To: VIRUS-L@LEHIGH.EDU
Subject: VIRUS-L Digest V6 #159
--------

VIRUS-L Digest   Thursday, 16 Dec 1993   Volume 6 : Issue 159

Today's Topics:

Are virii taking over the world..?
Virus/gun analogy doesn't work
Re: Liabilities
Re: Liabilities
Re: Freeware distribution of anti-virus software
Re: Liabilities
re: Any reviews of InVircible/V-Care ? (PC)
Re: Any reviews of InVircible/V-Care ? (PC)
Re: Scanning archives with F-PROT (PC)
Re: McAfee VSHIELD vs Frisk VIRSTOP ??? (PC)
Scanning archives with F (PC)
QUESTION: F-PROT virs (PC)
MSAV Strings Being Picked Up By SCAN (PC)
Re: Windows viruses? (PC)
Re: F-PROT 2.10c is out (PC)
Re: 'Anti-viral' Viruses (PC).
MegaLoad (PC)
Nice Day Virus (PC)
Monkey business (PC)
Re: Windows viruses? (PC)
Re: New (?) variant of Stoned virus (PC)
Re: Removing the Moctezuma virus (PC)
Re: HELP! Filler/Swedish Disaster Attack. (PC)
Announcing HS v3.5, Anti-boot virus program (PC)
New anti-virus package announcement (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 11 Dec 93 11:33:51 -0500
From: djk@netcom.com (Daniel J. Karnes)
Subject: Are virii taking over the world..?

What is going on?

In the period between 1987-1992 I was heavily involved with the computer virus issue through my job and personal interests. At that time, I was seeing an average of two virus infections a month in a customer base of 13000 installations.

Now, with a company in the same line of business, and a customer base of 2000 installations, I am seeing an average of TWO INFECTIONS A DAY! Stoned, Stealth, HBD Joshi, Musicbug, some Jerusalem, and an occasional disk-killer.

Have incidences of infection generally increased? Or do I just happen to work for a company in VERY infected straits?!?

-djk
-----------------------------------------------------------------
Daniel J. Karnes / WA6NDT -- djk@netcom.com / djk@TASP.NET ------
-----------------------------------------------------------------
-- Infinitely inconclusive.. -djk -------------------------------
-----------------------------------------------------------------

------------------------------

Date: Sat, 11 Dec 93 17:12:32 -0500
From: src4src!ktark@imageek.york.cuny.edu (Karl Tarhk)
Subject: Virus/gun analogy doesn't work

In reply to: ksaj@pcscav.com (OS R & D)

>Most virus writers I have met are fairly cunning people. I think that
>if an argument is to be made to validate the writing of viruses, the
>'gun' analogy must go. A more 'cunning' argument is needed.

No one here is trying to 'validate' the writing of viruses, I am just pointing out the warped logic used to against virus writing.

>The problem is this: You must have a *license* to sell guns, and you
>must have a *license* to buy guns. Taking that into consideration,
>the argument then becomes:

wrong! there are a lot of places in the world where you DON'T need a license to buy or sell guns. To go from general to specific does not help matters in this case.

>'If I was a *certified* gunsalesperson [politically correct, I guess],
>and I *legally* sold a gun to someone who was *legally* entitled to
>use one, and they shot somebody with it, I cannot be charged for their
>wrongdoing.'

Of course not. The point here is not distribution, the point here is the making and creating of viruses. Distribution of viruses is another story.

>This is still true, but, put this into virus terms, and we have a
>problem.
>'If I was a *certified* virus-writer, and I *legally* sold a virus to
>someone who was *legally* ... ' The finish isn't necessary. It is
>painfully obvious that this argument needs revision.

Not really, you are just viewing things from the wrong angle! There is no such thing as a 'certified virus-writer'! , there will never be!! This scenario is far off from the deed of just writing viruses and being responsible about their distribution.

>How about if I 'legally installed', ummm, 'legally spread'. This just
>doesn't work for me.
> [deleted]
>I am simply stating my opinion
>on a heavily flawed, and overused analogy.

NO, this is a favorite analogy preferred by 'AntiVirus' types as they often stigmatize viruses as dangerous things, much like weapons. As I said it has yet to be proven that viruses are inherently destructive!

ktark@src4src.linet.org

------------------------------

Date: Sun, 12 Dec 93 19:56:25 -0500
From: mikehan@kaiwan.com (Mike Hanewinckel)
Subject: Re: Liabilities

: >And we all know that there is a few CARO virus collections floating
: We do ? Unfortunately, there is no such thing as a "CARO virus collection".
: There are several different collections in existence - some of which happen
: to be owned by a caro member. If you have any evidence any of those
: collections are "floating around in the wrong places", please prove that - or
: consult a lawyer before you make claims like this again.
: (This does not mean
: that there have never been "leaks" from the research community to the
: "underground"...but they seem (fortunately) to be a thing of the past).

Well, I think most of us have seen or own a copy of a certain collection, known as "the Goat Collection" which claims to have originally belonged to a certain well-known member CARO.

-MH

------------------------------

Date: 14 Dec 93 09:50:10 -0800
From: seank@nermal.santarosa.edu (Sean Kirkpatrick)
Subject: Re: Liabilities

Fridrik Skulason (frisk@complex.is) wrote:

[Fridrik is responding to another poster, whose name I should have preserved, but didn't. Mea Culpa.]

: >You are assuming something that can NOT be proven: Computer viruses
: >are inherently destructive.

This is false; viruses are not inherently destructive. It is only the application of malicious code within the virus that causes it to be destructive. That history shows that most viruses to date does not prove the point that all viruses are malicious.

: It is ? Please prove it.
: By my definition, a computer virus has to modify something in order to spread.
: The modified object may no longer work properly - so even if the virus is
: intended to be harmless, that is unfortunately never the case.

That a virus spreads by modifying some other program is not debatable. That the resulting changes to the infected program are good or bad can be discussed only in the context of the behaviour of that newly infected program, and in the way that the infection was carried out.

If the infection causes deliberate or accidental destruction or otherwise interferes with the system, then I think one could safely say that the infection is destructive.

On the other hand, if the infection causes some benefit to system operation, such as compressing or decompressing executables to free up disk space, then I doubt that anyone could claim that the behaviour was destructive provided, however, that it was not done in a way that obscured what was happening from the user.

Of course, there could be bugs in a beneficial virus which could cause malicious results; i.e., loss of functionality. Does this mean that the virus is destructive? I'm not sure; all software has bugs. Are problems caused by buggy software destructive? Perhaps not for my word processor, perhaps so for a Boeing 757 Flight Control System.

Cheers!

Sean

------------------------------

Date: 14 Dec 93 09:55:54 -0800
From: seank@nermal.santarosa.edu (Sean Kirkpatrick)
Subject: Re: Freeware distribution of anti-virus software

Fridrik Skulason (frisk@complex.is) wrote:
: halew@jupiter.sun.csd.unb.ca (R. Wallace Hale) writes:
: >It seems to be working quite well for Frisk et al...
: Well....I'm not complaining. $1 per machine (and free for private use)
: may not seem likely to generate much income, but well...there are just so
: many computers out there ... :-)
: However - I must admit that when this started I never expected to celebrate
: the registration of the millionth copy :-)

By the way Frisk, I want to thank you for the way in which you are addressing this problem. Unlike others in the business, your policy of distribution is, I think, one of the finest examples of users helping users that I have ever seen. Your efforts are commendable, and I wish there was an award that you could receive for your contributions.

Last year about this time, I did some research for a Bank that I was consulting for, and discovered that the FPROT engine was used in about 6 or 7 of the top 10 commercial virus scanners. Based on my own testing for the Bank, FPROT compared favorably in terms of performance.
But your product stood heads above *any* other package in terms of your licensing policies. I sincerely hope that my recommendation that they license your product was taken.

Cheers!

Sean

------------------------------

Date: Tue, 14 Dec 93 14:38:13 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Liabilities

Fridrik Skulason (frisk@complex.is) writes:

> By my definition, a computer virus has to modify something in order to spread.
> The modified object may no longer work properly - so even if the virus is
> intended to be harmless, that is unfortunately never the case.

Ummm, I kinda disagree with the above. Not every program that causes modifications is harmful - otherwise you'll rule out as such almost any program on my disk. I would put the emphasis on *authorization*. That is, every program that causes *unauthorized* modifications AND/OR interruptions is harmful.

The "and/or" part is needed for those viruses that ask for permission before infecting a file. They *can* cause harm, for instance in a real-time application that controls some life-critical installation. Interrupting the application with the question "May I infect that file? (Y/N)" might have disastrous consequences.

And, the word "unauthorized" in the above definition applies *both* to "modifications" and "interruptions", in case this is not clear from the context.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Sat, 11 Dec 93 14:06:08 -0500
From: Chua Keng Ngee
Subject: re: Any reviews of InVircible/V-Care ? (PC)

From: howard@ccu1.auckland.ac.nz (Howard Ross)

> We have recently been approached by someone selling InVircible by NetZ
> Computing Ltd. of Israel.
> I understand that this product was previously
> marketed as V-Care by CSA Interprint of Israel.

[ Talk about search for a reputable review DELETED ]

> InVircible looks very attractive because it employs generic defences
> against viral attack. Because it does not use scanning, it doesn't fall
> into obsolescence. It boasts high speed, ease-of-use, unobtrusiveness,
> and a high rate of restoration/disinfection.
> Can the labelling on the package be believed?

Well, I can only point out an oddity I discovered after install.exe has finished the installation. The size of files inoculated by CPAV were decreased by 5 bytes. Is this normal ? I use Stacker 3.0, Dos 5.0, and InVircible version 5.01.

Untouchable reported, for example:

--------------------------------------------------------------------
File: C:\PCTOOLS\cpav.exe
* File size decreased by 5 bytes (from 198,865 to 198,860 bytes).
* WARNING: Last modification date was not changed!!
ACTION: Alert ignored. This alert will be generated again.

File: C:\PCTOOLS\vwatch.com
* File size decreased by 5 bytes (from 32,155 to 32,150 bytes).
* WARNING: Last modification date was not changed!!
ACTION: Alert ignored. This alert will be generated again.
--------------------------------------------------------------------

By the way, has anyone done a good/detailed review on Invircible yet and is 5.01 the latest version ? TIA.

> -- Howard
> - --
> + Howard Ross, +
> + Computer Centre, University of Auckland, +
> + Private Bag 92019, Auckland, New Zealand FAX: +64 9 373-7425 +
> + e-mail : H.Ross@auckland.ac.nz Phone : +64 9 373-7999 ext. 5830 +

Chua Keng Ngee aka KENNY, KENG NGEE
e-mail : isc00272@leonis.nus.sg

------------------------------

Date: Sat, 11 Dec 93 22:15:49 -0500
From: Allen Taylor
Subject: Re: Any reviews of InVircible/V-Care ? (PC)

I also am skeptical of the claims made by Netz; No virus infection on any machine that is protected with their package and no updates in the last three years [??].
I also am looking for a solid review. My questions to McAfee about Adaptive expert Systems [and to Patricia Hoffman of VSUM fame] have gone unanswered, so far.

------------------------------

Date: Sat, 11 Dec 93 23:29:48 -0500
From: al026@yfn.ysu.edu (Joe Norton)
Subject: Re: Scanning archives with F-PROT (PC)

There is a program called ZZAP which is 100% configurable. It allows any scanner, any archiver including new ones, etc... It is available many places as ZZAP66a.ZIP, though a newer version may be out by now.

------------------------------

Date: Sun, 12 Dec 93 13:22:21 -0500
From: Allen Taylor
Subject: Re: McAfee VSHIELD vs Frisk VIRSTOP ??? (PC)

why not use ThunderByte? I find its options are more than enough to accommodate highmem concerns.

------------------------------

Date: Mon, 13 Dec 93 00:43:26 -0500
From: uttsbbs!steven.hoke@pacbell.com (Steven Hoke)
Subject: Scanning archives with F (PC)

TO:ALL

alm@sotona.phys.soton.ac.uk was heard to say on 12-10-93:

A>I am looking for a program which will allow me to scan inside
A>archives (ZIP, ARJ, ZOO etc.) with F_PROT. I have found a number
A>which will use McAfee's SCAN, but are not configurable.

Shez will do that. I have mine configured to use F-Prot rather than Scan. If you want to scan more than standard executables, such as .DLL, 386, or whatever, select "A" for all in SHEZCFG under which files to scan, and specify your desired extensions with /EXT= in the command line field. If you want to scan more than what SHEZ considers standard executables, and don't tell SHEZCFG to extract all, it won't extract them for F-Prot to scan.

steven.hoke%uttsbbs@ness.com
-=Steve=-
--- CmpQwk 1.31 #408 . Erg - unit of work. Argh - unit of frustration.
----
+------------------------------------------------------------------------+
| The Transfer Station BBS (510) 837-4610 & 837-5591 (V.32bis both lines)|
| Danville, California, USA. 1.5 GIG Files & FREE public Internet Access |
+------------------------------------------------------------------------+

------------------------------

Date: Mon, 13 Dec 93 00:43:42 -0500
From: uttsbbs!steven.hoke@pacbell.com (Steven Hoke)
Subject: QUESTION: F-PROT virs (PC)

TO:ALL

VESSELIN BONTCHEV was heard to say on 12-10-93:

VB>> I run in MS Windows most of the time. I know that F-PROT's virstop
VB>> scanning utility won't pop infection alerts into Windows. I'm

VB>The VirStop that comes with the commercial (professional) version
VB>will. It would be really nice if this could be included in the
VB>shareware version too. However, this particular feature has been
VB>developed not by Frisk, but by his Finnish distributor (Data
VB>Fellows), so I guess the decision does not depend only on him.

I called the U.S. rep about that a few weeks ago, and found out that unfortunately they don't have free monthly updates for the professional version. You either have to pay for each monthly update, or get a yearly subscription service (cheaper than ordering each monthly update).

I continue to use NAV (3.0 now that I have NDW 3) resident to get any infection report while I'm in Windows, which is most of the time (they have free monthly signature updates on their BBS). It won't find as many viruses as F-Prot can, but getting a strange beep (if you even notice it) that wasn't passed to a Window's dialog box doesn't help either because you're unlikely to know what caused it and will usually continue working (and possibly infecting). Since I still scan all incoming files with F-Prot using SHEZ for automated scanning of archives, I'm not too worried about anything that NAV 3.0 would miss.
If the Virstop with the professional version is like the regular version (in what it will identify), it wouldn't find everything that F-Prot normally would anyway (since I think you mentioned that it uses the same scanning as F-Prot in Quick mode rather than in Secure mode), so I don't think I've lost much in my trade-off. Everything is a trade-off between convenience and ease of use and absolute protection anyway.

VB>VirStop is a resident scanner, and as such it raises an alert when
VB>an infected object is accessed or about to be executed. Windows
VB>probably "steals" control from it, or just prevents the alerts from
VB>being displayed, but when you exit from Windows, everything should be
VB>as before.

If you do most of your work in Windows (like I do), it might be a very long time before you exit Windows and see that message though. You could have been infected all day, while you continued along in your work, infecting more files as you went, and possibly spreading the infection to another machine through a floppy. OTOH, if you don't work in Windows much, I imagine it wouldn't be much of a concern.

steven.hoke%uttsbbs@ness.com
-=Steve=-
--- CmpQwk 1.31 #408 . Enter any eleven digit prime number to continue...
----
+------------------------------------------------------------------------+
| The Transfer Station BBS (510) 837-4610 & 837-5591 (V.32bis both lines)|
| Danville, California, USA. 1.5 GIG Files & FREE public Internet Access |
+------------------------------------------------------------------------+

------------------------------

Date: Mon, 13 Dec 93 14:05:40 -0500
From: aniello@remus.rutgers.edu (Vin Anielo)
Subject: MSAV Strings Being Picked Up By SCAN (PC)

I use posted this in a virus conference that I read on a local BBS...

-------------------------------------------------------------------------------
Is anybody out there aware of the virus which is embedded in MS-DOS 6.00 and later?
It's some kind of WeIrD modification of an older boot sector virus known as "1226". I could only isolate it in MWAV.EXE and MWAVSCAN.DLL. As far as I can tell, neither file was altered performance-wise(MWAV saved me from many disks infected with stoned.NoInt). Another odd feature of the virus is that I have found NO way to detect and remove this virus EXCEPT with an old version of McAfee's CLEAN, specifically v67(it came packaged in a ZIP called CLEANP67.ZIP). This virus has occurred both on my computer, which is now DOS 6.20, and on some other computers I have access to with DOS 6.00. Does anybody know what this virus does?
===============================================================================

I told him that it was probably just an old version of Scan picking up the unencrypted virus signatures of MSAV. Is my conclusion correct?

Thanks.

V/ (aniello@remus.rutgers.edu)

------------------------------

Date: Mon, 13 Dec 93 10:59:14 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Windows viruses? (PC)

cs05050@s1.csuhayward.edu (Bradley) writes:

>What is the name of that one? The names that I was given are:
> Winvir and Twitch.
>I looked in the F-PROT definitions, but they weren't listed.

The virus list in F-PROT only includes half of the viruses the program detects...there is a major revision of the virus database under development.

We added detection of Winvir several versions ago...not sure about Twitch, I have to check what that is....

-frisk

------------------------------

Date: Tue, 14 Dec 93 04:20:32 -0500
From: "Jorgen Olsen"
Subject: Re: F-PROT 2.10c is out (PC)

In Issue #158 Frisk writes :
______________________________
>Date: Thu, 09 Dec 93 13:09:09 -0500
>Subject: F-PROT 2.10c is out (PC)
>I just released a new version. The main reason was to fix a false alarm in
>2.10 (Keypress virus in a program called EMSLOAD.EXE), but we also added
>identification/detection/disinfection of 50 new viruses or so.
>I am right now uploading the program to the usual distribution sites (primarily
>oak.oakland.edu).
>- -frisk
--------------------------------

I just ftp'ed the thing home - the latest version is '210c' - Oakland does not seem to have reached further than version '210' (Dec 14) while risc.au.edu has '210b' as well as '210c' - available.

Version 210c - gives the following 'non-error message' if you run it in a DOS-window under windows:

Error opening C:\WINDOWS\SYSTEM\USER.EXE
Error opening C:\WINDOWS\SYSTEM\USER.EXE
..
..
etc (in my case a total of 12)

It only means that the files are reserved (e.g. running) and thus not scanned!

By the way Frisk - when will the 'virus data base be updated' ??

- J Olsen

------------------------------

Date: Mon, 13 Dec 93 10:55:44 -0500
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: 'Anti-viral' Viruses (PC).

csc2u2bn@sun.leeds.ac.uk writes:

>I'm working on a final year research project investigating 'useful'
>computer viruses. The project aims to assess the feasibility of
>incorporating simple anti-virus tools into virus code.

Well, to answer this question, one has to first define "virus"....if the definition is only based on the ability to replicate, then I can think of a working, semi-useful application - an anti-virus program that "spread" over a network, in order to make sure that all users were running the most up-to-date version. Of course, this would be called something different "Automatic updating" or whatever, but I guess Fred Cohen would still consider it a virus.

However, regarding anti-virus technology included in more "traditional" viruses...infeasible, impractical, and (in some countries) probably illegal as well..

-frisk

------------------------------

Date: Mon, 13 Dec 93 21:40:36 +0000
From: andre@waterloo.hp.com (Andre Straker-Payne)
Subject: MegaLoad (PC)

Does anyone out there know of a virus checker by the name of Megaload?

Andre

------------------------------

Date: Tue, 14 Dec 93 00:39:18 +0000
From: byng@solomon.technet.sg (Ng Bee Yong)
Subject: Nice Day Virus (PC)

Has anyone come across Nice Day virus? Any info is appreciated. Thks.

------------------------------

Date: Tue, 14 Dec 93 04:27:20 -0500
From: "Jorgen Olsen"
Subject: Monkey business (PC)

The easiest way to get rid of Monkey is to use 'Killmonk' - a special program. Current version that has been announced here is KILLMNK3.ZIP - available from all site on the net that has anti-virus software!

According to Frisk current version of f-prot (210c) is able to deal with the Monkey virus - if you believe differently after having tried - send him a mail.

Personally we cannot verify it - enthusiastic people eradicated all infections without leaving me a copy - No thanks, do NOT try to send me a copy!!

J Olsen
DOU, Odense

------------------------------

Date: Tue, 14 Dec 93 00:15:12 -0500
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Windows viruses? (PC)

Bradley wrote:
>What is the name of that one? The names that I was given are:
> Winvir and Twitch.

Winvir is more like a Windows aware virus. It does not actually infect Windows executable files.

Twitch is supposed to be able to infect Windows .EXE's, but I've yet to see it replicate. The sample I have seen was definitely a Windows file, though.

--
-- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
Computer Science, University of California, Riverside.

------------------------------

Date: Tue, 14 Dec 93 12:49:22 -0500
From: hstroem@ed.unit.no
Subject: Re: New (?) variant of Stoned virus (PC)

Ted Goldstein writes:
>F-PROT 2.10 did see something, but mis-identified it as a new varient of stoned.

The Monkey virus, as you referred to it, is indeed a variant of stoned. Whether the monkey variants are new or not is more of a relative question.
The full name (CARO-standard) for these viruses are Stoned.Empire.Monkey.A and Stoned.Empire.Monkey.B. I don't know if other Monkey viruses than these two exist.

Conclusion: F-Prot 2.10 did not mis-identify the virus. It just failed to determine the exact variant of that virus-family. An other scanner might have called it Stoned, thus giving you a choice of over 100 variants to pick from ;-)

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Tue, 14 Dec 93 14:32:50 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Removing the Moctezuma virus (PC)

eugene (eugene@kamis.msk.su) writes:

> Stop! Wait a moment! I found a bug in Moctezuma removing procedure. It
> can cause incorrect restoring CS and SS fields in EXE header in some
> cases.

Ooops. :-( The bug doesn't seem to occur often, because I did check the CS:IP fields of the disinfected files during my experiments and they were OK. I also checked whether the virus is removed from the file - it was. I did not check the SS:SP fields, though.

> Next update (next week, I hope) will disinfect all curable
> viruses (including polymorphic MtE, TPE, Tremor ....) without errors.

I received the update from Eugene and it is now available from our anonymous ftp site. The full reference is

ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp_upd.zip

Note: this is *only* the update. You still need to download the main package - 1.07b (in avp_107b.zip). This update updates it to 1.07c. The updates do not change the version numbers, and besides, the letters are not present in the version number. The letters in the version change when only the database with virus detection/removal information is updated, while the numbers change when the executables are updated too. In particular, version 1.07b means "version 1.07 of the executables, with the database updated once".

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Tue, 14 Dec 93 14:43:35 -0500
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: HELP! Filler/Swedish Disaster Attack. (PC)

greve@wharton.upenn.edu (greve@wharton.upenn.edu) writes:

> I need some help. Yesterday when I started up my office machine
> VI-SPY detected two viruses FILLER and SWEDISH DISASTER. I checked the
> machine with SCAN109, it told me I had the FILLER virus but didn't say
> anything about SWEDISH DISASTER. Both programs told me to boot with
> a clean disk and rescan. I did this and rescanned but both programs
> failed to detect ANY viruses. When I start the machine from the
> hard disk I get the virus warnings again.

Sigh... This *ought* to go in the FAQ. Yes, I know that something like that is mentioned there, but it needs more straightforward explanation.

In short: you very probably don't have a virus. Check your CONFIG.SYS and AUTOEXEC.BAT files. Very probably, you start a program from one of them. This program is called VSAFE. Remove it from those files and the problem will go away. This is called "ghost positive" and the term *is* explained in the FAQ.

> Can anybody tell me anything about these two viruses. I printed out

It doesn't really matter. You almost certainly don't have them.

> the scan109 virus list text file and SWEDISH DISASTER isn't on the list.
> VISPY may call it SWEDISH DISASTER but what does SCAN call it? Why

SCAN 109 calls it "Stoned [Stoned]". That is - it doesn't distinguish it from the real Stoned virus, of which this is a variant. But you are not infected.

> scan my hard drive. How can I get rid of these viruses. Windows

Get rid of VSAFE and all the rest of the package that accompanies it, whether it is called CPAV or MSAV or TNTVIRUS or whatever.

> no longer runs on my machine and I don't know if it's related to these
> viruses or not. Any help will be appreciated.

It is almost certainly not related to this problem.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

------------------------------

Date: Mon, 13 Dec 93 05:01:59 -0500
From: hstroem@hood.ed.unit.no
Subject: Announcing HS v3.5, Anti-boot virus program (PC)

*** Announcing HS v3.5, Anti-boot virus program ***

This is a major upgrade. The previous version released on the Internet was v3.2 (a year ago). Viruses like the russian Strange using hardware stealth, and Stoned.Empire.INT_10.A and B using a new un-named stealth technique, has made it necessary to implement some new lines of defense.

Version 3.5 will after installation detect all known boot infectors as of today. Any boot infector will automatically be removed to bring the system back to a virus-free condition. HS will probably also detect and remove many future boot viruses.

Loaded as a device driver from the CONFIG.SYS it uses approximately one second to check if the boot sectors are infected. No memory is used, as it does not need to be resident to ensure a boot virus free system. The main program, HS.SYS, is less than 5 KB in size. Speed and size are the result of writing everything in assembly language.

This version of HS should be compatible with MS-DOS 3.2 --> 7.0, PC-DOS 3.2 --> 6.1, as well as with DR-DOS 6.0. Machines using the BootManager that comes with OS/2, as well as machines using Windows NT's Flexboot may also use HS, when booting DOS.

Using this program together with one of the top virus scanners might be the ideal anti-virus setup for most personal computers. This is what I had in mind when I created it, and it has proven to be very successful at the local university. Boot virus related problems only have to be fixed manually at times when a virus causes the machine to crash before the HS.SYS program has a chance to run. The recovery is then performed by inserting a DOS system disk containing a CONFIG.SYS that executes the HS.SYS from the floppy.

HS v3.5 has been uploaded to several major anti-virus archives, and should be available by FTP and E-Mail shortly.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Sat, 11 Dec 93 18:06:13 -0500
From: tyetiser@gl.umbc.edu (Mr. Tarkan Yetiser)
Subject: New anti-virus package announcement (PC)

Hello everyone,

The new VDS (Virus Detection System) 3.0c Shareware Edition is uploaded to Oak and some of its mirrors; the file name is VDS30C.ZIP. This release of the package is intended to allow potential customers to evaluate the suitability of the product to their needs. It is a fully functional copy that lacks a few features of the Pro version (see the docs for details).

Most of the package is re-written to address some of the compatibility issues that emerged within the last year. VDS is now Windows 3.x and DoubleSpace(TM) compatible, and it offers better network support.

VDS 3.0c includes a fast virus scanner, a robust integrity checker with anti-stealth capability, a generic virus remover, external signature support, emergency diskette preparation, a very versatile decoy launcher, a low-level disk recovery tool, readable documentation, excellent Netware support (not just compatible), automatic and semi-automatic installation (with de-install feature), and a redesigned object-oriented (seriously) user interface.

VDS 3.0 emphasizes integrity checking, but also provides known virus scanning.
Its catalog-based integrity database supports both DOS drives and Novell volumes. Newly-added installation program simplifies protecting workstations by offering complete electronic distribution and configuration options. Once in place, VDS can perform periodic (user-definable) integrity checks and scans without further user intervention.

System requirements:
   IBM PC compatible computer
   Hard disk (for integrity checker) with 512K free space
   420K of memory available
   Optional 192K extended memory for large catalogs
   MS/PC-DOS 3.0 or later

If you are looking for a comprehensive and up-to-date anti-virus package, we invite you to try VDS. It's only an FTP away! Let us know what you think.

Regards,

Tarkan Yetiser
tyetiser@umbc8.umbc.edu
VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228, U.S.A.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 159]
******************************************
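
Added example, not part of the original digest and not code from any product named in it: the "MSAV Strings Being Picked Up By SCAN" message attributes an alert to one scanner matching another product's unencrypted signatures. The sketch below reproduces that effect with a naive string scanner and shows that encoding the stored table removes the match while the table stays usable; the byte patterns, record layout, XOR key and file contents are all constructed assumptions.

```python
# Added illustration. Every name and byte pattern here is constructed;
# none of them is a real virus signature or a real product's file format.

SIGNATURES = {
    "Demo.A": bytes.fromhex("deadbeef01020304"),
    "Demo.B": bytes.fromhex("cafebabe0a0b0c0d"),
}
XOR_KEY = 0x5A  # assumption: any reversible at-rest encoding would do


def scan(data, signatures):
    """Naive string scanner: names of all signatures found anywhere in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def pack_table(signatures, key=0):
    """Serialize as [name_len][name][pat_len][pattern XOR key]; key=0 is plaintext."""
    out = bytearray()
    for name, pat in signatures.items():
        raw = name.encode("ascii")
        out += bytes([len(raw)]) + raw
        out += bytes([len(pat)]) + bytes(b ^ key for b in pat)
    return bytes(out)


def unpack_table(blob, key=0):
    """Inverse of pack_table: recover usable signatures from a stored table."""
    sigs, i = {}, 0
    while i < len(blob):
        n = blob[i]
        name = blob[i + 1:i + 1 + n].decode("ascii")
        i += 1 + n
        m = blob[i]
        sigs[name] = bytes(b ^ key for b in blob[i + 1:i + 1 + m])
        i += 1 + m
    return sigs


def build_product_file(table):
    """Constructed stand-in for another anti-virus product's data file."""
    return b"constructed-header" + table + b"constructed-trailer"


def demo():
    # A second product shipping its signature table in the clear.
    plain_file = build_product_file(pack_table(SIGNATURES))
    # The same product with its table encoded at rest.
    encoded_table = pack_table(SIGNATURES, XOR_KEY)
    encoded_file = build_product_file(encoded_table)
    # Constructed sample that really contains the Demo.A pattern.
    sample = b"\x90" * 16 + SIGNATURES["Demo.A"] + b"\x00" * 16
    decoded = unpack_table(encoded_table, XOR_KEY)
    return {
        # The clean product file is flagged for every pattern it stores.
        "plain_product_file": scan(plain_file, SIGNATURES),
        # Encoded at rest, the same table no longer matches.
        "encoded_product_file": scan(encoded_file, SIGNATURES),
        # Decoding gives back exactly the original signatures...
        "roundtrip_ok": decoded == SIGNATURES,
        # ...so detection of the real pattern is unaffected.
        "sample_with_pattern": scan(sample, decoded),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```
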