To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #117
--------
VIRUS-L Digest   Thursday,  2 Sep 1993    Volume 6 : Issue 117

Today's Topics:

Dark Avenger Update?
Marketoids
observation
Flash EPROMs, EEROMS, & EAROMS
Viruses and Genetic Algorithms
Virus Def binaries
Needed: Info on Viruses on Novell Networks (Novell) (PC)
re: just wondering... os/2... (PC) (OS/2)
Re: Information on the 'Trident' Virus (PC)
Re: Form Virus (PC)
retaliator viruses (PC)
Re: Any good anti-viral shareware out there (PC)
virusses in .ARJ & .ZIP (PC)
MONKEY variant? (PC)
Re: SPORT21C.ZIP (PC)
Butterfly (Crusades) (PC)
SmartDrv (PC)
Datacrime (PC)
Re: E-Rillutanza virus? (PC)
Anthrax PT Virus (PC)
New version of F-PROT released (PC)
Multipartite - con (CVP)
Quick reference antiviral review chart

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 27 Aug 93 16:42:51 -0400
From:    mvjma2@cbnewsb.cb.att.com (jenny.m.abar)
Subject: Dark Avenger Update?

Just wondering if anyone has heard anything about Dark Avenger
lately, any new viruses, mutation engines, has he been caught,
etc.  

Jenny Abar

------------------------------

Date:    Sat, 28 Aug 93 06:08:09 -0400
From:    fernando@ubik.satlink.net (Fernando Bonsembiante)
Subject: Marketoids

Jueves 19 de Agosto de 1993, A. Padgett Peterson writes to All:

 APP> Quarterdeck (probably kept in a cage and fed twinkies) is an absolutely
 APP> BRILLIANT programmer who can make a 386/486 do incredible things. We talk
 APP> about viruses "tunnelling" and "hiding" but they are all crude in
 APP> comparison to QEMM 7.0 "stealth".

    A couple of months ago I had the idea of thinking about what would
happen if some crazy millionaire buys Quarterdeck and starts to make
viruses... We have a lot of different viruses, but we don't have
professional quality viruses yet... It would be a nightmare....

    Of course, it seems impossible... No one would think of producing
viruses commercially...

[Moderator's note: Sounds like a James Bond plot in the making...  :-)]

Saludos, Fernando (fernando@ubik.satlink.net)

{                        Fernando Bonsembiante                         }
{ Guemes 160 dto 2                                Tel: (54-1) 654-0459 }
{ Ramos Mejia (1704)                                Fidonet: 4:901/303 }
{ Republica Argentina              Internet: fernando@ubik.satlink.net }

------------------------------

Date:    Sun, 29 Aug 93 21:49:47 -0400
From:    hobbit@ftp.com (*Hobbit*)
Subject: observation

Central Point was giving away a great anti-virus product at Interop --
refrigerator magnets.

_H*

------------------------------

Date:    Mon, 30 Aug 93 12:05:14 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Flash EPROMs, EEROMS, & EAROMS

>From:    nigelm@ohm.york.ac.uk (Nigel Metheringham)
>Subject: Re: Flash EPROMS

>How about this as a scenario for protecting your Flash ROM.  You have
>a keyswitch which will presumably have the standard keyboard lock
>function on it, but would also have a 3rd position which is spring
>loaded (i.e. like a car ignition switch).
>The PC contains circuitry which enables and disables writing to the
>Flash ROM.  This circuit can only be armed if it is prodded by
>software while the key is twisted into the spring loaded position. 
>Once armed the Flash ROM can be written to.  The circuit can be
>disarmed by software.  The circuit is always disarmed on power up
>and if the key switch is put to the locked position.

Good concept but has two major problems (either or):
1) Using a "self latching relay" to maintain configuration after you
   release the "ignition switch" - really expen$ive.
2) Using software to maintain the write enable - possible to bypass unless
   built into the ROM. (switch still expensive - priced one for a car lately 
   - and still may be possible for software to bypass: on a 386 just swap ROM
   to RAM (shadow) & "fix"...)

What I was thinking of was much like (2) but why use an expensive switch ?
Just have a position that enables a specific "write_enable" *hardware* line
that also prevents a real boot - executed ROM does just this but is powerless
to run without hardware setting.

If the PC will not boot in the "update" position, no one can accidentally
leave it there & run a virus.

					Warmly,
						Padgett

Hardware is the only real protection but software alone is probably "good 
enough". Software is always cheaper than hardware. (Just look at the market).

------------------------------

Date:    Mon, 30 Aug 93 20:34:39 -0400
From:    <akctai@acs.ucalgary.ca>
Subject: Viruses and Genetic Algorithms

Sorry if this has already been discussed.  Allow me to post what
is probably an ignorant question:

What is the implication of genetic algorithms for viruses and
anti-virus software?
-- 
---------  Alan K.-C. Tai  --------|\^/|--------  Internet:  ----------------
 Dept Biological Sciences       _|\|   |/|_       akctai@acs.ucalgary.ca
    University of Calgary       >         <       Voice: (403) 220-3552
------  AB CANADA T2N 1N4  ------>_./|\._<------  Fax: (403) 289-9311  ------

------------------------------

Date:    Mon, 30 Aug 93 15:49:48 -0400
From:    gk1@acpub.duke.edu (Gavin Kistner)
Subject: Virus Def binaries

After looking through the FAQ, I can't find mention of sites or
(preferably) newsgroups which have virus definitions files for those
virus scanners which support "plug-in" updating.

Specifically I am looking for the def's for SAM.  Anyone know where
the latest are?

Please e-mail responses to gk1@acpub.duke.edu (which is what you'll
get if you reply to this.)

Thanks,
   Gavin

------------------------------

Date:    Mon, 30 Aug 93 14:56:09 -0400
From:    hwhalen@unb.ca (Hugh Whalen)
Subject: Needed: Info on Viruses on Novell Networks (Novell) (PC)

My wife is looking for information on virus propagation on Novell networks. I 
asked about this a few months ago on the novell newsgroup and got about a 
dozen replies but I didn't keep them. Sigh.

My recollection was that the Novell software could not be infected but that if 
an administrator allowed users to store and share executable files on 
the server, a virus could be propagated this way. (Thus allowing 
individuals to upload and share executables was not wise.) The consensus was 
that barring this it was difficult for a virus to propagate across a network. 

Is my recollection correct? Does anyone have anything to add to this?

Hugh Whalen                     | Where all men think alike, no one
Faculty of Administration       | thinks very much.
University of New Brunswick     |               - Walter Lippmann	
		

DISCLAIMER: Neither UNB nor I care what the other thinks.

------------------------------

Date:    Tue, 31 Aug 93 08:13:44 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: just wondering... os/2... (PC) (OS/2)

From:    IZZYOY9@mvs.oac.ucla.edu

>                                                     What percentage
>do you think would be able to infect a system using OS/2 and the HPFS
>instead of FAT?  Are there any OS/2 specific virii?

Short answers: many DOS file-infectors can run and spread in
OS/2 VDMs (Virtual DOS Machines; DOS Sessions).  I don't have an
estimate of the percentage, though.  The filesystem doesn't
matter (but see below).  There are no known OS/2-specific viruses.

Long answer (perhaps a candidate for the FAQ if it isn't
already there):

Many (how many? hard to say) DOS file-infectors are "well-behaved",
and will run and spread just fine in OS/2 DOS VDMs.  Others are
very DOS-version dependent, and may not run correctly there.  No
known DOS file-infector can run under OS/2 itself; they all use
either DOS or BIOS interrupt calls to do their thing, and neither
of those works correctly in OS/2 sessions.  OS/2 executables actually
contain two programs; one that runs if the program is invoked under
DOS, and one that runs if the program is invoked under OS/2.  Some
DOS file-infectors may be able to correctly infect the DOS "fork"
of an OS/2 executable (EXE file), if the EXE file is available when
an infected program is run in a DOS session; if the OS/2 program is then
accidentally run under DOS, the virus might run, load into memory,
spread, and so on (only under DOS or an OS/2 DOS session, though,
not under OS/2 itself).  If a virus tries to do damage in an OS/2
DOS session by doing things that a DOS session isn't allowed to do
(certain direct disk writes, for instance), the damage will not
happen.  On the other hand, if a DOS virus tries to do damage
that a DOS session *is* allowed to do (erasing or altering files,
for instance), the damage will occur.

Since programs running in DOS VDMs can only see files that have
names fitting in the 8.3 namespace, files with longer (HPFS)
names, or on longer paths, aren't visible from there, and can't
be infected by a DOS program.  This doesn't mean that HPFS
disks are completely invisible, of course!  If you have a
FOO.COM on an HPFS disk, it's visible to DOS VDMs, and
therefore infectable by a well-behaved DOS virus run from
a VDM.  But if you have a directory called long.dir.name,
nothing in the tree under it will be visible from DOS
(of course,  you can accidentally copy an infected file
into the tree yourself, while in OS/2).

Boot viruses are another matter, since they run *before* the
operating system loads, and don't use operating system calls.
If you boot an OS/2 system (or any other system that has a
compatible CPU and real-mode BIOS and disk architecture) from
an infected diskette, the virus will probably be able to run,
write itself to the hard disk, and load into memory just as
it would on a DOS system.  When the system is later booted
from the infected hard disk, the virus will again be able to
run and load into memory before OS/2 gets control.  Because of
the way OS/2 controls diskettes, though, no known boot virus
can spread *from* an OS/2 machine (OS/2 doesn't ever use the
interrupt calls that the virus depends on to spread to
diskettes).  So an OS/2 system can become infected, and can
be damaged by a virus, but can't generally spread the
infection further.  (And of course some viruses have
built-in assumptions that are only true on DOS systems,
and so malfunction when infecting an OS/2 system, sometimes
killing the virus, the system, or both.)

- - -- -
David M. Chess                    |    "This chicken has a *very*
High Integrity Computing Lab      |        small opening book!"
IBM Watson Research               |
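
The visibility rule Chess describes (a DOS session only reaches files whose every path component fits 8.3, so one long directory name hides its whole subtree), as an added example that is not part of the post: it filters a constructed directory listing down to the COM/EXE files a program in a DOS VDM could open. The invalid-character rule and the listing are assumptions made for the example, not taken from the post.

```python
"""Model of the 8.3-namespace visibility rule for OS/2 DOS sessions.

Added example, not code from the post. Assumption: a path is reachable from
a DOS VDM only if every directory and file component is a valid DOS 8.3
name; the invalid-character set below is the usual FAT rule.
"""
from typing import List

# Characters DOS rejects in 8.3 names (assumption: standard FAT rules).
INVALID_CHARS = set(' "*+,/:;<=>?\\[]|')


def is_8dot3(component: str) -> bool:
    """True if one path component fits the DOS 8.3 namespace."""
    if component in (".", ".."):
        return True
    if not component or component.count(".") > 1:
        return False
    base, _, ext = component.partition(".")
    if not base or len(base) > 8 or len(ext) > 3:
        return False
    return not any(ch in INVALID_CHARS or ord(ch) < 32 for ch in component)


def visible_from_vdm(path: str) -> bool:
    """True if a DOS session can name this path at all.

    A single non-8.3 directory component (Chess's long.dir.name) hides
    everything beneath it, however short the file names below are.
    """
    parts = [p for p in path.replace("\\", "/").split("/") if p]
    if parts and len(parts[0]) == 2 and parts[0][1] == ":":
        parts = parts[1:]  # drop the drive letter, e.g. "C:"
    return all(is_8dot3(p) for p in parts)


def dos_reachable_executables(listing: List[str]) -> List[str]:
    """Keep the COM/EXE files that a program running in a DOS VDM (and so a
    well-behaved DOS file-infector started in that VDM) could open."""
    reachable = []
    for path in listing:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if visible_from_vdm(path) and name.upper().endswith((".COM", ".EXE")):
            reachable.append(path)
    return reachable


# Constructed HPFS listing for the example (not a real system).
CONSTRUCTED_LISTING = [
    "C:/FOO.COM",                    # reachable: Chess's own example
    "C:/OS2/APPS/EDITOR.EXE",        # reachable: every component is 8.3
    "C:/long.dir.name/TOOL.COM",     # hidden: directory name is not 8.3
    "C:/PROJECTS/verylongname.exe",  # hidden: base name longer than 8
    "C:/DATA/README.TXT",            # visible, but not an executable
    "C:/BIN/A.B.COM",                # hidden: two dots in one component
]

if __name__ == "__main__":
    for p in dos_reachable_executables(CONSTRUCTED_LISTING):
        print("reachable from a DOS session:", p)
```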

------------------------------

Date:    Thu, 26 Aug 93 15:44:14 +0000
From:    dharatz@informatik.uni-rostock.de (Dirk Haratz)
Subject: Re: Information on the 'Trident' Virus (PC)

Hi there!

Some time ago ...
| >Brenda Parsons (parson@coulomb.pcc.oz.au) wrote:
| >: We've recently had an attack of the 'Trident' virus, and seemed to
| >: have gotten rid of it, but no one was able to supply us with information
| >: as to what it would do when activated.

Well, in July we had a virus which SCAN called 'TridenT' but CLEAN wasn't
able to remove it. No other scanner was able to locate this virus. And
indeed it is not related to Trident/TPE. I sent the results of my
investigations to CARO and frisk. So I think the next F-PROT release
should be able to find and remove it (frisk?)...

Here is a short review:
only infects EXE-files
length: 756-771 bytes
simple XOR-based encryption with variable key
indirect action (or you may say memory resident :-) )
memory allocation: via MCB-Manipulation at top of RAM
infection trigger: program execution (DOS-Fn. 4B00 and 4B02) and a few other
  conditions
damage trigger: Oct. 11. (and some other conditions)
damage: mirrors screen horizontally and vertically
quick & (very) dirty scan string (the short decryption routine):
  BE 10 01 B9 E4 02 2E 80 34 ?? 46 E2 F9
there is a short ASCII string inside the encrypted body: 'GNAT 1.0' - the
  name for it, I think

The new Computer-Virus-Catalog (VTC Hamburg) includes a more detailed
report about this.

If you have any infected files left somewhere you could check this signature
or send me a sample (please use PGP-encryption) to verify this.

Hope this helps,
                 Dirk
--
dharatz@informatik.uni-rostock.de
"Microsoft proudly presents: The world's first object oriented BASIC-
interpreter running on CP/M, MSDOS and Windows/NT!"

------------------------------

Date:    Thu, 26 Aug 93 14:23:02 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: Form Virus (PC)

From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)

>The virus cannot infect from a LAN by itself but a "dropper" is almost
>trivial to write & unfortunately few scanners are of much use with
>"droppers" (have been saying this for years now but so far only
>Frisk has made a stab at it with his heuristic scan. The real answer

I agree 100% Padgett:

the scanner authors should add the ability to detect droppers. Even though 
they themselves aren't viruses, they should be detected. Some have replied 
to me with "Why? The scanner will detect the virus after it is laid on the 
boot sector." The idea is to detect the dropper before infection takes 
place. It is always better to prevent a user from running a dropper than to 
have the user remove the virus later.

Bill

------------------------------

Date:    Thu, 26 Aug 93 14:23:00 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: retaliator viruses (PC)

Does anyone have experience with retaliator viruses?
 
I have read several messages about them, and would appreciate some info.
 
If the information is of a sensitive nature, please respond via E-Mail.
 
Bill Lambdin

------------------------------

Date:    Fri, 27 Aug 93 05:28:27 +0000
From:    Eugen_Woiwod@mindlink.bc.ca (Eugen Woiwod)
Subject: Re: Any good anti-viral shareware out there (PC)

MAL@NETCOM.COM writes:

Msg-ID: <0007.9308261238.AA11418@agarne.ims.disa.mil>
Posted: 19 Aug 93 17:08:23 GMT

dk010b@uhura.cc.rochester.edu wrote:
: I'm looking for a good anti-viral program that is available as
: shareware. If you know af a good one (and how I can easily get it) or
: if you have one you wouldn't mind sharing I'd really appreciate it.

Shareware is not freeware; it means try before you buy. Try the
Mcafee.com FTP site, the best for me.

regards,

Michael

Try ThunderByte Anti-Virus v6.04. Better at everything than McAfee. You can get
the latest copy via modem at ThunderByte USA. Number is 1-302-732-6399.

Ttul

------------------------------

Date:    Fri, 27 Aug 93 07:27:37 -0400
From:    C.J.Leune@kub.nl (Kees Leune)
Subject: virusses in .ARJ & .ZIP (PC)

Can anyone help me out? I am the sysop of a BBS running WWIV software 
under MS-DOS 5.0 and we have lots of .ARJ and .ZIP software in our transfer 
areas. Last night I was running a virus checker over the software and 
since most of those programs have their default values set to only 
check executables, these archives were not checked.

------------------------------

Date:    Fri, 27 Aug 93 16:12:41 -0400
From:    Chip Seymour <CHIP@bdso.cv.com>
Subject: MONKEY variant? (PC)

We have just been through a battle with the MONKEY virus, at least
as identified by SCAN 106. It may be a new variant, because of the
various messages we've received by the various A-V products.

We booted with a clean write-protected floppy and ran F-PROT 2.09 Professional,
which reported "Boot infection: New variant of Stoned
                No attempt made to disinfect the the new variant."

SCAN 9.17 v106 "Found the Monkey [Mon] Virus in boot sector." We haven't
tried CLEAN to get rid of it because during the sequence of events, we reduced
our copy to the original infecting floppy and want to keep it.

KILLMONK reported:
    *** Probably infected. A previously unidentified variant of
    *** the monkey virus is almost certainly on your hard disk.
    *** Get help: contact martin@cs.ualberta.ca

To get rid of the virus, we ran FDISK /MBR followed by a SYS C: from
a clean bootable floppy. Copies of the BOOT record are beaming to Frisk
as we speak. We believe the virus was brought back from Europe last week
by one of our users.

Chip Seymour
NetAdmin
Computervision Corp.
Bedford MA USA
(617) 275-1800 ext 3651

------------------------------

Date:    Sat, 28 Aug 93 00:14:21 +0000
From:    iolo@ibmpcug.co.uk (Iolo Davidson)
Subject: Re: SPORT21C.ZIP (PC)

A file called SPORT21C.ZIP was available for download for a
short time from the CIX online service in Britain at the end
of July.  It was found to contain a variant of Goddam
Butterflies virus (itself a variant of Civil War) with a
change to the virus text message.  The new message reads,
"Hooray The Crusades".
 
Both the uploader and the CIX system administrator checked
the file for viruses, but unfortunately both used the same
virus detector which did not detect this variant, so the
alarm was not sounded until a downloader ran a different
virus detector which did find the virus.
 
The file was quickly removed and all those known to have
downloaded it were contacted.  The CIX outbreak is believed
to have been contained at that point, but the virus
obviously had to have come from somewhere.  Goddam
Butterflies is said to have been accidentally released on
the Internet recently.
 
This virus is not a fast infector, and spreads slowly. It
adds 302 bytes to COM files.  There is no payload. The virus 
does not go memory resident.  It avoids infecting 
COMMAND.COM.
 
Iolo Davidson
S&S International
 
 

------------------------------

Date:    Sun, 29 Aug 93 14:35:05 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Butterfly (Crusades) (PC)

I wish to thank Brian O'Sullivan for uploading SPORT21C.ZIP to The 
Metaverse BBS this morning.
 
Here are the contents of the archive.

Searching ZIP: SPORT21C.ZIP

 Length  Method   Size  Ratio   Date    Time    CRC-32  Attr  Name
 ------  ------   ----- -----   ----    ----   -------- ----  ----
   4853  Stored    4853   0%  07-11-93  14:01  70ff5aa6 --w-  DOCUMENT.CO_
   1037  Implode    933  11%  07-11-93  14:01  e7a47861 --w-  INSTALL.COM
  11407  Stored   11407   0%  07-11-93  14:01  0a9cd832 --w-  SPORT21C.EXE
   3153  Stored    3153   0%  07-11-93  14:01  ec985abb --w-  SPORTS.CO_
 ------          ------  ---                                  -------
  20450           20346   1%                                        4

INSTALL.COM is infected with a new variant of Butterfly.
 
This virus is 302 bytes in length like the original Butterfly, but this one 
has two major differences.
 
1. This variant contains the text string "Hurray the Crusades!"
2. This variant will infect .EXE files as well as .COM files.

F-Prot 2.09 detects this virus as Butterfly in .COM files, but misses it in 
EXE files. Add this signature to F-Prot or other scanners that allow the 
use of an external signature file.
 
Name: Butterfly (Crusades)
Infects: .COM and .EXE files.
Signature: B4 4E 8D B6 50 02 8D 96 2C 02 52 EB 3C B4 1A BA 

Remove the spaces between the HEX values when adding the signature.
 
The second generation of this virus is also infectious.
 
I will be forwarding first and second generation specimens to Fridrik 
Skulason, Wolfgang Stiller, David Chess, and Glenn Jordan.
 
Bill Lambdin
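
A scan-string matcher for the two signatures posted in this digest (Haratz's Trident/GNAT decryptor string above and the Butterfly (Crusades) string in this post), added as an example and not code from either poster or from any scanner named here. It accepts the spaced hex form both posts use as well as the unspaced form Lambdin says signature files want, treats "??" as a one-byte wildcard, and runs over a constructed byte image; the sample image, the key values and the signature labels are constructed for the example.

```python
"""Hex scan-string matcher with '??' wildcard bytes.

Added example, not code from the posts or from any of the scanners named.
The two strings below are the ones posted in this digest; the sample
images built by build_constructed_sample() are filler plus those bytes,
constructed for the example.
"""
import re
from typing import List, Optional, Tuple

SIGNATURES = {
    # "??" is the XOR key byte, which differs from sample to sample.
    "Trident/GNAT": "BE 10 01 B9 E4 02 2E 80 34 ?? 46 E2 F9",
    "Butterfly (Crusades)": "B4 4E 8D B6 50 02 8D 96 2C 02 52 EB 3C B4 1A BA",
}


def parse_signature(sig: str) -> List[Optional[int]]:
    """Turn a scan string into byte values; None marks a wildcard byte.

    Accepts both the spaced form shown in the posts and the unspaced form
    ("B44E8DB6...") that external signature files expect.
    """
    compact = sig.replace(" ", "").upper()
    if len(compact) % 2:
        raise ValueError("odd number of hex digits in signature")
    pattern: List[Optional[int]] = []
    for i in range(0, len(compact), 2):
        token = compact[i:i + 2]
        if token == "??":
            pattern.append(None)
        elif re.fullmatch(r"[0-9A-F]{2}", token):
            pattern.append(int(token, 16))
        else:
            raise ValueError(f"bad byte token {token!r}")
    return pattern


def compile_signature(pattern: List[Optional[int]]) -> re.Pattern:
    """Build a bytes regex: literal bytes escaped, wildcards as '.' (DOTALL)."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in pattern]
    return re.compile(b"".join(parts), re.DOTALL)


def find_signature(data: bytes, sig: str) -> Optional[int]:
    """Offset of the first match of sig in data, or None (also when data is
    shorter than the signature)."""
    match = compile_signature(parse_signature(sig)).search(data)
    return match.start() if match else None


def scan_bytes(data: bytes) -> List[Tuple[str, int]]:
    """Run every known signature over one file image; return (name, offset)."""
    hits = []
    for name, sig in SIGNATURES.items():
        off = find_signature(data, sig)
        if off is not None:
            hits.append((name, off))
    return hits


def build_constructed_sample(key: int) -> bytes:
    """Constructed file image (not a real virus): 13 bytes of filler, then the
    13-byte decryptor loop from the posted Trident/GNAT string with the
    wildcard position filled by `key`, then more filler."""
    filler = bytes.fromhex("E90A00") + b"\x90" * 10      # 13 bytes
    loop = (bytes.fromhex("BE1001B9E4022E8034") + bytes([key])
            + bytes.fromhex("46E2F9"))                     # 13 bytes
    return filler + loop + b"\x00" * 32


if __name__ == "__main__":
    for key in (0x5A, 0xA7):
        print(f"key {key:02X}:", scan_bytes(build_constructed_sample(key)))
    print("clean image:", scan_bytes(bytes(range(64))))
```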

------------------------------

Date:    Mon, 30 Aug 93 11:08:20 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: SmartDrv (PC)

As is well known by now there are no defects in MicroSoft MS-DOS 6.0
and only .5% of the callers actually have a problem. Mr.Bill said so.

However, MicroSoft seems to have quietly slipstreamed in a revision to
SmartDrv in the form of v4.2 and can be found in many obscure places.
(oak.oakland.edu in pub/msdos/microsoft/pd0805.zip for one). As
everyone knows by now "pd" files are not "public domain" but
Microsoft's means to make quiet announcements. pd0645 contained the
CHKDSK fix for DOS 5.0.

From a quick look, the only difference with v4.2 is that there is now
a /X switch to turn off write-caching to all drives and that if write-
caching is used, the cache will be flushed before returning a command
prompt.

For those who like to live dangerously, there is also a /N (Nuke ?)
switch that will disable the prompt flushing (somebody in Redmond must
really like lazy writing 8*) and IMHO just about guarantee eventual
disk corruption.

					Warmly,
						Padgett

ps ANFSCD: Every Ethernet adapter card sold has a 6 byte hardware address
   burned into the firmware. For SMC/Western Digital it starts out 
   00:00:C0.xx.xx.xx, 3Com uses 02:60:8C.xx.xx.xx. Generally, the first 
   three bytes seem to indicate the manufacturer, the next three the serial
   number of the card. Obviously some manufacturers have more than one prefix
   (for DEC I show prefixes 08:00:2B, AA:00:00, 01, 02, 03, & 04). The question
   is: Does anyone have a really up to date & complete list (I have quite
   a few reporting 00:00:1D & 00:00:0C that are not on my list) or know where
   I can get one ?

------------------------------

Date:    Tue, 31 Aug 93 08:30:33 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: Datacrime (PC)

>From:    jbunting@gucis.cit.gu.edu.au (James Bunting)
>
> I was wondering if anyone has information on the datacrime virus.  My
>friends computer has got a case of it that does not show up with...

I'd say this is at least as likely to be a false alarm as an
actual Datacrime infection.  Despite some hype at the time, the
Datacrime was never a widespread virus, and it's currently
just about extinct.  If the file(s) that your scanner accuses
are non-critical, you could erase or rename them, and see if
the "infection" ever shows up again.  If the files are
important, compare them to known-good originals and/or
contact your scanner's supplier about them and/or have
a guru take a look at them in DEBUG.  (Another possibility
is a new virus that your scanner happens to pick up
with its Datacrime scan-signature.)

DC

------------------------------

Date:    Tue, 31 Aug 93 11:19:00 -0400
From:    "William H. Lambdin" <73044.2573@compuserve.com>
Subject: Re: E-Rillutanza virus? (PC)

From:    sci00019@leonis.nus.sg (CHENG MUN WAI)

William H. Lambdin (73044.2573@compuserve.com) wrote:
: Date:    Wed, 11 Aug 93 04:44:02 -0400
: From:    sci00019@leonis.nus.sg (CHENG MUN WAI)

> What is this LAT that I see mentioned. I've also had F-Prot report the
>E-Rillutanza virus.

LAT is an acronym that means Lambdin's Accuracy tests where I test 
anti-virus software on my collection of viruses.
 
Here is the August 1993 LAT.

Bill
----------------------------------------------------------------------
                       LAT 9308   August 14, 1993

 +--------------------------+----------+---------+-----------+-----+
 | SCANNER                  |  COMMON  |  POLY-  |    ZOO    |FLAGS|
 |                          |          | MORPHIC |           |     |
 |                          |          |         |           |     |
 |                          |36        |56       |1502   1454|     |
 +--------------------------+----------+---------+-----------+-----+
 | F-Prot 2.09              |36   100% |56  100% |1480  98.5%| S   |
 | TBAV 604                 |36   100% |55  98.2%|1462  97.3%| GS  |
 | Scan 106                 |35   97.2%|52  92.9%|1376  91.6%| S   |
 |                          |          |         |           |     |
 | Integrity Master 2.01    |36   100% |54  96.4%|1351  90.0%| GS  |
 | Dr Sol A-V toolkit 6.18  |34   94.4%|29  51.8%|1346  89.6%| C   |
 | VIRx 2.9                 |34   94.4%|34  60.1%|1300  86.6%| S   |
 |                          |          |         |           |     |
 | UT Scan 25.1 June 93 SIGS|29   80.1%|33  58.9%|1074  73.9%| CDG |
 | NAV 2.1 Aug 93 SIGS      |29   80.1%|24  42.9%|1014  67.5%| C   |
 | MSAV w/DOS 6.0           |28   77.7%|17  30.4%| 913  62.8%| D   |
 +--------------------------+----------+---------+-----------+-----+

      C- Commercial software

      D- This product does not scan for boot sector viruses inside
         droppers. This is why scanners that detect droppers were tested
         against 1335 viruses. Scanners that fail to detect droppers were
         tested against 1303 viruses. I tried to be fair.

      G- Generic Virus detector. The other utilities with this product may
         detect viruses that this scanner misses, so don't judge this
         product too harshly because the scanner isn't as effective as you
         would like.

      S- Share Ware or Free Ware product.

      I Removed HTSCAN, and the Share Ware release of CPAV because the 
      signatures were getting old. 
 ========================================================================
      I have tested the following generic products, and
      recommend them.

                                                      FLAGS
                                                     +------+
      F-Prot Professional (Command Software Systems) | IV   |
      Integrity Master (Stiller Research)            |*ISV  |
      PC-cillin (Trend Micro Devices)                | ASV  |
      PC-Rx (Trend Micro Devices)                    | ASV  |
      TBAV (Thunderbyte)                             |*ISV  |
      Untouchable (Fifth Generation Systems)         | ISV  |
      Victor Charlie (Bangkok Security Associates)   |*BEISV|
                                                     +------+
             *-Share ware product
             A-Activity Monitor
             B-Uses Bait files that try to get infected by unknown viruses
             E-extracts the signatures for unknown viruses
             I-uses integrity checking
             S-Stores System areas. Boot sector, and Partition table
             V-comes with a Virus scanner.

      I placed the generic virus detectors in alphabetical order. I do not
      recommend one product over another. All of them work differently and
      may not fit the way you use a computer, so request information on
      several before you decide.
 ========================================================================
      I would like to thank most of these companies for providing me with
      evaluation copies of their software to test.

      If your company produces anti-viral software, and would like for me
      to test it in LAT, contact me at either of the addresses below.
 ========================================================================
      These tests were performed on a 33 MHZ 486

                        Bill Lambdin
                        102 Jones Lane
                        P.O. Box 577
                        East Bernstadt, Ky. 40729

                 Internet address> 73044.2573@compuserve.com
                    Compuserve ID> 73044,2573

------------------------------

Date:    Tue, 31 Aug 93 22:14:45 -0400
From:    Frank Carrick <frankc@a4420ux.esr.hp.com>
Subject: Anthrax PT Virus (PC)

What is the Anthrax PT virus?  I just detected/cleaned it off my
hard drive, and I am worried about its side effects.  Does anyone
have any information on this?

Frank Carrick

------------------------------

Date:    Tue, 31 Aug 93 11:42:34 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: New version of F-PROT released (PC)

I just uploaded to oak.oakland.edu a new version of F-PROT, named 2.09d.

It detects several new viruses, including one (SatanBug), which has been
reported "in the wild", and also disinfects a few viruses that 2.09 could
only detect, in particular the Chinese Fish.

Finally, it corrects a problem when disinfecting an infected MBR, where 2.09
would sometimes say it was unable to locate the original MBR.

-frisk

P.S.  I haven't seen any postings on comp.virus for more than a week - I am
wondering if this is the same problem as earlier this summer, where VIRUS-L
worked OK, but comp.virus didn't make it properly across the Atlantic.

[Moderator's note: The admins of the mail to news gateway have been
notified, and are checking into the problem.]

(by the way, a totally non-virus-related subject - I am wondering if there
is anybody in the Sausalito area reading this, who could do me a small favour
..please email)

--

Fridrik Skulason      Frisk Software International     phone: +354-1-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-617274

------------------------------

Date:    Fri, 27 Aug 93 14:25:35 -0400
From:    "Rob Slade" <roberts@decus.ca>
Subject: Multipartite - con (CVP)

DEFGEN8.CVP   930817
 
                        Multipartite - con
 
Multipartite, or "dual infection", viral programs have the potential
to infect both program files and boot sectors.  This expands the
range of possible vectors.  Multipartite infections can
theoretically travel on any disk, and multiple copies may travel on
a disk if program files are present.  Dual infectors can also travel
on networks, and via files passed over bulletin board systems and
other communications channels.
 
Are multipartite infectors a terrible new threat?  Well, no. 
They've been around for a few years now.  Why haven't they "taken
over the world"?
 
There are disadvantages to multipartite viral programs as well as
advantages.  One of the major ones is complexity.  In file
infectors, one sees a number of viri which only infect one type of
program files, an MS-DOS COM file, for example.  A virus which
infects both COM and EXE files must generally have more than twice
the code of one which infects COM files alone.  The virus must not
only know how to deal with both file types, but also how to
distinguish between the target files.  The same logic holds true for
multipartite infectors.  The virus must carry with it the means to
infect two radically different types of targets, and the means to
identify two very different types of potential hosts.  The potential
size of the program is much larger, as is the requirement for
processing.  The multipartite virus can be reduced in size, but this
generally means a reduction in function as well.
 
The "choice" of targets might seem to be an easy matter, but the
reality is slightly more complex.  The most effective means of
spreading would be a "get everything" policy, but this might also
lead to conflicts and detection.  Some programs might choose to
alternate:  a program infection would infect boot sectors, and a
boot sector infection would infect program files.  Seems reasonable,
until you realize that this merely makes the virus sequentially a BSI
*or* a file infector, in alternating generations.  Statistically,
this means that it will be slightly less effective than a boot
virus, rather than more.
 
Ultimately the failure (perhaps "non-success" would be more
accurate) of multipartite viral programs points out a very
interesting fact.  None of the new viral technologies (stealth,
polymorphism, spawning, etc.) seem to have much "survival value".
The successful infectors tend to be the older ones, simple and
basic.  This is not to say that the virus threat is dying.  Stoned
has been around since 1988, and is still infecting more systems each
year.  Simple.  But effective.
 
copyright Robert M. Slade, 1993   DEFGEN8.CVP   930817

==============
Vancouver      ROBERTS@decus.ca         | "My son, beware ... of the
Institute for  Robert_Slade@sfu.ca      |  making of books there is
Research into  rslade@cue.bc.ca         |  no end, and much study is
User           p1@CyberStore.ca         |  a weariness of the flesh."
Security       Canada V7K 2G6           |          Ecclesiastes 12:12

------------------------------

Date:    Fri, 27 Aug 93 14:52:24 -0400
From:    "Rob Slade" <roberts@decus.ca>
Subject: Quick reference antiviral review chart

QUICKREF.RVW   930827
              Antiviral software and utilities "quick" reference
 
Product            Ver   Type   UI Doc Ease Ovrl Price Comments
                        SDRIMOE  CG 1-4  I U  1-4
                  |    |       |   |   |    |    |     |
Amiga
 
BootX (discontinued) 5.23 SDRM     G               free
amiga.physik.unizh.ch, ux1.cso.uiuc.edu 
or wuarchive.wustl.edu /mirrors2/amiga.physik.unizh.ch/util/virus
 
Computer Virus Cat.9308  info        4         4  Free
CARO, cert
 
LDV                1.73
 
VirusChecker       6.26                           free
amiga.physik.unizh.ch, ux1.cso.uiuc.edu or wuarchive.wustl.edu
 
VirusX             (outdated?)
s.tibbett on BIX
 
VirusZ             3.06
 
Virus Tracker      2.45
 
ZeroVirus
 
 
Atari
 
Chasseur II              D                              ATCHSSR2.RVW
atari.archive.umich.edu 
 
FCHECK             25      I                            ATFCHECK.RVW
atari.archive.umich.edu 
 
Protect6                 DR                             ATPROTCT.RVW
atari.archive.umich.edu or larserio@ifi.uio.no
 
Sagrotan           4.12 S                               ATSAGRTN.RVW
atari.archive.umich.edu 
 
VIRUSDIE                S                               ATVIRDIE.RVW
atari.archive.umich.edu 
 
Computer Virus Cat.9308  info        4         4  Free
CARO, cert
 
VKILLER            3.84 SD                              ATVKILLR.RVW
woodside@ttidca.com or atari.archive.umich.edu /atari/Utilities/Virus
 
 
Mac
 
Advanced Security (see MS-DOS)
 
Computer Virus Cat.9308  info        4         4  Free
CARO, cert
 
Disinfectant       3.2  SDR                       Free
nwu, sumex-aim.stanford.edu, mac.archive.umich.edu
 
Gatekeeper       1.2.7    R MO                    Free
Chris Johnson
 
Rival
Microseeds Publishing
 
SAM                3.0.8SD  M                     $99
Symantec/Norton
 
Virex (see MS-DOS, product not by same author)
 
VirusDetective     5.05
Jeff Shulman
 
 
MS-DOS
 
Advanced Security          I OE  C   2   2 3   1        PCADVGRV.RVW
Advanced Gravis (no longer supported)
 
Antivirus (IRIS)        SDR M    C   2   2 4   2   $49  PCANTIVR.RVW
Fink Enterprises
 
Antivirus-Plus          SDR M    C   2   2 4   2   $99  PCANTIVP.RVW
Trend Micro
 
Anti-Virus Toolkit 6.0? SDRIMO   CG  3   2 3   4        PCDSAVT.RVW
S&S International Ltd., sands@cix.compulink.co.uk, perComp Verlag, Ontrack
 
Central Point Anti-virusSDRI O    G  3   2 2   2        not coexist with others
Central Point                                           PCCPAV.RVW
 
Certus LAN         2.0  SD I O   CG  2   1 3   2        PCCERTUS.RVW
Certus
 
Computer Virus Cat.9308  info        4         4  Free
CARO, cert
 
Control Room               I      G  2   4 4   2        PCCTRLRM.RVW
Borland
 
Data Physician +  3.1A  SDRIM    C   2   2 2   2        PCDATPHS.RVW
Digital Dispatch
 
DISKSECURE        1.15A    IM    C   2   3 3   4        BSIs only
risc, urvax, eugene cf also FixMBR, FixUTIL             PCDSKSEC.RVW
SafeMBR, CHKSMBR, CHKMEM, CHKBOOT in FixUtil etc. are free
 
Eliminator         1.17 SDR      C   3   2 3   2        PCELMNTR.RVW
British Computer Virus Research Centre
 
F-PROT            2.09  SDR      CG  3   3 3   4 home - free, bus. - $1/CPU
frisk@complex.is, risc, urvax, eugene, garbo            PCFPROT.RVW
 
Hoffman Summary    307    info    G  3         3  $35
risc, urvax, eugene
 
HTScan             2.0  S        C   2   3 3   3  Free (non-comm.)
(also VSIG         9303)
risc, urvax, eugene, garbo
 
HyperACCESS/5           S        C   2   1 2   2        PCHA5.RVW, term program
Higraeve                                                 with scanner
 
IBM Antivirus/DOS  1.02 SRDI     CG  2   2 2   3  $35   PCIBMAV.RVW
local IBM rep
 
Integrity Master   1.51 S  I     CG  3   3 3      $35   PCIM.RVW
risc, urvax, eugene
 
LANProtect         1.1  S        CG  1   2 2   2
Intel
 
Mace Vaccine       3.0      M     G  1   3 2   1        PCMACE.RVW
Fifth Generation
 
Norton AntiVirus        SDRI      G  2   3 2   3  $130  PCNRTNAV.RVW
Symantec/Norton
 
PC-Cillin         2.95L SDRIM     G  3   3 3   2  $139  PCCILL2N.RVW
Trend Micro
 
SafeWord Virus-Safe1.12    I     C   2   3 4   3        PCSAFWRD.RVW
Enigma Logic
 
Thunderbyte Scan   6.04 S        C   2   2 3   3  $29   PCTBSCAN.RVW
risc, urvax, eugene, garbo
 
VACCINE (WWS)      5.00 SD IMO   C   2   1 2   2        PCWWSVCN.RVW
The Davidsohn Group
 
VACCINE (Sophos)   9111 S  I     CG  2   2 2   3        PCSOPHOS.RVW
 
Untouchable        1.1  SDRIM    CG  2   2 2   2        PCUNTUCH.RVW
Fifth Generation Systems
 
VDS                2.10T   I     CG  2   2 3   2        PCVDS.RVW
risc, urvax, eugene
 
VET                7.0? SDRIM    C                      PCVET (in process)
Cybec
 
Victor Charlie     5.0     IM    C   3   2 3   3  $99   PCVC.RVW
Delta Base Enterprises
 
Virex-PC           2.9  SDRIM     G  4   2 4   4   $99  PCVIREX.RVW
Microcom
 
ViruCide           2.41 SD        G  3   4 3   3   $49  PCVIRCID.RVW
Parsons Technology
 
Virus0Buster       3.75 SDRIMO   CG  3   3 3   4        PCVRBSTR.RVW
Leprechaun Software (70451.3621@compuserve.com)
 
VIRUSCAN Suite     106  SDRIM    C   2   2 2   3  ~$25/module
risc, urvax, SIMTEL, garbo, mcafee.com                  PCSCAN.RVW
 
VirusSafe LAN      4.01 SDRI O   CG  2   2 3   2        PCVIRSAF.RVW
EliaShim Micro
 
VIRx               2.9  S        C   2   3 4   4  Free (non-comm.)
risc, urvax, eugene, SIMTEL, Microcom
 
Vi-Spy             10.0 SDR M    CG  2   2 3   3  $150  PCVISPY.RVW
RG Software Systems
 
 
OS/2
 
HyperACCESS/5           S        C   2   1 2   2        PCHA5.RVW, term program
Higraeve                                                 with scanner
 
IBM Antivirus/OS/2 1.02 SRDI     CG  2   2 2   3  $35   PCIBMAV.RVW
local IBM rep
 
 
UNIX
 
Computer Virus Cat.9308  info        4         4  Free
CARO, cert
 
Tripwire                   I                      Free
ftp.cs.purdue.edu pub/spaf/COAST/Tripwire
 
 
                  |    |       |   |   |    |    |     |
 
Key:
 
Type - S=scanner, D=disinfection (restoration of state), R=resident,
          I=integrity checking, M=activity monitor, O=operation restricting,
          E=encryption
 
UI - user interface - C=command line, G=menu or GUI
 
The following are based on a 1=poor - 4=excellent scale
Doc - documentation
Ease - I=installation, U=use
Ovrl - overall rating for general use
 
Sites:
 
CARO - ftp.informatik.uni-hamburg.de (134.100.4.42)
cert - cert.org (192.88.209.5)
eugene - eugene.utmb.edu (129.109.9.21)
garbo - garbo.uwasa.fi (128.214.87.1)
nwu - ftp.acns.nwu.edu (129.105.113.52)
risc - risc.ua.edu (130.160.4.7)
simtel - wsmr-simtel20.army.mil
urvax - urvax.urich.edu (141.166.36.6)
 
For others see Jim Wright's postings.
For more detailed reviews see /pub/virus-l/docs/reviews at cert
For general virus info see VIRUSFAQ.TXT at cert
 
copyright Robert M. Slade, 1992, 1993   QUICKREF.RVW   930827

==============
Vancouver      ROBERTS@decus.ca         | Omne ignotum pro magnifico.
Institute for  Robert_Slade@sfu.ca      |  - Anything little known
Research into  rslade@cue.bc.ca         |    is assumed to be
User           p1@CyberStore.ca         |    wonderful.
Security       Canada V7K 2G6           |               - Tacitus

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 117]
******************************************
