To:       VIRUS-L@LEHIGH.EDU
Subject:  VIRUS-L Digest V6 #155
--------
VIRUS-L Digest   Tuesday,  7 Dec 1993    Volume 6 : Issue 155

Today's Topics:

Virus/gun analogy doesn't work
Re: Article available (General)
Re: Liabilities
Re: Freeware distribution of anti-virus software
Re: Commercial Virus Scanners in the dark??? (PC)
Another false positive with SCAN (PC)
Re: Removing the Moctezuma virus (PC)
Re: Strange Behavoiur of F-PROT, possible boot sector virus? (PC)
HELP! Filler/Swedish Disaster Attack. (PC)
Inconsistent virus reporting (PC)
The _new_ stoned virus (PC)
False positive : SCAN thought VET infected with Invisible Man (PC) (PC)
New version of stoned virus & DOS 3.3 (PC)
Any reviews of InVircible/V-Care ? (PC)
Re: Monkey is not cute! (PC)
Re: Re[2]: November 17th virus at Manchester England? (PC)
Re: McAfee VSHIELD vs Frisk VIRSTOP ??? (PC)
Re: S-Bug info?? (PC)
Re: MS-DOS 6.2 is not a virus (it just acts that way) (PC)
FreqList
WildList 9312

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.
   Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 01 Dec 93 12:20:43 -0500
From:    ksaj@pcscav.com (OS R & D)
Subject: Virus/gun analogy doesn't work

Most virus writers I have met are fairly cunning people. I think that
if an argument is to be made to validate the writing of viruses, the
'gun' analogy must go. A more 'cunning' argument is needed.

The problem is this: You must have a *license* to sell guns, and you
must have a *license* to buy guns. Taking that into consideration, the
argument then becomes:

'If I was a *certified* gunsalesperson [politically correct, I guess],
and I *legally* sold a gun to someone who was *legally* entitled to use
one, and they shot somebody with it, I cannot be charged for their
wrongdoing.'

This is still true, but, put this into virus terms, and we have a
problem.

'If I was a *certified* virus-writer, and I *legally* sold a virus to
someone who was *legally* ... '

The finish isn't necessary. It is painfully obvious that this argument
needs revision. How about if I 'legally installed', ummm, 'legally
spread'. This just doesn't work for me.

Please don't flame me for this message, as I am not stating any 'for'
or 'against' views on virus writing. I am simply stating my opinion on
a heavily flawed, and overused analogy.

karsten johansson
- ---
ksaj@pcscav.com (OS R & D)
PC Scavenger -- Computer Virus Research, Toronto CANADA (416)463-8384
Free services: send EMAIL to info@pcscav.com or virus.list@pcscav.com

------------------------------

Date:    Wed, 01 Dec 93 13:41:45 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Article available (General)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:

> ftp.informatik.uni-hamburg.de:/pub/virus/texts/revguide.zip

Ooopss! :-( As several people have noticed, it is actually

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/revguide.zip

Sorry for the confusion.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Wed, 01 Dec 93 14:13:50 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Liabilities

ktark@src4src.linet.org (Karl Tarhk) writes:

>I am a gun manufacturer and inventor. Should I be held liable for the
>uses and misuses of such weapon, if I am not able to control who gets
>it and who does not? Absolutely, positively NOT!

Well, that is your opinion - I know a few people that would disagree
with you.

However - this analogy is no good, as the sale and distribution of
weapons is considered "acceptable" in most "civilized" societies.

Assume instead that you have invented a new type of poison, nerve gas
or a biological virus - something that most people would agree that
unauthorized persons should not be playing around with or creating..

Then, yes....I would say it was certainly your responsibility to make
sure it did not fall into the wrong hands, and if it did, then some
people would certainly like to hold you personally responsible.

>And we all know that there is a few CARO virus collections floating

We do ? Unfortunately, there is no such thing as a "CARO virus
collection". There are several different collections in existence -
some of which happen to be owned by a CARO member. If you have any
evidence any of those collections are "floating around in the wrong
places", please prove that - or consult a lawyer before you make claims
like this again.

(This does not mean that there have never been "leaks" from the
research community to the "underground"...but they seem (fortunately)
to be a thing of the past).

>You are assuming something that can NOT be proven: Computer viruses
>are inherently destructive. This is false;

It is ? Please prove it. By my definition, a computer virus has to
modify something in order to spread. The modified object may no longer
work properly - so even if the virus is intended to be harmless, that
is unfortunately never the case.

- -frisk

------------------------------

Date:    Wed, 01 Dec 93 14:21:21 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Freeware distribution of anti-virus software

halew@jupiter.sun.csd.unb.ca (R. Wallace Hale) writes:

>It seems to be working quite well for Frisk et al...

