VIRUS-L Digest   Tuesday,  5 Nov 1991    Volume 4 : Issue 210

Today's Topics:

VIRUS WARNING - Form Virus on Demo Disk (PC)
from fidonet: listing of conferences re computer security
Gosia false positive (PC)
Re: Hardware forever!
"Stoned" virus information sought
Re: UNIX anti-virus program (UNIX)
Re: Scanning inside ZIPPED files (PC)
Re: NCSA (Was: Request for standards)
Re: Can I Load FPROT's VIRSTOP High? (PC)
Re: question about viruses (UNIX) (PC)
Re: Request for Standards
Re: Organ music/black monitor-Mac (Mac)
Re: nVIR question (Mac)
F-PROT 2.01 is available (PC)
Change detection

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 04 Nov 91 13:27:29 -0700
From:    John Kida (Vienna) <[email protected]>
Subject: VIRUS WARNING - Form Virus on Demo Disk (PC)

VIRUS WARNING !!!!!!!!!!!!!!!!!!!!!

FORM VIRUS Shipped on DEMO DISK by Company.

Source : Software Perspectives
        Toronto, Canada
        (416) 481-1355

Demo rec'd in mail from company.

Program / DEMO name: The Clip/++ Extension for Cliper
                       copyright 1991
media: 5.25 DS/DD


This virus will infect hard drive boot sectors and display a profane
message.  An infected system will make a clicking noise on the 24th of
every month.  CLEANUP (removal) is done by following the steps needed
to remove a boot sector virus.

They are:

Boot from a CLEAN write-protected MS-DOS disk.
Issue the MS-DOS "SYS X:" command.
Remove Boot Disk.
COLD Boot the CPU
Test for virus.
if clean count your blessings...

------------------------------

Date:    Sun, 03 Nov 91 08:06:00 -0500
From:    [email protected]
Subject: from fidonet: listing of conferences re computer security

Forwarded from the FidoNet Virus Conference.

---------- begin forwarded message ---

From:  Paul Ferguson              Submitted:  01 Nov 91 17:02:00
Subject:  Events 1/5              Status:  Public
Received:  No                     Group:  VIRUS (30)

* Crossposted in FidoNet VIRUS Conference
* Crossposted in FidoNet VIRUS_INFO Conference

The following information is presented for your information.  I pulled
it off of the National Institute of Standards and Technology (NIST) BBS
yesterday... -Paul


Last update: 10/30/91

COMPUTER SECURITY EVENTS CALENDAR

This file contains a list of upcoming computer security events.
Because of the nature of this material and how it is obtained, it
is impossible to include every event.  The absence or inclusion of
any particular event does not imply criticism or endorsement by the
National Institute of Standards and Technology or the sysop.  If
you know of computer security events that are not listed, please
send the conference/course literature to the following:

Marianne Swanson
National Institute of Standards and Technology
Room A-216, Bldg. 225
Gaithersburg, MD 20899

-----

DATE:      10/30/91
LOCATION:  Westminster, London
SPONSOR:   Elsevier Technology
TITLE:     Compsec '91
CONTACT:   Kay Russell
ADDRESS:   Mayfield House, 256 Bandbury
          Oxford OX 2 7DH, UK
PHONE:     44 0 865512242


DATE:      11/04/91
LOCATION:  Shepherdstown, WV
SPONSOR:   IFIP
TITLE:     5th IFIP WG 11.3 Working Conference on Database Security
CONTACT:   Sushil Jajodia, GMU
ADDRESS:   4400 University Dr., SW
          Fairfax, VA 22030-4444
PHONE:     (703)764-6192


DATE:      11/11/91
LOCATION:  Miami, FL
SPONSOR:   CSI
TITLE:     18th Annual Computer Security Conference & Exhibition
CONTACT:   Computer Security Institute
ADDRESS:   600 Harrison Street
          San Francisco, CA 94107
PHONE:     (415)905-2626


DATE:      11/11/91
LOCATION:  Miami, FL
SPONSOR:   CS Institute
TITLE:     18th Annual Computer Security Conference & Nat'l
          Exhibition
CONTACT:   CSI Conference Registration
ADDRESS:   17300 SW Upper Boones Ferry RD
          Portland, OR  97224
PHONE:     (503) 624-2118


DATE:      11/14/91
LOCATION:  Washington,DC
SPONSOR:   Amer. Tech. Assoc.
TITLE:     Surveillance Expo '91
CONTACT:   Marilyn Roseberry
ADDRESS:   PO Box 20254
          Washington,DC  20041
PHONE:     (800) 873-3284


DATE:      11/18/91
LOCATION:  Gaithersburg, MD
SPONSOR:   ACM
TITLE:     Computer Security Awareness Seminar
CONTACT:   Chuck Dinkel
ADDRESS:   NIST, Bldg. 225/A216
          Gaithersburg, MD  20899
PHONE:     (301) 975-3367


DATE:      11/20/91
LOCATION:  Paris, France
SPONSOR:   EDP
TITLE:     6th European Conference on Information Systems Security.
CONTACT:   Conference Department
ADDRESS:   P.O. Box 88180
          Carol Streams, IL 60188-0180
PHONE:     (708)682-1200


DATE:      11/25/91
LOCATION:  Washington,DC
SPONSOR:   append
TITLE:     Anti-Virus Product Developers Conference
CONTACT:   NCSA Administrative Office
ADDRESS:   227 W. Main St.
          Mechanicsburg, PA  17055
PHONE:     (717) 258-1816


DATE:      12/02/91
LOCATION:  San Antonio, TX
SPONSOR:
TITLE:     7th Annual Computer Security Applications Conference
CONTACT:   Dr. Ronald Gove
ADDRESS:   4330 East-West Highway
          Bethesda, MD 20814
PHONE:     (301)951-2395


DATE:      12/04/91
LOCATION:  California
SPONSOR:   SRI International
TITLE:     ACM SIGSOFT '91 Conference on Software for Critical
          Systems
CONTACT:   Mark Moriconi, SRI Int'l.
ADDRESS:   333 Ravenswood Ave.
          Menlo Park, CA 94025
PHONE:     @csl.sri.com


DATE:      03/18/92
LOCATION:  Washington, DC
SPONSOR:   ACM
TITLE:     The 2nd Conference on Computers, Freedom and Privacy
CONTACT:   George Washington University
ADDRESS:   2003 G St.
          Washington, DC 20052
PHONE:     (202) 994-7238


DATE:      03/22/92
LOCATION:  Houston, TX
SPONSOR:   ISSA
TITLE:     9th Annual Working Conference for Info. Sec.
          Professionals
CONTACT:   ISSA
ADDRESS:   PO Box 9457
          Newport Beach, CA 92658
PHONE:     (714) 250-ISSA


DATE:      04/27/92
LOCATION:  Philadelphia, PA
SPONSOR:   EDP
TITLE:     22nd Computer Audit, Control and Security Conference.
CONTACT:   Conference Department
ADDRESS:   P.O. Box 88180
          Carol Streams, IL 60180-0180
PHONE:     (708)682-1200


DATE:      05/04/92
LOCATION:  Oakland, CA
SPONSOR:   IEEE
TITLE:     IEEE Symposium on Research in Security and Privacy
CONTACT:   John Mclean
ADDRESS:   Naval Research Lab
          Washington, DC 20375
PHONE:     (202)767-3852


DATE:      05/12/92
LOCATION:  Ottawa, Ontario
SPONSOR:   Gov. of Canada
TITLE:     1992 4th Annual Canadian Computer Security Symposium
CONTACT:   Canadian System Security Off.
ADDRESS:   PO Box 9703, Terminal
          Ottawa, Ontario K1G 3Z4
PHONE:


DATE:      05/27/92
LOCATION:  Singapore, China
SPONSOR:   IFIP/SEC 1992
TITLE:     International Conference on Computer Security
CONTACT:   Guy G. Gable
ADDRESS:   Nat'l University of Singapore
          Singapore 0511
PHONE:     65772-2864


DATE:      06/15/92
LOCATION:  Gaithersburg, MD
SPONSOR:   IEEE, IEEE Aerospace, Electronics Systems Soc.
TITLE:     7th Annual Conference on Computer Assurance
CONTACT:   Robert Ayers
ADDRESS:   2551 Riva Rd.
          Annapolis, MD 21401
PHONE:     (301) 266-4040


DATE:      06/16/92
LOCATION:  Franconia, NH
SPONSOR:   IEEE Computer Soc.
TITLE:     Computer Security Foundations Workshop V
CONTACT:   Leonard J. LaPadula
ADDRESS:   Mitre Corporation
          Bedford, MA 01730-0208
PHONE:     (617) 271-3261


DATE:      09/14/92
LOCATION:  Sicily, Italy
SPONSOR:   IFIP
TITLE:     3rd Working Conference on Dependable Computing
CONTACT:   Carl Landwehr
ADDRESS:   Naval Research Lab
          Washington, DC 20375-5000
PHONE:     (202)767-3381


DATE:      10/13/92
LOCATION:  Baltimore, MD
SPONSOR:   NIST & NCSC
TITLE:     15th National Computer Security Conference
CONTACT:   NCS Conference Committee
ADDRESS:   9800 Savage Rd.
          Fort George G. Meade, MD 20755-6000
PHONE:     (301) 850-0272


DATE:      11/23/92
LOCATION:  Toulouse, France
SPONSOR:   AFCET
TITLE:     European Symposium on Research in Computer Security
CONTACT:   Yves Deswarte
ADDRESS:   LAAS-CNRS & INRIA
          Toulouse, FRANCE 31077
PHONE:     +33/61336288

-------------------
Hope some of you find this of interest.

Cheers,
Paul
---
* Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)

---------- end forwarded message ---

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   [email protected]     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

From:    [email protected] (Fridrik Skulason)
Subject: Gosia false positive (PC)

One of the new viruses listed in the November edition of the Virus
Bulletin is named "Gosia".  The search pattern provided there is
invalid, as it causes a serious false alarm - it can be found in all
versions of COMMAND.COM.

Please ignore this pattern.  A replacement will be published next month.

-frisk

------------------------------

Date:    04 Nov 91 15:07:41 +0000
From:    [email protected] (Henk de Groot)
Subject: Re: Hardware forever!

[email protected] (Fridrik Skulason) writes:
>In Message 31 Oct 91 06:27:30 GMT, [email protected] (Fred Waller) writes:
>> There is NO software defense that's fully reliable.

>Correct.

Incorrect, exchange your BIOS to include the following
processor-start-up *software* (though it's as drastic as the "off
switch", it is software :-) ):

1) Disable all interrupts.
2) Redirect NMI vector to a "reti" instruction.
3) Execute a "Halt" instruction which stops the processor.

>> There IS hardware defense that is fully reliable.

>Only the "off switch". :-)

>-frisk

We have UNIX systems with a software-switch-off function. If an
"antiviral" package immediately activates this function, the system
will be switched off and cannot be infected. Is this hardware
protection? No, because hardware alone cannot do it (it will not
switch off by itself). Is this software protection? No, software alone
cannot do it (after software triggered the hardware, the hardware
will switch the system off).

I don't know any hardware protection boards, but I assume that a board
like the "Thunderbyte" board will contain *software* (are there
(E)PROMs on it?), and I guess it's the *software* on that board that
prevents viruses, not the hardware! (But like I said, I don't
know the board.)

I think the power in these applications is that it's a *combination* of
hardware and software. Think of what software can do if I had a very
fast RISC processor with 80486 emulating software. This emulation
software could easily track suspicious activity, but could not be
changed by software running on the emulator! This has the potential
equal to any hardware solution. (Note that your "hardware" CPU is also
running a *software* micro-program inside it and no one is able to
change that program with any virus either.)

Henk.

--
 /   /            Henk de Groot      | Department: PG 9000i - System Services
/---/ __  __  /   V2/A12-A13         | Internet : [email protected]
/   / (-_ / / /(   Tel: +31 55 432099 |  == PHILIPS INFORMATION SYSTEMS ==
         Disclaimer: I only speak for myself, not for my employer!

------------------------------

Date:    04 Nov 91 16:09:56 +0000
From:    [email protected] (Shag)
Subject: "Stoned" virus information sought

I'm looking for information on the "Stoned" virus.  Included:
       How it attaches itself to disks
       How it copies itself (through RAM, etc)
       What it does to the system
       Where it came from
       Likely sources

One of our clients (where I work) thinks they got it from us.  Our
site is completely virus-free, and we are trying to get a better
understanding of the virus so that we can prove that we are not liable
(and possibly help them determine who is.)

Please do not reply via follow-up, as I do not read this group
frequently.

-Shag (work phone 609/267/9131)
--
+----------------------------------------------------------------------+
| Dan "Shag" Birchall, Official Random, NJ Intercampus Network.        +-+
| The NJ Intercampus Network is not responsible for me.  They're glad. | |
| For further disclaimers, contact information, and lyrics, finger me. | |
+-+--------------------------------------------------------------------+ |
 +----------------------------------------------------------------------+

------------------------------

Date:    Mon, 04 Nov 91 17:09:53 +0000
From:    [email protected] (Brian D. Howard (CS))
Subject: Re: UNIX anti-virus program (UNIX)

[email protected] (Peter da Silva) writes:

>Are there any viruses on UNIX to actually *check* for?

No. But that never stopped nobody from selling.
--
Dallas,TX "Where we shoot Presidents and shoot people who shoot Presidents."

------------------------------

Date:    Mon, 04 Nov 91 09:31:12 -0800
From:    [email protected]
Subject: Re: Scanning inside ZIPPED files (PC)

In #208, Jeff Johnson asks:

>>Are there any programs which will scan inside of Zipped files?<<

Sure are, Jeff. McAfee's SCAN is usable (and callable) from inside a
program I've been trying called SHEZ. SHEZ will allow you to look
inside any format you like: ARC, ZIP, ARJ, PAK, or what have you.

It won't look inside self extractors, but then you knew that I'd guess.

------------------------------

Date:    04 Nov 91 17:39:47 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: NCSA (Was: Request for standards)

[email protected] (Fridrik Skulason) writes:

> Well, they have been running my scanner against their "collection" for
> some time now - I received a disk full of stuff that I did not detect
> - most of it for the simple reason that it was not infected, contained
> Trojans, not viruses but there were two new viruses in there.
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^
This is partly why I got so upset... :-) I knew that there is
something new there, so I couldn't just drop all the mess and forget
about it. No, I had to analyze everything... :-((

> In their latest set they have done quite a bit of "cleaning-up" -
> gotten rid of most of the duplicates, the non standard samples
> (Vienna-infected files, which have been "inoculated" against Jerusalem
> after infection) and so on.

Glad to hear that they do at least this...

> The problem is just that they accept collections of infected (?) files
> from a lot of people, and combine them all, instead of analysing and
> classifying..

Well, this certainly cannot be called research...

> But well, I find this quite useful - after I sort out the "garbage"....

It's, of course, a matter of taste, but is it worth the effort?

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev         Virus Test Center, University of Hamburg
[email protected]   Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246     Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Mon, 04 Nov 91 18:03:24 +0000
From:    [email protected] (Eric N. Lipscomb)
Subject: Re: Can I Load FPROT's VIRSTOP High? (PC)

[email protected] (Rich Travsky) writes:

>Can I load FPROT 2.0's VIRSTOP high under dos 5.0 (and still have it
>functional)?  I don't have much in the way of viruses to test with nor
>a machine to dedicate to same.

I've had trouble loading VIRSTOP high under DOS 5.  I simply haven't been
able to get it to *load* high at all.  It loads low and runs fine, but I'm
apparently missing something.  :)

I had a problem with loading VIRSTOP under QEMM v5.13 as well, but that
problem has gone away with QEMM 6.0.  Loads and runs very nicely now, thank
you.

>Rich Travsky  [email protected]

}lips
--
Eric N. Lipscomb, Lab/Network Manager Academic Computing Services
Email:  [email protected]            "Golf is something you do to make
       [email protected]            the rest of your life look good."
       [email protected]                        -- Phil Baczewski

------------------------------

Date:    04 Nov 91 18:04:09 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: question about viruses (UNIX) (PC)

[email protected] (Gene Spafford) writes:

> The only true viruses around for Unix systems are research-oriented.
> Cohen has written some, Duff has written a very well-known one, and
> many other people have written simple examples to describe them.
> However, none of these appear to exist outside isolated research
> machines (if they still exist there).

Hmm, with the number of personal Unix boxes sold nowadays, I guess
that in the near future we'll see at least attempts to spread Unix
viruses. For instance, viruses that run only on a single Unix platform
(e.g., 80386)...

> The topic of Unix viruses has come up again and again at conferences
> and in mailing lists.  Many people wonder why we haven't seen any "in
> the wild."  The general conclusion is that because of the user
> community, the usual forms of software sharing, and the possible
> motives behind writing viruses, it is extremely unlikely that a virus
> would be written for Unix and spread very far.

This is, of course, true, but the situation is changing, IMHO...

> Any products that *charge money* for scanning for a virus in a Unix
> environment (as opposed to a worm or a trojan horse) is a waste of
> money.  You might as well have spend money on a program to warn you
> when a meteorite is about to strike your computer.

Sure. But I have seen advertisements for products that were advertised
as anti-virus programs, while in fact they were integrity checkers -
they compute checksums. This will, of course, catch viruses as well,
but it is also a useful tool against any kind of integrity corruption.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev         Virus Test Center, University of Hamburg
[email protected]   Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246     Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    04 Nov 91 18:13:01 +0000
From:    [email protected] (Vesselin Bontchev)
Subject: Re: Request for Standards

[email protected] writes:

> I believe the reason that the files were numbered as opposed to named,
> Vesselin, is that they are trying to avoid the problem that seems to
> be cropping up more and more recently: that of different names for the
> same virus in different parts of the world.  The NCSA scanner report

Yes, that's true, there is indeed a major naming confusion between the
different researchers. When I started to organize the virus collection
at the VTC I found a virus present twice even in it! But usually I was
able to cope with the different names that the different researchers
from whom we get viruses use. This confusion cannot be even compared
with the confusion that 1775 unnamed files caused! (Again, I'm
speaking only about myself here. Probably the others are cleverer than
me.) The files that had nothing to do with viruses (as Fridrik
Skulason pointed out) just added more to the confusion... :-(

> in the infected files.  The results are interesting, to say the least:
> different scanners called the same file many different names.

Is it interesting? It only confirms the (well-known) name confusion,
IMHO...

> Therefore, I believe (I've not talked to Stang about this recently)
> that they are going to hold off putting names on the files at least
> until the anti-virus product developers conference next month.  At the

Oh, well, that's good. So we probably got their collection in an
unfinished state...

> conference, they are going to try to work out some common names among
> the vendors and researchers present.

Are you aware of the NIST proposal for standard virus naming?

> As for the organization of the "collection", I haven't had to deal
> with it myself...so you may be quite right about the fact that it is

Lucky you... :-)

> unwieldy.  I can say, however, that Stang has always been able to pick
> out the virus I needed in a matter of seconds.  So, I can only es
> infer that it must make sense to someone :).

Oh, I assumed that. Obviously it should make sense to someone.
However, if it is supplied to others, it should try to make sense to
-most- of the people, IMHO.

> Finally, you commented on the fact that you feel the people at NCSA do
> not have the expertise necessary to reliable and careful testing.
> Once again, you may be right.  IMHO, however, the past research

My (personal) opinion was based on the state of the virus collection
that we received; I think that I clearly stated that. I continue to
think that this state was horrible and that -it- didn't show a good
level of expertise in anti-virus research. That's the only reason
why I expressed my doubts that the people who call this "virus
collection" are able to test anti-virus products reliably. Imagine a
report that says "F-Prot was not able to detect 30 % of the files in
our virus collection"... Sure, if they don't contain any viruses...
:-) Anyway, I'm glad to hear that Mr. Stang is improving the state of
NCSA's collection.

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev         Virus Test Center, University of Hamburg
[email protected]   Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246     Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Mon, 04 Nov 91 10:41:11 -0900
From:    "Jo Knox - UAF Academic Computing" <FXJWK@ALASKA>
Subject: Re: Organ music/black monitor-Mac (Mac)

[email protected] (Alan J Rosenthal) writes:
>[email protected] (Fran Holtsberry) writes:
>>We have two systems playing organ music and no monitor response.
>
>I don't know exactly what you mean by "organ music", but if it's a mac II, and
>the sound is something like this:  like "do, mi, soh, do", with the last "do"
>being higher than the other notes, with the initial sound the mac makes when
>being turned on somewhere around "la", then this is the normal sound made by a
>mac failing certain hardware tests at power-on.  I've experienced this from bad
>memory boards and from memory boards not being seated properly, but I believe
>that there are other possible causes for this particular sound.

The first time I heard this problem was after someone had stolen the
1M SIMMs out of a 5M Mac II (the remaining 256K SIMMs were left in the
"high" slots, which won't work for a 1M setup.)  I've also heard it
from one machine we had in which the SIMMs needed to be reseated about
once a month...

jo

------------------------------

Date:    Mon, 04 Nov 91 15:39:33 -0500
From:    Joe McMahon <[email protected]>
Subject: Re: nVIR question (Mac)

>My Symantec Anti-Virus program is BROKEN!  It's not infected (according
>to Disinfect) but it is reported as "damaged or in an unknown format"

>Does nVIR A do this to SAM intentionally?  Or is this coincidence?

Coincidence, because SAM didn't exist when nVIR was written.  I would
guess that for some reason, you have only a partial infection. Get out
your locked backup disk and reload SAM.  Also, make sure that you
install the SAM init, sounds like it might not have been running, or
that your machine was booted from an untested System disk. Tell
anybody who wants to use your Mac that they may, but only if they
disinfect their disks first. Leave SAM Virus Clinic running when you
go out of the office if you have to.

--- Joe M.

------------------------------

Date:    Mon, 04 Nov 91 19:16:33 +0700
From:    [email protected] (Fridrik Skulason)
Subject: F-PROT 2.01 is available (PC)

Version 2.01 of F-PROT is now available.  It is a few days behind
schedule, but look at the list of new viruses below, and you see why :-)

The program has been sent out by mail and E-mail, and should be
available on the major archive sites (such as Simtel20) now or within
a couple of days, but I have just uploaded it myself to
oak.oakland.edu (/pub/msdos/trojan-pro).

VIRSTOP.EXE from version 2.00 started to complain on Nov. 1 that it
was too old and should be replaced - a minor bug; it should not have
done so until Dec. 1.  Version 2.01 will start complaining in four
months or so.

No major new features were added in 2.01 - it just fixes some bugs in
2.00 and adds detection/removal of a lot of new viruses - over 100.

Version 2.01 - corrections:

  The name of the main program was changed from F2.EXE to F-PROT.EXE,
  as several other programs (including a part of Microsoft's FORTRAN
  compiler) were already named F2.EXE

  Some problems regarding user-defined signatures have been fixed.

  A false alarm of a "Whale" infection in the GMOUSE.COM (Genius Mouse
  driver) and a program named XTRA.COM has been corrected.

  Version 2.00 would not work in interactive mode on a machine with a XGA
  or a Monochrome MCGA display.  This has been corrected.

  Some characters above 128 were corrupted if a report was saved to a
  file.

  If floppy drives were installed with other identifiers than  A: and B:,
  the program would try to access them on startup, which caused problems
  if no disk was inserted.

  The "Analysis" function now produces fewer false positives than before,
  and known false positives are now listed in ANALYSE.DOC

  The program should now work without problems on Zenith DOS 3.30 PLUS.

  Some variants of the Vacsina virus were occasionally not disinfected
  correctly - this has been fixed.

  The Amoeba virus was not detected in .COM files with size above a
  certain length, although it was always stopped by VIRSTOP.  Fixed.

Version 2.01 - improvements:

  VIRSTOP.EXE can now be loaded as a device-driver, with a DEVICE=
  or DEVICEHIGH= command from CONFIG.SYS.

  Two command-line switches were added:

     /NOMEM    skip the initial memory scan.  It should only
               be used if the computer is known to be "clean".

     /USER     scan for user-defined virus patterns.

  The program used to scan subdirectories in "reverse" order - this has
  now been changed.

  F-PROT.EXE is now distributed in packed (run-time unpacking) form, so
  that the entire package fits on one 360K diskette after unpacking.

Version 2.01 - new viruses:

 The following 89 new viruses (or new variants of old viruses) can be
 detected and removed with version 2.01.

   864, 1876, Akuku-Copmpl, AT-144, Backtime (Blinker, Joker and Shaker),
   Big Joke, Bulgarian 123, Cascade 1704-D, CSL (Microelephant),
   Copyright, DM-400, Eddie-1530, Europe '92, F709, Fake VirX,
   Gergana (222, 300, 450 and 512), Gosia, Gotcha (A, B and C), Hary Anto,
   Hey You-928, Hungarian-482, Iron Maiden, Jabberwocky,
   Jerusalem (4 minor suMsDos variants, Messina, Nemesis, P and B-3),
   Jerusalem-Frere Jacques-C, Jerusalem-Plastique-4096-D, Jihuu,
   Kuku, Leningrad (543 and 600), Little Brother, Lozinsky-1018, Milous,
   Minimal-30-B, Mono-1063, MPS-OPC (1.1, 3.1 and 3.2), MSTU,
   Murphy-Brothers, Old Yankee-Black Wizard, Omega, Path, PC-Flu,
   Pixel (Polish-457, Polish-550, 897, 899-A, 899-B and 905),
   Plovdiv (New Bulgarian 800), Polish Color, Polish Minimal-45, Semtex,
   Seventh son, Spanz, Socha, Something, StinkFoot, SVC-1740, Tony, Traveller,
   Twin, Vienna (634, 656, 726 and 776 byte variants, Violator B/B3),
   Voronezh-370, W13 (C, 377 and REQ!), Words (1069, 1085, 1387 and 1503),
   Yankee (1150 and 1202 byte variants)

 The following 13 new viruses can now be detected but not removed.

   Best Wishes-970, DIR II, Eddie-Ps!ko, Hero-394, Possessed-2446,
   Simulate, Squeaker, StinkFoot-2, SVC (5.0 and 6.0), Vacsina-Rybka,
   Virdem-1542, W13-361

 "Variant identification" of the following viruses has been improved:

   Cascade (14 variants), Sentinel (5 variants)

------------------------------

Date:    Fri, 01 Nov 91 23:29:50 -0800
From:    Robert Slade <[email protected]>
Subject: Change detection

FUNGEN6.CVP   911101

                      Change detection

A virus has to change *something*.

This fact is absolutely fundamental to the operation of computer
viral programs, and therefore, in a sense, provides a guaranteed
form of virus prevention or detection.  If we make a machine
that cannot change anything (and the disadvantages of this have
been thoroughly discussed) we can prevent infection.  If any
change made can be detected, then any infection can be detected,
although discriminating between an infection and a valid change
remains problematic.

It is interesting to note that the early antiviral programs, at
least the most widely used ones, relied first upon activity
monitoring and then signature scanning.  Nowadays almost all
antiviral programs implement some version of automated change
detection.  The detection of the first viri, and the ongoing
research into new strains, relies almost entirely on "manual"
methods of change detection.

This method of detection is available to anyone who has a
computer and the most basic tools of the operating system.  It
is, of course, made somewhat easier with the more advanced
"utility" programs available on the market, but the best defence
remains a thorough knowledge of your computer, and what it is
supposed to be doing.

A knowledge of what programs are on the computer, and a list of
file sizes and creation dates is a simple piece of protection
requiring no special programs whatsoever.  This one simple tool,
however, can provide detection of most file infecting viri.  It
will even detect "stealth" viri if the computer is booted from a
clean system disk before the check is made.

DEBUG is provided with every copy of MS-DOS, and can be used to
view, and make a copy of, the boot record of every disk.
(Partition boot records of hard disks are beyond the reach of
DEBUG, but within the reach of F-PBR, from 1.xx versions of
FPROT.)

Memory maps (and hex dumps of boot sectors) are not easy to
read, even for experienced, but non-programming, users.
However, it is not necessary that the user understand all the
entries in a boot sector or memory map.  It is only necessary
that the user have a printout of a run of, say, MEM/C in an
initially clean state, and then be able to spot a difference in
a subsequent run of the program.

In reality, of course, most users will not take the time and
trouble to check for changes in the system.  Most users want a
program which will do it for them, and preferably one which will
do the checking automatically, and alert them to anything wrong.

copyright Robert M. Slade, 1991   FUNGEN6.CVP   911101

================

To those who have been corresponding with me via [email protected], I am not
there any longer.


=============
Vancouver        [email protected]   | "Metabolically
Institute for    [email protected] |  challenged"
Research into    CyberStore               |
User              (Datapac 3020 8530 1030)| politically correct
Security         Canada V7K 2G6           | term for "dead"
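The manual check the column describes (a list of what is on the disk, with sizes and dates, taken in a clean state and compared later) scripted as an added example; this is not code from the column or from any product named in this digest. It records size and date as the column suggests and adds a SHA-256 digest per file, because an infector can leave size and date untouched; the directory tree, file names and contents are constructed, and the baseline is written as JSON to stand in for the column's printout.

```python
"""Change detection: snapshot a directory in a known-clean state, store the
snapshot away from the checked volume, and later report what differs.
Added example; the tree, file names and contents below are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest the file in chunks so a large executable is not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """One entry per regular file: size and date (the column's manual list)
    plus a SHA-256 digest, which size and date alone cannot replace."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[str(p.relative_to(root))] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_of(p),
            }
    return entries


def save_snapshot(snap: dict, dest: Path) -> None:
    """Keep the baseline off the checked volume (the printout, as JSON)."""
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences.  'silent' entries changed content while keeping
    the same size and date: a size/date list alone would not flag them."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, silent = [], []
    for name in sorted(set(baseline) & set(current)):
        b, c = baseline[name], current[name]
        if b["sha256"] == c["sha256"]:
            continue
        if b["size"] == c["size"] and b["mtime"] == c["mtime"]:
            silent.append(name)
        else:
            modified.append(name)
    return {"added": added, "removed": removed,
            "modified": modified, "silent": silent}


def demo() -> dict:
    """Constructed tree: take a baseline, apply three kinds of change, report."""
    root = Path(tempfile.mkdtemp())
    (root / "CMD.COM").write_bytes(b"A" * 512)
    (root / "EDIT.COM").write_bytes(b"B" * 512)
    (root / "TEXT.TXT").write_bytes(b"hello")
    baseline_file = Path(tempfile.mkdtemp()) / "baseline.json"
    save_snapshot(snapshot(root), baseline_file)

    # 1. A file grows: the size column of the manual list is enough here.
    with (root / "CMD.COM").open("ab") as f:
        f.write(b"X" * 64)
    # 2. Same size, same date, different bytes: only the digest notices.
    victim = root / "EDIT.COM"
    st = victim.stat()
    victim.write_bytes(b"C" * 512)
    os.utime(victim, (st.st_atime, st.st_mtime))
    # 3. One file appears, another disappears.
    (root / "NEW.EXE").write_bytes(b"D")
    (root / "TEXT.TXT").unlink()

    return compare(load_snapshot(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

As the column notes, the comparison is only as good as the baseline: take it after booting from a clean system disk, and keep the baseline file somewhere the checked system cannot alter.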

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 210]
******************************************
