Return-Path: <
[email protected]>
Received: from csmes.ncsl.nist.gov ([129.6.54.2]) by first.org (4.1/NIST)
id AA16295; Wed, 28 Oct 92 15:56:37 EST
Posted-Date: Wed, 28 Oct 1992 15:37:40 -0500
Received-Date: Wed, 28 Oct 92 15:56:37 EST
Errors-To:
[email protected]
Received: from Fidoii.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
id AA00361; Wed, 28 Oct 92 15:51:06 EST
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA26417
(5.65c/IDA-1.4.4); Wed, 28 Oct 1992 15:37:40 -0500
Date: Wed, 28 Oct 1992 15:37:40 -0500
Message-Id: <
[email protected]>
Comment: Virus Discussion List
Originator:
[email protected]
Errors-To:
[email protected]
Reply-To: <
[email protected]>
Sender:
[email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <
[email protected]>
To: Multiple recipients of list <
[email protected]>
Subject: VIRUS-L Digest V5 #169
Status: R
VIRUS-L Digest Wednesday, 28 Oct 1992 Volume 5 : Issue 169
Today's Topics:
Re: Flip (PC)
Re: KEY Press virus & McAfee v97 (PC)
VCL? (PC)
Re: Request info on FORM (PC)
Re: SCAN 95b doesn't find MtE in EXE files (PC)
Need PC Anti-Virus Comparison (PC)
Checking high memory with VSCAN (PC)
MBR Viruses and FDISK /MBR (PC)
Infection density (was: SCAN 95b doesn't...) (PC)
Damage from Stoned and FORM (PC); Comment on Recent Postings
McAfee Scan and F-prot (PC)
MtE ?? (PC)
Re: V-Sign virus struck again!!!!!!!!!! (PC)
Re: VirusCURE impressions (PC)
strange trojan... (PC)
files truncated (PC)
Virus Demo? (PC)
Re: Key Press Virus & scan97 again (PC)
Re: WSCANV97 will not work in OS/2 (OS/2)
Questions about the "Batman Virus" (Atari ST)
Call for Papers - 6th Computer Security & Virus Conf.
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to
[email protected].
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<
[email protected]>.
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 27 Oct 92 08:04:26 -0500
>From: "David M. Chess" <
[email protected]>
Subject: Re: Flip (PC)
> From:
[email protected] (Ron V.d.rest)
> Systems infected FLIP may experience file allocation errors resulting
> in file linkage error.
Really? Does anyone know of any evidence for this, or is it just a
quote from some commercial virus info list? I don't recall ever
seeing this in a FLIP infection, or seeing any code in the virus that
would cause this. A few publicly-available virus lists make this
claim for every third or fourth virus, and I've always wondered why.
Does anyone know any technical reason this should occur?
DC
------------------------------
Date: 27 Oct 92 13:04:44 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: KEY Press virus & McAfee v97 (PC)
[email protected] (LEMMING) writes:
> I am also getting some discrepencies about the Keypress virus.
> Running Scan97 on a sample of the virus, it reported that the file was
> infected 3 times. (i.e. The message "Found Keypress Virus..." appeared
> 3 times.) This was reported again on a variant as well as some other
> files I tested with the same virus. I know that the files have been
> infected only once.
I can confirm this. The scanning engine of SCAN has a minor bug - it
does not always stop scanning after a virus is found, so it can report
more than one virus in the file, if more than one scan signature is
found.
This would be correct, if it used to scan the entire file - because
then it would be able to detect ALL viruses that are eventually
present in it. However, SCAN uses a method, known as top-and-tail
scanning - it scans part of the beginning of the file, part of the end
of the file, and part of the file after the entry point. The general
idea is that normally a virus wants to get control as soon as the file
is executed, so it should intercept the control at one of these three
places... Unfortunately, this is not always the case, which explains
why SCAN does not detect Commander Bomber infections reliably - the
virus can reside just anywhere in the file and control is transferred
to it in a non-trivial way...
