Return-Path: Received: from csmes.ncsl.nist.gov ([129.6.54.2]) by first.org (4.1/NIST) id AA16295; Wed, 28 Oct 92 15:56:37 EST Posted-Date: Wed, 28 Oct 1992 15:37:40 -0500 Received-Date: Wed, 28 Oct 92 15:56:37 EST Errors-To: krvw@cert.org Received: from Fidoii.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm)) id AA00361; Wed, 28 Oct 92 15:51:06 EST Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA26417 (5.65c/IDA-1.4.4); Wed, 28 Oct 1992 15:37:40 -0500 Date: Wed, 28 Oct 1992 15:37:40 -0500 Message-Id: <9210281923.AA20912@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V5 #169 Status: R VIRUS-L Digest Wednesday, 28 Oct 1992 Volume 5 : Issue 169 Today's Topics: Re: Flip (PC) Re: KEY Press virus & McAfee v97 (PC) VCL? (PC) Re: Request info on FORM (PC) Re: SCAN 95b doesn't find MtE in EXE files (PC) Need PC Anti-Virus Comparison (PC) Checking high memory with VSCAN (PC) MBR Viruses and FDISK /MBR (PC) Infection density (was: SCAN 95b doesn't...) (PC) Damage from Stoned and FORM (PC); Comment on Recent Postings McAfee Scan and F-prot (PC) MtE ?? (PC) Re: V-Sign virus struck again!!!!!!!!!! (PC) Re: VirusCURE impressions (PC) strange trojan... (PC) files truncated (PC) Virus Demo? (PC) Re: Key Press Virus & scan97 again (PC) Re: WSCANV97 will not work in OS/2 (OS/2) Questions about the "Batman Virus" (Atari ST) Call for Papers - 6th Computer Security & Virus Conf. VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 27 Oct 92 08:04:26 -0500 >From: "David M. Chess" Subject: Re: Flip (PC) > From: Ron_V.d.rest@f307.n310.z9.virnet.bad.se (Ron V.d.rest) > Systems infected FLIP may experience file allocation errors resulting > in file linkage error. Really? Does anyone know of any evidence for this, or is it just a quote from some commercial virus info list? I don't recall ever seeing this in a FLIP infection, or seeing any code in the virus that would cause this. A few publicly-available virus lists make this claim for every third or fourth virus, and I've always wondered why. Does anyone know any technical reason this should occur? DC ------------------------------ Date: 27 Oct 92 13:04:44 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: KEY Press virus & McAfee v97 (PC) 739chan1@gw.wmich.edu (LEMMING) writes: > I am also getting some discrepencies about the Keypress virus. > Running Scan97 on a sample of the virus, it reported that the file was > infected 3 times. (i.e. The message "Found Keypress Virus..." appeared > 3 times.) This was reported again on a variant as well as some other > files I tested with the same virus. I know that the files have been > infected only once. I can confirm this. The scanning engine of SCAN has a minor bug - it does not always stop scanning after a virus is found, so it can report more than one virus in the file, if more than one scan signature is found. This would be correct, if it used to scan the entire file - because then it would be able to detect ALL viruses that are eventually present in it. However, SCAN uses a method, known as top-and-tail scanning - it scans part of the beginning of the file, part of the end of the file, and part of the file after the entry point. The general idea is that normally a virus wants to get control as soon as the file is executed, so it should intercept the control at one of these three places... Unfortunately, this is not always the case, which explains why SCAN does not detect Commander Bomber infections reliably - the virus can reside just anywhere in the file and control is transferred to it in a non-trivial way... Well, in the particular case of the Keypress virus, it seems that SCAN contains a scan string for it, which is encountered up to three times in the virus. The bug mentioned above (that scanning does not always stop after the first virus is found), makes the scanner report the virus three times when only one virus is present in the file. In fact, it seems that SCAN 97 always reports most of the Keypress variants three times in the infected EXE files and two times in the infected COM files. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 27 Oct 92 09:01:29 -0600 >From: bsw5148@zeus.tamu.edu (WADSWORTH, BRANDON SCOTT) Subject: VCL? (PC) Could someone out there explain what VCL is. I keep seeing it listed in several places. Thanks from the newcomers around this place. =:-Q Brandon Scott Wadsworth bsw5148@zeus.tamu.edu ------------------------------ Date: 27 Oct 92 14:54:30 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Request info on FORM (PC) gscobie@castle.edinburgh.ac.uk (G J Scobie) writes: > > 3) OK, I give up, here's the answer: On 24th of every month the virus > > makes the keys on the keyboard to "click" when you press them. > We have had the FORM virus in a big way around the University this > year. I have no idea why this virus should become so widespread but > there have been previous reports on this board concerned with an > apparent increase in the number