Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
id AA04490; Tue, 2 Mar 1993 14:06:31 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA43686
(5.67a/IDA-1.5 for <
[email protected]>); Tue, 2 Mar 1993 07:08:25 -0500
Date: Tue, 2 Mar 1993 07:08:25 -0500
Message-Id: <
[email protected]>
Comment: Virus Discussion List
Originator:
[email protected]
Errors-To:
[email protected]
Reply-To: <
[email protected]>
Sender:
[email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <
[email protected]>
To: Multiple recipients of list <
[email protected]>
Subject: VIRUS-L Digest V6 #37
Status: RO
VIRUS-L Digest Tuesday, 2 Mar 1993 Volume 6 : Issue 37
Today's Topics:
Re: polymorphic compiler
Re: your opinions on virus legality
Virus Development Programs
Help - Windows Virus (!?!?!) (PC)
Re: EXE/COM switch (PC)
Re: standardization (PC)
Re: New Virus (PC)
Re: PC Magazine on Anti-Virus Software (PC)
Re: Request for virus tools (PC)
Re: FPROT, Thunderbyte, & DataCrime II (PC)
Need info on whale. (PC)
1591/1575 (PC)
False Power Pump (2) w/F-Prot207? (PC)
Re: Rebuilding partition tables (PC)
Re: KRNL386.EXE erased (PC)
Re: NAV questions (PC)
Re: CMOS virus (PC)
Re: Norton buggy??? (or I have a PROBLEM!) (PC)
CLEAN 102 (PC)
McAfee VIRUSCAN V102 uploaded to SIMTEL20 and OAK (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to
[email protected]. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<
[email protected]>.
Ken van Wyk,
[email protected]
----------------------------------------------------------------------
Date: Sun, 28 Feb 93 19:22:01 +0000
From:
[email protected] (Paul Houle)
Subject: Re: polymorphic compiler
[email protected] (Paul D. Bradshaw) writes:
>Am I missing something important about this polymorphic compiler? If
>the good guys have GOOD polymorphic compilers then won't the bad guys
>have quality polymorphic compilers as well? Wouldn't this mean that a
>virus writer could write one simple virus, and compile it n times to
>release n copies into the wild? It seems to me that virus writers
>would benefit more from a polymorphic compiler than anti-virus
>software writers would. Afterall not that many viruses target
>specific anti-virus software.
Well, my original point was that such a polymorphic compiler would be
a superior method of implementation of polymorphism than, say, MtE. I
also mentioned that polymorphism might be a good feature for antivirus
software, but I especially wanted to say that the polymorphic compiler
used in viruses would be a threat that antivirus people will
eventually have to face, although I don't think I got that across very
well. Fortunately, I've got better things to do than try to write
one, and if this turns out to be true, I've got about as much to do
with it as Arthur C. Clarke had to do with the communications
satellite.
>What if this compiler were applied to the code for an existing
>successful virus like stoned?
My idea for the polymorphic compiler is for it to compile some
kind of intermediate representation into polymorphic code.
Conceivibly you could put it together with the right parts and make a
C-like language, or a FORTH-like language, or whatever. The thing I
have in mind wouldn't be able to "polymorph" existing assembly code,
although such a thing is certainly possible if you don't care about
code quality (but you do with successful viruses).
The architecture that I'd see for a polymorphic compiler virus could
be broken down into at least four parts.
I. TEXT segment - this contains fixed data, displayed text strings, etc and
is encryped by the PC (polymorphic compiler), prehaps using
a one-time pad.
II. DNA segment - this contains the intermediate representation of the code
that the polymorphic compiler will "polymorph" occasionally
or whenever the virus writer wants it. Also encrypted.
III. PC segment - the actual polymorphic compiler, for which the intermediate
code is stored in the DNA segment itself. As such, the PC
can be shipped with the virus and is also variable, so it
is not a simple attack point for antivirus software.
IV. VIRUS segment - code for the virus, includes payload (if any) and
infection logic and all that other stuff.