Well, in the particular case of the Keypress virus, it seems that SCAN
contains a scan string for it, which is encountered up to three times
in the virus. The bug mentioned above (that scanning does not always
stop after the first virus is found), makes the scanner report the
virus three times when only one virus is present in the file.
In fact, it seems that SCAN 97 always reports most of the Keypress
variants three times in the infected EXE files and two times in the
infected COM files.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail:
[email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 27 Oct 92 09:01:29 -0600
>From:
[email protected] (WADSWORTH, BRANDON SCOTT)
Subject: VCL? (PC)
Could someone out there explain what VCL is. I keep seeing it listed
in several places. Thanks from the newcomers around this place.
=:-Q
Brandon Scott Wadsworth
[email protected]
------------------------------
Date: 27 Oct 92 14:54:30 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Request info on FORM (PC)
[email protected] (G J Scobie) writes:
> > 3) OK, I give up, here's the answer: On 24th of every month the virus
> > makes the keys on the keyboard to "click" when you press them.
> We have had the FORM virus in a big way around the University this
> year. I have no idea why this virus should become so widespread but
> there have been previous reports on this board concerned with an
> apparent increase in the number of sightings this year.
There is some strong suspicion that a large diskette producing company
has shipped a large batch of pre-formatted diskettes, infected with
this virus. I would strongly advise anyone who is buying pre-formatted
diskettes, to open a package at random, to select one diskette at
random, to WRITE-PROTECT it (this is important!), and to scan it. If
it happens to be infected, PLEASE DO NOT USE ANY OTHER DISKETTE from
the package. Send the whole package (if possible - accompanied with
another one, without the shrink wrap removed) to an anti-virus
researcher.
> The version we have here triggers on the 18th of the month. Students
It is possible that somebody has re-compiled a disassembly of the
virus and has forgot to put a ".radix 16" directive. Note that 24
decimal is the same as 18 hexadecimal.
> have reported corrupt files on their floppies though this only seems
> to happen if the disk was nearly full before the infection took place.
Yes, this can happen. The virus stores a copy of the original boot
sector on the last sector of the disk. If this sector happens to be
occupied by a file, this file will be damaged.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail:
[email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 27 Oct 92 15:04:28 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC)
[email protected] (McAfee Associates) writes:
> VIRUSCAN Version 97 was released on the evening of Friday, October 16,
> so your preliminary testing of VIRUSCAN did not involve the most
> latest version of SCAN available. Version 95-B was released on August
When the preliminary tests were done, the latest available version of
SCAN was 95b. Since the results were alarming, I decided that it is my
duty to inform the users about a particular deficency in the then
latest version of the product. Even if a newer version of the product
were available (which it wasn't then), and even if it were able to
detect the MtE-based viruses reliably (which it still isn't, see
below), my message would alarm the users to urgently upgrade to the
newer version. I still think that there is nothing incorrect in what I
have done.
> .EXE-infecting viruses based on the Dark Avenger Mutation Engine.
> Naturally, it is included in the current release of SCAN.
Naturally. I downloaded the newest (still newest, as I am typing this
message) version of SCAN - version 97, just two days after I have
posted the message. I received an announcement from Simtel20 that it
is available the day before, but our ftp connection was out of order.
Anyway, as soon as it was physically possible for us, I downloaded the
newest version. In fact, parts of the package were still downloading,
when one of our students took SCAN 97 and repeated the test with this
version. I posted the results as soon as they were available.
The results are rather poor - they clearly show that version 97 of
SCAN is not able to detect reliably ANY of the MtE-based viruses too.
I have proven this to you, by sending you a batch of examples that
SCAN 97 was unable to detect. I have also offered to help you fixing
the problem and even suggested an easy solution for the other 284
missed samples. What do you want more?
