To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #157
--------
VIRUS-L Digest   Friday, 10 Dec 1993    Volume 6 : Issue 157

Today's Topics:

Re: Liabilities
Re[2]: Liabilities reply
Michael Lafaro
Re: Virus at an atomic power station
Server based protection (Novell)
F-Prot v210 and multiple HDs (PC)
Re: STONED 3 as broken my floppy !!! (PC)
swiss variant (PC)
Re: Help against Freddy Krueger ! (PC)
Re: Thunderbyte's reply about danger of TbClean (PC)
Satan bug on 500 user lan (PC)
PC virus that dumps to PRINT QUEUES?? (PC)
Flip false +ve in DOS 6 VSafe by VET (PC)
I think I have a virus (PC)
Clicking sound from PC speaker but can't find virus?? (PC)
Day of the week (PC)
False +ve for Invisible Man in VET by SCAN (PC)
Power Pump infections (PC)
"Perry" Virus found on PC with tnt-virusscan (PC)
A New Virus? (PC)
Re: Has anyone heard of the the reaper virus V Cpav (PC)
Re: New (?) variant of Stoned virus (PC)
Microsoft or McAffe (PC)
Antiviral Toolkit Pro (AVP) update (PC)
New file on risc (PC)
Getting help (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.
   Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 06 Dec 93 09:15:34 -0500
From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
Subject: Re: Liabilities

bontchev@fbihh.informatik.uni-hamburg.de writes:

>> Viruses are not living entities that can 'escape' unless helped by
>> humans with secondary intentions.

>While they are indeed not living organisms, they can very well
>"escape" against the will of the person who has them, if this person
>is not knowledgeable and/or not careful enough. I am certain that many
>readers of Virus-L/comp.virus can confirm that, based on their own
>experience. Heck, even I have once accidentally released a virus on my
>computer and the sucker succeeded to infect a lot of four files,
>before I figured out what's happening and was able to stop it.

Agree.

>> Viruses are just inanimated pieces
>> of computer code.

>That doesn't prevent them from spreading rather well.

Shall we mention the percentage of the ones that DO NOT replicate at all, i.e. cannot 'escape' in newer / exotic DOS systems??

>> By attributing non existent powers to computer code
>> using such analogies is a dangerous thing.

>The main properties of computer viruses I was referring to were
>"spreading" and "causing damage". Is *this* what you are calling
>"non-existent properties"?

Wrong! The real properties, mathematically speaking, are 'reproduction' of the virus and 'modification' of the system. Equating 'modifying' with 'causing damage' is wrong, in specific scientific terms. (We are not discussing the ethics behind here.) These properties hardly equate to the properties of a lion!!!! A lion is a predator by nature, a computer virus isn't.

>> If you take a couple of
>> preventive measures no computer virus can escape like a 'tiger'.

>If you take the proper preventive measures, you can prevent even a
>tiger from escaping. You have completely missed my point.
>My point was that *if* the tiger (or the virus) escapes and causes
>damage, then you are liable for it.

I did not miss your point, I just pointed out that the analogy is flawed from the ground up. The comparison does not hold therefore your point is not valid.

>> Lets look at the following counter analogy:
>> I am a gun manufacturer and inventor. Should I be held liable for the
>> uses and misuses of such weapon, if I am not able to control who gets
>> it and who does not? Absolutely, positively NOT!

>Your analogy is flawed too. You are standing on US-centric positions.
>The world is wide and there are many countries in which owning,
>buying, or selling a weapon *is* illegal, regardless of whether you
>misuse it or not.

How does this make the manufacturers / inventors of guns etc. LIABLE for the use of their products?? The illegality of it has nothing to do with LIABILITY. So, let the owning, buying, etc. of weapons be illegal.. so what? Are the MAKERS of the guns LIABLE? NO!

>(Please, folks, it is not my intention to start a gun/anti-gun
>flamewar here. I just want to point out that just because something is
>allowed in your country, you should not assume that it is also allowed
>everywhere else in the world. Also, unlike guns, computer viruses
>*are* able to spread and to cross national boundaries.)