This sort of virus will probably be the next generation of
polymorphic viruses. One would hope that it isn't coming soon to a
computer near you, because this sort of thing could make both file and
memory scanning obsolete, or at least orders of magntiude harder,
particularly if it were combined with the technology from Commander
Bomber. Since it would also allow viable stealth viruses (can protect
in-memory section from scanners), it may even be able to thwart
integrity scanners. It's the kind of thing that I don't really want
intellectual priority on if I happen to have it.
------------------------------
Date: Mon, 01 Mar 93 16:12:38 +0000
From:
[email protected] (Gary Heston)
Subject: Re: your opinions on virus legality
[email protected] (Luis Gamero) writes:
>No. If you keep it in your OWN posession how could it be illegal?
>You can own a gun and not use it. That's not illegal.
This varies depending upon local law somewhat more than virus
possession. And, with the ignorance and hysteria pervading the
various legal systems where computers, software, and viruses are
concerned, it seems to be a matter of proving oneself innocent rather
than being proven guilty.
>Canada Remote Systems - Toronto, Ontario
BTW, possession of a handgun is a crime in any part of Canada. Not a
good analogy for you to use....
- --
Gary Heston SCI Systems, Inc.
[email protected] site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Remember: A majority of the American people voted against *all* of the
Presidential Candidates. How encouraging....
------------------------------
Date: Sun, 28 Feb 93 11:48:51 -0500
From:
[email protected] (Sgt Rock)
Subject: Virus Development Programs
I just picked up the March 16th 93 issue of PC Magazine and was quite
interested in the article on antivirus software. It discussed some virus
development programs: The Phalcon/Skism Mass-Produced Code Generator, the
Virus Construction Set, and the Virus Construction Laboratory.
These programs sound scarey to me. Does anyone out there know anything
about them? Where do they originate and are they available for general
use or are they controlled as they should be?
------------------------------
Date: Sun, 28 Feb 93 11:40:27 +0000
From:
[email protected]
Subject: Help - Windows Virus (!?!?!) (PC)
One of my friends has a problem when printing out in MSWord 2.
When she goes to print, she seems to get a "Falling Letters" type virus
attack her printer.
Since I'm no technical or mathematical wiz could someone give me a hand here.
I have no idea (besides formatting the entire hard disk) of how to get rid
of it. McAfee's V100 does not pick it up, so this makes me wonder what it is.
It could be attacking anything (that's the worst part).
Print Manager
Word
Stylesheets
Printer Drivers
(I know that only exe com and overlay files usually hold viruses,
but it does not mean they have to attack the exe file they are in
to cause damage)
Well I'm just puzzeled!
Could someone give us a hand here?!??
Jase.
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* jason lowder */
/*
[email protected] */
/* */
/* ~zeros and ones will take us there~jesus jones~ */
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
------------------------------
Date: 01 Mar 93 13:18:52 +0000
From:
[email protected] (Vesselin Bontchev)
Subject: Re: EXE/COM switch (PC)
[email protected] (Donald G Peters) writes:
> Here is an idea I have cooked up to defend against some types
> of viruses. It has not (to my knowledge) been in print before.
I am seeing this proposed averagely once every couple of months. Ah,
you mean in print? In print, there was an article in Virus News
International, explaining why this is not a good idea, or more exactly
why it doesn't work and shouldn't be relied on.
> Viruses which infect files often *look* for the extensions
> EXE and COM.
A more exact way to say this is "Some viruses look at the file
extensions". Because:
1) Some viruses (most) don't look at the file extensions at all.
2) Some viruses look not exactly for EXE and COM, but for *.CO?, *.*M,
and other weird things.
> If no such files exist, the virus will not
> replicate.
If it is one of the silly viruses of the above type. But, the viruses
of this type are usually non-resident, and non-resident viruses don't
replicate well anyway...
> >From what I have read, many viruses are *either* EXE or COM
> infectors, but not both.
And many are both, and some even infect SYS files too, and some infect
boot sectors, master boot sectors, COM, EXE, and SYS files.
> And even for viruses that infect
> both types, the following defense may work against them.
Most probably it won't, see below.
> The trouble with the XXX idea above is that the programs
> cannot be found and cannot be run with such a name. My idea
This is trivial to be fixed by just changing 6 bytes in the command
interpreter.