> I can understand your desire to provide the readers of comp.virus with
> timely, accurate information about the efficacy of different anti-viral
> packages, however, posting one message decrying the deficiencies of
> one brand of software with an endnote about other packages sounds less
> like a genuine attempt at impartial research and more like alarmist scare
> tactics, or even worse, marketing :-)
It's very strange to see the above posted by someone from McAfee
Associates... Even if we don't pay attention to the fact that it does
not correspond to the truth (as I explained above), I still remember
an article posted somewhere (maybe even here), which described how
McAfee Associates sponsored a particular set of anti-virus product
evaluations and insisted that only old versions of the scanners of
their main competitors were tested.
> I note that several other anti-viral
> packages such as NAV, CPAV, Untouchable, Novi are not mentioned at all.
I don't have a copy of Novi. And, unlike your product, all the
products mentioned above are not shareware - they are all commercial,
so I obviously cannot easily get the latest versions as quickly as
with your product. Besides, I am only a human and cannot do everything
at once. In fact, the MtE tests even of your product were made
possible mainly because two visiting students from Rostok spent a lot
of time to generate 16,000 naturally infected samples (do you
understand what all this means, having in mind that some of the
MtE-based viruses infect only 2-3 samples in the current directory and
do not go resident?), and one of our students urgently ran two tests
(with version 95b and 97 of SCAN) and summarized the results...
I -will- publish MtE detection data for 17 scanners, each of which
claims (like yours) that it is able to detect all MtE-based viruses
with 100% reliability... As I said, I don't know about Novi, because
I don't have it, but NAV 2.1, CPAV 1.3, and UTScan 23.00.12 (the
scanner part of the Untouchable, since Untouchable is mainly an
integrity-based product) all failed the test - just like SCAN 97, they
turned out to be unable to detect all MtE-based viruses used during
the test reliably.
> In any case, I would strongly suggest that you complete your research in
> the future before posting incomplete results.
I am doing my best to provide the most complete data possible to the
users. So does the rest of the VTC-Hamburg. What has been observed in
SCAN 95b was a BUG, that's why I was precipitated to publish the
information about it. Or do you want to hide from your users that a
particular (even if not the latest) version of your program is buggy
and provides a false sense of security?
I will post the complete summary of the tests when it is ready.
Meanwhile, the results for SCAN 97 are ready and I already posted
them. They do not speak well for SCAN's ability to detect the
MtE-based viruses - NONE of them was detected reliably.
[Moderator's note: Gentlemen, please keep any follow-ups civil, or
else take them off-line.]
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail:
[email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: Tue, 27 Oct 92 07:07:00 -0700
>From: cup.portal.com!amc%
[email protected]
Subject: Need PC Anti-Virus Comparison (PC)
I would like to post a request for information and experiences with
commercial PC Anti-Virus hunter/killer software that are available as
a site license product.
Also, I would like a referal to any performance comparisons of various
anti-virus systems without regard to the above.
Can you help me?
Regards,
Alan Crawley
[Moderator's note: You might want to take a look at the independent
reviews by Chris McDonald and Rob Slade, available by anonymous FTP on
cert.org (192.88.209.5) in pub/virus-l/docs/reviews]
------------------------------
Date: Tue, 27 Oct 92 17:53:09 +0000
>From:
[email protected] (Rob Coenen)
Subject: Checking high memory with VSCAN (PC)
When I use VSACN and specify the /CKHIGH (I think) option
to check high memory I notice it only checks the first 1 Meg
of memory. (I have 4 Megs) Is it unnessesary to check the rest
or is something wrong?
Rob Coenen.
[email protected]
My .sig isn't back from the cleaners yet.
------------------------------
Date: Tue, 27 Oct 92 13:31:48 -0500
>From:
[email protected] (A. Padgett Peterson)
Subject: MBR Viruses and FDISK /MBR (PC)
[email protected] (G J Scobie) writes:
>Is there a list of which boot sector viruses can be disinfected from a
>hard disk using FDISK /MBR?