of sightings this year. There is some strong suspicion that a large diskette producing company has shipped a large batch of pre-formatted diskettes, infected with this virus. I would strongly advise anyone who is buying pre-formatted diskettes, to open a package at random, to select one diskette at random, to WRITE-PROTECT it (this is important!), and to scan it. If it happens to be infected, PLEASE DO NOT USE ANY OTHER DISKETTE from the package. Send the whole package (if possible - accompanied with another one, without the shrink wrap removed) to an anti-virus researcher. > The version we have here triggers on the 18th of the month. Students It is possible that somebody has re-compiled a disassembly of the virus and has forgot to put a ".radix 16" directive. Note that 24 decimal is the same as 18 hexadecimal. > have reported corrupt files on their floppies though this only seems > to happen if the disk was nearly full before the infection took place. Yes, this can happen. The virus stores a copy of the original boot sector on the last sector of the disk. If this sector happens to be occupied by a file, this file will be damaged. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 27 Oct 92 15:04:28 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: SCAN 95b doesn't find MtE in EXE files (PC) mcafee@netcom.com (McAfee Associates) writes: > VIRUSCAN Version 97 was released on the evening of Friday, October 16, > so your preliminary testing of VIRUSCAN did not involve the most > latest version of SCAN available. Version 95-B was released on August When the preliminary tests were done, the latest available version of SCAN was 95b. Since the results were alarming, I decided that it is my duty to inform the users about a particular deficency in the then latest version of the product. Even if a newer version of the product were available (which it wasn't then), and even if it were able to detect the MtE-based viruses reliably (which it still isn't, see below), my message would alarm the users to urgently upgrade to the newer version. I still think that there is nothing incorrect in what I have done. > .EXE-infecting viruses based on the Dark Avenger Mutation Engine. > Naturally, it is included in the current release of SCAN. Naturally. I downloaded the newest (still newest, as I am typing this message) version of SCAN - version 97, just two days after I have posted the message. I received an announcement from Simtel20 that it is available the day before, but our ftp connection was out of order. Anyway, as soon as it was physically possible for us, I downloaded the newest version. In fact, parts of the package were still downloading, when one of our students took SCAN 97 and repeated the test with this version. I posted the results as soon as they were available. The results are rather poor - they clearly show that version 97 of SCAN is not able to detect reliably ANY of the MtE-based viruses too. I have proven this to you, by sending you a batch of examples that SCAN 97 was unable to detect. I have also offered to help you fixing the problem and even suggested an easy solution for the other 284 missed samples. What do you want more? > I can understand your desire to provide the readers of comp.virus with > timely, accurate information about the efficacy of different anti-viral > packages, however, posting one message decrying the deficiencies of > one brand of software with an endnote about other packages sounds less > like a genuine attempt at impartial research and more like alarmist scare > tactics, or even worse, marketing :-) It's very strange to see the above posted by someone from McAfee Associates... Even if we don't pay attention to the fact that it does not correspond to the truth (as I explained above), I still remember an article posted somewhere (maybe even here), which described how McAfee Associates sponsored a particular set of anti-virus product evaluations and insisted that only old versions of the scanners of their main competitors were tested. > I note that several other anti-viral > packages such as NAV, CPAV, Untouchable, Novi are not mentioned at all. I don't have a copy of Novi. And, unlike your product, all the products mentioned above are not shareware - they are all commercial, so I obviously cannot easily get the latest versions as quickly as with your product. Besides, I am only a human and cannot do everything at once. In fact, the MtE tests even of your product were made possible mainly because two visiting students from Rostok spent a lot of time to generate 16,000 naturally infected samples (do you understand what all this means, having in mind that some of the MtE-based viruses infect only 2-3 samples in the current directory and do not go resident?), and one of our students urgently ran two tests (with version 95b and 97 of SCAN) and summarized the results... I -will- publish MtE detection data for 17 scanners, each of which claims (like