To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #76
--------
VIRUS-L Digest   Monday, 10 May 1993    Volume 6 : Issue 76

Today's Topics:

Anti-virus planning
Help Student Computer Virus Project?
Re: need help removing flip virus (PC)
Re: Port Writes (PC)
Re: Copyright of Virus Signatures (PC)
Re: Anti-virus planning (PC)
Re: Anti-virus planning (PC)
Re: DOS 6.0 and Scan (McAfee) Interaction (PC)
NetShield (NLM) bugs? (PC)
XPEH4 Virus Information wanted (PC)
McAfee NETSCAN question (PC)
Re: info about new virus (PC)
Re: NAV Updates (was Central Point Anti-Virus Updates) (PC)
Can a virus infect NOVELL? (PC)
COMMAND.COM Vaccination (PC)
ARCV Viruses (PC)
Re: Port Writes (PC)
TBAV anti-virus software (complete pkg v6.00) (PC)
Anyone have something like this? (PC)
Anyone have something like this? (PC)
Port Writes (PC)
Can a virus infect NOVELL? (PC)
integrity master 1.43 (PC)
Types of Antivirals (CVP)
Evaluation Standard - Numbers again (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Mon, 10 May 93 02:45:29 +0000
From:    rob.borek@rose.com (rob borek)
Subject: Anti-virus planning

  
V >       a) Let's have one workstation assigned only for virus detection and
V >          cleaning. As users come into our site, they would be led to this
V >          workstation to have their diskettes checked for virus.
V > 
V >       b) Each time a new user uses a workstation, as soon as he logs into
V >          the server (automatically), we would check the workstation for
V >          virus. If it is infected, we would clean or "rebuild" it from the
V >          server, in order not to have an user diskette infecting another
V >          user's one.
V > 
V >    What do you think of this?

You could do both... for b), just insert the virus scanner in the 
startup files for the workstation.

V > 
V >    We thought of using a TSR virus scanner, but I'm a bit worried of having
V >    it together with the LAN communications TSRs.
V > 
V >    Do you think that (or know if) it works? Would you consider another
V >    options?
V > 

I have never heard of any problems or conflicts with using a TSR virus 
detenction program... McAffee's Virus Shield supposedly works quite 
well, and loads into upper memory. I've never heard of any problems 
with using it on a LAN.

Rob Borek       Internet: 
                rob.borek@integral.on.ca 
                
 * Tagline Bad or Missing  NO CARRIER
- ---
   RoseReader 2.10  P004797 Entered at [POWERNET]
   RoseMail 2.10 : <Usenet> PowerNET/Sarnia, ONT. (519) 336-5863


------------------------------

Date:    Sun, 09 May 93 05:17:34 -0400
From:    tomw@ccadfa.cc.adfa.oz.au (Tom Worthington)
Subject: Help Student Computer Virus Project?

The ACS receives many letters from students asking for information to
help with computer projects. I thought you might like to help, so here
is one frequently asked question to start off with:

"I am currently attending TAFE studying my accounting degree. One of
the subjects I study is computer applications. I have to complete an
assignment on computer viruses and their social implications.

If you have any information on the following I would greatly appreciate it
if you could send it to me as soon as possible:

* How viruses originated

* How viruses effect businesses and people

* How viruses are combated

* Examples of viruses and their cures

* The cost of viruses"


Please send e-mail replies to me (tomw@adfa.oz.au) or paper replies to:

"Virus Question" 
c/o: Peter Horwood
ACS National Office
Suite 1, 200 Riley Street
Darlinghurst NSW 2010
fax: 02 2811208

Posted by Tom Worthington, Director of the Community Affairs Board,
Australian Computer Society Inc.


