VIRUS-L Digest Friday, 6 Sep 1991 Volume 4 : Issue 158
Today's Topics:
Administrivia
More about F-PROT 2.00 (PC)
Official word from Mcafee (was: can't load vshield into high mem) (PC)
Hoffman's List or Similar (PC)
NFS security query - msdos virus
Re: Experiment with virus
Re: Viruses more common in Mac environment?
re: FPROT 2.0/MIRROR conflict (PC)
Virus Simulator (long) (PC)
Re: McAfee question (PC)
Re: scan (PC)
Re: Computer Abuse Amendments Act of 1991
Jerusalem help needed (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Fri, 06 Sep 91 12:08:06 -0400
>From: "Kenneth R. van Wyk" <
[email protected]>
Subject: Administrivia
I will be out of town next week, so VIRUS-L/comp.virus activity will
be intermittent at best. If I can get to a terminal with network
access, then I will make every effort to send out a couple digests.
Otherwise, activity will resume next weekend. Sorry for any
inconvenience.
Ken
Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
[email protected] (work)
[email protected] (home)
(412) 268-7090 (CERT 24 hour hotline)
------------------------------
Date: Thu, 05 Sep 91 17:17:06 +0000
>From: Fridrik Skulason <
[email protected]>
Subject: More about F-PROT 2.00 (PC)
It now seems that there are a few bugs in version 2.00 of F-PROT -
which means that 2.01 will be released earlier than expected.
The problems are:
Inability to scan for boot sector viruses on large (>32M) partitions
under Zenith DOS 3.30 Plus. The program does not have any problems
with DOS 4 or DOS 5, however.
F2.EXE does not work in interactive mode on machines with an
XGA-adapter, and only displays a blank screen. The same happens
on certain machines with a colour adapter, but B/W displays.
If used in the DOS box under OS/2 to scan the active swap file, the
program will crash.
VIRSTOP.EXE seems to conflict somehow with MIRROR from Central Point.
I hope I will have a new version ready before I go on vacation on the 7th.
- -frisk
------------------------------
Date: Fri, 06 Sep 91 14:32:23 +0000
>From:
[email protected] (Doug Barlow)
Subject: Official word from Mcafee (was: can't load vshield into high mem) (PC)
Here is the answer I received from Mcafee, the makers of Vshield:
- -------------------------------------------------------------------
To: dbarlow
>From:
[email protected]
Subject: Re: can't load vshield into
Date: 09-05-91 Time: 12:29a
Hello Mr Barlow,
We're currently "experimenting" with loading VSHIELD in high memory in the
office. However, it is not something that is officially supported or
universally tested. But, if you feel like experimenting, here's what we've
found out:
You need to have a contigious block of 112Kb free to load VSHIELD into.
When VSHIELD installs itself, it decompresses its code which takes up this
much space. >From then on, it's the normal 34Kb of memory used up, though.
While loaded high, VSHIELD can not be removed with the /REMOVE option, and
you will be able to load it into conventional memory if you try to.
We have tested this on several 386/25's with OPTi chipsets and AMI BIOSes.
You're mileage may vary :-) Seriously, though, if you have any different
results, I'd appreciated hearing about them.
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
PS: Remember, this isn't "officially" supported currently. If any problems
arise, you may have to go back to loading VSHIELD into conventional memory.
Did I mention that the steps I previously outlined to you were using MS-DOS
5.00? I haven't had a chance to check with DR-DOS 5.00 or DR-DOS 6.0Beta.
- --------------------------------------------------------------------------
Doug Barlow Email:
[email protected]
Software Testing
Novell, Inc. Provo, UT
Standard Disclaimer applies......
- --------------------------------------------------------------------------
------------------------------
Date: 06 Sep 91 13:43:30 +0000
>From:
[email protected] (Avron Welgemoed)
Subject: Hoffman's List or Similar (PC)
I'm trying to get hold of a copy of the latest Patricia Hoffman Virus
List, or similar detailed Virus listing.
I din't yet have FTP access, so am looking for a copy through Email.
Thanx
Avron
- ---------------------------------------------------------------------------
Avron Welgemoed - Computer Science - Rhodes University
Grahamstown - South Africa
Internet:
[email protected]
------------------------------
Date: Fri, 06 Sep 91 11:24:48 -0500
>From: Joe Simpson <JSIMPSON%
[email protected]>
Subject: NFS security query - msdos virus
Miami University operates a mixed Macintosh, Ms-Dos, Unix, VMS
network in support of office automation and instruction. Recently
a serious virus infection disrupted this network. Every MS-DOS
machine on the network was infected with the Sunday virus. Applications
on the NFS file server were infected. This has led to an exploration
of file protection and security options on NFS servers.
We request references on NFS file permissions and security.