yours) that it is able to detect all MtE-based viruses with 100% reliability... As I said, I don't know about Novi, because I don't have it, but NAV 2.1, CPAV 1.3, and UTScan 23.00.12 (the scanner part of the Untouchable, since Untouchable is mainly an integrity-based product) all failed the test - just like SCAN 97, they turned out to be unable to detect all MtE-based viruses used during the test reliably. > In any case, I would strongly suggest that you complete your research in > the future before posting incomplete results. I am doing my best to provide the most complete data possible to the users. So does the rest of the VTC-Hamburg. What has been observed in SCAN 95b was a BUG, that's why I was precipitated to publish the information about it. Or do you want to hide from your users that a particular (even if not the latest) version of your program is buggy and provides a false sense of security? I will post the complete summary of the tests when it is ready. Meanwhile, the results for SCAN 97 are ready and I already posted them. They do not speak well for SCAN's ability to detect the MtE-based viruses - NONE of them was detected reliably. [Moderator's note: Gentlemen, please keep any follow-ups civil, or else take them off-line.] Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Tue, 27 Oct 92 07:07:00 -0700 >From: cup.portal.com!amc%portal@uunet.UU.NET Subject: Need PC Anti-Virus Comparison (PC) I would like to post a request for information and experiences with commercial PC Anti-Virus hunter/killer software that are available as a site license product. Also, I would like a referal to any performance comparisons of various anti-virus systems without regard to the above. Can you help me? Regards, Alan Crawley [Moderator's note: You might want to take a look at the independent reviews by Chris McDonald and Rob Slade, available by anonymous FTP on cert.org (192.88.209.5) in pub/virus-l/docs/reviews] ------------------------------ Date: Tue, 27 Oct 92 17:53:09 +0000 >From: rcoenen@phonon.uwaterloo.ca (Rob Coenen) Subject: Checking high memory with VSCAN (PC) When I use VSACN and specify the /CKHIGH (I think) option to check high memory I notice it only checks the first 1 Meg of memory. (I have 4 Megs) Is it unnessesary to check the rest or is something wrong? Rob Coenen. rcoenen@phonon.uwaterloo.ca My .sig isn't back from the cleaners yet. ------------------------------ Date: Tue, 27 Oct 92 13:31:48 -0500 >From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: MBR Viruses and FDISK /MBR (PC) gscobie@castle.edinburgh.ac.uk (G J Scobie) writes: >Is there a list of which boot sector viruses can be disinfected from a >hard disk using FDISK /MBR? Not per se, but *almost* any disk infected with an MBR virus that can be properly cold booted with a floppy is a likely candidate. All of those that meet the above criteria which I know of can. (was that English ?) >Will FDISK /MBR work for them all or are there any interesting "gotchas" >using this method? An easy test is to boot from a floppy and first use the *documented* DOS 5.0 command "UNFORMAT/PARTN/TEST/L" & do a reasonableness test on the result. If it looks good, try FDISK /MBR. A "plain vanilla" disk should report a DOS12 or DOS 16 Boot starting on cyl 0 Head 1 Sector 1. Since FDISK /MBR simply replaces the MBR code and does not touch the partition table, even if it does not cure the problem, it is *usually* safe to use. My FixMBR combines features to a large extent with the addition of being able to "walk the disk" if a good partition table is not found in sector 1 and will install the *FreeWare* SafeMBR code if requested. In addition it is compatable with DOS 2.0 up, allows saving the original MBR "just in case", and asks for confirmation before making any changes. chess@watson.ibm.com (David M. Chess) writes: >As long as your copyright notice says that you've >reserved all rights to yourself, no one who works for a company that >has lawyers is going to be able to make a copy of it Well I do not work under grants from anyone (except my wife 8*) nor do I have any equipment supplied by either not-for-profits or a university. (offers to change this condition are welcome 8*). For that as for other reasons (my wife again), I do "reserve rights" to my original work. However, of the elements contained in the FixUtils, only two (FixMBR and FixFBR) are ShareWare, other utilities are all FreeWare including the new MBR/DBR code which is written by FixMBR/FixDBR. This is *not* public domain, however for many individuals the postage would be higher than the registration fee. Since none use scanning, there is no need for periodic updates. For that matter the .DOCs contain all of the information necessary for a agile mind to duplicate my work (the .DOCs are larger than the programs). For any lawyers concerned about this there are two alternatives: 1) Shareware automatically has a "30 day free trial" 2) Send me a "no-cost-30 day