Well....I'm not complaining. $1 per machine (and free for private use)
may not seem likely to generate much income, but well...there are just
so many computers out there ... :-)

However - I must admit that when this started I never expected to
celebrate the registration of the millionth copy :-)

- -frisk

------------------------------

Date:    Wed, 01 Dec 93 11:58:27 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Commercial Virus Scanners in the dark??? (PC)

kevin marcus (datadec@ucrengr.ucr.edu) writes:

> >I am using my brains to figure it out. Don't you?
> >Maybe you shouldn't judge something that you don't know. But, of

> Did I miss something here?

It seems to me that you did.

> Sometimes you are allowed to use your brain
> to figure out something, and other times you're not allowed to?

First, I didn't use the word "allow". I just said "maybe". Second,
using your brain to figure out or imagine something is one thing and
judging something that you don't know just on the basis of your
imagination is a completely different thing, especially when it
concerns technical matters. Third, this discussion has run completely
out of topic and I propose you to take it to private e-mail.

> If I use my brain here, I would say there is a contradiction.

Try again, having in mind what I wrote above.

> BTW, do you have more than one brain?

No, but my computer has a German keyboard and my typing is horrible.
:-)

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Wed, 01 Dec 93 12:05:49 -0500
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Another false positive with SCAN (PC)

Hello, everybody!

SCAN 9.20 V109, when used with the /A option, reports the program
MODE.COM from the German version of MS-DOS 3.30 as containing the
"1008-B Dropper [1008Drop] Virus". This is a false positive; the
program is not infected. I am not certain what exactly causes the false
positive - the program looks pretty normal.

You should avoid using the /A option, unless an infection is found in
"normal" mode.

A copy of the file causing the false positive has been sent to McAfee
Associates.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date:    Wed, 01 Dec 93 21:11:29 +0300
From:    eugene
Subject: Re: Removing the Moctezuma virus (PC)

>> I was trying to get rid of the Moctezuma virus. The virus infected just the
>> three .exe files on the disk.

> Conclusion: Get AVP 1.07b from our ftp site (beware, it's more than a
> meg). It will be able to repair the infected files.

Stop! Wait a moment! I found a bug in Moctezuma removing procedure. It
can cause incorrect restoring CS and SS fields in EXE header in some
cases. Next update (next week, I hope) will disinfect all curable
viruses (including polymorphic MtE, TPE, Tremor ....) without errors.
BTW, in some cases Moctezuma encrypts original EXE header fields (which
are stored in virus body) incorrectly. These files are not curable :-(

Regards,
Eugene
- ---
- -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- -- eugene@kamis.msk.su +7 (095)278-9949

------------------------------

Date:    Wed, 01 Dec 93 14:44:00 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Strange Behavoiur of F-PROT, possible boot sector virus? (PC)

eastwood@unbsj.ca (Eric Eastwood) writes:

>2) 09:30 Have the virus located on one machine in lab and get reports
>   from F-PROT 2.09f saying that is the "TELECOM virus" is in
>   memory. Only if you boot the machine using the hard drive and
>   letting autoexec.bat be run. (loadhigh, mouse, doskey, msav

Please, please keep in mind that MSAV is incompatible with other
anti-virus programs, in particular F-PROT (which is a bit paranoid
about searching memory for viruses). MSAV simply leaves a fragment of
the virus in memory, which F-PROT later finds.

This is an old and well-known false alarm.

- -frisk

------------------------------

Date:    Wed, 01 Dec 93 15:37:22 -0500
From:    greve@wharton.upenn.edu
Subject: HELP! Filler/Swedish Disaster Attack. (PC)

I need some help. Yesterday when I started up my office machine VI-SPY
detected two viruses FILLER and SWEDISH DISASTER. I checked the machine
with SCAN109, it told me I had the FILLER virus but didn't say anything
about SWEDISH DISASTER. Both programs told me to boot with a clean disk
and rescan. I did this and rescanned but both programs failed to detect
ANY viruses. When I start the machine from the hard disk I get the
virus warnings again.

Can anybody tell me anything about these two viruses. I printed out the
scan109 virus list text file and SWEDISH DISASTER isn't on the list.
VISPY may call it SWEDISH DISASTER but what does SCAN call it? Why
aren't these viruses detected when I boot from a clean floppy and scan
my hard drive. How can I get rid of these viruses.
Windows no longer runs on my machine and I don't know if it's related
to these viruses or not. Any help will be appreciated.

Michael Greve
University of Pa.
The Wharton School
greve@wharton.upenn.edu

------------------------------

Date:    Wed, 01 Dec 93 16:20:59 -0500
From:    johnboyd@ocdis01.tinker.af.mil (John Boyd)
Subject: Inconsistent virus reporting (PC)

I recently purchased some pre-formatted 3.5 diskettes, I believe that
they were 3M brand, but can't be sure right this second, and I saved a
spreadsheet file from my home machine to the diskette. When I took the
diskette to the office the next day, and tried to load the file at
work, I got a warning from the virus software that the diskette was
infected with the 'Form virus'.