Not per se, but *almost* any disk infected with an MBR virus that can
be properly cold booted with a floppy is a likely candidate. All of
those that meet the above criteria which I know of can. (was that
English ?)
>Will FDISK /MBR work for them all or are there any interesting "gotchas"
>using this method?
An easy test is to boot from a floppy and first use the *documented*
DOS 5.0 command "UNFORMAT/PARTN/TEST/L" & do a reasonableness test on
the result. If it looks good, try FDISK /MBR. A "plain vanilla" disk
should report a DOS12 or DOS 16 Boot starting on cyl 0 Head 1 Sector
1.
Since FDISK /MBR simply replaces the MBR code and does not touch the
partition table, even if it does not cure the problem, it is *usually*
safe to use.
My FixMBR combines features to a large extent with the addition of
being able to "walk the disk" if a good partition table is not found
in sector 1 and will install the *FreeWare* SafeMBR code if requested.
In addition it is compatable with DOS 2.0 up, allows saving the
original MBR "just in case", and asks for confirmation before making
any changes.
[email protected] (David M. Chess) writes:
>As long as your copyright notice says that you've
>reserved all rights to yourself, no one who works for a company that
>has lawyers is going to be able to make a copy of it
Well I do not work under grants from anyone (except my wife 8*) nor do
I have any equipment supplied by either not-for-profits or a
university. (offers to change this condition are welcome 8*). For
that as for other reasons (my wife again), I do "reserve rights" to my
original work.
However, of the elements contained in the FixUtils, only two (FixMBR
and FixFBR) are ShareWare, other utilities are all FreeWare including
the new MBR/DBR code which is written by FixMBR/FixDBR.
This is *not* public domain, however for many individuals the postage
would be higher than the registration fee. Since none use scanning,
there is no need for periodic updates.
For that matter the .DOCs contain all of the information necessary for
a agile mind to duplicate my work (the .DOCs are larger than the
programs).
For any lawyers concerned about this there are two alternatives:
1) Shareware automatically has a "30 day free trial"
2) Send me a "no-cost-30 day evaluation PO" *with* a SASE & I'll return it
forthwith (fifthwith even). The address in in the .DOCs.
Warmly,
Padgett
ps according to the IRS, my anti-virus work is *definately* a hobby.
------------------------------
Date: Tue, 27 Oct 92 14:03:22 -0500
>From: "David M. Chess" <
[email protected]>
Subject: Infection density (was: SCAN 95b doesn't...) (PC)
[email protected] (Vesselin Bontchev) writes
in passing:
> The missed samples occur relatively often - a set of 2,000 files is
> not very large and is what the average user normally has on his/her
> disk. (Just for comparison - I have ~15,000 files on my hard disk.)
> Therefore, in a case of a serious infection (when the virus has
> infected most files on the disk), SCAN 97 is likely to miss at least
> one of the infected files, which is likely to cause re-infection.
I'd like to start a brief tangent on the question of how many files
are generally infected in a file-infector incident. Does anyone have
any interesting experience of insights to share? Some viruses, of
course, spread much faster than others; the DIR II infects whole
directories at once, the Dark Avenger can spread very fast if you GREP
a bunch of executables, and so on. But from my experience, I have the
general impression that in a typical 1813 incident (say) the number of
infected files on a single machine is under 100. Even a Dark Avenger
incident is usually about that size, with the obvious occasional
severe exceptions.
Does that sound reasonable or unreasonable to anyone? (This isn't
intended as a disagreement with Vesselin; his words just struck the
thought in my mind, and I thought I'd ask...)