The 'assumption' has nothing to do with the manufacturers LIABILITY!

>> The bottom of the line here is not whether to write viruses or not to
>> write viruses but who gets them.

>Nope. The bottom line is whether damage is caused. And spreading
>computer viruses *is* causing damage.

Yes, sure. But it cannot be proven that the deed of writing viruses causes such things. The ones that should be held liable are the ones that introduce viruses in computer systems without authorization, (which is against the law in many countries.)
>> And we all know that there is a few CARO virus collections floating
>> around in the wrong places, so that should answer the question of who
>> is responsible or who is not.

>Each CARO member is maintaining his own virus collection.
>Second, anybody can claim whatever they want (e.g. "I have the CARO
>virus collection", or "I wrote the K-4 virus", or "I know who killed
>JFK", or whatever). However, irresponsible claims tend to lower the
>reputation of the person who is making them.

In point 1 - I stand corrected: A few 'CARO-member' virus collections.
In point 2 - The disassemblies speak for themselves. :)

> >I don't think that virus creation should be forbidden per se. But I do
> >think that if a virus is found somewhere where it is unwanted, the
> >author of the virus should share the responsibility, even if he has
> >not introduced the virus into that system.

>> By the same token, the manufacturers of firecrackers should be held
>> liable when someone uses their product in a malicious way?
>> NO!

>If this "someone" manufactures firecrackers and distributes them to
>children, telling them "look how great it will be to put some fire on
>that building" - yes, such person should be held liable.

Agree. But this is a specific case where the manufacturer is taking another role not implied by the act of being just a manufacturer. Sure you can find a million specific examples, but in general terms if we refer to a manufacturer in the broad sense of the word the answer is still: NO!

Have you ever heard of disclaimers? That takes care of any implied secondary intentions you might want to give to the manufacturer. To complete my point: If the product has a proper disclaimer notice the manufacturer cannot be held liable for the proper / improper use of whatever the product is. Computer viruses included.

>Besides, there are many *useful* applications for firecrackers.
>I have yet to see *one* useful application of a computer virus (as most
>people understand it, not as Dr. Cohen understands it) that cannot be
>performed (often much better) by a non-viral program.

Well, I predicted your reply, :) and I stated below in the original posting: "While a million of you will argue that a good use for a computer virus is yet to be found, there is yet to be proven that there isn't a good use for a computer virus."

>> You are assuming something that can NOT be proven: Computer viruses
>> are inherently destructive.

>Not quite. All I am saying is that the computer viruses as we have
>seen them -can- and -are- destructive. I don't think that anybody
>thinks otherwise. If you do, you are seriously fooling yourself.

Agree, but a new generation of 'good' viruses will come along, such as Cruncher and KOH (whether they work or not is another story), then you will not be able to make such statement.

>Whether computer viruses are inherently destructive in theory is a
>different question and I will be glad to do some research in this
>direction, but we are not talking about the theory now. We are talking
>about the viruses that exist *now* and that destroy data *now*.

What about the viruses that don't destroy data? I will say that more than 60% (approximately) of all known viruses don't carry any destructive or malicious code. Are they destructive? No! at least not in theory, unless you tag them as destructive by the mere fact that they are 'viruses.'

If they cause damage accidentally, is beside the point, as there is plenty of commercial software (Example: MS DOS's original Chkdsk.exe) that causes unwanted destruction, so if you apply your thinking to commercial software you could say that there is software that exists *now* that destroys your data *now*.

Let's face it, software incompatibilities and data destruction are not exclusive to viruses..
on the contrary I have seen -some- viruses that have less compatibility problems than a lot of commercial products, (AntiViral ones included.)

ktark@src4src.linet.org

------------------------------

Date: Mon, 06 Dec 93 09:15:49 -0500
From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
Subject: Re[2]: Liabilities reply

cjkuo@symantec.com (Jimmy Kuo) writes:

>>Lets look at the following counter analogy:
>>I am a gun manufacturer and inventor. Should I be held liable for the
>>uses and misuses of such weapon, if I am not able to control who gets
>>it and who does not? Absolutely, positively NOT!

