Return-Path: <
[email protected]>
Received: from csmes.ncsl.nist.gov (MACBETH.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST)
id AA21440; Fri, 18 Sep 92 11:09:50 EDT
Posted-Date: Fri, 18 Sep 1992 10:58:19 -0400
Received-Date: Fri, 18 Sep 92 11:09:50 EDT
Errors-To:
[email protected]
Received: from Fidoii.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
id AA00829; Fri, 18 Sep 92 11:03:57 EDT
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA14650
(5.65c/IDA-1.4.4); Fri, 18 Sep 1992 10:58:19 -0400
Date: Fri, 18 Sep 1992 10:58:19 -0400
Message-Id: <
[email protected]>
Comment: Virus Discussion List
Originator:
[email protected]
Errors-To:
[email protected]
Reply-To: <
[email protected]>
Sender:
[email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: Kenneth R. van Wyk <
[email protected]>
To: Multiple recipients of list <
[email protected]>
Subject: VIRUS-L Digest V5 #153
Status: R
VIRUS-L Digest Friday, 18 Sep 1992 Volume 5 : Issue 153
Today's Topics:
Re: Now I know I have something. (PC)
Re: new virus found (PC)
Re: Bug in F-PROT? (PC)
Castlewoflenstein (PC)
Re: Problems with F-PROT (V2.05) (PC)
Jerusalem and Netware (PC)
Problem w' booting C: then A: (PC)
Re: Problem with Vshield 5.1B95 (PC)
Information on CPAV and McAfee (PC)
Virus Analysis of BootExe Virus (PC)
Re: NAVSCAN (PC)
Maltese Amoeba virus (PC)
Which detect/protect s/w? (PC)
Information on CPAV vs McAfee (PC)
Re: "New" 1530 virus ? (PC)
Re: F-prot false alarm? (PC)
Re: PC Guardian contact info? (PC)
Re: Amiga virus info (Amiga)
Re: Apple IIgs virus program? (Apple ][)
Re: self-checking programs
I-M124.ZIP available (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to
[email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<
[email protected]>.
Ken van Wyk
----------------------------------------------------------------------
Date: 14 Sep 92 09:07:13 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Now I know I have something. (PC)
[email protected] (Matthew Campbell 'The Fire Fox') writes:
> wuarchive. Is F-PROT supposed to have -AV with the files when
> unzipped? Mine doesn't.
No, F-Prot does not come in an archive with -AV codes. The -AV codes
are essentially useless to protect from tampering. DON'T RELY ON THEM!
There is a short (under 50 lines) C program that can fake any -AV code
used by PKZip. For instance, here is a short archive, which looks like
if it is packaged by McAfee Associates, but of course it isn't:
section 1 of uuencode 5.15 of file ttt.zip by R.E.M.
begin 644 ttt.zip
M4$L#!`H``"```*=9+AF6L!A>.````#@````#````5%145&AI<R!F:6QE(&AA
M<R!.3U0@8F5E;B!P86-K86=E9"!B>2!-8T%F964@07-S;V-I871E<RX-"AI0
M2P$""P`*```@``"G62X9EK`87C@````X`````P`N```````!`"``````````
M5%14!P`J`"5P@E1+-F)T]B&8+[
[email protected]#,D8_`E`XCH2W$VB69V^DCX5`K9&
:,;9UN5!+!08``````0`!`%\```!9````````
`
end
sum -r/size 45901/310 section (from "begin" to "end")
sum -r/size 61006/206 entire input file
> Message: This is either a corrupted program or one which contains
> instructions wich do not exist on all 80x86 processors.
> It will crash on some machines.
> -- text files were noted as suspicious such as NEW.205, SCAN.DOC,
> LANGUAGE.DOC, CONFIG.SYS, AUTOEXEC.BAT, and all scan.crc files.
Well, that's normal. All those are text files and therefore really
don't contain valid 80x86 CPU instructions... :-) Please, be sure to
perfectly understand the limitations of the heuristic scanners, before
using one...