------------------------------

Date:    Sun, 09 May 93 20:30:02 -0400
From:    stevet@news.fai.com (Steve Tamanaha)
Subject: Re: need help removing flip virus (PC)

Either use an entivirus progra , or:
NDD c: /rebuild.
A more riskier way would be to do FDISK C: /MBR
To backup the fat, use norton Image or Msdos 5,or Pctool's Mirror:
image c:
mirror c:

------------------------------

Date:    Sun, 09 May 93 20:53:29 -0400
From:    trimm@netcom.com (Trimm Industries)
Subject: Re: Port Writes (PC)

> > Yes. Most modern hard disk controllers issue a hardware interrupt to
>
>STOP. Do you really think that THIS is a barrier? I mean, if someone already 
>takes the trouble to learn and implement Port-Write disk access, what is it 
>for him to add a Vector Change before and after? Besides, I haven't checked it
 
>yet, but I think it might be possible to tell the IDE NOT to generate this 
>interrupt.

You could simply use the interrupt controller to mask the IRQ of the
disk drive.  But yes, the disk can be operated in purely a polling
mode.  The unit atn interrupts are an option.  I think a lot of people
don't understand how disk controllers in the PC environment work at a
port level.  The original interface was the WD1003, which is what 
virtually all MFM, RLL, ESDI and IDE (ATA) disk drives respond to.  
There are two 8 bit regs you load up with the cylinder, one for the
head, one for the sector, and one for the count.  Then by writing
an opcode into the control register, the operation begins.  I've
posted at length on this issue on Fido Virus_Info, should I cross-
post it here?

Gary M. Watson
Electronic Engineer
trimm@netcom.com

------------------------------

Date:    Mon, 10 May 93 02:22:53 -0400
From:    alan@saturn.cs.swin.OZ.AU (Alan Christiansen)
Subject: Re: Copyright of Virus Signatures (PC)

dudleyh@redgum.ucnv.edu.au (Dudley Horque) writes:

>CS193560223@lusta.latrobe.edu.au (ENRIQUEZ,L) writes:
>>	When a virus is found, it does not usually contain a copyright, because
>>as far as I can tell, to claim copyright your real name must appear with it. 
 
>>Obviously, most virus writers dont want to do this. However, if sometime did
>>extract a piece of code (signature) from the virus, and included it in their
>>virus scanner, and recieved a fanancial advantage from this inclusion, and th
e
>>author came forth to claim copyright, would such a case be legal?

>Well... the inclusion of the copyright owner's name (and the year of
>copyright) is only necessary in the U.S. of A. (where they're backward
>enough not to have fully adopted the internationally recognised
>copyright laws devised at the Bourne convention).

>Secondly, if the virus author could prove that (s)he wrote the virus,
>AND the virus scanner contained a substantial piece of the author's
>creative effort, then the author WOULD (not could) claim copyright if
>(s)he so wished. (S)he could then attempt to sue the trousers off the
>parties who infringed their copyright. In the process, however, I would
>hope that the author also had their lower garments sued off them for the
>grief that the virus caused, AND had the potential to cause.

Just to be difficult.
I dont believe it is illegal to write a virus. Just to spread it around
deliberately. Now If I had written a virus for experimental (mental)
purposes and had it on some disks on my desk.
Then if someone stole my disks and and computer (a housebreaking.)
Then could I claim copyright on any signitures that scanners used
to recognise my inadvertantly released virus. ;-}

I actually think I couldnt. Sue for copyright.

Because any signature used by the virus writers. did not utilise my
                                            execute      ^^^^^^^
code sequence and the algorithm it represents. The sequence
is short and hence not subject to copyright in the same way that
a previous post suggested that you cant copyright "A Sheep"


------------------------------

Date:    Mon, 10 May 93 06:44:17 -0400
From:    duck@nuustak.csir.co.za
Subject: Re: Anti-virus planning (PC)

Thus spake villas@ax.apc.org:

>      a) Let's have one workstation assigned only for virus detection and
>         cleaning. As users come into our site, they would be led to this
>	 workstation to have their diskettes checked for virus.

Nothing wrong with this. If you can get a Flash-RAM board set up to be
bootable, and install your a-v software there too, then you need not 
worry about anybody subverting a clean boot [unless they open up the
PC], nor need you worry about your a-v modules getting infected. That
would be ideal: a PC that basically boots from firmware and does nothing
but offer to scan discs.

Paint it red and put it next to the coffee machine. Your delegates are
then unlikely to miss it..

>      b) Each time a new user uses a workstation, as soon as he logs into
>         the server (automatically), we would check the workstation for
>	 virus. If it is infected, we would clean or "rebuild" it from the
>	 server, in order not to have an user diskette infecting another
>	 user's one.

