To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #153
--------
VIRUS-L Digest   Wednesday, 1 Dec 1993    Volume 6 : Issue 153

Today's Topics:

re: More Liabilities..
Fictional virus and antivirus in Dr. Dobb's Journal, December 1993
Re: anti-virus legislation
information on viruses and crime
Liabilities
BEB* virus (PC) ???
Getting rid of V-sign (PC)
Re: Monkey is not cute! (PC)
MS-DOS 6.2 upgrade (PC)
November 17th Virus at Manchester Univ (England): from Italy? (PC)
Re: MtE virus...what does it do? (PC)
Re[2]: Which antivirus program (PC)
Re[2]: November 17th virus at Manchester England? (PC)
QUESTION: F-PROT virstop (PC)
NetShield 1.55 Question (PC)
Virus that affects printing only? (PC)
Re: Restoring Floppy's Boot Sector (PC)
McAfee VSHIELD vs Frisk VIRSTOP ??? (PC)
S-Bug info?? (PC)
Help for a virus victim in Auckland (PC)
NAV Clinic 2.0 false alarm or bd SCAN 108? (PC)
"Wrapper" (PC)
File listing on risc (PC)
Updates on risc (PC)
"Using McAfee Associates Software for Safe Computing" by Jacobson

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 26 Nov 93 12:09:07 -0500
From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
Subject: re: More Liabilities..

IN REPLY TO: Kevin Marcus (datadec@ucrengr.ucr.edu)

K> wrote:
K>>>such experiments in such restricted environments. It's writing viruses
K>>>for the real computers that we label as malicious, unethical, and
K>>>criminal.
K>>
K>>I disagree. I have no problems with people writing viruses. Releasing these
K>>viruses into the wild to computers of unsuspecting users is what I consider
K>>malicious, and unethical.

Agree totally, just as people who manufacture weapons cannot be held liable for the actions others take with them.

K>>
K>>As long as the virus is kept under controlled conditions, it is none of my
K>>business if Joe user down the street writes a virus.
K>
K>
K>known that Joe wrote a virus.
K>Clearly, however, Joe does release his viruses, or they "escape" where they
K>are supposed to be. Who is to be the judge of who can or can't write
K>viruses? Who is the one to say who is more responsible than someone else?

The point here is not to judge who writes viruses or not; the point here is responsibility. Who is to say if you are responsible or not? The law. Being responsible applies to everyday life's behaviour. For example, you have to be responsible when you drive your car, responsible to other drivers and pedestrians; if you are not (driving under the influence of alcohol is an example), then you go to jail if caught, simple as that. If responsibilities in certain social behaviours are not enforced, as you seem to imply, then we will be in a lot of trouble!

K>Indeed, it is malicious to allow a virus to spread to unsuspecting
K>users,

Yes, indeed!

K>but it is pretty unethical to write the virus in the first
K>place.

This argument is ridiculous!
Using the same logic you used before, it can be proven that your train of thought is contradictory: Who are you to decide whether something is unethical or not? Who is the one to decide whether something is unethical or not? Writing a virus has nothing to do with ethics; as I said before, it is yet to be proven that a virus has no benefits, so writing a virus is in no way unethical. Notice that I am referring just to the act of creating a virus.

K>Why would you want to write one?

There are a million possible reasons; just because you cannot see the sun, it does not mean it does not exist.

K>What benefits can you receive from keeping a virus isolated and never
K>let anyone see it?

What benefit could a scientist receive from studying Anthrax viruses if he obviously cannot release it? The mistake here again is that viruses are not inherently destructive; they may have (at least in theory) a useful purpose. You have problems understanding the basic premise that we are not like others, i.e. everyone is different, including virus writers, and they don't all have a need to let people 'see' their work. Some people are beyond the adolescent stage of 'showing off.' (Some people are not :) )

K>To study it? If you wrote it, you sure as hell know what it will be
K>doing.

What about to study how it spreads with a particular operating system and particular software, to run an epidemiological statistical study? This is one of many possible cases.

K>>
K>>>I don't think that virus creation should be forbidden per se. But I do
K>>>think that if a virus is found somewhere where it is unwanted, the
K>>>author of the virus should share the responsibility, even if he has
K>>>not introduced the virus into that system.
K>>
K>>I agree with this 100%
K>
K>Even if it were forbidden, how effective do you think any of the laws
K>which state that would be?

It will be useless; enforcing it would be like enforcing free speech and free writing.
K>Murder is unethical and malicious, by society's
K>standards today, it also has a lot of legislation against it. But, it
K>still happens.

It always has and it always will, regardless of laws and enforcement. It is part of human nature. So are computer viruses.

K>Virus writing would be a very difficult thing to enforce.

No, virus writing is impossible to enforce, short of being in a totalitarian state where public speech and writing is banned because it is not in the state's best interests. It cannot be proven that writing viruses does not serve an educational purpose. The whole point is, viruses are more than destructive code, and are more than the 2-dimensional pieces of code some people would like them to appear.

Regards.

Karl Tarhk
--
ktark@src4src.linet.org

------------------------------

Date: Sat, 27 Nov 93 14:39:52 -0500
From: hstroem@hood.ed.unit.no
Subject: Fictional virus and antivirus in Dr. Dobb's Journal, December 1993

While reading the most recent issue of Dr. Dobb's I found an interesting short story in Michael Swaine's column, Swaine's Flames. The story is set in the year 1995. It concerns the InterNet and describes some kind of new law that demands that everyone connected to the InterNet have a Guardian on their machines. The Guardian is the interesting part of the story: "Guardians are, in layman's terms, antivirus viruses, capable of seeking out and destroying invading computer viruses."

It is the classic science fiction idea that the most effective means of defense against a worm or a computer virus must be an anti-worm or anti-virus. A little like the tapeworm in "The Shockwave Rider". As always in SF we are here talking about a network environment, and not about infection through floppy disk exchange. Maybe a virus or a worm made by the "good guys" would be the most effective protection against a particularly successful "virus" or worm of the future?
If we get UNIX systems that are as compatible with each other as the different DOS versions are today, we might see some fairly widespread worms or viruses on such platforms as well. Windows for Workgroups 3.11 shows some nice advances in TCP/IP support and integration towards Windows NT Advanced Server. This, combined with the forthcoming Chicago (DOS 7/Win 4), may help get far more people to buy a network card or a modem. And with the hardware and software in place, we are only waiting for the InterNet to reach the average computer user.

So, maybe the benign virus can exist after all?

Just a thought,
Henrik Stroem

------------------------------

Date: Mon, 29 Nov 93 13:05:51 -0500
From: ksaj@pcscav.com (OS R & D)
Subject: Re: anti-virus legislation

I just read in the news about how Sweden will be making virus writing illegal. Unfortunately, the definition of a virus that they list in the bill is very poorly written. By definition, it covers Stacker (or any other disk compression utility), and worst of all, it covers most anti-virus packages, because they (without authorization) will halt your machine if certain actions are detected.

An example is: Thunderbyte's TBFILE will reboot your machine if a program attempts to tunnel for an original interrupt entry point. Because it doesn't allow you to save your work, some data could be destroyed, i.e., not saved to the disk. Even halting the machine temporarily while timing-critical functions are being exercised would be considered an unauthorized altering of data, since the results of the timings would be thrown off.

Sweden's legal definition of a virus would be impossible to uphold in court, unless it is drastically changed. (We won't get into viable definitions, as I am sure the FAQ covers this well enough.)

BTW: Sweden is attempting to lump trojans into their definition of a virus. Doing this will only make the definition more vague than it already is.
karsten johansson
---
ksaj@pcscav.com (OS R & D) PC Scavenger -- Computer Virus Research, Toronto CANADA (416)463-8384
Free services: send EMAIL to info@pcscav.com or virus.list@pcscav.com

------------------------------

Date: Tue, 30 Nov 93 09:31:44 -0500
From: clark@gl.umbc.edu (Kathleen Clark)
Subject: information on viruses and crime

I'm doing a paper dealing with computer viruses and the crime associated with them. I was wondering if anyone knows of an ftp site or something where I could find some information on either legislation that has been passed to deal with viruses, or information about people who have been caught infecting computers.

Thanks a lot!
Kathy
clark@umbc.edu

------------------------------

Date: Tue, 30 Nov 93 09:56:40 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Liabilities

Vesselin writes in response to an earlier posting:

>> I am a gun manufacturer and inventor. Should I be held liable for the
>> uses and misuses of such weapon, if I am not able to control who gets
>> it and who does not? Absolutely, positively NOT!

>Your analogy is flawed too. You are standing on US-centric positions.
>The world is wide and there are many countries in which owning,
>buying, or selling a weapon *is* illegal, regardless of whether you
>misuse it or not.

IMHO this has nothing to do with it; rather it is the *attitude* with which people treat viruses/firearms that is a major part of the problem: Kids see firearms portrayed in the media as bright, noisy devices that have no lasting effect. Until they actually use one (and then it is often too late) they do not experience the real effects (why military service has firing ranges - not so much to teach accuracy but to teach what the effects of firing a weapon are).

In another lifetime, I recall a bar in which automatic weapons had to be checked at the door (sidearms were OK; besides, no one would have checked them). People there tended to be polite.
At the time I had a Navy flare gun with a 10 gauge shotgun shell loading #2 buck. Use just about guaranteed loss of a finger or two; it was for times when the alternative was worse.

Kids watching TV never see anyone deafened by firing a weapon in a closed area or choking on the fumes. They never *smell* death. Kickboxers all have perfect teeth & usable noses.

Part of Driver's Ed. used to be a film called "Signal 30". It was not a pretty film but it was real, though it did not have much of the impact that multi-media could provide today - guess the powers that be feel that kids are too delicate for that type of thing. (When the movie "Beetlejuice" came out my thought was that they made it a comedy because if it were done straight like John Carpenter's "The Thing" it would have been too intense for the viewing public.)

Problem is that we have allowed people to develop a false sense of consequences and are reaping the effects. Viruses are just one manifestation and IMHO a rather trivial one, though to an affected individual it seems bad enough - I just hope that is the worst thing they ever face. However it is part of the same sick culture that sees life as a cartoon. It will work for only so long as reality can be kept at bay.

Long time ago I read a short story about a future driver's license test. The applicant was wired into a "VR" system and made to experience a bad crash that was their fault. Anyone who still wanted to drive a car failed.

Coldly (42 this morning),
Padgett

------------------------------

Date: Fri, 26 Nov 93 23:17:09 -0500
From: jhusvar@nimitz.mcs.kent.edu (John Husvar)
Subject: BEB* virus (PC) ???

A friend just found a virus on a download of Blue Wave Offline Mail Reader. This virus infected his DOS directory, inserting 2 files into DOS. The files he found were "BEB_____" (8 letters, no extensions). The final 5 letters changed each time the directory was accessed using the more command. (A simple DIR command always failed to show the files at all.
But when more was used, e.g. DIR | more, the files showed up as noted.) The files did not seem to do anything to the system, but one has to wonder what would have happened when or if the two filenames finally matched.

The virus has remained on the HD through a low-level format and on a 3.25 floppy through a Norton Utilities WIPE command. On the HD format, two files were created with a .FIL extension, attributed RO, hidden, and archive. Norton screen message said "Saving unformatted data." Any attempt to delete or otherwise manipulate those files resulted in the usual "access denied." They were finally removed by Norton Utilities Disk Editor. He used that to find, re-attribute, rename, and delete those .FIL files.

Does anyone know anything about this virus?

(Posted for a friend who has no net access)
--
John Husvar, Art History, Kent State University (Yes, THAT Kent State :)
jhusvar@mcs.kent.edu - john.husvar@akron-info.com - bf910@cleveland.freenet.edu
Pres. ICBAGWA (Int'l Confraternity of Bad-Ass Gimps With Attitudes)

------------------------------

Date: Sun, 28 Nov 93 19:37:45 -0500
From: kdbreck@casbah.acns.nwu.edu (Keith Breckenridge)
Subject: Getting rid of V-sign (PC)

A number of us have discovered the V-sign virus in the MBR of our DOS 6 DoubleSpaced hard disks. Does anyone know of an anti-virus application that will remove this virus? Most applications don't even recognize it. Any suggestions will be gratefully received.

------------------------------

Date: 29 Nov 93 09:51:48 -0500
From: sullivan@cobra.uni.edu
Subject: Re: Monkey is not cute! (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> > I also got KillMonk version 1.1.
>
> The latest version of KillMonk is 3.0. Available from our ftp site.

I looked at 2 or 3 sites and 1.1 was all that was available. Shortly after sending the post, I saw a post from the author about 3.0 and ftp'd it directly from him. I did notice yours after the fact.
BTW, the sites that I looked at before the post have been updated. 3.0 was the answer I needed.

> Yes, Monkey is one of the MBR infectors that CANNOT be removed with
> FDISK /MBR. Even worse, using this approach with such viruses could
> (and usually does) lead to data loss and a knowledgeable technical
> person should be consulted to repair the damage.

Sure, now you tell me ;-} And I'm the person that usually gets consulted on these things, so I guess I'm out of luck. But I got several good responses directly of things I can try. I'm going to be sending lots of appreciation messages here shortly.

> It is easy to check whether the MBR infector you want to remove is of
> this type. When you boot from your MS-DOS 5.0+ floppy, do a DIR on the
> hard disk. If DOS is still able to recognize the volume, FDISK/MBR
> will work. If you get "Invalid drive C:" or something like that, don't
> use FDISK/MBR.

Is this common enough to be added to the FAQ? Or is it there and I just missed it? I try to pay attention.

> The /disk option has nothing to do with this, but I am surprised that
> VirStop doesn't find it with the /boot option or doesn't lock the
> system booted from an infected hard disk. Even when unable to
> recognize the virus, it used to be able to report something about the
> interrupt vectors being changed, or the possible presence of a boot
> sector virus in memory, or something like that. Maybe Frisk could
> comment on this?

After posting, I called the support number and talked to one of the people working on this specific problem. He said that it was a bug in the VIRSTOP code that failed to recognize it on anything other than a 360K diskette.

> With VShield you could use the /SWAP option - it is roughly equivalent
> to VirStop's /disk and reduces the memory used by the program to only
> a few Kb - for the price of some slowdown.

That would help, but we already have complaints about response time. How much slowdown are we talking here? Noticeable?
> > NAV is just plain too expensive for most of our people.
>
> And doesn't run on XTs. :-)

Another good point.

> > We've tried forcing a scan with F-Prot each time a diskette drive is
> > chosen, but on anything less than a 386 it's just too time consuming.
>
> Just curious, how did you achieve this? With 4DOS (or something like
> that) and "a:" aliased to some command?

We have a little in-house utility written in Pascal that asks the students what diskette drive they're going to use. It's built into our standard batch files so that we can do a change to the appropriate drive and directory before calling an application. Then we check that drive to be sure that there's actually a disk there. It saves a lot of garbage being written to the wrong place and a lot of heartbreak from students who "lost" their documents. This is all protected in a Novell subdirectory, so they can't bypass it unless they really know what they're doing, and have a lot of diskette-based Novell utilities in their possession.

> If you are concerned only about this particular virus, and if the
> price is a considerable issue to you, use KillMonk - it is free, as
> far as I recall, and deals with this virus (and with a related one -
> INT_10) pretty well.

I got it and it works!!! But it's re-active. I was hoping to stay pro-active with an intercept.

> Another good idea is to install some kind of program that
> automatically restores the boot sector(s) if they are modified.
> DiskSecure II is a pretty good solution. If you are not happy with

This I will probably implement where I can. The problem with this is that, 1) it needed to be done before the fact and 2) we can only control this in the student computer centers. We're still not going to get campus-wide protection.

> > Is there a chance this would be included in version
> > 2.10?
>
> Yes.

Actually, 2.10 (which is now out) does detect and identify this properly now, but Frisk said that VIRSTOP still doesn't intercept correctly.
They patched it and e-mailed me a copy of VIRSTOP 2.10a and it works perfectly. Thank you, a million times.

> Regards,
> Vesselin

Thanks for all the help I've gotten.

Diane
============================
sullivan@uni.edu
Diane Sullivan
ISCS NTS
University of Northern Iowa
Cedar Falls, Iowa 50614-0121
(319) 273-6814

------------------------------

Date: Mon, 29 Nov 93 11:05:18 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: MS-DOS 6.2 upgrade (PC)

Have been able to download the "free" MS-DOS 6.2 upgrade from the Microsoft bulletin board (1.3 Mb) and there are a few caveats:

I purchased and use MS-DOS 6.0/6.2 and feel that 6.0 was shoved out the door "before its time" by the marketeers. If anything 6.2 is even less well integrated and there are serious problems with the STEPUP program.

If you have a perfectly pristine MS-DOS 6.0 installation and did not download the "supplemental disk" with EDLIN, COMP, etc. everything will be fine, else there may be a few surprises:

Apparently, the stepup program makes no initial check of the MS-DOS 6.0 installation before having at it. Some of the first files "updated" are the two system files IO.SYS and MSDOS.SYS. One of the last is COMMAND.COM. If an abort occurs in the middle, you could have a problem.

As each program is processed, the STEPUP program apparently checks the length of each file before patching and will refuse to patch a program that is "incorrect". Since the old files only work with 6.0, guess what? This means that if an .EXE was infected by a virus (see, there is some relevance to V-L) and the size was not restored exactly, guess what again.

Next, on slower machines there is a long pause around the 80% done mark (so long on a 286 that I thought the machine had hung - took almost 5 minutes to continue). If you reboot there (this is before COMMAND.COM is fixed), GWA.
Finally, any unpatched program such as those on the supplemental disk will refuse to run since they are for 6.0 and not 6.2 (now if you unpack the program and patch the CMP AX,0006 that follows the 30 CD 21 string (worked for me 8*) to CMP AX,1406, you might not need SETVER (which IMHO is too long already).

Caveat y'all. As noted, the update to MSAV promised in the .TXT is just not there. Even so, it does seem to be worth the price ($0.00) if just for v5.0 of SmartDrv that claims to now include CD-ROM caching (my son says the voices in the 7th Guest still skip though).

Warmly,
Padgett

------------------------------

Date: Mon, 29 Nov 93 11:08:45 -0500
From: barnold@watson.ibm.com
Subject: November 17th Virus at Manchester Univ (England): from Italy? (PC)

You're probably seeing a new variant of November 17 (AKA NOV17). Some festering (fill in the blank) in Italy has been producing variants of this virus, and we keep on seeing them, occasionally in real incidents. Your best approach is probably to simply delete infected files and replace them with originals.

Bill Arnold (IBM AntiVirus development)

------------------------------

Date: Mon, 29 Nov 93 12:31:58 -0500
From: jdark@hebron.connected.com (Thrush)
Subject: Re: MtE virus...what does it do? (PC)

John Coughlin (jcoughli@vela.acs.oakland.edu) wrote:
: I recently encountered a virus that Norton NAVSCAN identified as
: MtE. Unfortunately, Norton didn't provide a description of the virus;

If I'm not mistaken it's a virus created using Dark Avenger's Mutation Engine... it's been a while so I dunno if I got DA's name right. It basically mutates as it infects, to avoid signature scanners.

------------------------------

Date: Mon, 29 Nov 93 15:11:28 -0500
From: "Jimmy Kuo"
Subject: Re[2]: Which antivirus program (PC)

Piet de Bondt complains:

>Well, in spite of all things people are going to say: vsumx is (mostly)
>made available *through* McAfee's ftp site. This, and the fact that mcafee
>is one of the oldest around, makes me think the tests for the vsumx-scores
>are not very thorough.

then offers:

>I'll elaborate on this by means of a test a Dutch magazine (Personal
>Computer Magazine) held in November this year.
>Thunderbyte TBAV 6.05
>Sophos Vaccine 4.38 & Sweep 2.53
>F-Prot Pro 2.09
>McAfee Viruscan-VShield-Cleanup 106
>Dr. Solomon's anti-virus toolkit 6.54
>PC Vaccine Professional 1.21
>IBM Antivirus 1.03
>Norton Antivirus 2.1
>Microsoft Anti-virus

then makes the following conclusion:

>I think that these tests give at least one clue (but I'll mention
>some other things too) :
>***1) avoid ......... and Norton

So, from someone who complains about improper test results, he offers test results from November of this year, which tests a product over a year old against fresh versions of other products. NAV 3.0 was announced in September of this year!!!! I know you didn't do the tests. But you did make this idiotic conclusion.

Jimmy Kuo
cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Mon, 29 Nov 93 15:11:40 -0500
From: "Jimmy Kuo"
Subject: Re[2]: November 17th virus at Manchester England? (PC)

A.APPLEYARD@fs1.mt.umist.ac.uk writes:

> John Smith wrote to virus-info@mcc.ac.uk at 16 Nov 93
>17:31:19 GMT and the message found its way to me:-
>
> I have had one user with a laptop PC who has had files infected with
>the November 17 855 virus. Dr Solomon's Toolkit gave two different messages
>for infected files: "filename identified as November 17.855 virus" or
>"filename This virus is like November 17". Microsoft anti-virus in DOS 6 has
>November 17 virus on its info list but did not identify this infection.
>Neither did VET 7.3. The user had an old version of McAfee's SCAN which did
>report it (but apparently failed to clean despite saying it had). Dr Solomon
>seemed to clean OK but Scan would still report the files as infected
>afterwards.
> John Smith, Economics
>
> (1) I later gave John Smith a copy of SCAN v.106 (he had v102).
> (2) False positive? Ghost? Some new version and still infected?
> (3) John Smith told me that the infected user blames a floppy that the
>infected user got from a company director in Italy during a visit.

While I am not familiar with your situation, I believe I can offer some information that might be helpful:

We have "in-the-wild" reports (and sample) of a NOV17.800 virus. That is, it is a variant of the November 17th virus which is 800 bytes long. It happens to also trigger on January 1st and not November 17th, when it will overwrite certain hard disk system area sectors. The fact that your report indicates the "November 17th" but not quite would lead me to point you in this direction.

The 855 strain is the most popular and the repairs for this virus are most likely based on the virus having a length of 855. If the virus is only 800 bytes long, the repair would not be correct anyway.

False positive? Most likely not!

The definition for NOV17.800 with repair is in the December update of NAV 3.0.

Jimmy Kuo
cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date: Mon, 29 Nov 93 15:32:28 -0500
From: kwakely@uoguelph.ca (Kent J Wakely)
Subject: QUESTION: F-PROT virstop (PC)

I run in MS Windows most of the time. I know that F-PROT's virstop scanning utility won't pop infection alerts into Windows. I'm wondering, though, whether it will let you know about a possible infection after you exit Windows or not.

Replies to the newsgroup or direct to kwakely@uoguelph.ca.

Kent
--
------------------------------------------------------------------------------
Kent Wakely                     Community Affairs Reporter/Producer CFRU-FM 93.3
Internet:kwakely@uoguelph.ca    Community Radio in Guelph
------------------------------------------------------------------------------

------------------------------

Date: Mon, 29 Nov 93 19:23:09 +0000
From: maniac@unlv.edu (Eric J. Schwertfeger)
Subject: NetShield 1.55 Question (PC)

I work for a Novell Reseller, and recently we decided to try NetShield to see how well it works. We tried it once almost a year ago, but weren't very pleased. At any rate, we're satisfied with the 1.55 release, with one minor problem. If we set it to scan all incoming files, nothing happens. Scanning both or outgoing works as expected. Is this a problem with NetShield (we had a similar problem last time), or an incompatibility with 3.12?

--
Eric J. Schwertfeger, maniac@cs.unlv.edu

------------------------------

Date: Mon, 29 Nov 93 15:53:22 -0500
From: rcw@netrix.com (Ralph C. Wolman)
Subject: Virus that affects printing only? (PC)

Hi,

Sorry if this is a FAQ - I'm new to this group.

I am having a strange problem printing under Windows 3.1. I had an HP IIP printer and it started messing up the printing on documents and faxes. The way it looked, I thought there was an internal memory problem with the printer. Since the printer was quite old, I went out and bought a brand new HP 4. Now I am having similar problems on my new printer. Everything else on my machine seems to work fine. I've run f-prot 2.09 and CPAV 2.1 on my machine before and found nothing (maybe these programs also got infected?).

Is it possible that a virus could cause strange printing problems?

Thanks in advance for any ideas.

Regards,
Ralph Wolman

------------------------------

Date: Mon, 29 Nov 93 16:07:03 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Restoring Floppy's Boot Sector (PC)

Russell Aminzade wrote:
>Here's my question. Is there a soul out there who can tell me
>how to make these debug scripts into EXE or COM files? I have never
>used DEBUG outside of a classroom (I shy away from Intel
>chips as a rule anyway. Never could appreciate their sense of humor
>-- writing each byte in pig latin like that). I suspect it would
>just be one more line or two of DEBUG

I think that the best you could do without doing too much programming (if you consider batch files... programming), would be to merely make a batch file that executes the debug with the file redirection. On my hard drive, I have a directory called "c:\dos", and another called "c:\utils". Both of these are in my path statement. I could merely make a batch file which would be in the utils directory, say, readboot.bat, which would merely contain the line debug < c:\utils\goodbt, where goodbt is the file which has the script. A similar batch file could be written for putting the boot sector to a floppy. And, if you don't want to see the debug stuff, simply put a "> nul" (at the end of the same line).

--
-- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
Computer Science, University of California, Riverside.

------------------------------

Date: Mon, 29 Nov 93 17:18:04 -0500
From: mramey@stein2.u.washington.edu (Mike Ramey)
Subject: McAfee VSHIELD vs Frisk VIRSTOP ??? (PC)

What are the pros and cons of McAfee's VSHIELD vs Frisk's VIRSTOP for resident anti-virus protection?

I have licenses for both programs in our department at the University of Washington. I use them in our computer labs. I recommend Frisk's F-PROT to users for scanning their disks, because it is easy to use (menu driven), it can both detect and remove viruses, it can supply information on viruses, and it is fast (tho' release 2.09f seems a bit slower than earlier versions).

I recommend (and use) McAfee's VSHIELD for resident anti-virus protection, because the last time I tried Frisk's VIRSTOP I found it unsatisfactory. (Unfortunately that was a year or so ago, and I don't remember the details.) It seemed less thorough. One example: it did not check for a boot-sector-infected diskette in the A: drive on CTL-ALT-DEL reboot.
It did not inform the user that it was checking for viruses, which tells the user what's going on and reminds them of the virus protection issue.

Now I am installing McAfee's VSHIELD 108B (even tho' 109 was just released), and I am again having questions and reservations about VSHIELD. Basically, I feel that the program is becoming so complex and difficult to use that I am again considering using VIRSTOP. For example, VSHIELD documentation states:

- p. 2: "The VSHWIN program allows VSHIELD to display messages while Windows 3.x is running."
- p. 12: "The /WINDOWS option [using VSHWIN] allows VSHIELD to display messages under Windows 3.X in a Windows dialogue box. ... ... This option now installs the Windows display program and needs to be run once. ... For the VSHWIN program to display messages under Windows, VSHIELD must be run with the /ACCESS switch."

COMMENTS:

0. It is -not- clear from the documentation whether the VSHWIN program is required "to display messages under Windows" or only if the user wants those messages displayed "in a Windows dialogue box". I don't think it's worth having a memory-resident program running at all times just to put the VSHIELD messages in a dialogue box.

1. This is a change from the way the /WINDOWS option worked under release 102, and it requires users who had been using 102 to change their autoexec.bat file; they are likely to neglect this change.

2. The new implementation of the /WINDOWS option requires the user to use it -once only- (to install the VSHWIN program), and then not use the /WINDOWS option on subsequent everyday reboots; not a good design! And it changes the user's Windows environment (WIN.INI file). More hassle.

3a. Using the VSHWIN program -requires- the /ACCESS option. Why???

3b. Because /ACCESS cannot be used with /SWAP, the user is prevented from using that option which would save lots of RAM (UMBs may be full).

4. /ACCESS cannot be used with /BOOT.
/ACCESS "is intended for high risk environments such as open-use computer labs...". It seems that /BOOT would also be suitable for the same high risk environments. Yet the two options are incompatible.

5. /COPY "cannot be used with the /ACCESS, /BOOT, or /SWAP options".

Deciphering the documentation and configuring the program is too damn much trouble!

Comments from users of VSHIELD and VIRSTOP (or both!) would be welcome.

Thanks,
-Mike Ramey

------------------------------

Date: Mon, 29 Nov 93 18:15:39 -0500
From: gbock@yorick.umd.edu (Glenn Bock)
Subject: S-Bug info?? (PC)

I just spent the past few hours removing a virus that fp-209f called S-Bug (?), a particularly ichy com, exe, ovl infecting program virus. I have no information on this virus and was wondering if anyone has any info on it. I've repeatedly tried re-infecting a 'protected' machine (virstop.exe loaded as a device driver) and found the machine became massively reinfected.

Am I safe to assume that this is a RECENT new virus (first infection last week) and if so any info on keeping this bug from re-infecting the machines?

Any help would be great...

Forever,
Glenn

------------------------------

Date: Mon, 29 Nov 93 18:56:02 -0500
From: maven@kauri.vuw.ac.nz (Jim Baltaxe)
Subject: Help for a virus victim in Auckland (PC)

Hi

Can anyone tell me the name of an experienced anti-virus worker who could help someone in Auckland who has been hit by what appears to be a new, unidentified, possibly locally written virus? It's gotten onto their network server, crashing it and leaving a "gotcha" message in some of its system files.

Please reply, urgently, directly to me by e-mail and I will supply more details.

Thanks muchly

Jim Baltaxe - jim.baltaxe@vuw.ac.nz

******************** Are you man enough to change things?
*********************
Contact: Wellington Men for Nonviolence or Manline Telephone Counselling Service - phone (04) 472 7982

------------------------------

Date: Tue, 30 Nov 93 05:32:10 -0500
From: msyrak@emma.ruc.dk (Mads Syrak Larsen)
Subject: NAV Clinic 2.0 false alarm or bd SCAN 108? (PC)

Hello out there

A friend of mine has told me that his antivirus program, Norton Antivirus Clinic ver. 2.0, has found a virus in some PK-ware files he has received from me. The virus is the Maltese Amoeba. I have tried scanning with SCAN ver. 108 and Central Point Antivirus, which both have the Maltese Amoeba in their virus list, but neither of them finds anything.

I just wanted to know whether anybody knows if it is a known bug in NAV Clinic 2.0 or whether the other 2 simply don't do their jobs properly.

Thanks in advance

Mads S. Larsen
Dep. of Computer Science, University of Roskilde, Denmark (msyrak@dat.ruc.dk)

------------------------------

Date: Tue, 30 Nov 93 12:40:50 -0500
From: barnold@watson.ibm.com
Subject: "Wrapper" (PC)

The 3 hits on "Wrapper" are known false positives, sorry. In a marathon day of analysis I accidentally (and unknowingly) included a scan string for degarblers (decryptors) produced by a tool that a few shareware programs use to hide the contents of programs. The scan string is for the simple lodsw/xor ax,foo/stosw degarbler that this protection program attaches to programs. IBM AntiVirus 1.04 does not issue this false positive.

The "V516" hit on norman/ad.exe is another story. Is this program an anti-virus program, or associated with an anti-virus program? (A company with NORMAN in its name recently was boasting that they had the only shipping product that detected Satanbug, which was simply untrue when the ad copy was circulating.) If it's an anti-virus program, and current versions of f-prot/scan find nothing, then it's probably a false positive on scan strings left "in the clear" in ad.exe. But this is just a guess.
Bill Arnold (IBM AntiVirus development)

------------------------------

Date: Mon, 29 Nov 93 13:16:05 -0500
From: James Ford
Subject: File listing on risc (PC)

This is a listing of files on risc.ua.edu in the /pub/ibm-antivirus directory and /pub/ibm-antivirus/Mirrors/mcafee. Since the cert mirror directory only contains documentation, I have not included it at this time. Please let me know if any files are out of date. Thanks.

- -------------- file /pub/ibm-antivirus/0files.9311 -------------------

Listing of risc.ua.edu for Mon Nov 29 11:51:21 CST 1993

/pub/ibm-antivirus
- ------------------
0files.9311     cvcindex.zip    nsh152a.zip     vcopy82.zip
20a10.zip       dir2clr.zip     secur235.zip    vdetect.zip
Mirrors/        ds231b.zip      sentry02.zip    vds210t.zip
Valert-l.readme fixutil5.zip    stealth.zip     virlab15.zip
Virus-l.faq     fp-209f.zip     tbav605.zip     virpres.zip
Virus-l.readme  fshld15.zip     tbavu605.zip    virsimul.zip
aavirus.zip     fsp_184.zip     tbavx605.zip    virstop.zip
allmsg.zip      gs.zip          tbsg601a.zip    virusck.zip
avp.zip         hack1192.zip    trapdisk.zip    virusgrd.zip
avp_107b.zip    hs32.zip        unvir902.zip    virx28.zip
avs_e224.zip    htscan20.zip    uxencode.pas    vkill10.zip
bbug.zip        i-m151.zip      v-faq.zip       vshell10.zip
bootid.zip      innoc5.zip      vacbrain.zip    vsig9305.zip
catchm18.zip    killmnk3.zip    vaccine.zip     vstop54.zip
ccc91.zip       langv106.zip    vaccinea.zip    vtac48.zip
chk.zip         m-disk.zip      validat3.zip    vtec30a.zip
chkint.zip      msg_9_12.zip    vc300ega.zip    wcv201.zip
cvc792am.zip    mtetests.zip    vc300lte.zip    wp-hdisk.zip
cvc792ma.zip    nav21upd.zip    vcheck11.zip    ztec61b.zip
cvc792ms.zip    nav30upd.zip    vchk23b.zip

/pub/ibm-antivirus/Mirrors/mcafee/antivirus
- -------------------------------------------
311lib.exe      Index           langv106.zip    scanv109.zip    vsh109.zip
3nsh155.zip     clean109.zip    ocln109.zip     sentry02.zip    wscan109.zip
4nsh155.zip     killmnk3.zip    oscn109.zip     strtli.exe

/pub/ibm-antivirus/Mirrors/mcafee/utility
- -----------------------------------------
Index           mcf100.zip      target15.zip    wpv102a.zip
ccp11.zip       pv12.zip        tcm100b.zip

/pub/ibm-antivirus/Mirrors/mcafee/vsum
- --------------------------------------
Index           vsumx310.zip

------------------------------

Date: Mon, 29 Nov 93 22:55:51 -0500
From: James Ford
Subject: Updates on risc (PC)

Thanks to those who informed me of outdated files. The following files have been placed online on risc.ua.edu. Please note that the program F-Protect (fp-210.zip) is now being mirrored from complex.is. This means that the file fp-210.zip (and later files from Frisk) will now be located in /pub/ibm-antivirus/Mirrors/complex.is.

- -- jf

- ------------------- file /pub/ibm-antivirus/0files.9311 ------------------

Listing of risc.ua.edu for Mon Nov 29 15:19:53 CST 1993

/pub/ibm-antivirus
- ------------------
virx291.zip

/pub/ibm-antivirus/Mirrors/complex.is
- -------------------------------------
drinfo.exe      fp-210.zip      xxdecode.c      xxencode.c

------------------------------

Date: Fri, 26 Nov 93 12:02:18 -0500
From: "Rob Slade"
Subject: "Using McAfee Associates Software for Safe Computing" by Jacobson

BKUMASSC.RVW  930817

International Security Technology Inc.
99 Park Avenue, 11th Floor
New York, NY 10016
212-557-0900
fax: 212-808-5206

"Using McAfee Associates Software for Safe Computing", Jacobsen, 1990

There are many books which are aimed at helping you use specific commercial programs. Usually, however, such books are either targeted at "dummies" or purport to reveal secret or undocumented features. The title here seems to suggest both a generic goal, safe computing, and a specific means. Those "in the know", of course, realize that safety here is being limited to protection against viral programs. Certain other works have been associated with the company named here, and have resulted in rather unfortunate products.

In the Foreword and Preface we see the same "rah, rah" chauvinism. It is, therefore, a rather pleasant surprise to find that chapter one, in defining viral programs, doesn't do a bad job.
A computer virus is said to execute with other programs, but that explanation is immediately extended with a lucid and factual account of the boot sequence on MS-DOS computers. It even distinguishes between the boot sector and the master boot record (although Jacobson loses points for referring to the MBR as the partition table).

The rigorous will find errors in the first chapter. Program infection is shown strictly in terms of an appending virus. Although FAT or system viri (referred to as "cluster-point") are described, companion viri are not. The statement is made that "viruses may include a Trojan Horse": the definition is that of a trojan, the examples are clearly logic bombs.

Chapter two is entitled "Planning a Virus Control Program". This would seem to be concerned with establishing the level of risk for a company and producing policy and procedures for virus protection. Unfortunately, the detail included here is very sparse. Some extremely broad guidelines are given, but the reader is literally left with more questions than answers after reading this chapter. Eventually a companion volume by the same author is mentioned as dealing with the details.

At the beginning of chapter two one is told that chapter three, "Virus Prevention Techniques", gives the answers for protecting a single computer. Rule one: write protect everything. Rule two: buy SCAN. Rule three: buy *more* SCAN. Rule four: have extra copies of SCAN around (be sure to buy extra licences).

Chapters four to seven are basically reworkings of the documentation for VSHIELD, SCAN, CLEAN and the network uses thereof. One immediately asks, of course, which version was used. One is not immediately answered: chapter eight indicates, and nine supports, the presumption that version 85 was used. In the mailing with my review copy I received a letter indicating that update files are produced.
The files, USINGxxx.ZIP, where xxx is the version number, are stated to be available on the McAfee BBS and the McAfee forum on CompuServe. Apparently the updating is not constant: the "current" version of the McAfee products, as this was received, was 106, and had been for some time. According to the letter, the "current" version was USING102 and USING106 was due out shortly.

Chapters eight and nine tell you how to get technical support, first, and a copy of the program, second. The answers are to call the McAfee BBS, the McAfee CompuServe forum, or call McAfee Associates and buy it. An order form for the McAfee products is bound into the back of the book: it will surprise no one that the publisher of the book is a McAfee agent.

Chapter ten is entitled "The Ten Most Common Viruses". Those familiar with the sometimes unfortunate accuracy of the VSUM lists will recognize the entries. In a listing at the end of the chapter, BRAIN and Stoned are included in a list of "stealth" viri which can cause "catastrophic damage" or "cause all files to become infected during the scanning process".

Essentially, what you have here is printed (and dated) documentation for the McAfee programs. Since the functions of the programs change less frequently than the scan strings, most of the material is still relevant. Problems can be checked against the current McAfee documentation. As such, this may be a useful book, fairly reasonably priced considering the cost of the programs themselves. One shortcoming is that the network section still relies on the combination of stand-alone software: the NLM versions are not mentioned. In contrast to most "third party" books, though, there is little here that will either change the performance or ease the use of the product under discussion.

copyright Robert M. Slade, 1993   BKUMASSC.RVW  930817
Permission granted to distribute with unedited copies of the Digest

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
DECUS Symposium '94, Vancouver, BC, Mar 1-3, 1994, contact: rulag@decus.ca

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 153]
******************************************
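The batch-file-plus-DEBUG-script approach that Kevin Marcus sketches in the "Restoring Floppy's Boot Sector" message above, written out as an added example that is not part of the Digest and not his readboot.bat or goodbt. It assumes DOS DEBUG's L/W sector syntax (drive 0 is A:), a %TEMP% directory for the generated script, and constructed file names; it saves the boot sector of a known-clean diskette to a file, or writes such a saved copy back.

```batch
@echo off
rem Added example (not Kevin Marcus's own files): drive DEBUG with a
rem redirected script to SAVE the boot sector of the diskette in A: to a
rem file, or RESTORE a previously saved clean copy to A:.
rem Assumptions: %TEMP% exists; argument names below are constructed.
rem   BOOTSEC SAVE    C:\UTILS\CLEANBT.BIN
rem   BOOTSEC RESTORE C:\UTILS\CLEANBT.BIN
if "%2"=="" goto usage
set BS_SCR=%TEMP%\BOOTSEC.SCR
if "%1"=="SAVE" goto save
if "%1"=="RESTORE" goto restore
goto usage

:save
rem L addr drive sector count: read 1 sector (512 bytes) from drive 0 (A:),
rem logical sector 0 (the boot sector) into memory at offset 100h.
rem BX:CX must hold the byte count (200h) before W writes the named file.
echo N %2 > %BS_SCR%
echo L 100 0 0 1 >> %BS_SCR%
echo R BX >> %BS_SCR%
echo 0 >> %BS_SCR%
echo R CX >> %BS_SCR%
echo 200 >> %BS_SCR%
echo W 100 >> %BS_SCR%
echo Q >> %BS_SCR%
goto run

:restore
rem Load the saved 512-byte image at offset 100h, then write it back to
rem drive 0, sector 0, 1 sector. Use only a copy taken from a diskette
rem known to be clean: this overwrites whatever is in the boot sector now.
echo N %2 > %BS_SCR%
echo L 100 >> %BS_SCR%
echo W 100 0 0 1 >> %BS_SCR%
echo Q >> %BS_SCR%
goto run

:run
rem "> nul" hides DEBUG's own prompts, as the post suggests.
debug < %BS_SCR% > nul
del %BS_SCR%
goto end

:usage
echo usage: BOOTSEC SAVE filename   or   BOOTSEC RESTORE filename
:end
```

Compare the saved image against a fresh SAVE of the same diskette (FC /B) to confirm the boot sector has not changed since the clean copy was taken.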