> A disk editor revealed extra garbage added to the ends of the
> suspicious files as named by F-PROT v205. The extra stuff held two
Doesn't matter. The slack space in the last cluster (after the end of
the files) is not used by DOS and does not receive control. At least
three viruses (Number_of_the_Beast, Int13, and Necropilis) make use of
it, but they store there the overwritten -origianal- part of the file,
not th virus body. If you are still worried, you could wipe out the
slack space, by using e.g. WipeInfo from the Norton Utilities package.
> For the next two sectors it had something that looked like a data file
> containing names of viruses like: Violator, Stoned, Vienna, Hydra, and
> had names of the current scanners, characteristics of viruses, the
> months of the year, and some names of some countries.
Don't worry, this is just some garbage left in the slack space.
> What should I do?
First, you must prove that you really have a virus. Try creating
several large files, containing only NOPs and try to infect them.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail:
[email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 14 Sep 92 09:47:20 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: new virus found (PC)
[email protected] (Otto Stolz) writes:
>> * FREDDY
>> Freddy was made by one of a student in a academy of
>> computer in Indonesia. It infected the program, not a boot
>I fear, this name has already been given to another virus (cf. thee
>above quote from an old VIRUS-L posting). If I'm right, you'd better
>choose another name for the new beast, otherwise please tell us which
>name the Indonesioan virus has acquired, meanwhile.
Ah...I had forgotten about that one. However, I am not sure if it
matters, as that "Indonesian Freddy" never materialized - that is, no
virus researcher seems to have a copy of it. Maybe it existed, maybe
it did not, but for now, I'll consider it to belong to the "rumored"
category.
- -frisk
------------------------------
Date: 14 Sep 92 10:01:28 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: Bug in F-PROT? (PC)
[email protected] writes:
>I was using F-PROT 2.04c from a bootable DOS 5.0 diskette. After
>booting from the A: drive, I wanted to scan another diskette in the A:
>drive. F-PROT produced unintelligible messages, such as "cotaaly
>tanmcyng, ico staro%Nnurta...". Another user here reported the same
>phenomenon. Does anyone have an explanation and/or fix for this
>problem?
Well, the explanation is quite simple. All text messages F-PROT uses
are stored on disk, and only read into memory when necessary. So, if
you run F-PROT from a diskette, and then remove/replace that diskette,
you will get unpredictable behaviour.
I am sorry, but there is simply no way this can be fixed. If you only
have a one-disk machine, you can usually bypass the problem by
creating a RAMDISK and move the program there.
- -frisk
------------------------------
Date: Tue, 08 Sep 92 23:11:08 -0400
>From:
[email protected] (Rick Schryvers)
Subject: Castlewoflenstein (PC)
This is just a friendly little warning to all in echoland. Seems as
if some generous "programmer" has taken upon himself to construct a
virus and attach it to a hacked game. The game is called "CASTLE
WOLFENSTEIN" , the virus is in a file called "wolfchet.exe" its
basically a cheat program that allows you to have unlimited lives and
unlimited ammunition in the game. However, it also infects your boot
track of your hard disk. McCaffee v.91b identified this virus as the
"Wolf" virus, however others have mentioned it may be a variant of the
"Whale" virus. I aquired this game from a local BBS and like any good
pc owner should, was scanning my recent downloads and POOF there it
was. It hadn't become active yet so I didn't loose anything.
However, I did realize one thing, this program sat on my hard disk for
9 days before I found it. Why you might ask? Well it seems that I
didn't realize that many virus scanners cannot/don't look into zipped
files. I had kept the file zipped for awhile before I unzipped it.
In fact, I almost ran the cheat program when it hit me that I hadn't
scanned in a day or so and it might be a good time to do it....(I must
have a gaurdian angel).
