To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #95
--------
VIRUS-L Digest   Monday, 21 Jun 1993    Volume 6 : Issue 95

Today's Topics:

Re: Computer Crimes Unit: Scotland Yard
Writing virus protection into software
Re: Virus as extortion
Re: Digital Enterprises $5,000 challenge! $$$ $$$
100 Mb Disk became 32 Mb (PC)
PCTOOLS for Windows bug-beware (PC)
Re: Re[2]: NAV Updates (was CPAV updates) (PC)
Norton antivirus: How to get new virus definitions? (PC)
Re: Anti-Virus Techniques and direct Port Writes (PC)
Re: HELP.. my B: drive is dead ??? (PC)
Query (PC)
RE Yankee Doodle (PC)
Are there any viruses known that McAffee can't detect? (PC)
challenge-amoeba virus (PC)
CPAV updates? (PC)
Re: How a floppy is accessed. (was "DIR" infection). (PC)
Re: CPAV updates? (PC)
Viruses that cost $$$ (PC)
Monkey virus! HELP! (PC)
Maltese Amoeba Virus in PKUNZIP (PC)
Flip atack again. Terminal message (PC)
Re: Virus Scanners compared (PC)
Re: New anti-virus package available via ftp (PC)
Evaluation of change detectors (CVP)
New version of TBAV (6.03) (pc)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on cert.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 14 Jun 93 13:40:49 -0400
From:    duck@nuustak.csir.co.za
Subject: Re: Computer Crimes Unit: Scotland Yard

Thus spake S.M.Baines@sheffield.ac.uk:

>           It could help if with Anti Virus software there was a
>mention of it in the documentation, and a DOS text file that can be
>printed for the report form. If they made it clear that reports are
>dealt with in strictest confidence, and that it can all help to build
>up a case against people if they are ever caught, and that it IS a
>crime that has been perpetrated against them, then maybe reports may
>be more frequently made. Also, it may be worthwhile from time to time
>to put an advert in some of the computer press with details of what
>to do if you are infected and want to report it. What does anyone
>else think about this for an idea?

I have a similar sort of pipe dream for South African computer users.
Presently, we have nothing quite like the Computer Misuse Act here,
so it's not clear to me just what a virus writer might be guilty of --
Malicious Injury to Property is one suggested offence. 

If I were to saunter into a police station and say to the constable on 
duty "Yo, I'd like to report a case of Stoned", I might get very 
little joy [or he might radio for the Narcs and some sniffer dogs].

So, how about this: a "fill-in-the-blanks" virus report card which I 
complete, in front of the officer of the law. Then I tick a block to
indicate whether I want to make it an affidavit or a declaration, and
this law officer, as a Commissioner of Oaths, certifies it and stores
it carefully. Much like the previous poster's scheme -- but more 
formal, as legal evidence goes. Those completing such reports would
be unlikely to have to commit themselves to "be exposed" in court -- 
their affidavits/declarations would merely be "extra weight" evidence
in any virus-related prosecution.

Also, such evidence could be used across national boundaries. So, 
although a country like SA doesn't [yet] have a Computer Misuse Act,
evidence of things like virus attacks here might be usable in the
courts of countries [like Britain] which do.

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    Mon, 14 Jun 93 22:27:21 +0000
From:    vacante@CS.ColoState.EDU (robert chris vacante)
Subject: Writing virus protection into software

I am in the process of writing a piece of utility software for the pc,
and would like to include automatic virus scanning whenever an
operation requiring a complete read of a diskette is performed. (i.e.
disk copy etc.)  Is there a library which I can link into my code? Has
anybody out there done anything similar? If I must write the whole
thing, where do I begin?  Can I legally use somebody else's virus
definition library?

Any help would be greatly appreciated.

Robert

------------------------------

Date:    Tue, 15 Jun 93 06:25:02 -0400
From:    wouter@stack.urc.tue.nl (Wouter Slegers)
Subject: Re: Virus as extortion

x92jinnah@gw.wmich.edu wrote:
: wouter@stack.urc.tue.nl (Wouter Slegers) writes:
: > This may not be common for this group, but as this is about viruses...
: > A friend of mine who programs an up/download protocol got a threat
: > from Russia: Either he sold the program to them for $5 (normally $15) or
: > they would release a virus with his name in it (maybe even with the
: > protocol, I don't know for sure). He didn't comply and changed the
: > coding/protection of his program radically to make it more difficult to
: > hack/infect it. 
: > How do you feel about this? Can you give us advice as to how to handle this?
: > Do you have tips to prevent deliberate infections and hacks? (Although this
: > program is already quite protected with encryption e.g. ideas are always
: > welcome).

:    I would suggest you keep the letter (or email) you received as
: proof, in case they really carry out the threat. Don't worry about
: having your name in a virus; some of the most famous virus-busters
: (including Bontchev and Frisk, I believe) have had their name inserted
: into a virus. It won't fool anyone because it's obvious no-one's that
: dumb to be associated with a virus. No author would put his name in to
: be traced.
True, but it's still a possible problem for my friend. Should he warn his
users and face the problem of being avoided?

:    Perhaps you could arrange with the local authorities to plan some
: kind of "sting" operation to grab these guys and put them away. It's
: quite a clear case of extortion.
Not much of a chance in Russia I'm afraid..
BTW: does anyone know how to say 'F*ck off' in Russian?

Regards,
Wouter

- --
Wouter Slegers, 1st year CS at TUE (nl), wouter@stack.urc.tue.nl.
Disclaimer: If the above sounds plausible, reread it several times!
Religion and sex are powerplays*manipulate the people for the money they pay
Selling skin, selling god* the numbers are the same on their creditcards!

------------------------------

Date:    Wed, 09 Jun 93 21:45:00 +0200
From:    Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: Digital Enterprises $5,000 challenge! $$$ $$$

Hello Vesselin,

 VB> 3) It is possible to change the logical contents of a file by just
 VB> manipulating the FAT and/or the directory entries. However, a
 VB> protection card cannot just deny access to those areas, because DOS
 VB> itself is modifying them. Therefore, the card is either storing the
 VB> "protected" files on some write-protected area (and keeps a list of
 VB> the sectors write to which is forbidden), or attempts to determine
 VB> whether the request to modify the FAT and/or the directory entry comes
 VB> from DOS or not. Unfortunately, there is NO WAY this can be determined
 VB> safely enough. A virus could patch part of the DOS kernel and call it;
 VB> it could use device driver requests (like the Dir_II virus), and so
 VB> on.

This is one of the problems that we have had with NEMESIS, and we solved it 
relatively smartly. One thing I can say is that you cannot decide this by 
watching the cables. And I cannot believe that you could commercially write 
such a program (I know how many hours we needed for NEMESIS..) and burn it 
into EPROMs. Frans Veldman built such a card (the ThunderByte card); he should 
know about the possibilities and limits of a hardware solution.
I've heard about TBAV 6.02, but I never heard about ThunderByte 5.x.

 VB> 4) There is a remote possibility that the card requires some kind of
 VB> TSR program to be present - for instance to display messages, to
 VB> request the Yes/No response from the user, and so on. In some cases,
 VB> it is possible to patch this program and make it always tell the card
 VB> "everything's fine, just go on".

If there exists any utility program then there exists an interface :-)
If you know the ports you probably can switch the card "off".

If it allows modifying the config.sys you can insert a "stop-booting" device.
It has to work with DoubleDisk, Stacker and so on. So it has to allow remapping 
of sectors, and it doesn't have control over which sector belongs to which 
file.

Some outs, and the computer will not boot from c:.

greetings from karlsruhe,
      Robert

- ---
 * Origin: Virus Help Service Karlsruhe, 49-721-821355 (9:492/2170)

------------------------------

Date:    Mon, 14 Jun 93 10:13:07 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: 100 Mb Disk became 32 Mb (PC)

From:    SALVA@vm.cpd.ua.es
>Hi, I have a 386 pc computer with 120 Mb of HD and 4Mb of Memory.
>This computer was infected by the Flip. The Flip was cleaned, but the
>100 Mb was transformed to 32 Mb (fdisk detects 120 Mb), but DOS 5.0
>detects 32.  Any idea to recover the information above 32 mb thru 120?

What has happened is that you now have a corrupt partition table. FDISK
is reading the information from the BIOS which was not damaged. What you
need is either (and before any other changes occur on the disk !) to restore
the original MBR to the correct values or to rebuild the partition table 
manually.

If what you had was a single partition for the whole disk, then three
changes will need to be made:
1) The partition "type" may need to be changed from "04" to "06"
2) The word containing ending track/sector/head information may need to
   be corrected.
3) The doubleword containing the total number of sectors may need to be 
   corrected.

Note: not all of these will necessarily be bad but from the symptoms,
      at least one is.

For more complete documentation of the partition table and BIOS disk 
parameters (Int 13h fn 08h - dx must be loaded with the drive number -
80h for the first disk, 81h for the second if present), I would suggest
either the QUE book, "DOS Programmer's Guide", or the documentation
for my freeware FixMBR program contained in FixUtil5 at most sites.

				Warmly,
					Padgett
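Added example, not Padgett's FixMBR and not code from anyone in the digest: a small C checker that parses the partition table entries Padgett describes (offset 1BEh of the MBR) and flags the three kinds of damage he lists, checking each entry against the BIOS geometry from Int 13h fn 08h. The 238/16/63 geometry, the sample MBRs, the function names and the problem flags are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not FixMBR): parse the four partition table entries at
   offset 1BEh of a 512-byte MBR and check each one against the BIOS drive
   geometry (Int 13h fn 08h values, supplied by the caller). */

#define PT_OFFSET 0x1BE
#define F_BAD_SIG          0x01u  /* no 55 AA at offset 1FEh */
#define F_TYPE04_TOO_BIG   0x02u  /* type 04 (FAT16 < 32 MB) yet more than 65535 sectors */
#define F_END_CHS_MISMATCH 0x04u  /* ending C/H/S bytes disagree with start LBA + size */
#define F_ENDS_EARLY       0x08u  /* partition ends more than one cylinder before disk end */

struct part_entry {
    uint8_t  boot, type;
    unsigned end_c, end_h, end_s;  /* decoded from the packed 3-byte field */
    uint32_t start_lba, sectors;
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Packed CHS: byte 0 = head, byte 1 = sector (bits 0-5) + cylinder bits 8-9
   (in bits 6-7), byte 2 = cylinder bits 0-7. */
static void unpack_chs(const uint8_t *p, unsigned *c, unsigned *h, unsigned *s) {
    *h = p[0];
    *s = p[1] & 0x3F;
    *c = ((unsigned)(p[1] & 0xC0) << 2) | p[2];
}
static void pack_chs(uint8_t *p, unsigned c, unsigned h, unsigned s) {
    p[0] = (uint8_t)h;
    p[1] = (uint8_t)((s & 0x3F) | ((c >> 2) & 0xC0));
    p[2] = (uint8_t)(c & 0xFF);
}

void parse_entry(const uint8_t *mbr, int idx, struct part_entry *e) {
    const uint8_t *p = mbr + PT_OFFSET + 16 * idx;
    e->boot = p[0];
    e->type = p[4];
    unpack_chs(p + 5, &e->end_c, &e->end_h, &e->end_s);
    e->start_lba = rd32(p + 8);
    e->sectors   = rd32(p + 12);
}

/* LBA -> CHS under the given geometry (sector numbers start at 1). */
static void lba_to_chs(uint32_t lba, unsigned heads, unsigned spt, unsigned *c, unsigned *h, unsigned *s) {
    *c = lba / (heads * spt);
    *h = (lba / spt) % heads;
    *s = lba % spt + 1;
}

/* Return a bitmask of the F_* problems found in entry idx. */
unsigned check_entry(const uint8_t *mbr, int idx, unsigned cyls, unsigned heads, unsigned spt) {
    struct part_entry e;
    unsigned flags = 0, c, h, s;
    uint32_t end_lba, disk_sectors = (uint32_t)cyls * heads * spt;

    if (mbr[0x1FE] != 0x55 || mbr[0x1FF] != 0xAA) flags |= F_BAD_SIG;
    parse_entry(mbr, idx, &e);
    if (e.type == 0 || e.sectors == 0) return flags;          /* unused slot */
    if (e.type == 0x04 && e.sectors > 65535u) flags |= F_TYPE04_TOO_BIG;
    end_lba = e.start_lba + e.sectors - 1;
    lba_to_chs(end_lba, heads, spt, &c, &h, &s);
    if (c != e.end_c || h != e.end_h || s != e.end_s) flags |= F_END_CHS_MISMATCH;
    if (end_lba + heads * spt < disk_sectors) flags |= F_ENDS_EARLY;
    return flags;
}

/* Constructed 238/16/63 geometry (239904 sectors, about 117 MB) with one
   partition starting at LBA 63. variant 0: intact (type 06, full size);
   1: shrunk to 32 MB as DOS then sees it (type 04, 65473 sectors, CHS
   consistent with that); 2: size restored but type and end CHS not yet;
   3: intact entry but the 55 AA signature clobbered. */
void build_sample_mbr(uint8_t *mbr, int variant) {
    uint8_t *p = mbr + PT_OFFSET;
    memset(mbr, 0, 512);
    mbr[0x1FE] = 0x55; mbr[0x1FF] = 0xAA;
    p[0] = 0x80;                         /* active partition */
    pack_chs(p + 1, 0, 1, 1);            /* starts at cyl 0, head 1, sector 1 */
    p[4] = (variant == 0 || variant == 3) ? 0x06 : 0x04;
    if (variant == 0 || variant == 3) pack_chs(p + 5, 237, 15, 63);
    else                              pack_chs(p + 5, 65, 0, 16);
    wr32(p + 8, 63);
    wr32(p + 12, (variant == 1) ? 65473u : 239841u);
    if (variant == 3) mbr[0x1FE] = 0x00;
}

unsigned check_sample(int variant) {
    uint8_t mbr[512];
    build_sample_mbr(mbr, variant);
    return check_entry(mbr, 0, 238, 16, 63);
}

int main(void) {
    int v;
    for (v = 0; v < 4; v++) printf("variant %d: problem flags 0x%02X\n", v, check_sample(v));
    return 0;
}
```

To run it against a real drive, feed check_entry the first 512 bytes of the disk and the cylinder/head/sector counts the BIOS reports; as the message stresses, read and diagnose before anything is written back, and let the flags tell you which of the three fields actually needs repair.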

------------------------------

Date:    Mon, 14 Jun 93 13:50:27 -0400
From:    Dimitrius Tzimas <morass@BOURBAKI.mit.edu>
Subject: PCTOOLS for Windows bug-beware (PC)

I own PC TOOLS for Windows and I ran into an interesting problem a few 
days ago. When running PC Tools as the desktop at some point I
noticed an icon which looked like a gas pump with the caption

"NOT a bug! Do NOT destroy"

A scan with msav pctav and scan showed no viruses. The icon remained in the 
desktop for a few hours and then disappeared by itself. When the icon was 
there, it could not be enlarged to a window or removed.

After a few hours of trying to piece together the puzzle, I found the
string embedded in the file wnfsvt.exe. You can see it through the 
file viewer in hex dump in line 002470. Since the string was there in the
ORIGINAL disks as well I figured that a phone call to the PC Tools was
in order. The customer service was baffled. Their own disks also have
the same string. They gave me an "issue number 4177" and noted that this
was the first report that they've received where a sequence of events
led to the appearance of that icon.

Having wasted a few hours tracking down the problem, I told PC Tools that
it is utterly stupid to have something like that embedded in the code. 

If you experience the same problem, let them know.  

------------------------------

Date:    Tue, 15 Jun 93 00:26:31 -0400
From:    amason@cs.uct.ac.za (Ashton Mason)
Subject: Re: Re[2]: NAV Updates (was CPAV updates) (PC)

I missed the original article, nonetheless I'd like to know
where the FTP-site is, please (if it exists!)

Could those in-the-know LET US WHO DON'T KNOW ?!?!

Thanx

------------------------------

Date:    Tue, 15 Jun 93 09:21:46 -0400
From:    H1O@ezinfo.vmsmail.ethz.ch (HEINZ,STEFAN OLIVER)
Subject: Norton antivirus: How to get new virus definitions? (PC)

How and where can I get definitions for new viruses for my scanner, the Norton
Antivirus? I couldn't find any information in the user's guide. 

------------------------------

Date:    Tue, 15 Jun 93 11:51:04 -0400
From:    duck@nuustak.csir.co.za
Subject: Re: Anti-Virus Techniques and direct Port Writes (PC)

Thus spake padgett@tccslr.dnet.mmc.com (A. Padgett Peterson):
>involve any code in segment F000h but the problem is still how to know
>*when* to do those INs and OUTs. For this reason the technique is
>useful for user- initiated actions such as data recovery and not much
>use by themselves to a virus writer 8*). In particular, heuristic
>scanners might find it a good idea to scan for INs and OUTs since few
>programs would have any to use them.

I just plucked a very nice little routine off the Net [DUG_IDE by an
Oztralian called Doug Merrett; dcm@mincom.oz.au] which reports all
sorts of useful status info from your IDE drive. Naturally, like
the stuff Inbar has been talking about, it's all polled -- just sends
a command to the controller, waits for the stuff to be ready and INs
it in.

So there will be useful [very useful!] little programs which get 
harassed for INs and OUTs to the HDD I/O zone.

Paul

    /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
    \  Paul Ducklin                         duck@nuustak.csir.co.za  /
    /  CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa  \
    \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date:    Tue, 15 Jun 93 17:20:09 -0400
From:    korpela@sdp1.cea.berkeley.edu (Eric J. Korpela)
Subject: Re: HELP.. my B: drive is dead ??? (PC)

UC532838@mizzou1.missouri.edu (handy) writes:
>Help...
>my B: drive (1.44) is not working anymore.. a couple of days ago
>it was fine.. now that I needed to retrieve some files from floppy
>it's dead. I checked & run CMOS set up & CMOS diagnostics, & all
>CMOS data looks OK to me.. I also cleaned that drive w/ cleaner disk
>'cos I thought there was some dust in the way.. but it didn't help..
>Please anybody help..
>What might cause this.. & how to fix it ?
> I've tried a dozen of disks & it still gave me General Failure Error..
> 

Someone on comp.virus recently reported similar behavior.  It has also
happened to me and one of my coworkers quite recently.  No virus
scanner has reported anything.  Anyone have any ideas?

Eric

- -- 
Eric Korpela                                    |  The two most common things
korpela@cea.berkeley.edu              Internet  |  in the universe are
BKYAST::KORPELA    42215::KORPELA     DecNet    |  Hydrogen and stupidity.
korpela%bkyast@ucbjade                Bitnet    |       -Harlan Ellison

------------------------------

Date:    Wed, 16 Jun 93 09:24:53 -0400
From:    brown@sra.com (Ed Brown)
Subject: Query (PC)

Hello, I'm new to the PC world and bb's. I would like to know what are your
top 3 anti-virus program choices. Thanks

- --

Ed Brown	brown@sraverdi.iisd.sra.com

I REFUSE TO GROW UP UNTIL SOMEONE TELLS ME WHY I HAVE TO GIVE UP MY TOYS!!!

Ed Brown                   
Systems Research and Applications Corp (SRA)
2000 15th St
North Arlington, VA 22201
(703)-558-7591 (work)

------------------------------

Date:    Wed, 16 Jun 93 10:22:08 -0400
From:    DDV5213@tntech.edu
Subject: RE Yankee Doodle (PC)

>      I found the Yankee Doodle virus on a floppy disk one of my users
>brought in.  I have eradicated it and it did not infect any of our computers
>or network.
>     I am curious as to WHEN and WHAT the Yankee Doodle virus would do if I
>had not caught it.      ^^^^.    ^^^^
>     Any and all replies are welcome!

As far as I know, which isn't real far, the Yankee Doodle virus is destructive
in the sense that it infects COM files with its code.  Any time you modify a
file you stand the chance that it will not run properly and therefore it is
ruined.  Other than infection the only other thing I know the virus will do is
play the song Yankee Doodle.  I think it is date dependent and will only play on
July 4.  Hope this helps.

	---------------------------------------------------------------
	| Donald Viar			Internet:  DDV5213@TNTECH.EDU |
	| Tennessee Tech. Univ.         Voice: (615) 372-3684         |
	| College of Bus. Admin.        Mail:  TTU Box 5025           |
	| Microcomputer Specialist             Cookeville, TN   38505 |
	---------------------------------------------------------------

------------------------------

Date:    Wed, 16 Jun 93 14:01:21 -0400
From:    <mgt@willard.atl.ga.us>
Subject: Are there any viruses known that McAffee can't detect? (PC)

Are there any viruses known that McAffee can't detect, and if there are
any, what are the signs?

- --
mgt@willard.atl.ga.us (Matthew Trembley)
gatech!kd4nc!vdbsan!willard!mgt
emory!uumind!willard!mgt
Willard's House BBS, Atlanta, GA -- +1 (404) 664 8814

------------------------------

Date:    Wed, 16 Jun 93 14:47:59 -0400
From:    H1O@ezinfo.vmsmail.ethz.ch (HEINZ,STEFAN OLIVER)
Subject: challenge-amoeba virus (PC)

The challenge amoeba virus has appeared in Switzerland.
By the way: does anybody know what it does?
I found it in some files I got from switch.ch.

------------------------------

Date:    Thu, 10 Jun 93 12:36:01 +0200
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: CPAV updates? (PC)

Amir Netiv writes:

 > Alan Boon writes:
 >> With Bootsafe and Vsafe running, your system is well
 >> protected provided you update the signature files.
 > Yeah sure, and your system is also 5 times slower than usual. Did you
 > ever stop to check the performance of your PC with or without these
 > programs in memory?

I am not justifying __Safe, but you must make some kind of compromise if you 
want this kind of on-line protection. Some even go as far as hardware 
components intercepting the write commands to the drives. This is probably the 
most efficient protection, but I doubt that the non-expert user knows when a 
write command is due and when it is not.

In my opinion, if you keep yourself a rescue diskette with, say, your MBR, 
Boot Sector and other important stuff, you may as well skip BootSafe, because 
if you ever identify a virus (needless to say, you DO scan regularly), or have 
a virus damage any of those areas, you can restore it. However, you might want 
to use a TSR such as Vshield, which intercepts the execution of infected programs. 
This WILL slow down your computer, but, like I said, you have to make some 
kind of compromise.

Inbar Raz
Chief Data Recovery
- - --
Inbar Raz                 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210            Fax:   +972-8-403295

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)

------------------------------

Date:    Wed, 09 Jun 93 21:45:00 +0200
From:    Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: How a floppy is accessed. (was "DIR" infection). (PC)

Hello Amir,

 >> Thus, in the normal state of affairs, the boot sector of each
 >> floppy is read just once. This READ is usually preceded by an
 >> attempt to read the FAT and this is preceded by a call to
 >> Int 13 to check the door opened status.

 AN> If what you suggest is right, why is it necessary to access the boot
 AN> sector every time?

This code came to us from Microsoft; you should not think about it.
Fact is that DOS DOES always read the boot sector of the current drive
(at least DOS 5.0 and DOS 6.0).

Start debug, dump the data at 70:14E.
Quit debug,
type DIR A:
then start debug again and look at this data. You will see the boot sector of 
drive A:.
Do it again with any other drive.

greetings from karlsruhe, frgdr
      Robert

- ---
 * Origin: Virus Help Service Karlsruhe, 49-721-821355 (9:492/2170)

------------------------------

Date:    Wed, 09 Jun 93 21:45:00 +0200
From:    Robert_Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: CPAV updates? (PC)

Hello Vesselin,

[tremor]

 >> Both DOS and Windows versions can also detect changes to "system" files
 >> (.exe, .com, .dll, .ov?, etc.) which seems to cover just about everything
 >> one is likely to meet in everyday home use.

 VB> Funny, I don't know about any virus that can infect .DLL files...

Just for information: Tremor does not try to infect files with an NE header
(Windows files, OS/2 files and so on).

Greetings,
      Robert

- ---
 * Origin: Virus Help Service Karlsruhe, 49-721-821355 (9:492/2170)

------------------------------

Date:    Thu, 10 Jun 93 16:19:09 +0200
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Viruses that cost $$$ (PC)

Hello Fabio!

 > Vesselin:  Did Burner work?  Still testing?  No interest?

 > I just have curiousity in knowing if you are convinced that it
 > is perfectly possible to destroy hardware by software...

Well, I'm not convinced. You can 'burn' old Hercules monitors, okay. You may 
also be able to 'burn' SOME kinds of floppy drives by misadjusting them
(headbanging ;-) ). You may 'burn' a standard VGA monitor if used together 
with a super-VESA-1280x1024-non-interlaced-VGA-card.
Anyway you can 'burn' non-together-fitting hardware.

I guess that's all :-) What does your program try to do? We had more 
postulations in the past like this one. But still no one sent any program 
being able to kill hardware in other ways than described above. You do?

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date:    17 Jun 93 12:31:15 -0600
From:    a_beddoerj@ccsvax.sfasu.edu
Subject: Monkey virus! HELP! (PC)

Hello all,

I seem to have collected a virus, from where, well, I don't know.  That is not 
really the problem.

The first clue that something was wrong was when I tried to run Windows this
morning.  I was given the message that the address that MS-DOS uses to address
the hard drive had been changed.  The message said that some disk caching
programs do this, and if I weren't using one of those, I should check for
viruses.  It then said that I could use Windows without 32-bit disk access.

I checked my config.sys and autoexec.bat, and discovered that no one had
changed them, to add a disk cacher, and then FTP'd scanv100 and cleanv100 to
check out my hard drive.

Scan reported a virus called "Monkey" [mon] in critical memory, and instructed
me to power down and reboot from a clean, uninfected disk, and run scan again
to determine damage to the hard drive.

When I did this, scan couldn't find drive c:!  

I think I'm in trouble. :-)

Does anyone have any ideas on how to combat this virus?  What is this Monkey
virus, anyways?  I need to know how to remove it from my machine, if possible.

Many thanks in advance!

Joe.
a_beddoerj@ccsvax.sfasu.edu

------------------------------

Date:    Thu, 17 Jun 93 13:40:40 -0400
From:    H1O@ezinfo.vmsmail.ethz.ch (HEINZ,STEFAN OLIVER)
Subject: Maltese Amoeba Virus in PKUNZIP (PC)

Recently, my virus scanner, the Norton Antivirus, detected the Maltese Amoeba
Virus in pkunzip.exe. I got a "new" unzip, again, it seemed to be affected,
though the friend I got it from was sure it couldn't be. Later, we found out
that the McAffee Scan didn't find any virus in the file. Now, I'm asking myself
whether it was a false alarm by the Norton AV or whether "Scan" just didn't
recognize the virus. BTW: What would Maltese Amoeba do if it were present?
Anybody?

[Moderator's note: This is almost undoubtedly a well-known false
positive that was discussed here in detail a couple months ago.]

------------------------------

Date:    Thu, 17 Jun 93 18:53:29 -0400
From:    SALVA@vm.cpd.ua.es
Subject: Flip atack again. Terminal message (PC)

Thanks to all the people who helped me recover the 66% of the HD
infected with Flip. Special thanks to

Ramon.Martinez@po.f5.n346.z2.fidonet.org
padgett@tccslr.dnet.mcc.com
mtppepim@lg.ehu.es
mpetit@dit.upm.es

Effectively, changing the bytes FA FF to 00 00 in the boot sector and
rebooting, the 120 Mb show....

Thanks to all.
     ____________________________________________________________
    >                                                            <
    |   Salvador P. Sanchez    Salva@ealiun11.bitnet             |
    |   University of Alicante Salva@vm.cpd.ua.es                |
    |   Spain                  Fax 34-6-5903464                  |
    >____________________________________________________________<

------------------------------

Date:    Thu, 17 Jun 93 22:15:36 -0000
From:    phys169@cantva.canterbury.ac.nz
Subject: Re: Virus Scanners compared (PC)

bill@solaria (Bill Neisius) writes:
> Fridrik Skulason (frisk@complex.is) wrote:
> : bill@solaria (Bill Neisius) writes:
> : 
> : >Some comparisons of several virus scanners, using test viruses
> : >generated by virsim.com (garbo.uwasa.fi:/pc/virus/virsim2c.zip):
> : 
> : There is one serious problem with the test - it is absolutely meaningless.
> : The files that VIRSIM generates are NOT viruses, so a perfect scanner should
> : not detect a single one of those files...however, this does not imply
> : that a scanner that detects nothing, as NAV did is perfect :-).  In practice a
> : scanner may generate a few false positives, because the files contain fragments
> : of viruses, but that does not give any indication whatsoever regarding
> : the scanner's ability to actually detect viruses.
> 
> Unfortunately, I don't have a large collection of live viruses to test with...
> Other than checking the scanners ability to recognize known virus signatures,
> how else can we know that the scanner is doing it's job? 

Good question, but to start with you need a really good collection of real
viruses, not just snippets from viruses which some scanners may consider to
be enough to say "the virus is here" and others don't.  You also have to
understand that there are different types of virus detector, of which the 
"scan for known virus signatures" type is just one - albeit a very (too?)
popular one. There are also scanners that look for general virus-like clues,
ones that spot activities (like modifying an executable) that viruses tend to
do, and so on.  

To try to answer your question properly, it is obvious that finding a very
large list of known viruses is only a beginning. Using the same list of known
viruses for the test that the author of the scanner used is not a good idea,
and there are some collections around the world that are good enough to test
a claim that a scanner of the type you're talking about is doing what it claims
(which is still a far cry from doing what it needs to do).  The test of a good
scanner is when an old version detects viruses that were written after it, even
ones written with some knowledge of how the scanner works.

> While I was looking for scanners to compare, I found vsig9305.zip on
> oak.oakland.edu:/pub/msdos/virus, which contains the virus signatures of
> more than 500 viruses.  Actually, I thought that virus signatures were
> publicly available and not the proprietary interest of any particular
> scanner...

Virus signatures are fragments of viruses which some person considers
always exists in the virus but (hopefully) never in good programs.
Different virus scanners (should) use different signatures, and keep
them secret, since virus writers have a habit of looking at what part
of their virus the scanners are after and making a byte or two of
difference as a quick and easy way of prolonging the life of the
virus.  The more freely available a set of signatures becomes, the
less value it has. Sure, it might mean you can spot the common old
viruses, but too many people start thinking they can create their own
viruses by a simple hack of one of the old ones, changing some of
those bytes. This is a worse problem than the original author patching
it because, even though it is often spotted by serious virus scanners
as "possibly a new variant of...", all the variants have to be checked
and entered as individual viruses since some might cause new
side-effects and not distinguishing them from the original when
treating them could lead to problems.

I'm still trying to answer the question "How do you test a scanner" -
it isn't easy because there are so many tests that aren't good enough.
That is why reviewers like to give them points for documentation and
speed (which are very worthwhile things to consider), but rarely do a
good job of testing their ability to find any virus your computer
might have (even if magazines with a collection of a dozen viruses
claim to!).

Perhaps the best way to test antivirus/security systems is with "paper
viruses", ones that are designed but not built, by people who didn't
write the system, but with enough knowledge of it to work out if the
virus would get around it if built. Of course hardly anybody has the
time to do that - just keeping up with the zillions of moronic
variations of viruses that come in all the time is enough, and
consumers tend to shop purely on the basis of the number of known
viruses detected.  It is still fun to grab an old heuristic virus
detector, e.g. a 1990 version of scanboot or F-Prot from 1991 and see
what they will detect. Remember that it takes a while to spot and
study a new virus; scanners of today are there trying to detect a
range of viruses which includes viruses that will be "known" in a year
or so.

Mark Aitchison.
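Added example, not from Mark's post and not code from any real scanner: a minimal signature scanner in C that shows in code what a "signature" is (a byte fragment with wildcard positions) and how a scanner can report a close but inexact match as "possibly a new variant of ..." instead of staying silent. The signature (deliberately an ASCII string with two wildcard bytes, so it cannot be confused with a real one), the sample file images and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a signature is a byte pattern with optional wildcard
   positions. A hit is "exact" when every fixed byte matches, and "near"
   when at most max_mismatch fixed bytes differ. */

#define SIG_MAX 16

struct signature {
    const char *name;
    uint8_t bytes[SIG_MAX];   /* pattern bytes */
    uint8_t mask[SIG_MAX];    /* 1 = byte must match, 0 = wildcard */
    size_t  len;
    unsigned max_mismatch;    /* how many fixed bytes may differ for a "near" hit */
};

enum { HIT_NONE = 0, HIT_EXACT = 1, HIT_NEAR = 2 };

/* Count the fixed-byte mismatches between the signature and buf[0..len). */
static unsigned mismatches_at(const struct signature *s, const uint8_t *buf) {
    unsigned bad = 0;
    size_t i;
    for (i = 0; i < s->len; i++)
        if (s->mask[i] && buf[i] != s->bytes[i]) bad++;
    return bad;
}

/* Slide the signature over buf. The first exact hit wins; otherwise the
   closest near hit within tolerance is reported. *pos receives the offset. */
int scan_buffer(const uint8_t *buf, size_t len, const struct signature *s, size_t *pos) {
    int best = HIT_NONE;
    unsigned best_bad = s->max_mismatch + 1;
    size_t off;
    if (len < s->len) return HIT_NONE;
    for (off = 0; off + s->len <= len; off++) {
        unsigned bad = mismatches_at(s, buf + off);
        if (bad == 0) { *pos = off; return HIT_EXACT; }
        if (bad < best_bad) { best_bad = bad; best = HIT_NEAR; *pos = off; }
    }
    return best;
}

/* Constructed signature "SIGN??TURE-DEMO": 13 fixed bytes, two wildcards,
   one-byte tolerance. Not a real virus signature. */
static const struct signature demo_sig = {
    "DEMO.Constructed",
    { 'S','I','G','N', 0, 0, 'T','U','R','E','-','D','E','M','O' },
    {  1,  1,  1,  1,  0, 0,  1,  1,  1,  1,  1,  1,  1,  1,  1  },
    15, 1
};

/* Constructed file images: 0 clean, 1 exact match, 2 one fixed byte off
   (reported as a near hit), 3 two fixed bytes off (outside tolerance). */
static const char *samples[] = {
    "plain program image, nothing of interest inside",
    "MZ-header-stub:SIGN12TURE-DEMO:tail",
    "MZ-header-stub:SIGN99TURE-DEMX:tail",
    "MZ-header-stub:SIGN99TURE-DEXX:tail",
};

int scan_sample(int which, size_t *pos) {
    const uint8_t *buf = (const uint8_t *)samples[which];
    return scan_buffer(buf, strlen(samples[which]), &demo_sig, pos);
}
int scan_sample_hit(int which) { size_t pos; return scan_sample(which, &pos); }
long scan_sample_offset(int which) {
    size_t pos;
    return scan_sample(which, &pos) == HIT_NONE ? -1L : (long)pos;
}

int main(void) {
    static const char *label[] = { "none", "exact", "near" };
    int i;
    for (i = 0; i < 4; i++)
        printf("sample %d: %s hit for %s at offset %ld\n", i,
               label[scan_sample_hit(i)], demo_sig.name, scan_sample_offset(i));
    return 0;
}
```

The near-hit path is the point of the example: a scanner that only accepts exact matches has nothing to say about sample 2, while one with a small tolerance can at least raise the "possible variant" flag the post mentions, at the price of more false positives on short or loosely fixed signatures. Sample 3 shows the tolerance being exceeded.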

------------------------------

Date:    Sat, 19 Jun 93 13:19:02 -0400
From:    vfr@netcom.com (sOciaLly AdePt)
Subject: Re: New anti-virus package available via ftp (PC)

bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>P.P.S. I am using the opportunity to transfer a request from the
>author. If there are any VirNet users who also have access to
>anonymous ftp, please download the package from our site and transfer
>it to VirNet. I don't have access to VirNet myself, so I am not able
>to do it. Thanks.

Wait!! VirNet does not hatch out files it gets from users!! Well,
maybe some certain trusted users, but please, remember VirNet files are
obtained from the authors or via a very few sources (trusted), and
we do not want/need users to send anti-virus software generally.  The
programs are hatched -only- by Mikael Larsson, so we especially hope
no VirNet user gets this file and hatches it!!

Please, if you are a VirNet user, do -not- hatch any files into the
net!

------------------------------

Date:    Wed, 16 Jun 93 15:16:32 -0400
From:    "Rob Slade" <roberts@decus.ca>
Subject: Evaluation of change detectors (CVP)

PRTAVSD.CVP   930522
 
                  Evaluation of Change Detectors
 
There are numerous implementations of change detection software. 
Some versions of this software run only at "boot time", others check
each program as it is run.  Some of these programs attach a small
piece of code to the programs they are "protecting", and this may
cause programs which have their own change detection features, or
non-standard internal structures, to fail.  Some programs only
protect system software, others only protect program files.  Some
change detectors keep the "signature" file in the root directory,
some in the "local" directories, and some allow you the option of
keeping the file on a diskette "offline" and out of the reach of
viral programs which might try to damage it.  (One notable product
at one time created 77 byte hidden files for each program on the
disk, causing no end of grief to the research community by continual
calls for information on this 77 byte virus.  The answer was, of
course, "You don't have a virus, you have the ______ Antivirus.")
 
A major factor in judging change detection systems is that of
installation and operation time.  Since the system will be
calculating "signatures" of all (or all selected) programs on your
system (sometimes with very sophisticated algorithms), it may take
some time to install, and to "re-install" each time you make a
change to your system.  It may also take an unacceptable amount of
time to boot or to check out a program before it will allow it to
run.  You may find that a change detection system with a "weaker"
calculation algorithm is more effective for your situation given the
time savings.
 
The answers to these questions should actually be available to you
in the documentation.  You shouldn't actually need to run the
program to test it out.  Unlike activity monitoring software, there
is no need for the producer of change detection software to hide
anything from either you or virus writers.  A truly complete change
detection package is unbeatable (dependent, of course, on a "clean
start"), and does not require any hidden "tricks".  A package with
documentation that does *not* answer all of your questions is a sign
of lack of confidence on the part of the author, and possible
weakness in the program.
 
Note that the above is presuming that you are protecting a single
computer or a local office.  Change detection has other uses,
including authentication of material sent via email or retrieved
from an archive site.  The calculation algorithms used in those
situations must be much stronger.  Delays of mere seconds caused by
trying to "crack" protection will be detectable locally: it would be
no problem to spend three days cracking the security of an archived
file.
 
copyright Robert M. Slade, 1993   PRTAVSD.CVP   930522

==============
Vancouver      ROBERTS@decus.ca         | "A ship in a harbour
Institute for  Robert_Slade@sfu.ca      |  is safe, but that is
Research into  rslade@cue.bc.ca         |  not what ships are
User           p1@CyberStore.ca         |  built for."
Security       Canada V7K 2G6           |           John Parks

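A minimal change detector along the lines the column describes, added here as an illustration and not Rob Slade's or any product's code: it computes a signature of each program file, keeps the signature file outside the protected tree with an HMAC so that tampering with the signature file itself is noticed, and reports changed, added and missing files. The program-file suffix set, the demo key and the sample files are constructed assumptions.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical change detector written for this digest entry, not any product's code.
PROGRAM_SUFFIXES = (".exe", ".com", ".sys", ".bin")  # assumed "program file" set

def file_digest(path, algo="sha256"):
    # 'algo' is the speed-versus-strength knob the column discusses
    return hashlib.new(algo, Path(path).read_bytes()).hexdigest()

def build_baseline(root, algo="sha256"):
    # signature of every program file under root, keyed by relative path
    return {p.relative_to(root).as_posix(): file_digest(p, algo)
            for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES}

def save_baseline(baseline, dest, key):
    # HMAC over the signature file so that editing it to hide a change is detected
    body = json.dumps(baseline, sort_keys=True)
    mac = hmac.new(key, body.encode(), "sha256").hexdigest()
    Path(dest).write_text(json.dumps({"entries": body, "mac": mac}))

def load_baseline(src, key):
    doc = json.loads(Path(src).read_text())
    expected = hmac.new(key, doc["entries"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("signature file has been altered")
    return json.loads(doc["entries"])

def check(root, baseline, algo="sha256"):
    # report changed, new and missing program files relative to the baseline
    now = build_baseline(root, algo)
    return {"changed": sorted(n for n in baseline if n in now and now[n] != baseline[n]),
            "added": sorted(set(now) - set(baseline)),
            "removed": sorted(set(baseline) - set(now))}

def demo():
    # constructed sample: baseline three files, then alter one and add one
    key = b"constructed-demo-key"  # in practice kept with the offline baseline copy
    with tempfile.TemporaryDirectory() as d:
        root, sig = Path(d) / "dos", Path(d) / "baseline.sig"  # sig sits off the tree
        root.mkdir()
        for name in ("command.com", "edit.exe", "readme.txt"):
            (root / name).write_bytes(b"original " + name.encode())
        save_baseline(build_baseline(root), sig, key)
        (root / "edit.exe").write_bytes(b"original edit.exe" + b"\x90" * 16)
        (root / "newprog.com").write_bytes(b"constructed new program")
        return check(root, load_baseline(sig, key))
```

Passing a cheaper algorithm name such as "md5" to build_baseline and check trades the strength the column warns about for the install-time savings it mentions; readme.txt is ignored because only program suffixes are checked.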
------------------------------

Date:    Thu, 17 Jun 93 05:06:27 -0400
From:    v922340@presser.si.hhs.nl (Ivar Snaaijer)
Subject: New version of TBAV (6.03) (pc)

File whatsnew.603 from the TBAV603.ZIP file. Sorry, but I can't upload it to
SIMTEL20 because I don't have direct ftp access.

Ivar.

-------- begin included message ---------

Update report of Thunderbyte Anti-Virus utilities.
    Prefixes:
    '-'     indicates a change that does not require user attention.
    '->'    indicates a modification that requires user attention, such as a
            change in program invocation, etc.

*** NOTE ***
NetWork administrators, read the Intro.Doc file for information about a
fast and reliable way to update all workstations automatically!

6.03 Product update
-------------------

->  Full configuration file support! TBAV, TbScan, TbClean and TbSetup now
    use a configuration file named TBAV.INI.

->  Key system has been changed! Read the info below!

-   New agents added for several countries.

->  New cost schedule. Most prices have been changed.

->  The Register.* files have been replaced by a menu controlled
    register program. This saves disk space, download time, and last but
    not least, makes it more easy for you to register!

TBAV:
    -   The TBAV menu shell will no longer save configuration options in
        TBAV.CFG, but in a TBAV.INI file. This file has an ASCII format,
        so you can also edit this file manually.

    ->  All TBAV utilities will now read the TBAV.INI configuration file
        also when invoked from the command line. So, options enabled and
        saved within the TBAV menu-shell remain enabled, even if you
        invoke a TBAV utility later on from the command line!

    ->  The menu layout of TBAV has been changed slightly to make it
        more intuitive to use.

    -   The TBAV menu shell will now display the name of the registered
        user.

TbScan:
    ->  The log-file command line options have been changed. Previously,
        some options had a double functionality, like the LOG option
        which enabled the log file AND specified the logfile name.

        Option 'LogName' can now be used to configure the name of the
        log file. Option 'Log' enables output to the log file. Option
        'Append' causes TbScan to append a log file rather than
        overwriting it. Option 'session' is not supported anymore
        (although it still functions for backward compatibility).

        Don't get confused by it: If you want TbScan to output results
        to a log file, just specify option 'Log'. This will probably do
        exactly what you want.

    ->  It is no longer possible to move infected files to another
        directory. Moving infected files caused a lot of problems: What
        if TbScan scans the directory containing the moved viruses? How
        should TbClean know which Anti-Vir.Dat records belong to the
        moved file? And last but not least, how was the user supposed to
        know where a moved file came from?

    ->  Option 'move' and 'path' have been removed.

    -   TbScan now displays the number of changed files in the status
        window.

    -   Automatic detection of bootsector virus droppers enhanced.

    -   TbScan now uses the TBAV.INI file.

    ->  TbScan no longer accepts TBSCAN.KEY or old TBAV.KEYs. Registered
        users have received a new key.

    -   Eliminated some false heuristic positives.

TbScanX:
    ->  TbScanX no longer accepts TBSCAN.KEY or old TBAV.KEYs. Registered
        users have received a new key.

    -   TbScanX now also works with DOS XCOPY! Previous versions of TbScanX
        worked with every utility except XCOPY.

    -   Solved a DOS 6.0 compatibility problem. Scanning while copying did
        not always work with DOS 6.0 as expected.

TbCheck:
    ->  TbCheck no longer accepts old TBAV.KEYs. Registered users have
        received a new key.

TbSetup:
    -   Removed a minor bug: some SYS and BIN files might have been
        reported as being changed after a directory sort...

    -   TbSetup now uses the TBAV.INI file.

TbClean:
    -   Enhanced the emulator of TbClean. Removed a few bugs of the
        emulator. TbClean is now able to clean more viruses heuristically!

    -   When heuristically cleaning, TbClean now initializes the
        contents of the pseudo registers with the same values DOS
        does. This was necessary to clean some tricky viruses.

    -   TbClean now uses the TBAV.INI file.

    ->  TbClean no longer accepts old TBAV.KEYs. Registered users have
        received a new key.

TbUtil:
    -   Although TbUtil cleaned bootsectors infected by 'Stoned'
        correctly, parts of Stoned were left in the 'reserved area' of
        the MicroSoft bootsector. Unfortunately, TbScan detects this
        leftover of the virus and reports a cleaned disk as still
        infected. Now TbUtil also overwrites these reserved areas of the
        bootsector (sorry MicroSoft) so TbScan will not cause a false
        alarm anymore.

    -   The TbUtil 'patch' option has been removed. The format utility
        of DOS 6 is compressed with PkLite, so it can not be patched
        anymore.

TbKey:
    ->  The key system has been changed! The keys are now more secure.
        Single User keys can now no longer be used on multiple machines.
        All registered users have received a letter with the new keycodes.

        Warning! The new key system has many hidden 'features' and
        memory pointers. Illegal keys which happen to work on one
        version of TBAV will produce unpredictable results on other
        versions! If you use an invalid key you are on your own: TBAV
        may fail to detect viruses, fail completely, or even cause
        damage due to random memory pointers.

    -   TbKey will no longer create an invalid key when the entered
        information is invalid. The key codes are tailed by a checksum
        and if the checksum doesn't match no key will be generated.

        Warning! If you 'play' with TbKey it might be possible that you
        accidentally enter information with a correct checksum which
        will be accepted by TbKey. However, it is almost certain that
        the resulting key is NOT correct. Using such an invalid key
        causes unpredictable results.

    -   If you are not registered, and TBAV doesn't behave as expected,
        make sure that no TBAV.KEY file exists in your directory!

TbMon:
    ->  The monitor utilities TbMem, TbFile, TbDisk and TbGarble now
        only accept the new key file.

Upgrade.Bat:
    This batch file will delete files from previous TBAV versions which
    will not be supported anymore.

Viruses:
    -   Removed signatures:

        LZ-2            No virus found with this signature in any collection
        Yeager          This was not a virus but a copy protected program

    -   Changed signatures:

        _889            Now detects the EXE samples too.
        ACME            Now actually detects viruses.
        Arcv.X-2        Now detects the COM samples too.
        CSSR 528        Renamed to Vienna.528
        Dash-em         Now detects the EXE variants too.
        Ear             Now detects additional variants.
        Einstein        Renamed to Jerusalem.Einstein. Improved detection.
        Flash           Now detects the .0695 and .1000 variants too.
        Gotcha          Now detects the Gotcha.Legalize variant too.
        JD              Now detects additional variants.
        Jerusalem.Mule  Improved detection.
        Red_Diavolyata  Now detects some additional variants.
        Screaming_Fist  Now detects some additional variants.

    -   Added detection algorithms:

        NED (Nuke Encryption Device)

    -   Added signatures:

        _2Kb_I          New bootsector virus, no name assigned yet
        _2Kb_II         New bootsector virus, no name assigned yet
        _1022           New virus, no name assigned yet
        _1092           New virus, no name assigned yet
        _1689           New virus, no name assigned yet
        _1798           New virus, no name assigned yet
        _2389           New virus, no name assigned yet
        4870_Overwriting
        Aragon
        Arcv.965
        Arcv.C
        Arcv.Slime
        Atomic.1
        Atomic.2
        Catman (Trojan)
        Cinderella_II
        Code_Zero
        CoffeeShop
        Coldir (Trojan)
        Companion.16850
        Crunch
        _Cyber
        Dark_End
        Deranged
        Dreamer
        _Flagyll
        Forger
        Haddock
        Happy
        Heevahava
        Heevahava.Encrypted
        Highland
        Hitchcock
        Horse.2248
        Icelandic.PassGrab
        Int-86
        IVP
        Jerusalem.Glory
        Jerusalem.Miky
        Jihuu
        Kohntark
        Leningrad
        Leprosy.Wake
        Little_Pieces
        Lokinator
        Loren
        LV
        Madismo
        Maffy.323
        Maffy_II
        Mannequin
        Mithrandir
        _Mut_Int
        Mystic
        Orion
        Oscar
        PCBB.1129
        Phalcon.Joshua
        Phalcon.SmallExe
        Piter.C
        _PopSci
        Proto-T
        PowerPump.2
        Quake
        Relzfu
        Satanic_Warrior
        Sathanyc
        SD-123
        Shifter
        Simple.2
        Sinep
        Smile
        Stanco
        SVS
        Sybille
        Tack
        Tankard
        Terminator-B
        _Texas
        Tiny.97
        Tiny.122/124
        Tiny.Ghost
        Tolbuhin
        Tolbuhin.Cracky
        Toxic.1
        Toxic.2
        TP-Worm_Companion
        Traceback.3029
        Trivial.44
        Urfydus
        Uruk-Hai.300
        Uruk-Hai.361
        Uruk-Hai.394
        VCL.Dome
        Vienna.962
        Voodoo
        Wonder
        ZigZag

-----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
-- 
E-mail : v922340@si.hhs.nl    ... I can't help it, I'm born this way ...
-----------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 95]
*****************************************
