Date: Mon, 19 Oct 1992 14:41:07 -0400
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #165

VIRUS-L Digest            Monday, 19 Oct 1992    Volume 5 : Issue 165

Today's Topics:

Re: MtE? No problem! ... but problem... (PC)
Virus slowing down PC and causing beeps at boot? (PC)
VIRSCAN and Joshi virus (PC)
WordPerfect Mutant Files & Novell (PC)
Michaelangelo on Driver Disks (PC)
HELP! (Re: IBM password) (PC)
V-Sign virus (PC)
FProt (PC)
SCAN 95b doesn't find MtE in EXE files (PC)
C: vs A: boot selection (PC)
Re: VCL operation (PC)
Re: Virus alert: "Larry on a Screen" (PC)
Anti-virus public domain softwares (PC)
Re: VCL operation (PC)
Pkzip 3.05 (PC)
Re: self-checking programs (PC)
FORM on an OS/2 system (OS/2)
Integrity Checkers
DOK-V 1.00 Alpha-A test engine ready to FTP. How do I do it?
computer security in libraries
McAfee VIRUSCAN V97 uploaded to SIMTEL20 (PC)
mcafee's `97' available (PC)
Memoirs of a (cross border) virus researcher (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 07 Oct 92 09:18:46 +0000
From: eugene@kami.npimsu.msk.su (Kaspersky Eugene Valentinovitch)
Subject: Re: MtE? No problem! ... but problem... (PC)

Hi all!

I have just written the 'void MtE(int Len)' subroutine. It is my old subroutine Emulator_86(), but heavily optimized. This subroutine is written in Borland C; I know that it would be better to write it in assembler, but the time ... :-( . I removed the analysis of all instructions which are not generated by MtE and added the 286 MtE instructions. This routine decrypts 'Len' or more bytes of MtE-encrypted code. It is not fast - up to 1/2 second per file infected by an MtE-based virus on an AT-286/16MHz. It removes the virus very slowly, maybe 1-2-4-8 seconds per infected file, but all the files are cured OK! Non-infected files are checked very fast.

I also use the following method: I try to MtE-decrypt every file for 80h bytes of the virus body. After this procedure I (my antivirus) check the decoded code for the first bytes of the MtE viruses; if some bytes are equal to the virus's bytes, then I decrypt more bytes (if needed). So it takes several minutes to append a new MtE-based virus to my anti-viral database.

This routine is ready, but it needs some optimization and checking against several thousand MtE samples.

A problem: I tried to infect files on the 'sacrificial XT' - and some files (about 1/3) are infected incorrectly!
and these files are infected OK on the 'sacrificial AT'. Why? Where are the bugs in the MtE algorithm?

The question: Are some of the MtE-based viruses 'in the wild' in the West? In Russia these viruses are not in the wild. MTE090.ZIP and the magazine 40Hex are not available in Russia (which is very good), but the Russian virus writers are trying to make polymorphic viruses. For example, the "ABC" virus and the viruses from the "Mutant" family. I think that they are Russian because they are not known to Western anti-viral programs. These viruses use en/decryption algorithms which are more difficult than the "V2P6" and "Amoeba" algorithms, but not more than MtE.

The best MtE-regards,
Eugene Kaspersky

--
Eugene Kaspersky, KAMI Group, Moscow, Russia
eugene@kami.npimsu.msk.su, +7 (095) 499-1500

------------------------------

Date: Tue, 13 Oct 92 18:09:56 +0000
From: marvo@asl.uni-bielefeld.de (Markus Vogt)
Subject: Virus slowing down PC and causing beeps at boot? (PC)

Does anybody know a virus which slows down the system and causes a beep sequence if one reboots the computer? I have this problem when I work with WordPerfect 5.1 on my 386. I think it's not because of swapping and system memory management that it takes so much time to move the cursor in the WP51 document. It's the same strange behaviour in big as in small documents.

Additionally, I sometimes have difficulties using the printer from inside WordPerfect 5.1. That means sometimes one can print and sometimes the print job is just stuck in the printer queue whereas the printer is ready and idle. If you try to change the printer setup one can sometimes read "cannot find WP.FIL", and as soon as one changes to 'printer control' the program locks up. Its occurrence is still unpredictable. Although I tried several different ways of reinstalling, I have always had this printer problem since around 21/22 September '92.

If there's anybody who could help me or give me any hint, his reply would be really appreciated!

Thanks in advance, Markus.
----------------------------------------------------------------------
Markus Vogt
University of Bielefeld, Room-Nr. C6-141
PO Box 100131, W-4800 Bielefeld 1
Tel.: +49 521-106-3518 or +49 521-109765
uteca008@Unibi.HRZ.Uni-Bielefeld.DE or marvo@asl.Uni-Bielefeld.DE
----------------------------------------------------------------------

------------------------------

Date: Tue, 13 Oct 92 14:59:47 -0400
From: LKHGC%CUNYVM.BITNET@mitvma.mit.edu
Subject: VIRSCAN and Joshi virus (PC)

Can the 1992 version of VIRSCAN detect the Joshi virus?

Karina Hui
bitnet: LKHGC at CUNYVM
internet: LKHGC AT CUNYVM.CUNY.EDU

------------------------------

Date: Tue, 13 Oct 92 16:31:34 -0400
From:
Subject: WordPerfect Mutant Files & Novell (PC)

There has been a recurring problem here that I am hoping someone else has had and can give me a few pointers about. I am new to this newsgroup, so I apologize if you have discussed this ad infinitum and I missed it.

Some background: I work in a university computer lab. We are open 24 hours/day, 7 days/week. There are 120 or so IBMs and compatibles using NetWare 3.11. True, this is not the most secure environment, but we take as many precautions as possible (McAfee VShield, and we scan as many incoming disks as possible).

The problem is that for the past year or so (maybe longer), every so often one of our WordPerfect files "goes mutant" on us. This hasn't happened on a regular basis by any means, but it has occurred often enough for us to pin down the problem. What happens is that one of the user's temporary files, .BV1 or .TV1, will grow to 1 meg or more of disk space. All computers will get the system message "Server Almost Out Of Disk Space". The "mutant" files will not show up on the server until the person's computer has already locked up and they have rebooted their system.
To make the situation more interesting, we keep about 100 megs free on the server. Once the mutant file is deleted, all the disk space frees up.

If any of you have seen this problem, please e-mail me. If anyone would like to know more details, I'll get 'em. I would like to think there may be an explanation for the problem. But that may be wishful thinking.

Thank You In Advance

Colleen McGlone                Internet: MCGLONE@AMERICAN.EDU
Anderson Computer Lab          Bitnet:   MCGLONE@AUVM
The American University
Washington, DC 20016-8134

------------------------------

Date: 13 Oct 92 14:20:03 +0000
From: mcdchg!ast!melka@gatech.edu (John F. Melka)
Subject: Michaelangelo on Driver Disks (PC)

An infection of Michaelangelo has been found on some factory-sealed diskettes owned by an associate of mine. They were discovered during a routine scan of floppies originating from his machine. Once the infection was discovered, he ran F-PROT V205 against the disk and his entire collection of floppies, including the factory-sealed ones (the write-protect tab is under the factory-provided label, or there is no write-protect notch). His hard disk, of course, showed infection, as did the VGA driver floppies (these are factory sealed). Identification on the floppies was: PVGA 1024x, no manufacturer. As the VGA card and floppies were obtained from a Pacific Rim distributor, it is assumed that these diskettes are of similar origin.

Sorry if this is a repeat of an old posting, but if it is, then there appears to still be a crop of these babies out there.

BTW, my associate sends many thanks to "frisk" for the use of his program. (It kept him out of hot water with his 6-year-old who "shares" the computer with him.)

---------------------------------------+---------------------------------------
John F. Melka                          | Trucks are the plaque in the arteries
Technical Advisor                      | of transportation.
---------------------------------------+---------------------------------------
Any Opinions Expressed By The Speaker/Management, May Not Necessarily Be Those of the Management/Speaker.

------------------------------

Date: Wed, 14 Oct 92 20:00:35 +0000
From: doug@cc.ysu.edu (Doug Sewell)
Subject: HELP! (Re: IBM password) (PC)

I just posted this to comp.security.misc, but I figure I'll post it here for anyone else that has suggestions:

We have just installed a new lab of Gateway 486-33 machines with IDE hard drives. The BIOS (Phoenix 4.03 00) doesn't have a documented way of password-protecting the machine. A student has installed some form of password protection on the machine. If you boot from a floppy disk, the machine hangs. If you boot from the hard drive, the screen clears and the word 'Password:' is displayed.

We suspect it's some form of commercial or shareware password protection that embeds itself in the partition table or some other place where it will be activated during the power-on self test.

Do you have any suggestions (besides removing the hard drives - which we're considering)?

Incidentally, it's quite likely that the student responsible is reading this forum.

Also, apologies if this is a FAQ; I'm constructing a database job to search the archives now.

--
Doug Sewell, Tech Support, Computer Center, Youngstown State University
doug@cc.ysu.edu   doug@ysub.bitnet   !cc.ysu.edu!doug
Family Values: the sexist, racist, homophobic, classist, "Christian" values of the 50's.

------------------------------

Date: Wed, 14 Oct 92 17:20:00 -0600
From: KIT@VAX1.Mankato.MSUS.EDU
Subject: V-Sign virus (PC)

Hello,

When I run the F-Prot anti-virus program on my IBM PS/2 PC, it gives me a warning, "V-Sign virus found in memory". The version of the F-Prot program is 2.05b - October 1992 by Fridrik Skulason. Does anybody know what the V-Sign virus is? How do I get rid of it?

Thank you for your reply in advance.
Kakit

------------------------------

Date: 16 Oct 92 08:38:48 +0000
From: ygoland@edison.SEAS.UCLA.EDU (The Jester)
Subject: FProt (PC)

Some questions:

1. Fritz said he's coming out with a new version, and then I heard that there were some things he was still doing. Is there a date for release? When it's released, where can I be sure of finding it?

2. Right now when I try to use F-Prot on an HPFS drive it just says 'error reading drive'. Are there plans to make F-Prot OS/2 compatible?

Yaron (The Jester) Goland
--
"Only the blind see in color."
"Any union based upon pigment is foolish ignorance designed to give power to those few who enjoy power's taste above the common welfare."

------------------------------

Date: 16 Oct 92 14:42:27 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: SCAN 95b doesn't find MtE in EXE files (PC)

Hello, everybody!

I was preparing an updated review of the ability of the popular scanners to detect the MtE-based viruses. The tests are not finished yet, but the very preliminary results showed that VIRUSCAN version 95b from McAfee Associates NEVER detects EXE files infected with these viruses. ALL of the 4,000 generated infected EXE files were missed! Currently there are two MtE-based viruses that infect EXE files - CoffeeShop (infects only EXE files) and Groove (infects both COM and EXE files). The scanner also missed hundreds of infected COM files, but this is another story...

Having in mind how popular this scanner is, I thought that I should post an urgent warning: DON'T RELY ON SCAN FOR DETECTION OF MtE-BASED VIRUSES!

If you suspect that you are infected with an MtE-based virus, try the program CatchMtE. This program detects MtE-based viruses ONLY and is freeware. If you need a scanner that is able to detect other viruses too, try F-Prot (shareware, free for individual use). Version 2.05 (might not be the latest) was able to detect ALL MtE-infected samples in our tests.
Both programs can be obtained from our ftp site, ftp.informatik.uni-hamburg.de (IP=134.100.4.42), directory pub/virus/progs, files catchm14.zip and fp-205.zip.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: Fri, 16 Oct 92 13:38:06 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: C: vs A: boot selection (PC)

>From: duck@nuustak.csir.co.za (Paul Ducklin)
>                                     Once you've chosen, you get no feedback
>during subsequent bootups to remind you of the configuration. If you go
>back to the "A: C:" sequence in order to let yourself boot from floppy,
>you need to remember to reselect "C: A:" next time.

Actually you have two options:

The first is, since the bootup selection is stored in CMOS, all that is necessary is a) knowledge of which byte makes the selection and b) a small (ca. 10h bytes + ASCII) .COM to check that it has not changed. Just for one source (more kudos), AMI maintains on their bulletin board a number of technical documents (albeit in WP format 8*( ) that describe the CMOS addresses and meanings; that's how I found mine.

The second is my FREEWARE program NoFBoot (found inside FixUtil3.Zip) that will protect against warm boots from floppy. IMHO such a three-layer protection is probably enough.

As a sidelight, in another lifetime when I was involved in the design of digital flight controls for the F-16 and F-111, one of the major elements was failure and redundancy management. As a general rule, flight-critical systems were designed to be two-fail-operational, third-fail-safe (the last was aka "Land It Now!").
Among other things, the failure to detect a failure was considered an automatic second failure (of course, detecting the failure to detect was Yet Another problem. Such considerations color many of my V-L postings).

Warmly,
Padgett

ps Finally bit the bullet and bought a 14.4 Fax/Modem (under US300 + US20 for the Caller-ID ROM from a mail order house, about 3/4 list price) and the difference over my old 2400 unit is amazing. Should pay for itself in short order (I get a volume discount from Sprint). (Does this make a 300 baud TI Silent 700 a collectable?)

What seems really incredible is that some people are still selling data-only modems and trying to get the same price and more... Another interesting point is that the magazines cannot keep up with the rate of change anymore. A recent review includes this modem, but since the review ROM changes added fall-forward and MNP-10, both impressive features. Anymore, you just about have to call the company to find out what the special-of-the-week is; I'm finding it nearly a full-time hobby just staying current.

Suspect 14.4 *might* be a limit for a while since the PC serial port hardware, particularly the 8450, is straining a bit at this level; the 16550AFN has a 16-byte buffer and is better, but at 57,400 effective the Windows overhead becomes excessive. Can see a market opening up for serial cards with 16k (32? 64?) byte I/O buffers RSN, particularly if VSUM gets any bigger ('09 is 700k).

Enough

------------------------------

Date: 16 Oct 92 21:28:31 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: VCL operation (PC)

fc@turing.duq.edu (Fred Cohen) writes:

> I have been trying to get VCL to operate on my system, and I think the
> authors don't know how to write compatible code. Does anyone know how

Ha! This is an understatement - I would say that they don't know how to write any working code at all...
If you manage to get their program running (which is not that trivial, as you have observed), you'll see that the viruses that they are generating are extremely buggy (besides being simplistic non-resident COM infectors). Most of them do not assemble, those that do hang the machine when executed, and those that don't hang usually refuse to spread... Let's hope all virus writers will write code with this "quality"... It's just so boring to disassemble it...

> to get it to work on a 286 with a black and white screen (HGA)? Or do

Probably the routines for the flashy window interface do not know about this video adapter and write to the wrong address when accessing the video RAM. Try an EGA or even CGA adapter - it might work.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: 16 Oct 92 21:35:37 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus alert: "Larry on a Screen" (PC)

brian@probitas.cs.utas.edu.au (Brian Marriott) writes:

> A virus has shown up in Tasmania, Australia, which we haven't seen
> reported before, and which isn't known by name to F-Prot 205 or TBScan

F-Prot 2.05b will detect it - I am just beta-testing it.

> We have only analysed it far enough to get its name and an ID string;
> we don't know potential damage.

No permanent damage. Transient damage: every fourth time the virus infects a file, it displays the message "Larry on a Screen".
> Name: Larry on a Screen
> Infects: .EXE & .COM files (at least)
> .COM files seem to grow by 491 bytes, .EXE files by a varying amount

Correct, the virus infects them only on execution (not on copying), and the file type is recognized by the file extension (not by the magic number in the first two bytes).

The virus uses an interesting trick to preserve the date of the infected files. It normally opens the file for reading and writing, without bothering to get the date & time. Then, just before closing the file it has written to, the virus consecutively does GetDateAndTime and SetDateAndTime. Seems that the trick works... Probably because DOS updates the time & date information during the Close operation, not during the Writes.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226    Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. >    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date: Sat, 17 Oct 92 11:13:06 +0000
From: M.Rawidean1@lut.ac.uk (M Rawidean)
Subject: Anti-virus public domain softwares (PC)

Could someone out there please give me some pointers (if possible some public domain anti-virus software) on how to kill the Joshi virus. Please e-mail replies to me. Any help would be highly appreciated.

--
dean, M.Rawidean@lut.ac.uk

------------------------------

Date: Sat, 17 Oct 92 21:54:18 +0000
From: sbc@netcom.com (Spencer Clark)
Subject: Re: VCL operation (PC)

fc@turing.duq.edu (Fred Cohen) writes:

>I have been trying to get VCL to operate on my system, and I think the
>authors don't know how to write compatible code. Does anyone know how
>to get it to work on a 286 with a black and white screen (HGA)? Or do
>the virus creation lab people only design their VCL for those with
>lots of money? I suppose it's only for elite virus writers, and not
>for the rest of us.
From my experience, VCL needs a color monitor. I tried to install it on our mono 286 with no luck. Actually, we got it to install with difficulty on a color system. And they didn't even leave a tech support number :)

Spencer Clark
Programmer
McAfee Associates
--
****************************************************************
\ "I am gross and pernicious, but you can't look away          /
/  I make you think I'm delicious, with the stuff that I say   \
\  I'm the best you can get, have you guessed me, yet?         /
/  I'm the slime, oozin' out from your T.V. set!" - Frank Zappa \
****************************************************************
Hi! I'm a .signature virus! Add me to your .signature and join in the fun!

------------------------------

Date: 18 Oct 92 17:13:53 +0000
From: jwfernyc@THUNDER.LakeheadU.CA (JASON W FERNYC)
Subject: Pkzip 3.05 (PC)

Does anyone know if Pkzip 3.05 (I know it is bogus) is infected with some kind of new virus? I noticed it on one of the network computers at school and didn't notice it before using my disks in the drives for quite some time. I scanned the computer and everything checks out, but I don't want to take any chances!

[Moderator's note: To my knowledge, no official PKZIP 3.05 exists; numerous unofficial PKZIP versions have been released over the past several months, most/all of which have contained malicious code. Be wary of strangers bearing PKZIPs.]

------------------------------

Date: 18 Oct 92 16:54:57 -0400
From: Kevin Dean <76336.3114@CompuServe.COM>
Subject: Re: self-checking programs (PC)

From Vesselin Bontchev:

> 76336.3114@CompuServe.COM (Kevin Dean) writes:
KD > ... Stealth Bomber is a set of C- and Pascal-callable
KD > routines that perform a CRC check on the running program and do a
KD > system check for any suspicious behaviour related to stealth viruses.
> Have you actually tried it against Dir_II?

No, I haven't. My statement above is misleading and I apologize.
Neither Stealth Bomber nor any other virus detection package, present or future, will detect all possible viruses. In addition to doing a CRC check (which will catch any non-stealth file virus), Stealth Bomber looks for suspicious behaviour in DOS related to stealth viruses. Unfortunately, some versions of DOS exhibit virus-like symptoms (DR-DOS 6.0 comes to mind), and I have the same problem with false alarms that Fridrik Skulason has with the heuristic virus search in F-Prot. Because of the nature of my package, false alarms are unacceptable and I have to specifically exclude such behaviour from my tests.

My resources are somewhat limited, so if anyone can provide me with details on exactly what DIR-II and other stealth viruses that Stealth Bomber misses do, I will gladly try to check for them as well. Stealth Bomber is a public domain package, and any help in maintaining it will be greatly appreciated.

Kevin Dean

------------------------------

Date: Mon, 19 Oct 92 09:09:25 -0400
From: Kevin_Haney@nihcr31.bitnet
Subject: FORM on an OS/2 system (OS/2)

Dr. Bill Peel asks,

>A colleague has a PC which can dual boot to either DOS or OS/2. Both
>Jim Bates's VISCAN and F-PROT v2.05 report that the file BOOT.DOS in
>C:\OS2\SYSTEM contains a FORM image...My colleague says (I haven't
>had time to check this) that she cannot find BOOT.DOS on any of the
>original OS/2 disks... Could any of the experts say whether this is a
>real infection and if so how to recover from it. We have had
>infestations of FORM on both floppy disks and DOS-only hard disks.

The file BOOT.DOS is one which OS/2 creates upon installation on your hard disk (which is why it isn't on any of the OS/2 distribution diskettes). It contains an image of your original DOS boot sector, allowing you to dual boot to DOS. When you dual boot to DOS, the BOOT program copies this image file back to the boot sector location and changes your CONFIG.SYS and AUTOEXEC.BAT back to their DOS versions, so DOS can boot.
If you have a DOS virus in your boot sector, OS/2 will make an image of that virus when it creates BOOT.DOS. The way to get rid of it is to dual boot to DOS, reboot using a clean DOS diskette so that FORM isn't active, and then run a disinfection program on your hard disk.

Kevin Haney
Internet: khv%nihcr31.bitnet@cu.nih.gov

------------------------------

Date: Fri, 16 Oct 92 18:35:28 +0000
From: mechalas@mentor.cc.purdue.edu (John Mechalas)
Subject: Integrity Checkers

What program(s) (PD or shareware) would you recommend for integrity checking?

--
John Mechalas                              [This space intentionally left blank]
mechalas@mentor.cc.purdue.edu
Purdue University Computing Center         Help put a ban on censorship
General Consulting                         #include disclaimer.h

------------------------------

Date: Sat, 17 Oct 92 13:56:03 -0400
From: MCHLG%CUNYVM.BITNET@mitvma.mit.edu
Subject: DOK-V 1.00 Alpha-A test engine ready to FTP. How do I do it?

Hi Everybody! :)

A while ago, I had posted a notice requesting information on virus signatures and relevant information on PC-based viruses. I would like to thank all the people who have helped me thus far in obtaining, verifying, and in some cases re-obtaining and verifying the information for my humongous project. I believe the largest stumbling block was the development of the actual database engine, but through much patience, perseverance, and good ol' plain stubbornness, I believe I actually now have something worth using as a research tool for the process of identifying viruses. It's called:

DOK-V
DATABASE OF KNOWN VIRUSES -- PC EDITION
VERSION 1.00000A1 ALPHA - LEVEL A
Copyright (c) 1992 Bits-N-Bytes Computer Services
All Rights Reserved

The information compiled in this database comes from at least a dozen or so different sources.
However, being that the database engine is in the first level of alpha testing, I'd like to get opinions from the other professionals in the field, as well as any other people who deal with viruses on a day-to-day basis, on what they think of it. To try to make things as easy as possible, the database used is a .dbf format, which means any program which can read the dBase (R)(TM) .DBF format (ex. dBase, Paradox, Quattro Pro, Lotus 1-2-3, etc...) will be able to read and manipulate this database.

I believe there are still quite a few problems that will need working out, being that this is the 1st stand-alone operational version of DOK-V. For right now, I only ask this: that you try DOK-V and tell me what you think of it; meaning what you think of the arrangement of the information in the program, how easy it is for you to get to the info you need, and to tell me about any problems you have with DOK-V while you are using it.

As a side note, I've been trying to set DOK-V up so that I could upload it to an FTP site, but I've had no luck. Could someone help me set up my virus database program DOK-V so that I could upload it to an FTP site? What I have been doing is using PKZIP to compress it, then using uuexe 5.10 to set it up so it could be uploaded in ZIP format to the mainframe center here; somewhere between using these two to set it up, things go screwy. (I think I got a bad copy of uuencode.) :'( Can someone who is more proficient at PC-to-mainframe uploading/downloading of binary files please give me a hand?

-------
____________________________________________________________________________
| Christopher Mateja (PRES. / OWNER)   |Bitnet:                             |
| Bits-N-Bytes Computer Services       |Internet:                           |
| 333 15th street, Suite #2            |Compu$erve: Disabled Due To Conflict|
| Brooklyn, NY 11215-5005 ( USA )      |FIDONET: ( COMING SOON )            |
|======================================++ voice: (718) 788-3096             |
| As Someone's already said, ABSOLUTELY +------------------------------------|
| NOTHING'S impossible for the person who doesn't have to do it! :)         |
|____________________________________________________________________________|

------------------------------

Date: Sun, 18 Oct 92 21:19:13 +0000
From: leonard@alexia.lis.uiuc.edu (Patt Leonard)
Subject: computer security in libraries

As a class assignment, I started the following bibliography of works related to protecting library computer systems from viruses, trojan horses, etc. I hope that you find it of interest. Please send me references for any titles you would recommend. Thank you.

Patt Leonard
leonard@alexia.lis.uiuc.edu
Grad. Sch. of Lib. & Info. Sci., Univ. of Illinois at Urbana-Champaign

* * * * * * * * *** * * * * * * * *

Bibliography of works related to software protection in libraries
--------------------------------------------

Aucoin, Roger F. "Computer Viruses: Checklist for Recovery," _Computers in Libraries_, (Feb. 1989): pp. 4, 6-7.
   Practical, step-by-step instructions for recovering from an infection on an IBM-compatible microcomputer, and making back-ups.

Balas, Janet. "Telecommunications [column]: Computer Security Revisited," _Computers in Libraries_, (Feb. 1991): p. 34.
   Introduction to the National Computer Systems Laboratory Computer Security BBS, which is sponsored by the National Institute of Standards and Technology.

Barry, Maria C. "Computer Viruses: Interview with Frederick Cohen," _Special Libraries_, vol. 81 (Fall 1990): pp. 365-7.
   Cohen is with Advanced Software Protection, Inc.

Butzen, Frederick, and Francine Furler.
"Computer Security: A Necessary Element of Integrated Information Systems," _Bulletin of the Medical Library Association_, vol. 74 (July 1986): pp. 210-16.

Drewes, Jeanne. "Computers: Planning for Disaster," _Law Library Journal_, vol. 81, no. 1 (Winter 1989): pp. 103-116.
   Article is about recovery from natural disasters, such as fires and floods, but includes advice about making backups and storing them off-site. Includes bibliography on recovering from natural disasters.

Flanders, Bruce. "Protecting the Vulnerable CD-ROM Workstation: Safe Computing in an Age of Computer Viruses," _CD-ROM Librarian_, vol. 7, no. 1 (Jan. 1992): pp. 26-29.
   Describes the Norton Anti-Virus and Central Point Anti-Virus programs for protection against DOS viruses.

Helsing, Cheryl, Marianne Swanson, and Mary Anne Todd. "Computer User's Guide to the Protection of Information Resources," _Information Reports and Bibliographies_, vol. 20, no. 2 (1991): pp. 13-16.

Jaffe, Lee. "Reader's Soapbox [column]: Libraries Without Walls," _Technicalities_, vol. 10, no. 9 (Sept. 1990): pp. 5-7.
   Article for the most part summarizes a discussion which took place on the PACS-L list in Spring 1990 about the dangers/merits of providing dial-up access to library OPACs. Some non-technical remarks about the danger of unauthorized access to and use of the computer on which the library OPAC (online public-access catalog) runs.

Johnson, D. _The Future of Electronic Educational Networks: Some Ethical Issues_. ERIC, May 1991. 15 pg. (ED 332 689)
   Considers issues of privacy and equal access to information on computer networks; includes some discussion of viruses on networks. Author recommends increased security balanced with user needs in e-mail, academic library services, and international networks.

Koga, James S. "Security and the PC-Based Public Workstation," _Online_, vol. 14, no. 5 (Sept. 1990): pp. 63-70. Erratum, vol. 15 (Jan. 1991).
   Concerned with computer crimes and microcomputers for public use.
Lincoln, Alan Jay. "Computer Security," _Library & Archival Security_, vol. 11, no. 1 (1991): pp. 157-171. Primarily summarizes general computer security literature, with some emphasis on government publications in the field. Describes security threats, and measures to preserve security, such as educating system users, and preventing unauthorized access to hardware. Machalow, Robert. "Security for LOTUS Files," _Computers in Libraries_, vol. 9 (Feb. 1989). Primich, T. "Coping with Computer Viruses: General Discussion and Review of Symantec Anti-Virus for the Macintosh," _Library Software Review_, vol. 11, no. 2 (March 1992): pp. 9-12. Describes two viruses which affect Macintosh: Scores and n VIR B. Also describes the SAM Virus Clinic and SAM Intercept anti-virus programs, and their applications in libraries. Soon, Ang, and Detmar W. Straub. "Securing CD-ROMs and the Microcomputer Environment," _Laserdisk Professional_, vol. 2 (July 1989): pp. 18-23. Stover, Mark. "Issues in CD-ROM Security," _CD-ROM Librarian_, vol. 4, no. 6 (June 1989): pp. 16-20. Valauskas, Ed. "Viruses and the Role of Responsibility," _Library Workstation and PC Report_, (Jan. 1989): pp. 6-10. Concerned with Macintosh viruses. Includes bibliography of works on Mac viruses. Vasi, J. "Setting Up CD-ROM Work Areas. Part 2: Integrating CD-ROM Functions into Library Services," CD-ROM Professional_, vol. 5, no. 3 (May 1992): pp. 38-43. Discusses how to integrate CD-ROM functions into library services; includes some discussion of security issues. Wilkinson, David W. "CD-ROM Public Workstation Security: Reducing the Risk Factor," _Library Software Review_, vol. 10 (Nov./Dec. 1991): p. 407. Presented at the CIL Conference 1991. Wilkinson, David W. "Public CD-ROM Workstation Security: Contexts of Risk and Appropriate Responses," _CD-ROM Librarian_ (Jan. 1992): pp. 20-29. Describes measures taken at JFK Memorial Library, Calif. 
State Univ., Los Angeles, to secure the hardware and software of the CD-ROM end-user workstations, to protect against theft, piracy, misuse, and vandalism. Yerkey, A. Neil. "Password Protection for dBASE Applications," _Microcomputers for Information Management_, vol. 6, no. 1 (March, 1989): pp. 33-45. [From the abstract:] "This paper discusses the differences between security and privacy, and then describes several data security categories, such as physical protection of storage media, hardware-based system access control devices, DOS-level access control, function-specific password protection, and data encryption." "Unshielded Terminals Can Knock Out Security," _Library Journal_, vol. 110 (March 1, 1985): p. 30. "Viruses: No Small Pox" _OCLC Micro_, vol. 5, no. 1 (Feb. 1989): pp. 17, 28. Introduction to viruses and preventative measures, written for novices. Includes references to general computer virus literature. ------------------------------ Date: Sat, 17 Oct 92 04:37:29 -0400 >From: mcafee@netcom.com (McAfee Associates) Subject: McAfee VIRUSCAN V97 uploaded to SIMTEL20 (PC) I have uploaded to WSMR-SIMTEL20.Army.Mil: pd1: CLEAN97.ZIP CLEAN-UP V97 virus disinfector for PC's, LAN's NETSCN97.ZIP NETSCAN V97 network scanner, checks file servers for viruses SCANV97.ZIP VIRUSCAN V97 system scanner, checks PC's for viruses WSCAN97.ZIP WSCAN V97 Windows 3.x version of VIRUSCAN VSHLD97.ZIP VSHIELD V97 virus prevention TSR WHAT'S NEW Version 97 of the VIRUSCAN (SCAN, CLEAN, VSHIELD, NETSCAN, WSCAN) series adds detection of 70 new viruses, bringing the total number of known viruses to 755, or counting variants, 1,471. CLEAN-UP adds disinfection routines for three new viruses: Cansu, a floppy disk boot sector and hard disk partition table infector, the 644 virus, a memory-resident .COM and .EXE infector, and another file-infecting virus called Creeper. WSCAN has been updated so the VIRUSCAN, WSCAN, and data files created by WSCAN can be kept in seperate directories. 
VALIDATE values for Version 97:

CLEAN-UP V97 (CLEAN.EXE)              S:104,976  D:10-16-92  M1: 2EF8  M2: 0190
NETSCAN V97 (NETSCAN.EXE)             S:79,325   D:10-16-92  M1: CFA8  M2: 0C8F
SCAN FOR WINDOWS V97 (WINSTALL.EXE)   S:17,066   D:10-15-92  M1: E4CF  M2: 0AF9
SCAN FOR WINDOWS V97 (WSCAN97.EXE)    S:90,128   D:10-15-92  M1: 3786  M2: 17C9
VIRUSCAN SCANV97 (SCAN.EXE)           S:81,681   D:10-15-92  M1: 86AD  M2: 16B6
VSHIELD VSHLD97 (VSHIELD.EXE)         S:44,735   D:10-15-92  M1: 44FF  M2: 15A7

Regards,

Aryeh Goretsky
McAfee Associates Technical Support
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
McAfee Associates, Inc.     | Voice (408) 988-3832 | INTERNET:
3350 Scott Blvd, Bldg 14    | FAX   (408) 970-9727 | mcafee@netcom.COM
Santa Clara, California     | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95054-3107 USA              | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR

------------------------------

Date: Sat, 17 Oct 92 11:31:00 -0400
>From: HAYES@urvax.urich.edu
Subject: mcafee's `97' available (PC)

Hello. Just to report the availability for FTP processing of the new 97 series of programs from McAfee Associates:

CLEAN97.ZIP
NETSCN97.ZIP
SCANV97.ZIP
VSHLD97.ZIP
WSCAN97.ZIP

- -----
Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files.
- -----

Enjoy, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes      HAYES @ URVAX              (Vanilla BITNET)
University of Richmond    hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date: Fri, 16 Oct 92 15:54:29 -0700
>From: rslade@sfu.ca
Subject: Memoirs of a (cross border) virus researcher (CVP)

MEMOIR2.CVP   920930

Memoirs of a (cross-border) virus researcher

I suppose different people see me differently. Some might only notice my weekly columns. Some might be more interested in the antiviral contacts list, or the BBS list. Some people definitely do not like the quick reference list of antiviral software. Many might disagree, but I see the series of antiviral software reviews as my most important contribution.

There isn't any budget for this. I do not charge developers for reviewing their products, and I don't (so far) receive any payment from users. However, the costs are not high. Developers send free copies of their product, and my only outlay is for the occasional mailing to request antiviral materials, software and products. Plus my time. At least, that's the theory.

Bear with me while I digress into politics for the moment. Since I started all this, the "Chin-That-Walks-Like-a-PM" has foisted upon us something called the "Free Trade Agreement". This is supposed to make cross border dealing much easier. In fact, just recently the government has extended this deal to become the "North American Free Trade Agreement", covering more ground, doncha know. This means that importing and customs are going to be much easier to deal with, as well as cheaper. At least, that's the theory.

So how come this has recently become so very much more difficult and costly?

It used to be that my only worry was someone sending a package via UPS. (UPS seems to be congenitally unable to deal with national boundaries.)
Most courier services seemed to be able to handle it, although the good old national mail service was often the best bet. All the developer or publisher had to do was write "evaluation copy, no commercial value" on the package, and all was well. I got the software, and the reviews went forth.

Then we got the GST, and in spite of there being no commercial value a "service value" had to be charged. (What "service value"? I'm the one providing the service here, and *I'm* not charging anyone.) So a fictional (low) service value has to be put on it, generally reflecting the price of the blank disks.

No longer. I have here a package from a software developer. Via US Mail and then Canada Post. He has been very careful. The package has a customs declaration. The material is described as "two diskettes and printed material". It is described internally as an "evaluation copy, not for resale or use". A value of $2 is declared. I had to pay $7.98 to receive it. $2.98 is the GST. GST is seven percent. Seven percent of $2 is $0.14. Ah, but the value for tax is not the $2 declared. The value for tax is $42.53. Where did they get $42.53 from? I have no idea.

Even so, there is still $5 unaccounted for. Ah, no, here we are. $5 "handling fee". "Handling fee?" This is the *post office*! They are supposed to handle mail! Or maybe it's the $2.98 GST that they are charging $5 to handle. In that case, I didn't ask them to handle it. If Revenue Canada wants them to handle the GST, let Revenue Canada pay the $5 handling fee to collect the $2.98. Or, since the $2.98 is a result of "mishandling", the $0.14 that they should be handling.

So much for "free trade". But then, like the man said, be grateful you don't get all the government you pay for.

copyright Robert M. Slade, 1992   MEMOIR2.CVP   920930

=============
Vancouver       ROBERTS@decus.ca      | Life is
Institute for   Robert_Slade@sfu.ca   | unpredictable:
Research into   rslade@cue.bc.ca      | eat dessert
User            p1@CyberStore.ca      | first.
Security        Canada V7K 2G6        |

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 165]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
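The VALIDATE listing in the McAfee post above publishes a size, a date and two 16-bit check values for each executable so that someone who fetches the archives from an FTP site or BBS can confirm they hold an unmodified copy. What follows is an added example, not McAfee's VALIDATE program or anything posted to the digest: it parses lines in that S:/D:/M1:/M2: format and checks a file against them. The real M1/M2 algorithms of VALIDATE.COM are not reproduced here; as labelled stand-ins it uses CRC-16/CCITT (binascii.crc_hqx) for M1 and a 16-bit additive checksum for M2, so values it computes will not match the ones published in the post. The sample "binary" and its manifest line are constructed inside the block.

```python
"""
Verify a downloaded binary against a published VALIDATE-style manifest line.

Added example, not McAfee's VALIDATE code. The line format (S: size, D: date,
M1/M2: two 16-bit check values) is the one used in the VIRUS-L post; the real
M1/M2 algorithms of VALIDATE.COM are NOT reproduced. As stand-ins (assumptions)
M1 is CRC-16/CCITT via binascii.crc_hqx and M2 is a 16-bit additive checksum.
"""
import binascii
import re

# Matches e.g. "VIRUSCAN SCANV97 (SCAN.EXE) S:81,681 D:10-15-92 M1: 86AD M2: 16B6"
VALIDATE_LINE_RE = re.compile(
    r"\((?P<name>[A-Z0-9_]+\.[A-Z]{3})\)\s+"
    r"S:(?P<size>[\d,]+)\s+D:(?P<date>\d\d-\d\d-\d\d)\s+"
    r"M1:\s*(?P<m1>[0-9A-Fa-f]{4})\s+M2:\s*(?P<m2>[0-9A-Fa-f]{4})"
)


def parse_validate_line(line):
    """Parse one manifest line into a dict of expected name/size/date/M1/M2."""
    m = VALIDATE_LINE_RE.search(line)
    if m is None:
        raise ValueError("not a VALIDATE line: %r" % line)
    return {
        "name": m.group("name"),
        "size": int(m.group("size").replace(",", "")),
        "date": m.group("date"),
        "m1": int(m.group("m1"), 16),
        "m2": int(m.group("m2"), 16),
    }


def check_m1(data):
    """Stand-in for M1 (assumption): CRC-16/CCITT over the whole file."""
    return binascii.crc_hqx(data, 0)


def check_m2(data):
    """Stand-in for M2 (assumption): 16-bit additive checksum of all bytes."""
    return sum(data) & 0xFFFF


def make_validate_line(name, data, date):
    """Publisher side: emit a manifest line for `data` in the digest's format."""
    return "%s (%s) S:%s D:%s M1: %04X M2: %04X" % (
        name.split(".")[0], name, "{:,}".format(len(data)), date,
        check_m1(data), check_m2(data))


def verify(data, expected):
    """Downloader side: return a list of mismatches against a parsed entry.

    An empty list means size and both check values agree. Size is checked
    first because a wrong size already proves this is not the published file.
    Two independent 16-bit checks make an accidental match on a corrupted or
    trojaned copy unlikely, but not impossible: 16-bit checks are trivially
    forgeable by anyone who can also alter the file, so the manifest is only
    as trustworthy as the channel it arrived through (here, the moderated
    digest itself, separate from the FTP site that serves the archives).
    """
    problems = []
    if len(data) != expected["size"]:
        problems.append("size: got %d, expected %d" % (len(data), expected["size"]))
    m1 = check_m1(data)
    if m1 != expected["m1"]:
        problems.append("M1: got %04X, expected %04X" % (m1, expected["m1"]))
    m2 = check_m2(data)
    if m2 != expected["m2"]:
        problems.append("M2: got %04X, expected %04X" % (m2, expected["m2"]))
    return problems


# Constructed sample "binary" (not a real executable): an MZ header stub
# followed by two copies of the byte values 0..255 (514 bytes in total).
SAMPLE = b"MZ" + bytes(range(256)) * 2


if __name__ == "__main__":
    line = make_validate_line("SAMPLE.EXE", SAMPLE, "10-19-92")
    print(line)
    print("pristine copy:", verify(SAMPLE, parse_validate_line(line)) or "OK")
    # Flip one bit in the middle of the file and check again.
    tampered = SAMPLE[:100] + bytes([SAMPLE[100] ^ 0x80]) + SAMPLE[101:]
    print("tampered copy:", verify(tampered, parse_validate_line(line)))
```

The shape of the check, not the particular checksum, is the point: keep the manifest and the download on separate channels, compare size before anything else, and treat a 16-bit check as protection against transit corruption rather than against an adversary, who would publish a matching manifest alongside a modified file.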