I would also be interested in a brief correspondence with someone
using NFS to share MS-DOS applications. I am interested in the
protection strategies used at such sites. I am also interested
in applications that can run from a read only subdirectory.
Thank you
------------------------------
Date: Fri, 06 Sep 91 13:50:24 +0000
>From:
[email protected] (Gary Heston)
Subject: Re: Experiment with virus
[email protected] (Mark Aitchison, U of Canty; Physics) writes:
> [ .... ] wipe all the diskettes with a magnet* [ .... ]
Better yet, run by Radio Shack and pick up a degausser, normally used on
audio cassettes. My experiences with magnets has been disappointing.
Seems like they cost less than $20, which is cheap insurance.
- --
Gary Heston System Mismanager and technoflunky uunet!sci34hub!gary or
My opinions, not theirs. SCI Systems, Inc.
[email protected]
Become a pheresis donor. Loan your blood to the Red Cross for a couple
of hours. They, and cancer patients, will appreciate it.
------------------------------
Date: 05 Sep 91 20:03:09 +0000
>From:
[email protected] (Barry T. Drake)
Subject: Re: Viruses more common in Mac environment?
Viruses spread more easily in the Mac environment because a program is run
every time a diskette is inserted: the desktop. On our campus there is an
extremely high contamination of viruses among students (and their floppies)
because they swap and share diskettes fairly freely. Our faculty members
are more likely to use anti-virus software because they can get the college
to pay for it :-).
In six years of working with primarily IBM PC's, I have seen *one* diskette
infected (with Stone-B and Ping Pong-B); it came from off campus via a
research assistant (from her workplace).
So, in my experience, Mac viruses are more common.
- --Barry (
[email protected])
------------------------------
Date: Thu, 05 Sep 91 15:29:23 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: re: FPROT 2.0/MIRROR conflict (PC)
>From: Diskmuncher <
[email protected]>
> There are other conflicts that VIRSTOP sseems to have with
>Central Point Software's PC Tools Deluxe programs. During the
>beta-test phase (I haven't tried it since receiving the official
>release) I discovered that if VIRSTOP is loaded AFTER PC-SHELL goes
>resident (TSR), the PC will crash when you load a program of any
>significant size (i.e. FORMAT worked, but DOSSHELL (DOS 5.0) crashed).
Afraid this is not a conflict but rather a DOS charactoristic that
most Netware administators are aware of: there are many programs such
as PC-SHELL and LOGIN.EXE that shell other executable files during
their operation then, when operation is complete, remove themselves
from memory and release the memory they were using to DOS. Unfortunately,
if a program went TSR from the shell, DOS cannot de-allocate the memory.
In the case of PC-SHELL, I suspect that the spawning process examines
the requested program to determine if there is sufficient memory
to run the request. If there is, PC-SHELL just spawns a new CLI
to run the program. If the program is larger, PC-SHELL will swap
itself out before running the new program.
Consequently, VIRSTOP must be small enough that PC-SHELL does not
swap out and once VIRSTOP is resident, PC-SHELL is no longer able
to swap, hence the problem.
I suspect that somewhere in the PC-SHELL documentation there is a
warning about loading all TSRs prior to loading PC-SHELL.
Padgett
------------------------------
Date: Thu, 05 Sep 91 15:29:50 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: Virus Simulator (long) (PC)
[email protected] (Fred Waller) writes:
(hope I have the author correct, this is getting confusing)
> Currently, there is no independent means of testing and verifying
> virus software. Simply having the word of a seller/producer has, of
> course, never been enough, and is not likely to ever be; the danger
> of collusion is simply too great for any reasonably-cautious
> consumer to accept it blindly.
Well, this is not quite true, the means are redily available, it is having
a good sample of viruses to test that is the problem for most people.
Personally, I have a write protected Bernoulli disk that is chock full of
viruses (I have a policy of not distributing them so please do not ask)
and an XT with a 10 MB ST-412 disk (street value >$300) that is used for
infection.
To test a new anti-viral product, the detection part is run against my
infected disk to see how many it finds (what they are called is often
both entertaining and informative). Next, I go through a series of
infections of the XT to see what happens. Other than starting with easy
ones like Jerusalem and Sunday then working my way up, there is no particular
pattern other than all of the "common" ones are tried plus a random mix
of other classes.
Other than the viral collection, a duplicate could be assembled by anyone
for under $1000 in equipment and the Bernoullis make restoration easy.
This has been effective for several years but lately, I am starting to
wonder if something more is needed since there are apparantely high memory
and network specific viruses around. Probably to stay current, will have
to add a 386 with 4 MB & Netware (less than $1000 including another ST-412)
and a PPI for the Bernoulli) - think I have most of what is needed lying
around.