>Yes! If you are negligent. There are laws which will charge a parent with
>manslaughter if a child finds a gun that has not been properly secured and
>shoots someone.

Wrong! I am talking about the manufacturer, the 'maker' of the gun, not third parties. If a child misuses a gun, the parents may be liable, but the manufacturer isn't; so the answer still is: NO.

>And if you want to still use this analogy, if I buy a
>gun (a program) but the firing mechanism blows up in my face (trojan/viral
>code), yes the gun manufacturer is liable.

This example is flawed, since the manufacturer will be liable for a defect but NOT for the act of manufacturing a gun and its proper / improper uses, (providing that it works properly :) )

>Someone asked me today what I thought of Nuke. My whole answer was "They
>don't understand the first amendment."

Why should they? More than half of its members do not reside in the US. :)

ktark@src4src.linet.org

------------------------------

Date: Mon, 06 Dec 93 16:23:43 -0500
From: THE GAR
Subject: Michael Lafaro

The 19NOV93 issue of Network World reports that a Michael Lafaro has been arraigned under the New York state law against computer tampering. The charge was "intentionally infecting a customer's network with a business-threatening virus".
Nassau County Police say that one of Lafaro's employees was ordered to install the "virus" in an account-tracking program of a furniture company in Westbury NY.

This will be a test-case of sorts, in that Michael Lafaro is the first person to be charged under this law. The penalties could be, if found guilty, up to 7 years prison and fines of $5-10k.

I'm curious if anyone knows whether this was a "real" virus, or a "media/law-enforcement" virus. Sounds like it was probably just some form of trojan horse, but I am speculating now...

/++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
!  Later        +   Systems Programmer                                !
!  Gary Warner  +   Samford University Computer Services              !
!               +   II TIMOTHY 2:15                                   !
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/

------------------------------

Date: 07 Dec 93 09:00:23 +0000
From: virusbtn@vax.oxford.ac.uk
Subject: Re: Virus at an atomic power station

>> VIRUS: A computer virus sparked a safety scare at Sizewell B nuclear power
>>station, the latest Computer Weekly says. A man was later sacked for
>>introducing unauthorized software.

Hmmmmm.... well, my .02$ worth on this...

Sizewell B is Nuclear Electric's newest and most up to date reactor site, and has cost an estimated 2 billion pounds to build. As yet, the site is yet to be commissioned, and therefore the reactor has not been loaded with fuel.

The virus in question was the Yankee virus, which was discovered on the system on 29th June of this year. However, the virus did not pose any danger to the public (as implied in most of the stories printed on the incident). The reason for the concern stemmed from the controversial new reactor protection systems which are designed to shut the reactor down in case of an emergency.

The Sizewell site has several different computing systems. The main two are an office network running OS/2 and the computers which are running the reactor.
These two systems are completely separate, and it was the office system which became infected. The reactor computer system is not PC-based, and has all of its code blown onto PROMs - it is, in effect, a Read-only system. Operators cannot add new code to the system, nor can they run their own programs. Therefore, it was never a target for virus infection.

The whole event is such a non-story that IMHO it did not deserve anything like the coverage it got. Sigh. Yet another hype-driven piece of reporting.

I went down to Sizewell to do a followup piece for Virus Bulletin. Their procedures are adequate for what is essentially an ordinary office system. Even if the reactor control computer blew a fuse or whatever, it is multiply backed up by hardware (ie switches, relays, transistors - not computers) so that the safety of the plant does not rely on computers. Motto: don't fret.

It is a shame that the press coverage of computer viruses is so lousy. However, that is another story. If people want to know more about the Sizewell thing, feel free to Email me. If there is enough interest I can post the VB piece on the plant.

Kind Regards,

Richard Ford
Editor, Virus Bulletin.