The problem here is that you'd be breaking a basic rule of virus clean-up:
Boot From a Clean DOS Floppy. Whilst some (indeed many) viruses can be
cleaned up without a clean boot, others may delude you into believing they're
gone when they're not. IMO, whilst you might want to handle the reporting
of infected workstations automatically, you should arrange for your tech
support gurus (aka Emergency Response Team) to handle clean-ups manually.

>   We thought of using a TSR virus scanner, but I'm a bit worried of having
>   it together with the LAN communications TSRs.

A TSR virus scanner would be great. "On demand" scanners can help tremendously.
For instance, if delegates stick in floppies and try to run infected
programs, they won't just be alterted to the virus -- the virus will be
prevented from actuating. LAN coexistence won't be a problem.

I also suggest that if the PCs you're using as workstations permit their
boot sequence to be altered to inhibit floppy boot-up that you utilise
this "feature" to help suppress boot sector viruses. This won't stop someone
who wants to infect a PC from doing so maliciously, but it will help
stop accidents.

Lastly, I'd suggest that you don't use any "active monitor" a-v software.
Active monitors are resident utilities (also known as "behaviour blockers")
which watch for apparently virus-like behavious and attempt to prevent it.
I think you'll find that the false alarms will probably waste your tech
support people's time -- and possibly focus attention on viruses, to the
exclusion of other PC issues.

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


------------------------------

Date:    Mon, 10 May 93 06:45:22 -0400
From:    duck@nuustak.csir.co.za
Subject: Re: Anti-virus planning (PC)

Thus spake villas@ax.apc.org:

>      a) Let's have one workstation assigned only for virus detection and
>         cleaning. As users come into our site, they would be led to this
>	 workstation to have their diskettes checked for virus.

Nothing wrong with this. If you can get a Flash-RAM board set up to be
bootable, and install your a-v software there too, then you need not 
worry about anybody subverting a clean boot [unless they open up the
PC], nor need you worry about your a-v modules getting infected. That
would be ideal: a PC that basically boots from firmware and does nothing
but offer to scan discs.

Paint it red and put it next to the coffee machine. Your delegates are
then unlikely to miss it..

>      b) Each time a new user uses a workstation, as soon as he logs into
>         the server (automatically), we would check the workstation for
>	 virus. If it is infected, we would clean or "rebuild" it from the
>	 server, in order not to have an user diskette infecting another
>	 user's one.

The problem here is that you'd be breaking a basic rule of virus clean-up:
Boot From a Clean DOS Floppy. Whilst some (indeed many) viruses can be
cleaned up without a clean boot, others may delude you into believing they're
gone when they're not. IMO, whilst you might want to handle the reporting
of infected workstations automatically, you should arrange for your tech
support gurus (aka Emergency Response Team) to handle clean-ups manually.

>   We thought of using a TSR virus scanner, but I'm a bit worried of having
>   it together with the LAN communications TSRs.

A TSR virus scanner would be great. "On demand" scanners can help tremendously.
For instance, if delegates stick in floppies and try to run infected
programs, they won't just be alterted to the virus -- the virus will be
prevented from actuating. LAN coexistence won't be a problem.

I also suggest that if the PCs you're using as workstations permit their
boot sequence to be altered to inhibit floppy boot-up that you utilise
this "feature" to help suppress boot sector viruses. This won't stop someone
who wants to infect a PC from doing so maliciously, but it will help
stop accidents.

Lastly, I'd suggest that you don't use any "active monitor" a-v software.
Active monitors are resident utilities (also known as "behaviour blockers")
which watch for apparently virus-like behavious and attempt to prevent it.
I think you'll find that the false alarms will probably waste your tech
support people's time -- and possibly focus attention on viruses, to the
exclusion of other PC issues.

