Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
	id AA05183; Mon, 8 Feb 1993 22:46:43 +0100
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA29307
  (5.67a/IDA-1.5 for <mikael@abacus.hgs.se>); Mon, 8 Feb 1993 15:55:50 -0500
Date: Mon, 8 Feb 1993 15:55:50 -0500
Message-Id: <9302082003.AA03078@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@cert.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #21
Status: R

VIRUS-L Digest   Monday,  8 Feb 1993    Volume 6 : Issue 21

Today's Topics:

re. Patriotic Virus Writers
general entertainment
Re: On the definition of viruses
Re: scanners.
Viral antivirals - one vote against
Re: scanners.
Re: Sale of Viri
Re: What is a virus ?
Re: scanners.
Virus Stats Wanted
Re: + - viruses
Virus Friendly AV Software (PC)
Michelangelo Virus (PC)
Zerotime/Slow virus (PC)
Virus scan on a compressed drive (PC)
Re: Virus scan on a compressed drive (PC)
Re: NAV questions (PC)
CMOS virus? (PC)
New files on phil (PC)
Worm wannabe - "WANK" (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name.  Send contributions to VIRUS-L@LEHIGH.EDU.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 04 Feb 93 07:33:11 -0500
From:    Jagdev Panesar <ada01jsp@scorpio.gold.ac.uk>
Subject: re. Patriotic Virus Writers

Regarding the item in the Digest V6 #16, it was reported in the
British press on 3-feb-93 that 6 members of this 'ARCV' group have
been arrested.  The report says that the group may have written 30-50
relatively harmless viruses, distributed via bulletin boards, some of
which have spread e.g. to Ohio.

No charges have been made as yet, but the equipment has been seized
and the viruses are being analyzed.

------------------------------

Date:    Thu, 04 Feb 93 13:39:04 +0000
From:    kelty_h@aci_1.aci.ns.ca (KELTY HAMILTON)
Subject: general entertainment

	Just mentioning a good virus article in the February "Discover"
magazine.  Thought you virus fanatics would be interested in its coverage
of virus origins.

------------------------------

Date:    Thu, 04 Feb 93 12:54:20 -0500
From:    Y. Radai <RADAI@vms.huji.ac.il>
Subject: Re: On the definition of viruses

  Concerning the alternative argument which I gave for undecidability
of virushood (? virality?) of a program, Jerry Leichter writes:

>There are at least two problems with this approach:
>
>	- It has nothing to do with viruses!  Suppose I attempt to recognize
>		"programs that print the number 4".  What does "print the
>		number 4" mean?  Well, it might mean "ALWAYS prints 4" or
>		"SOMETIMES prints 4" or "in some well-defined circumstances
>		prints 4".  But the program
>			if <condition> then print 4
>		cannot be computably tested under ANY of these definitions.
>		The non-computability is in the <condition>; the fact that
>		you can attach it to just about any predicate says nothing
>		about the predicate.

Correct, but my argument was proposed as an alternative to Fred's
informal proof of undecidability, which goes something like this:
  Suppose there were a function D which inputs a program file p and
which always halts, correctly outputting 'true' whenever p is a virus
and 'false' whenever it isn't.  Then let P be a program consisting of
only the following code:
                       If not D(P) then infect
Now (1) if D(P) = true, then P does nothing, so P is not a virus, so D
has erred.  (2) If D(P) = false, then P infects, i.e. P is a virus, so
again D has erred.
  My point is that the same comment which you made above, Jerry, ap-
plies just as well to Fred's proof.  So maybe you should redirect that
comment to him.

>	- None of the definitions that Radai gives really tell us what we
>		really want to know about a program.  If the <condition> in
>			if <condition> then <infect>
>		can be satisfied, then certainly we don't want the program
>		around (assuming <infect> is an operation we don't ever want
>		carried out).  If we can prove that <condition> CAN'T be
>		satisfied, then perhaps the thing isn't "really" a virus, but
>		it's still dead code, and we'd prefer that it not be there.
>		However, we can live with it.  (Such code can actually arise
>		as the result of a successful disinfection.)  If we can't
>		prove either that <condition> IS satisfiable, or that it is
>		not, then I can't imagine any circumstances in which we would
>		treat this as anything BUT a virus.

Again, I was writing under the influence of Fred's paper, where the
problem is treated as a theoretical one.  As soon as we turn to
*practical* considerations, the picture changes.  As I've said
previously, if a detector produces no false negatives, and if the
only false positives which it produces are of the above type (i.e.
declaring the program to be a virus even though <condition> is never
satisfied), we would have a very valuable detector indeed.  If you
wish to redefine 'virus' so that these are not even considered false
positives, I won't object too strongly.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

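The informal proof Radai summarises above, run concretely as an added Python illustration (this is not code from the post, nor Cohen's own formulation). It assumes a candidate decider D is any Python callable that always halts, models "infect" as returning True, and builds the diagonal program P as a closure that calls D on itself. The candidate deciders are constructed for the demo; none of them inspects anything virus-specific, which is exactly Radai's point that the self-reference, not the predicate, carries the argument.

```python
"""Cohen's diagonal argument, as summarised in the message above, run concretely.

Constructed illustration: a candidate decider D is a Python callable that is
supposed to always halt; "infect" is modelled as returning True.
"""

def make_diagonal_program(D):
    """Build P = 'if not D(P) then infect' as a closure over the candidate decider."""
    def P():
        # P "infects" (returns True) exactly when D claims P is not a virus.
        return not D(P)
    return P

def check_candidate(D):
    """Run D on its own diagonal program and report how it fails.

    Case (1): D(P) is True, so P does nothing (returns False): D erred.
    Case (2): D(P) is False, so P infects (returns True): D erred.
    A D that merely runs P to watch it recurses forever, so it never halts.
    """
    P = make_diagonal_program(D)
    try:
        verdict = D(P)            # what D says about P
    except RecursionError:
        return "did not halt"     # D ran P, which called D, which ran P, ...
    behaviour = P()               # what P actually does
    return "refuted" if verdict != behaviour else "survived"

def by_running(p):
    """A 'decider' that just executes the program to see what it does."""
    return p()

# Constructed candidate deciders; each halts on its own, none survives the diagonal.
CANDIDATES = {
    "always_true": lambda p: True,
    "always_false": lambda p: False,
    "by_name": lambda p: getattr(p, "__name__", "") == "P",
    "by_running": by_running,
}

def refute_all(candidates=CANDIDATES):
    """Map each candidate decider to 'refuted', 'survived' or 'did not halt'."""
    return {name: check_candidate(D) for name, D in candidates.items()}

if __name__ == "__main__":
    for name, outcome in refute_all().items():
        print(f"{name:14s} {outcome}")
```

Every halting candidate comes out "refuted", and the one that tries to observe P by running it comes out "did not halt"; that is the practical trade-off the rest of the thread turns to, since a real detector must give up either completeness or termination.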
------------------------------

Date:    04 Feb 93 22:23:40 -0500
From:    ac999512@umbc.edu (ac999512)
Subject: Re: scanners.

>I know this is probably a dumb question but I was wondering about the
>realistic aspects of scanners like do they really protect as much as
>some of the people that I have talked to seem to think?  In my opinion
>they are just merely an aid to problem solving and should not be used
>as a general "cure-all"
 
  Well, scanners are fantastic for determining how wide-spread a virus
is on your system, and great for determining just what you've been infected 
with, but you must already be infected for them to aid you in any way. 
They also cannot handle new and unknown viruses. For this reason they
don't make an effective front-line defense. 
 
  Active Monitor TSR programs can help catch a virus in the act, but 
often drastically reduce system performance and memory space. If you are
in a high-risk environment, it can be worth the loss. HOWEVER- Some of
the newer ones are getting more efficient in both speed and size.
 
  It really is a controversial topic as to which virus utilities are
better than others. Just remember that the sheer number of viruses a 
scanner can detect is not the only important factor. You also need to
know how fast it is, how accurately it identifies the virus, how many
false positives you get, how many false negatives you get, whether
or not it can detect the 10% or so of the viruses that are actually
out 'in the wild', etc..
 
  Hope that helps!  :-)
 
 
 
+--------------------------------------------------------+
|  Ed T. Toton III   |  The viruses are coming, Hooray!  |
|  Virus Researcher  |  Hooray! The Viruses are coming,  |
|                    |  Hooray! Hooray!   :-)            |
+--------------------------------------------------------+
 
------------------------------

Date:    Thu, 04 Feb 93 20:49:25 -0800
From:    rslade@sfu.ca
Subject: Viral antivirals - one vote against

There have been discussions on the advisability of using viral programs to
search out other viral programs.  While there are certainly advantages to
using the power of viral replication and propagation, most are unwilling
to risk the possible consequences should the "antiviral virus" develop
bugs or run into an unexpected environment or situation.

I have recently come into contact with a viral antiviral program.  An
Atari lab that I am working with has most of the disks "infected" with 
a program that checks for "executable" boot sectors.  If one is found, it
is replaced with the "antiviral" code.  This is all done "automatically"
without any reference to the user.

(I have not yet been able to identify the specific program.  The only
identification is the message given at boot time:
     "This Anti Virus beeps and flashes
      if the actual bootsector is executable,
      then that might be a Virus:
      Remove this Anti-Virus by reset:")

To date I have not found any way to remove it (not being familiar with
Atari internals), nor has the person who initially installed it. It is
now interfering with some of the systems we need to run: particularly
an MS-DOS emulator.  The "bootable" MS-DOS disks keep getting killed.

==============
Vancouver      ROBERTS@decus.ca         | "Don't buy a
Institute for  Robert_Slade@sfu.ca      |     computer."
Research into  rslade@cue.bc.ca         | Jeff Richards'
User           p1@CyberStore.ca         | First Law of
Security       Canada V7K 2G6           | Data Security


------------------------------

Date:    05 Feb 93 07:45:52 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: scanners.

TAWED@etsu.bitnet (Ed Street) writes:

>I know this is probably a dumb question but I was wondering about the
>realistic aspects of scanners like do they really protect as much as
>some of the people that I have talked to seem to think? 

A scanner does not "protect" you, unless it is actively used to scan all
incoming software before it is used...and even then it cannot "protect" you
against a brand new virus.

However, the authors of scanners, such as myself, are generally able to stay
one step ahead of the virus authors...partly because it takes less time
to distribute a new scanner world-wide, than for a virus to become widespread
by normal means.

Also, as people tend to get hit only by 100 or so of the 2000 PC viruses that
exist, and as those 100 viruses are generally detected by most scanners,
they do, yes, provide a certain degree of protection...if properly used.

-frisk


-- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    05 Feb 93 14:22:47 +0000
From:    Sam Wilson <ercm20@festival.edinburgh.ac.uk>
Subject: Re: Sale of Viri

johan@blade.stack.urc.tue.nl (Johan Wevers) writes:
> frisk@complex.is (Fridrik Skulason) writes:
> >As I have said before - the lack of any action against virus writers
> >is the primary reason why viruses are a problem today.
> 
> Really? Then tell me, how would you take any legal action against virus
> writers? How would you even find them?

From the front page of 'Computing', a UK weekly trade paper (the one
which gave us the recent article on supposed 'mainframe viruses'), 4
February 1993:


"Apache scalps virus cowboys

  "Police raided the homes of suspected computer virus authors across
the country last week, arresting five people and seizing equipment. 
  "The raids were carried out last Wednesday by police in Manchester,
Cumbria, Staffordshire and Devon and Cornwall. 
  "Scotland Yard's computer crimes unit co-ordinated the raids under the
codename Operation Apache. 
  " A spokeswoman for the Greater Manchester Police said: 'The
investigation began in the Manchester area following the arrest of the
self-styled president of the virus writing group in Salford last
December.'
  "Police would not reveal the man's name, but said he had been released
on bail. 
  "Last week's raids led to the arrest of a further two people in
Manchester.  Three other suspects were also arrested in Staffordshire,
Cumbria and Cornwall. 
  "PCs and floppy disks were seized in all the raids. 
  "All those arrested have been released on police bail pending further
investigations."


Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK


------------------------------

Date:    Fri, 05 Feb 93 11:22:41 -0500
From:    "William Walker C60223 x4570" <WALKER@aedc-vax.af.mil>
Subject: Re: What is a virus ?

Referring to my attempt at a natural-language virus definition,
Vesselin Bontchev writes:

> 1) As Dr. Cohen pointed out, "instructions" is not an appropriate
> term. Use "symbols" instead.

> 2) After "certain conditions" I would add " or in a certain
> environment".

Okay.

> 3) Don't like the term "functional duplicate". As you explain further
> in your message, you mean "a copy that might not look the same as the
> original, but which does the same things". What if it doesn't do the
> same things? I would argue that it is possible to make it do more
> things and it is obvious that it is trivial to make it do fewer things...
> That's why I would prefer the term "possibly evolved copy" instead of 
> "functional duplicate".

I thought about this almost immediately after I posted the message, 
but I decided to wait until after the first replies came back before I 
posted anything else.  There is a limit to how much a virus can change 
its functionality, since the "parent" must contain within itself the 
changes it is going to make in the "child," and if the "child" or some 
later generation is going to eventually produce a copy of the original 
"parent," it must contain all the functionality of the "parent" as 
well.  Take, for example, a bipartite (two-part) virus which infects 
files and boot sectors.  The file infector must contain not only the 
functions which infect the boot sector but those which will eventually 
infect files again.  Likewise, the boot infector must contain not only 
the file infector but what will again be the boot infector.  

In this example, neither the boot infector nor the file infector alone 
produce "functional duplicates" of themselves.  Together, though, the 
boot infector and the file infector are considered one virus, designed 
to go through two infection steps, and together as one virus they 
produce a "functional duplicate" of the pair.  With this example, I'll 
agree that my wording "functional duplicate" is poor, but I am at a 
loss to come up with a better term.  I don't think that "possibly 
evolved copy" is suitable, because "evolved" implies an involuntary 
change.  Any functional changes made in the copy will be those which 
have been intentionally coded for the original to make.  

> 4) What is "intercept program execution"? The non-resident viruses do
> not intercept anything; they get executed only when the user runs the
> infected program.

Oh, yes, they DO intercept program execution!  A non-resident virus 
may not intercept DOS interrupts or whatever, but it intercepts the 
call to the original program; otherwise, it would never get executed.  
If a virus doesn't intercept program execution in some way -- ANY 
way -- it would never be run, never spread, and thus not be a virus.

> 5) Don't like the term "executed". What about source files, macros,
> BASIC programs? I would use the term "interpreted" or at least
> "executed or interpreted" instead.

> 6) Since the virus may or may not return control to the original
> infected program, is it worth the effort to include this in the
> definition? Regardless of whether it returns control to the program, it
> will be a virus, if it matches the other parts of the definition.

Okay.

> So, let's try again:

Here goes: 

     A computer virus is a sequence (or sequences) of symbols which, 
     when executed or interpreted under certain conditions or in 
     certain environments, will make a functional duplicate of this 
     sequence (or sequences) and will place this duplicate where it 
     will intercept program execution at a later time under certain 
     conditions.  This is called "replication" and the duplicate 
     retains at least the capability to recursively replicate further.  
     A virus may also have additional functions, but these functions 
     are necessary for something to be called a virus.  

I like your addition about 'replication."

> Hm, still doesn't sound perfect to me...

Me, either, but we'll keep working on it.

- - - - - - - - - -

From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)

> First, my opinion needs to be stated: A worm is not a virus. This is a
> matter of definition and proofs can be generated either way depending
> on definition.
> ...
> On the other hand, a process which copies itself onto a disk and modifies 
> AUTOEXEC.BAT to execute it through a simple append operation would be a worm:
> nothing was *replaced*. On the other hand, if AUTOEXEC.BAT were renamed A.BAT
> and replaced with the malicious code as AUTOEXEC.BAT and the final line 
> called A.BAT, this would be a virus - replacement occurred. 

How many hands do you have?  ;-)

> In simplest terms, a worm propagates through *addition* a virus propagates
> though *replacement* (though it may reschedule the original to avoid 
> detection).

Hmmm... let's see... Suppose a hostile PC program locates a file like 
FUBAR.EXE and *adds* a program FUBAR.COM, which is a duplicate of 
itself, but doesn't *replace* anything.  Is it a "companion worm?"  Or 
suppose a hostile Macintosh program *adds* a WDEF resource, which is a 
duplicate of itself, to the Finder "Desktop" file, but doesn't 
*replace* anything.  Is it a "WDEF worm?"  I think that the boundaries 
have become sufficiently fuzzy to make continued separation between 
"worms" and "viri" purely academic.  But anyway, enough of this....

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) |  "Windows is an excellent anti-
OAO Corporation                        |   virus tool.  As soon as you
Arnold Engineering Development Center  |   get infected, it crashes ...
1103 Avenue B                          |   sometimes even before."
Arnold Air Force Base, TN  37389-1200  |     -- Vesselin Bontchev



------------------------------

Date:    Fri, 05 Feb 93 19:20:47 +0000
From:    X0421DAA@helios.edvz.univie.ac.at
Subject: Re: scanners.

TAWED@etsu.bitnet (Ed Street) wrote

> I know this is probably a dumb question but I was wondering about the
> realistic aspects of scanners like do they really protect as much as
> some of the people that I have talked to seem to think?  In my opinion
> they are just merely an aid to problem solving and should not be used
> as a general "cure-all"

I don't know what the people you talked to think, but a scanner *can not*
and is not intended to be a general "cure-all". A scanner can only
assist you in detecting those computer viruses known to its programmer
at the time when the version of the scanner you are using was released.
Some time ago I asked the manufacturer of a scanner (don't remember who
it was) why most companies highlight their scanners and talk much less
about their checksumming products? He told me that users seem to like
scanners (maybe because it is easier for them to grasp how a scanner
works than a checksumming product).
The big advantage of a checksummer is that it protects you against many
more things than just computer viruses. Disadvantage: Checksumming takes
longer than scanning (at least now; if there are more polymorphic viruses
around, checksumming will be faster at some point)...

Michael Weiner (x0421daa@vm.univie.ac.at, *temporary*)

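The contrast Michael Weiner draws above, run on constructed data as an added Python example (not code from the post, nor from any of the products discussed). The sample files, the "known" signature database, and the two appended payloads are all made up for the demo: a signature scanner sees only the pattern it was shipped with, while a checksummer taken on the clean system reports every change, known or not.

```python
"""Signature scanning versus checksumming, run on constructed sample files."""
import hashlib

# Constructed sample "files" as they looked on a known-clean system.
CLEAN_FILES = {
    "COMMAND.COM": b"MZ\x90\x00" + b"constructed command interpreter " * 4,
    "EDIT.EXE":    b"MZ\x90\x00" + b"constructed editor " * 8,
    "README.TXT":  b"plain text, never executed",
}

# Constructed scanner database: the patterns "known" when the scanner shipped.
KNOWN_SIGNATURES = {"Sample.A": b"SAMPLE-A-PAYLOAD"}

def signature_scan(files, signatures=KNOWN_SIGNATURES):
    """Report files containing any known pattern; anything newer is invisible here."""
    return {name: virus
            for name, data in files.items()
            for virus, pattern in signatures.items() if pattern in data}

def digest(data):
    return hashlib.sha256(data).hexdigest()

def make_baseline(files):
    """Record one digest per file. Only meaningful if taken while the system is clean
    and kept where nothing on the machine can rewrite it (write-protected floppy)."""
    return {name: digest(data) for name, data in files.items()}

def checksum_compare(baseline, files):
    """Report every change since the baseline, whatever caused it."""
    return {
        "changed": sorted(n for n in files
                          if n in baseline and baseline[n] != digest(files[n])),
        "added":   sorted(n for n in files if n not in baseline),
        "missing": sorted(n for n in baseline if n not in files),
    }

def simulate_infection(files):
    """Constructed changes: one known appender, one unknown appender, one dropped file."""
    infected = dict(files)
    infected["COMMAND.COM"] = files["COMMAND.COM"] + KNOWN_SIGNATURES["Sample.A"]
    infected["EDIT.EXE"] = files["EDIT.EXE"] + b"NEVER-SEEN-BEFORE-PAYLOAD"
    infected["HIDDEN.SYS"] = b"constructed dropped file"
    return infected

def compare_approaches():
    """Run both techniques over the same after-the-fact picture of the disk."""
    baseline = make_baseline(CLEAN_FILES)
    infected = simulate_infection(CLEAN_FILES)
    return {"scanner": signature_scan(infected),
            "checksummer": checksum_compare(baseline, infected)}

if __name__ == "__main__":
    for approach, result in compare_approaches().items():
        print(f"{approach}: {result}")
```

The checksummer's reports also include legitimate updates, so every flagged file still needs a human or a scanner to say what changed; that is the cost behind Weiner's remark that checksumming "protects you against many more things".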

------------------------------

Date:    Fri, 05 Feb 93 20:01:14 +0000
From:    Eriq_Neale@unt.edu (Eriq Oliver Neale, ACS)
Subject: Virus Stats Wanted

From the "I don't know where else to look" department:

Is there anyone or any place that is a repository for virus stats, as in 
estimated numbers of computers infected, that kind of thing, for 1992 or the 
few years previous? I've been asked to give my virus presentation for 
another class at the University in a few weeks, and since I've not updated 
the presentation in a couple of years (and I have a few weeks to prepare), I 
thought I'd try to get some more up-to-date numbers. 1992 is particularly 
interesting to me because of the Michelangelo scare, but I'd be happy for 
anything more recent than 1989.

The class I'm giving this presentation to is an information retrieval class, 
and the instructor has told me that the general attitude of the class 
towards viruses and the seriousness thereof is rather "pooh-poohed." Needless 
to say, I'd like to try to change their minds for good.

Though I've been pretty good of late keeping up with reading news, anything 
could change and I might not get back to read responses on the net, so 
please post them here, but e-mail me also.

Thanks so much for the valuable pointers!

- -Eriq

 Eriq O. Neale                              BITNET : LIPS@UNTVAX
 Lab/Network Manager                      Internet : neale@unt.edu
 Academic Computing Services               Ma Bell : (817) 565-4808
 University of North Texas                  finger @lipsmac.acs.unt.edu
"If I got paid for what I say, I'd either be very rich, or very quiet!"

------------------------------

Date:    05 Feb 93 17:35:18 -0500
From:    ac999512@umbc.edu (ac999512)
Subject: Re: + - viruses

Ok, I've been reading the messages going back and forth for quite a while
here about what is the best definition for a virus. Well, here's one for
you all to look at...


     A computer virus is a sequence of instructions or symbols which,
   when executed or interpreted under certain conditions and in 
   certain environments, will be capable of producing a functional 
   offspring, with possible evolution and/or modification, which is 
   also capable of replication and propagation, and will be capable 
   of placing this offspring where it will have a possible chance of 
   being executed and/or interpreted at a later time under the same 
   or different conditions and/or environments. Viruses must also 
   have been constructed/designed with the original intent (unless
   designed by something other than a human being) and functional 
   capability to replicate and propagate within a certain environment
   and under certain conditions without the consent or knowledge of 
   any user, beyond the initial release of the virus into said 
   environment. A virus may also have additional functions or 
   processes, but only the above functions and processes are 
   necessary for something to be considered a virus.  


Ok, now it's time for me to go run, duck, and
hide before I get hit with a barrage of scrutiny! :-)


+-------------------------------------------+
|  Ed T. Toton III,  Virus Researcher       |  
|- - - - - - - - - - - - - - - - - - - - - -|  
|  "SENILE.COM" found, insufficient memory  |
+-------------------------------------------+

------------------------------

Date:    Thu, 04 Feb 93 02:19:33 -0500
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: Virus Friendly AV Software (PC)

             Another Virus Protection Program!

Recently contacted by a user with a number of Mitac PCs.  He reported
that if he ran VET on the PCs, after booting from the hard disk, it
reported top of memory was 9F80, & Stoned virus was active in memory,
but MBR was "unknown, but seems OK".  However if he booted from clean
DOS disk there was no sign of virus.

At first I thought he must have had a new strain, but then he
mentioned "Mitac Antivirus", so I got him to install VET, and send me
the reference disk, which has copies of both boot sectors.

The MBR was clearly highly non standard, with "ANTIVRUSSYS" at offset
4 and messages about this being invalid at the end.  The partition
information appeared to be intact (apart from one sector having been
reserved) and the sector was almost completely full of code.

The program appears to start by loading part of the directory, and
looking for the entry ANTIVRUS.SYS.  If it finds this it loads three
more sectors (presumably this file), starting at 8000. It checks that
each starts with a particular word before loading the next.

If it is happy it jumps to the start of the file.  Otherwise it loads
a sector from one past the last sector of the partition, writes it to
the MBR and warns "File C:\ANTIVRUS.SYS is invalid or not found!
Press a key!"  When the user replies it runs the rewritten sector.
Presumably this is a copy of the original MBR.

It is not clear whether the program ANTIVRUS.SYS includes a copy of
the MBR, or whether it loads it from the end of the partition.  What
is clear is that it does not bother to check it for viruses before
saving it, and that if it is installed on an infected PC it hides the
virus very effectively!

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727

------------------------------

Date:    04 Feb 93 13:40:00 -0600
From:    "WEINBERG RAINA" <MCSWEINBERG@memstvx1.memst.edu>
Subject: Michelangelo Virus (PC)

I am writing an article for our Campus Paper on the Michelangelo Virus;
could someone please send me any information they have on this.

Thank You,
Rai.


-- 
_______________________________________________________________________________

"Hold on tight you know she's a little                  R A I
bit dangerous, She's got what it takes              Raina Weinberg 
to make ends meet the eyes of a lover        _Memphis State University_
that hit like heat. You know she's                Memphis, Tn USA
a little bit dangerous." 
   _ROXETTE_                                MCSWEINBERG@MSUVX1.MEMST.EDU
_______________________________________________________________________________


------------------------------

Date:    04 Feb 93 23:23:57 +0000
From:    bgroen@metz.une.edu.au (Bernie Groen)
Subject: Zerotime/Slow virus (PC)

Need help, I have a virus: Norton Antivirus 2.1 calls it SLOW, F-Prot 2.07
calls it a variant of Zerotime; neither one will remove it.

Scan 100 does not see it at all.

Anyone have any ideas on how to get rid of this problem?

So far 4 machines have been infected.

Thanks for any help.


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
-  Bernie Groen               - 
*  University of New England  * 
-  Armidale NSW 2351          - 
*  Australia.                 * 
-                             * 
*  bgroen@metz.une.edu.au     -
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*


------------------------------

Date:    Fri, 05 Feb 93 09:20:49 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Virus scan on a compressed drive (PC)

>From:    wongja@ecf.toronto.edu (WONG JIMMY PAK-YEN)

>I'm considering getting some sort of disk compression utility for my
>PC (such as Stacker).  Are virus scan programs still able to detect a
>virus on a compressed hard drive?  Presently, when I download some ZIP
>files, I SCAN the disk containing the zipfile, unzip the files onto my
>hard disk, and scan the unzipped files.  Will this still work on a
>compressed drive? 

This is a common concern and the answer is that compressing a drive using 
those compression mechanisms I have seen (Stacker, SuperStor) does not
pose a problem to virus scanners with two exceptions:

a) If the scanner uses Int 25 to examine the DOS Boot Record (not the MBR)
   it may pick up the special BR that the compression routine attaches to
   its "phantom" drive. If this occurs, a DBR virus such as the MusicBug
   could be missed (but a good scanner would find it in memory and booting
   from floppy without the compression driver would also).

b) If the scanner bypasses DOS (using direct BIOS reads) to defeat stealth
   viruses, this will not work on a compressed drive. I have only seen one
   scanner with this feature and you can turn it off - in operation it
   is obvious since it only reports a limited number of files.

Otherwise, scanners using DOS to open and examine the files will work just
fine since the drive redirection is handled below the DOS level.

Incidentally, I regularly use disk compression on some of my PCs and it works
very well.

					Warmly,
						Padgett


------------------------------

Date:    Fri, 05 Feb 93 18:47:40 +0000
From:    mcafee@netcom.com (McAfee Associates)
Subject: Re: Virus scan on a compressed drive (PC)

Hello Jim,

You write:

>Hi,
>
>I'm considering getting some sort of disk compression utility for my
>PC (such as Stacker).  Are virus scan programs still able to detect a
>virus on a compressed hard drive?  

As long as you have the device driver(s) necessary to access the Stacker
compressed volume running on your PC you should have no problems checking
the volume for viruses.  This should apply to all anti-viral software,
not just VIRUSCAN.

>                                   Presently, when I download some ZIP
>files, I SCAN the disk containing the zipfile, unzip the files onto my

You do not need to run VIRUSCAN until after you have unzipped the .ZIP
file.

>hard disk, and scan the unzipped files.  Will this still work on a
>compressed drive?  

Yes.

>                   Besides uncompressing onto a floppy first and
>scanning the floppy(too inconvenient!), what other options are there?

You could set up a RAM disk and uncompress to that.  It is much faster
to scan a RAM disk than a floppy disk.

>
>Thanks in advance,
>Jim

Regards,

Aryeh Goretsky
Technical Support
-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR


------------------------------

Date:    Fri, 05 Feb 93 23:01:17 +0000
From:    rflood@cis.umassd.edu (Richard M. Flood)
Subject: Re: NAV questions (PC)

balog@eniac.seas.upenn.edu (Eric J Balog) writes:

>Hi! I have two questions:

>1) I have NAV 2.0 (included w/ NDW 2.0), and I just downloaded
>nav20a10.exe from dorm.rutgers.edu. Does my version of NAV now check
>for all of the viruses that NAV 2.1 checks for? (mine checks for 451
>viruses/1159 strains)

>2) Last week, someone posted a message comparing the effectiveness of
>several anti-virus programs. Can anyone tell me how NAV rates as
>compared to other anti-virus programs?

	There is a hypertext program that is all about viruses. It
contains a list of most of the known viruses, how to find them, how to
get rid of them, and it has a section on how all the different virus
programs rate. As far as I know McAfee SCAN gets a score of 90% and
NAV gets a score of 65%; this is just from memory, but you can find out
yourself by ftping vsumx###.zip (the numbers are the most current
version, I think it is 212) from most of the better ftp sites.

------------------------------

Date:    05 Feb 93 23:38:54 +0000
From:    victor@ccwf.cc.utexas.edu (V Menayang)
Subject: CMOS virus? (PC)

I wonder if a virus can erase the information stored in
CMOS?  If it can, what virus/viri known to work this way?
The reason I am asking these questions is that the computer
repair person we took our Grid system machine to claimed
that our problem (floppy drive wouldn't refresh) is caused
by a virus.  I don't know much about virus but the claim
sounds suspicious because he said that the virus is [stoned].

Thank you for any advice/information on this.

Victor Menayang
-- 

-------------------------------------------------------------
Victor Menayang                     victor@ccwf.cc.utexas.edu 
=============================================================

------------------------------

Date:    Fri, 05 Feb 93 08:20:20 -0600
From:    John Perry <perry@phil.utmb.edu>
Subject: New files on phil (PC)



-----BEGIN PGP SIGNED MESSAGE-----

Hello Everyone!

	FP207.ZIP has been made available on phil.utmb.edu
(129.109.9.23). It is located in the pub/virus-software/pc directory.
If you have any problems or questions, contact me by email at
perry@phil.utmb.edu

-- 

 John Perry - perry@phil.utmb.edu (129.109.9.22)

 PGP Public Key available by fingering perry@phil.utmb.edu


-----BEGIN PGP SIGNATURE-----
Version: 2.1

iQCVAgUBK3J3gFoWmV4X/7GZAQEQDQQAqLX46WW7KiFgCvtv3LGCikDOoLSg8QoV
7uJtlUwCa/CLiS+5e2MTPppJa4o7Tb6EZLjOapnbukhSnblzjJpPXHvF79g1Audv
9AugLycWLbKniZaRTQctB9UZMsl6GUG9li2Jp5I9tfADeVtQioIj0bErOzPL/Bzq
D3ug1VkUbuU=
=93To
-----END PGP SIGNATURE-----

------------------------------

Date:    Fri, 05 Feb 93 16:31:43 -0800
From:    rslade@sfu.ca
Subject: Worm wannabe - "WANK" (CVP)

HISVIRU.CVP   921215
 
                       Worm Wannabe - "WANK"
 
In October of 1989, another network worm was found to be making the
rounds -- on VMS machines connected through DECnet.  While even to
this day there is considerable debate as to Morris' intentions with
regard to the Internet Worm, for the "WANK Worm", as it is known,
there is no such ambiguity.  WANK was intended for propaganda, plain
and simple.
 
WANK used a number of features similar to those of the Internet
Worm.  Mail was used to spread the worm from system to system, and
"standard defaults" (in this case "system" and "field service"
accounts and passwords) were used to try to get the worm running on
a new machine.
 
In addition to guessing system passwords, the WANK worm also
attempted to change them.  As the program would have no further use
for them, once started, this would appear to have been directed at
inconveniencing the system operator.
 
The message carried by the worm spoke of "Worms Against Nuclear
Killers" and announced that the infected system had been "WANKed",
as well as displaying a "text graphic" of WANK.  It also contains
the quotation "You talk of times of peace for all, and then prepare
for war".  Obviously the author had believed the reports of the
Internet Worm which had spoken of massive numbers of military
computers being affected.  Ironically, few, if any, of the people
who saw the WANK worm's message would have had anything to do with
the military.
 
Some aspects of the worm were just plain obnoxious, such as
appearing to delete all of a user's files, and paging users with the
PHONE program.
 
A few weeks later, a second VMS/DECnet worm was released, with very
few changes from the original WANK.  This "knock-off of a knock-off
of a knock-off" tends to be more the rule than the exception in
virus research.  Of the thousands of MS-DOS viral programs, the vast
majority result from "bit twiddling" in an attempt (often less than
entirely successful) to fool scanners.  In the end it often means
nothing more than more, and more boring, work for the authors of
scanning programs.
 
copyright Robert M. Slade, 1992   HISVIRU.CVP   921215
 
============= 
Vancouver      ROBERTS@decus.ca         | Life is
Institute for  Robert_Slade@sfu.ca      | unpredictable:
Research into  rslade@cue.bc.ca         | eat dessert
User           p1@CyberStore.ca         | first.
Security       Canada V7K 2G6           | 


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 21]
*****************************************
