VIRUS-L Digest Thursday, 15 Aug 1991 Volume 4 : Issue 141
Today's Topics:
re: infected files with nonstandard extension (PC)
Re: New Anti-Virus Consortium Announced
SAM Exceptions crashes my Mac (Mac)
WANTED: Master Index of IBM-PC Viruses (PC)
Viruses in Weapons Systems
Bus Error, Teenager Abuse (Mac)
re: Virus Implants in DoD Weapons
8 tunes virus
DOS memory mangement (PC)
NetWare boot process (PC)
Revised Product Test - - Virucide, Version 2.24
Product Test - - TbScan
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 12 Aug 91 16:40:15 -0400
>From: "David.M.Chess" <
[email protected]>
Subject: re: infected files with nonstandard extension (PC)
>From:
[email protected] (Warren Burstein)
> ...
>How common is this? Should a virus scanner scan all files regardless
>of extension against the chance that they might be executed by some
>other program?
We advise users of the IBM Virus Scanning Program to use the -a
option during cleanup; that says to scan all files. (We also
advise the use of -g, which says to report all signatures
everywhere, boot signatures in files, EXE signatures in COM-format
files, and so on; during cleanup.)
In general, unless you have a very critical system, I think this
is the right balance. If you have an active infection, it's
going to infect *some* *.EXE or *.COM file (or one of the other
extensions we scan for by default), and then you'll know that
you should scan everything else, too.
DC
------------------------------
Date: Mon, 12 Aug 91 20:36:16
>From:
[email protected]
Subject: Re: New Anti-Virus Consortium Announced
>From: "Rich Travsky (307) 766-3663/3668" <
[email protected]>
>
>The August 5th Network World has an article on a new consortium: The
>AntiVirus Product Developers Consortium (AVPD).....
> Members currently are:
>Central Point Software, Certus International, Symantec/Peter Norton,
>and XTree Co. Membership is open to all other vendors.
There was a meeting held very recently of a so-called "steering
committee". I believe the members of the steering committee include
Central Point, Certus, McAfee, Microcom and Symantec.
>AVPD will rely on a virus database operated and maintained by the NCSA.
>This database currently has about 900 viruses.
I would be interested in finding out what viruses they have. The best
I can consider is that they are counting COM's and EXE's as different
viruses and counting minor varients of viruses as new/different ones,
two.
Ross
------------------------------
Date: 13 Aug 91 16:15:48 +1100
>From:
[email protected] (Nick Guoth)
Subject: SAM Exceptions crashes my Mac (Mac)
Hi,
We have just received our update to SAM 3.0.1 and have found a problem.
If we try to look at the 'exceptions' in the SAM Intercept then the
Macintosh crashes. Also, we have another copy on a IIsi, and because of
this crash (IMO), it continues to ask por permission to allow the
Moire cdev on startup - i.e. it ignores the Learn button. This does not
happen on the other Macs.
Someone mentioned that there is now a version upgrade of 3.0.3. Is
this true?
Any help would be greatly appreciated.
Please e-mail to me on either of the addresses below.
/-----------------------------------------------------------------\
nick guoth
[email protected] or
[email protected]
Research School of Chemistry Computing Unit
Australian National University Canberra, AUSTRALIA
"Happiness is a piece of fudge caught on the first bounce" - Snoopy
\-----------------------------------------------------------------/
------------------------------
Date: Tue, 13 Aug 91 04:29:28 +0000
>From:
[email protected]
Subject: WANTED: Master Index of IBM-PC Viruses (PC)
Greetings! Is there a "master index" of all the viruses ever made for
the IBM-PC's (and compatibles)? I'm preparing a report on different virus
strains created for IBM-compatible machines, and I'd like to use the info-
rmation to add to my report.
If such a "master index" is not available, could someone lead me to an
FTP site w/ virus reports (and descriptions of what the viruses affect/
destroy/change)?
Thanx!
Tom Claydon
------------------------------
Date: Tue, 13 Aug 91 15:59:39 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Viruses in Weapons Systems
>From the August 1991 "Armed Forces Journal International"
>"A draft Pentagon directive that called for implanting a
>computer "virus" or software disabling mechanism in every major
>new US weapon system - one that could be remotely triggered if
>the weapon fell into enemy hands
Sounds like media hype - there are lots better ways to deactivate
a system than with a virus. A few years ago I was involved in a
program to allow high-tech (for the time) system to be sold to
people we had reason to believe would try to "reverse engineer"
the software. Some special hardware was used to prevent this. A
virus is software and is only effective if executed, something a
professional can detect and avoid.