The virus protection software that I use at home is F-prot, and I have
always used the latest versions direct from the net since I found it
roughly eighteen months ago. The virus protection that we use on the
office net is Norton.

Why wasn't the virus detected on my home machine when I initially saved
the file, and is this a false alarm from Norton, even tho' it said it
'repaired' the disk when I answered yes to the prompt?

Anybody have a clue as to what's going on? Any assist would be
appreciated!!

- ----------------------------------------------------------------------------
johnboyd@ocdis01.tinker.af.mil
johnboyd@aol.com
'There are two things that a grown man should never see; sausage being
made, and legislation being passed' - Benjamin Franklin
Disclaimer: My opinion represents only me, and sometimes not even that.

------------------------------

Date:    Wed, 01 Dec 93 16:21:07 -0500
From:    Doc Cottle
Subject: The _new_ stoned virus (PC)

Hello all,

Quick question. Will the newer version of FDISK (the one that includes
the /MBR option) run under DOS 3.x?? We've gotten hit with the new
stoned that can't be cleaned yet and are considering that as one of
several options to get around the problem.

aTdHvAaNnKcSe

Doc Cottle

ps. This is posted for our programmer who is too busy to do it herself.
(Yep, she's THAT good!)

------------------------------

Date:    Wed, 01 Dec 93 17:07:29 -0500
From:    "Roger Riordan"
Subject: False positive : SCAN thought VET infected with Invisible Man (PC) (PC)

A.APPLEYARD@fs1.mt.umist.ac.uk wrote

> "S.Manifould" wrote to pc-cluster-ops@umist.ac.uk
> on 22 Nov 93 16:35:52 GMT (Subject: virus hoax), and it was forwarded to me:
> Everyone, Just a quick note to tell you all about a virus problem I thought
> I had today (Mon 22 Nov) A student had left me a message that " All the 386
> and 486's have been infected with the Invisible Man virus [IMF]". He had run
> the latest version of McAffee scan (9.19 V108) on the machines and it had
> reported the infection. However Vet 7.4 did not report any infection. Upon
> investigation it appears that VET_RES was causing the McAffee scan to report
> an infection. ie once VET_RES was removed from memory the McAffee scan didn't
> find anything. Cheers, Steve M.

This false alarm turned out to have been caused by Scan finding our
procedure to find Invisible Man, despite the fact that the only
connection between it and the virus was that the same two constants
appeared in each, in the same order.

We have taken steps to further camouflage this section, and this false
alarm will no longer occur. A copy of VET 7.52, containing this change,
was sent to Manchester on Nov 26th.

Cheers!

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727

------------------------------

Date:    Wed, 01 Dec 93 19:14:23 -0500
From:    Karen Pulliam
Subject: New version of stoned virus & DOS 3.3 (PC)

We have been hit with a new version of stoned (detected with f-prot
2.10). Unfortunately, f-prot is unable to disinfect it.
I tried using DOS 5.0 fdisk /mbr, but received the expected wrong dos
version error (the computer is a 286 running DOS 3.3). Deleting the
partitions leaves the virus in the MBR. I used Norton's disk editor and
entered the generic master boot record as suggested in the User's
Guide, but the virus still remains.

Do you know how to get this virus out of the MBR?

Thanks.

------------------------------

Date:    Wed, 01 Dec 93 22:09:02 -0500
From:    howard@ccu1.auckland.ac.nz (Howard Ross)
Subject: Any reviews of InVircible/V-Care ? (PC)

We have recently been approached by someone selling InVircible by NetZ
Computing Ltd. of Israel. I understand that this product was previously
marketed as V-Care by CSA Interprint of Israel.

I am searching for a reputable review. The Virus Bulletin publication
from Great Britain hasn't reviewed it and there is only a passing
reference in an article about the virus/antivirus situation in Israel.
I can't find any reviews in various ftp archives. I have one review
from the Capital PC Monitor, the organ of the Capital PC User Group in
Washington DC USA, but would like something a bit weightier.

InVircible looks very attractive because it employs generic defences
against viral attack. Because it does not use scanning, it doesn't fall
into obsolescence. It boasts high speed, ease-of-use, unobtrusiveness,
and a high rate of restoration/disinfection.

Can the labelling on the package be believed?