DC
------------------------------
Date: Tue, 27 Oct 92 14:16:17 -0500
>From: "William Walker C60223 x4570" <
[email protected]>
Subject: Damage from Stoned and FORM (PC); Comment on Recent Postings
>From:
[email protected] (Vesselin Bontchev)
>
[email protected] (Paul D. Bradshaw) writes:
> > ... But, when I try to disinfect a disk infected with michaelangelo
> > with the command Clean [stoned] it butchers the boot sector.
> Could you please provide some more information. I had very strong
> reports that Clean destroys the boot sectors of the 1.2 Mb diskettes
> infected with Michelangelo, when it tries to disinfect them. However,
> I was unable to reproduce the problem. I see from your message that
> you have used indeed a 1.2 Mb diskette, so obviously you are observing
> the same problem. Could you please repeat your experiments with a 360
> Kb diskette (Michelangelo does not infect 720 Kb diskettes and damages
> 1.44 Mb diskettes)?
"Stoned" and "Michelangelo" both relocate the original boot sector to
Side 1 Sector 3 on a floppy diskette. On 1.2 MB and 1.44 MB
diskettes, this is Sector 3 of the root directory (directory entries
for files 33-48). If the diskette has more than 32 files on it, the
entries for files 33-48 will get wiped out, and files 49-224 will not
be accessible by DOS. Also, a small number of files with strange
names may appear, depending on the contents of the boot sector (this
is a result of DOS trying to interpret the boot sector code as
directory entries). Now, if files in excess of 32 are written to the
diskette, their entries will be written over the misplaced boot sector
code. Then, if the diskette is disinfected, the boot sector will get
trashed, or more correctly, has already been trashed. I have seen
this happen a number of times, and have had to recover the damage.
This might be the problem that Mr. Bradshaw is having.
>From: G J Scobie <
[email protected]>
> We have had the FORM virus in a big way around the University this
> year. ... The version we have here triggers on the 18th of the month.
> Students have reported corrupt files on their floppies though this only
> seems to happen if the disk was nearly full before the infection took
> place.
The sample of Form that I have is the variant that triggers on the
18th of the month. When it infects a 360 KB floppy (I haven't tried
it with other densities), it allocates Cluster 34 (Sectors 76 and 77)
to itself and marks it as a bad block. It may be possible that, if
Cluster 34 is in use, the file which used it would then be damaged.
However, if the virus tries searching for an available cluster and the
diskette was full or nearly full, it could be possible that the virus
would go ahead and grab a used cluster. I haven't tested it enough to
see how it infects under these circumstances, but perhaps this is
enough to be of use to you.
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
Now for something completely different ...
Ken (our fearless moderator) has said of VIRUS-L:
> Contributions should be relevant, concise, POLITE, etc. [my emphasis]
and
> It is not a place ... to flame other subscribers.
However, a recent exchange between two otherwise professional
subscribers seemed more like an unmerited mutual bashing contest than
a series of "relevant, concise, polite" contributions.
Aryeh Goretsky really pounced upon Vesselin Bontchev for using an
older version of McAfee's ViruScan (version 95B) in preparing his
review, so his testing "did not involve the most latest version of
SCAN available" (version 97, released on 16 October 1992). However,
Mr. Bontchev's testing was conducted before this version was released,
as evidenced by the fact that his posting was dated 16 October 1992.
Therefore, his testing DID INDEED involve the "most latest" [sic]
version available. Further, Mr. Bontchev replied to his own posting,
indicating that he had obtained and was testing version 97. So Mr.
Goretsky's attack was, in this respect, unwarranted (in my opinion).
On the other hand, I agree with Mr. Goretsky that Mr. Bontchev (or
anyone for that matter) should complete any testing before posting
results. Also, Mr. Bontchev's posting seemed to me (as well as Mr.
Goretsky) to specifically slam ViruScan. An independent review should
test all products equally, then objectively report the results against
each other or against some fixed rating. It should also include the
specific version tested (which Mr. Bontchev did, BTW), especially
considering how rapidly anti-viral programs are updated.