Just thought I would let you know...by the way...the virus made its
way to South Florida by way of a British sailor. As many people know,
the Port of Tampa is a stop off point for many British warships. One
of these warships had a sailor on it who with the use of his Laptop
computer brought over software from Europe and
posted it on Florida BBS's. I'm not accusing the sailor that he knew
what was going on, however, it does seem that alot of viruses seem to
orginate in places other than the USA.
Let me know VIA EMAIL if anyone else has had experience with this
virus as I don't post here often...(its long distance to my mail hub).
See ya
. OFFLINE 1.40 * We don't need no steenking tag lines...
- --
Internet:
[email protected]
UUCP: ...!myrddin!tct!psycho!Rick.Schryvers
Note:psycho is a free gateway between Usenet & Fidonet. For info write to
[email protected].
------------------------------
Date: 14 Sep 92 10:59:05 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: Problems with F-PROT (V2.05) (PC)
[email protected] (Ken De Cruyenaere 204-474-8340) writes:
> 1) It no longer has the "SCANNING MEMORY FOR VIRUSES" box
> come up at start-up time, though that is apparently what
> it is doing. Result is an span of several seconds where the
> menu appears ready for action but does not respond.
Hm...right - this was a side-effect of a small last-minute change I
made. Fixed now.
> 2) VIRSTOP no longer hangs up the boot when it notices that
> it has been changed. It still produces the warning message,
> with the recommendation to boot from a clean floppy, then
> allows the boot to continue.
This managed to slip through testing somehow...fixed now.
> 3) This might not be new to 2.05. When you define some
> signature strings a file called USER.DEF is created.
> When you INSTALL F-PROT, USER.DEF is NOT one of the files
> copied over.
(shrug) well, the original idea was that one would normally only use
"Install" from a write-protected floppy disk, where USER.DEF could not
be created, so I did not bother to copy this file, but maybe I should.
- -frisk
------------------------------
Date: Mon, 14 Sep 92 07:59:13 -0400
>From: G J Scobie <
[email protected]>
Subject: Jerusalem and Netware (PC)
>From:
[email protected] (A. Padgett Peterson)
Subject: Re: NetWare and viruses - some new results (PC)
>Unfortunately, many users (and some applications) become very unhappy
>if they do not have WRITE right in their own directories. This was the
>problem I had with one LAN last year, the custom MAIL facility
>demanded WRITE right to itself. JERUSALEM spread like mad.
I don't think this is on these days. If an application needs write
permission for users in an area where the executables are stored then
I will not allow it on a LAN I administer. However, enough of me :-)
My experience of the Jerusalem Virus on netware 3.11 is that an
infected station cannot infect a file on the server because of the use
of INT 21h by the netware shell and the virus itself. Workstations
just bomb out if an infected program is run from the workstations hard
disk before any infection can take place. I am assuming that the above
LAN was not netware or have I have just been lucky?
Thanks in advance for any info on this.
Cheers
Garry Scobie
Senior Computing Officer
Edinburgh University Computing Services
Edinburgh University
e-mail:
[email protected]
------------------------------
Date: Mon, 14 Sep 92 17:46:27 -0400
>From:
[email protected]
Subject: Problem w' booting C: then A: (PC)
Someone recently noted that there is a trend in BIOS for boot from C:
then A:. We have machines in use like this and have found a problem.
Systems that have a SCSI controller will boot from A: even though the
BIOS setup is set for C: then A:. I have been able to get it to work
once but when reseting to A: then C: and back again it wouldn't work.
SCSI controllers have built in BIOS so CMOS is set to no hard drives
installed. It is possible that the BIOS is timing out before the SCSI
controller generates a ready signal. This would result in BIOS
thinking there was no hard drive. I will be trying additional test to
see if there is a way to get the C: then A: option to work. If you
have any information that might help solve this please let me know. In
the mean time you may have a hole in your virus defense system.
