Date: Mon, 31 Aug 1992 16:36:15 -0400
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V5 #143
Status: R
VIRUS-L Digest   Monday, 31 Aug 1992    Volume 5 : Issue 143

Today's Topics:

Possible Virus Infection - info pls (PC)
Re: 4096 (frodo) false alarm? (PC)
Comments on Untouchable... (PC)
hardware protection against PC viruses (PC)
VACSINA Information Wanted (PC)
Re: help, high weirdness (PC)
Re: Stoned/Azusa haunting (PC)
Re: Unix servers and DOS viruses (PC) (UNIX)
re: V-SIGN virus (PC)
re: On integrity checking (PC)
McAfee's 95 series (PC)
Re: new virus found (PC)
Re: Anyone for a Feist ??? (PC)
Re: What is the best anti-virus program??? (PC)
CPAV and Windows (PC)
OS/2 boot sectors (OS/2)
BBS listing
Products for review - shipping
Re: Jerusalem virus (CVP)
Symantec announces NAVSCAN (freeware) (PC)
McAfee VIRUSCAN V95 uploaded to WSMR-SIMTEL20.Army.Mil (PC)
F-PROT new version announcement (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name.  Send contributions to [email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.

  Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 24 Aug 92 12:57:06 +0000
From:    [email protected]
Subject: Possible Virus Infection - info pls (PC)

Readers,

I am not sure whether this is an occurrence of a virus, but it does
seem strange.

On Sunday, 23/8/92 (not US date format folks), a young 11 y.o. friend
called me and asked me for my advice.  He owns a clone 286 PC and was
attempting to copy a file from a floppy to the hard disk.  When using
the copy command, the machine would hang.

Earle (your author), being a smarty, said, no worries.  I obtained their
DOS disk, write protected, and did a file compare between the
COMMAND.COM on the DOS disk and the hard disk.  The two files were
the same size but contained different info.  I did not retain the
comparison or the old COMMAND.COM.

Other problems experienced at the same time:-
-     files and directories have disappeared.
-     SCAN 80(?) reports no virus (I know, it is an old version but
I didn't have my toolkit with me).

I have quarantined the machine and post this for thoughts, requests,
advice ....

The problem seems!! to have stopped but I think that the solution was
too easy.

Earle ORENSTEIN
Student Nbr 11188707
GR Dip Comp
Monash University Faculty of Computing
[email protected]

------------------------------

Date:    Mon, 24 Aug 92 16:57:45 -0400
From:    [email protected]
Subject: Re: 4096 (frodo) false alarm? (PC)

In VIRUS-L Digest V5 #140 [email protected],  Nadav Har'El writes.

stuff deleted ---

>didn't help.  Does anyone know of a program to clear every unused
>portion of the disk (i.e.  parts of sectors after eof, and totally
>unused sectors)?

stuff deleted ----

Yes. There is a real handy public domain utility called Prune v2.1.
Prune will clear the unused space in a cluster after EOF and all
unused clusters.  It will also do subdirectories and allows a user
definable fill pattern.  The program is available from the authors on
their BBS.

Sydex BBS
Eugene, Oregon
USA
503-683-1385

Keith R. Watson
Georgia Institute of Technology, Atlanta Georgia, 30332
uucp:  ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!kw3
Internet: [email protected]

------------------------------

Date:    Sat, 22 Aug 92 02:04:17 +0000
From:    [email protected] (SW International)
Subject: Comments on Untouchable... (PC)

The company has just purchased a whole batch of spanking brand new PCs
for a major project. As luck would strike it, I've been chosen as one
of the guys to look after its "Virginity" against viruses.

I would very much like to hear your worthy comments of the following
Virus detection/terminator software on the market:

       * Untouchable (by Fifth Generation Systems),
       * Turbo-Anti virus (by CARMEL Software Engineering),
       * McAFee

Thank you in advance...

Regards,

Alvino...


--
SW International Systems Pte Ltd     |  "I've got a plan so cunning
   14, Science Park Drive           | you could put a tail on it and
   Singapore Science Park           | call it a weasel".. Black Adder
   Singapore 0511                   |
   Tel: (65) 778-0066               |
   Fax: (65) 777-9401               | [email protected]

------------------------------

Date:    Mon, 24 Aug 92 16:49:47 +0000
From:    [email protected] (Barry S. Fagin)
Subject: hardware protection against PC viruses (PC)

I have recently seen some literature on ViruGuard, a PC expansion card
that claims to defeat all IBM PC viruses.  Does anybody know anything
about this?  Is it all it's cracked up to be?  Please reply to this
account; any help would be much appreciated.  Thanks.

--BF

------------------------------

Date:    Wed, 26 Aug 92 06:24:20 -0400
From:    G J Scobie <[email protected]>
Subject: VACSINA Information Wanted (PC)

I have found the VACSINA virus on a student laptop which came in for
repairs. Using the following software produced these results:

Bates Anti-Virus Utilities v3.37

TREE.COM        Found Vacsina - TP05 <1206>
MEM.EXE         Found Vacsina - TP05 <1206>

F-PROT v2.04

TREE.COM        Infection: Vacsina (TP-5)
MEM.EXE         Infection: Vacsina (TP-5)
CHKDSK.EXE      Infection: Vacsina-loader

I am interested in the result of F-PROT indicating CHKDSK. Is this
file infected - probably but to what extent? Is it important that one
utility recognised CHKDSK while the other did not?

As always thanks in advance.

Garry Scobie
Senior Computing Officer
Edinburgh University Computing Services
Scotland
e-mail: [email protected]

------------------------------

Date:    26 Aug 92 07:48:37 -0500
From:    [email protected] (William Hobson)
Subject: Re: help, high weirdness (PC)

Keyboard problems - what fun!!  After having done battle recently,
here are a few observations and solutions I have used:

1)  If it is WordPerfect you are having the problem with, use the /nc /nk
command line switches.
2)  Bios problems seem to really jump forward when networking these faulty
BIOSes.
3)  Also be aware that other problems can look like this one: we had a PC
that had the fan go out on the power supply that created these symptoms
(I have seen a LOT of fan failures recently :-( )

------------------------------

Date:    Wed, 26 Aug 92 08:57:49 -0400
From:    [email protected] (A. Padgett Peterson)
Subject: Re: Stoned/Azusa haunting (PC)

>From:    [email protected] (David Taylor)
>
>Anyone know if these two virii mutate when they're together?

Nyet, comes under the theories of similarity and contagion. Bet the
system will not boot by itself either.

Used to be that we got reports of Joshi/Stoned allatime but then the
PC would still boot since they didn't fight.

What has happened is as follows: The machine was infected by Stoned.
This put the Stoned code in sector 1 and the *real* MBR in sector
seven. Since Stoned is non-stealth it copied a copy of the partition
table into itself. Then the machine was infected by Azusa which moved
the Stoned code into *another sector but not 7* (I forget which) and
itself into sector 1 also copying the P-Table into itself.

Now when a boot occurred, the Azusa ran & went resident at the TOM. It
then loaded the Stoned which, being obliging went resident itself just
under the Azusa. Then it loaded the *real* MBR and booted.

Next, the Stoned resident portion looked at sector one and observed
that it was *not Stoned* and reinfected, moving the Azusa MBR into
sector seven. At this point we have Stoned in sectors 1 & *some other
sector* , Azusa in sector 7, and the *real* MBR is just a memory.

The machine now refuses to boot except from floppy and the user
notices *something* amiss. (Viruses and Trojans, and Worms - Oh My !)

SCAN is executed from floppy. Even if the /M is used, nothing will be
detected since neither of these viruses (original flavour) survives a
re-boot.

SCAN runs & finds whichever infected last in the MBR (say Azusa).
CLEAN comes along and cleans [AZUSA] by retrieving the sector AZUSA
stores the *real* MBR in except that this contains not the *real* MBR
but Stoned.

SCAN now reports [STONED]. CLEAN having the [STONED] reported verifies
that it is in sector 1 and replaces sector 7 into sector 1. Except 7
contains not the *real* MBR but AZUSA.

SCAN now reports AZUSA. etc etc etc. You get the idea.

Answer: Well, you could use my FixMBR, select *any* sector with a
valid p-table and let it install the *Safe* code, or you could just
use DOS 5.0 FDISK /MBR Either will work.

                                               Breezily,

                                                       Padgett
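
[Added example, not part of the original post: an abstract Python model of the
sector shuffle described above, showing why a signature-specific restore
alternates between the two detections while a generic boot-code rewrite ends
it. Sectors hold labels only; "X" is a placeholder for the Azusa save sector,
which the post does not name, and all function names are hypothetical.]

```python
# Added illustration: an abstract model of the disk state described in the
# post. Sectors hold labels, not code.
REAL, STONED, AZUSA = "real MBR", "Stoned", "Azusa"
SAFE = "generic boot code"
STONED_SAVE = 7      # from the post: Stoned keeps the previous MBR in sector 7
AZUSA_SAVE = "X"     # placeholder: the post does not say which sector this is


def infect(disk, virus):
    """Each virus stashes the current sector 1 in its own save slot."""
    slot = STONED_SAVE if virus == STONED else AZUSA_SAVE
    disk[slot] = disk[1]
    disk[1] = virus


def doubly_infected_disk():
    """Replay the sequence from the post: Stoned, then Azusa, then the
    resident Stoned re-infecting sector 1 during the next boot."""
    disk = {1: REAL}
    infect(disk, STONED)   # 1=Stoned, 7=real MBR
    infect(disk, AZUSA)    # 1=Azusa, X=Stoned, 7=real MBR
    infect(disk, STONED)   # 1=Stoned, X=Stoned, 7=Azusa; real MBR is gone
    return disk


def scan(disk):
    """Report which known label sits in sector 1, or None."""
    return disk[1] if disk[1] in (STONED, AZUSA) else None


def clean_once(disk):
    """Signature-specific repair: restore sector 1 from the slot the
    identified virus is known to use, trusting whatever is stored there."""
    found = scan(disk)
    if found == STONED:
        disk[1] = disk[STONED_SAVE]
    elif found == AZUSA:
        disk[1] = disk[AZUSA_SAVE]
    return found


def scan_clean_cycle(disk, max_rounds=10):
    """Run scan/clean rounds; stop on a clean result or a repeated state."""
    history, seen = [], set()
    for _ in range(max_rounds):
        state = tuple(sorted((str(k), v) for k, v in disk.items()))
        if state in seen:
            return history, "loop"
        seen.add(state)
        found = clean_once(disk)
        if found is None:
            return history, "clean"
        history.append(found)
    return history, "gave up"


def rewrite_boot_code(disk):
    """Generic repair (the FDISK /MBR route named in the post): replace the
    boot code in sector 1 instead of trusting any saved copy."""
    disk[1] = SAFE


if __name__ == "__main__":
    disk = doubly_infected_disk()
    print("state after both infections:", disk)
    print("scan/clean rounds:", scan_clean_cycle(disk))
    rewrite_boot_code(disk)
    print("after generic rewrite, scan reports:", scan(disk))
```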

------------------------------

Date:    Wed, 26 Aug 92 09:04:41 -0400
From:    [email protected] (A. Padgett Peterson)
Subject: Re: Unix servers and DOS viruses (PC) (UNIX)

>From:    [email protected] (Mr Fred Cohen)
>
>       Which brings me to one last point.  I got a lot of complaints,
>but only one person wanted to perform similar experiments to confirm
>our results.

Next week if all goes well and the crik don't rise, we will be setting
up a Novell 3.11 LAN (Netware - Intel based) for some testing &
validation.  Suggestions for experiments (please be explicit),
uuencoded cracker programs (or name & archive site), as well as
general encouragement would be welcome.  To keep the bandwidth down,
please reply to [email protected] (I'net) and not Virus-L.

                                       Breezily,

                                               Padgett

------------------------------

Date:    Wed, 26 Aug 92 10:30:46 -0400
From:    "David M. Chess" <[email protected]>
Subject: re: V-SIGN virus (PC)

Originally reported in Turkey, where it's called CANSU, this virus
seems to have reached the U.S. recently.  It's a relatively simple
master-boot-record infector.  Here's what I posted to VIRUS-L last
time someone asked...

The virus is indeed a master boot infector that takes 2K and does a
simple self-modification.  Of the three signatures that you give, only
the first will ever appear in the master boot record, and it will
appear in only about one-third of infections.  The other two
signatures are in the non-boot-sector part of the virus, but they will
be visible in memory if the virus is active in the system.  Here are
three better signatures for the virus; at least one will be found in
every infected MBR, and in memory if the virus is active:

    31C0 8ED0 8ED8 8EC0 48 89C4 30E4 CD13 72FA
    %s the Cansu virus.
    Boot records.  No mutants.
    31C0 8ED8 8EC0 8ED0 48 89C4 30E4 CD13 72FA
    %s the Cansu virus.
    Boot records.  No mutants.
    31C0 8EC0 8ED0 8ED8 48 89C4 30E4 CD13 72FA
    %s the Cansu virus.
    Boot records.  No mutants.

(This is the format that the IBM Virus Scanning Program uses, but it
should be readily convertible.)  If you have the IBM Virus Scanning
Program version 2.2.1 or better, it will detect the virus.  The Cansu
doesn't seem to have any destructive effects; it will sometimes
display a sort of "logo" when booting an infected machine, but this
shouldn't be counted on for detection.

As for disinfection, since it's a normal master-boot-record infector,
you can use FDISK /MBR, or anything else that can fix the master boot
record code without altering the partition table data (see previous
talk in VIRUS-L about this).

DC
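
[Added example, not part of the original post: a small Python scanner that
loads the three signature records quoted above and searches a sector image
for them. The three-lines-per-record parsing rule, the function names and the
zero-filled test sector are assumptions made for this illustration; only the
record text comes from the post.]

```python
# Added example: the three records are copied from the post; the parsing
# rules and the sample sector are assumptions made for this illustration.
RECORDS = """\
31C0 8ED0 8ED8 8EC0 48 89C4 30E4 CD13 72FA
%s the Cansu virus.
Boot records.  No mutants.
31C0 8ED8 8EC0 8ED0 48 89C4 30E4 CD13 72FA
%s the Cansu virus.
Boot records.  No mutants.
31C0 8EC0 8ED0 8ED8 48 89C4 30E4 CD13 72FA
%s the Cansu virus.
Boot records.  No mutants.
"""


def parse_records(text):
    """Assumed layout: three lines per record (hex pattern, message
    template, scope note). Returns [(pattern_bytes, message, scope)]."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("incomplete signature record")
    records = []
    for i in range(0, len(lines), 3):
        pattern = bytes.fromhex(lines[i].replace(" ", ""))
        records.append((pattern, lines[i + 1], lines[i + 2]))
    return records


def scan_buffer(buf, records):
    """Return [(record_index, offset)] for every pattern occurrence."""
    hits = []
    for idx, (pattern, _msg, _scope) in enumerate(records):
        start = buf.find(pattern)
        while start != -1:
            hits.append((idx, start))
            start = buf.find(pattern, start + 1)
    return hits


def common_affixes(records):
    """Length of the prefix and suffix shared by all patterns: shows how
    much of each signature is fixed and how much differs between them."""
    pats = [r[0] for r in records]
    prefix = 0
    while (all(prefix < len(p) for p in pats)
           and len({p[prefix] for p in pats}) == 1):
        prefix += 1
    suffix = 0
    while (all(suffix < len(p) - prefix for p in pats)
           and len({p[-1 - suffix] for p in pats}) == 1):
        suffix += 1
    return prefix, suffix


def make_sector(pattern=None, offset=0):
    """Constructed 512-byte test sector: zero filled, 55 AA boot marker,
    optionally with one pattern copied in at `offset`. Not a real MBR."""
    sector = bytearray(512)
    sector[510:512] = b"\x55\xaa"
    if pattern:
        sector[offset:offset + len(pattern)] = pattern
    return bytes(sector)


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    print("shared prefix/suffix bytes:", common_affixes(recs))
    sample = make_sector(recs[1][0], 0x20)   # constructed sample input
    for idx, off in scan_buffer(sample, recs):
        print("record %d matched at offset 0x%02X: %s" % (idx, off, recs[idx][1]))
```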

------------------------------

Date:    Wed, 26 Aug 92 10:36:16 -0400
From:    "David M. Chess" <[email protected]>
Subject: re: On integrity checking (PC)

[email protected] (Kevin Marcus) asks whether a disinfect-on-the-fly
virus wouldn't escape notice from an integrity checker if it was
active while the checker was running.  Yes and no!  The same applies
for any other stealth technique; it will fool an integrity checker
*if* it is active when the checker is running *and* the checker
doesn't defeat the particular kind of stealth.  The various integrity
checkers that don't require a cold trusted boot before running all
incorporate some sort of anti-stealth hacks to prevent the most common
kinds of stealthing.  The kind you mention would be reasonably easy to
detect (an open-for-read shouldn't cause a write!).

There is of course much room for an arms race here, with viruses being
written to escape detection by existing anti-stealth methods,
anti-virus programs getting cleverer anti-stealth, and so on.  I'd
advise Ken not to let the discussion of possible methods get too
detailed here in public!  *8)

A cold trusted boot is still the best idea; that's what I use...

DC

------------------------------

Date:    Wed, 26 Aug 92 11:17:41 -0400
From:    [email protected]
Subject: McAfee's 95 series (PC)

Hi fellows.

In reply to my query about the authenticity of McAfee Associates "95"
series of programs I got a message from a Belgian user who mentioned
that the files were on the GARBO server.  It seemed to me that US
programs should also be made available from a US site <grin>, so I
fetched the files which are now available from us too.

-----
files:  CLEAN95C.ZIP    NETSCN95B.ZIP   SCANV95B.ZIP    VSHLD95C.ZIP
-----
Site:       urvax.urich.edu,  [141.166.1.6]    (VAX/VMS using Multinet)
Directory:  [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password.  You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.

-----
PLEASE!!!  Do not overload our small site and start FTP'ing after 21:00 Eastern
time.

Best to all, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   [email protected]     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date:    26 Aug 92 15:33:10 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: new virus found (PC)

[email protected] writes:

>A new virus not detected by McAfee's Scan93 nor Virx version 2.3 was
>found in Brazil. F-prot said it's a new variant of jerusalem.

Well, it turned out that it is not.  This virus belongs to a separate
family.  It contains an encrypted text string "Freddy Krg", so I have
proposed the name "Freddy" for it.

F-PROT version 2.04d (a semi-official version I just uploaded to
SIMTEL20) can detect and disinfect this virus.  However, there is no
need to hurry and download this version, as I will upload 2.05
tomorrow, just before I leave for the virus conference in Scotland.

-frisk

------------------------------

Date:    26 Aug 92 15:43:06 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Anyone for a Feist ??? (PC)

[email protected] (Did somebody say Coffee ??????) writes:

>A few days ago I came across a machine absolutely
>covered by the feist virus..

Hm - strange.  As far as I know, Feist is unknown outside Russia.

>Clean 93 wouldn't remove it, although it was in F-Prot 2.04a's
>database, wouldn't even recognise it !!

In that case there are two possibilities:

       1) This is a false alarm - F-PROT detects Feist without problems,
          I just checked.

       2) This is a new virus, that (whatever other program you used)
          just happens to mis-identify as Feist.  In this case I would
          need a sample of it to update F-PROT.

However, it might also be interesting to see what other scanners report, or
what F-PROT's Quick and Heuristic scan report.

-frisk

------------------------------

Date:    26 Aug 92 12:07:59 -0800
From:    "[email protected]"@BIIVAX.DP.BECKMAN.COM
Subject: Re: What is the best anti-virus program??? (PC)

[email protected] (A.A.Buykx) writes:

>Hello,

>I recently downloaded f-prot.exe and I downloaded earlier virscan. Now my
>question is (I am a novice in *anti* virus programs):
>   Which one of these, or which other program should I use to
>   protect my beloved computer from being crunched by some virus.

You can try posting on the group comp.virus, and get more responses
than you want, but the quick answer is .... get more than one (except
Central Point, which is incompatible with all other anti-virals).
--
Arthur L. Rubin: [email protected] (work) Beckman Instruments/Brea
[email protected] [email protected] [email protected] (personal)
My opinions are my own, and do not represent those of my employer.
My interaction with our news system is unstable; if you want to be sure I see a
post, mail it.

------------------------------

Date:    Wed, 26 Aug 92 20:13:39 +0000
From:    [email protected] (Robert Slade)
Subject: CPAV and Windows (PC)

Cleaning out the desk today.  :-)

The rumours of parts of Central Point's Anti Virus being included with
the next release of MS-DOS, discussed here previously, would seem to
be confirmed by now.  This prompted, in my mind, the possibility that
Windows would have some such capability in its next release as well.

This was brought home to me as I tried to install the Logo computer
language on a machine recently.  I was installing two versions, one
for DOS and one for Windows (both based upon the LSRHS version.)  Both
versions contained files named LOGO.EXE.  For reasons of the path and
environment requirements of the files, they were extracted into
different directories, and the Windows version copied into the main
directory as WLOGO.EXE.

In attempting to install the program within Windows, both LOGO.EXE
files were found, even though one was not a Windows program.  Both
files prompted an alert window from CPAV.  Neither program was
identified by the full path name.  The filename alone was given.  It
is reasonable that a "new" file should be flagged by change detection.
However, the WLOGO.EXE file never generated an alert.

The alert generated was very terse.  It simply stated that the file
LOGO.EXE had changed.  It did not indicate that this was a new file.
The only options were "OK" and "Cancel".  "OK" what?  OK to kill the
file?  "cancel" my Windows session completely?  OK appeared to let the
Windows installation procedure proceed.  However, sometimes (I tried
the installation more than once) the CPAV window was not removed.
Activity "behind" it would "show through", but the original screen was
not redrawn.  Although the "OK" allowed the operation to proceed,
subsequent runs still did not "know" about the LOGO.EXE file.

=============
Vancouver      [email protected]         | Life is
Institute for  [email protected]      | unpredictable:
Research into  [email protected]         | eat dessert
User           [email protected]         | first.
Security       Canada V7K 2G6           |

------------------------------

Date:    Mon, 24 Aug 92 09:28:11 -0400
From:    [email protected]
Subject: OS/2 boot sectors (OS/2)

Yaron Goland asks
>My Question is as follows:Does os/2 change the boot sector of
>drives under its control? In addition, I understand why my first 1
>meg, boot manager, partition would have a self booting program in it
>but why should my D drive have one? Os/2 does NOT boot from D drive
>and dos boots from C drive! So should there be a self running
>program on my D drive? I'm very concerned as this sort of activity
>is standard viral activity. And finally, is there any known virus
>which targets cmos and clears out sections of it?

Yes, if you have a dual boot machine, the boot sector is changed from
an OS/2 boot sector back to a DOS boot sector when you execute the
BOOT command, and vice versa when you go back to OS/2.  Nothing
abnormal there.  Concerning the detection of a supposedly "self
booting program", I would surmise that the integrity program you use,
like almost all DOS programs, wasn't written to take into account the
fact that it could also be run on an OS/2 machine.  The OS/2 boot
record is different than the DOS boot record, albeit similar in
structure, so this is probably what is producing your message, since
the OS/2 boot program could very well be described as self-booting.

About the possibility of a CMOS virus, as far as I know, the CMOS
memory is not in the address range of 80x86 processors, so a program
usually cannot access this memory directly or change it.  Not to say
that it's impossible, but I have heard of no viruses that target CMOS.
It is far more likely that this problem is the result of a bad battery
or motherboard problem.  The CMOS memory chip itself can also go bad.

Kevin Haney
Internet: khv%[email protected]

------------------------------

Date:    Wed, 26 Aug 92 19:37:04 +0000
From:    [email protected] (Robert Slade)
Subject: BBS listing

On the basis of some past requests, I have undertaken to compile a
listing of BBSes with a major antiviral emphasis.  The following is
the result so far:

Yes, boys and girls, two calls over the three virus related echoes
have produced exactly nothing.  Very discouraging.

I may attempt a compilation of the phone numbers contained in
"taglines" on messages.  There are two problems with this: I cannot
give any indication of the status or stature of the boards so
identified, only the number and the fact that they carry a virus
related echo, and not all taglines contain the phone number of the
board.

There is a third possibility in the longer term.  The Cyberstore
online service is preparing to offer editorial "feeds" to BBSes and
other information services.  The first to be offered will be a "Virus
Doctor" feed, which I am preparing for them.  I should be able to
obtain information about the boards which carry the service, and
therefore build a base of BBS numbers from that.

==============
Vancouver      [email protected]         | "Is it plugged in?"
Institute for  [email protected]      | "I can't see."
Research into  [email protected]         | "Why not?"
User           [email protected]         | "The power's off
Security       Canada V7K 2G6           |  here."

------------------------------

Date:    Wed, 26 Aug 92 19:54:32 +0000
From:    [email protected] (Robert Slade)
Subject: Products for review - shipping

I have just completed a major mailing requesting submission of
antiviral products for review.  I have sent this mailing to all those
for whom I have valid addresses, based upon the CONTACT.LST.  If any
of you have not received a mailing from me, please consider this to be
the request, as well as sending me your address and contact info.

I have, in the past few days, started to receive some of the products
for review.  Unfortunately, most have been very badly prepared for
shipping and customs.  As I have no funding for the product reviews, I
am unable to receive packages which arrive COD, postage or customs
due.

Some tips:

Wherever possible, have a Canadian office or distributor forward the
package, thus eliminating the whole problem.

Don't use UPS.  In two years I have never received an evaluation
package shipped via them without major problems.

Prepare the packages properly regarding customs documentation.  As the
packages, after review, will be used in seminars, they may be declared
as educational material.  However, please remember also to note that
the package is an evaluation copy, and has no resale value.  For
purposes of the GST, please declare the "service value" at under $25.
Alternately, please prepay the duty and taxes.

As a side note, I had hoped, with this round of reviews, to include
some book reviews as well.  Unfortunately, the response from
publishers has been very disappointing so far.

==============
Vancouver      [email protected]         | "Don't buy a
Institute for  [email protected]      |     computer."
Research into  [email protected]         | Jeff Richards'
User           [email protected]         | First Law of
Security       Canada V7K 2G6           | Data Security

------------------------------

Date:    Mon, 24 Aug 92 08:46:07 -0400
From:    Y. Radai <[email protected]>
Subject: Re: Jerusalem virus (CVP)

 Olivier M.J. Crepin-Leblond writes, concerning the Jerusalem virus:
>                    In fact, some pointers now show the origin of the
>virus to be Italy ....

I've seen this claim in several places, and I'm curious to know what
the evidence is for this "Italian Connection".  In my opinion, it is
quite unlikely that the virus originated outside of Israel for the
following reason:  Three other viruses were also discovered in Israel
shortly after the Jerusalem was discovered, and it's clear from an
analysis of them that they are *precursors* of the Jerusalem virus:
sURIV 1.01 infects only COM files, sURIV 2.01 only EXE files, sURIV
3.00 combines the two into one virus, and the Jerusalem is an
improvement over sURIV 3.00.  Unless these viruses were also discovered in
Italy, it's much more likely that the Jerusalem spread from Israel to
Italy rather than the other way around.

                                    Y. Radai
                                    Hebrew Univ. of Jerusalem, Israel
                                    [email protected]
                                    [email protected]

------------------------------

Date:    Tue, 25 Aug 92 20:04:55 -0400
From:    Jimmy Kuo <[email protected]>
Subject: Symantec announces NAVSCAN (freeware) (PC)

Symantec has made available as freeware, a detect/delete only version
of NAV.  This program is made available through BBSes throughout the
world.  We encourage people to try the program.  The user interface of
NAVSCAN and NAV is similar throughout the Peter Norton line of
products.

NAVSCAN is a detection only version of NAV incorporating the August 1
update definitions set.  (Files detected by NAVSCAN can be deleted
from within NAVSCAN.)  The August definitions set has also been sent
to each of the BBSes so that full function NAV users can download and
update their programs from a variety of BBSes.  (You can also bug your
sysop to start carrying each new month's update on that BBS.)
Information on how to purchase the full function The Norton AntiVirus
product is available in the NAVSCAN program.

Jimmy Kuo                                       [email protected]
Norton AntiVirus Research

------------------------------

Date:    Wed, 26 Aug 92 18:31:11 -0400
From:    [email protected] (McAfee Associates)
Subject: McAfee VIRUSCAN V95 uploaded to WSMR-SIMTEL20.Army.Mil (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil:

pd1<msdos.trojan-pro>:
SCANV95B.ZIP     VIRUSCAN V95-B system scanner for PC's
WSCAN95B.ZIP     SCAN for Windows 3.X V95-B Windows version of VIRUSCAN
NETSC95B.ZIP     NETSCAN V95-B network file server scanner
VSHLD95C.ZIP     VSHIELD V95-C virus infection prevention TSR
CLEAN95C.ZIP     CLEAN-UP V95-C virus disinfection/removal tool

WHAT'S NEW WITH VERSION 95

    Version 95 of the VIRUSCAN (SCAN, CLEAN, VSHIELD, NETSCAN, and
WSCAN) series has been released, adding 99 new viruses, for a total of
685 viruses, or counting strains, 1,401.

    Version 95 replaces V93.  A V94 was in beta-test, but we
discontinued it after reports of a Trojan horse "V94" from Monterrey,
Mexico.  In order to prevent any confusion, we have skipped ahead to
Version 95.

The current versions of the various programs are:

VIRUSCAN, NETSCAN, and WSCAN                    Version 95-B
VSHIELD and CLEAN-UP                            Version 95-C

Older V95 (and 95-B) versions were NOT uploaded to SIMTEL20, Garbo, or
any other internet sites.  V95 (the initial release) had a problem with
the /SAVE switch for all programs, and there were some message display
bugs in the VSHIELD and CLEAN-UP 95-B that required replacement with a
95-C release.

    One new option has been added to VSHIELD, the /NI6510 switch.  This
switch fixes a conflict that occurs when VSHIELD is run on a PC with a
Racal-Datacomm NI6510 network interface card.  This fix is specific to the
NI6510 and does not apply to any other product.

Validation data for the above with VALIDATE.COM is as follows:

CLEAN-UP 95C (CLEAN.EXE)            S:98,237   D:08-20-92   M1: BE92  M2: 02BB
NETSCAN B95 (NETSCAN.EXE)           S:77,976   D:08-19-92   M1: 5CFA  M2: 1DC6
SCAN FOR WINDOWS B95 (WINSTALL.EXE) S:13,269   D:08-19-92   M1: 3885  M2: 0813
SCAN FOR WINDOWS B95 (WSCAN95B.EXE) S:88,437   D:08-19-92   M1: 7FDC  M2: 146A
VIRUSCAN SCANV95B (SCAN.EXE)        S:80,073   D:08-19-92   M1: 3885  M2: 0813
VSHIELD VSHLD95C (VSHIELD.EXE)      S:44,991   D:08-21-92   M1: E7AB  M2: 0B78


Regards,

Aryeh Goretsky
McAfee Associates Technical Support

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX   (408) 970-9727 | [email protected]
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107  USA          | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/NETSHIELD/TARGET/THE CONFIG MGR.

------------------------------

Date:    Thu, 27 Aug 92 10:36:18 +0700
From:    [email protected] (Fridrik Skulason)
Subject: F-PROT new version announcement (PC)

I just released a new major version of F-PROT - 2.05.  It has been
uploaded to WSMR-SIMTEL20.army.mil, and should be available on other
major archive sites, such as OAK and GARBO (in Finland) within a few
days.

Version 2.05 - major changes:

   The number of encrypted viruses that F-PROT can now disinfect (without
   harming the original program, of course) has been increased considerably.

Version 2.05 - the following problems were found and corrected.

   If the SHARE program was loaded, version 2.04 would display an "error
   opening ENGLISH.TX0" when that file was scanned.  A similar error
   message could also be produced during installation.

   Version 2.04 would occasionally incorrectly report that a Dark Avenger
   or SVC-infected file had been modified by adding some extra bytes.

   The virus names reported by the scanner did not always agree 100%
   with the virus information database - SADAM vs SADDAM, for example.

   If the /NOPACKED switch is used, the program no longer produces
   a warning about the files it skips.

Version 2.05 - minor improvements:

  The following command line switches have been added to F-PROT:

       /PAGE - used to make the program pause after each page of
       output (only in command-line mode)

       /OLD - disables the "This version of the program is rather old"
       message.  A corresponding switch was added to the virstop program.

  A /DISK command-line switch has been added to the VIRSTOP program, to
  allow it to swap signatures in from disk as necessary.  Note: This
  must not be used if VIRSTOP is run from a diskette that is later
  removed.  This feature is new, and not fully tested yet - use with
  care.

  F-PROT now identifies Jerusalem-inoculated virus samples as such,
  instead of just reporting "Modified (5 bytes added)".

  F-PROT will now exit if a virus signature is found in memory.  As this
  might be a false alarm, it is possible to use the /NOMEM switch to
  skip the memory scan.

  The PRICING.DOC file has been renamed to ORDER.DOC, and includes
  more information than before on how to order the program.

Version 2.05 - new viruses:

  The following 11 new viruses can now be detected but not removed,
  only deleted.  This is because they overwrite infected files, or
  damage them irreversibly.

       FCB
       Leprosy-Silver Dollar
       MSK (Blaze and MSK)
       Reboot Patcher
       SHHS-B
       Tiny Hunter
       Trivial (16, 42, 50 and Hanger)

  The following 109 new viruses can now be detected and removed.

       _302
       _334
       _439
       66A
       Ash (280 and 743)
       Astra-976
       Atas (384 and 400)
       Athens
       Backfont-900
       BFD (A and B)
       Bljec-Sad
       Baobab
       Capital
       Cascade-1701-D
       CC-145
       Chad
       Cinderella-B
       Cossiga-Friends-B
       Cracky
       Crooked
       Dark Avenger-Father
       DM-400-1.04
       End of
       Finnish-357
       Flower
       Freddy
       Friday the 13th-ENET 37
       Funeral
       Fungus
       Globe
       Hafenstrasse-1191
       Happy
       Happy Monday (A, B and C)
       Hellween-1182
       Hi
       Horror-1112
       Irus
       Jerusalem-Timor
       Junior
       Keypress-1232-B
       Kinnison
       Lazy-B
       Lesson I
       Lesson II (358 and 360)
       Little Girl
       Little Brother-300
       Magnitogorsk (2048-B and 2560-C)
       Mud
       Nov 17-768
       Npox
       Number 1-Fiis
       Old Yankee-Black Peter
       Parity Boot
       PCBB (1650, 1652, 1658 and 1701)
       Pif-paf
       Pixel (297 and 342)
       Plutto
       Prime
       Protect (1157 and 1355)
       PS-MPC (644)
       Quake
       Reboot
       Russian Tiny-131
       Screaming Fist (732, II-B and II-C)
       Siskin (Goodbye, 948 and 1017)
       Sistor-1000
       Stanco
       Stupid-SADAM-FF
       Suicidal
       Suriv 1-Dad
       Sux
       SVC (5.0-B and 6.01-4661)
       Swiss Phoenix
       Tired
       Vacsina-Penza
       VCL (Code Zero, Donatello, Earthday, Enun, Kinison, Venom and
            Yankee-tune)
       VCS-Post
       Vienna (415, 744 and Vengeance)
       Vote (A and B)
       Yankee (1712 and 2968)
       Youth (640 and Futhark)
       ZZ

  The following 14 new viruses can now be detected but not yet removed.

       Andryushka (A and B)
       Astra-1010
       Ear (Quake and Suicide)
       Emmie
       MtE (Cryptlab and Groove)
       Otto
       Slovakia (2.02 and 3.0)
       XPEH (3600, 3840 and 4048)
       Youth-Silence

  The following 47 viruses that could be detected but not removed with
  earlier versions of F-PROT can now be disinfected.

       Cheeba-(1.0 and 1.1)
       Cod
       Crew-2
       Danish Tiny-Stigmata
       Demolition
       DM-330
       Diskspoiler
       Doomsday
       Eastern Digital
       Eddie (MIR and Ps!ko)
       EMF
       EUPM
       Filedate 11
       Hafenstrasse (781, 809, 818, 1641 and 1689)
       HH&H
       Horror (1137 and 1182)
       Keyboard Bug (709, 1598 and 1722)
       Lozinsky (1882, 1958, 2968 and 2970)
       Marauder (560 and 860)
       Mix-2
       Munich
       Pathhunt
       Phalcon (Cloud and Ministry)
       Rape-2.2
       Screaming Fist-Stranger
       Siskin-Resurrect
       Stahlplatte
       SVC-5.0-A
       Syslock-Advent
       Thursday 12
       Vacsina TP-16 Multi
       Vienna (Dr.Q-1161, Dr.Q-1028 and 712)

  The following viruses have been renamed or re-classified.

       Plaice --> PCBB
       Russian Mutant --> Keyboard Bug-907
       Resurrect --> Siskin-Resurrect
       Hero-394 --> Siskin-394
       Hero-506 --> Siskin-506
       Scion --> Doomsday
       Vacsina-Rybka --> Vacsina TP-16 Multi

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 143]
******************************************