This, as well as other, similar exchanges, has caused VIRUS-L, a
discussion list I consider very valuable, to become increasingly
irritating to read. While there may be times that people need to
speak out against something (e.g. Virus Simulator or CPAV's causing
false positives), please keep the heat down and the professionalism
up.
Bill Walker (
[email protected] ) |
OAO Corporation | This .signature does NOT contain
Arnold Engineering Development Center | a stealth .signature virus!
1103 Avenue B |
Arnold Air Force Base, TN 37389-1200 |
------------------------------
Date: Tue, 27 Oct 92 14:57:38 -0500
>From: Edward Rosales Bella <
[email protected]>
Subject: McAfee Scan and F-prot (PC)
I was just wondering which is the prefered virus scanner. What are
the pros and cons of both. Also, are there any problems with running
the TSRs such as Vshield and then scanning with F-Prot or vise versa
with VirStop and scanning with scan. Send e-mail to:
[email protected] or post them.
Thanks,
Ed
------------------------------
Date: Tue, 27 Oct 92 15:23:58 -0500
>From: A.J. <
[email protected]>
Subject: MtE ?? (PC)
Can anyone tell me What in the world MtE stand for and give more
info... -aj.
------------------------------
Date: 27 Oct 92 22:00:28 +0000
>From:
[email protected] (Fridrik Skulason)
Subject: Re: V-Sign virus struck again!!!!!!!!!! (PC)
[email protected] writes:
>At this moment, my PC is also infected with V-sign. I tried to use
>F-Prot 2-05a to remove the infection but all I'm getting is this
>message:
> Master Boot Sector Infection: V-Sign !!
> This version of F-Prot cannot remove the virus!
V-sign disinfection was added later - 2.05a could only detect it, not remove.
The next version to be released should do the trick - but for now I guess
the "FDISK /MBR" disinfection method is the best way to get rid of it.
- -frisk
------------------------------
Date: Tue, 27 Oct 92 20:37:26 -0500
>From:
[email protected]
Subject: Re: VirusCURE impressions (PC)
[email protected] (Carl Wilson) writes:
> I just purchased VirusCURE PLUS ver 2.37 severial days ago. Is this
> considered a good virus detect/cure package? I just started a BBS
> here about a week ago, and severial of the other boards have been
> trashed by ANSI bombs and the like. I need some real security!
Hi Carl.
I'm a VirusCURE 2.37 user and I have some impressions about it:
Maybe I haven't tested many a_v products (just McAfee's ViruScan,
Fridrik's F-PROT, CPAV 1.0, AntiKot, etc.). VirusCure is the only
product that is able to deactivate a living memory-resident virus.
I got 15 (holy-few) viruses and I had tested VirusCure against all
of them and got good results.
By the way, VirusCure fails on disinfection of even well known viruses,
like Ping-Pong, but it's not a frequent symptom. It just could be a bug.
Documentation says VirusCure is developed together with John McAfee,
however IMSI doesn't release a new version since February or March...
I just trust on those products that update very frequently.
Hope this helps,
Fabio Esquivel -
[email protected]
San Jose, Costa Rica.
------------------------------
Date: Tue, 27 Oct 92 21:50:35 -0500
>From:
[email protected] (Glen Martin)
Subject: strange trojan... (PC)
It seems that I have some sort of problem here. I was running my
386-40 and all of a sudden I heard my hard drive stop. O.k. fine. I
rebooted, it happened again. It started up in a second but it kept
happening. When I rebooted, my memory-manager wouldn't load, so i made
a boot disk and when I scanned my HD using Norton Anti-Virus 2.0 it
said it had a couple of files with possible viruses. But knowing the
way Norton scans, I tried McAffee scan and it gave me nothing. I
deleted the files but I'm not sure if I should still be worried. Does
this sound like a virus or just a disk error?