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


------------------------------

Date:    Sun, 25 Apr 93 22:03:22 -0500
From:    Josh Panar <FCTY7045@ryevm.ryerson.ca>
Subject: Re: DOS 6.0 and Scan (McAfee) Interaction (PC)

Donald Gingrich reports:
>I am on a dial up help list for viruses among other things.  A user group
>member rang with the following report.
>
>1. he booted the machine with the MS DOS 6.0 VSAFE in the autoexec (config?)
>   (I haven't seen DOS 6.0 yet)
>2. he ran McAfee scan with the /chkhi option twice (don't ask why)
>3. on the second pass it reported the "filler" virus
>4. he has scanned the hard disk with the /chkhi /a options after a cold boot
>   on a known clean floppy -- nothing found
>
>seems like a false positive to me.

I had this happen with scanv102 and v99.  The first time scan was run
after a cold boot, no viruses were reported.  Thereafter, running scan
results in a Filler report in memory.  I also spotted Iboot a
couple of times (also as a memory virus).
A complete scan of my hard drive (6188 files) with /A reported no
viruses.
This was causing considerable consternation until I checked the
Internet and found these reports.  I hope the assumptions
of false positives are correct.
Tnx,
J. Panar       (416) 959-5079
School of Computer Science, Ryerson Polytechnical Institute
Toronto, Ontario, Canada  M5B-2K3


------------------------------

Date:    Mon, 10 May 93 13:01:25 +0000
From:    wdf2@ns1.cc.lehigh.edu (WILLIAM D FINLEY)
Subject: NetShield (NLM) bugs? (PC)

Has anyone else installed the latest version of McAfee NetShield (104---150)
on their Novell File Servers and noticed a problem with the "On-Access"
scanning options.  I configured it with "in-coming only" on-access scanning,
yet the display indicated all files were being scanned (out-going as well).
Has anyone else noticed this???  Is it a bug with the NLM???

It also appear to eat up much more utilization than the previous versions of
NetShield.

Any feedback would be welcome!
- -- 

/s/ W. D. Finley
    Dept. of Mathematics
    wdf2@Lehigh.EDU

------------------------------

Date:    Fri, 07 May 93 11:27:03 -0400
From:    Garry J Scobie Ext 3360 <GSCOBIE@ml0.ucs.edinburgh.ac.uk>
Subject: XPEH4 Virus Information wanted (PC)

Hi there,

A PC virus has been discovered within the University which 
Solomons Findviru v6.12 with drivers dated 23/2/93 identifies as 
XPEH4.4752. The Eicar ID is F77616D4. 

There appears to be very little information on this virus and I do not 
recall any discussion on this board.  All information gratefully 
received.

Thanks in advance

Garry Scobie LAN Support Officer Edinburgh University Computing 
Services Scotland e-mail: g.j.scobie@ed.ac.uk


------------------------------

Date:    Fri, 07 May 93 17:40:13 +0000
From:    "Craig.Williamson" <craig@cadzook.columbiasc.NCR.COM>
Subject: McAfee NETSCAN question (PC)

I am having a problem getting McAfee netscan to scan a complete network disk.
I am using V102 of scan and Wollongong NFS to access the net drive.  The
disks I need to scan are 1.2GB and 660MB and it just stops at random places
every time I try.  Does netscan handle drives this large?  Is my nfs causing
the problem?  Is there another way I can scan these drives?

Any help would be appreciated since we just found Scream2 [696] and I would
like to make sure it's not on the net drives.

Thanks,
Craig

- -- 
                                           "Would you like to surrender now,
- -Craig Williamson                                Captain?"
 Craig.Williamson@ColumbiaSC.NCR.COM           -William Riker,  STTNG
 craig@toontown.ColumbiaSC.NCR.COM (home)

------------------------------

Date:    Sat, 08 May 93 11:23:04 -0400
From:    al026@YFN.YSU.EDU (Joe Norton)
Subject: Re: info about new virus (PC)

   I have played with a copy of EXEBUG-][, and while it will jump
off of the floppy onto my hard drive, I can't get it to infect
another floppy.  Is it just buggy, not even a virus, or what?
I recieved it as a TD0 file that when restored is a 360k disk
with a german? copy of DOS system files on it..
- -- 

------------------------------

Date:    Sun, 09 May 93 17:08:13 -0400
From:    yh1@Isis.MsState.Edu (Yi Hong)
Subject: Re: NAV Updates (was Central Point Anti-Virus Updates) (PC)

	I wonder what is the best anti-virus scanner/remover/shield
package.  I have f-prot and mcafee's scan/vshield/clean, but I wonder
which is better or newer or have more virus database.  One of my
friend also have NAV, and I don't know much about it.  CAn you
guys tell me about the best or some of the best anti-virus software
avaliable by 1. shareware 2. commercial software,etc.



