VIRUS-L Digest Thursday, 14 Nov 1991 Volume 4 : Issue 218

VIRUS-L Digest Thursday, 14 Nov 1991 Volume 4 : Issue 218

Today's Topics:

Re: Hardware? How about software...?
Re: F-Prot 2.01 (PC)
Re: PC Soft (PC)
Re: Organ music/black monitor-Mac (Mac)
Re: Only Scan Floppies? (general)
SCAN & VSUM questions (PC)
DIR-2 found in USA (PC)
McAfee84 fails on Stone, Azusa and Joshi? (PC)
Re: VShield problem with DOS 5.0 & QEMM? (PC)
Re: VSHIELD w/ MODEMS (PC)
Re: Problem with Stoned virus and SCAN (PC)
Re: Questions about VIRLIST.TXT (PC)
Call for Papers - Fifth Annual Computer Virus & Security Conference

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Mon, 11 Nov 91 18:31:11 +0000
>From: Fridrik Skulason <[email protected]>
Subject: Re: Hardware? How about software...?

In Message 7 Nov 91 04:55:56 GMT, [email protected] (Fred Waller) writes:

> Fascinating. That's exactly how Mark Washburn's SECURE program
> works under MS DOS, only I was led to believe here that SECURE
> wasn't useful.

The usefulness of SECURE is subject to debate. My opinion is however
that the simple fact that is written by Mark Washburn is a pretty good
reason to ignore the program - as well as all other programs written by
known virus authors.

- -frisk

------------------------------

Date: Mon, 11 Nov 91 18:46:14 +0000
>From: Fridrik Skulason <[email protected]>
Subject: Re: F-Prot 2.01 (PC)

Instead of just answeing by private mail, I decided to post the answers,
hoping they will be of general interest.

In Message 7 Nov 91 16:06:37 GMT, MONAT%[email protected] writes:
>
>1. I have a lot of clients who work on their stand-alone computer
> for quite some time and then decide to access a network. They
> load virstop.exe at boot time but then at network time, the load
> gets rejected with an "already installed" message.

This problem is not solvable with the current version of VIRSTOP. There are
some advantages to loading the program from CONFIG.SYS or AUTOEXEC.BAT,
but if that is done the program will be disabled if certain network
products are run afterwards. (Or for that matter any program which takes
over INT 21H, 4BH and does not call the original handler). DesqView,
PC-NFS and Novell-Netware are such programs.

This is not only a problem for VIRSTOP - all other anti-virus programs
that monitor this function and check programs on-the-fly face the same
problem.

In version 1.16 this was solved by running F-NET.EXE after the network
software was loaded. There were som minor compatibility problems, but
I think I have them solved now, and a fix should appear in 2.02 - where
you can re-run VIRSTOP, and it will simply rehook INT 21.

>2. What are we suppose to do with the file virstop.bin? It's exactly
> identical to virstop.exe and both can be loaded at boot time.

It will be dropped in 2.02. It is only identical to VIRSTOP.EXE in the
"English-only" version of F-PROT, but is used as a "skeleton file" in the
multi-lingual versions.

>3. I would like a new f-test.exe so that I can test if virstop.exe
> worksa once installed in memory.

Use old F-TEST.COM from 1.16 - it will be stopped if the package is
installed correctly. I am writing a replacement program, however - it
will (also) appear in 2.02.

>4. What's the command line switch to remove virstop.exe from memory?
> (It's useful if you want to detach yourself from Novell without
> rebooting).

There is no such switch. If I had provided one, I would have opened a
"loophole" that a virus could exploit to throw remove or disable the
program.

- -frisk

------------------------------

Date: Mon, 11 Nov 91 19:05:28 +0000
>From: Fridrik Skulason <[email protected]>
Subject: Re: PC Soft (PC)

In Message 7 Nov 91 16:34:15 GMT, [email protected] (Chris Jones) writes:

>As a matter of fact, the emulation is good enough that viruses *are* able to
>infect and transmit.