- - Howard
- --
+ Howard Ross,                                                          +
+ Computer Centre, University of Auckland,                              +
+ Private Bag 92019, Auckland, New Zealand   FAX: +64 9 373-7425        +
+ e-mail : H.Ross@auckland.ac.nz   Phone : +64 9 373-7999 ext. 5830     +

------------------------------

Date:    Thu, 02 Dec 93 03:21:43 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Monkey is not cute! (PC)

sullivan@cobra.uni.edu writes:

>Actually, 2.10 (which is now out) does detect and identify this properly now,
>but Frisk said that VIRSTOP still doesn't intercept correctly. They patched it
>and e-mailed me a copy of VIRSTOP 2.10a and it works perfectly. Thank you, a
>million times.

This new version of F-PROT will be made publicly available as soon as
one small problem has been fixed - a false alarm in a program called
EMSLOAD.

- -frisk

------------------------------

Date:    Thu, 02 Dec 93 03:28:42 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Re[2]: November 17th virus at Manchester England? (PC)

cjkuo@symantec.com (Jimmy Kuo) writes:

>The fact that your report indicates the "November 17th" but not quite would
>lead me to point you in this direction. The 855 strain is the most popular
>and the repairs for this virus is most likely based on the virus having a
>length of 855.

Any virus cleaner that does not identify the variants sufficiently is
IMHO more dangerous than most viruses...

- -frisk

------------------------------

Date:    Thu, 02 Dec 93 03:32:12 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: McAfee VSHIELD vs Frisk VIRSTOP ??? (PC)

mramey@stein2.u.washington.edu (Mike Ramey) writes:

>(Unfortunately that was a year or so ago, and I don't remember the
>details.) It seemed less thorough. One example: it did not check for a
>boot-sector-infected diskette in the A: drive on CTL-ALT-DEL reboot.

It now does - not by default, though ... you have to use the /WARM
command-line switch.

- -frisk

------------------------------

Date:    Thu, 02 Dec 93 03:42:36 -0500
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: S-Bug info?? (PC)

gbock@yorick.umd.edu (Glenn Bock) writes:

> I just spent the past few hours removing a virus that fp-209f
>called S-Bug (?) as it called it, a particularly itchy com,exe,ovl
>infecting program virus. I have no information on this virus
>and was wondering if anyone has any info on it. I've repeatedly
>tried re-infecting a 'protected' machine 'virstop.exe loaded as
>a device driver' and found the machine became massively reinfected

As described in the documentation, VIRSTOP will not detect many
polymorphic viruses at all....I could change it to do so, but that
would add nearly 100K to the memory requirements, and slow it down
considerably.

S-bug is quite polymorphic, so unfortunately VIRSTOP will not be of
much help. The scanner finds the virus 100% (as far as I know), but
disinfection has not yet been implemented.

- -frisk

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date:    Thu, 02 Dec 93 04:40:45 -0500
From:    latim912@crow.csrv.uidaho.edu (Jerry E. Latimer)
Subject: Re: MS-DOS 6.2 is not a virus (it just acts that way) (PC)

A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) wrote:
: Downloaded the upgrade for MS-DOS 6.2 from the MS bulletin board.
: Curiously enough the README states that the files are not to be
: posted on BBSs (right) and installed on my test machine. A few caveats:
: 1) Between the Del_Old_Dos.1 and the STEPUP directory (which must be on C if
:    you use the defaults) and the new files, make sure you have at least
:    6-7 Mb free before you start. I saw no check for this.
: 2) Machine seemed to hang for a very long time at about the 81% mark
:    (5% note in lower right of screen). At this point the new IO.SYS and
:    MS-DOS.SYS files have been copied but the new COMMAND.COM is not yet
:    present. If you abort here, I suspect the PC will not boot properly.
:    Eventually it does continue but that particular sequence is very slow.
: 3) The installation found *something* wrong with mode.com and memmaker.exe
:    & refused to update them (told the setup to continue anyway & would
:    suggest this - see last two sentences in (2). (Both were originals dated
:    3-10-93)
: 4) If you have downloaded the "supplemental" files for DOS 6.0, these are not
:    included and will probably whine "incorrect version". Skilled use of
:    Ben Capstricum's UNP (UNP312.zip) plus DEBUG (look for the string 30 cd 21
:    and change the CMP AX,0006 that follows closely to CMP AX,1406) "fixed"
:    this without using SETVER (no guarantees at all 8*). Curiously while most
:    DOS programs use Packed files, CHKDSK used PKLITE. The very annoying
:    disclaimer about using SCANDISK instead can also be removed with DEBUG.
: 5) The NOVELL NETX332.EXE for MS-DOS 6.0 had the same problem - not liking
:    the 6.20 version number. I just do not like SETVER - Note: of the
:    multi-screen default SETVER load, NONE of the entries were what I use.
: 6) HIMEM.SYS now has a lengthy (10+ seconds on 286 with 4 Mb extended) check
:    of extended memory but at least it tells you what it is doing.
: 7) As previously mentioned, no update to MSAV appeared to be performed
:    (files still dated 3-10-93)
: 8) Like on a full installation, DELOLDOS will remove the "old" DOS directory
:    but does not remove the STEPUP directory - you'll have to do that manually.
: 9) Do not use DBLSPACE on this machine so have not tried as yet. SCANDISK is
:    nice but take a coffee break.
: Warmly,
: Padgett

Regarding (9): I have been using MS-DOS 6.0 for several months now.
Recently, I upgraded to MS-DOS 6.2 and have found no problems with
DoubleSpace or anything else (I have also used Dblspace for several
months). Fortunately, I have not experienced any of the problems stated
above or any others. (But my fingers are crossed...)