> is to rename all your EXE files as COM and rename all your
> COM files as EXE.
This is even worse than to rename the files to non-executable
extensions. If you just swap the extensions, many of the viruses that
would be fooled by the above scheme won't be fooled any more.
> Believe it or not, DOS is still able to
> run your programs after you make this switch. DOS does not
Believe it or not, but most viruses are just as smart as DOS in this
case... :-)
> rely on the extension to determine if the program is
> relocatable (a la EXE) or not (a la COM), rather it looks
> for the file signature ("MZ", the initials of the early
> Microsoft employee who developed this scheme) and takes
> action upon that.
"ZM" instead of "MZ" also works... Anyway, many viruses are doing just
that - infecting anything that DOS Execs (via INT 21h/AX=4B00h), and
determining the file type from the first two bytes of the file.
> Now any virus which is tailored to work specifically on
> one type of program is not very likely to work when you
> pull this trick on it. I will leave it to the experts on
> this forum to determine the details of that.
Any virus which is silly enough to rely on the file extension (like
Jerusalem), will infect such files incorrectly, so that they will
crash, I agree. But, this still will not prevent dozens of more
intelligently designed viruses to infect the files correctly...
> I will also leave it to an enterprising individual to
> determine wither COMMAND.COM will run if it is renamed
> to COMMAND.EXE (with the appropriate change to the COMSPEC
> variable in CONFIG.SYS). Personally, I doubt it, but
No need to doubt it - DOS can run just anything as a command
interpreter, if you put the appropriate line in CONFIG.SYS.
> perhaps a simple modification to the boot sector may make
> this possible.
The boot sector contains the names of the DOS files, not the name of
the command interpreter.
> In the future, viruses WILL be able to defeat this approach,
It's not in the future, sorry. Such viruses exist since 1988. The
first one was Cascade, I think...
> are vulnerable to viruses. I would appreciate comments from
> the experts on this forum who know *exactly* how various
> viruses work (or who can simply test this idea with
> viruses that they contain in safe keeping.)
In short - the idea of changing the executable extensions works in the
following cases:
1) It stops all non-resident viruses I've seen so far.
2) It stops the "fast infection" capability of the fast infectors.
That is, such viruses will still infect when you execute a file, but
not any more when you are copying it. However, it is possible to
design a virus that will still infect EXE files when they are copied,
even if their extension is different.
Note that the above points apply only in the general case, when you
are changing the executable extensions to something completely
different, not when you are just swapping them. The modification that
you are proposing will stop fewer viruses.
In general, changing the executable extensions is something like the
ReadOnly attribute - doesn't harm a lot and stops some silly viruses,
but by no means is a reliable protection scheme.
Speaking about changing the names, there is yet another thing you can
do at almost no cost and achieve some (not much) additional protection.
You should keep a hidden spare copy of the command interpreter and
have something like that:
CONFIG.SYS:
shell=c:\foo\bar\spare.cpy
AUTOEXEC.BAT:
copy c:\foo\bar\spare.cpy c:\command.com >nul
set comspec=c:\command.com
This way, viruses that infect the command interpreter as the first
thing they do when executed, will be fooled to infect C:\COMMAND.COM.
However, at boot time (when the virus is not yet in memory), this file
will be restored automatically from the image C:\FOO\BAR\SPARE.CPY.
Again, don't rely too much on the above - it is by no means fool
proof. It just helps a bit.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail:
[email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 01 Mar 93 13:53:19 +0000
From:
[email protected] (Vesselin Bontchev)
Subject: Re: standardization (PC)
[email protected] (Micke Larsson) writes:
> Solomon's FindVirus have a /EICAR switch which outputs the Eicar code for
> viruses found. These codes are a part of the CARO naming standard.