Yes, but not all PC-viruses - only the "well behaved" ones. In practice
this means the same viruses as those which work withour problems in the
oldest versions of the DOS-compatibility box under OS/2.

Viruses which use undocumented functions, jump directly into DOS or use
other nasty tricks will usually not work.

- -frisk

------------------------------

Date: 11 Nov 91 06:19:37 +0000
>From: [email protected] (Scott Hinckley)
Subject: Re: Organ music/black monitor-Mac (Mac)

[email protected] (Fran Holtsberry) writes:
>We have two systems playing organ music and no monitor response. Any
>ideas about whether this is a virus or a prank? My first reaction is
>that it is a Halloween prank. But it still is debilitating two Macs.

Let me guess... You turn on the Mac, here 3 tones, and nothing else
happens?

If so, it is the dead mac dirge that those 'organs' are playing.

Take the machine to service.

Read your manual, it talks about the startup diagnostic tones.

- --
VoiceNet:Scott Hinckley | ATTnet:+1 205 461 2073 | I heart my VW
Internet:[email protected] | UUCP:...!uw-beaver!bcsaic!hsvaic!scott
US snail:110 Pine Ridge Rd / Apt# 608/ Huntsville / AL / 35801
DISCLAIMER: All contained herein are my opinions

------------------------------

Date: Mon, 11 Nov 91 19:53:07 +0000
>From: Fridrik Skulason <[email protected]>
Subject: Re: Only Scan Floppies? (general)

In Message 7 Nov 91 20:27:42 GMT,
[email protected] (Jesse Chisholm AAC-RjesseD) writes:

>It is a question of perception rather than actual effeciency. I 1 or 2
>minute check at power up time means there is time for a cup of coffee
>before throwing the brain in gear. A perceived delay every time the
>user runs a program is sand in the gearbox.

Well, the delay should barely be perceivable - I did a small test, and
a virus scan is possible in just below 1 second when a program is run from
a floppy and around 0.1 second when I run a program from the hard disk. As
a 0.1 second increase in loading time is not noticable, I see no reason
why the programs should not always be checked when run - assuming
the scanner is fast enough..... :-)

- -frisk

------------------------------

Date: Mon, 11 Nov 91 15:09:00 -0500
>From: [email protected]
Subject: SCAN & VSUM questions (PC)

Greetings all,

Could someone explain why SCAN goes over all .sys and all .prg files when
scanning a drive??? Also where can I find the latest VSUM?

Thanks,

Joseph...

------------------------------

Date: 11 Nov 91 23:57:15 +0000
>From: [email protected] (Michael Martin)
Subject: DIR-2 found in USA (PC)

At Rutgers University in New Jersey, we have experienced an outbreak of
the DIR-2 virus, identified by Macafee Version 7.9V84 as D2. I have not
had the opportunity to try everything I could think of, so here's a
summary.

In a lab of 20 386SX running DOS 3.30, 4 machines were found to be
infected. These machines showed more than 40 infected files, so I
elected to low level format and reload. That worked fine.

Applying a small amount of finesse, I attempted to clean an infected
diskette, and found that if I executed scan from the same drive as the
infected diskette "clean a: [D2] /many", that clean reported that it was
unable to clean, that this virus might be a variant, and that I should
contact Macafee associates.

Having talked through the process with John Macafee, I find that if I copy
clean to an uninfected C: drive, and "clean A:", that clean successfully
removes the infection.

John pointed out that after I booted from a known clean diskette, there
was no reason not to copy clean to the hard disk and execute it from
there. This works for floppy disks, I haven't tried it for a hard disk.

mike martin

------------------------------

Date: Tue, 12 Nov 91 02:03:05 -0800
>From: Tanu Kartawiria <[email protected]>
Subject: McAfee84 fails on Stone, Azusa and Joshi? (PC)

We are in the process of evaluating McAfee program, specifically the
VSHIELD84. We have vshield installed on all machines's autoexec.bat
with parameters '/m /chkhi /lock', however our computers are still
infected by those 3 viruses. The Clean program was able to remove
Stone and Azusa, but it failed to remove Joshi even though it reported
that it was successful in removing Joshi.