------------------------------

Date: Tue, 07 Dec 93 04:03:38 -0500
From: David Hanson
Subject: Server based protection (Novell)

I am looking for virus protection for a Novell 4.x internetwork (ie. multiple servers). One suggestion was to use Intel LanDesk Virus Protect Ver.2.0. Does anyone have information on the effectiveness of this product? Any other suggestions for protection in this environment? Any general suggestions for network viral protection?

Thanks!

David Hanson

------------------------------

Date: Mon, 06 Dec 93 09:20:34 -0500
From: "John M. Clark"
Subject: F-Prot v210 and multiple HDs (PC)

I have just downloaded F-Prot v210. I have 2 physical hard drives, one of which is partitioned into 2 logical drives. F-Prot scans only the drive on which the executable is stored.
How can I tell F-Prot to scan all 3 drives? I don't want to copy the executable onto all three drives and run F-Prot 3 times (this is a waste of time and disk space).

John Clark
c2mxcla@fre.fsu.umd.edu

------------------------------

Date: Mon, 06 Dec 93 09:20:21 -0500
From: eng35799@leonis.nus.sg (Seng Ching Hong)
Subject: Re: STONED 3 as broken my floppy !!! (PC)

Jean Laganiere (jean@cam.org) wrote:
: One of my friends has detected STONED 3 on his PC a couple of days ago.
: He says that he can not use his floppy drive since then. When he tries
: to read a diskette, he always sees the directory of the preceding one...

Some software (not virus) can cause this sort of symptoms. For example, when I use QEMM v7.01 with NCACHE2, this happens on a 386 but not a 486. Therefore, there isn't a need for alarm. Check your TSR program and drivers before blaming the poor STONE virus.

: This seems very strange. Is it possible that the virus has broken
: something in his hardware ???

As far as I know, I haven't seen a virus that attacks the hardware of the computer. Maybe some make the hardware act as if it is malfunctioning, but do not break any of it.

+---------------------------------------------+------------------------+
| Sender   : James Seng Ching Hong            | "What you see is not   |
| Handle   : -=PiXeL=-                        |  what you see. That's  |
| Location : National University of Singapore |  just Virtual Reality" |
| UNIX     : eng35799@leonis.nus.sg           |       -=PiXeL=-        |
+---------------------------------------------+------------------------+

------------------------------

Date: Mon, 06 Dec 93 15:18:25 +0000
From: s2973229@techst02.technion.ac.il (Ori Degani)
Subject: swiss variant (PC)

I don't know if this is the appropriate channel for my question, but I could not find a better place.

The first symptoms noticed were on a friend's computer (we work on the same subjects at the univ.
so we have shared files, and disks mostly data files). The symptoms were that format did not work (reported "invalid media 0" or some sort of error), and trying to list the directory on drive a (3 1/2 floppy) would work for the first diskette and once you switched the diskette it would display the directory of the first diskette listed. We ran Norton Disk Doctor and it reported that the "switch disk" test failed.

Similar symptoms appeared later on my own computer: format did not work, and a similar switch disk problem occurred, only on my computer once the diskette was switched the new directory would list, only the free bytes on disk remained the same (the first disk's actual free bytes).

We ran scan109 on both computers. On my friend's computer it found exebug [swb] and on my computer it found the swiss variant [swiss]. On both computers clean109 would not clean. The clean prog. said it recognized the virus (exebug [swb], swiss variant [swiss] on each computer) and said it could not be removed from the partition safely.

My question is how can I remove the viruses, are they the same and just strains? Could it be that clean102 sees the swiss virus as swb? Should I use fdisk with the /mbr option (what does this option do?)?

Any help would be greatly appreciated.

toker@marvin.technion.ac.il
itamar degani

------------------------------

Date: Mon, 06 Dec 93 16:24:07 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help against Freddy Krueger ! (PC)

ibaminformat@ax.apc.org (ibaminformat@ax.apc.org) writes:

> Can anyone help me on a anti-virus that removes Freddy Krueger.