- ---
Glen Martin -
[email protected]
C.R.I.M.E. BBS - (Chez Rob's Int'l Mail Exchange) 613/230-5307 (data)
------------------------------
Date: Wed, 28 Oct 92 08:05:04 +0000
>From:
[email protected] (Guenter Hoens)
Subject: files truncated (PC)
I found some files (.pk files for emtex) truncated to exactly 2048
bytes. do you think, that the reason was a virus, or do you think,
that there might be an error in emtex?
- --
- -----------------------------------------------------------------
* Guenter Hoens, GMD - I8,
* German National Research Center for Computer Science
*
[email protected] (02241) 14-2408
------------------------------
Date: 28 Oct 92 09:29:36 +0000
>From:
[email protected]
Subject: Virus Demo? (PC)
A while ago I saw a program that showed the behaviour of a number of
viruses. I'd like to get a copy if this, if possible. Can anyone
point me in the right direction?
Thanks
- ---------------------------------------------------------------------
Jeremy Laidman, Computer Support Officer
Department of Computer Science Phone: (61 9) 370 6648
Edith Cowan University Fax: (61 9) 370 2910
Perth, Western Australia
[email protected]
- ---------------------------------------------------------------------
------------------------------
Date: Wed, 28 Oct 92 08:56:07 +0000
>From:
[email protected] (McAfee Associates)
Subject: Re: Key Press Virus & scan97 again (PC)
Hullo again, Kevin,
[email protected] (KEVIN PRATER) writes:
<...use/installation of CLEAN and VSHIELD V97 deleted...>
>My hard disk was cleaned with the last key press going with
>whereis.exe as clean could not remove it. Two days later I used norton
It could be that the WHEREIS.EXE file was damaged. It is always
possible for even the most benign computer virus to cause damage by
incorrectly infecting a file, either due to bugs in its own code or
conflicts with other programs on the system.
>disk doctor V5 to have vsheild cut in and say that the file was
>infected and could not run it. So I powered down, rebooted and
Hmm.. have you run CLEAN against your hard disk with the /A switch?
If so, then there could be a remnant of code at the end of the file
between the true end of the file, expressed in bytes, and the space
allocated for the file on the disk, expressed in clusters. If a file
does not fill up the entire last cluster, then DOS pads it with
garbage from memory--which could be a segment of viral code. This
should not cause problems with VSHIELD, however. In any case, try
defragmenting the disk with a disk optimizing program or running the
WIPEFILE or WIPEINFO program from Norton (can't remember which one is
included with Norton 5.0) with the option used to erase the "slack"
space at the end of the file--BE VERY CAREFUL with this as you can
erase everything on your hard disk if you do not use the right switch.
<...deleted for brevity...>
>And it's not a false alarm as if I run any other program after the exe, it
>also gets infected but scan97 does find and remove this. It almost seems
>that the virus is dorment and hidden in disk doctor and is activated on
>running the exe.
Interesting. That pretty much rules out my comments above about
defragging the disk. I would guess, then, that you (1) have a variant
of the virus; (2) have an .EXE file with an unusual structure [which
doesn't account for why SCAN and CLEAN missed it]; (3) didn't run
CLEAN with the /A switch the first time around and NDD is loading as
an overlay some file that was skipped; or (4) SCAN & CLEAN are broken
[unlikely, given that VSHIELD's working].
<...deleted for brevity...>
>Has anyone had a similar virus?
<...rest of message deleted...>
Nope.
If you've tried the above and are still having problems, please
contact me by email and we'll see can be done to get the virus off of
your PC once and for all.
Regards,
Aryeh Goretsky
Technical Support
- --
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 |
[email protected]
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA | USR HST Courier DS | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR
------------------------------
Date: 27 Oct 92 18:59:26 +0000
>From:
[email protected] (Andrew Pickrell)
Subject: Re: WSCANV97 will not work in OS/2 (OS/2)
[email protected] (Nikolaj Kolte) writes:
>I recently got the McFee Scanv97 for Windows. I'm running OS/2, but
>when I want to run WSCAN I get the message that I cann't run the
>program in a WINOS2 session.....