Jerry E. Latimer ( latim912@crow.csrv.uidaho.edu )

------------------------------

Date:    Thu, 02 Dec 93 00:26:16 -0500
From:    Joe Wells <0004886415@mcimail.com>
Subject: FreqList

===========================================================================
          Frequency of PC Viruses Confirmed in the Wild
          Based on the December 1, 1993 WildList.
===========================================================================
This list adds currency and frequency factors to the WildList. For the
currency factor a base date of September 1, 1992 has been chosen. How
often a virus has been reported (the frequency factor) is indicated by
a number from 1 to 4 that represents a "feel" for how often each virus
has been found in the wild. So far 6 of the WildList participants have
provided their frequency information. Here are the frequency factors:
===========================================================================
  4=Very Frequent.  3=Fairly Frequent.  2=Barely Frequent.  1=Rarely found.
===========================================================================
The 48 viruses listed below have a mean frequency of .5 or above. This
means each virus has been found by at least three participants if the
virus is rarely found, by two participants if one has found it on more
occasions, or by one participant who has found it fairly often. Other
viruses (50) on the WildList, found less frequently, are here omitted.
===========================================================================
The section below gives the names of participants, along with their
organization, antivirus product (if any), and geographic location.

Key  Participant        Organization     Product        Location
===========================================================================
AS   Alan Solomon       S&S Int'l        Toolkit        UK
DC   Dave Chess         IBM              IBM AntiVirus  USA
FS   Fridrik Skulason   Frisk Int'l      F-Prot         Iceland
JW   Joe Wells          Symantec         NAV            USA
RF   Richard Ford       Virus Bulletin   None           UK
VB   Vesselin Bontchev  U of Hamburg     None           Germany
===========================================================================
CARO Name of Virus             AS DC FS JW RF VB  Aliases
===========================================================================
Form ........................| 4  4  4  4  4  4 |
Stoned.Standard.B ...........| 4  4  1  3  4  3 | New Zealand, Marijuana
Stoned.Michelangelo .........| 2  3  4  3  2  3 | March 6
Kampana.3700:Boot ...........| 2  2  4  3  3  . | Telecom, Drug, Telefonica
V-Sign ......................| 2  3  3  3  3  . | Cansu,Sigalit
Tequila .....................| 2  3  2  2  3  1 |
Yankee Doodle.TP-44.A .......| 2  3  2  1  2  2 | RCE-2885, TP-44, Doodle
Joshi.A .....................| 2  4  1  2  3  . |
Jerusalem.1808.Standard .....| 3  4  1  2  1  . | 1808, Israeli, Friday 13
Stoned.NoINT ................| 1  3  1  3  3  . | Stoned 3, Bloomington
Cascade.1701.A ..............| 2  3  1  .  3  1 | 1701, Falling Letters
Flip.2153.A .................| 2  3  2  1  2  . | Omicron
Green Caterpillar ...........| 2  3  1  2  2  . | Find, 1591, 1575
Parity_Boot.B ...............| 1  2  .  2  1  4 |
Stoned.Empire.Monkey ........| .  2  3  3  .  2 |
Dir-II.A ....................| 1  2  1  1  2  1 | CreepingDeath, FAT
Vacsina.TP-05 ...............| 2  2  1  1  2  . | RCE-1206, TP-05
Stoned.Azusa ................| 1  3  3  1  .  . | Hong Kong
Tremor ......................| .  .  3  .  1  4 |
Dark_Avenger.1800.A .........| 2  2  1  1  1  . | Eddie
Cascade.1704.A ..............| 1  1  4  1  .  . | 1704
Maltese Amoeba ..............| 2  1  1  1  1  . | Irish, Grain of Sand
Liberty .....................| .  3  1  1  1  . | Mystic, Magic
November_17th.855.A .........| 2  1  1  2  .  . | V855
EXE_Bug.A ...................| 2  .  .  3  1  . | CMOS 1
Quox ........................| .  2  1  3  .  . | DiskInfect, Stealth 2
Helloween.1376 ..............| 1  .  .  2  3  . | 1376
Ping_Pong.B .................| 2  2  .  .  2  . | Italian
Chinese Fish ................| 1  .  1  3  .  . | Fish Boot
Keypress.1232.A .............| 2  2  .  .  1  . | Turku, Twins
Screaming_Fist.696 ..........| 1  2  .  2  .  . | Screamer 2B, 696
Stoned.16 ...................| 1  3  .  1  .  . | Brunswick
Datalock.920 ................| 1  2  .  1  .  . | V920
Stoned.June_4th .............| 2  .  .  1  .  1 | Bloody!, Beijing
Fichv.2_1 ...................| 1  .  3  .  .  . | 905
Vacsina.TP-16 ...............| 2  .  2  .  .  . | RCE-1339, TP-16
Yankee Doodle.TP-39 .........| 2  .  2  .  .  . | RCE-2772, TP-39,Doodle
Barrotes.A ..................| 1  1  .  1  .  . | Barrotos
Disk_Killer.A ...............| 1  .  .  1  1  . | Ogre
Frodo.Frodo.A ...............| 1  .  1  1  .  . | 4k, 4096, 100 Years
Print_Screen ................| 1  1  .  1  .  . | PrnScn
AntiEXE .....................| .  .  .  1  .  2 |
Flip.2343 ...................| 1  .  2  .  .  . | Omicron
Jerusalem.Zerotime.Australia | 2  1  .  .  .  . | Slow
Stardot.789 .................| .  2  .  1  .  . | 805
Stoned.Manitoba .............| .  .  1  2  .  . | Monitoba
WXYC ........................| .  1  .  2  .  . |
Swiss_Boot ..................| .  .  3  .  .  . |
===========================================================================
The collation of this material is done by Joe Wells, Virus Specialist
at Symantec, Peter Norton Group, who is solely responsible for its
contents. The material presented is implicitly copyrighted under
various laws, but may be freely quoted or cited. However, its source
and cooperative nature should be duly referenced. Other antivirus
product developers are invited to participate. If you wish to do so,
please contact me.
===========================================================================
The FreqList by Joe Wells -- jwells@symantec.com -- 70750,3457 -- Vol1.12a
===========================================================================