Of all the anti-virus programs I have here, only three ever attempted to disinfect this virus. Results:

FindVirus 6.51 (from Dr. Solomon's AVTK) - correctly disinfects both COM and EXE files, except some garbage left at the end (up to 16 bytes), which cannot be removed. The program is commercial.

AntiVirus Pro - correctly disinfects COM files and damages EXE files.
TbClean (from TBAV) - correctly disinfects both COM and EXE files, but is *very* inconvenient to use - can disinfect only one file each time you start it.

My advice: if you can afford it, get Dr. Solomon's AVTK. If you can afford only shareware programs, get TBAV and use some kind of GLOBAL utility, which will run TbClean on all your infected files.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Mon, 06 Dec 93 16:31:50 -0500
From: mikehan@kaiwan.com (Mike Hanewinckel)
Subject: Re: Thunderbyte's reply about danger of TbClean (PC)

: > whereby, in fact the varicella virus went resident and is now infecting
: > the system. and to advise you, the varicella virus is fairly a stealth
: > virus that disinfects files on the file, when opened and reinfects them
: > when closed, and it hides its virus length very well! such a virus can
: > easily get out of control on a huge level. all because we trusted
: > heuristic scanning!

: Heuristic scanning? Heuristic cleaning you mean! There is absolutely nothing
: dangerous with heuristic *scanning*.

The person who made the original post OBVIOUSLY doesn't seem to know the difference between heuristic scanning and a disinfection routine which employs the emulated running of the virus in order to trick it into supplying the original bytes of the infected program. There was a problem with TBCLean in this one instance, and the author immediately remedied the problem.

: > so before you think "heuristic" is the best method of
: > scanning/cleaning think again! the rate of false positives is WAY TOO
: > HIGH! and remember that the average computer user is not a geniusssis

: ??? How do you mean 'Too high'? According to what standard?
: The default heuristic mode of TbScan does not cause any false alarm.

: > heuristics may have a future, but not for a while, not till it is
: > perfected!

: Heuristic is already perfect. It detects about 90% of the new viruses.
: This means that 9 out of 10 completely new viruses are detected before
: we, the authors of TBAV, even have seen the virus.

I must say that when used properly heuristics is an excellent workable solution. I use it with the highest possible setting active. I do get an occasional false positive, but when I do, I analyze the program that triggered and ask myself does it have a reason to do these things that caused it to activate?? If I don't think it does, I will load a hard disk locker before running it.

You do not get that many false positives with TBSCAN because once you do it the first time you VALIDATE all the false positives. Then TBSCAN knows to only trigger if the file has been changed.

I would like to say that TB is the BEST anti-virus product available, commercial or otherwise. And that is why so many of the other AV products have adopted the innovative ideas created by Frans Veldman. I applaud his fine product. My only gripe about it is that I find too many "no entry in TB lang." or whatever it is for the heuristic flag description.

Mike Hanewinckel

------------------------------

Date: Mon, 06 Dec 93 20:04:59 -0500
From: wej-ddj@wyvern.wyvern.com (William and Delinda Johnson)
Subject: Satan bug on 500 user lan (PC)

The satan bug has infected our 500 user lan. Scanning software does not see the bug in all cases. McAfee 109 and F-PROT were tried without success. A combination of check date and McAfee appears to catch all the infected files but we do not know for sure.

We are cleaning our machines using the above combination of software but need a scanning package which will catch all files which contain the satan bug.

I am looking for ideas for cleaning and restoring our lan and any products guaranteed to detect all infected files.
Any comments and ideas are welcome.

--
__________________________________________________________________________
"Don't let adverse facts stand   |  William E. Johnson
in the way of a good decision"   |  Delinda D. Johnson
     --General Colin Powell      |  wej-ddj@wyvern.com

------------------------------

Date: 07 Dec 93 00:20:59 -0600
From: williaj4212@cobra.uni.edu
Subject: PC virus that dumps to PRINT QUEUES?? (PC)

I work in our school's computer labs. Recently, we have been having problems with system crashes (it's finals week.) The strange thing is that after the crash, large (as in several hundred page) documents have been dumped into the print buffer. If it matters, we are using Novell network software with Lan for controlling the printers. Is there a virus that would cause this, or is it just a network problem?