Padgett
-----------------------------------------------------------------------
To: Virus-L
Fm: Padgett Peterson <padgett%
[email protected]>
Da: 13 Aug. 1991
Su: infected files with nonstandard extension (PC)
>From:
[email protected] (Warren Burstein)
>I had a recurring Sunday infection. I couldn't figure out how Sunday
>could be hiding, it turned out that it had latched onto files that did
>not end in .COM or .EXE.
What the virus is looking for is an MSDOS "spawn" action, not a
particular extension so it can infect anything that executes.
Just because COMMAND.COM will only execute .EXE & .COM files does
not mean that the CPU will not. The good news is that I have
never seen an infection that had not infected at least some .COM
or .EXE files so intitial scanning may be confined to these
(plus .SYS and .OV*). Once detected though, the only way to be
sure of eradication is to check everything.
Padgett
-------------------------------------------------------------------------
To: Virus-L
Fm: Padgett Peterson <padgett%
[email protected]>
Da: 13 Aug. 1991
Su: Problem cleaning "LIBERTY" virus? (PC)
>From: Ken De Cruyenaere 204-474-8340 <
[email protected]>
>CLEAN V80 was unable to clean it though. I beleive the message
>was something like "Unable to clean this file, delete ? y/n "
>(Over a dozen infected files and none of them could be cleaned.)
>We next tried Central Point's ANTIVIRUS and it cleaned it up
>quickly.
This is a good reason not to rely on just one product - my
preference is a layered approach with at least three levels, one
normal and two dis-similar backups. If a product is not sure
that a file can be cleaned, it is often better for it not to try.
Padgett
-----------------------------------------------------------------
To: Virus-L
Fm: Padgett Peterson <padgett%
[email protected]>
Da: 13 Aug. 1991
Su: Stoned at EPO (PC)
>From:
[email protected]
>New Scientist 10 August 1991, p. 24 under byline "Computers Get Stoned
>On Patent Discs" reports that the European Patent Office in Munich has
>been sending clients a floppy disc containing the Stoned virus.
This type of thing just keeps happening both here and abroad -
where are all the lawyers when we need them ?
Padgett
-----------------------------------------------------------------------
To: Virus-L
Fm: Padgett Peterson <padgett%
[email protected]>
Da: 13 Aug. 1991
Su: New Anti-Virus Consortium Announced
><
[email protected]>
>The August 5th Network World has an article on a new consortium:
>The AntiVirus Product Developers Consortium (AVPD)...
>Members currently are: Central Point Software, Certus
>International, Symantec/Peter Norton, and XTree Co. Membership
>is open to all other vendors.
Haven't heard of it but the membership sounds more related to
advertising budgets if more details are available, would like to
know. On the subject, I was told last week that the next release
of NAV will just use a single checksum file (like Engima-Logic)
rather than the innumerable 77 byte _whatevers.
Padgett
------------------------------
Date: 13 Aug 91 23:15:27 -0400
>From: "Robert McClenon" <
[email protected]>
Subject: Bus Error, Teenager Abuse (Mac)
A message was posted on a customer's bulletin board system (of
which I am the sysop) asking about a problem on a member's Macintosh.
The author's daughter had complained that the Macintosh reported a
"Bus Error". She then switched off the Macintosh. When the author
turned it on, he had problems with the various options of the Control
Panel. He also noticed that the System file had increased in size by
2.6M from its previous size on a backup diskette. Both I and another
knowledgable participant in the bulletin board suggested that the most
likely cause of this behavior (growth in System file, altered behavior
of displays) was a virus. The author said that he had used Apple's
virus scanner and did not think he had a virus. He then added that
his daughter had been copying some sound at the time of the "Bus
Error". Since sound effects and sound recordings are installable into
the System file, this explains almost everything. The growth in the
System file is not a virus-like anomaly but an adolescent anomaly,
caused by the daughter installing sound.
What caused the "Bus Error"? Is this a hardware error with the
SCSI bus (which could have messed up the Control Panel)? Should he
have his machine checked out?
Robert McClenon
Neither my employer nor anyone else paid me to say this.
------------------------------
Date: Wed, 14 Aug 91 04:40:00 +0000
>From: William Hugh Murray <
[email protected]>
Subject: re: Virus Implants in DoD Weapons
>The article goes on to say that this would be great for weapons
>exports and that EEPROMS could carry such "Trojan Horses" that could
>be activated using electrical signals.
>Hmmmmmm. Comments?
Since, you would not likely know which instance of such a weapon was
aimed at you, and since you might have little time to react, they
would all have to be triggered the same. Since you would not have
much time to react, the triggering value would have to be widely
disseminated. Such a widely disseminated value would be disclosed and
could then be used by an enemy to disarm weapons still in your hands.