>Any sugestions...
>Nikolaj
Try scan_os2. It is currently in beta. Version 97 is on
ftp-os2.nmsu.edu in the pub/uploads directory.
- --
===========================================================================
Andrew Pickrell | My opinions are my own,
UNL Dept. of Chemical Engineering | but they could be yours too
EMail :
[email protected] | for the low price of 5 bucks...
------------------------------
Date: Tue, 27 Oct 92 05:38:24 -0500
>From: Trantor The Last Stormtrooper <
[email protected]>
Subject: Questions about the "Batman Virus" (Atari ST)
Usually the Atari ST requires the bootsector to have a checksum of
$1234, if the bootsector is to be able to execute. This includes
Viruses, Virus Protectors, Games Disks etc.
There is a(UK Computer Mag), it can execute without having the
neccessary checksum! it can execute without the bootsector having the
neccessary checksum
How is this possible?
If it is possible, how is it done?
------------------------------
Date: Tue, 27 Oct 92 18:33:51 -0800
>From: Judy S. Brand <
[email protected]>
Subject: Call for Papers - 6th Computer Security & Virus Conf.
SIXTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE and Exposition
sponsored by DPMA Fin.Ind.Chapter in cooperation with
ACM-SIGSAC, BCS, CMA, COS, EDPAAph, ISSAny, NUInypc, IEEE Computer Society
C A L L F O R P A P E R S
Approximately 500 attendees will hear 90 speakers and 53 vendors over 3 days
Wednesday thru Friday - March 10-12, 1993 - New York Ramada Madison Square
YOUR AUDIENCE: Past attendees have represented industry, military
government, forensic and academic settings -
creators and users of related software and hardware.
They travel from U.S. and many international locations
and have titles such as MIS Director, Security Analyst,
Operations Manager, Investigator, Programming Leader
TOPICS OF INTEREST INCLUDE (but are not limited to):
- prevention, detection, and recovery from viruses,
crackers, and other unauthorized usage
- oritinal research in these and related topics
- survey of products and techniques available
- particulars of LSN, UNIX, cryptography, military use
- Computer crime, law, data liability, related contexts
= US/international sharing of research & techniques
- case studies of mainframe, pc &/or network security, e.g.,
- 1992 hurricane, flood, fire disaster recovery
- recent court decisions
- security implementation and user awareness in industry
PAPER SUBMISSION:
Send a draft final paper for receipt by Wednesday, 11/11/92.
Address to Judy Brand, Conference Chair, box 6313 FDR Station,
New York, NY 10150, USA. Please include a small photo and
introductory bio not exceeding 50 words. Successful submittors
or co-authors are expected to present in person. Presenters
receive the Conference Proceedings and complimentary admission.
PAPER FORMAT: Send one original and three copies. When making the copies,
please cover over the author name(s) and other identifying data.
Each paper goes to three revieweers.
Type double spaced, with page# below bottom line (may be
handwritten): TITLE (caps); Name; Position, Affiliation;
Telephone, City/State/Zip, Electronic Address (optional).
NOTIFICATION: Written and (where practicable) telephoned confirmation will
be initiated by Monday, 1/13/93, to facilitate low cost travel.
Those needing earlier notification should attach a note.
You may be asked to perform specific revisions to be accepted.
Nobody can guarantee you a place without an acceptable paper.
AT THE CONFERENCE: There are five tracks. Time your presentation to last
40 minutes and have clear relation to your paper. A committee
member will preside over your assigned room and adhere to schedule.
Don't hesitate to submit a presentation you've given elsewhere
to a more specialized audience. Most attendees will find it
new - and necessary. On-site schedule is duplicated early on
first day. If you may have a work emergency you can reschedule
or substitute your co-author.
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 169]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