Keith R. Watson
Georgia Institute of Technology, Atlanta Georgia, 30332
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!kw3
Internet:
[email protected]
------------------------------
Date: Mon, 14 Sep 92 22:23:43 +0000
>From:
[email protected] (McAfee Associates)
Subject: Re: Problem with Vshield 5.1B95 (PC)
Hello Mr. Seymour,
The "blem wit" is a message from inside your NETX file, if memory
serves. Older versions of NETX substitute part of the "...proBLEM
WITh..." error message for the filename. Upgrading to current
versions of the drivers should make this go away.
Regards,
Aryeh Goretsky
Technical Support
/IN REPLY TO/
[email protected] (Chip Seymour, Information Resources) writes:
>I believe I am having a problem with VSHIELD. It loads ok, but when I
>do a MEM/C, it produces "blem wit" as the program name. Anybody else
>come across this? (v5.1B95)
>
>=============================================================================
>Conventional Memory :
>
> Name Size in Decimal Size in Hex
>- ------------- --------------------- -------------
> MSDOS 19472 ( 19.0K) 4C10
> SETVER 544 ( 0.5K) 220
> ANSI 4192 ( 4.1K) 1060
> HIMEM 1184 ( 1.2K) 4A0
> SMARTDRV 18592 ( 18.2K) 48A0
> RAMDRIVE 1184 ( 1.2K) 4A0
> ATDOSXL 9520 ( 9.3K) 2530
> MOUSE 14816 ( 14.5K) 39E0
> ETHDEV 30400 ( 29.7K) 76C0
> TCPIP 16480 ( 16.1K) 4060
> COMMAND 4416 ( 4.3K) 1140
> 3C503 3936 ( 3.8K) F60
> DOSKEY 4128 ( 4.0K) 1020
> IPX 16960 ( 16.6K) 4240
> NET5 42112 ( 41.1K) A480
> blem wit 38832 ( 37.9K) 97B0 <---------
> FREE 64 ( 0.1K) 40
> FREE 144 ( 0.1K) 90
> FREE 426944 (416.9K) 683C0
>
>Total FREE : 427152 (417.1K)
>
>Total bytes available to programs : 427152 (417.1K
)
>Largest executable program size : 426688 (416.7K
)
>
> 5242880 bytes total contiguous extended memory
> 0 bytes available contiguous extended memory
> 2293760 bytes available XMS memory
> MS-DOS resident in High Memory Area
- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 |
[email protected]
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA | USR HST Courier DS | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/NETSHIELD/TARGET/THE CONFIG MGR.
------------------------------
Date: Tue, 15 Sep 92 03:06:43 +0000
>From:
[email protected] (Chua Seng Teik (RC))
Subject: Information on CPAV and McAfee (PC)
I am doing an evaluation on some Anti-Virus packages and I have
narrowed down to 2 products namely Central Point AntiVirus and
McAfee's suite of products. I wonder if anyone out there have done a
similar comparison and is there any writeup that I can reference and
use as supporting material.
Cheers
- --
Chua Seng Teik | Information Technology Institute
internet :
[email protected] | National Computer Board
bitnet :
[email protected] | 71 Science Park Drive
voice : (65)772-0439 | Singapore 0511
------------------------------
Date: Tue, 15 Sep 92 17:11:58 -0400
>From: Roger Thompson <
[email protected]>
Subject: Virus Analysis of BootExe Virus (PC)
Boot Exe Virus
A multipartite virus with a difference.
The BootExe (temporary name) virus is an extremely efficient infector.
It infects fixed disks, floppy diskettes, and certain EXE files. It's
most unusual characteristic is that it infects during execution of the
BIOS interrupt 13 (disk functions) rather than intercepting the DOS
int 21 (file functions). By doing this it can avoid many monitor-type
anti-virus interceptors.
* BOOT RECORD EXECUTION
When executed as a boot record, it acts as a conventional boot record
virus. It reserves 4K of memory at the top of conventional memory,
copies itself into this area, and intercepts int 13, redirecting it to
it's own handler. The virus then checks for the presence of a hard
disk and infects the partition table if one is found.