------------------------------

Date:    Fri, 23 Apr 93 16:24:09 +0100
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Can a virus infect NOVELL? (PC)

Hi Kam!

 >         "set executable files read only = on"

 > Yes, I know the set command is wrong, but what it does is makes
 > *every* executable file read only and will not allow *any* file to be
 > writen too, so the only way to upgrade a file is to first delete it and
 > then copy a new one!

That's why this protection is not very effective. Image a virus implementing 
the following pseudo-code idea:

copy to-infect.com temp.moc
infect temp.moc
del to-infect.com
copy temp.moc to-infect.com
del temp.moc

and your 'protected' executable is straight infected. Such a virus is not 
likely to be very effective, the only thing I want to show is that some on-the-
first-look-bullet-proof methods can be circumvented. You also could 'use' 
companion-type infectors, or... :-|

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)


------------------------------

Date:    Fri, 23 Apr 93 16:05:08 +0100
From:    Malte.Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: COMMAND.COM Vaccination (PC)

Hi Jani!

 > Executables that have been compressed with PKLITE are basically
 > immune to infection by viruses that infect executables, including
 > COMMAND.COM in this case.

Uh... a very dangerous statement. In fact it's wrong. See why:

 > The PKLITE file can still be infected externally
 > (as reported by McAfee's SCAN), but the actual executable cannot be
 > infected in this form.

The problem is, most viruses don't care if they infect COMMAND.COM internally 
or externally. They will go resident anyway after the next boot.
BTW, if you define "infecting" by "virally change the runtime behaviour of an 
executable", the executable is infected too, just at another level. For 
example, you can infect an executable directly by attaching code to or putting 
into it, and indirectly via exploiting OS capabilities (e.g. companion attack) 
or its directory file handle (filesystem infection, e.g. DIR-II alias MG 
Series II alias Creeping Death). Viruses using these infection techniques don'
t care about compressing.

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)


------------------------------

Date:    Tue, 27 Apr 93 12:22:19 -0700
From:    aryeh@mcafee.com (McAfee Associates)
Subject: ARCV Viruses (PC)

Hello All,

I've recently received two comments about my posting in comp.virus
about the ARCV viruses and would like to clear a couple of points
up:

1.      The viruses were *ALLEDGEDLY* written by ARCV.  There
        has been no legal determination that ARCV wrote any of
        the viruses listed.

2.      All viruses were for MS-DOS (no Mac, Unix, etcetera).

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- -- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: aryeh@mcafee.COM
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE


------------------------------

Date:    28 Apr 93 00:13:44 -0000
From:    phys169@cantva.canterbury.ac.nz
Subject: Re: Port Writes (PC)

Yes, it is difficult to stop viruses that use direct port writes. There are
things an a-v program can do to spot direct-writes from an unintelligent
virus writer, but you can't count on them.  Something like OS/2 can spot
them, unless the virus gets control first.  Hardware alarms would probably
be the safest and cheapest long-term solution.

Of course viruses with direct writes have to be that much bigger, but that
isn't enough to make them obvious now, except in the case of one designed
to take control at boot time yet let OS/2 run. The fact that code contains
port I-O instructions is the best clue, but it would take the next generation
of a-v software to spot it (unless the virus writer didn't bother to encrypt
it). I could say more, but there might be a virus writer watching! :-)

Mark Aitchison.


------------------------------

Date:    Wed, 21 Apr 93 08:07:00 +0200
From:    Piet_De_Bondt@f0.n462.z9.virnet.bad.se (Piet De Bondt)
Subject: TBAV anti-virus software (complete pkg v6.00) (PC)

From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)

I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:

pd1:<msdos.virus>
TBAV600.ZIP     TBAV anti-virus software (complete pkg v6.00)

Thunderbyte Anti-Virus (TBAV) is a toolkit designed to protect against,
and recover from computer viruses.  It is claimed to be the most
complete anti-virus system available.  Included are TbScan, TbScanX,
TbSetup, TbClean, TbDisk, TbFile, TbMem, TbCheck, and TbUtil.