Really? I didn't know that the EICAR code is part of the CARO naming
standard. It shouldn't be, for two reasons. First, the CARO naming
scheme (which is not yet a standard, alas), does not rely on this
number. Second, FindVirus outputs an EICAR number only for those
viruses, which it is able to identify exactly. In practice, this means
almost all non-encrypted and some of the encrypted viruses. For
instance, try it with a few Cascade samples - you'll see that it
outputs one and the same EICAR number (665C6657) for ALL
Cascade.1701.* variants. Obviously, we cannot use for identification
an algorithm that produces one and the same output for -different-
viruses.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail:
[email protected] D-2000 Hamburg 54, Germany
------------------------------
Date: 01 Mar 93 17:19:17 +0000
From:
[email protected] (Fridrik Skulason)
Subject: Re: New Virus (PC)
[email protected] (Chris Antkow) writes:
> Actually, The Whale source code is posted on a few Canadian VX
>boards, however, it is in German, making any modifications by a
>"wannabe" virus writer a bit difficult.
Uh, I thought that was a commented Sourcer-generated disassembly - not the
actual source...a small, but VERY significant difference - are you sure it is
the actural source ?
- -frisk
- --
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail:
[email protected] fax: +354-1-28801
------------------------------
Date: 01 Mar 93 17:28:42 +0000
From:
[email protected] (Fridrik Skulason)
Subject: Re: PC Magazine on Anti-Virus Software (PC)
[email protected] writes:
>Hello:
>Do people in this group support Pc Mag's Editor's Choice Awards to
>Central Point Anti-Virus and Norton's Anti-Virus? I thought the best
>protection was McAfee's SCAN backed up by F-PROT or vice-versa.
>In the review, F-PROT received a honorable mention because it
>correctly removed all of the virus's it found. The review did not
>test McAfee's SCAN.
Well, they did not want to include any shareware programs at all (quite silly,
because they are the most popular ones) - therefore no SCAN, and F-PROT
only got included because we have an expanded, commercial version available.
I am not terribly happy with the review, of course - well, it was nice
to see that I had one of the 13 (out of 24) scanners that detected all
the 11 (!!!) viruses, and that F-PROT was the only program that could
remove them all correctly, but the basic problem with the review, from my
point of view is that they did not ask any virus "experts" for advice, and
relied on incorrect or incomplete information (for example they say that 57
variants of Jerusalem exist, where the correct number is at least 125). So,
basically it is a good review of anti-virus program interfaces - their virus
collection is far too small (11 viruses is silly...they should have used at
lest the 50-100 that are in the wild), the viruses they used are old, so a
program that had not been updated for 18 months would have detected all but
one or two....and so on...
Anyhow, I wrote them a 4-page letter about this...
- -frisk
- --
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail:
[email protected] fax: +354-1-28801
------------------------------
Date: 01 Mar 93 17:37:40 +0000
From:
[email protected] (Fridrik Skulason)
Subject: Re: Request for virus tools (PC)
[email protected] (G J Scobie) writes:
>Hi there,
>Over the years I have collected a wide range of tools to use when
>dealing with PC viruses. However, I'm interested in what other readers
>of this board use for disassembling code, inspecting memory, protection,
>eradication etc etc.
I guess I'm not a typical reader, but well.....
I use DEBUG for most of my analysis...I have been using that program for a
LONG time - started on a Victor 9000, before there was any IBM PC...and
I have not yet seen any need to switch.
I use Sourcer for some disassemblies - but not always - it has some problems.
Inspecting memory: Debug and my own old F-MMAP (those of you that ever got
a copy of F-PROT 1.x may remember it).
Protection, eradication...well, my own program, of course :-) ... however, I
have copies of SCAN and Dr Solomon's toolkit that I run for comparison - none
of the other programs are of any help to me.
- -frisk
- --
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail:
[email protected] fax: +354-1-28801
------------------------------
Date: 01 Mar 93 17:53:53 +0000
From:
[email protected] (Fridrik Skulason)
Subject: Re: FPROT, Thunderbyte, & DataCrime II (PC)
[email protected] (Michael Harlos) writes:
>I've just run FPROT 2.07 for the first time, in a "real DOS" (not OS/2
>DOS) session, with several Thunderbyte TSR's loaded. One of the
>Thunderbyte TSR checks for suspiciuos activity.
>FPROT warned me that "DataCrime II virus search activity was found in memory".