Isn't Vshield supposed to block those viruses from getting to our
computer in the first place? Are we missing something? Or are we
doing something wrong? I'd appreciate your comments and expertise.
Or should I use different program?

Thank you,

[email protected]
Library Computer Lab, Cal State Univ. Long Beach.

------------------------------

Date: Tue, 12 Nov 91 05:19:18 +0000
>From: [email protected] (McAfee Associates)
Subject: Re: VShield problem with DOS 5.0 & QEMM? (PC)

[email protected] (Robert Yung) writes:
>Huh?????
> I have MS-DOS 5 and QEMM 6.0 and VSHIELD/LH works fine for me. Are
>you sure QEMM does not work with VSHIELD? I don't want to have set off
>a time bomb...

If you have a large enough contiguous block of upper memory, VSHIELD
will load itself high with both QEMM and the /LH parameter being used.
However, most people using QEMM don't. This is something that our
programmers are looking into

> BTW, when I use the /LH parameter, VSHIELD left a 0.4K stub in
>conventional memory. Is that normal? Can I not have it???

416 bytes, actually :-) This is a normal function of VSHIELD.

> How about making VSHIELD device loadable so it gets to memory
>first.

You could run it as the first command in your AUTOEXEC.BAT.

> How about packaging a dummy virus w/ the VIRUSCAN products to
>test if everything is working. I'm not all that confident about VSHIELD
>since I can never tell if it's working or not. The PC-MAG virus
>seems nice... it fooled SCAN v70 (I think).

You can check VSHIELD by running it with the /CV option to check
validation codes and then modifying a validation coded file with a
sector editor and trying to run it. If VSHIELD says that the file nas
been modified and an infection may have occurred, well, then, you know
that it's working.

> THANKS!

You're welcome.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
- - - -
McAfee Associates | Voice (408) 988-3832 | [email protected] (business)
4423 Cheeney Street | FAX (408) 970-9727 | [email protected](personal)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Tue, 12 Nov 91 05:29:14 +0000
>From: [email protected] (McAfee Associates)
Subject: Re: VSHIELD w/ MODEMS (PC)

[email protected] (Robert Yung) writes:
>Is it possible to get a virus by just connecting to a BBS?

Not unless there was some special operation between the host computer
and your terminal to automatically download and execute program code.

> How about when I download?

You could download a file infected with a virus, but you would still
have to execute it. You could, of course, always run the VIRUSCAN
program against anything you download before executing it to confirm
that it is free of viruses (at least those that the SCAN program
recognizes, of course).

> Can Vshield check stuff as it downloads as with the /V
(This should be /COPY (?))
>parameter (check copying for virus)? THANKS.

Most files that are transmitted these days are in comrpessed form
(e.g. ARC, ZIP, ZOO, LZH, etcetera). A file would have to be
decompressed before it was scanned for a virus. This would be more a
function of the VIRUSCAN program then VSHIELD.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
- - - -
McAfee Associates | Voice (408) 988-3832 | [email protected] (business)
4423 Cheeney Street | FAX (408) 970-9727 | [email protected](personal)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Tue, 12 Nov 91 05:05:27 +0000
>From: [email protected] (McAfee Associates)
Subject: Re: Problem with Stoned virus and SCAN (PC)

[email protected] (Cezar Cichocki) writes:
>Small (?|||) problems with STONED virus. SCAN detect it, I used CLEAN
>program, it raport me that CLEANED and... STONED was on disk again ||
>I killed him with NoStoned programm (Polish cure for this virus).

