Return-Path: <[email protected]>
Received: from csmes.ncsl.nist.gov (MACBETH.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST)
id AA11771; Wed, 19 Aug 92 13:58:31 EDT
Posted-Date: Wed, 19 Aug 1992 13:21:48 -0400
Received-Date: Wed, 19 Aug 92 13:58:31 EDT
Errors-To: [email protected]
Received: from CS2.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
id AA05756; Wed, 19 Aug 92 13:53:29 EDT
Received: from (localhost) by CS2.CC.Lehigh.EDU with SMTP id AA12391
(5.65c/IDA-1.4.4); Wed, 19 Aug 1992 13:21:48 -0400
Date: Wed, 19 Aug 1992 13:21:48 -0400
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V5 #141
Status: R
VIRUS-L Digest Wednesday, 19 Aug 1992 Volume 5 : Issue 141
Today's Topics:
Re: Waldo ?? (PC)
Where's Waldo?! Was: Re: Waldo ?? (PC)
Re: I Need an unattended scanner (PC)
Re: Is "Bloody" a virus? (PC)
Re: McAfee GENP/GENY identification (PC)
Re: Scan93 Calls Michangelo "Stoned" (PC)
Re: Strange MBR (PC)
Re: victor charlie (PC)
Netware and viruses - some new results (PC)
Re: help, high weirdness (PC)
Re: 4096 (frodo) false alarm? (PC)
Need Advice on Evaluating and Ordering Antivirus Software (PC)
Re: F-Prot 2.04c (PC)
os/2 changes to boot sector (OS/2)
Virus questionnaire, pls
Re: Jerusalem virus (CVP)
New Uploads on risc (PC)
Preliminary Conference Announcement
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to [email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk
----------------------------------------------------------------------
Date: 18 Aug 92 03:09:37 +0000
From: [email protected] (George Ferenc)
Subject: Re: Waldo ?? (PC)
[email protected] (Terry N Reeves) writes:
> Anyone know of a virus/trojan/joke/ etc that self-identifies as Waldo?
>
> I have not seen it, unfortunately I have only a sketchy report of a
> message seen periodically on a pc running windows 3.1 & corel draw
> 2.0. I'm told a "waldo virus" is identified. Unfortunately I can't
> even be sure the word virus was in the actual message.
>
> f-prot 2.04c finds nothing not even with heuristic scan. (two false +
> only) scan 93 ditto.
Hi,
This is not a virus. If you are running an old (i.e. not the latest)
version of Corel Draw under Windows 3.1, the program will crash when
you use the 'Blend' function. It worked fine under Windows 3.0.
Hope it helps,
George.
--
o*****************************************************************************o
* George Ferenc Information Technology Services, Melbourne University *
* Analyst/Prog... No, Software Engineer. At least it's trendy. *
* E-Mail address [email protected] *
* Tel. (B/H) (03) 344 6393 *
* Tel. (A/H) Are you kidding ? *
o*****************************************************************************o
* Trying to establish voice contact. Please talk to your keyboard. *
o*****************************************************************************o
------------------------------
Date: Tue, 18 Aug 92 07:07:50 +0000
From: [email protected] (McAfee Associates)
Subject: Where's Waldo?! Was: Re: Waldo ?? (PC)
Hello Mr. Reeves,
The "Waldo" message is an error message from Windows version of CorelDraw.
I was under the impression that this error message only appeared in beta
test versions of the software (which would be usually limited to a few
beta test sites) but it may have been present in the production version.
You should be able to contact the manufacturer for a patch.
Regards,
Aryeh Goretsky
Technical Support
/in reply to/
[email protected] (Terry N Reeves) writes:
>Anyone know of a virus/trojan/joke/ etc that self-identifies as Waldo?
>
>I have not seen it, unfortunately I have only a sketchy report of a
>message seen periodically on a pc running windows 3.1 & corel draw
>2.0. I'm told a "waldo virus" is identified. Unfortunately I can't
>even be sure the word virus was in the actual message.
>
>f-prot 2.04c finds nothing not even with heuristic scan. (two false +
>only) scan 93 ditto.
>
>Anyone??
--
McAfee Associates | Voice (408) 988-3832 | [email protected] (business)
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | ObQuote: "Log... from Blammo"
Santa Clara, California | |
95054-3107 USA | BBS (408) 988-4004 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | USR Courier DS 14.4Kb| or GO VIRUSFORUM
------------------------------
Date: 18 Aug 92 10:31:44 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: I Need an unattended scanner (PC)
[email protected] (KYLE CASSIDY) writes:
> I'm using V-shield93 right now, and i'm wondering if i should use
> this in conjunction with a more sophisticated scan program, but i'd like one
> that i can set to scan the disk when i'm not around (like at 3 in the
> morning) i'm running windows and i leave the machine on 24 hours. are there
> programs that do this?
What you actually need is not a special scanner - any off-line scanner
like SCAN or F-Prot will do the job. What you need is a scheduler for
Windows - a program that starts another program at a prescribed time.
I don't know of such a program (I am not using Windows myself), but
it should exist - several such programs exist for DOS. I advise you to
check at Simtel20 or ask in one of the Windows-related newsgroups.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 18 Aug 92 10:41:46 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Is "Bloody" a virus? (PC)
[email protected] (Jonathan Lewin) writes:
> My PC has begun to display the words "Bloody" and "Jun 4, 1989" on
> boot-up. Is this a known virus?
Yes, it is. It is a Stoned variant and infects in a similar way. There
are at least 4 different known variants.
> If it is, could someone PLEASE tell
> me, and advise me how to get rid of it?
Since it is a master boot sector infector, to remove it from your hard
disk it is enough to boot from a DOS 5.0 system diskette and execute
FDISK /MBR. After that you can boot from your hard disk and examine
all diskettes. The virus can be removed from the infected ones - just
copy the files from them somewhere else, then reformat the diskette
and copy the files back. Make sure that the virus is not memory
resident and active, otherwise it will re-infect the diskettes. Most
popular scanner/removers like F-Prot and CLEAN are able to remove this
virus.
> The PC it is on is vital to a
> small company, and I don't want it to start losing files.
Due to the way it infects disks, it may damage some hard disks and
high-capacity diskettes when it infects them. Therefore, the damage is
noticed at once. If it has not damaged your hard disk, it means that
it won't do it in the future. However, diskettes with strange formats
(e.g., backups made by some backup programs) might be irreparably
damaged.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 18 Aug 92 11:18:03 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: McAfee GENP/GENY identification (PC)
[email protected] writes:
> I certainly agree that IDEALLY one would like to identify the exact
> virus and be able read up about it and also have a utility to clean it
> out of the system.
> However, in practice, there are too many viruses coming out for any
> anti-virus company to keep up, you risk not getting updates in time even
> if available, cleaning is not 100%, new polymorphic viruses are
> self-mutating and as they improve will become invisible to scanners and
> other heuristic techniques.
> Rather than look for the perfect scanner, one should accept their
> limitations and only use them as gross filters for incoming software.
The above is, of course, true in general. However, some scanners ARE
better than others. The fact that a particular scanner (SCAN in this
case) is not able to provide good virus identification, does not mean
that good virus identification is impossible. It just means that this
particular scanner is a rather poor tool for identifying viruses. For
instance, Dr. Solomon's Anti-Virus ToolKit provides MUCH better
identification than McAfee's SCAN (I am not comparing the other
features), regardless that both products exist in one and the same
virus population.
> Generic protection virus control is essential in a modern computing
They are just one line of defense. I would refrain from calling it
"essential", but I agree that it is useful.
> Our firm distributes Victor Charlie which can deal with all known and
> unknown viruses.
My deep regards to your company and to the product (greetings to Alan
Dawson if you happen to see him), but please refrain from claims that
it can deal with unknown viruses. I have seen the product about two
years ago. It had the same claims associated with it, yet it miserably
failed to deal even with some of the existing viruses. Polymorphism
and advanced stealth were serious obstacles against it then.
I do not doubt that it has been much improved since then, yet I am
pretty sure that it won't be able to deal with all unknown viruses...
The virus authors out there are pretty ingenious, you know... I
strongly doubt that a single company is able to think of and prevent
all kinds of attacks, let alone of all possible but still unknown
attacks.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 18 Aug 92 12:33:50 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Scan93 Calls Michangelo "Stoned" (PC)
[email protected] (Adrienne Voorhis) writes:
> There has been some discussion recently about how (unnamed
> versions of) McAfee's Scan program are announcing an infection by
> Stoned when other virus scanners are calling it Michelangelo.
> A copy of Michaelangeo that I have saved from April 1992 is
> detected by Scan89 as Michaelangeo, but is detected by Scan93 as
> Stoned. My guess is that other posters that have reported this
> phenomenon are not dealing with a new variant of Michaelangelo. It's
> just that the newest version of Scan got sloppy and detects all
> Michealangeo infections as Stoned. (I haven't heard that
> Michaelangelo has any other strains detected.)
Your guess is correct. SCAN has become significantly worse in virus
identification since version 89. Since Michelangelo is indeed a Stoned
variant, it is not surprising that SCAN detects it as such.
> Not knowing the actual virus that has infected your machine can be
> a real problem. Previous posts, for example, have described the
> special problems that users face when disinfecting a computer that has
> been infected by both Stoned and Michelangelo. If the scanner does
> not even distinguish between the two, how is the user supposed to know
> why he or she is having no luck disinfecting the computer?
A very good argument why exact virus identification is very important!
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 18 Aug 92 12:39:36 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Strange MBR (PC)
[email protected] (Philip Smolen) writes:
> I noticed a machine with a strange MBR at work recently. The first 16
> bytes look like this:
> EA 05 00 C0 07 E9 99 00 02 6F 79 00 F0 E4 00 80
> Has anyone seen anything like this? Does anyone know what could have
> caused this?
Yup. The first few bytes are typical for a Stoned-infected boot
sector. Either a variant of Stoned failed to infect this particular
disk properly, or (less probably) some "clever" program tried to
vaccinate your hard disk. It is, indeed, immune against Stoned
infections now, but unfortunately, it has also become non-bootable.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
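The two boot-sector threads above (Bloody as a Stoned relative that FDISK /MBR removes, and the odd first 16 bytes Philip Smolen posted) both come down to reading one raw 512-byte master boot record and deciding what is in it. The Python script below is an added example written for this digest; it is not code from any poster or from any product named here. It decodes the entry instruction (EA 05 00 C0 07 is a far jump to 07C0:0005, which is what Vesselin means by "typical for a Stoned-infected boot sector"), checks the 55 AA boot signature, and parses the partition table, which is the part FDISK /MBR leaves alone when it rewrites the boot code. The sample sector is constructed: only its first 16 bytes are the ones quoted in the post; the single FAT16 partition entry is invented for illustration, and the partition-type names are the usual DOS/OS/2 type codes.

```python
"""Inspect a raw 512-byte master boot record (added example, see lead-in)."""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE
BOOT_SIGNATURE = b"\x55\xAA"

# First five of the sixteen bytes quoted in the post: opcode EA is JMP FAR
# ptr16:16, followed by the little-endian offset 0005 and segment 07C0,
# i.e. "jmp far 07C0:0005". Stoned-family boot code normalises CS:IP with
# this instruction before doing anything else.
STONED_FAMILY_PREFIX = bytes.fromhex("EA0500C007")

PARTITION_TYPES = {0x00: "empty", 0x01: "FAT12", 0x04: "FAT16 <32MB",
                   0x05: "extended", 0x06: "FAT16", 0x07: "HPFS/NTFS"}


def decode_entry_instruction(sector):
    """Describe the instruction at offset 0, where the BIOS starts executing."""
    op = sector[0]
    if op == 0xEA:                                   # JMP FAR seg:off
        off, seg = struct.unpack_from("<HH", sector, 1)
        return "jmp far %04X:%04X" % (seg, off)
    if op == 0xEB:                                   # JMP SHORT rel8
        rel = struct.unpack_from("<b", sector, 1)[0]
        return "jmp short 0x%04X" % ((2 + rel) & 0xFFFF)
    if op == 0xE9:                                   # JMP NEAR rel16
        rel = struct.unpack_from("<h", sector, 1)[0]
        return "jmp near 0x%04X" % ((3 + rel) & 0xFFFF)
    return "opcode %02X (not a jump)" % op


def parse_partition_table(sector):
    """Return the four primary partition entries found at offset 0x1BE."""
    entries = []
    for i in range(4):
        base = PARTITION_TABLE_OFFSET + 16 * i
        flag, ptype = sector[base], sector[base + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, base + 8)
        entries.append({
            "bootable": flag == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "other"),
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return entries


def inspect_mbr(sector):
    """Run the checks a responder wants before deciding on FDISK /MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "entry": decode_entry_instruction(sector),
        "stoned_family_prefix": sector.startswith(STONED_FAMILY_PREFIX),
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "partitions": parse_partition_table(sector),
    }


def build_sample_sector():
    """Constructed sample: the 16 bytes from the post, one invented FAT16
    partition entry and a valid 55 AA signature. Everything else is zero."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:16] = bytes.fromhex("EA0500C007E99900026F7900F0E40080")
    # flag 80 (bootable), CHS start, type 06, CHS end, LBA 63, ~200 MB
    sec[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = (
        bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0xFF, 0xFF])
        + struct.pack("<II", 63, 409536))
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


if __name__ == "__main__":
    report = inspect_mbr(build_sample_sector())
    print("entry instruction :", report["entry"])
    print("Stoned-family code:", report["stoned_family_prefix"])
    print("55AA signature    :", report["valid_signature"])
    for n, p in enumerate(report["partitions"]):
        if p["type"]:
            print("partition %d: %s%s, LBA %d, %d sectors" % (
                n, p["type_name"], " (bootable)" if p["bootable"] else "",
                p["lba_start"], p["sectors"]))
```

Read the sector after booting from a clean, write-protected diskette: a resident stealth boot virus can hand back the original sector through INT 13h and make the whole check worthless. Look at the partition table before running FDISK /MBR, because the command replaces only the boot code and keeps whatever table is there, damaged or not.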
Date: 18 Aug 92 12:47:18 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: victor charlie (PC)
[email protected] (James Roy) writes:
> It takes a radically different approach to virus control than McAfee's
> products. It is a generic product which looks for virus activity and
> can detect all viruses even those previously unknown.
It is very dangerous to make claims that a single anti-virus program
is able (in its current state) to detect any possible viruses -
including the currently unknown ones... In all cases I have seen,
programs which made such claims could be easily bypassed just by a
combination of the currently existing virus techniques. Some of them
could be bypassed even by some of the existing viruses...
> - a quick (3 second) routine which runs bait files and checks key
> files and areas to detect active viruses.
This can be circumvented in different ways:
1) The "bait file" technique is not able to detect boot sector
infectors, non-resident, or companion viruses.
2) If the names of the generated bait files are easily predictable, a
targeted virus can easily avoid infecting them.
3) A virus which infects only sometimes, or only files with particular
properties, may just not want to infect the bait files.
> Once detected the signature
> of the virus is captured in real time and a reboot is forced to purge
> it from memory. Because of this feature you do not have to depend on
> updates from the developer nor risk extensive damage to your files due
> to a virus unknown to the version of the scanner you have;
This method (on-the-fly scan string capturing) fails miserably with
polymorphic viruses. As to the damage - if the user is "lucky" enough,
the payload of the virus may trigger and cause significant damage -
which would not happen, had the virus been previously detected by a
scanner.
> - an audit routine that allows you to record encrypted checksums of
> all your executable files and later run a comparison. This will
> detect all changes to files and allow you to track down elusive
> viruses;
An integrity checker, that is. This is a very powerful tool for virus
detection, but there are some pitfalls:
1) If an intelligent stealth virus is active in memory during the
integrity check, the integrity checker will be unable to spot the
modifications.
2) There are several possible virus attacks against integrity checking
programs, that a virus could use. Companion viruses and DOS-file
fragmentation are two of them. Most of these attacks can be easily
stopped by the integrity checking software, but the producers of this
software must know about them and take some steps to stop them.
Sincerely, do you know what the DOS-file fragmentation attack consists
of, and does the integrity checking part of your product take care of
it?
3) A specific kind of virus, the so-called slow viruses, cannot be
stopped by integrity checking programs. I mean, there is no practical
way to do it, not that they are theoretically unstoppable. More
exactly, I do not know about any practical way to stop them.
> VC is a highly secure product designed to foil viruses which may be
> specifically written to attack it.
Viruses, written to specifically attack a particular product, usually
do not spread very far, but they are particularly dangerous against
this product, if they are well implemented. Why do you think that your
product is so secure? What steps does it take to prevent a targeted
attack?
> It currently does not use a TSR due to the vulnerability of TSR virus
> monitors to such targeted viruses. VC's checks are easily put into your
> applications menu or batch files which allow it to be run automatically
> (and silently) frequently during your computing day.
A (rather stupid) targeted attack I can think of would be to inspect
the programs started from CONFIG.SYS and AUTOEXEC.BAT, "scan" them for
the "scan string" of your program, and delete them, or even better -
replace them with the virus.
BTW, how does your product react if the database of file checksums
suddenly disappears? There are at least two viruses, which attack
integrity checkers in this way, and they do it rather successfully...
> It is, one might say, a scanner in reverse. Rather than relying on
> scanning new files for viruses which the scanner knows about, VC is run
> after a new application is run to see if any viruses have gone active.
Problem is, this is quite unreliable, if the virus is already active
and smart enough...
> VC does have a scanner which it updates itself. One can use it for
> scanning new files but it is primarily used for tracking down a
> virus once detected by the method described above.
> Given the stealth viruses and polymorphic viruses which are out there,
> scanners are becoming more and more limited in their effectiveness.
I wholeheartedly agree with the second paragraph, but think that it is
in contradiction with the first. Scanning for a "captured" on-the-fly
signature is still scanning. OK, this is an "auto-updating" scanner,
but it still fails (even more often than the "normal" scanners) with
the polymorphic and with some stealth viruses.
Please, do not think that with the above criticisms I am trying to
underestimate your product. I agree that it is probably a stronger
line of defense against viruses than any scanner-only based defense.
However, I cannot agree with the claims that it can "detect all
viruses - known or unknown", although I can accept that it is able to
detect whole classes of unknown viruses.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
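Vesselin's points about checksum databases in the Victor Charlie exchange above (the companion-virus gap, and a database that "suddenly disappears") are easier to see in a small implementation. The Python script below is an added example written for this digest; it is not Victor Charlie's code or anything posted by a list member. It records SHA-256 digests of the executables under a directory, authenticates the database with an HMAC under a key that is assumed to live off the protected disk (so a rewritten or substituted database fails verification), treats a missing database as an alarm instead of silently rebuilding, and flags a new .COM beside a recorded .EXE of the same name as a possible companion. The file names, the key, and the database name CHECKSUM.DAT are invented for the demonstration.

```python
"""Integrity checker for a tree of DOS-style executables (added example)."""
import hashlib
import hmac
import json
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".com", ".sys", ".ovl", ".bat"}
BASELINE_NAME = "CHECKSUM.DAT"   # hypothetical name for the checksum database


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Map lower-cased relative path -> digest for every executable under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                full = os.path.join(dirpath, name)
                found[os.path.relpath(full, root).lower()] = file_digest(full)
    return found


def write_baseline(root, key):
    """Record the current state, authenticated with a key kept off the disk."""
    body = json.dumps(scan_tree(root), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    with open(os.path.join(root, BASELINE_NAME), "wb") as f:
        f.write(tag + b"\n" + body)


def compare(root, key):
    """Return a report; 'alarm' is True whenever tree or baseline cannot be trusted."""
    report = {"alarm": False, "reasons": [], "modified": [], "added": [],
              "deleted": [], "companions": []}
    path = os.path.join(root, BASELINE_NAME)
    if not os.path.exists(path):
        # A vanished database is itself an event: never rebuild silently.
        report["alarm"] = True
        report["reasons"].append("baseline missing")
        return report
    with open(path, "rb") as f:
        tag, body = f.read().split(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        report["alarm"] = True
        report["reasons"].append("baseline tampered or written with another key")
        return report
    old, new = json.loads(body), scan_tree(root)
    report["modified"] = sorted(p for p in old if p in new and old[p] != new[p])
    report["deleted"] = sorted(p for p in old if p not in new)
    report["added"] = sorted(p for p in new if p not in old)
    # Companion attack: a new .COM beside a recorded .EXE of the same name.
    # DOS runs the .COM first, so the .EXE stays byte-for-byte intact.
    for p in report["added"]:
        stem, ext = os.path.splitext(p)
        if ext == ".com" and stem + ".exe" in old:
            report["companions"].append(p)
    if report["modified"] or report["deleted"] or report["added"]:
        report["alarm"] = True
        report["reasons"].append("executables changed since baseline")
    return report


def demo():
    """Constructed scenario: baseline a tree, then simulate an appended
    infection, a companion .COM, and finally a deleted checksum database."""
    key = b"demo key - a real deployment keeps it on a write-protected diskette"
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "EDIT.EXE"), "wb") as f:
            f.write(b"MZ original program image")
        with open(os.path.join(root, "SCAN.EXE"), "wb") as f:
            f.write(b"MZ scanner image")
        write_baseline(root, key)
        with open(os.path.join(root, "EDIT.EXE"), "ab") as f:
            f.write(b"+appended virus body")            # appending file infector
        with open(os.path.join(root, "SCAN.COM"), "wb") as f:
            f.write(b"companion that runs before SCAN.EXE")
        after_infection = compare(root, key)
        os.remove(os.path.join(root, BASELINE_NAME))   # virus deletes the database
        after_deletion = compare(root, key)
    return after_infection, after_deletion


if __name__ == "__main__":
    for label, rep in zip(("after infection", "after database deletion"), demo()):
        print(label + ":", json.dumps(rep, indent=1))
```

None of this helps while a stealth virus is resident, as Vesselin says: run the comparison from a clean boot. Note also what the check cannot do. It reports that a file changed, not why, and a slow virus that only touches files the user is legitimately writing anyway will produce changes the user expects and approves.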
Date: Wed, 19 Aug 92 08:06:46 -0500
From: [email protected] (Mr Fred Cohen)
Subject: Netware and viruses - some new results (PC)
At QUT, we have set up an experimental network to test viruses in
networked environments, and the first results have just come in -
unbelievable!
I will be talking about this at length at the Virus Bulletin
conference in a few weeks, but I thought Virus-L readers would like to
hear a bit before that.
Test 1: Exhaustive test of netware protection setting on files and
directories against common viruses.
Result: Only 3 of the 15 bits provide any protection - Execute ONLY?
NO GOOD!!! Read ONLY? NO GOOD!!!
Result: Novell manuals are completely backwards in their depiction of
the rights granted through inheritance!!! If you follow the manual,
you get wiped out!
Test 2: Exhaustive testing of Unix based server - still underway
Test 3: Same for OS/2 LAN Manager - to be reported at conference
Other tests? Let me know what you want to know, and I will try to do it
ASAP
Conclusion: It is almost impossible to manage netware for safety
against viruses, but it is probably possible if you are a GOOD ENOUGH
sys admin. More conclusions to follow as they come available.
FC
------------------------------
Date: Tue, 18 Aug 92 23:42:03 +0000
From: [email protected] (Robert Slade)
Subject: Re: help, high weirdness (PC)
[email protected] (Peter L. Hurd) writes:
>Hi, I've been having strange hassles with my machine lately, symptoms
>include;
>1) Inability to boot from a floppy. It boots from c: always, no error
>message if I leave a non-bootable floppy in there, and no booting from
>a bootable.
What kind of a computer do you have? Several models have CMOS/BIOS
options which allow you to disable floppy booting, or to "boot" from
the B: drive.
>2) Keyboard spaceyness, it gets to thinking that the shift is down, so
>even numbers show up as @#$%^, and the alt ,and ctrl keys don't quite
>do what I expect them to (usually happens in WP5.1)
This is very widely known and seen behaviour, and I see it myself more
often in Word Perfect than in other programs. (Mind you, I use WP a
*lot*.)
>3) My default settings in WP5.1 just reset, my Canadian WP expects US
>lexicon, and other things reset to original.
Again, this is a very common problem. All you have to do is go back
into the "initial setting" setup and tell it that you want to use the
UK language modules. (If it doesn't find this info, it "defaults" to
the US files.)
>4) QEMM sent me this error twice when loading F-PROT (or was it
>VIRSTOP?)
We've had a report about this type of thing, and I believe frisk is
working on it.
>5) VSHIELD sent me this once
>
>VSHIELD 4.9V93
>Sorry an impossible internal error occurred
>Error code is 8522
Only once? how often do you use it (ie. boot up)?
>6) F-PROT 2.04b and Scan 93 find nothing, although vshield found an
>[emp] on a floppy and f-prot concurred, but I think I got that one
>before it had a chance to do anything. F-prot heuristic search
>reports that the shareware utility Directory control DC106f.zip
>searches for executables.
Well, that sounds like a reasonable thing for a disk/program manager
to do.
>Is it viral? ( He asks the impossible to answer question )
>thanks for any help or advice.
Nothing you have said so far sounds like there is any viral activity.
>-- Pete Hurd, [email protected]
>Behavioural Ecology Research Group
>Dept.Biol.Sci., Simon Fraser Univ.
Check with Bill Kloubek or myself.
=============
Vancouver      [email protected] | "Remember, by the
Institute for  [email protected] | rules of the game, I
Research into  [email protected] | *must* lie. *Now* do
User           [email protected] | you believe me?"
Security       Canada V7K 2G6     | Margaret Atwood
------------------------------
Date: 19 Aug 92 06:30:03 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: 4096 (frodo) false alarm? (PC)
[email protected] (Nadav Har'El) writes:
> I tried using a disk optimizer like Aryeh Goretsky suggested, but it
> didn't help. Does anyone know of a program to clear every unused
> portion of the disk (i.e. parts of sectors after eof, and totally
Try the Norton Utilities package from Symantec. The program WipeInfo
from version 6.0 of the package has an option to "wipe the slack space
of the disk" (as opposed to wiping the non-allocated disk space, which
is also supported). It does exactly what you want.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Wed, 19 Aug 92 10:53:41 +0000
From: [email protected] (Yosef Branse)
Subject: Need Advice on Evaluating and Ordering Antivirus Software (PC)
I am not very knowledgeable about computer viruses, but I need some
advice regarding antivirus software from an administrative angle.
I want to install such software in the library's ATs, a number of
which are in a public area for searching CDROM databases. We have had
several incidents of viruses getting into the hard disks via the
diskettes used for downloading the results of searches. (I can't write
protect the hard disk, because then the CDROM search software fails;
it needs to write to the disk.)
I currently have McAfee's VSHIELD (version 89) installed at these
sites, and it works well, as far as I can tell. I know how to use SCAN
and CLEAN when an infection occurs.
I understand that in order to make the installation legal, I'll need a
site license. Since I am just a small cog in a large institution, that
means a formal purchase request, and I may need to justify the
selection.
This brings me to my main question: what evaluation criteria are used
in selecting antivirus software? Are there studies available - a la
Consumer Reports - of the various programs, recommending the best
ones? I am satisfied with the McAfee product, but I have access to
FPROT and could obtain others if need be.
Price, of course, is another concern. How do the various packages
compare in terms of their charges for site licensing? Do they offer
special rates for academic institutions?
Any information or references to previous material - whether in
published form, or available via E-mail or FTP - would be greatly
appreciated. I don't need an extensive technical analysis of any
program, just an overall evaluation of its efficacy and
price-worthiness.
Thank you
****************************************************************************
* Yosef (Jody) Branse University of Haifa Library *
* Mt. Carmel, Haifa 31905, Israel *
* Tel.: 972 4-240288 *
* FAX: 972 4-257753 *
* Israeli U. DECNET: HAIFAL::JODY *
* Internet/ILAN: [email protected] *
****************************************************************************
------------------------------
Date: 19 Aug 92 15:18:56 +0000
From: [email protected] (Fridrik Skulason)
Subject: Re: F-Prot 2.04c (PC)
[email protected] (Gerald Pfeifer (Prak Gusti)) writes:
>Three days ago I downloaded F-Prot 2.04c (fp-204c.zip) from the net.
>The 'Program - Performance' info in the interactive shell boosts a
>much higher number of viruses and virus-families to be detected than
>under version 2.04a. The documentation, however, does *not* mention
>any advances/extensions/... (The documentation files seem to be
>nearly unchanged since 2.04a)
It is unchanged - I only change the "new.xxx" file for the major
versions - that is, it will be changed for 2.05. However, please note
that 2.04c is not an official release, and was not supposed to be
widely distributed.
And yes, I have indeed added over 100 new viruses since 2.04..
- -frisk
------------------------------
Date: 18 Aug 92 19:41:43 +0000
From: [email protected] (The Jester)
Subject: os/2 changes to boot sector (OS/2)
(Note:This post is being crossposted to comp.os.os2.apps and
comp.virus in the hopes that one,or both, of the two groups can be of
service)
I currently run a program called 'Integrity Master' by Wolfgang
Stiller. Among other things, this program checks the boot sector of
each partition against a copy it made of the partition,
to detect any changes. My harddrive is a 210 western digital
pyranna(sp) which is currently set up with three partitions:
OS/2 Boot Manager Partition-A 1 meg partition
Dos Partition-A 1 meg partition
FAT/HPFS-I have one last partition which is 200 or so megs
and is then subdivided into two logical partition,
the first is fat and the second is hpfs.
For further reference partitions and logical partitions will be
referred to as follows:
C Drive-The 1 meg dos partition
D Drive-The first logical drive in the last partition, it is
of type FAT.
E Drive-The second logical drive in the last partition, it
is of type HPFS.
My Problem is as follows:When I run IM (Integrity Master) under os/2
to initialize the boot sector, I don't have any problems. However if
I then change to dos, dos will say that the D drive boot sector
has changed! In addition it will say that there is a self executing
program in my D drive dos boot sector! In addition if I then do NOT
re-initialize my data (i.e. it's still comparing my current boot
sector to the picture it has in it's memory) and return to os/2,
IM will still say that there is a problem! Matters are further
complicated by the fact that I just had a cmos failure. The specific
failure was that my harddrive and both my disk drives settings were
set to 'disabled'. This could very well be a battery failure (even
though I've only had the mother board for 6 months) and I am getting
a battery pack to take care of that eventuality. Finally, thinking
that this was all very strange, I ran scan 93 which reported that
everything was fine. In addition, other than my mysterious cmos
erasures, I have not had any problems running dos, os/2, or any of
my applications.
My Question is as follows:Does os/2 change the boot sector of
drives under its control? In addition, I understand why my first 1
meg, boot manager, partition would have a self booting program in it
but why should my D drive have one? Os/2 does NOT boot from D drive
and dos boots from C drive! So should there be a self running
program on my D drive? I'm very concerned as this sort of activity
is standard viral activity. And finally, is there any known virus
which targets cmos and clears out sections of it?
Thank you for all help, answers can be posted or mailed to me as I
am an avid reader of both groups and I regularly read my mail.
Thanks again,
Yaron (The Jester) Goland
--
"Only the blind see in color."
"Any union based upon pigment is foolish ignorance designed to
give power to those few who enjoy power's taste above the common
welfare."
------------------------------
Date: Wed, 19 Aug 92 05:15:31 -0400
From: Stefano Toria <[email protected]>
Subject: Virus questionnaire, pls
I am planning to set up a survey to obtain some information on the
extension and characteristics of the virus problem in Italy.
The idea would be to gather figures on facts such as:
- number of reported events
- number of affected PCs
- means of identification of the viral nature of the event
- reported strain and variant
- nature, extension and cost of the cure
- etc.
Putting into practice one of Rob Slade's sound pieces of advice on prevention,
I have already assumed that I am going to fail :-) i.e. that I am
going to have a response rate <= 0.1% after the third poll. But I wish
to go on anyway; the question is where can I obtain (by e-mail or ftp,
if possible) information that I can use to set up a good questionnaire
without having to start from scratch and re-invent the wheel. I know
for sure that this kind of survey is being regularly performed
somewhere in the world; the ideal thing would be to lay my hands on a
question sheet for one of the latest issues.
My total, eternal gratitude :-) shall go to anyone who shall provide
even the leanest shred of help on the subject.
Stefano Toria
- ------------------------------------------------------------------------
Stefano Toria <[email protected]> |
MC-link, Rome, Italy | "Enjoy, my boy: a sweet state,
Voice: (+ 396) 4180300 | a happy season is this one"
Fax: (+ 396) 8413057 |
- ------------------------------------------------------------------------
------------------------------
Date: Tue, 18 Aug 92 10:06:43 -0400
From: "Olivier M.J. Crepin-Leblond" <[email protected]>
Subject: Re: Jerusalem virus (CVP)
Y.Radai denies ever objecting to the name "Israeli" virus but
remembers objecting to the name PLO given to the virus by some people.
I remember his message regarding the above. The coincidence of dates
was due to the triggering of the virus on friday 13th. It was finally
agreed that political issues regarding Israel and the middle east in
particular were to be ignored in this case, because there was no
evidence (and there still isn't any) that the virus was written for
political purposes. In fact, some pointers now show the origin of the
virus to be Italy - not at all the same part of the world. Moral of
the story: a new virus can be isolated in a different country than
where it originated.
PS. I was indeed surprised when Padgett advanced the theory of
anti-semitism, which I had never heard of before. Maybe the ":-)" had
something to do with it...
O.
--
Olivier M.J. Crepin-Leblond, Digital Comms. Section, Elec. Eng. Department
Imperial College of Science, Technology and Medicine, London SW7 2BT, UK
Internet/Bitnet: <[email protected]> - Janet: <[email protected]>
------------------------------
Date: Wed, 19 Aug 92 11:25:06 -0400
From: James Ford <[email protected]>
Subject: New Uploads on risc (PC)
Two files have been uploaded on risc.ua.edu (130.160.4.7) in the
directory /pub/ibm-antivirus:
File validation info: (size/date/val1/val2)
htscan18.zip 103,976 8-13-1992 2B21 1E71 (replaces htscan17.zip)
vsig9207.zip 29,352 8-2-1992 C16E 135D
(This VSIG9207.ZIP should just replace the previous vsig9207.zip, the
only difference being the 'forgotten' safety-checksum).
----------
If I had my life to live over again, I'd make the same mistakes sooner.
----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
[email protected], [email protected]
Work (205)348-3968 fax (205)348-3993
------------------------------
Date: Tue, 18 Aug 92 13:49:43 -0700
From: Richard W. Lefkon <[email protected]>
Subject: Preliminary Conference Announcement
(preliminary announcement 8/92)
SIXTH INTERNATIONAL COMPUTER VIRUS & SECURITY CONFERENCE
WED-FRI MARCH 10-12, NEW YORK'S PENN STATION RAMADA AND THEATRE MARRIOTT
Spons. by DPMA Fin. Ind. Ch. in coop with ACM-SIGSAC,
BCS, CMA, Computerworld, COS, EDPAA/ph, ISSA/ny, IEEE-CS
GROUP PRICES:
$975 for FOUR registrants (one new)
$1185 for FOUR registrants (all first time attendees)
$178 on-site nightly lodging for FOUR (2 rooms)
(individual registration - divide by 3)
5 TRACKS - 53 VENDORS - 91 SPEAKERS - Learn the Latest Practical Expertise
Concentrations include CIO/SVP, LAN, Technical/Research, Justice, Telecom
Every Registrant Receives 800+ Page Complete Bound Proceedings
Session speakers and chairs include
Klaus Brunnstein (Hamburg), Fred Cohen (ASP), Tom Duff (AT&T),
Harold Highland (Compulit), Stuart Katzke (NIST), Karl Levitt (Davis),
Guillermo Mallen (Mexico), Bill Murray (Deloitte), Eiji Okamoto (Japan),
Jane Paradise (Apple), Donn Parker (SRI), Padgett Peterson (Martin-Marietta),
Gene Spafford (Purdue), Gail Thackeray (Phoenix), Ken van Wyk (CERT/CMU),
Bill Vance (IBM).
To learn about the other 74 speakers (papers are still arriving), please
WRITE: Ides of March Conference, Box 894, New York, NY 10268
CALL: (800) 835-2246 x190
FAX: (303) 825-9151
E-MAIL: [email protected]
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 141]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253