------------------------------

Date:    Thu, 02 Dec 93 00:19:21 -0500
From:    Joe Wells <0004886415@mcimail.com>
Subject: WildList 9312

============================================================================
              PC Viruses in the Wild - December 1, 1993
============================================================================
This is a cooperative listing of viruses reported as being in the wild
by 14 virus information professionals. The basis for these reports are
virus incidents where a sample was received, and positively identified
by the participant. Rumors and unverified reports have been excluded.
The list should not be considered a list of "currently common" viruses
however. No provision is made for currency or commonness. Therefore it
should be viewed only as a report of viruses verified as in-the-wild.
============================================================================
This list adds information provided from EliaShim and Virus Bulletin.
A companion list includes frequency information from some participants.
============================================================================
The section below gives the names of participants, along with their
organization, antivirus product (if any), and geographic location.

Key  Participant        Organization      Product        Location
============================================================================
As   Alan Solomon       S&S Int'l         Toolkit        UK
Dc   Dave Chess         IBM               IBM AntiVirus  USA
Ek   Eugene Kaspersky   KAMI              AVP            Russia
Fs   Fridrik Skulason   Frisk Int'l       F-Prot         Iceland
Gj   Glenn Jordan       Datawatch         VirexPC        USA
Jw   Joe Wells          Symantec          NAV            USA
Pd   Paul Ducklin       CSIR Virus Lab    None           So Africa
Pp   Padgett Peterson   Hobbyist          DiskSecure     USA
Rf   Richard Ford       Virus Bulletin    None           UK
Rr   Roger Riordan      CYBEC             VET            Australia
Sg   Shimon Gruper      EliaShim          ViruSafe       Israel
Vb   Vesselin Bontchev  U of Hamburg      None           Germany
Ws   Wolfgang Stiller   Stiller Research  Integ Master   USA
Yr   Yuval Rakavi       BRM               Untouchable    Israel
============================================================================
The first chart is based on two or more participants reporting a virus.
Therefore, these viruses are probably more geographically scattered.