"virus search pattern", actually...well, this sounds like a false alarm to me
Don't worry about it. I'll give the thunderbyte authors a call and see if we
happen to use the same pattern, or what is going on...
- -frisk
- --
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail:
[email protected] fax: +354-1-28801
------------------------------
Date: Mon, 01 Mar 93 14:40:24 -0500
From: ed street <
[email protected]>
Subject: Need info on whale. (PC)
I have just recently isolated a strain of the whale virus and I havn't
figured out how it mulitplies yet, it only seems to go resident and
slow things down.
does anyone know how it works and what it does cause f-prot doesn't
give that much of a description of it..
thanks.
ed.
------------------------------
Date: 01 Mar 93 21:54:25 +0000
From:
[email protected] (Brian Cooper)
Subject: 1591/1575 (PC)
Ok, some friends of mine in another department were having a network card
(and software) installed. The Norton Antivirus Program (NAV)
on their computer picked up the 1591 virus when the bonehead
network support individual installed the network files. Two network
files were infected as well as command.com and nav.exe (the norton
program). He (the network bonehead) proceeded by removing the virus
using NAV (I don't know how he did it; I assume NAV provided some
instruction when the virus was detected.
A couple of days later, my friend called me to take a look at their computer.
I ran McAfee's SCAN v 100 and it detected the 1575 virus in himem. SCAN
would only detect the virus when I used the /chkhi parameter. I powered down
the computer and rebooted from a clean floppy to determine the extent of the
hard disk infection. SCAN reported that no files were infected; yet SCAN
continued to report a virus when I booted from the computers hard disk.
When I renamed the autoexec.bat and config.sys files to *.bak, I rebooted.
SCAN no longer reported a virus. I isolated the problem to the fact
that one of the files originally reported to have the 1591 virus by NAV
was being loaded in the autoexec.bat. When this occurred, scan would
report a virus in memory.
My questions: What are the 1591 and 1575 viruses?
Why would SCAN report the 1575 in himem but not
detect it's presence in the file?
What should I do? I am no longer loading the questionable
file, but I have not yet deleted it.
Please respond via email. Thanks!!
Brian Cooper
------------------------------
Date: Tue, 02 Mar 93 01:47:00 +0000
From:
[email protected] (Walter Dence)
Subject: False Power Pump (2) w/F-Prot207? (PC)
We just found what we hope is a false positive. It occurs
on "power.exe" of Jul92. F-Prot207 calls it a "Power Pump (2)".
Is this a false positive? "New.207" indicates that "Power
Pump (1)" is a false positive, but that it has been fixed with
F-Prot version 207. For now, we are assuming that it is a false
positive.
Thanks,
Walt Dence
=====================================================================
WALTER E. DENCE, JR.
Data Acquisition Specialist
Influence Mechanisms Branch, G95
Commander, Dahlgren Division
Naval Surface Warfare Center Office: (301) 394-1707/1960
Dahlgren Division Detachment Fax: (301) 394-4510/4727
White Oak, G95 (W. Dence) DSN (AutoVoN): 290-1707/1960
10901 New Hampshire Ave. MilNet:
[email protected]
Silver Spring, MD 20903-5000 Home: (301) 229-7394
(This is personal opinion, not official opinion.)
=====================================================================
------------------------------
Date: Mon, 01 Mar 93 21:01:59 -0500
From:
[email protected] (A. Padgett Peterson)
Subject: Re: Rebuilding partition tables (PC)
>From:
[email protected] (Charles Howes)
>I'd like to see a program that will tell me what these four sources are
>saying the hard disk should be, allow me to pick the one I think I picked
>when I first partitioned my hard disk, and lay down a brand new set of
>sectors.
Actually, there is one more source - opening the PC up and reading the
manufacturer and drive number info off the label.
IMHO it should not be difficult to detect the disk configuration &/or
validate the CMOS information simply by "walking the disk" e.g.
"validating" the sectors (would try Int 13 Fn 4) until an error occurs
to find the total sectors/track, number of heads, and total tracks.
IDE drives can be interrogated directly.