Thanks

Jon Williams
University of Northern Iowa
willia00@iscssun.uni.edu

------------------------------

Date: Thu, 09 Dec 93 10:24:04 -0500
From: A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Flip false +ve in DOS 6 VSafe by VET (PC)

Margaret Irvine wrote to virus-info@mcc.ac.uk on 7 Dec 93 12:59:04 GMT (Subject: DOS 6 VSafe & Flip virus) and it came to me:-

I've just spent most of the morning on a wild goose chase after the Flip virus. When I Vetted a student's disk it reported the Flip virus already in memory. Other anti-virus software (Dos 6 & CPAV) didn't detect anything. After rebooting, all was OK, but on checking disks or my own PC subsequently the virus message recurred. There was no way the infection could have been spreading as virulently as reported - Flip is a boot / partition sector virus which remains memory-resident.

The only recent change I'd made was to activate Dos 6 VSafe, & this appears to be the problem, producing a spurious message by VET. With VSafe loaded, I get the Vet virus message; without it all is well. Has anyone else hit this problem? I'm pretty sure of the diagnosis but it would be useful to have it confirmed.
If it really IS a virus we've got problems!

------------------------------

Date: Thu, 09 Dec 93 10:06:26 -0500
From: acsys@crl.com (Acsys Inc.)
Subject: I think I have a virus (PC)

My machine is acting funny, the mouse works on and off, and the floppy disk drives don't detect a disk change. When I do a mem /P I get a "blem wit" as one of the loaded programs.

I had a virus that acted similar a year ago called the Michelangelo or something like that which I exterminated, but this one seems to evade scanning programs.

Anyone have any help?

mycal

------------------------------

Date: Thu, 09 Dec 93 10:20:59 -0500
From: reczek@acsu.buffalo.edu (Tim Reczek)
Subject: Clicking sound from PC speaker but can't find virus?? (PC)

I work under Windows 3.1 almost exclusively, and have vshield installed at boot-time and when in Windows. Recently I have had intermittent clicking/ringing from my PC speaker. The sounds only occur when I delete or move files in the FileManager or some other program that allows file deletion or moving.

I noticed the sound for the first time around the beginning/middle of November (can't remember the exact date). It only occurred once or twice on the day I used it, and scanning for viruses using scan V108B indicated all was clean. I thought it might be the FORM virus or a variant thereof, because I had been infected with FORM a few weeks earlier (safely removed, and everything scanned as clean). However, the clicking noise was not in any way associated with the keyboard, the date was off (definitely NOT the 18th), and I haven't heard of FORM producing a ringing noise from the PC speaker (sounds like a cheesy electronic phone).

The sounds reoccurred several times on December 2nd, but not since. I have vshield V109 installed, but it never reported anything. Scanning for viruses using scan V109 also turns up nothing.
There have been no apparent changes in memory (with mem /c), and when the noises occurred, I was using only programs that I have had on my system for several months.

Any help is appreciated,
Tim
--
reczek@autarch.acsu.buffalo.edu
---
In cyberspace, no one can hear you scream...

------------------------------

Date: Thu, 09 Dec 93 10:09:15 -0500
From: knudson@cs.und.nodak.edu (Chad Knudson)
Subject: Day of the week (PC)

I wrote a little program that places the day of the week in an environment variable TODAY. That way, programs can be executed only on the day I specify:

-----
GETDAY
if not %TODAY%==THURSDAY goto skipscan
Echo Scanning for virii...
:skipscan

--
Chad Knudson                        knudson@cs.und.nodak.edu
Center for Aerospace Sciences       +1 701 777 4571
University of North Dakota

------------------------------

Date: Thu, 09 Dec 93 10:29:48 -0500
From: A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: False +ve for Invisible Man in VET by SCAN (PC)

"S.Manifould" wrote to pc-cluster-ops@umist.ac.uk on 22 Nov 93 16:35:52 GMT and it came to me (Subject: virus hoax):-

... a virus problem I thought I had today (Mon 22 Nov)

A student had left me a message that "All the 386 and 486's have been infected with the Invisible Man virus [IMF]". He had run the latest version of McAfee scan (9.19 V108) on the machines and it had reported the infection. However Vet 7.4 did not report any infection. Upon investigation it appears that VET_RES was causing the McAfee scan to report an infection. i.e. once VET_RES was removed from memory the McAfee scan didn't find anything.

