manage, it could be something that would get used, and a clean boot wouldn't be. Anyways.....

I wrote such a program if anyone wants it. It takes a weekday as the first parameter, and any command you want to run after that. It runs the program once, and only once, on the specified weekday even if you boot more than once on that day. It is less than 4k (done in Turbo Pascal) and freeware. If anyone wants it I can post or email a uuencoded copy to you. I can add more features and such if needed, but don't expect a Windoze version, etc....8-; I'd start to feel that I was writing "huge bloated code" if this got over 10k...

------------------------------

Date: Wed, 24 Nov 93 11:23:31 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Full version of AVP 1.07 available (PC)

William Fang (int877w@lindblat.cc.monash.edu.au) writes:

> I've downloaded the file, did a scan using scan 9.19 v108 and
> f-prot 2.09f just to make sure I didn't bring any viruses with
> the latest batch of downloads (no offence, I got a whole heap
> of junk, not just your files ;-)

You were lucky that you did not use the /A option, otherwise SCAN 108 would have reported a "virus" in one of the files in the package. This is a false positive, as I already explained in one of my previous articles.

> Anyway, started the program on the Temp partition and it asked
> for V_930915.-VB which I assumed was the database it was complaining
> about. I renamed the V_931105.-VB file and it seemed to work.
> Should I have V_930915.-VB or does renaming the new (? I guess) file
> work. Or is there a switch I'm meant to be using to use the newer
> database?

Damn it! Stupid me... :-( That's entirely my fault, sorry for the confusion. I'll correct the archive on the ftp site at once.

The name of the file (V_931105.-VB) is correct - this is the latest update (that's why the 'b' in the name of the archive) and it indicates the date it has been created (in yymmdd format). No, there is no switch to indicate which database of virus detection information to use. However, the name of the database to be used is kept in the file -V.SET. It is a text file and you can use a text editor to edit it and put there V_931105.-VB, instead of V_930915.-VB (which is its current contents). Once more, sorry for the confusion.

Just in case somebody is interested, here is how it has happened. I received the package by snail-mail and the update by e-mail. The update archive contained a correct -V.SET file, but obviously I have messed something up while merging the two archives.

> I've done a quick look through the manual, but didn't stumble
> across on anything on the name of the database, just how to do
> fancy stuff using the pro version, and as a non-programmer, had
> no idea what it was about.

If you are using the "regular" version (-V.EXE), then the only solution is to edit the file -V.SET manually. I guess that's a misfeature that has to be corrected. However, if you are using the "professional" version (-VPRO.EXE), you can press F4 from the main menu. This brings a submenu, called "Base Set", and you can use it to add or remove virus definition databases that will be used by the program. You can also edit those databases, unless they are locked (the ones that come with the package -are- locked, in order to prevent misuse). The result is that the file -V.SET is updated. Just delete the old database name and add the new one.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Wed, 24 Nov 93 11:40:28 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Horror of Horrors! (PC)

kevin marcus (datadec@ucrengr.ucr.edu) writes:

> NAV 3.0 is quite unlike 2.1, (or less), so if you have had bad experiences
> with NAV in the past, you should not anymore (unless you have a processor
> under an 80286... :()

I wouldn't say so. I have very serious problems making NAV 3.0 run from a batch file and produce a sensible report.

First of all, it is not possible any more to redirect its standard output - because it simply does not write to stdout any more.

Second, I had a very annoying problem of NAV stopping after every infection found and waiting for me to press . Setting Tools / Options / Scanner / Advanced / Immediate Notification to OFF takes care of the problem - but only when you run the program interactively. For some reason, it doesn't work from the command line. That is, the program still stops, regardless of the fact that you have saved that particular option in its OFF status. Eventually, Jimmy advised me to set Tools / Options / Alerts / Remove Alert Dialog / After 0 seconds. Now the notification window disappears automatically, but it still appears (when the program is run from the command line), significantly slowing down the scanning process of a heavily infected system (or a virus collection).

BTW, the above description gives some impression of how clumsy it is to change a single option. Worse, it is not possible to change those options from the command line. You have to start the program interactively, change the options, exit the program (they get saved automatically), and then run the program from the command line with the option settings required for that particular case.

At last, I was unable to produce a report file automatically. There is a /report option, but it doesn't seem to do anything at all. There is no way to make the program create a report file while it is working. The most one can do is to run the program, then when it finishes - examine the activities log (interactively, from the menus), and select to print part of it to a file. Clumsy, and inappropriate for automatic preprocessing of the results.

I tend to call such programs "not suitable for testing".

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Wed, 24 Nov 93 12:07:34 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Problems with Anti-Tel (A-Vir) (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

> 4) The virus is a DOS Boot Sector Infector, so in order to remove it,
> it is enough to SYS the infected volume. Beware, however, that the
> virus is stealth and you must make sure that it is not present in
> memory when you are trying to remove it. The only certain way to
> ensure this is to cold-boot from a write-protected uninfected system
> diskette. Since you will do SYS, you must make sure that the diskette
> contains the same version of the operating system as the volume you
> intend to SYS.

Ignore the above, it's completely wrong. This virus is an MBR infector, not a DBS infector. It can be removed with FDISK /MBR, but NOT with SYS. Sorry if my incorrect advice has caused any confusion, and thanks to the person who spotted the mistake and e-mailed me.

Too bad, it seems that I cannot keep in mind even the basic properties of the boot sector viruses... :-(( Probably there are too many of them already...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Wed, 24 Nov 93 12:28:08 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Removing the Moctezuma virus (PC)

manas (SANYALM@CNSVAX.UWEC.EDU) writes:

> I was trying to get rid of the Moctezuma virus. The virus infected just the
> three .exe files on the disk.
> It was not detected by VPCScan V2.2.

Version 2.2 is obsolete. The latest one is 2.91. It is able to detect the virus reliably. However, when I ran it in removal mode (-br), it said that the virus is removed, but didn't actually touch anything. Maybe the registered version doesn't have this problem.

> CLEAN 9.17 V106 couldn't remove it.

Neither can CLEAN 9.20 V109.

> I used Norton AntiVirus V2.2 and that wouldn't remove it either.

There is no such version of NAV. The existing ones are 1.0, 2.0, 2.1, and 3.0. Version 2.1 (with the latest updates of the virus definitions) is able to disinfect only the COM files. I was not able to make version 3.0 do even that reliably.

> What can I use to get rid of the virus without having to delete the files?

I tested some other programs.
Here are the results:

F-Prot 2.10            - disinfects only COM files
FindVirus 6.51         - doesn't disinfect anything
AntiVir IV             - disinfects only COM files
CPAV 2.1               - doesn't disinfect anything
IBM Antivirus/DOS 1.03 - doesn't disinfect anything
AntiVirus Pro 1.07b    - DISINFECTS EVERYTHING
PCVP 1.23              - deletes everything
UTScan 29.04           - doesn't disinfect anything and crashes
VET 7.50               - doesn't disinfect anything

Conclusion: Get AVP 1.07b from our ftp site (beware, it's more than a meg). It will be able to repair the infected files.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    22527 Hamburg, Germany

------------------------------

Date: Wed, 24 Nov 93 17:05:15 -0500
From: lestat@pearl.ctt.bellcore.com (David Gonzalez)
Subject: WinNT + Dos 6.0 + Form VIRUS!! (PC)

Hello:

I am having a bit of a problem with a boot sector virus called Form. It has managed to contaminate the boot sector of my PC. Up to this morning, I was still able to boot WinNT and Dos, but now it seems that the boot loader has been damaged, since the machine just locks up. Unfortunately, I scanned the NT recovery disk and it also has the virus :-(.

Now, I know how to remove the virus, and all that stuff; the part I don't know is how to avoid damaging the NT Loader.

Just in case: Dos 6.0, WinNT 3.1 (without patches), McAfee Clean V108, Scan V109. Virus: Form, seems to be the "Canadian" variant according to data from the Vsum 310.

- --
- ---------------------------------------------------
David Gonzalez       lestat@ctt.bellcore.com (Work)
Bellcore             dg4s@andrew.cmu.edu (Grad School)
RRC 1-J214           lestat@rmece02.upr.clu.edu (UnderGrad School)
444 Hoes Lane
Piscataway, NJ 08854

------------------------------

Date: Thu, 25 Nov 93 15:54:45 -0500
From: eastwood@unbsj.ca (Eric Eastwood)
Subject: Strange Behaviour of F-PROT, possible boot sector virus? (PC)

Hi,

I am having a small problem with a possible virus on our campus (more specifically in our engineering PC lab). The problem is isolating the virus (?). The order of events is something like this:

1) 09:00 Get a report of a virus in the engineering PC lab. The lab is closed to all access until we can isolate the problem.

2) 09:30 Have the virus located on one machine in the lab and get reports from F-PROT 2.09f saying that the "TELECOM virus" is in memory. Only if you boot the machine using the hard drive and let autoexec.bat be run. (loadhigh, mouse, doskey, msav and mode are the only programs in autoexec.bat.) If autoexec is not run, the virus is not seen.

3) 10:00 Find the virus on about half of the machines in the lab using F-PROT after booting the machines with a full pass of the autoexec.bat.

4) 10:15 Discover that only F-PROT will find the virus; MSAV and SCAN do not find the virus.

5) 11:00 Get the virus to infect a disk with f-prot on the disk. The disk will consistently give a hit for the "TELECOM" virus. Cannot tell where the virus is because we do not have a duplicate and no file sizes or dates were changed.

6) 11:45 Try to get the virus to infect another disk that we have made in our offices as a duplicate of a master disk. The virus will not attack the disk, even though it is still reported in memory. We also start to low level format each of the drives in the lab (20 machines in all).

7) 13:15 After trying for over an hour to get the virus to act consistently, the virus seems to disappear from the infected F-Prot disk even though it is write protected.

8) 13:45 Get the original disk that was used to do the scanning and find that it has been modified by Central Point Anti-Virus to have external self checking code. All disks scanned with this disk give gibberish lines such as the following when scanning the boot sector:

Rn NCI brnmnirrrnrrrt,arrai-ars]/nha t virus-infected right now (Y/N) ?

9) 14:20 Gather all disks used to try to disinfect the lab. Boot and scan each disk; all report clean. The one machine in the lab that we have not reformatted still reports the TELECOM virus when msav is run.

10) 15:00 For the sake of our collective sanity, we stop trying to find the virus to sit back and reflect on what has happened.

11) 16:00 Show the disk that the virus had looked like it had left to the person who had initially isolated the virus. And the virus was back with more gibberish than before. And will not give a hit for the TELECOM virus.

As part of trying to figure out what happened I decided to write this note and try to see if any of you have any suggestions as to what we could do next? Have we been chasing a non-virus conflict between MSAV and F-PROT? Is there any other way to rid ourselves of this virus besides reformatting all of the hard drives on campus?

K. Eric Eastwood, UNBSJ Computing Services   KEE@UNSBJ.CA

***
K. Eric Eastwood, Systems Analyst, Computing Services - kee@unbsj.ca
University of New Brunswick Saint John, P.O. Box 5050 - ph: (506) 648-5551
Saint John, New Brunswick, Canada E2L 4L5             - fax:(506) 648-5528

------------------------------

Date: Fri, 26 Nov 93 05:02:46 -0500
From: bondt@dutiws.twi.tudelft.nl (Piet de Bondt)
Subject: Thunderbyte's reply about danger of TbClean (PC)

Hi all,

Here is the *official* answer from Frans Veldman (author of TBAV) about the danger of using TbClean (esp. the heuristic cleaning) and the so called 'dangerous' virus "Varicella". There is no danger (at least not since the release of 6.02 or so) and there never really was !!
> the _terrible_ bug, was with the TBCLEAN.EXE utility, this program which is

Very exaggerated! See below.

> and one person (Rock Steady) developed a virus called "Varicella" this
> virus did exactly the above! meaning if I gave you a file (anyfile)
> infected with the Varicella virus, and if you tried to clean this virus
> infected file with tbclean, what would actual happen is that tbclean
> will report "that this file is not infected by a virus" but what
> _actually_ happen was that the virus escaped the controlled environment
> that tbclean setup to try to disinfect the file, and the virus will go
> resident and hook interrupts 21h,13h,8h,1ch. and it will allocate memory
> under the TOM, and fool tbclean in reporting that no virus is in the
> file, and tbclean will exit normally!
> whereby, in fact the varicella virus went resident and is now infecting
> the system. and to advice you, the varicella virus is fairly a stealth
> virus that disinfects files on the fly, when opened and reinfects them
> when closed, and it hides its virus length very well! such a virus can
> easily get out of control on a huge level. all because we trusted
> heuristic scanning!

Heuristic scanning? Heuristic cleaning you mean! There is absolutely
nothing dangerous with heuristic *scanning*.

> because tbclean, actually tries to remove viruses from the infect file
> by executing the virus, with the help of the int 1 & 3. makes this

TbClean will normally use the Anti-Vir.Dat records, which do not pose
any risk at all. Heuristic cleaning will only be performed as a last
resort, if all other means to clean a file failed, mainly because the
user neglected to use TbSetup. If you apply our tools correctly, there
is and has never been any danger.

> method very dangerous to use! as shown to you by mr. rock steady of
> Nuke.

If you don't like it, simply disable the heuristic cleaning feature of
TbClean.

> so before you think "heuristic" is the best method of
> scanning/cleaning think again!
> the rate of false positives is WAY TOO
> HIGH! and remember that the average computer user is not a genius

??? How do you mean 'Too high'? According to what standard? The default
heuristic mode of TbScan does not cause any false alarm.

> heuristics may have a future, but not for a while, not till it is
> perfected!

Heuristic is already perfect. It detects about 90% of the new viruses.
This means that 9 out of 10 completely new viruses are detected before
we, the authors of TBAV, even have seen the virus.

Anyway, for your information, the Varicella virus isn't able to escape
from TbClean anymore since the last four releases.

- --
Thunderbye, Frans Veldman
<*** PGP 2.3 public key available on request ***>

- --
Piet de Bondt                     E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for MSDOS Anti-virus software at: ftp.twi.tudelft.nl

------------------------------

Date: Fri, 26 Nov 93 07:44:46 -0500
From: P.Lucas@mail.nerc-swindon.ac.uk
Subject: 'D3' virus (PC).

Does anyone have any information on what S&S [Alan Solomon] describe as
the 'D3' virus? It's a boot-sector infector that apparently has no
payload and is not stealthed. It hooks int13. Any additional info on its
behaviour, or what it's called by others, would be of interest.

- -Peter J.M. Lucas
NERC Computer Services
Swindon
England.
pjml@swmis.nsw.ac.uk
pjml@uk.ac.nsw.swmis
g6wbj@gb7sdn.gbr.eu

Why does Reality have to be in the public domain?

------------------------------

Date: Tue, 23 Nov 93 12:02:20 -0500
From: "Mark J. Miller"
Subject: prevent programs (PC)

Has anyone heard of a program that will allow you to specify that only
certain programs can be run under MS-DOS? McAfee has VSHIELD, but I
think it's kind of expensive. Also, I saw mention of a "Virus Bulletin".
Can someone please tell me how to get copies of this? Thanks.

Mark J. Miller
Instructional Computing Programmer/Analyst
Saginaw Valley State University
mjm@tardis.svsu.edu

------------------------------

Date: Wed, 24 Nov 93 13:39:18 -0500
From: Ellen Carrico
Subject: Re: Save all you can (CVP)

> From: "Rob Slade"
> BEGPAN3.CVP   931015
> OK. Maybe we don't yet know what is wrong, but if the computer is
> still running, we can start some salvage operations. Let's do a
> backup.
> [stuff deleted]
> What? Copy each individual file for Windows and all your Windows
> apps? No. Don't bother with the programs. If it turns out that a
> bunch of your programs are infected, the best thing to do, anyways,
> is erase and re-install them. Besides, the programs aren't the
> valuable parts. How much did that really extravagant database
> program cost you, anyway? $500? Even if you don't have the
> original disks to install it again, you can run down to the store

If you have a legal copy, you *should* have the disks, shouldn't you?

> If you are on a network, backing up can be as simple as copying all
> your data onto the server. This is especially so if the server is a

As a former system/network admin I have to say there is NOTHING simple
about having users back their data up to a server. Often servers (DOS,
OS/2 and Unix are the ones I'm familiar with) are carefully partitioned
to make certain that *all* users have proper access and space
availability. If someone suddenly decides to dump about 30-60 Mb of data
and programs (I don't have any faith at all that people won't decide to
back up their program files "just in case") onto a server which is
already at maximum usage it can cause all kinds of nightmares for the
administrator. In addition, a simple request to the administrator will
often result in extra help in handling the backup. Trust me, there is a
reason for system operators and admins to limit use and access.
Come to think of it, I'm sure *I* spent a lot more time being yelled AT
than yelling at someone else. Oh, and one final point, your admin should
*definitely* be told if your workstation is infected as part of your
system security.

> different type of machine (eg. you are working on a PC or Mac, and
> the server is a VAX). Don't worry if the system operators yell at
> you for exceeding quota: this is an emergency, and they are always
> yelling at somebody, anyway.

YOUR emergency isn't necessarily anyone else's emergency ... ;-)

> Of course, the best solution is to back up both ways. Redundant
> backup, it's called. Poor choice of words. If something crashes, a
> backup is *never* redundant.

You're right that you can never have too many good backups. However,
before you back up onto a server you need to check the policy that has
been set by your company/school/administrator. Otherwise, you might find
that the data you thought you had carefully and securely backed up onto
the server was deleted by your administrator.

> copyright Robert M. Slade, 1993   BEGPAN3.CVP   931015
> Vancouver      ROBERTS@decus.ca     | Lotteries are a tax
> Institute for  Robert_Slade@sfu.ca  | on the arithmetically
> Research into  rslade@cue.bc.ca     | impaired.
> User           p1@CyberStore.ca     |
> Security       Canada V7K 2G6       |

Ellen Carrico              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microcomputer Coordinator  "A motorcycle is a tool for turning the Machine
Automated Services         Age back on itself, for removing shackles. It
Seattle Public Library     won't fix everything that's wrong with the world,
(206)386-4168              but, hey, ... it's definitely a move in the right
ecarrico@spl.lib.wa.us     direction." --Paul Pascarella

------------------------------

Date: Fri, 26 Nov 93 11:52:04 -0500
From: "Rob Slade"
Subject: Getting Resources (CVP)

BEGPAN5.CVP   931103

                         Getting Resources

There are probably a number of things around you that you can use either
to diagnose the problem or to aid in recovery.
We've looked at some of the basic information, resources and history
that might help. Now, let's look for some tools which might be less
obvious.

Another computer is a big help, particularly if you are pretty sure it
hasn't been infected or affected. If you have several, that can be a
real big help. Another computer can be used to examine (carefully)
floppy disks and files from the infected machine, to try and determine
what is being infected, and how. If you don't have a "clean system
disk", that pre-requisite for any virus disinfection, you can make one
from the other computer.

You may be able to confirm or deny a virus infection with the other
machines. If you suspect a virus simply on the basis that "something
weird is happening," then you probably don't have a virus at all.
Computers do many strange and wonderful things, only very few of them at
the behest of viral programs. In any event, "swapping out" bits and
pieces of the computers may identify some malfunctioning hardware. You
still have a problem, but at least it is an isolated and identifiable
one.

Along with whatever system and utility software you can find, get
several blank, formatted disks. Make some of them system disks. Copy a
range of programs on to them, of different types and sizes. These disks
and files you will want to use as bait. (If the infected computer uses
different types and sizes of disks, get examples of all the various
formats.) Record the file sizes and dates of the "bait" files, as well
as the "free space" remaining on the disk. (Viral programs may use
various means to hide the fact that a file has grown. Few, however,
bother to try to hide the fact that disk space has shrunk.) Take a look
at the boot sectors of the disks so that you will be able to notice any
changes if they are changed.

Get a pot of coffee. Get a few friends, even if computer illiterate, for
the moral support and the extra eyes. (Observations are key.) Get some
lunch. Get some perspective.

Don't Panic.
copyright Robert M. Slade, 1993   BEGPAN5.CVP   931103

=============
Vancouver      ROBERTS@decus.ca     | Life is
Institute for  Robert_Slade@sfu.ca  | unpredictable:
Research into  rslade@cue.bc.ca     | eat dessert
User           p1@CyberStore.ca     | first.
Security       Canada V7K 2G6       |

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 152]
******************************************
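Rob Slade's "bait" checklist above (record bait-file sizes and dates, free space and the boot sector, then look for changes) as a baseline-and-compare script. This is an added example, not part of the CVP column or of any tool named in the digest; it assumes the bait files sit in one directory and that the boot sector is read from a disk image file whose path you supply.

```python
import hashlib
import os
import shutil

BOOT_SECTOR_SIZE = 512  # size of the first sector on a DOS floppy or disk


def boot_sector_hash(image_path: str) -> str:
    # Hash the first sector of a disk image (assumed path) so that any
    # later change to the boot sector shows up as a hash mismatch.
    with open(image_path, "rb") as fh:
        return hashlib.sha256(fh.read(BOOT_SECTOR_SIZE)).hexdigest()


def snapshot(bait_dir: str, image_path: str) -> dict:
    # Record size and modification time of every bait file, the free space
    # on the volume holding them, and the boot-sector hash of the image.
    files = {}
    for name in sorted(os.listdir(bait_dir)):
        st = os.stat(os.path.join(bait_dir, name))
        files[name] = (st.st_size, st.st_mtime_ns)
    return {
        "files": files,
        "free": shutil.disk_usage(bait_dir).free,
        "boot": boot_sector_hash(image_path),
    }


def compare(before: dict, after: dict, free_slack: int = 0) -> list:
    # Report every difference the checklist says to watch for. An empty
    # list means the bait has not been touched. free_slack lets a caller
    # ignore small free-space changes caused by ordinary use.
    findings = []
    for name, (size, mtime) in before["files"].items():
        if name not in after["files"]:
            findings.append(f"{name}: missing")
            continue
        new_size, new_mtime = after["files"][name]
        if new_size != size:
            findings.append(f"{name}: size {size} -> {new_size}")
        if new_mtime != mtime:
            findings.append(f"{name}: date/time changed")
    for name in after["files"]:
        if name not in before["files"]:
            findings.append(f"{name}: new file")
    shrink = before["free"] - after["free"]
    if shrink > free_slack:
        findings.append(f"free space shrank by {shrink} bytes")
    if before["boot"] != after["boot"]:
        findings.append("boot sector changed")
    return findings
```

Take the first snapshot from the clean machine, run the bait on the suspect one, and compare; a grown bait file or a changed boot sector is the evidence the column asks you to collect.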