Finally, the virus loads the original boot record and passes control
to it.
* EXE FILE EXECUTION
As explained later, infected EXE files are executed by DOS as a COM
file.
The virus first relocates itself into the top of the allocated
program memory. It then performs an "Am I Here" call. If it
returns false (virus not present), it infects memory, and revectors
int 13 to itself.
Finally, the virus adjusts all relocatable references in the EXE
file, sets the stack, and jumps to the original EXE entry point.
These actions are normally performed by DOS when the EXE file is
loaded. Now it is a COM file, the virus needs to perform them.
* INTERRUPT 13 HANDLING
The int 13 functions 0F and 02 are intercepted. All other functions
are ignored.
-Int 13 fn 0Fh
The 0F function is to write a test buffer. Normally this function
is rarely used, and it may only be applicable to an XT BIOS.
The virus uses this function as an "Am I Here" call. Presumably
this allows the function call to be recognized as a legitimate
function (in case anyone is watching). If the virus is already
resident it returns 19 in AH.
-Int 13 fn 02h
Function 2 is to read between 0 and 17 disk sectors (depending on
the drive). The virus takes the following action before allowing
the function to proceed.
It reads the first of the target sectors to an internal buffer. It
then tests the buffer to see if it is the header of an EXE file
suitable for infection. If any of the following tests fail, it
proceeds to the next stage.
- - The sector must begin with the EXE file header of "MZ".
- - The file size (according to the EXE header) must be less than 64K
(so it will run as a COM file).
- - The table of relocatable items must be 512 bytes in length and
must contain at least 453 bytes of unused space.
- - The program must request all available memory when it is run (most
EXE programs do).
When all these conditions are met, the virus inserts itself into the
unused area of the relocatable table, converts the "MZ" to a short
jump to itself and rewrites the sector to disk. This in effect
converts the file to COM format. Unfortunately DOS will execute it
as a COM, despite it having an EXE header, without warning.
The next stage is to test if the disk request is for a diskette. If
it is, and it is a read of the first cylinder, the virus checks to
see if the diskette is already infected. If not, it inserts itself
in the boot record of the diskette.
* TRIGGERS
The virus does not appear to contain any triggers.
* DESTRUCTIVE ACTIONS
The virus does not appear to contain any deliberately destructive
code other than to infect disks and EXE files.
* DETECTION
Infected boot records and EXE files will contain the following byte
sequence:
BB 92 01 EB 21 10? A1 13 04 48 48 83 2E 13 04 04 04? BB 7A 01 8E C0 FC
------------------------------
Date: Wed, 16 Sep 92 03:45:59 +0000
>From:
[email protected] (Robert Slade)
Subject: Re: NAVSCAN (PC)
[email protected] (Jesus Miguel Garcia Rodriguez) writes:
>
> Where can i get NAVSCAN? or When its gonna be out?
It's on Compuserve. As far as when it will get out, don't hold your
breath.
Jimmy has stated that Compuserve is the best the company can do right
now. It will *not* be posted to BBSes "around the world". If anyone
has acces to it on CompuServe, they are allowed to repost it. Perhaps
some kind soul will download it, and send xxencoded copies to site
maintainers.
=============
Vancouver
[email protected] | "Remember, by the
Institute for
[email protected] | rules of the game, I
Research into
[email protected] | *must* lie. *Now* do
User
[email protected] | you believe me?"
Security Canada V7K 2G6 | Margaret Atwood
------------------------------
Date: Wed, 16 Sep 92 18:34:54 +0000
>From:
[email protected] (Gerald L Jr Reno)
Subject: Maltese Amoeba virus (PC)
Does anyone know anything about the Maltese Amoeba virus? I've
been out of it for a bit, and just got a memo from a software
company (John Wiley & Sons) informing me that some of their disks
were infected.