evaluation PO" *with* a SASE & I'll return it forthwith (fifthwith even). The address in in the .DOCs. Warmly, Padgett ps according to the IRS, my anti-virus work is *definately* a hobby. ------------------------------ Date: Tue, 27 Oct 92 14:03:22 -0500 >From: "David M. Chess" Subject: Infection density (was: SCAN 95b doesn't...) (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes in passing: > The missed samples occur relatively often - a set of 2,000 files is > not very large and is what the average user normally has on his/her > disk. (Just for comparison - I have ~15,000 files on my hard disk.) > Therefore, in a case of a serious infection (when the virus has > infected most files on the disk), SCAN 97 is likely to miss at least > one of the infected files, which is likely to cause re-infection. I'd like to start a brief tangent on the question of how many files are generally infected in a file-infector incident. Does anyone have any interesting experience of insights to share? Some viruses, of course, spread much faster than others; the DIR II infects whole directories at once, the Dark Avenger can spread very fast if you GREP a bunch of executables, and so on. But from my experience, I have the general impression that in a typical 1813 incident (say) the number of infected files on a single machine is under 100. Even a Dark Avenger incident is usually about that size, with the obvious occasional severe exceptions. Does that sound reasonable or unreasonable to anyone? (This isn't intended as a disagreement with Vesselin; his words just struck the thought in my mind, and I thought I'd ask...) DC ------------------------------ Date: Tue, 27 Oct 92 14:16:17 -0500 >From: "William Walker C60223 x4570" Subject: Damage from Stoned and FORM (PC); Comment on Recent Postings >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) > ACDPAUL@vm.uoguelph.ca (Paul D. Bradshaw) writes: > > ... But, when I try to disinfect a disk infected with michaelangelo > > with the command Clean [stoned] it butchers the boot sector. > Could you please provide some more information. I had very strong > reports that Clean destroys the boot sectors of the 1.2 Mb diskettes > infected with Michelangelo, when it tries to disinfect them. However, > I was unable to reproduce the problem. I see from your message that > you have used indeed a 1.2 Mb diskette, so obviously you are observing > the same problem. Could you please repeat your experiments with a 360 > Kb diskette (Michelangelo does not infect 720 Kb diskettes and damages > 1.44 Mb diskettes)? "Stoned" and "Michelangelo" both relocate the original boot sector to Side 1 Sector 3 on a floppy diskette. On 1.2 MB and 1.44 MB diskettes, this is Sector 3 of the root directory (directory entries for files 33-48). If the diskette has more than 32 files on it, the entries for files 33-48 will get wiped out, and files 49-224 will not be accessible by DOS. Also, a small number of files with strange names may appear, depending on the contents of the boot sector (this is a result of DOS trying to interpret the boot sector code as directory entries). Now, if files in excess of 32 are written to the diskette, their entries will be written over the misplaced boot sector code. Then, if the diskette is disinfected, the boot sector will get trashed, or more correctly, has already been trashed. I have seen this happen a number of times, and have had to recover the damage. This might be the problem that Mr. Bradshaw is having. >From: G J Scobie > We have had the FORM virus in a big way around the University this > year. ... The version we have here triggers on the 18th of the month. > Students have reported corrupt files on their floppies though this only > seems to happen if the disk was nearly full before the infection took > place. The sample of Form that I have is the variant that triggers on the 18th of the month. When it infects a 360 KB floppy (I haven't tried it with other densities), it allocates Cluster 34 (Sectors 76 and 77) to itself and marks it as a bad block. It may be possible that, if Cluster 34 is in use, the file which used it would then be damaged. However, if the virus tries searching for an available cluster and the diskette was full or nearly full, it could be possible that the virus would go ahead and grab a used cluster. I haven't tested it enough to see how it infects under these circumstances, but perhaps this is enough to be of use to you. <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> Now for something completely different ... Ken (our fearless moderator) has said of VIRUS-L: > Contributions should be relevant, concise, POLITE, etc. [my emphasis] and > It is not a place ... to flame other subscribers. However, a recent exchange between two otherwise professional subscribers seemed more like an unmerited mutual bashing contest than a series of "relevant, concise, polite" contributions. Aryeh Goretsky really pounced upon Vesselin