Cheers, Steve M.

------------------------------

Date: Thu, 09 Dec 93 11:16:42 -0500
From: peprbv@cfa0.harvard.edu (Bob Babcock)
Subject: Power Pump infections (PC)

> In the past 18 months, Power Pump has been distributed in the following
> files.
> XYPHR2.ZIP
> XYPHR2.ZIP was accidentally distributed on the SO MUCH SHAREWARE VOL II CD. As
> you know CDs will last for years.
F-Prot recently found Power Pump in XYPHR2.COM on the CD Deathstar Arcade Battles by Chestnut Software. At the time, I suspected that it was a false alarm, and I was going to check it more carefully before filing a report. I scanned the CD after the game Aquanoid, run under OS/2, displayed a message saying it was going to format the hard disk and then hung. I was going to give this CD to my son, but maybe it should become a frisbee instead.

------------------------------

Date: Thu, 09 Dec 93 11:21:15 -0500
From: r31d1412@rz.unibw-muenchen.de (Elmar Kreiss)
Subject: "Perry" Virus found on PC with tnt-virusscan (PC)

Hi,

is there anybody here something about the "Perry-Virus"? It was found on different PC in our uni and only verify with tnt-scanner. The effect - losing many files and perhaps destroyed FAT. I am happy it was not on my PC.

Answers to: r31d1412@rz.unibw-muenchen.de

Thanks
Elmar

so long - be clean ;->

------------------------------

Date: Thu, 09 Dec 93 11:50:24 -0500
From: kapoor@vtaix.cc.vt.edu (Rajat Kapoor)
Subject: A New Virus? (PC)

Of late three of the PC's (386's and 486's) in my lab have been behaving oddly... The problem is thus:

The screen blanks out, the keyboard and the mouse both freeze. The only way is to reboot the computer. This means that the application one may be working on dies, and data, unless saved regularly, is lost. The same thing happens even if no applications were being run. Though I may have had TSR's as Norton Commander or Windows open.

I ran the latest F-PROT and SCAN, the results were negative.

Any similar experiences?

Rajat

------------------------------

Date: Thu, 09 Dec 93 12:33:36 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Has anyone heard of the the reaper virus V Cpav (PC)

adam@lbs.lon.ac.uk (Adam S. Nealis) writes:

>Can any tell me about the reaper virus? Center Point Anti-Virus software does
>not seem to pick this one up.
Reaper...Hmm..One of the viruses produced by the British ARCV group was named Reaper. This virus is 1072 bytes long, and attaches itself to the end of COM and .EXE files. I don't remember when I added detection/disinfection of this virus to F-PROT, but it has been around for a while.

If you have a real problem with this virus, (instead of being just curious about it), you should really contact the computer crime unit of the police, as all the ARCV members were caught, but there is a certain lack of complaints against them :-)

-frisk

------------------------------

Date: Thu, 09 Dec 93 12:35:28 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: New (?) variant of Stoned virus (PC)

du4@mace.cc.purdue.edu (Ted Goldstein) writes:

>F-PROT 2.10 reports that it has found a new variant of the Stoned virus
>on one of my PC's. It does not try to disinfect it.

>McAfee SCAN 109 does not see any infection at all.

What you probably have is a partially disinfected disk, that was infected once, and then partially overwritten with "clean" code.

-frisk

------------------------------

Date: Sat, 04 Dec 93 12:57:33 -0500
From: hexx@telerama.lm.com (Don Pellegrino)
Subject: Microsoft or McAffe (PC)

What is the best anti-virus software? How often should I run it?