The letter only suggests that the virus "may, unfortunately,
affect files on your hard drive" and that it is only detectable
by the Norton Anti-Virus (Version 2.0).
Being from a department (MSU Dept. of Statistics) that does not
have acces to NAV, I'd really like to know if anyone has more
information.....
Thanks,
Jerry Reno (
[email protected])
------------------------------
Date: 16 Sep 92 17:38:56 -0500
>From: "J. Douglas Works" <
[email protected]>
Subject: Which detect/protect s/w? (PC)
Could someone E-mail or post what combinations of virus
detection/protection programs are generally recommended? I have
McAfee's SCAN and CLEAN (BTW, what IS the latest version # out
there?), but are these two sufficient for detection?
What do most people recommend for hard disk protection? F-Prot?
Sentry? Any help would be appreciated. Thanks.
- Doug
.............................................................................
.............................................................................
.. | "He is no fool who gives what he cannot keep, ...
.. --+-- to gain what he cannot lose." ...
.. | - Jim Elliot ...
.. | ...
..................... Internet:
[email protected] ............................
.............................................................................
J. Douglas Works * HRB Systems, Inc. * State College, PA 16804 USA
------------------------------
Date: Fri, 18 Sep 92 01:33:34 +0000
>From:
[email protected] (Chua Seng Teik (RC))
Subject: Information on CPAV vs McAfee (PC)
Just like to find out if any of you has done any comparisons between
CPAV (Central Point Anti-Virus) and McAfee. In particular features
that are unique to either of these products. I would appreciate if you
could e-mail me any relevant information on these 2 products.
Thanks in advance.
Cheers
- --
Chua Seng Teik | Information Technology Institute
internet :
[email protected] | National Computer Board
bitnet :
[email protected] | 71 Science Park Drive
voice : (65)772-0439 | Singapore 0511
------------------------------
Date: 18 Sep 92 09:06:54 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: "New" 1530 virus ? (PC)
[email protected] (Vesselin Bontchev) writes:
>
[email protected] (Ken De Cruyenaere 204-474-8340) writes:
>> A new virus has turned up on our campus.
>> McAfee v95 identifies it as "1530" but will not clean it.
>> F-PROT (V2.05) does not detect it (even in HEURISTICS) (!)
>Hmm, F-Prot 2.05 detects all of the above... Seems that you have a new
>variant. I suggest that you send a copy to Frisk.
He did = I got it and it turned out to be a new virus, which I propose
to call Alexander. It bears some resemblance to the Dark Avenger
series, but I have not yet been able to determine how closely they are
related. There is an indication that the virus is of East-European
origin (written in Romania).
Anyhow, I have updated F-PROT to find and disinfect it - look for
version 2.05a (to be released on Monday).
- -frisk
------------------------------
Date: 18 Sep 92 09:11:26 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: F-prot false alarm? (PC)
[email protected] (Francesco Dalla Libera) writes:
>
[email protected] writes:
>>Just obtained F-prot 2.05 from simtel. Unpacked it and did a secure
>>scan. To my surprise backup.exe (from dos 5.0) was reported as being
>>infected with the Stanco virus.
False alarm - sorry folks. I did some (ehem) improvements in 2.05
regarding handling of the few viruses that actually spread in
compressed form, such as Stanco, Happy Monday and Even Beeper.
Unfortunately this caused some false alarms, so I changed back to my
old, (but slower) method in 2.05a.
I will upload 2.05a right after this weekend - I just want to include
as many as possible of the 100+ new viruses that I just got - most of
which were from Russia.
- -frisk
------------------------------
Date: 18 Sep 92 09:15:15 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: PC Guardian contact info? (PC)
[email protected] (Robert Slade) writes:
>A recent report in Computing Canada says that the Ontario government
>has switched from McAfee to a company called PC Guardian out of San
>Rafael, CA.
