Return-Path: <wack>
Received: by csrc.ncsl.nist.gov (4.1/NIST)
       id AA16764; Thu, 23 Jul 92 08:16:05 EDT
Date: Thu, 23 Jul 92 08:16:05 EDT
From: John P. Wack <wack>
Posted-Date: Thu, 23 Jul 92 08:16:05 EDT
Received-Date: Thu, 23 Jul 92 08:16:05 EDT
Message-Id: <[email protected]>
To: csrc-virusl
Status: R
VIRUS-L Digest   Thursday, 16 Jul 1992    Volume 5 : Issue 130

Today's Topics:

Various Qs (VirusCure, F-PROT, DIR II, UNIX) (PC) (UNIX)
Request - PS10 virus info (PC)
Re: 696/Scr2/Enemy (PC)
Re: Methods for virus defense (PC)
Re: Rapid rise of the FORM virus; why? (PC)
Re: F-PROT 2.04b (PC)
Re: Warning: dangerous bug in SCAN 93 (PC)
spanish telecom (PC)
McAfee Products (PC)
Re: Disinfectant 2.9 vs ChinaTalk (Mac)
Re: GateKeeper (Mac)
Re: GateKeeper (Mac)
Resolution of 'what to do about virus distributors
Book Review
Quick antiviral comparison

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name.  Send contributions to [email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 13 Jul 92 14:16:08 -0400
From:    Fabio Esquivel Chacon <[email protected]>
Subject: Various Qs (VirusCure, F-PROT, DIR II, UNIX) (PC) (UNIX)

Hi, everybody.  This is the first message I send to you.

Just some questions:

 -  Has anyone on the net ever heard of the IMSI antivirus product
    VirusCURE PLUS 2.37 (March 4th, 1992)?  Its documentation
    says that it is developed in association with McAfee, but
    VirusCURE detects fewer strains than ViruSCAN.  VirusCURE
    detects the DIR-II -"Creeping Death"- virus, which is widely
    spread here in Costa Rica, but is yet unable to disinfect it.
    Fortunately, since the Clean89 release, it is getting under
    control.

 -  I've tried Fridrik's F-PROT 2.02D & 2.03A but it cannot scan
    the infected files ("Error reading <filename>"), so the virus
    is not detected.  Using Norton's DiskEdit I made a copy of the
    virus code into a new file called DIR2.COM in the same floppy
    disk and ran F-PROT again.  I got the same result with the
    infected files, but F-PROT identified the virus in the new
    file; however "Virus could not be removed".  OK, but F-PROT
    did not try to do so:  there was no more disk access after I
    answered 'Y' when asked "Disinfect (Y/N) ?".  Is it fixed in
    newer versions?

    I've studied DIR-II code with some detail.  Amazing.  Do you
    know that DIR-II cannot activate in MS-DOS 5.0?  I've heard
    that DOS 5.0 was totally rewritten from scratch in order to
    eliminate many bugs and make it more efficient.  When an
    infected file is run, DIR-II reuses some code in low memory
    (DOS kernel, I think), but returns to the prompt if DOS is
    loaded low (by means of Int 20h), or crashes the computer when
    DOS is loaded high.

    However, I think that the disinfection procedure is relatively
    simple, in comparison with those viruses that attach to the
    executable files, once the file first-cluster number decoding
    formula is known.

 -  I need information about Unix viruses and antivirus products.
    Could anyone give me information about them, or tell me where
    I can find it?

 -  Finally, has anyone heard of Windows-specific viruses?

Thanks a lot,
Fabio Esquivel - [email protected]
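The post above says that DIR-II disinfection comes down to recovering each file's first-cluster number. DIR-II is a link virus: instead of appending itself to executables, it rewrites the first-cluster field of their directory entries so that every .COM and .EXE appears to start at the single cluster holding the virus body, which is why a scanner that opens files normally sees the same bytes (or a read error) for all of them. The following is an added example, not code from the poster or from any product named in the digest: a small parser for 32-byte FAT directory entries and a defensive check that flags executables whose entries share one starting cluster, which on a healthy FAT volume should never happen. The directory contents, names, cluster numbers and sizes are constructed sample data, and the decoding of the saved original cluster number (which the post does not give) is deliberately not attempted.

```python
import struct
from collections import defaultdict

ENTRY_SIZE = 32          # one FAT directory entry
ATTR_DIRECTORY = 0x10    # attribute bit marking a subdirectory entry


def make_entry(name: str, ext: str, first_cluster: int, size: int, attr: int = 0x20) -> bytes:
    """Build one 32-byte FAT directory entry (constructed sample data, not a real volume)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")  # offsets 0-10: name and extension
    raw += bytes([attr])                                                 # offset 11: attributes
    raw += bytes(14)                                                     # offsets 12-25: reserved, times, dates (zeroed here)
    raw += struct.pack("<HI", first_cluster, size)                       # offsets 26-27: first cluster, 28-31: size
    return raw


def parse_directory(blob: bytes) -> list:
    """Parse a raw FAT12/16 directory into a list of dicts; stops at the end-of-directory marker."""
    entries = []
    for off in range(0, len(blob), ENTRY_SIZE):
        e = blob[off:off + ENTRY_SIZE]
        if len(e) < ENTRY_SIZE or e[0] == 0x00:   # 0x00 in the first byte marks the end of used entries
            break
        if e[0] == 0xE5:                          # 0xE5 marks a deleted entry
            continue
        name = e[0:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        first_cluster, size = struct.unpack_from("<HI", e, 26)
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "ext": ext.upper(),
            "attr": e[11],
            "first_cluster": first_cluster,
            "size": size,
        })
    return entries


def find_shared_start_clusters(entries, exts=("COM", "EXE")) -> dict:
    """Return {cluster: [names]} for executables whose directory entries point at the same
    first cluster.  FAT has no hard links, so two files sharing a start cluster is a
    cross-link, and many executables sharing one is the classic link-virus symptom."""
    by_cluster = defaultdict(list)
    for ent in entries:
        if ent["attr"] & ATTR_DIRECTORY or ent["ext"] not in exts:
            continue
        by_cluster[ent["first_cluster"]].append(ent["name"])
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


# Constructed sample directories.  CLEAN_DIR is what a healthy root directory looks like;
# LINKED_DIR has every .COM entry redirected to cluster 500 while the .TXT file is untouched.
CLEAN_DIR = b"".join([
    make_entry("COMMAND", "COM", 2, 47845),
    make_entry("EDIT", "COM", 40, 413),
    make_entry("README", "TXT", 60, 1200),
]) + bytes(ENTRY_SIZE)

LINKED_DIR = b"".join([
    make_entry("COMMAND", "COM", 500, 47845),
    make_entry("EDIT", "COM", 500, 413),
    make_entry("FORMAT", "COM", 500, 22717),
    make_entry("README", "TXT", 60, 1200),
]) + bytes(ENTRY_SIZE)


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DIR), ("linked", LINKED_DIR)):
        shared = find_shared_start_clusters(parse_directory(blob))
        print(label, "->", shared or "no shared start clusters")
```

The check deliberately reads the directory sectors rather than opening files through DOS, because a resident link virus can hand back the original clusters to any program that goes through the normal file calls; the same reasoning is why the poster had to copy the virus body out with a disk editor before F-PROT would identify it.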

------------------------------

Date:    11 Jul 92 21:29:02 +0000
From:    [email protected] (Steve Kirkland)
Subject: Request - PS10 virus info (PC)

I am using an IBM compatible with DOS 5; the system is protected with vshield93.
When I tried to run xtgold I received a message that xtgold.com
was infected with the PS10 virus.  I then scanned the disk with vscan93, which
reported no infection.  McAfee's virus list does not say anything about
PS10, yet vshield picked something up.
If anybody has any information on this, could you please drop a line?
Regards, Steve Kirkland

--- Maximus 2.01wb
* Origin: The Big Apple , Sydney Australia (3:712/533)

------------------------------

Date:    Wed, 15 Jul 92 02:27:02 +0000
From:    [email protected] (Mike J. Brown)
Subject: Re: 696/Scr2/Enemy (PC)

>  [tale of woe, wrapped up by this, deleted ]

uh-oh... I feel a flame coming on...

[Moderator's note: Please take any flames to another mailing
list/newsgroup.]

>So, Mike, you're saying you had a disc full of pirated software, and a
>virus burned you? Didn't even back it up after you bought it, or clean
>it off?

Yes.  No.  No.  Seriously intended to do both, but "twas too much trouble"
or so I thought.  I did wipe out everything I knew I wouldn't use, but
left intact Norton, WordPerfect, Procomm Plus, and a couple others I thought
I ought to keep because I might use them someday (Microsoft C...).

>It's quite possible that something on the system was infected when you
>bought it.

Quite.  Probably will never know.

>Did you scan it immediately upon purchase?

Yes.  F-Prot (Feb. 1992 version) said no problems.

>Did you ask the seller for the manuals and originals for all that neat
>stuff on it?

Yes.  The thing is, he got most of his stuff from work.

>Did you happen to run any of that stuff for the first time right before
>the problems showed up? No telling what was on there....at least, not
>any more.

The only things that I ran for the first time right before the
problems were two freebies: one was a graphics demo I got from garbo,
the other was the Screaming MeMe Hypertext magazine I got from a
friend, who got that from a bbs in his area.  The demo checked out
okay, but the Hypertext viewer HYPE.EXE *was* infected... it could
have just been passing the infection back to me...I had given him a
bunch of text files and LIST.COM a long time ago.  He didn't get
around to using it until the day he gave me MeMe.  He ran and then
Zipped MeMe *after* running LIST so I could have passed the virus to
him via LIST first, or perhaps he had the virus beforehand and I got
it from him.  Both of our systems had problems at the same time.
--
Mike Brown
[email protected]
"The Universe is a spheroid region 705 meters in diameter."

------------------------------

Date:    15 Jul 92 08:40:07 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Methods for virus defense (PC)

[email protected] (007) writes:

>  + A TSR virus scanner that starts up whenever the computer is turned on.
>    I recommend Frisk's F-Prot, a free* program available via ftp.

Thanks for the recommendation, but I would like to point out that F-PROT is
not exactly free.  The English-language shareware version is free of charge
for PRIVATE USE ONLY.  I ask a very modest fee in other cases, but there is a
significant difference between a low fee and no fee at all.

Then of course there are several translated, commercial versions available
in several European countries, which are just distributed as regular
"shrinkwrap" software.

-frisk

------------------------------

Date:    15 Jul 92 08:44:49 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Rapid rise of the FORM virus; why? (PC)

[email protected] (David M. Chess) writes:

>seems to have taken off in the last six months or so.  Does anyone
>know of a massive shipment of FORM-infected diskettes or anything
>similar that could help account for it?

I have no proof, so I cannot name the company yet, but I suspect that
pre-formatted 3.5" 1.44MB disks from a *major* diskette producer are
to blame.

This cannot be proven until a sealed box with infected diskettes is
located, however.

-frisk

------------------------------

Date:    15 Jul 92 08:47:22 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: F-PROT 2.04b (PC)

[email protected] (Grant Getz) writes:

>I've been watching on OAK.OAKLAND.EDU, one of the usual sites for
>F-PROT I believe, and have not seen this version yet.  Is it available
>at any other sites?

No, I delayed the release of 2.04B, because of an enormous flood of
new viruses - I plan to cover around more (in addition to the 50 or
so, that I have already added).  I sent out one single copy of 2.04b
to a person who needed it to disinfect a virus that 2.04a could only
detect, but not remove, but 2.04b has not been officially released
yet.

-frisk

------------------------------

Date:    15 Jul 92 08:52:16 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Warning: dangerous bug in SCAN 93 (PC)

[email protected] (Vesselin Bontchev) writes:

>2) With the Whale virus SCAN misses mutant #33.

Well, I'm not surprised - I miss it too. :-)

Actually, I am not convinced this is a legitimate mutant of Whale -
this is just a single sample floating around under the name of
WHALE#33.COM, but structurally it is different from all the others.

However, the reason I have not added detection of it is simple - I
just cannot get it to work, and I have a suspicion this may simply be
a damaged file.

-frisk

------------------------------

Date:    Wed, 15 Jul 92 12:47:31 +0000
From:    [email protected] (Peter Beaman)
Subject: spanish telecom (PC)

I would like to know what exactly the Spanish Telecom virus does.  I
have found an infested laptop computer (Toshiba) with it on.  As I
work in a large University Department I would especially like to hear
from other people who may have experienced this virus.  Does the
Dr. Solomon Toolkit deal adequately with this particular virus?  I
have just sent off for the latest version.  Any general advice to try
and track this virus down too?  I have at least 2 infested floppies
which are hit too.

Yours anticipatorily

Peter Beaman

------------------------------

Date:    Thu, 16 Jul 92 08:28:27 -0400
From:    [email protected] (A. Padgett Peterson)
Subject: McAfee Products (PC)

       Lately I have been seeing a number of questions involving
McAfee Associates' use of the [GEN-P] and [GEN-B] identifiers with
regard to low-level viruses. Earlier we were greeted by such cryptic
identifiers as NO-INT [STONED]. The reason is that the identifier in
brackets merely indicates to CLEAN what method it is to use to remove
the virus. If an MBR virus stores the original MBR in sector 7, the
STONED removal method is apt.

       Lately, there has been a more disturbing trend to leave off
the explicit identification and identify whole families of viruses
simply as [GEN-P] (GENeric-Partition). Since IMHO it is important for
those cleaning up after infections to know what it is they are dealing
with once an infection has been identified, I sincerely hope that this
trend will not continue.

                                       Warmly,
                                               Padgett
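Padgett's point is that the bracketed identifier encodes the removal method, and that the STONED method means "the original MBR was saved in sector 7". The following is an added example, not code from the poster or from McAfee's CLEAN, showing why that specific knowledge matters: a defensive check over a raw disk image that decides whether sector 7 plausibly holds a saved MBR before anything is written back, and refuses to overwrite sector 0 when it does not. A generic [GEN-P] label gives a clean-up tool nothing to go on here, because it does not say which sector, if any, holds the original. The disk image, boot code and partition table are constructed sample data; the requirement that the saved copy carry the same partition table as the sector now in place is a sanity heuristic I am assuming, not a rule stated in the post.

```python
SECTOR = 512
BOOT_SIG = b"\x55\xAA"   # last two bytes of a valid MBR / boot sector
PT_OFF = 446             # the 64-byte partition table lives at offsets 446..509


def read_sector(image: bytes, n: int) -> bytes:
    """Return sector n of a raw image (may be short if the image is truncated)."""
    return image[n * SECTOR:(n + 1) * SECTOR]


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[-2:] == BOOT_SIG


def check_stoned_style(image: bytes, backup_sector: int = 7) -> dict:
    """Decide whether backup_sector looks like a saved copy of the real MBR.
    Assumed heuristic: a genuine saved MBR has a boot signature, differs from
    sector 0 (otherwise there is nothing to restore) and carries the same
    partition table as the sector currently in place."""
    mbr = read_sector(image, 0)
    backup = read_sector(image, backup_sector)
    report = {
        "mbr_signature_ok": has_boot_signature(mbr),
        "backup_signature_ok": has_boot_signature(backup),
        "backup_differs": mbr != backup,
        "partition_table_preserved": (
            len(backup) == SECTOR and mbr[PT_OFF:PT_OFF + 64] == backup[PT_OFF:PT_OFF + 64]
        ),
    }
    report["candidate"] = (
        report["backup_signature_ok"]
        and report["backup_differs"]
        and report["partition_table_preserved"]
    )
    return report


def restore_mbr_from_backup(image: bytes, backup_sector: int = 7) -> bytes:
    """Return a new image with sector 0 replaced by the saved copy, or raise
    ValueError when the checks fail; never blindly copies sector 7 over sector 0."""
    report = check_stoned_style(image, backup_sector)
    if not report["candidate"]:
        raise ValueError(
            f"sector {backup_sector} does not hold a plausible saved MBR; refusing to overwrite sector 0"
        )
    return read_sector(image, backup_sector) + image[SECTOR:]


def build_mbr(code: bytes, partition_table: bytes) -> bytes:
    """Assemble a 512-byte MBR from a code area, a 64-byte partition table and the signature."""
    assert len(partition_table) == 64
    return code.ljust(PT_OFF, b"\x90")[:PT_OFF] + partition_table + BOOT_SIG


def make_image(sectors: dict, count: int = 16) -> bytes:
    """Constructed raw disk image: all-zero sectors except those supplied."""
    image = bytearray(SECTOR * count)
    for n, data in sectors.items():
        image[n * SECTOR:(n + 1) * SECTOR] = data
    return bytes(image)


# Constructed sample: one bootable primary partition entry followed by three empty entries.
PARTITION_TABLE = (
    bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0x3F, 0xFF, 0x9F])
    + (63).to_bytes(4, "little") + (204800).to_bytes(4, "little")
    + bytes(48)
)
ORIGINAL_MBR = build_mbr(b"CONSTRUCTED-ORIGINAL-BOOT-CODE", PARTITION_TABLE)
MODIFIED_MBR = build_mbr(b"CONSTRUCTED-STAND-IN-FOR-A-MODIFIED-MBR", PARTITION_TABLE)

CLEAN_IMAGE = make_image({0: ORIGINAL_MBR})                       # sector 7 is empty
STONED_STYLE_IMAGE = make_image({0: MODIFIED_MBR, 7: ORIGINAL_MBR})  # saved copy in sector 7


if __name__ == "__main__":
    print("clean image:", check_stoned_style(CLEAN_IMAGE))
    print("stoned-style image:", check_stoned_style(STONED_STYLE_IMAGE))
    fixed = restore_mbr_from_backup(STONED_STYLE_IMAGE)
    print("restored sector 0 matches saved copy:", fixed[:SECTOR] == ORIGINAL_MBR)
```

Run against the clean image the check reports no candidate and the restore function refuses, which is the behaviour a clean-up tool should have whenever the identifier it was given does not actually tell it where the original sector was saved.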

------------------------------

Date:    Tue, 14 Jul 92 19:02:18 +0000
From:    [email protected] (John Norstad)
Subject: Re: Disinfectant 2.9 vs ChinaTalk (Mac)

[email protected] (Andreas Holmberg) wrote:
>       Does anybody know if Disinfectant 2.9 detects the ChinaTalk
>       virus or can we expect yet another Disinfectant update in the
>       near future (when?) ?

ChinaTalk is a Trojan Horse, not a virus.

Disinfectant does not attempt to deal with Trojan Horses, only viruses.

There will be no new Disinfectant release to deal with ChinaTalk.

John Norstad
Academic Computing and Network Services
Northwestern University
[email protected]

------------------------------

Date:    Wed, 15 Jul 92 06:26:22 -0400
From:    [email protected]
Subject: Re: GateKeeper (Mac)

A colleague who uses Gatekeeper 1.2 recently upgraded to System 7.
GateKeeper started reporting that Finder needed Res (Self) privileges.
Is this right?  If so, why are these privileges not the default?

-Norman Paterson

------------------------------

Date:    Wed, 15 Jul 92 11:16:17 -0400
From:    Ephraim Vishniac <[email protected]>
Subject: Re: GateKeeper (Mac)

  A colleague who uses Gatekeeper 1.2 recently upgraded to System 7.
  GateKeeper started reporting that Finder needed Res (Self) privileges.
  Is this right?  If so, why are these privileges not the default?

  --Norman Paterson

The current version of Gatekeeper is 1.2.6, released 9 July 1992.
Version 1.2.2 (released 26 January 1992) introduced some changes for
compatibility with System 7 Tune-Up.

To get the most benefit from the use of anti-viral software, it's
extremely important to use the latest versions. Gatekeeper 1.2.6 is
available by anonymous ftp from all the usual places, including rascal
and sumex-aim.

Ephraim Vishniac    [email protected]   [email protected]
Thinking Machines Corporation / 245 First Street / Cambridge, MA 02142
       One of the flaws in the anarchic bopper society was
       the ease with which such crazed rumors could spread.

------------------------------

Date:    Tue, 14 Jul 92 10:25:54 -0400
From:    [email protected]
Subject: Resolution of 'what to do about virus distributors'

About a month ago I posted a message asking for input on how to deal
with a BBS system that was distributing viruses.

Legal recourse was essentially a dead end.  The problem was resolved
by applying peer pressure :-) Running a BBS system is, for many, an
ego oriented experience and this is one of those cases.  Finding that
several of the places he frequented no longer consider him a
worthwhile human being apparently caused him to rethink things.  (Or
at least make his indiscretions private and unadvertised...)

Cheers,
Jan ([email protected] / [email protected])

------------------------------

Date:    Tue, 14 Jul 92 09:43:34 -0400
From:    Ian Leitch <[email protected]>
Subject: Book Review

Publications about viruses and other computer crime often seem either
to be technical material designed to assist professionals or to be
popular "hype" which misleads the general public. I was pleasantly
surprised recently to read a new book written in simple, non-technical
language to give the layman a comprehensive view of data crime.

It is called "Approaching Zero" (the subtitle of "Data Crime and the
Computer Underworld" is more meaningful) by Bryan Clough & Paul Mungo,
Faber & Faber, ISBN: 0-571-16546-X, cover price of 14.99 pounds
sterling.

This readable book presents detailed accounts of actual incidents of
phreaking, hacking, virus writing, and other keyboard crime. Although
the main purpose is to describe the actions and motivations of the
perpetrators, these are interwoven with the reactions of the victims,
the police and legal authorities, and the "good guys" (such as some of
the virus experts who contribute regularly to this list).

Although written like a popular novel, it conveys many factual
details. In illuminating the largely unknown world of the computer
underground, it dispels many of the widespread myths about it. The
authors show a healthy scepticism for many of the claims that are
commonly heard; they see their mission as describing (rather than
proposing remedies). However, they issue an extreme warning about the
direction events are taking: the expanding volume of computer crime,
particularly the growth and diversity of computer viruses, will cause
huge numbers of computers to "Zero out"; after all, the technology and
means to wipe out computer systems already exist.

The table of contents is:

   Phreaking for Fun
   Breaking and Entering
   Data Crime
   Viruses, Worms, Trojans, Bombs
   The Bulgarian Threat
   Hacking for Profit
   The Illuminati Conspiracy
   Crackdown

Finally, for those who like to read such books in their native tongue,
the publisher's blurb says that editions are being prepared in Spanish
and American English.

--------------------------------------------------------------
Ian Leitch                  E-mail (JANET): [email protected]
London School of Hygiene and Tropical Medicine
Keppel St                               Tel: (+44) 71 927 2260
London WC1E 7HT                         Fax: (+44) 71 436 5389
--------------------------------------------------------------

------------------------------

Date:    Thu, 16 Jul 92 09:53:35 -0700
From:    [email protected] (Robert Slade)
Subject: Quick antiviral comparison

QUICKREF.RVW   920714
             Antiviral software and utilities "quick" reference

Product            Ver   Type   UI Doc Ease Ovrl Price Comments
                       SDRIMOE  CG 1-4  I U  1-4
                 |    |       |   |   |    |    |     |
Amiga

Computer Virus Cat.9201  info        4         4  Free
CARO, cert

VirusChecker       5.40
ab20.larc.nasa.gov

VirusX
s.tibbett on BIX

ZeroVirus


Atari

Computer Virus Cat.9201  info        4         4  Free
CARO, cert

VKILLER            3.84
[email protected]


Mac

Advanced Security (see MS-DOS)

Computer Virus Cat.9201  info        4         4  Free
CARO, cert

Disinfectant       2.8  SDR
nwu

Gatekeeper       1.2.6
Chris Johnson

Rival
Microseeds Publishing

SAM                3.0.8SD  M                     $99
Symantec/Norton

Virex (see MS-DOS, product not by same author)

VirusDetective
Jeff Shulman


MS-DOS

Advanced Security          I OE  C   2   2 3   1
Advanced Gravis

Antivirus (IRIS)        SDR M    C   2   2 4   2   $49
Fink Enterprises

Antivirus-Plus          SDR M    C   2   2 4   2   $99
Trend Micro

Anti-Virus Toolkit      SDRIMO   CG  3   2 3   4
S&S International Ltd., [email protected], perComp Verlag, Ontrack

Central Point Anti-virusSDRI O    G  3   2 2   2        not coexist with others
Central Point

Certus LAN         2.0  SD I O   CG  2   1 3   2
Certus

Computer Virus Cat.9201  info        4         4  Free
CARO, cert

Control Room               I      G  2   4 4   2
Borland

DISKSECURE        1.15A    IM    C   2   3 3   4        BSIs only
cf FixMBR, FixUTIL risc, urvax, eugene

Eliminator         1.17 SDR      C   3   2 3   2
British Computer Virus Research Centre

F-PROT            2.04B SDR      CG  3   3 3   4 home - free, bus. - $1/CPU
[email protected], risc, urvax, eugene, garbo

Hoffman Summary   206     info    G  3         3  $35
risc, urvax, eugene

HTScan             1.7  S        C   2   3 3   3  Free (non-comm.)
(also VSIG         9204)
risc, urvax, eugene, garbo

IBM Anti-Virus Prod2.19 S        C   3   3 3   3  $35/company
local IBM rep

Integrity Master   1.13 S  I
risc, urvax, eugene

Mace Vaccine       3.0      M     G  1   3 2   1
Fifth Generation

Norton AntiVirus        SDRI      G  2   3 2   3  $130
Symantec/Norton

PC-Cillin         2.95L SDRIM     G  3   3 3   2  $139
Trend Micro

SafeWord Virus-Safe1.12    I     C   2   3 4   3
Enigma Logic

Thunderbyte Scan   3.3  S        C   2   2 3   2  Free (non-comm.)
(also VSIG         9204)
risc, urvax, eugene, garbo

VACCINE (WWS)      4.30 SD IMO   C   2   1 2   2
Worldwide Software

Victor Charlie     5.0     IM    C   3   2 3   3  $99
Delta Base Enterprises

Virex-PC           2.2  SDRIM     G  4   2 4   4   $99
Microcom

ViruCide                SD        G  3   4 3   3   $49
Parsons Technology

Virus0Buster       3.75 SDRIMO   CG  3   3 3   4
Leprechaun Software ([email protected])

VIRUSCAN Suite     93   SDRIM    C   2   2 3   3  ~$25/module
risc, urvax, SIMTEL, garbo

VirusSafe LAN      4.01 SDRI O   CG  2   2 3   2
EliaShim Micro

VIRx               2.3  S        C   2   3 4   4  Free (non-comm.)
risc, urvax, eugene, SIMTEL, Microcom

Vi-Spy             9.0  SDR M    CG  2   2 3   3  $150
RG Software Systems

                 |    |       |   |   |    |    |     |

Key:

Type - S=scanner, D=disinfection (restoration of state), R=resident,
         I=integrity checking, M=activity monitor, O=operation restricting,
         E=encryption

UI - user interface - C=command line, G=menu or GUI

The following are based on a 1=poor - 4=excellent scale
Doc - documentation
Ease - I=installation, U=use
Ovrl - overall rating for general use

Sites:

CARO - ftp.informatik.uni-hamburg.de (134.100.4.42)
cert - cert.sei.cmu.edu  (or cert.org) 192.88.209.5
eugene - eugene.gal.utexas.edu
garbo - garbo.uwasa.fi
nwu - ftp.acns.nwu.edu (129.105.113.52)
risc - risc.ua.edu
simtel - wsmr-simtel20.army.mil
urvax - urvax.urich.edu

For others see Jim Wright's postings.
For more detailed reviews see /pub/virus-l/docs/reviews at cert
For general virus info see VIRUSFAQ.TXT at cert

copyright Robert M. Slade, 1992   QUICKREF.RVW   920714

==============
Vancouver      [email protected]         | "It says 'Hit any
Institute for  [email protected]      | key to continue.'
Research into  [email protected]         | I can't find the
User           [email protected]         | 'Any' key on my
Security       Canada V7K 2G6           | keyboard."

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 130]
******************************************



Downloaded From P-80 International Information Systems 304-744-2253