--
SMM: hexx@telerama.lm.com
or: don.pellegrino@jbjsys.sccsi.com

------------------------------

Date: Thu, 09 Dec 93 11:30:14 +0300
From: eugene
Subject: Antiviral Toolkit Pro (AVP) update (PC)

Hello!

The latest update of Antiviral Toolkit Pro is available via anonymous ftp site:

ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_107b.zip
ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_upd.zip

The first is the full package, updated once, the second is only the update to 1.07c.

Who asked about Moctezuma and Freddy Krueger disinfection? This update does it.
Regards,
Eugene

---
-- Eugene Kaspersky, KAMI Group, Moscow, Russia
-- eugene@kamis.msk.su +7 (095)278-9949

------------------------------

Date: Thu, 09 Dec 93 10:05:22 -0500
From: James Ford
Subject: New file on risc (PC)

The file fp-210b.zip has been placed on risc.ua.edu for anonymous FTP in the following directories:

/pub/ibm-antivirus/fp-210b.zip
/pub/ibm-antivirus/Mirrors/complex.is/fp-210b.zip

This file was ftped directly from complex.is.

-- jf

------------------------------

Date: Mon, 06 Dec 93 09:18:59 -0500
From: "Rob Slade"
Subject: Getting help (CVP)

BEGPAN6.CVP 931103

Getting Help

This is *very* difficult. Who do you turn to? Who do you trust? Who can help?

Do not automatically trust your local repair shop. Computer retail, rental and repair outfits have become significant vectors for viral spread. They may very well have superlative skills in diagnosis and repair, but being able to put a computer together, or take it apart and find out why it isn't working, is not the same as study and research in the virus field. The number of experienced and knowledgeable virus researchers in the entire world is probably less than one hundred: the number of "instant experts" on the basis of possession of an out-of-date scanning program is in the hundreds of thousands.

The preceding may be seen as a slap at computer repair people. It is in no way intended to be so. The point that I am trying to make is that knowledge about viral programs is extremely specialized. Computer repair is highly skilled and specialized itself--but not in the virus area. Nor is this to say that help desk personnel, computer consultants, systems integrators or even data security specialists, have any advantage in dealing with viral programs, unless they have made specific study in the field.

Enough with the bad news. Where *can* you find help? The only place to get accurate and timely information, for most people, is from the virus discussion groups on computer networks.
I am referring to the international networks; the Internet and Fidonet; rather than commercial systems, no matter how large. Compuserve has at least three "virus" related forums: all are merely technical support venues for specific commercial products. Of the various "virus" discussions on commercial systems I am only aware of two with any substance.

Therefore, whoever you call on for help should have access to, and read regularly, VIRUS-L on the Internet, comp.virus on Usenet and either VIRUS, VIRUS_INFO or WARNINGS on Fidonet, or VirNet which uses Fidonet technology.

It is, of course, very easy to *say* that you keep up with the latest research and not quite as easy to test the statement. Here is a quick check. At the risk of sounding like I have an ego the size of Manhattan: if they don't know me, it is highly unlikely that they know the field.

No, I am not just a conceited windbag trying to blow my own horn. I could easily name a dozen people who are more expert than I (and would immediately get into trouble by *not* naming a dozen more, equally qualified, whose names momentarily escaped me). The point is that I post articles on a weekly basis (or better) to pretty well anywhere of any significance.

On second thought, maybe the fact that I am *not* one of the big names is an advantage. If they know me, they really do read *all* of the information.

copyright Robert M. Slade, 1993 BEGPAN6.CVP 931103

==============
Vancouver      ROBERTS@decus.ca      | Nam tua res agitur, paries
Institute for  Robert_Slade@sfu.ca   | cum proximus ardet.
Research into  rslade@cue.bc.ca      |   - For it is your
User           p1@CyberStore.ca      | business, when the wall
Security       Canada V7K 2G6        | next door catches fire.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 157]
******************************************