This file has replaced TBAV504.ZIP.

Greetings,

Piet de Bondt                   E-mail: bondt@dutiws.twi.tudelft.nl
- - - -
FTP-Admin for the MSDOS Anti-virus software, @dutiws.twi.tudelft.nl
- --- OD 0.0.1
 * Origin: C.C.C. (9:462/121.0@VirNet)

====> OverDose Gateway Notice <====
Message is actually from bondt@dutiws.TWI.TUDelft.NL
Reply to 9:462/121.0 Internet Gateway with first line of message body beeing:
TO: bondt@dutiws.TWI.TUDelft.NL


------------------------------

Date:    Tue, 27 Apr 93 11:05:09 +0200
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Anyone have something like this? (PC)

Hi Hans!

 > Is it possible that you can get bad sectors because of a virus ?

Logically yes (e.g. old DISK-KILLER marks three blocks as bad in the FAT), 
physically NO.

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)


------------------------------

Date:    Fri, 23 Apr 93 23:46:32 +0200
From:    Hans_Govaarts@f10.n317.z9.virnet.bad.se (Hans Govaarts)
Subject: Anyone have something like this? (PC)

 > From: sali@undergrad.math.uwaterloo.ca (Sayf Ali)
Hello Sayf,

 > Here's the problem:

 > I just installed DOS V6 on my pc. Now the problem I'm having is
 > that parts of the disk I have written to are becoming bad
 > sectors

 > Has anyone had similar problems? Remedy?

It happens more often that a HD gets more bad sectors in it's life, and that 
doesn't say that your problem is because of a virus infection. Your problem 
sounds similar to the problem I had with a Kalok HD. There was no virus on it, 
but after I while I had to format the HD, because of the growth of bad-sectors.
After the low-level format I still had the same problems.

Is it possible that you can get bad sectors because of a virus ?

 > Please Help!

Greetings Hans.

- --- FMail 0.94
 * Origin: Orion BBS - Emmen 05910-34151 - 24 uur per dag. (9:317/10)


------------------------------

Date:    Sun, 25 Apr 93 11:50:00 +0200
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Port Writes (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

VB:
 > By a natural way to write to the disk I mean - using the DOS file
 > system. After all, all DOS manuals are telling you that this is the
 > way to write to the disk.
The question was realy supposed to be "what happeneds at the end when the disk 
is accessed?" how does the BIOS int-13 access the disk (how does the machine 
do it in hardware ?).

So if you are doing a "natural" int-21 file access request, mabe it starts a 
long process envolving the board's port- addressing chip? (SCSI is an 
exeptional here).

VB:
 > The only programs that usually go that low are the programs
 > from the Norton Utilities and the similar packages - disk organizers,
 > directory sorters, disk editors. Oh, yes, and CHKDSK uses INT
 > 26h too - when it needs to fix the FAT(s).
And Windows, and some Disk-Doublers, and Disk-Manager, and some programs that 
swap with the disk, and Anti-Viruses, and ... Well isn't that enogh? What does 
your common user uses, only a word processor? ;-)

VB:
 > Regarding the DMA, the abbreviation stands for Direct
 > Memory Access and, as the name suggests, is used to access the
 > memory in a fast way (bypassing the CPU) - not the disk.
The DMA's definition is: Access any combination of I/O and memory !!! So not 
so surprizingly *ALSO* the disk. Although I agree the disk is (on "normal" 
operation conditions) an exeptional device and the DMA is usually not assigned 
to treat it.

VB:
 > Oh yes - why I am not using the product any more.
 > Well, the Dark Avenger wrote the Number of the Beast viruses, and the
 > Phoenix viruses, and the two guys from Varna wrote the MG
 > viruses. All those viruses don't try to bypass INT 13h - instead they
 > intercept it at two levels and fake a read when they want to do a write -
 > so our nice protection program sees a read request, tells the
 > "device ready" watching program "it's OK, buddy, let it pass", but
 > here comes the virus again and turns the request back to write...
A. Just my point. This method is not usefull against many    viruses.
B. The viruses you've mentioned and the method of replacing Read with Write 
are not new, there are other old viruses that do that.