CARO Name of Virus             AsDcEkFsGjJwPdPpRfRrSgVbWsYr  Alias(s)
============================================================================
AntiEXE .....................| . . . . . x . . . . . x . . |
Barrotes.A ..................| x . . . . x x . . . . . . . | Barrotos
Brasil ......................| . . . . . x . x . . . . . . |
Butterfly ...................| . . . . . x . . . . . x . . |
Cascade.1701.A ..............| x x . x . . . . x . x x . . | 1701
Cascade.1704.A ..............| x x x x . x . . . . x . . x | 1704
Changsha ....................| . . . . . x . . . x . . . . | Centry
Chinese Fish ................| x x . x x x x . . x . . . x | Fish Boot
Dark_Avenger.1800.A .........| x x . x x x . . x x . . x . | Eddie
Dark_Avenger.2100.SI.A ......| x . . . . x . . . . . . . . | V2100
Datalock.920 ................| x x . . . x . . . . x . . x | V920
Dir-II.A ....................| x x x x . x x . x x x x x . | CreepingDeath
Disk_Killer.A ...............| x . x . . x . x x . x . . . | Ogre
Even_Beeper .................| x x . . . . . . . . . . . . |
EXE_Bug.A ...................| x . . . . x x . x . x . x . | CMOS 1
EXE_Bug.C ...................| . . . . . . x . . . x . x . |
Fichv.2_1 ...................| x . . x . . . . . . x . . x | 905
Filler ......................| . . . . x x . . . . . . . . |
Flip.2153.A .................| x x . x . x . . x . x . . . | Omicron
Flip.2343 ...................| x . . x . . . . . . . . . . | Omicron
Form ........................| x x . x x x . x x . x x x x |
Frodo.Frodo.A ...............| x x . x . x . . . x x . . . | 4096,100 Year
Green Caterpillar ...........| x x . x x x . . x x x . x x | Find,1591,1575
Helloween.1376 ..............| x . . . . x . . x x . . x x | 1376
Jerusalem.1244 ..............| x x . . . . . . . . . . . . | 1244
Jerusalem.1808.Standard......| x x . x x x x x x . x . x . | 1808,Israeli
Jerusalem.Anticad.4096 ......| x . . x . . . . . . x . . . | Invader
Jerusalem.Fu_Manchu .........| x . . . . x . . . . x . . . |
Jerusalem.Mummy.2_1 .........| x . . x . . x . . . x . . . |
Jerusalem.Zerotime.Australia.| x x . . . . . . . x x . x . | Slow
Joshi.A .....................| x x . x x x . x x x x . x . |
Kampana.3700:Boot ...........| x x . x x x . . x . . . x . | Telecom,Drug
Keypress.1232.A .............| x x . . . . x . x x x . x x | Turku,Twins
Liberty .....................| . x . x . x . . x . . . x x | Mystic,Magic
Maltese Amoeba ..............| x x . x . x . x x . x . x x | Irish
Music_Bug ...................| . . . x x . . x . . . . x . |
Necros ......................| x . . . . x . . . . . . . . | Gnose,Irish3
No_Frills.Dudley ............| x . . . . . . . . x . . . . | Oi Dudley
No_Frills.No_Frills .........| . . . . . x . . . x . . . . |
Nomenklatura ................| x x . . . . . . . . . . . . | Nomen
November_17th.855.A .........| x x . x . x . . . . . . . . | V855
NPox.963.A ..................| . . . x . x . . . . . . . x | Evil Genius
Ontario.1024 ................| . x . . . . . . . x x . . . | SBC,1024
Parity_Boot.B ...............| x . . . . x x . x . . x . . |
Ping_Pong.B .................| x x . . . . . . x . x . x . | Italian
Print_Screen ................| x x . . . x . . . . . . . x | PrnScn
Quit.A ......................| x x . . . . . . . . . . . . | 555,Dutch
Quox ........................| . x . x . x . . . . . . . . | Stealth 2
Screaming_Fist.696 ..........| x x . . x x . . . . . . x . | 696
Stealth.B ...................| . x . . . x . x . . . . . . | STB
Stoned.16 ...................| x x . . . x . . . . . . . x | Brunswick
Stoned.Azusa ................| x x . x . x x x . x x . x . | Hong Kong
Stoned.Empire.Monkey ........| . . . x x x . x . x . x x . |
Stoned.Flame ................| . . . . . x . . . x . x . . | Stoned(3C)
Stoned.June_4th .............| x . . . x x . . . x . x x . | Bloody!
Stoned.Manitoba .............| . . . x . x . . . . . . . . | Monitoba
Stoned.Michelangelo .........| x x x x x x x x x x x x x . | March 6
Stoned.NoINT ................| x x . x x x x . x x . . x . | Stoned 3
Stoned.NOP ..................| . . . . . x . . . . . . x . |
Stoned.Standard.B ...........| x . x x x x x x x x x x x . | New Zealand
Stoned.Swedish_Disaster......| x . . . x . . . . . . . . . |
Stoned.W-Boot ...............| . . . . . x . . . x . . . . | W-Boot
Stardot.789 .................| . x . . . x . . . . . . . . | 805
SVC.3103 ....................| x . x . . x . . . . x . . . | SVC 5.0
Swiss_Phoenix ...............| . . . . . x . . . . . . . x |
Tequila .....................| x x . x . x x . x . x x x x |
Tremor ......................| . . . x . . . . x . . x x . |
V-Sign ......................| x x . x x x . . x x x . x . | Cansu,Sigalit
Vacsina.TP-05 ...............| x x . x x x . . x . . . x . | RCE-1206
Vacsina.TP-16 ...............| x x . x . . . . . . . . . . | RCE-1339
Vienna.648.Reboot ...........| x x x . . . . . . . . . . . | DOS-62
WXYC ........................| . x . . . x . . . . . . . . |
Yankee Doodle.TP-39 .........| x . . x . . . . . . . . . . | RCE-2772
Yankee Doodle.TP-44.A .......| x . x x . x . . x . . x . x | RCE-2885
Yankee Doodle.XPEH.4928......| . . . x . . . . . . . . . x | Micropox
Yeke.1076 ...................| . x . . . x . . . . . . . . |
============================================================================
The second chart is based on a single participant noting more than one
infection site and may signify limited regional virus outbreaks.