Bontchev for using an older version of McAfee's ViruScan (version 95B) in preparing his review, so his testing "did not involve the most latest version of SCAN available" (version 97, released on 16 October 1992). However, Mr. Bontchev's testing was conducted before this version was released, as evidenced by the fact that his posting was dated 16 October 1992. Therefore, his testing DID INDEED involve the "most latest" [sic] version available. Further, Mr. Bontchev replied to his own posting, indicating that he had obtained and was testing version 97. So Mr. Goretsky's attack was, in this respect, unwarranted (in my opinion). On the other hand, I agree with Mr. Goretsky that Mr. Bontchev (or anyone for that matter) should complete any testing before posting results. Also, Mr. Bontchev's posting seemed to me (as well as Mr. Goretsky) to specifically slam ViruScan. An independent review should test all products equally, then objectively report the results against each other or against some fixed rating. It should also include the specific version tested (which Mr. Bontchev did, BTW), especially considering how rapidly anti-viral programs are updated. This, as well as other, similar exchanges, has caused VIRUS-L, a discussion list I consider very valuable, to become increasingly irritating to read. While there may be times that people need to speak out against something (e.g. Virus Simulator or CPAV's causing false positives), please keep the heat down and the professionalism up. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | This .signature does NOT contain Arnold Engineering Development Center | a stealth .signature virus! 1103 Avenue B | Arnold Air Force Base, TN 37389-1200 | ------------------------------ Date: Tue, 27 Oct 92 14:57:38 -0500 >From: Edward Rosales Bella Subject: McAfee Scan and F-prot (PC) I was just wondering which is the prefered virus scanner. What are the pros and cons of both. Also, are there any problems with running the TSRs such as Vshield and then scanning with F-Prot or vise versa with VirStop and scanning with scan. Send e-mail to: eb2b@andrew.cmu.edu or post them. Thanks, Ed ------------------------------ Date: Tue, 27 Oct 92 15:23:58 -0500 >From: A.J. Subject: MtE ?? (PC) Can anyone tell me What in the world MtE stand for and give more info... -aj. ------------------------------ Date: 27 Oct 92 22:00:28 +0000 >From: frisk@complex.is (Fridrik Skulason) Subject: Re: V-Sign virus struck again!!!!!!!!!! (PC) VXC15931@VAX1.Mankato.MSUS.EDU writes: >At this moment, my PC is also infected with V-sign. I tried to use >F-Prot 2-05a to remove the infection but all I'm getting is this >message: > Master Boot Sector Infection: V-Sign !! > This version of F-Prot cannot remove the virus! V-sign disinfection was added later - 2.05a could only detect it, not remove. The next version to be released should do the trick - but for now I guess the "FDISK /MBR" disinfection method is the best way to get rid of it. - -frisk ------------------------------ Date: Tue, 27 Oct 92 20:37:26 -0500 >From: FESQUIVE@ucrvm2.bitnet Subject: Re: VirusCURE impressions (PC) c_w@lawton.lonestar.org (Carl Wilson) writes: > I just purchased VirusCURE PLUS ver 2.37 severial days ago. Is this > considered a good virus detect/cure package? I just started a BBS > here about a week ago, and severial of the other boards have been > trashed by ANSI bombs and the like. I need some real security! Hi Carl. I'm a VirusCURE 2.37 user and I have some impressions about it: Maybe I haven't tested many a_v products (just McAfee's ViruScan, Fridrik's F-PROT, CPAV 1.0, AntiKot, etc.). VirusCure is the only product that is able to deactivate a living memory-resident virus. I got 15 (holy-few) viruses and I had tested VirusCure against all of them and got good results. By the way, VirusCure fails on disinfection of even well known viruses, like Ping-Pong, but it's not a frequent symptom. It just could be a bug. Documentation says VirusCure is developed together with John McAfee, however IMSI doesn't release a new version since February or March... I just trust on those products that update very frequently. Hope this helps, Fabio Esquivel - fesquive@ucrvm2.bitnet San Jose, Costa Rica. ------------------------------ Date: Tue, 27 Oct 92 21:50:35 -0500 >From: ice-t@chezrob.pinetree.org (Glen Martin) Subject: strange trojan... (PC) It seems that I have some sort of problem here. I was running my 386-40 and all of a sudden I heard my hard drive stop. O.k. fine. I rebooted, it happened again. It started up in a second but it kept happening. When I rebooted, my memory-manager wouldn't load, so i made a boot disk and when I scanned my HD using Norton Anti-Virus 2.0 it said it had a couple of files with possible viruses. But knowing the way Norton scans, I tried McAffee scan and it gave me nothing. I deleted the files but I'm not sure if I should still be worried. Does this sound like a virus or just a disk