VB:
 > If you are an anti-virus researcher worth your salt, you should be
 > able to understand what I am talking about by looking at the viruses I
 > mentioned...
Thanks for the appreciation.

AN:
 >> Usually the Hardware Anti-Virus products are installed ON the system-bus
VB:
 > Some are, some are not.
If you know Central-Point's Option Board (do you?) you'l know what I mean. It 
is connected in another slot and chains to the flat cable going from the disk (
floppy) controller to the drive. In many cases the floppy will have lots of 
write problems, Try it on several computers you will see.

My opinion is that the viral protection system should be:
With minimal overhead, Minimal interference with system operation,
Minimal reductionin computer performance, Minimal memory consumption,
Minimal changes to the files and system and a lot more... In other words: The 
computer is a user's working tool, not an Anti-Virus machine. And what you are 
suggesting has gone far beyond that, it may be good for a virus researcher.

AN:
 >> (in one of the slots), if one does as you suggest (between disk and bus)
 >> I'd expect "some"  8-) problems (to say the least).
VB:
 > You'd expect? Then you'd expect wrong - as I said, ExVira is installed
 > exactly in this way.
[ excellent installation manual deleted ... ]
I say it out of experiance with lots of commercial products that do that,
Some users had to reinstall the disk due to Hardware Anti-Virus products.

Warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)


------------------------------

Date:    Sat, 17 Apr 93 06:20:00 +0200
From:    Xianyow@f0.n462.z9.virnet.bad.se
Subject: Can a virus infect NOVELL? (PC)

   I have a question, can a virus infect NOVELL system?  Since there are
many read-only files in NOVELL, how can it write into that file?  If it can't
, how can it live when the power turned off?
   But I really heard some viruses can infect NOVELL.  Can anyone answer me?
   Thanks in advance!
                                               Victor
- --- OD 0.0.1
 * Origin: C.C.C. (9:462/121.0@VirNet)

====> OverDose Gateway Notice <====
Message is actually from sywu@csie.nctu.edu.tw
Reply to 9:462/121.0 Internet Gateway with first line of message body beeing:
TO: sywu@csie.nctu.edu.tw


------------------------------

Date:    Mon, 10 May 93 07:24:19 -0400
From:    HAYES@urvax.urich.edu
Subject: integrity master 1.43 (PC)

Now available for FTP:  Integrity Master 1.43 as I-M143.ZIP.  Enjoy, Claude.

==========
Site:       urvax.urich.edu,  [141.166.36.6]    (VAX/VMS using Multinet)
Directory:  [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password.  You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173


------------------------------

Date:    07 May 93 15:22:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Types of Antivirals (CVP)

PRTAVS7.CVP   930425
 
                        Types of Antivirals
 
The foregoing is not to say that a standard for the judging of
antiviral software cannot be achieved.  It is, however, an extremely
difficult task and one which we may not be able to complete at this
time.  One of the consistent barriers to judging software is that
antiviral software comes in many types.  I would now like to
elucidate *my* list of what those types are.
 
(I am fully aware that there is going to be debate about the number
of types of antiviral software.  The numbers are not all that
important.  As we proceed in more depth through the various
categories of antiviral systems, you will note that almost endless
permutations can be made by a combination of the various features. 
Hopefully the following will simply allow you to build your own
categories and to judge the software that might be best for your
situation.)
 
The first commercial antiviral systems to appear, interestingly
enough, relied upon encryption.  This was likely a hold-over from
the fact that most "serious" security types come from a mainframe or
communications environment.  Encryption is, of course, a good way to
ensure that people cannot gain unauthorized access to your
information.  While it does have some potential for protection of
existing software, few systems primarily targeted at viral
infections now use encryption at all.
 
Those early encryption systems were often paired with operation
restricting software.  Restrictive software has continued to be a
reasonably popular means of defence, probably because it *does*
defend systems and prevent the infection of programs and disks.
 