But what the report probably did not say was that the virus scanner
included in the package deal was F-PROT. :-)
- -frisk
------------------------------
Date: Mon, 14 Sep 92 19:38:41 -0400
>From: Anthony Naggs <
[email protected]>
Subject: Re: Amiga virus info (Amiga)
Red Dragon, <cmontoya%
[email protected]>, asks:
> Where can I get Amiga virus information?
Sorry this is so late, I thought some other Amiga users would have
answered this.
The Virus Test Centre in Hamburg produces some material, which may not
be comprehensive. It is available by anonymous ftp, and I think Ken
has copies at cert.org for US access.
system: ftp.informatik.uni-hamburg.de
directory: /pub/virus/texts/catalog
files: bytes date name
44234 Feb 10 1992 amiga.zip
16325 Jul 25 10:01 AmigaVir.792
user name: anonymous
password: [your e-mail address]
As this site only has a low volume modem link it is best to use a net
copy program to fetch the file. (I have used the following copy
programs, VAX/VMS: 'transfer', SUN Unix: 'hhcp'). Note the '.zip'
file is binary and must be copied in binary mode, and may need to be
decompressed with PKZIP on a MS-DOS system.
The documentation for the better Amiga anti-virus software includes
short descriptions of viruses. For ftp access try, (from Jim Wright's
helpful postings), one of:
system: ms.uky.edu (IP address is 128.163.128.6)
directory: /pub/amiga/Antivirus
system: eugene.utmb.edu (IP address is 129.109.1.21)
directory: /pub/virus-software/amiga
backup site to eugene
system: beach.utmb.edu (IP address 129.109.1.207)
directory: [ANONYMOUS.PUB.VIRUS.AMIGA]
Hope this helps,
Anthony Naggs
Software/Electronics Engineer P O Box 1080, Peacehaven
(and virus researcher) East Sussex BN10 8PZ
Phone: +44 273 589701 Great Britain
Email: (c/o Univ of Brighton)
[email protected] or
[email protected]
------------------------------
Date: Wed, 16 Sep 92 11:56:34 -0400
>From: <DBEHRENS%
[email protected]>
Subject: Re: Apple IIgs virus program? (Apple ][)
I'm wondering if there is such a thing as a virus detection program
available for the Apple IIgs computer. If it does exist please let me
know where I can get the program, and if there is any cost associated.
Thank you,
Dennis J. Behrens
------------------------------
Date: 14 Sep 92 09:39:49 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: self-checking programs
[email protected] (Christian Burger) writes:
> executable after compilation. This package will probably not protect
> against all stealth viruses but it will certainly provide a good
> protection against the most common viruses. The stealth bomber package
> is freely available via anonymous ftp from any simtel archive mirror
> as /msdos/trojan-pro/stealth.zip. I would be interested in comments
> of the virus gurus on this package.
Well, your suppositions are right. It is unable to provide protection
against some advanced stealth mechanisms, but it is able to catch all
simple viruses and even some of the stealth ones. Some protection is
better than no protection, just don't rely on it.
BTW, have in mind that programs which perform self-checking cannot be
disinfected from some of the existing viruses. The reason is that a
lot of viruses are padding the EXE files so that their length becomes
a multiple of 16 (completely unnecessary, but Jerusalem did it and
lots of virus authors copied it from there). Most of these viruses
don't keep a record of the actual file length, so this information is
lost. Therefore, all disinfectors will leave up to 16 bytes of
garbage, after disinfecting the file. Of course, the checksum of the
file will not match any more, so a self-checking program will refuse
to work. Yet another argument not to use disinfection but to replace
the infected file with a clean copy.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail:
[email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Fri, 18 Sep 92 08:36:59 -0400
>From:
[email protected]
Subject: I-M124.ZIP available (PC)
Just to report the availability of an update for Integrity Master. It
is now available for FTP processing from us.
- -----
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]
FTP to urvax.urich.edu with username anonymous and your email address
as password. You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond
[email protected] (Bitnet or Internet)
Richmond, VA 23173
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 153]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