Hello Cezar,

What exactly happened is unclear, but it sounds like you ran CLEAN-UP
on a PC with the virus in memory, and after CLEAN-UP removed the virus
from the disk it transfered back to the disk from memory.. The
VIRUSCAN and CLEAN-UP programs will not check memory for the Stoned
virus unless you tell them to with the /M option which tells them to
check memory for prank/non-dangerous viruses.

Regards,

Aryeh Goretsky
McAfee Associates Technical Support
- --
- - - -
McAfee Associates | Voice (408) 988-3832 | [email protected] (business)
4423 Cheeney Street | FAX (408) 970-9727 | [email protected](personal)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Tue, 12 Nov 91 04:58:10 +0000
>From: [email protected] (McAfee Associates)
Subject: Re: Questions about VIRLIST.TXT (PC)

[email protected] (Vesselin Bontchev) writes:
>[email protected] (McAfee Associates) writes:
[some stuff deleted...]
>> The Horse, Invader, and V101 viruses are what's known as multipartite
>> ("multiple part") viruses. What that means is that they infect both
>> files and the boot area of disks when they are accessed once the virus
>> has become installed in memory.
>
>Sorry, but the Horse Boot virus is -NOT- a multi-partite virus!

Oops! You're right. Apparently there is a file named HORSBOOT.COM in
the library. A quick and dirty examination of it with Vern Berg's
LIST program reveals it to be boot code. Apparently someone saved off
the sector or compiled it...

Regards,

Aryeh Goretsky
McAfee Associates Technical Support

- --
- - - -
McAfee Associates | Voice (408) 988-3832 | [email protected] (business)
4423 Cheeney Street | FAX (408) 970-9727 | [email protected](personal)
Santa Clara, California | BBS (408) 988-4004 |
95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM

------------------------------

Date: Mon, 11 Nov 91 13:48:00 -0500
>From: Jack Holleran <[email protected]>
Subject: Call for Papers - Fifth Annual Computer Virus & Security Conference

Call for Papers

Fifth Annual Computer VIRUS & SECURITY Conference

Dates: March 11-13, 1992

Place: Marriott Marquis and Summit Hotel, New York City

TOPICS of Interest:
* Prevention, Detection, and Recovery from Viruses and other
Unauthorized Usage
* Case studies of mainframe, PC and/or network security
* Access control, accountability, audit, data recovery
* Surveys or demonstrations of products & techniques
* Particulars of LAN, UNIX, cryptology, military use
* Computer crime, law, data liability, related contexts
* US/International sharing of Research & Techniques

PAPER Submission requirements:
A submission may take the format of *EITHER* a long abstract (3-5
double spaced pages) *OR* a draft final paper. Final papers will
usually be 6-20 pages in length. Four copies of the submission should
be sent via regular Government Postal Service to the follow address:
Program Chairman
Computer VIRUS & SECURITY Conference
NYU, DPMA Fin. Ind. Ch.
609 West 114th Street
New York, New York 10025

The submission should be received by December 16, 1991.

Please include a small photo and introductory biography not exceeding
50 words. Successful submitters or co-authors are expected to present
in person. Presenters receive the Proceedings.

PAPER FORMAT:
Typed double spaced, with last name/page# below bottom line (may be
handwritten), brief (to 200 words) abstract following four centered
heading lines: TITLE (Caps); Name; Position Affiliation; Telephone,
City/State/Zip/Country, Electronic mail address (optional).

NOTIFICATION:
Written (and where practicable) telephoned conformation will be
initiated by Monday, January 27, 1992, to facilitate low cost travel.
Those needing earlier confirmation should submit papers sooner and
attach a note to this effect. You may be asked to perform specific
revisions to be accepted. Nobody can guarantee you a place without an
acceptable paper.

CONFERENCE: There are five tracks. Don't hesitate to submit a
presentation given elsewhere to a more specialized audience. Most of
our attendees will find it new, interesting, and necessary.

SPONSOR: DPMA Financial Industries Chapter
in cooperation with
ACM-SICSAC & IEEE-CS & ICCP

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 218]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253