Given that, next you could go on a scouting expedition for partitions
making sure that the info makes sense e.g. the BPB in a tentatively
identified DBR actually points to the right sector. Of course you need
to do a bit of checking to determine which OS is in use, usually you
can tell by the presence of hidden sectors and (for DOS) the size of
IO.SYS or IBMBIO.COM with the date as a crosscheck.
Of course now you need to find a root directory but the algorithm for
detecting this is not difficult, people do it all the time by eyeball.
Sure, it is not going to be 100% effective in every case, but you could
hit 95% right now (I do better than that by hand) and by v3 should be
as close as you could get.
(unfortunately am working 60 hours a week & still need to paint my
house 8*( - ever notice that we spend 80%+ of our time doing things we
are not good at because we have no choice...
>What does fdisk do? I had hoped it replaced the entire sector that has the
>MBR and partition table in it, and leave the rest alone, but that does not
>seem to be the case. Am I wrong?
FDISK alone will build a P-table (*not* rebuild it) and place it in a
sector with new MBR code *if the sector is zeroed first* otherwise,
depending on the version, it may leave the original MBR code in place.
FDISK/MBR (DOS 5.0 and 6.0 only) will replace the MBR code and leave
the P-table alone.
>Is format in charge of the DBR's? Does sys diddle with it too?
Both of these can replace the DBR code. SYS *might* not (version
again) load the Boot Partition Block found inside the DBR. FORMAT will
build the FATs and a root directory, SYS will not.
Probably the reason no-one has built a full replacement (yet) utility
yet is the sheer mind-boggling number of OS varients out there - I
just made a quick count of my DOS box and came up with 27 individual
DOSes for the IBM-PC ranging from 1.25 to 6.00.0560 (revision "A"
naturally).
Unfortunately, if you pick the wrong one and leave the registers with
the wrong values following the DBR execution, POP goes the weasel.
Warmly,
Padgett
------------------------------
Date: Mon, 01 Mar 93 22:08:30 -0500
From: Jimmy Kuo <
[email protected]>
Subject: Re: KRNL386.EXE erased (PC)
[email protected] writes:
>In comp.os.ms-windows.misc I was told that it is possible that
>the reason I lost KRNL.EXE from my windows\system directory was
>due to a virus. If anyone knows of a virus that does this please
>tell me. I have scanned with Norton Desktop Antivirus and found
>nothing.
>Should I get another scanner or is Norton AV good enough.
While it's true that it's "possible" you have a virus, the chance of a
single file being lost being due to a virus is sooooooo smalllllll...
And in the face of no other strangeness occurring on your system, your
chance drops to nil.
You should look to something other than viruses to explain your problem.
Jimmy Kuo
[email protected]
Norton AntiVirus Research
------------------------------
Date: Mon, 01 Mar 93 22:08:32 -0500
From: Jimmy Kuo <
[email protected]>
Subject: Re: NAV questions (PC)
Eric J Balog writes:
>1) I have NAV 2.0 (included w/ NDW 2.0), and I just downloaded
>nav20a10.exe from dorm.rutgers.edu. Does my version of NAV now check
>for all of the viruses that NAV 2.1 checks for? (mine checks for 451
>viruses/1159 strains)
No. NAV 2.1 checks for high 1400 to low 1500 strains. And in order
to get that many, you must have NAV 2.1.
NAV 2.0 users may upgrade to NAV 2.1 through a number of programs.
Depending on your date of purchase of the product, the upgrade may be
free. Call 1-800-343-3714, x738 for details. Be sure to specify that
you got NAV by buying NDW 2.0.
Jimmy Kuo
[email protected]
Norton AntiVirus Research
------------------------------
Date: Mon, 01 Mar 93 22:08:34 -0500
From: Jimmy Kuo <
[email protected]>
Subject: Re: CMOS virus (PC)
V Menayang writes:
>I wonder if a virus can erase the information stored in CMOS?
Yes. But there's a difference between erase (reset) and erase
(corrupt).
>If it can, what virus/viri known to work this way?
Many viruses fiddle with CMOS bits, some fiddle with it
incorrectly and corrupt certain values. But none that I
am aware of deliberately go and reset all the CMOS values.