Closely related to operation restricting software is activity
monitoring software.  This software, as the name implies, oversees
the operation of the computer and alerts the user when suspicious
activity takes place.  I differentiate it from operation restricting
software because control is left in the hands of the user. 
(Interestingly, a number of these programs are named "Vaccines",
even though their method of operation has nothing in common with a
biological vaccine.)
 
Change detection software, also known as integrity checking
software, determines whether the program, file, or system has
changed, as compared against a previously established data base.  If
a sufficiently broad overview of the system is taken, this will
provide 100% effective detection of a viral infection, but it also
may raise a number of false alarms.
 
Scanners, particularly signature scanners, are currently the most
popular of antiviral software.  This is likely due to three factors,
the fact that viral programs are specifically identified, the
inclusion of disinfecting software with most scanners, and the fact
that it's easy to play numbers games with signature scanning
programs.
 
copyright Robert M. Slade, 1993   PRTAVS7.CVP   930425

==============                      ______________________  
Vancouver      ROBERTS@decus.ca    |    |     /\     |    | swiped
Institute for  Robert_Slade@sfu.ca |    | __ |  | __ |    | from
Research into  rslade@cue.bc.ca    |    | \ \    / / |    | Mike
User           p1@CyberStore.ca    |    | /________\ |    | Church
Security       Canada V7K 2G6      |____|_____][_____|____| @sfu.ca
                                                            

------------------------------

Date:    25 Apr 93 23:17:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Evaluation Standard - Numbers again (CVP)

PRTAVS5.CVP   930425
 
               Evaluation Standards - Numbers again
 
We have tried to show some of the difficulties in choosing antiviral
software.  There are, of course, matters of the type, the test suite
against which the computer is effective, the user interface and the
"style" of the program or system.  Still, surely there must be
*some* standard by which to measure antiviral software?
 
In the computer world, the nice thing about standards is that there
are so many to choose from.
 
However you divide the different types of software, it is extremely
difficult to apply the same standards to various categories. 
Besides the problems of the "numbers game", in testing a given
program against a given suite of viral programs, the importance of
the test results are of different importance to a scanner, a change
detector, and an operation restrictor.  For operation restricting
software, it may be of no importance whatsoever that the program
does not "catch" infections; so long as the restricting software is
100% effective in preventing the spread of infection, it does not
matter whether it ever "identifies" any viri.  Change detection
software may "catch" all infections, and yet be less effective than
a scanner which catches only 90%, but effectively identifies them as
well.  (Unfortunately, one must also factor in the fact that change
detectors will generate a *lot* of "false positives", particularly
as software vendors continue to insist on writing programs which
modify themselves.)  Therefore, a single "numeric" standard, based
upon the use of a test suite, would be of little utility in
assessing the overall effectiveness of antiviral software.
 
In addition, the environment is constantly changing.  Not simply the
corporate or user environment, but the number, specific strains and
types of viral programs are increasing all the time.  One of the
newer types of viral programs, as of this writing, is the companion,
spawning or "precedence" virus, which, in order to prevent the
detection of a changed program, does not change the files on disk at
all, but rather takes advantage of the order in which programs are
"called for".  Thus those operation restricting programs which
prevent changes to program files become useless, as do change
detectors which peruse only those files in the database at the
previous "run".  Standards, therefore, which are based upon the
currently existing viral environment, will be very quickly outdated,
and mostly useless.
 
A single, or even multiple, numeric measure simply does not have
sufficient flexibility to gauge antiviral software.  It may be
possible to construct one, after considerable work.  However, even
if a criterion reference could be made broad enough to cover the
various types of antiviral software, the gauge would have to be a
moving one.  Thus, antiviral software tested at one point, would
have to be retested each time the standard was renewed: at a
minimum, that would likely be on a yearly basis.
 
copyright Robert M. Slade, 1993   PRTAVS5.CVP   930425

==============
Vancouver      p1@arkham.wimsey.bc.ca   | You realize, of
Institute for  Robert_Slade@sfu.ca      | course, that these
Research into  rslade@cue.bc.ca         | new facts do not 
User           p1@CyberStore.ca         | coincide with my
Security       Canada V7K 2G6           | preconceived ideas


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 76]
*****************************************