The point is that for less than $3000 (under $2000 if you want to scrounge)
all of the equipment necessary for an effective virus analysis lab (PC) can
be had. Add a few bucks for software and all of the tools are in place. The
hard part is to find the experience necessary to perform the testing and
accurately analyze the data.
Padgett
------------------------------
Date: Thu, 05 Sep 91 19:48:48 +0000
>From:
[email protected] (McAfee Associates)
Subject: Re: McAfee question (PC)
[email protected] (Tom Laughner) writes:
>We are currently evaluating the McAfee anti-virus program. Specifically,
>I know that the Norton TSR will detect infected files as they are being
>copied. Is there any way to get the McAfee TSR to do this? I've been
>testing with ver. 8.0 and had used VSHIELD and VSHIELD1.
The current (Version 80-B) version of VSHIELD does not check files as
they are being copied. The next release (should be going into beta
today) will.
>Anyone done side-by-side testing of both Norton and McAfee? What are
>your impressions?
I think the January 7, 1991 edition of PC Week had a comparison, as well
as the August, 1991 edition of Byte.
>Tom Laughner
>Consultant/Analyst
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
- --
McAfee Associates | Voice (408) 988-3832 |
[email protected] (business)
4423 Cheeney Street | FAX (408) 970-9727 |
[email protected](personal)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM
------------------------------
Date: Thu, 05 Sep 91 19:55:00 +0000
>From:
[email protected] (McAfee Associates)
Subject: Re: scan (PC)
[email protected] writes:
<some of message deleted>
>We had someone come in the other day with a disk infected with the
>Keypress virus, the infected files had been renamed to .BAD.
>
>So I renamed them to .COM and scanned them, no virus. When we checked
>they were .EXE files, so we renamed them and guess what, scan found
>the keypress virus.
Since the KeyPress virus only infects .EXE files only, we do not, by
default look for it in .COM files. If you wish to force VIRUSCAN to
look inside of files with non-standard extensions, either use the /E
option to add the extension to the default list of extensions scanned
or use the /A option to force VIRUSCAN to search through all files
on the disk (lengthy, but useful).
<more of message deleted>
>+--------------------------------------+------------------------------+
>| Mark G. P. Cramer. | Sig!, /\_|\ |
>| Operations Manager, CBE Section | Sig a sog!, / QUT>\ |
>| Queensland University of Technology. | Sig it loud!, ( __ | |
>| Australia. | Sig it strog! -- \/ |
>| Ph. 07 8642073. Fax 07 8641525. | Karen Carpenter v |
>|
[email protected] | with a cold! |
>+--------------------------------------+------------------------------+
Aryeh Goretsky
McAfee Associates Technical Support
- --
McAfee Associates | Voice (408) 988-3832 |
[email protected] (business)
4423 Cheeney Street | FAX (408) 970-9727 |
[email protected](personal)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM
------------------------------
Date: 05 Sep 91 20:43:37 +0000
>From:
[email protected] (Kent Borg)
Subject: Re: Computer Abuse Amendments Act of 1991
In reading the bill, it occured to me that it might outlaw some copy
protection schemes, and that that might be a good thing.
Imagine a copy protection scheme. It installs itself on your hard
disk, does secret things you don't know about. Now imagine it goes
bad and causes some trouble. Say the computer refuses to boot because
of something in the copy protection scheme. Say a company is without
their computer for a day as a result. That could easily cause lots of
damage, easily over the $1,000 limit I saw in the bill. The copy
protection didn't *intend* to do damage, but it had a bug.
Compare that to a virus. It installs itself on your hard disk, does
secret things you don't know about, but that is all it intends to do
(Mac viruses are like that, none of the current crop try to erase
disks or anything nasty like that). Now imagine it goes bad and
causes some trouble. Say the comuter refuses to boot because of
something in the virus. Say a company is without their computer for a
day as a result. That could easily cause lots of damage, easily over
the $1,000 limit I saw in the bill. The virus didn't *intend* to do
damage, but it had a bug.
How do you write a bill which outlaws one behavior but not the other?
It seems that they are doing very similar things. Maybe an antivirus
law should outlaw some forms of copy protection??
- --
Kent Borg internet:
[email protected] AOL: kent borg
H:(617) 776-6899 W:(617) 426-3577
"Conservatives rarely think beyond their own experiences." - my Mom
------------------------------
Date: 06 Sep 91 05:58:01 +0000
>From:
[email protected] (Scott Marks)
Subject: Jerusalem help needed (PC)
Does anyone know of the Jeru. virus HELP!
- --- Opus-CBCS 1.14
* Origin: Universal Electronics, Inc. [714 939-1041] (1:103/208.0)
- --
Scott Marks
Internet:
[email protected]
Compuserve: >internet:
[email protected]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 158]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