>The reason I am asking these questions is that the computer
>repair person we took our Grid system machine to claimed
>that our problem (floppy drive wouldn't refresh) is caused
>by a virus. I don't know much about virus but the claim
>sounds suspicious because he said that the virus is [stoned].
In this case, trust your judgment against the computer repair
person. Since he brought up "Stoned," you should scan your
other machines and diskettes. But you should also insist that
the computer repair person scan his machines and diskettes.
Not to blame the repair person but he generally has fewer machines
to check than you do.
>Thank you for any advice/information on this.
You're welcome.
Jimmy Kuo
[email protected]
Norton AntiVirus Research
------------------------------
Date: Mon, 01 Mar 93 22:08:48 -0500
From: Jimmy Kuo <
[email protected]>
Subject: Re: Norton buggy??? (or I have a PROBLEM!) (PC)
[Alan Mead describes what looks to be a false id of CVIR.]
Please send me a copy of your program electronically. I would
like to verify the false id and see why... Also, please specify
which C compiler and version you are using.
Our definition for CVIR has not changed since its inception in July
of 1991. This is the first case of false id I've heard regarding
that definition. Usually, cries concerning false ids happen right
away. We usually don't have to wait this long to hear about it.
>Also, I should think Norton would want to know about this.
Thank you for reporting this.
Jimmy Kuo
[email protected]
Norton AntiVirus Research
------------------------------
Date: Mon, 01 Mar 93 22:10:53 -0500
From:
[email protected] (A. Padgett Peterson)
Subject: CLEAN 102 (PC)
Tonight (March 1st) McAfee released version 102 of SCAN, CLEAN, & all.
The documentation states that the removal routines for several of the
viruses including MICHELANGELO have been re-written. Accordingly the
trusty VP-1600 was cranked up once more.
Like last time SCAN properly recognized the [Mich] lurking in the MBR
but this time CLEAN properly, correctly, and safely removed the virus.
What ever the bug in V100 was, it is now corrected within two weeks of
its isolation. That is a quick turnaround and shows that they are
concerned.
Sh*t happens. *Everyone* makes mistakes particularly in complex code
(heck, the last time I looked DEC still hadn't gotten FORTRAN right
8*). The true measure of a company is whether they admit it publicly
(see last week's VALERTs) and how fast it gets fixed.
Warmly,
Padgett
------------------------------
Date: Mon, 01 Mar 93 23:41:07 -0500
From:
[email protected] (McAfee Associates)
Subject: McAfee VIRUSCAN V102 uploaded to SIMTEL20 and OAK (PC)
I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:
pd1:<msdos.virus>
ALLMSG.ZIP Foreign language support files for McAfee 9.14
CLEAN102.ZIP CLEAN-UP 9.14V102 cleans viruses from PC & LAN
NETSC102.ZIP NETSCAN 9.14V102 scans LAN's for viruses
NETSH102.ZIP NETSHIELD scans Novell file server for viruses
SCANV102.ZIP VIRUSCAN 9.14V102 scans PC's for viruses
VSHLD102.ZIP VSHIELD5.22V102 virus infection prevention TSR
WSCAN102.ZIP WSCAN V102 Windows 3.X version of VIRUSCAN
WHAT'S NEW
VIRUSCAN, NETSCAN, and SCAN for Windows
Version 102 of the VIRUSCAN series adds detection of 74 new
viruses, bringing the total number of known viruses to 1,134, or
counting variants, 1,830.
Version 101 gave a false alarm on the Parity virus [Pvar] and
was recalled from distribution. It was not released on the Internet.
CLEAN-UP
Disinfectors for the VirDem-824 and Barrotes viruses have been
added. Disinfectors for the 1575, FORM, KeyPress, and Michelangelo
virus have been re-written.
VSHIELD
VSHIELD Version 5.22V102 has had several changes made internally
to the program, most notably in the /ACCESS, /COPY, and /SWAP switches.
The CHKSHLD program has been re-written to work with all versions of
VSHIELD.
