To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #75
--------
VIRUS-L Digest   Monday, 10 May 1993    Volume 6 : Issue 75

Today's Topics:

List/group outages, moderator address update
Virus Copyright
Re: Sharing info
Virus in a .GIF file?
Re: Antivirus Software Distribution
re: unix viruses? (UNIX)
Re: CyberSoft UNIX scanner (UNIX)
UNIX intrusion detection in real time (UNIX)
German Message from English Computer (PC)
Re: New variety of Stoned virus? (PC)
Re: VIRUS-L Digest V6 #73: VSUM Thread (PC)
Re: MSAV and text-files (PC)
Re: New variety of Stoned virus? (PC)
F-Prot False alarm? (PC)
Re: F-Prot 2.08 (PC)
F-PROT 2.08 (PC)
Re: Copyright of Virus Signatures (PC)
New McAfee programs available (PC)
Possible new virus (PC)
stoned virus (PC)
Mich on Sun? (PC)
FP-208A.ZIP - F-PROT 2.08a: Virus detection/removal software (PC)
McAfee VIRUSCAN V104 uploaded to SIMTEL20 (PC)
Evaluation standards - open ended (CVP)
Legal Net News
YAEMA! (Yet Another Errant Magazine Article)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Mon, 10 May 93 09:48:14 -0400
From:    "Kenneth R. van Wyk" <krvw@agarne.ims.disa.mil>
Subject: List/group outages, moderator address update

VIRUS-L/comp.virus readers:

Over the past couple of weeks, we've experienced a couple of network,
computer, and power outages that have caused several delays in getting
VIRUS-L postings out to you all.  As a result, I have several messages
in the queue that are somewhat dated; I will get those out ASAP.  My
apologies for any inconveniences.

In an attempt to improve the reliability of the list/group, I've moved
the moderator account here to my office system.  Please continue to
address all submissions to virus-l@lehigh.edu, however.

Again, sorry for the inconvenience.

Cheers,

Ken

Kenneth R. van Wyk
Division Chief, Operations
Center for Information Systems Security (CISS)
Moderator, VIRUS-L/comp.virus
krvw@Agarne.IMS.DISA.MIL

------------------------------

Date:    Wed, 05 May 93 20:49:06 -0400
From:    radatti@cyber.com (Pete Radatti)
Subject: Virus Copyright

>	When a virus is found, it does not usually contain a copyright, because
>as far as I can tell, to claim copyright your real name must appear with it.
>Obviously, most virus writers don't want to do this. However, if someone did
>extract a piece of code (signature) from the virus, and included it in their
>virus scanner, and received a financial advantage from this inclusion, and the
>author came forth to claim copyright, would such a case be legal?

Under the Berne Convention all material is copyright the moment it is
created by the author.  The author's name and copyright notice need
not appear.  The Berne Convention is held to in most of the world
including US and Europe.

It would, of course, be stupid for the author to claim copyright in
the same way that it would be stupid to demand a deposit refund on the
truck used to bomb the World Trade Center...

Pete Radatti

------------------------------

Date:    Wed, 05 May 93 22:27:22 -0400
From:    AMN@UBIK.DEMON.CO.UK
Subject: Re: Sharing info

Roberto Reymond, <RREYMOND@vnet.ibm.com>, writes:
> ... For example, Great Britain: since the net is accessible
> from the UK, then I must be very careful not to post here anything that is
> forbidden in the UK, isn't it?  ...

I find great difficulty in understanding this statement.


> ... If I were British, I
> would be aware that it's illegal for me to write a virus, so if here
> somebody shows some virus code, or points out where to get a copy of
> 40-Hex, I simply ignore that info. ...

It is exceedingly difficult to "be aware that it's illegal", as it
is not illegal in Britain to write or possess computer viruses.

You seem to have misunderstood part of the British "Computer Misuse Act",
which makes it illegal to:
*   cause damage or alteration to computer data, (regardless of the means
    used).

It is quite probable that supplying, or producing, viruses expecting
that they will be used for such a purpose is also illegal.


I am quite happy that the current rules enforced by the moderator of
virus-l/comp.virus prohibit the distribution of viruses here.  And
ethically I endorse the rules prohibiting the use of this forum to
advertise or exchange viruses.

Information about viruses is a cloudier issue.  Knowing that virus
writers (such as phalcon/skism in the US) follow this forum, I urge
all contributors to judge carefully the balance between informing
users and educating the virus writers.


Regards,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher   [or xa329@city.ac.uk]   East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain


------------------------------

Date:    Thu, 06 May 93 01:22:49 -0400
From:    dbarber@crash.cts.com
Subject: Virus in a .GIF file?

While reading alt.supermodels (if you have to ask why, *don't*)
there was a discussion about someone finding a virus in a .GIF
file.  Seems to me that if there's a virus in a .GIF file -- SO WHAT?
Outside of it being a novel way to convey a virus across the internet
to someone looking for it, I can't see how it could actually infect
one's machine, since a .GIF file is not "executed".  Unless someone
has written a well distributed .GIF viewer with a hook to run viri
from selected .GIF files (and therefore avoid detection as an infected
program), it would seem there is nothing to worry about from a .GIF
file.

If I'm wrong, will someone please tell me just where?

Thanks!


Without change,                         *David Barber*
   nothing can ever get better.            @}-->----

UUCP: ucsd!crash!dbarber
INET: dbarber@crash.cts.com

------------------------------

Date:    Thu, 06 May 93 11:46:56 -0400
From:    mha@baka.ithaca.ny.us (Mark Anbinder)
Subject: Re: Antivirus Software Distribution

Dave Millar asks...

> Can anyone point me to procedures for safe distribution of antiviral
> software - addressing use of FTP as well as diskettes?

The safest way to obtain an antiviral utility is from the author or
publisher directly.  That's the only way you can be reasonably certain
you're getting clean software.

In the case of commercial software, that means obtaining updates on a
distribution disk from the publisher, or obtaining from the company's own
online bulletin board or their own FTP site, if one or both is provided.  In
the case of freeware or shareware, it means selecting a "trusted" FTP site
or online service.  For example, John Norstad makes his Macintosh
Disinfectant utility available on his own FTP server; that's the safest
place to get each version from, though of course there are other FTP sites
that can be trusted with respect to Disinfectant and other antivirals.

I provide antiviral utilities on my own bulletin board, but I grant that
only people who know me well can really be sure that my BBS is a "safe"
source for this software.  In your situation, there are undoubtedly
facilities on Penn's campus, or dealers nearby, where you can obtain safe
copies of the free and shareware utilities.


-------------------------------------------------------------------------
 Mark H. Anbinder                  |       Technical Support Coordinator
 BAKA Computers Inc.               |               mha@baka.ithaca.ny.us
 200 Pleasant Grove Road           |                (or) mha@tidbits.com
 Ithaca, New York 14850 USA        |    Phone 607-257-2070  Fax 257-2657
-------------------------------------------------------------------------
 BAKA Technical Support e-mail "hotline": tech_support@baka.ithaca.ny.us
-------------------------------------------------------------------------

------------------------------

Date:    Thu, 06 May 93 09:40:48 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: unix viruses? (UNIX)

>From:    schardt@acc.vf.ge.com (James A. Schardt)

>I have been told that there are UNIX viruses (not talking about
>worms or Trojan horses).  Is there a place on the net where
>UNIX viruses are documented?

The three things I know of that might fit your description are:

  - A shell-script virus that was written up in a USENIX
    Proceedings awhile back (I don't have a ref, I'm afraid);
    it worked, and escaped to one or two other machines
    during test, but isn't known to be in the wild at present.

  - A technical description of a library virus that was put
    out as a hoax just to show that it was possible.  The
    virus itself was never written, but the account sounded
    quite plausible.  Don't know if it's archived anywhere.

  - The virus that Fred Cohen used for his experiments
    documented in his "Computer Viruses: Theory and
    Experiment", Computers & Security, Vol. 6 (1987) pp. 22-35.
    This was of course never released outside the
    experiment.

There are no UNIX viruses known to be in the wild at present.

>Is it true that a virus would find the UNIX environment very
>inhospitable because of the protection the OS puts around its
>own memory space and the confinement of the user's memory space?

No.  Computer viruses don't have to do anything nefarious with
memory spaces to operate; as the Cohen paper cited above shows,
they can spread in many typical environments by flowing only
along channels that are authorized for writing.  They don't
have to subvert security, or exploit a lack of security, to
spread.  On the other hand, they do seem to require a degree of
interconnectivity and software sharing that so far only happens
in the microcomputer area...

- -- -
David M. Chess                     \    Femmes aux tetes de fleurs
High Integrity Computing Lab       \     retrouvant sur la plage la
IBM Watson Research                \     depouille d'un piano a queue


------------------------------

Date:    Thu, 06 May 93 13:05:59 -0400
From:    Albert-Lunde@nwu.edu (Albert Lunde)
Subject: Re: CyberSoft UNIX scanner (UNIX)

radatti@cyber.com (Pete Radatti) writes:
>CyberSoft, Inc is a company that produces virus scanners for Unix and
>other operating systems.  It uses its own parsing language called
>CVDL.  CVDL is copyright and published for use by end users of
>CyberSoft's VFind product.

An obvious question is what/how many Unix viruses does it "scan" for.

I was under the impression that there were few to none Unix viruses
"in the wild" and thus most of the potential market was for security/
integrity software rather than known virus scanners. If this is not
the case, tell us about it.

-- 
    Albert Lunde                      Albert-Lunde@nwu.edu

------------------------------

Date:    Thu, 06 May 93 19:26:18 -0400
From:    QMDKDL@GSUVM1.GSU.EDU
Subject: UNIX intrusion detection in real time (UNIX)

A student of mine is doing work in the area of law enforcement /
computer security.  He recently found a dissertation abstract which
talks about a security system capable of identifying attackers in
realtime.  It's based on typing metrics and developed for Sun
workstations running UNIX.  We are trying to find some additional
information on the product but have been unsuccessful.  Is anyone
familiar with the product or have suggestions as to where / whom we
might look?  Feel free to respond directly to my id
(qmdkdl@gsuvm1.gsu.edu) Thanks in advance.

kdl


------------------------------

Date:    Wed, 05 May 93 17:40:18 -0400
From:    "William Walker C60223 x4570" <WALKER@aedc-vax.af.mil>
Subject: German Message from English Computer (PC)

Interesting problem:

I've had a user report that his machine has displayed a German message twice:
once a month ago and once two days ago.  His machine locked up after the one
two days ago.  The message is "Kein system oder laufwerksfehler.  Wechseln
und taste drucken."  This translates roughly to "No system or DOS error.
Replace and press a key."  It sounds to me like he had a diskette formatted
with a German version of DOS in his drive when he rebooted; however, I 
checked all of his diskettes with Norton Utilities and did not find this
message on any of them.  Neither did I find it anywhere on his hard disk.

The user insists that there was no diskette in the drive at the time (he
even called their "computer expert" over, who says the same thing).  He also
says that no one has used a foreign diskette on his system recently, and he
has not exchanged diskettes with anyone.  Sounds like famous last words to
me.  ;-)  The only stray diskette on his system was one which had some data
files which he converted for someone last month, but they kept the diskette,
he did not make a diskcopy, and they haven't been back since, especially not
two days ago.  

There is no memory missing on the machine.  Booting from a clean DOS 5.0 
floppy and running F-PROT 2.07 and 2.08 revealed nothing, even with a
heuristic scan.  The MBR and boot sector of the hard drive are normal.

I seriously doubt that this is a virus, but I can't find another reason
for it, either.  Does anyone have a clue as to what's happening?

Thanks in advance.

Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | "Simply do not ask me what this is
OAO Corporation                        |  all about, parce que je ne sais
Arnold Engineering Development Center  |  pas, mes chers."
1103 Avenue B                          |       -- Holly Golightly, 
Arnold Air Force Base, TN  37389-1200  |       "Breakfast at Tiffany's"



------------------------------

Date:    Wed, 05 May 93 22:27:35 -0400
From:    AMN@UBIK.DEMON.CO.UK
Subject: Re: New variety of Stoned virus? (PC)

Kate Wilson, <sph0301@utsph.sph.uth.tmc.edu>, wrote:
> Yesterday we had (yet another!) hit from the Stoned virus.  ...
>
> Both floppy drives stopped reading high-density diskettes at the same
> time the PC was infected although I suspect that was coincidence and not
> virus-related...

This is -THE- biggest possible clue that you have a variant of Stoned.

For the technically minded: MSDOS uses a data block (called the BIOS Parameter
Block - BPB) in the boot sector to recognise a diskette's format.  Most Stoned
variants destroy this when they infect.  If the data block is invalid DOS
typically assumes the disk is 360k, though this seems to vary a little with
machine configuration and DOS version.

Hope this helps,
Anthony Naggs                 Email:                  Paper mail:
 Software/Electronics Engineer amn@ubik.demon.co.uk    P O Box 1080, Peacehaven
 & Computer Virus Researcher   [or xa329@city.ac.uk]   East Sussex  BN10 8PZ
 Phone: +44 273 589701                                 Great Britain
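The BPB damage Anthony describes can be checked directly from a copy of the boot sector. The following is an added example, not code from the original post or from any product named in this digest: it parses the DOS 3.x BPB layout out of a 512-byte sector, lists the fields that no longer make sense, and mirrors the 360 KB fallback he mentions. The two sample sectors and the 0x90 filler are constructed, and a fixed 360 KB fallback is an assumption that simplifies his "varies with configuration" caveat.

```python
"""Sanity-check the BIOS Parameter Block (BPB) of a DOS diskette boot sector.

DOS reads the BPB (offset 11 onwards) to learn a diskette's geometry. When a
boot-sector infector overwrites that area with its own code, the fields stop
making sense and DOS falls back to a default format (typically 360 KB), so a
1.44 MB diskette suddenly "cannot be read". Offsets follow the DOS 3.x layout.
"""
import struct

# Bytes 0..27 of a DOS 3.x boot sector: JMP, OEM name, then the BPB fields.
_HEADER = struct.Struct("<3s8sHBHBHHBHHH")
FIELDS = (
    "jump", "oem_name", "bytes_per_sector", "sectors_per_cluster",
    "reserved_sectors", "num_fats", "root_entries", "total_sectors",
    "media_descriptor", "sectors_per_fat", "sectors_per_track", "heads",
)
SECTOR_SIZE = 512
FALLBACK_KIB = 360  # assumption: what DOS uses when the BPB is unusable


def parse_bpb(sector: bytes) -> dict:
    """Unpack the header and BPB fields of a 512-byte boot sector into a dict."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"boot sector must be {SECTOR_SIZE} bytes, got {len(sector)}")
    bpb = dict(zip(FIELDS, _HEADER.unpack_from(sector, 0)))
    bpb["boot_signature"] = struct.unpack_from("<H", sector, 510)[0]
    return bpb


def bpb_problems(bpb: dict) -> list:
    """Return plain-text reasons why these BPB values cannot describe a diskette."""
    problems = []
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append(f"bytes/sector {bpb['bytes_per_sector']} is not a valid sector size")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc > 128 or spc & (spc - 1):
        problems.append(f"sectors/cluster {spc} is not a power of two in 1..128")
    if bpb["reserved_sectors"] == 0:
        problems.append("reserved sector count is 0 (the boot sector itself is reserved)")
    if bpb["num_fats"] not in (1, 2):
        problems.append(f"FAT count {bpb['num_fats']} is not 1 or 2")
    if bpb["root_entries"] == 0:
        problems.append("root directory entry count is 0")
    if bpb["total_sectors"] == 0:
        problems.append("total sector count is 0")
    if bpb["media_descriptor"] < 0xF0:
        problems.append(f"media descriptor 0x{bpb['media_descriptor']:02X} is not a DOS media byte")
    if bpb["sectors_per_track"] == 0 or bpb["heads"] == 0:
        problems.append("sectors/track or head count is 0")
    return problems


def effective_capacity_kib(bpb: dict) -> tuple:
    """Mirror DOS: trust the BPB geometry when it is sane, otherwise fall back.

    Returns (capacity_in_KiB, came_from_bpb) so callers can tell whether the
    geometry was read from the diskette or merely assumed.
    """
    if bpb_problems(bpb):
        return FALLBACK_KIB, False
    return bpb["total_sectors"] * bpb["bytes_per_sector"] // 1024, True


def diagnose(sector: bytes) -> dict:
    """Parse a boot sector and report the geometry DOS would use plus any BPB faults."""
    bpb = parse_bpb(sector)
    capacity, from_bpb = effective_capacity_kib(bpb)
    return {"capacity_kib": capacity, "from_bpb": from_bpb, "problems": bpb_problems(bpb)}


def make_boot_sector(fields: tuple) -> bytes:
    """Build a 512-byte boot sector from header values (constructed test data)."""
    sector = bytearray(SECTOR_SIZE)
    _HEADER.pack_into(sector, 0, *fields)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


# Constructed: a standard 1.44 MB diskette BPB (2880 sectors, 18 sectors/track, 2 heads).
CLEAN_1440 = make_boot_sector(
    (b"\xEB\x3C\x90", b"MSDOS5.0", 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2))

# Constructed: the same sector after the header area has been overwritten by a
# boot-sector infector. The 0x90 filler is an arbitrary stand-in, not virus code;
# the point is only that the BPB fields are now meaningless.
DAMAGED = CLEAN_1440[:3] + bytes([0x90] * (_HEADER.size - 3)) + CLEAN_1440[_HEADER.size:]


if __name__ == "__main__":
    for label, sector in (("clean 1.44 MB diskette", CLEAN_1440), ("BPB overwritten", DAMAGED)):
        report = diagnose(sector)
        source = "from BPB" if report["from_bpb"] else "DOS fallback default"
        print(f"{label}: treated as {report['capacity_kib']} KB ({source})")
        for problem in report["problems"]:
            print("   -", problem)
```

Run against a sector dumped from a suspect diskette, the same checks tell you whether the drive "stopped reading high-density disks" or the diskette simply lost its BPB.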


------------------------------

Date:    Thu, 06 May 93 01:05:38 -0400
From:    vmk@rand.mel.cocam.oz.au (Victor Kay)
Subject: Re: VIRUS-L Digest V6 #73: VSUM Thread (PC)

For some time now I've been following the thread about VSUM. Now don't
get me wrong, I'm neither for nor against it (although I must admit
that since following the thread I'm very unsure of its worth and don't
refer to it). The point is that the argument seems very one-sided. At
any time I've been expecting Ms Hoffman to respond to the allegations
- but no show!! Don't you think it would be a good idea to invite her
to respond to the issues raised?

Regards

Victor Kay
Co-Cam Computer Group , Melbourne, Australia

E-Mail: vmk@rand.mel.cocam.oz.au

------------------------------

Date:    Thu, 06 May 93 06:08:19 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: MSAV and text-files (PC)

v922340@herzberg.si.hhs.nl (Ivar Snaaijer) writes:

>It says on page 79 something about a virus that is known to infect datafiles.
>Infect a datafile?  Don't they mean that there is some code that could be
>a virus that is stored in a file which is not executable?

I don't have the book, so I don't know what they are talking about, but there
are indeed a few viruses that can "infect" a datafile - for example some
stupid overwriting viruses that overwrite all files in the current directory.

However, you would not be able to *execute* the "infected" datafile.

The most common methods to select which files to infect are:

   1) Select files with .COM and/or .EXE extensions

   2) Select files that are loaded/executed with INT 21H, function 4BH.

>How can a non-executable be a threat to you?

It cannot - not unless you rename it and run it.  However, a much more serious
problem is that some viruses *corrupt* datafiles - 

>Another thing about MS (CP) AV is that it by default scans ALL files on disk.
>(This takes a lot of time on a 213Mb HDD.)  Is this really necessary or
>is heuristic scanning stupid? ....

Uh, I don't understand what you mean...CPAV/MSAV does not do any heuristic
scanning at all.

One note about MSAV - The May 93 Virus Bulletin just reviewed it - and one
interesting observation is that it performed much worse than the CPAV scanner
which was tested in January - missed more than twice as many viruses from
the "small" set.

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801


------------------------------

Date:    Thu, 06 May 93 06:27:20 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: New variety of Stoned virus? (PC)

sph0301@utsph.sph.uth.tmc.edu (Kate Wilson) writes:

>Yesterday we had (yet another!) hit from the Stoned virus.  Surprisingly,
>the latest version (2.08) of F-Prot wouldn't clean it

Right. It seems 2.08 has problems removing some boot sector viruses which could
be disinfected with 2.07.  We have now found and fixed the problem, and a new
version - 2.08a is being tested right now - we will announce it when it is
ready for release - hopefully later today.

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801


------------------------------

Date:    Thu, 06 May 93 10:44:54 -0400
From:    fergp@sytex.com (Paul Ferguson)
Subject: F-Prot False alarm? (PC)

This message is forwarded from the FidoNet VIRUS_INFO Conference -
 
8<----- Begin forwarded message ---------
 
Date: 05-02-93 (01:54)
From: ARIE ZILBERSTEIN
  To: ALL
Subj: F-Prot 2.08
 
Y'hello All!
 
F-Prot 2.08 reported this on its Heuristics scan:
 
-------------
C:\CPAV\VWATCH.COM seems to be infected with an unknown virus.
Please contact Frisk Software International or send us a copy for 
analysis.
-------------
 
VWATCH.COM is a memory resident program that comes with the CPAV package.
It checks whenever you load a file for viruses.  If you can, please
notify Frederick of this case -- VWATCH.COM is -not- infected by any
virus.
 
Bye
AZ
 
 
.. "No, I never did it before, but how hard can it be?" - Last RPG words
--- FMail 0.95a4 beta+
 * Origin: Beyond Tomorrow * 972-3-544-4488/3746 * 24h * 14Kbps 
(2:403/159.0)
 
8<------ End of forwarded message -----------
 
Cheers.
 

Paul Ferguson                  |  Uncle Sam wants to read
Network Integrator             |       your e-mail...
Centreville, Virginia USA      | Just say "NO" to the Clipper
fergp@sytex.com                |          Chip...
-------------------------------+------------------------------
         I love my country, but I fear its government.


------------------------------

Date:    Thu, 06 May 93 13:17:45 -0400
From:    Albert-Lunde@nwu.edu (Albert Lunde)
Subject: Re: F-Prot 2.08 (PC)

gj9@prism.gatech.edu (georgia deakin) writes:
>I just obtained a copy of F-prot 2.08 and started to install it on one 
>machine here.  Seems this computer is infected with the Stoned virus.  This
>is the one virus we seem to have problems with here - I have been told by
>campus technicians that it floats around on our net. [...]

Not literally -- Stoned is a boot infector, so it mainly spreads by
infecting diskettes -- it won't spread by infecting files on a file
server or over any network I know of.

I think the FAQ has more to say about this...



-- 
    Albert Lunde                      Albert-Lunde@nwu.edu


------------------------------

Date:    Thu, 06 May 93 15:34:29 -0400
From:    pessoa@dcc.ufmg.br
Subject: F-PROT 2.08 (PC)

   I got F-PROT 2.08 last Friday. I was making some tests with it when I
discovered something strange. This version couldn't remove the Michelangelo
virus from a disk. So I made some physical copies of the disk and made tests
with other scanners. Every one found the virus and could remove it. F-PROT 2.07
did this too.  Well, does anybody know what is happening?  Could my program have
been hacked or something like this?  Or is it a program error?

                     Thanks
  
                                 Albener Esquirio Pessoa



------------------------------

Date:    Thu, 06 May 93 21:46:40 -0400
From:    dudleyh@redgum.ucnv.edu.au (Dudley Horque)
Subject: Re: Copyright of Virus Signatures (PC)

skank@leland.Stanford.EDU (Forked Tongue Redlich) writes:
>Well, I'm only a law student, but . . .
>Probably not.  Copyright protects expression of ideas, not the ideas.
>Thus, you couldn't copyright E=MC^2, though you could copyright
>a book explaining it.
>Also, generally speaking, the shorter the expression, the harder it is
>to copyright.  If you tried to copyright the  letter A, you'd lose, 
>because others are going to need to use it.
>
A couple of interesting points... a guy who lives about 30km from here
was on a national current affairs infotainment program on television
recently for having patented a formula which he claims (from what I can
remember) explains a lot of unknowns in the universe, much like the
young Albert Einstein did in the movie Young Einstein, with his formula
that you quoted (e=mC^2).

Secondly, you cannot, indeed, copyright the letter A, but you can
copyright a certain design of the letter A. Fonts (both computerised and
otherwise) are subject to copyright.

I know these points don't further any discussion points here, but I
thought that they might be ever so slightly interesting.
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ciao4niao                                 My philosophy on life is far too deep
Dudley Arthur Horque                   to fit into two lines... I'd need three.


------------------------------

Date:    Thu, 06 May 93 22:16:42 -0400
From:    HAYES@urvax.urich.edu
Subject: New McAfee programs available (PC)

Hello.

Just to mention the availability for FTP processing of the new versions of
McAfee Associates programs.  They all contain the string "104" in the filename
(e.g. SCANV104.ZIP).

Enjoy, Claude.

==========

Site:       urvax.urich.edu,  [141.166.36.6]    (VAX/VMS using Multinet)
Directory:  [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password.  You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173


------------------------------

Date:    Fri, 07 May 93 05:55:01 -0400
From:    venzi@math.fu-berlin.de
Subject: Possible new virus (PC)

A couple of days ago I got scanv102. After my machine broke down
several times I decided to run scan, and I've got the following messages:

      Virus cannot be removed safely from the partition table

      Virus removed.

I scanned again after booting safe msdos - nothing happened. Then I tried
with the "infected" msdos, and the "infected" scan - nothing. The
message came during the memory scan. Is this a new virus? How can I get
rid of it?

                                              Venzi

------------------------------

Date:    Fri, 07 May 93 11:03:20 -0400
From:    tsnow%vitronix@uunet.UU.NET (Tom Snow)
Subject: stoned virus (PC)

Hello All,

After scanning my hard drive with McAfee's virus scanner ver 9.12 the
[stoned] virus was found active in memory.

I rebooted with a diskette and reran Scan & Clean.  The [stoned] virus
still exists.  I pulled the battery and let the machine sit awhile but
to no avail the virus is still there.  I just can't get rid of this
virus.

Any suggestions?

Thanks,

Tom Snow  
-- 
Tom  Snow					Phone:	(703) 704-ll84
Night Vision & Electronic Sensors Directorate	Fax:	(703) 704-1100
AMSEL-RD-NV-AOD-IAMT				E-mail:	tsnow@nvl.army.mil
Ft. Belvoir, VA 22060

------------------------------

Date:    Sat, 08 May 93 06:38:36 -0400
From:    Javier Fernandez Baldomero <jfernandez@ugr.es>
Subject: Mich on Sun? (PC)

	Hi!: I saw this on sun-managers, and thought that maybe somebody
in this list knew the answers. Please don't answer directly to
sun-managers (or you'll get flamed :-)

==================

Delivery-date: Sat,  8 May 1993 12:23:15 UTC+0200
Originator:    sun-managers-relay@ra.mcs.anl.gov
Send-date:     Fri,  7 May 1993  8:08:52 UTC-0400
From:              <sun-managers-relay@ra.mcs.anl.gov>
Authorizing-Users: <wyllys@axl.melpar.esys.com>
To:                <sun-managers@eecs.nwu.edu>
Reply-To:          <wyllys@axl.melpar.esys.com>
Message-ID:        <9305071208.AA19545@axl.gnr>
Subject:           PC Virus on Sun

>X-Envelope-to: jfernandez@ugr.es
>Precedence: bulk
>Followup-To: junk

What effect (if any) would a PC floppy infected with 
Michaelangelo virus have on a Sun if it was inserted in
a Floppy drive and mounted as a PCFS file system?

I think that since the virus is said to affect the boot block(s)
of PC disks,  the disk probably would not be readable by the
Sun since it is somewhat corrupt, but maybe not.  

If it fooled my SPARC 10 and mounted correctly would the virus be 
able to harm any of my local SPARC disks or files ?

( These are not really hypothetical questions, this already happened. )

I will summarize if there is interest...
---------------------------------------------------------------
Wyllys Ingersoll   E-Systems, Melpar Div.   Ashburn, VA

Internet: wyllys@axl.melpar.esys.com   
UUCP: uunet!melpar.esys.com!axl!wyllys

------------------------------

Date:    Sat, 08 May 93 16:51:15 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: FP-208A.ZIP - F-PROT 2.08a: Virus detection/removal software (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
FP-208A.ZIP     F-PROT 2.08a: Virus detection/removal software

This version (2.08a) corrects one significant problem with 2.08 as well
as two minor ones.

 - Version 2.08 was not always able to disinfect boot sector viruses that
   2.07 could handle without problems

 - Not all samples of the Azusa virus were identified properly - some were
   identified as "new or modified variant of Stoned".

 - One false alarm in a file named DOS400.TSG

I apologize for any inconvenience caused by this.

frisk
- - -
Fridrik Skulason
frisk@complex.is


------------------------------

Date:    Sat, 08 May 93 16:51:28 -0400
From:    aryeh@mcafee.com (McAfee Associates)
Subject: McAfee VIRUSCAN V104 uploaded to SIMTEL20 (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
CLEAN104.ZIP    CLEAN-UP V104 virus remover for PC's & LAN's
NSHLD104.ZIP    NETSHIELD 1.5 Novell 3.11 NLM virus prevention
SCANV104.ZIP    VIRUSCAN V104 virus scanner for PC's & LAN's
VSHLD104.ZIP    VSHIELD virus prevention program for PC's
WSCAN104.ZIP    WSCAN V104 Windows version of VIRUSCAN


WHAT'S NEW

     Version 104 of the VIRUSCAN (SCAN, CLEAN, VSHIELD
and WSCAN) series has been released.  Perhaps the most immediate
and obvious change is that there is no longer a separate program
for scanning network drives (NETSCAN).  All of NETSCAN's
functionality has been added to SCAN, along with some changes to
make SCAN easier to use in networked environments (see below for
details).
     Version 104 adds detection of 219 new viruses, bringing the
total number of known viruses to 1,353, or counting variants,
2,049 viruses.
     Version 103 was skipped due to a Trojan horse bearing
that version number reported from Arizona.

VIRUSCAN

     SCAN has three new options and one change added to it:
Since SCAN is capable of checking both local and network drives,
there are now switches to check all local drives (/ADL), all
network drives (/ADN), and both local and networked drives (/AD).
Additionally, a new switch (/BMP) has been added to check OS/2
Boot Manager partitions for master boot record (partition table)
and boot sector viruses.  Also, the /UNATTEND switch is now a
default option.  This switch was required for use in a multi-
tasking environment such as DesqView, Windows, or OS/2.

CLEAN-UP

     CLEAN adds removers for the 1757, Barrotes, Coahuila, Math
Test, Monkey, and XTAC viruses.  Additionally, during the course
of adding the OS/2 Boot Manager capability, the code for handling
boot sector viruses was completely re-worked.  CLEAN-UP also has
the new switches that SCAN has (/AD, /ADL, /ADN, and /BMP).

VSHIELD

     VSHIELD now displays messages in Windows with a Windows
dialogue box (previous versions displayed messages in windowed
DOS session opened on the desktop).  This is done through a new
program, VSHWIN.EXE, which is INSTALLED by the /WINDOWS switch.
Once VSHIELD is run with the /WINDOWS switch, it is not necessary
to use the switch again.
     The CHKSHLD program now displays the options VSHIELD is using.
     Due to changes in this version of VSHIELD, it is no longer
compatible with MS-DOS 2.0.  MS-DOS 3.0 or greater is required to
run VSHIELD.

WSCAN

     WSCAN supports all new features added to SCAN.  Additionally,
WINSTALL has been updated to allow installation on a network drive.

NETSHIELD

     The NETSHIELD NetWare Loadable Module engine has been updated
to version 1.5.  This release adds the ability to detect unknown
viruses by computing a cyclic redundancy check (CRC) value for files
and then comparing it against the stored value to detect changes.

OS/2 PROGRAMS

     SCAN and CLEAN for OS/2 are available by anonymous ftp from
the mcafee.com site (IP# 192.187.128.1).  They are located in the
pub/antivirus directory.

VALIDATE VALUES
CHECKSHIELD 0.4 (CHKSHLD.EXE)       S:8,075    D:04-19-93   M1: 85A5  M2: 0A4F
CLEAN FOR OS/2 V104 (OS2CLEAN.EXE)  S:279,624  D:05-03-93   M1:89D6B  M2: 105F
CLEAN-UP 9.15V104 (CLEAN.EXE)       S:144,637  D:05-03-93   M1: 6846  M2: 0EEE
NETSHIELD V1.5 (V104) (NETSHLD.NLM) S:117,895  D:05-03-93   M1: 650C  M2: 000F
NETSHIELD V1.5 (V104) (VIR.DAT)     S:42,720   D:05-03-93   M1: 2DE6  M2: 0F31
SCAN FOR OS/2 9.15V104 (OS2SCAN.EXE)S:206,064  D:05-03-93   M1: 0B56  M2: 108F
VIRUSCAN SCAN 9.15V104 (SCAN.EXE)   S:117,452  D:05-03-93   M1: 5771  M2: 1FC0
VSHIELD 5.4V104  (VSHIELD.EXE)      S:46,914   D:05-01-93   M1: 4A5F  M2: 132B
VSHIELD WINDOWS MODULE (VSHWIN.EXE) S:14,260   D:03-16-93   M1: 3151  M2: 054B
SCAN FOR WINDOWS 104 (WINSTALL.EXE) S:19,606   D:05-03-93   M1: FBF4  M2: 0438
SCAN FOR WINDOWS 104 (WSCAN104.EXE) S:76,882   D:05-03-93   M1: B007  M2: 1CBF


Regards,

Aryeh Goretsky
McAfee Associates Technical Support
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE


------------------------------

Date:    01 May 93 16:17:00 -0600
From:    "Rob Slade, DECrypt Editor" <roberts@decus.arc.ab.ca>
Subject: Evaluation standards - open ended (CVP)

PRTAVS6.CVP   930425
 
                 Evaluation Standards - Open ended
 
As viral programs are constantly developing new methods of attacking
files and avoiding detection, so too antiviral software is
constantly developing new methods, or at least new twists on old
methods.
 
The problem here is similar to that of the application of a single
standard to diverse types of antiviral software.  It is, however,
complicated by the fact that we do not know what the new features of
antiviral software may be, until such time as they appear.  Thus,
while it might be possible to gather a series of criteria, broadly
applicable to the wide variety of antiviral software, and to balance
and "weight" the various gauges in order to come up with a "fair"
assessment, it is impossible to so judge some feature that you have
never considered.
 
As examples, let us consider the recent rise of three new forms of
"generic" antiviral software: "heuristic" scanning, checksum
"generic" disinfection and "heuristic" "generic" disinfection.
 
"Heuristic" scanning is nowhere near being a dependable form of
viral detection.  A great many programs, including antiviral
software and other powerful utilities, are all accused (falsely) of
being "suspicious".  At the same time, a number of viral and trojan
programs are not "caught".  Thus "heuristic" scanning would fail
miserably at criteria set up to judge signature scanning software.
 
It would, though, be a great pity to inhibit the development of
heuristic scanning software.  This field is really the application
of "expert systems" to antiviral software: an "expert" antiviral
disassembler is checking the code for you.  Along with hoped for
advances in change detection, this bodes well to hold the greatest
promise for the future of antiviral software.  Indeed, not only will
it identify suspect viral programs, but, with only minor additions,
trojans and other "malware" as well.
 
If you know that you have a virus infection, don't bother purchasing
a "checksum" disinfector.  The checksum, CRC, Hamming or "image"
calculations *must* be done while the software is "clean", since it
only tries to return it to an "original" state.  Even then, checksum
disinfectors have a very low success rate with disinfection, and
would undoubtedly fail any test set up to measure a set of
"cleaning" programs.  Heuristic disinfectors are even worse: they
sometimes harm "good" programs.  While disinfection is often
recommended against, there are situations where you want to keep an
existing program rather than replacing it with an original copy
which may not contain "set up" information.  In this case, you may
need the services of a disinfection program which does not rely on a
data base of "known" viral programs.
 
copyright Robert M. Slade, 1993   PRTAVS6.CVP   930425

==============
Vancouver      ROBERTS@decus.ca         | "Is it plugged in?"
Institute for  Robert_Slade@sfu.ca      | "I can't see."
Research into  rslade@cue.bc.ca         | "Why not?"
User           p1@CyberStore.ca         | "The power's off
Security       Canada V7K 2G6           |  here."

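The NETSHIELD note above (a CRC stored per file and compared later) and
Rob's point that checksum-based tools are only as good as the baseline
they were given on a clean system both come down to the same mechanism,
so here is one worked illustration.  This is an added example written
for this digest; it is not McAfee code and not part of Rob's column.
The "files" are constructed byte strings, the names SCAN.EXE and
CLEAN.EXE are stand-ins, and the CRC-32 used is the ordinary reflected
CRC-32 (polynomial 0xEDB88320) that zlib implements, which is assumed
here only so that the forgery step has something concrete to target.
Besides the plain baseline-and-compare check, the example shows the two
caveats a practitioner wants: a baseline taken on an already-infected
machine reports everything as "ok", and a plain CRC can be restored by
an attacker who appends four chosen bytes, which a cryptographic hash
such as SHA-256 does not permit.

```python
import hashlib
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320); this is the table zlib
# uses, so forge_crc32_suffix() below agrees with zlib.crc32().
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
# The top bytes of the 256 table entries are all distinct, so a top byte
# identifies the table index that produced it.  Used for reversing steps.
CRC_REV = {t >> 24: i for i, t in enumerate(CRC_TABLE)}


def crc32_of(data: bytes) -> int:
    return zlib.crc32(data)


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that crc32(data + s) == target.

    CRC-32 is linear, so one byte-step (reg = T[(reg ^ b) & 0xFF] ^ (reg >> 8))
    can be inverted: the top byte of the new register equals the top byte
    of the table entry used, which fixes the table index, and the rest of
    the previous register follows.  Four such inversions determine the
    four indexes; walking forward from the known register then yields the
    bytes that select those indexes.
    """
    state = zlib.crc32(data) ^ 0xFFFFFFFF  # internal register after `data`
    want = target ^ 0xFFFFFFFF             # register value we must end on
    idx = [0] * 4
    reg = want
    for i in range(3, -1, -1):             # backwards: recover table indexes
        idx[i] = CRC_REV[reg >> 24]
        # previous register with its low byte unknown (it is not needed yet)
        reg = ((reg ^ CRC_TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    out = bytearray()
    reg = state
    for i in range(4):                     # forwards: choose each byte
        b = (reg ^ idx[i]) & 0xFF
        out.append(b)
        reg = CRC_TABLE[idx[i]] ^ (reg >> 8)
    return bytes(out)


def fingerprint(data: bytes) -> dict:
    return {"crc32": zlib.crc32(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def take_baseline(files: dict) -> dict:
    """Record a fingerprint for every file; must be run on a CLEAN system."""
    return {name: fingerprint(data) for name, data in files.items()}


def check_against_baseline(files: dict, baseline: dict, algo: str = "crc32") -> dict:
    """Map each file name to 'ok', 'modified', 'new' or 'missing'."""
    result = {}
    for name in set(files) | set(baseline):
        if name not in baseline:
            result[name] = "new"
        elif name not in files:
            result[name] = "missing"
        elif fingerprint(files[name])[algo] != baseline[name][algo]:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo():
    # Constructed stand-ins for two executables on a clean machine.
    clean = {"SCAN.EXE": b"MZ" + bytes(range(64)),
             "CLEAN.EXE": b"MZ" + b"\x90" * 40}
    baseline = take_baseline(clean)

    # Simulated infection: code appended to SCAN.EXE, CLEAN.EXE untouched.
    infected = dict(clean)
    infected["SCAN.EXE"] = clean["SCAN.EXE"] + b"VIRUS"
    naive = check_against_baseline(infected, baseline, "crc32")

    # A CRC-aware attacker appends 4 bytes that restore the original CRC.
    body = infected["SCAN.EXE"]
    patched = body + forge_crc32_suffix(body, baseline["SCAN.EXE"]["crc32"])
    evasive = dict(infected)
    evasive["SCAN.EXE"] = patched
    crc_view = check_against_baseline(evasive, baseline, "crc32")
    sha_view = check_against_baseline(evasive, baseline, "sha256")

    # Baseline taken AFTER infection: the infected file is the reference.
    late = check_against_baseline(infected, take_baseline(infected), "crc32")
    return naive, crc_view, sha_view, late


if __name__ == "__main__":
    for label, view in zip(("crc, honest change", "crc, forged", "sha256, forged",
                            "late baseline"), demo()):
        print(f"{label:20s} {view}")
```

The first view shows the NETSHIELD-style check working: the appended
bytes change the CRC and SCAN.EXE is reported as modified.  The second
and third show why a plain CRC is a detector of accidental change, not
of deliberate tampering: with four extra bytes the CRC matches the
baseline again while the SHA-256 view still reports the file modified.
The last view is Rob's caveat in code: a baseline taken on an already
infected system makes the infected file the reference, and nothing is
flagged.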
------------------------------

Date:    Thu, 06 May 93 22:43:01 -0400
From:    fergp@sytex.com (Paul Ferguson)
Subject: Legal Net News

Due to the increasing demands of external activities, Legal Net News
will discontinue being sent on a mailing list. My apologies go out to
all of you who sent subscription requests.
 
Legal Net News will, however, continue to be compiled, produced,
released and archived on a regular basis.
 
It can be found at the following locations:
 
                Publicly Accessible BBS's
                -------------------------
 
The SENTRY Net BBS             Arlington Software Exchange
Centreville, Virginia  USA     Arlington, Virginia  USA
+1-703-815-3244                +1-703-532-7143
To 9,600 bps                   To 9,600 bps
 
                       The Internet
                       ------------
 
Legal Net News is available at the following archive site(s)-
 
tstc.edu   (161.109.128.2)  Directory: /pub/legal-net-news
 
Login as ANONYMOUS and use your net ID (for example: fergp@sytex.com)
as the password.
 
The most recently released issue was volume 1, issue 4 dated 6 May,
1993 and is in the following format:
 
                   Filename          Filename
                  Compressed          ASCII
 
Vol 1, Issue 1    LNM0493.ZIP       LNM0493.TXT
Vol 1, Issue 2    LNN0102.ZIP       LNN1.002
Vol 1, Issue 3    LNN0103.ZIP       LNN1.003
Vol 1, Issue 4    LNN0104.ZIP       LNN1.004
 
 
Thanks for the interest.
 
Cheers.
 

Paul Ferguson                  |  Uncle Sam wants to read
Network Integrator             |       your e-mail...
Centreville, Virginia USA      | Just say "NO" to the Clipper
fergp@sytex.com                |          Chip...
- -------------------------------+------------------------------
         I love my country, but I fear its government.


------------------------------

Date:    07 May 93 14:53:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: YAEMA! (Yet Another Errant Magazine Article)

Datamation, May 1, 1993 edition, has an article entitled "How to Kill
a Mutant Virus".  As is often the case, the "article" seems to be more
akin to an extended advertisement for commercial antiviral software.
I'd like to quote, and comment on, a few lines.

The piece starts out with "A smarter and more malicious breed of
computer virus is ready to seek out and destroy your ... data".  The
author (one Rick Cook) goes on to deal reasonably well with stealth
and polymorphism, but he neglects to mention that this technology is
already "old", in viral terms, and has not proven to be terribly
successful.  What *is* successful?  Stoned and Jerusalem; two pretty
"stupid" viri.

The CPAV development manager states that "I don't know a single
corporation that is not looking into or doesn't have virus protection
of some kind".  I'll just let that one lie.

The following paragraph states that "Because the new viruses are so
potent, there is considerable interest in hardware to exterminate
them".  (Send in the Daleks!  :-) Aha!  We come to the reason for the
article!  Western Digital's Immunizer!  Therefore, I shall be
releasing my review of the Immunizer immediately.

"The Immunizer works only on some of the newest ... microprocessors (a
list ...  is available from Western Digital)".  While, strictly
speaking, this statement is syntactically true, it is desperately
misleading.  The "Immunizer" must be "built in" to the machine, with a
specialized controller and BIOS.  At the time I tested it, there were
only two: I got to see one and Ken got to see the other.  They may
have built some other prototypes since, and there have been some
announcements that certain companies were going to build "Immunizer
ready" machines, but I haven't seen any ads yet.

The piece quotes Robert Lee, of WD, as saying that the Immunizer gets
fewer false positives than "the popular antivirus software".
Whichever software he is referring to, and I have tested some dillies,
that is a *terrible* thing to say about them.  I have never had so
many false positives with *anything* as I had with Immunizer.

The piece ends with another quote from the CPAV guy that "The virus
writers have tried to come up with something that could not be caught,
and they have failed".  Well, yes.  Vesselin, how well is CPAV doing
on the MtE tests?  :-)
 
============= 
Vancouver      ROBERTS@decus.ca         | "The client interface
Institute for  Robert_Slade@sfu.ca      |  is the boundary of
Research into  rslade@cue.bc.ca         |  trustworthiness."
User           p1@CyberStore.ca         |    - Tony Buckland, UBC
Security       Canada V7K 2G6           | 

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 75]
*****************************************