This could be compensated for in part by distributing the disabling
value in a secure smart card. This could discourage its replication,
and possibly even prevent its unauthorized use.
Any country known to be employing such a mechanism, even thought to be
employing such a mechanism, would be considered an unreliable source
for arms. The very idea must already have had a chilling effect on
the arms trade.
William H. Murray
------------------------------
Date: Wed, 14 Aug 91 13:07:14 +0000
>From:
[email protected] (Lee Ritter)
Subject: 8 tunes virus
Anybody know what the 8 tunes virus does?. I Have found this on some
software that I have.
Lee
------------------------------
Date: 13 Aug 91 17:28:07 -0400
>From: Kevin Dean <
[email protected]>
Subject: DOS memory mangement (PC)
Would there be any reason (apart from Frodo/4096 and its ilk) for
there to be a difference between the amount of memory reported by BIOS
and the amount of memory calculated by walking the DOS MCB chain? Are
there any utilities that would have a (legitimate) reason to take over
a portion of high memory and fiddle with the DOS MCB chain?
------------------------------
Date: Wed, 14 Aug 91 14:16:42 -0600
>From:
[email protected] (Kevin Hemsley)
Subject: NetWare boot process (PC)
I am doing research for a paper on virus protection for LANs. I need
information on booting under NetWare. I haven't been able to find any
information about the boot record and if/how it is different from a
normal DOS boot record. Also, if anyone has any information on
previously published papers dealing with virus protection on a LAN, I
would appreciate hearing from you. Thanks in advance.
-
-------------------------------------------------------------------------------
Kevin Hemsley |
Information & Technical Security | If you think that you have someone
Idaho National Engineering Laboratory | eating out of your hand, it's a
(208) 526-9322 | good idea to count your fingers!
[email protected] |
-
-------------------------------------------------------------------------------
------------------------------
Date: Thu, 01 Aug 91 10:28:29 -0600
>From: Chris McDonald ASQNC-TWS-R-SO <
[email protected]>
Subject: Revised Product Test - - Virucide, Version 2.24
******************************************************************************
PT-12
June 1990
Revised August 1991
*******************************************************************************
1. Product Description: VIRUCIDE is a commercial anti-virus program to detect
and to repair known computer viruses for the MS-DOS computer environment. The
report addresses version 2.24, released 21 May 1991.
2. Product Acquisition: The product is available from Parsons Technology, Inc.
The address is Parsons Technology, Inc., 375 Collins Road NE, Cedar Rapids,
Iowa 52401. The company has a toll free number for orders, 1-800-223-6925.
The cost of a single copy, as of 31 July 1991, was $49.00. Each of three
program upgrades , to include version 2.24, have been $15.00 which includes
shipping and handling.
3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN 258-4176, DDN:
[email protected] or
[email protected].
[Ed. The remainder of this review, and other reviews by Chris McDonald
and Robert Slade, is available by anonymous FTP from cert.sei.cmu.edu
(ip#=192.88.209.5) in the pub/virus-l/docs/reviews directory.]
------------------------------
Date: Wed, 14 Aug 91 12:28:26 -0600
>From: Chris McDonald ASQNC-TWS-R-SO <
[email protected]>
Subject: Product Test - - TbScan
*******************************************************************************
PT-39
August 1991
*******************************************************************************
1. Product Description: TbScan is a copyrighted program written to detect
computer viruses and malicious programs for MS-DOS environments.
2. Product Acquisition: The program documentation states that TbScan
"can be used for free in non-commercial organisations and by private users.
Government and commercial organisations have to register the usage of TbScan".
There is a registration form included which describes costs, to include
multiple copy acquisitions. Frans Veldman is the program author. The
documentation gives the following address for more information: ESaSS B.V,
P.O. Box 1380, 6501 BJ Nijmegen, The Netherlands. The author has registered
the copyright and made the program available on many bulletin boards and
software repositories, to include the MS-DOS repository on simtel20 [192.88.
110.20]. The current path on simtel20 is pd1:<msdos.trojan-pro>tbscan28.zip.
On simtel20 the number "28" in the zipped file denotes version 2.8. One will
also require a virus signature data file supplied by Jan Terpstra. The path on
simtel20 is pd1:<msdos.trojan-pro>vs910731.zip. This denotes a signature file
of 31 July 1991. Since the signature file is updated frequently, users should
recognize that the path can change.
3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN:
[email protected] or
[email protected].
[Ed. The remainder of this review, and other reviews by Chris McDonald
and Robert Slade, is available by anonymous FTP from cert.sei.cmu.edu
(ip#=192.88.209.5) in the pub/virus-l/docs/reviews directory.]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 141]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