NOVELL NETWARE/386 3.11 PROGRAM
NETSHIELD Version 1.11 (V102) is a NLM (NetWare Loadable Module)
for Novell NetWare/386 Version 3.11. It checks network file servers
for all known computer viruses, including stealth and polymorphic
(mutation engine) viruses, using McAfee Associates' VIRUSCAN virus
scanning technology.
Key features of NETSHIELD include checking files for
viruses as they are accessed on the server, performing a
scheduled scan, and notifying users if a virus is found.
NETSHIELD does not changed the Last Accessed Date when
scanning files.
NETSHIELD runs on any Novell NetWare/386 3.11 file server
with a minimum of 560Kb of free memory and should utilize about
4% of the CPU. NETSHIELD is not compatible with version 3.10
of Novell NetWare/386.
OS/2 PROGRAMS
The OS/2 versions of VIRUSCAN, NETSCAN, and CLEAN-UP Version 102
are available by anonymous ftp from the mcafee.com site in the
pub/antivirus directory. They have all the same additions as their
DOS counterparts
FOREIGN LANGUAGE MODULES
New foreign language modules have been created. See the VALIDATE
VALUES below for specific languages now available.
VALIDATE VALUES
CHECKSHIELD 0.3 (CHKSHLD.EXE) S:8,009 D:02-11-93 M1: D7B0 M2: 0594
CLEAN-UP 9.14V102 (CLEAN.EXE) S:138,075 D:02-27-93 M1: 54A2 M2: 1631
LANGUAGE 9.14 (BULGARIAN.MSG) S:12,204 D:02-24-93 M1: 4E79 M2: 0625
LANGUAGE 9.14 (CATALAN.MSG) S:16,441 D:02-24-93 M1: FAE9 M2: 182C
LANGUAGE 9.14 (DUTCH.MSG) S:16,751 D:02-24-93 M1: E697 M2: 1287
LANGUAGE 9.14 (FINNISH.MSG) S:15,742 D:02-24-93 M1: 5197 M2: 1156
LANGUAGE 9.14 (FRENCH.MSG) S:16,060 D:02-24-93 M1: 2623 M2: 0831
LANGUAGE 9.14 (GERMAN.MSG) S:17,210 D:02-24-93 M1: A3B4 M2: 0688
LANGUAGE 9.14 (HUNGARIA.MSG) S:16,385 D:02-24-93 M1: BB10 M2: 1D6E
LANGUAGE 9.14 (ITALIAN.MSG) S:17,027 D:02-24-93 M1: 1EED M2: 16F8
LANGUAGE 9.14 (SPAN_SA.MSG) S.Amer S:16,271 D:02-24-93 M1: E8D0 M2: 12C1
LANGUAGE 9.14 (SPANISH.MSG) Europe S:17,019 D:02-24-93 M1: 579D M2: 04EF
LANGUAGE 9.14 (SWEDISH.MSG) S:15,870 D:02-24-93 M1: 2B46 M2: 1C9F
LANGUAGE 9.14 (SWGER.MSG) S:17,690 D:02-24-93 M1: 7AA6 M2: 12EA
NETSCAN 9.14V102 (NETSCAN.EXE) S:109,481 D:02-27-93 M1: A13D M2: 04CE
NETSHIELD 1.11V102 (NETSHLD.NLM) S:81,878 D:02-22-93 M1: FCE5 M2: 166F
NETSHIELD 1.11V102 (VIR.DAT) S:37,826 D:02-22-93 M1: FABC M2: 0C8C
VIRUSCAN SCAN 9.14V102 (SCAN.EXE) S:111,886 D:02-27-93 M1: 9FB2 M2: 0FD1
VSHIELD 5.22V102 (VSHIELD.EXE) S:45,724 D:02-27-93 M1: 06BB M2: 066C
SCAN FOR WINDOWS 102 (WINSTALL.EXE) S:17,378 D:02-25-93 M1: EB0C M2: 00D1
SCAN FOR WINDOWS 102 (WSCAN102.EXE) S:76,202 D:02-25-93 M1: E7EC M2: 174A
Regards,
Aryeh Goretsky
McAfee Associates Technical Support
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET:
[email protected]
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | IP# 192.187.128.1
Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA | USR HST Courier DS | or GO MCAFEE
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 37]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
