VIRUS-L Digest             Thursday, 4 May 1989        Volume 2 : Issue 106

Today's Topics:

SecureINIT (Mac)
Sentry Program (PC)
Virus Protection Programs for IBM PCs
Virus testing at Social Security Administration
Bouncing Ball Virus (PC)

---------------------------------------------------------------------------

Date: Thu, 04 May 89 10:05:50 EDT
From: Joe McMahon
Subject: SecureINIT (Mac)

I downloaded a copy of this baby from CIS the other day (too bad I
didn't wait for the Clone to get it ... sigh), and I've been fooling
with it a bit on an isolated system.

First, the "documentation" (I hesitate to call it that) is incorrect.
It does not create invisible INIT files. If they were invisible, they
wouldn't work under System 6.0.x anyway (a new feature in 6.0, BTW).
It creates a "SecureINIT" file with its own little icon. There is no
"show me the icon" option at startup.

Most of the things which SecureInit does are on the elementary side,
and can be done (or undone) with a little ResEdit hacking. Making the
files in the System folder locked, making the System folder invisible,
and locking applications are all very simple and no help against
viruses.

The features which allow the automatic removal of "alien" files and
INITs in the System folder are VERY inconvenient. If you customize
this wrong, you will TRASH your system. Yucko. Anything saved in the
System folder (like Word preferences files, etc.) will get clobbered.

The other features (exclusion of applications from other disks,
prevention of switch launches, and a couple others) might be of some
help in preventing invasions, but won't help if you've copied
something nasty onto your startup disk yourself.

There is nothing there to keep viruses from undoing any of the actions
that this INIT takes. All of the "legal" files are stored in resources
in the INIT in plain STR# resources. Let's see, unlock the INIT, add
me to the resource list, and now I'm labelled as an "OK file." Cute.
Since there's no trapping of accesses like Vaccine or GateKeeper,
that's easy.

As a final note, the unimplemented (in the demo version) feature which
puts INITs into the system file ... aack! Don't be messin' with my
System file!

Final recommendation? Run away! Run away! Do NOT use this package,
unless you want a false sense of security and things happening behind
your back.

--- Joe M.

------------------------------

Date: Thu, 04 May 89 10:25:53 EDT
From: Claude Goldman
Subject: Sentry Program (PC)

I have seen several references to the SENTRY program which checks the
boot sector of IBM PCs. I have several questions.

1. What else does it do, if anything?
2. What kind of program is it, i.e. pd, shareware, commercial?
3. How would I get a copy?

------------------------------

Date: Thu, 04 May 89 10:29:20 EDT
From: Claude Goldman
Subject: Virus Protection Programs for IBM PCs

I am trying to put together a list of programs to help IBM PC users at
Brown protect their PCs from viruses. I have found a few pd/shareware
programs in the SIMTEL20 and Lehigh archives. Are there any servers I
can access via mail, messages or ftp I should be looking at?

Programs I have seen so far seem to either do checksums of various
kinds and/or stay in memory to check for attempts to be nasty. The
ones I have found so far that offer at least some protection are:
CHK4BOMB, TRAPDISK, ALERT, CHECKUP, DETECT, FLUSHOT +. Are there
others I should be looking at? Any comments about the value and/or
usefulness of these programs?

------------------------------

Date: Sun, 30-Apr-89 23:48:25 PDT
From: portal!cup.portal.com!garyt@Sun.COM
Subject: Virus testing at Social Security Administration

Lynn McLean (on Homebase) has asked me to forward this message:

Original-Date: 04/28/89 17:19:42
Original-From: LYNN MCLEAN

My co-worker and his colleague in the microcomputer support center at
the Social Security Administration have just finished a review of
anti-virus products.
They tested against 14 viruses (which I helped obtain from a nefarious
member of the Homebase board) and collected over 20 products to
review. The viruses were a subset of Goodwin's collection and,
supposedly, the most common ones.

The results of the review were that none of the products were
effective. The Tracer program (I understand it's been renamed Sentry
and placed in public domain) was able to detect them all, but only if
the system was re-booted every day or so. Most of our network systems
are never re-booted, or booted only every few months, and many of the
test viruses activated after only a few weeks in the system. So it
doesn't do any good to detect a virus a month after it's destroyed the
system. The rest of the products could not even detect half of the
viruses, at any time.

I don't know of any other review that has used any more viruses than
we did, but the results couldn't come out much different if they
included some of the same viruses that we used. I hope this
information is useful to some of the users.

Lynn McLean

[Ed. I think that a list of viruses tested, along with a list of the
test procedures would be of great interest here.]

------------------------------

Date: Thu, 4 May 89 12:44 EDT
From: "David Ward, Computer Support Centre"
Subject: Bouncing Ball Virus (PC)

We appear to have been infected by a virus in two of our teaching
labs. The worst affected lab is used for teaching WordPerfect on
MS-DOS machines with hard drives. About 3/4 of the machines have shown
symptoms but only intermittently so it is hard to tell how serious it
is. It appears as a bouncing ball which moves up and down diagonally
across the screen. We can continue working on the machine with the
bouncing ball but must re-boot to get rid of it.

I have recently joined the VIRUS-L listserver (didn't talk to doctors
before 'cause I wasn't sick) and have been trying to find out as much
as I could about this virus.
My request for help on the PCSUPT listserver generated a few leads
toward getting a program to destroy this virus. One of the best
suggestions was to check the VIRUS-L list. If anyone has more
information on this particular virus, please contact me.

The limit on downloads from the VIRUS-L listserver proved to be a
source of delay yesterday (like the accident victim whose dipstick
shows blood down four pints -- 'Sorry sir, the limit is one pint per
day! Have to control the vampires you know.'). Perhaps some mechanism
could be set up for bypassing this limit for those with urgent needs.

- ----------------------------------------------------------------------
David Ward                        BITNET: WARD@SENECA
Computer Support Center
Seneca College                    PHONE: 416-491-5050 x2620
Toronto (home of the Boo-Jays)
- ----------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253