CARO Name of Virus             AsDcEkFsGjJwPdPpRfRrSgVbWsYr  Aliases
============================================================================
Athens ......................| . . . . . x . . . . . . . . |
10_Past_3.748 ...............| . . . . . . x . . . . . . . |
BootEXE .....................| . . . . . . . . x . . . . . | BFD-451
Brain .......................| . . . . . . . x . . . . . . |
Cascade.1701.G ..............| . . . . . . . . . . . x . . | 1701
Chile .......................| . . . . . x . x . . . . . . | VIVA,Meirda
Coffeeshop:MtE_090 ..........| . . . . . . x . . . . . . . |
Darth_Vader.3.A .............| . . . . . . . . . . . . x . |
Datalock.828 ................| . . . . . . . . . . . . . x |
Den_Zuko.A ..................| x . . . . . . . . . . . . . | Den Zuk
DosHunter ...................| . x . . . . . . . . . . . . |
Emmie.3097 ..................| . . . . . . . . . . . . . x |
EXE_Engine ..................| . . . . . . . . . . . x . . |
Freddy ......................| . . . . . x . . . . . . . . |
Ginger ......................| . . . . . . . . . x . . . . | Gingerbread
Grower ......................| . . . . . x . . . . . . . . | V270x,268+
Hafenstrasse ................| . . . . . . . . . . . x . . | Hafen
Involuntary.A ...............| . . . . . x . . . . . . . . | Invol
Jerusalem.1808.CT ...........| . x . . . . . . . . . . . . | Capt Trips
Jerusalem.1808.Null .... ....| . x . . . . . . . . . . . . |
Jerusalem.Carfield ..........| x . . . . . . . . . . . . . |
Jerusalem.Moctezuma .... ....| . x . . . . . . . . . . . .
| Jerusalem.Mummy.1_2 .... ....| . . . . . . x . . . . . . . | Jerusalem.Sunday.A ..........| . . . . . . x . . . . . . . | Sunday Jerusalem.Sunday.II .... ....| . x . . . . . . . . . . . . | Sunday 2 Joshi.B .....................| . x . . . . . . . . . . . . | Kampana.Galicia:Boot ........| . . . . . x . . . . . . . . | Telecom,Drug Little Brother.307 ..........| . . . x . . . . . . . . . . | Lyceum.1788 .................| . . x . . . . . . . . . . . | Murphy.Smack.1841 ...........| . . . . . x . . . . . . . . | Smack NJH-LBC .....................| x . . . . . . . . . . . . . | Korea Boot Parity_Boot.A ...............| . . . . . . . . . . . . x . | Sat_Bug .....................| . . . . . x . . . . . . . . | Satan Bug Screaming_Fist.NuWay ........| . . . . . x . . . . . . . . | Sticky Sleepwalker .................| . . . . . . . . . x . . . . | Stinkfoot ...................| . . . . . . x . . . . . . . | Stoned.Bunny.A ..............| . . . . . . x . . . . . x . | Stoned.Empire.In_Love .......| . . . . . x . . . . . . . . | SVC.2936 ....................| . . . . . x . . . . . . . . | Stoned.Empire.Int_10.........| . . . . . . . x . . . . . . | Swiss_Boot ..................| . . . x . . . . . . . . . . | Syslock.Syslock.A ...........| x . . . . . . . . . . . . . | Voronezh.1600 ...............| . . x . . . . . . . . . . . | RCE-1600 Yale ........................| . x . . . . . . . . . . . . | Alameda ============================================================================ The collation of this material is done by Joe Wells, Virus Specialist at Symantec, Peter Norton Group, who is solely responsible for its contents. The material presented is implicitly copyrighted under various laws, but may be freely quoted or cited. However, its source and cooperative nature should be duly referenced. Other antivirus product developers are invited to participate. If you wish to do so, please contact me. 
============================================================================ The WILDList by Joe Wells -- jwells@symantec.com -- 70750,3457 -- Vol1.12a ============================================================================ ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 155] ******************************************