error? - --- Glen Martin - ice-t@chezrob.pinetree.org C.R.I.M.E. BBS - (Chez Rob's Int'l Mail Exchange) 613/230-5307 (data) ------------------------------ Date: Wed, 28 Oct 92 08:05:04 +0000 >From: hoens@gmd.de (Guenter Hoens) Subject: files truncated (PC) I found some files (.pk files for emtex) truncated to exactly 2048 bytes. do you think, that the reason was a virus, or do you think, that there might be an error in emtex? - -- - ----------------------------------------------------------------- * Guenter Hoens, GMD - I8, * German National Research Center for Computer Science * hoens@gmd.de (02241) 14-2408 ------------------------------ Date: 28 Oct 92 09:29:36 +0000 >From: j.laidman@cowan.edu.au Subject: Virus Demo? (PC) A while ago I saw a program that showed the behaviour of a number of viruses. I'd like to get a copy if this, if possible. Can anyone point me in the right direction? Thanks - --------------------------------------------------------------------- Jeremy Laidman, Computer Support Officer Department of Computer Science Phone: (61 9) 370 6648 Edith Cowan University Fax: (61 9) 370 2910 Perth, Western Australia j.laidman@cowan.edu.au - --------------------------------------------------------------------- ------------------------------ Date: Wed, 28 Oct 92 08:56:07 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: Key Press Virus & scan97 again (PC) Hullo again, Kevin, 10666281@eng2.eng.monash.edu.au (KEVIN PRATER) writes: <...use/installation of CLEAN and VSHIELD V97 deleted...> >My hard disk was cleaned with the last key press going with >whereis.exe as clean could not remove it. Two days later I used norton It could be that the WHEREIS.EXE file was damaged. It is always possible for even the most benign computer virus to cause damage by incorrectly infecting a file, either due to bugs in its own code or conflicts with other programs on the system. >disk doctor V5 to have vsheild cut in and say that the file was >infected and could not run it. So I powered down, rebooted and Hmm.. have you run CLEAN against your hard disk with the /A switch? If so, then there could be a remnant of code at the end of the file between the true end of the file, expressed in bytes, and the space allocated for the file on the disk, expressed in clusters. If a file does not fill up the entire last cluster, then DOS pads it with garbage from memory--which could be a segment of viral code. This should not cause problems with VSHIELD, however. In any case, try defragmenting the disk with a disk optimizing program or running the WIPEFILE or WIPEINFO program from Norton (can't remember which one is included with Norton 5.0) with the option used to erase the "slack" space at the end of the file--BE VERY CAREFUL with this as you can erase everything on your hard disk if you do not use the right switch. <...deleted for brevity...> >And it's not a false alarm as if I run any other program after the exe, it >also gets infected but scan97 does find and remove this. It almost seems >that the virus is dorment and hidden in disk doctor and is activated on >running the exe. Interesting. That pretty much rules out my comments above about defragging the disk. I would guess, then, that you (1) have a variant of the virus; (2) have an .EXE file with an unusual structure [which doesn't account for why SCAN and CLEAN missed it]; (3) didn't run CLEAN with the /A switch the first time around and NDD is loading as an overlay some file that was skipped; or (4) SCAN & CLEAN are broken [unlikely, given that VSHIELD's working]. <...deleted for brevity...> >Has anyone had a similar virus? <...rest of message deleted...> Nope. If you've tried the above and are still having problems, please contact me by email and we'll see can be done to get the virus off of your PC once and for all. Regards, Aryeh Goretsky Technical Support - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - McAfee Associates, Inc. | Voice (408) 988-3832 | INTERNET: 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | mcafee@netcom.COM Santa Clara, California | BBS (408) 988-4004 | CompuServe ID: 76702,1714 95054-3107 USA | USR HST Courier DS | or GO MCAFEE Support for SENTRY/SCAN/NETSCAN/VSHIELD/CLEAN/WSCAN/NETSHIELD/TARGET/CONFIG MGR ------------------------------ Date: 27 Oct 92 18:59:26 +0000 >From: pickrell@hoss.unl.edu (Andrew Pickrell) Subject: Re: WSCANV97 will not work in OS/2 (OS/2) nkolte@daimi.aau.dk (Nikolaj Kolte) writes: >I recently got the McFee Scanv97 for Windows. I'm running OS/2, but >when I want to run WSCAN I get the message that I cann't run the >program in a WINOS2 session..... >Any sugestions... >Nikolaj Try scan_os2. It is currently in beta. Version 97 is on ftp-os2.nmsu.edu in the pub/uploads directory. - -- =========================================================================== Andrew Pickrell | My opinions are my own, UNL Dept. of Chemical Engineering | but they could be yours too EMail :pickrell@hoss.unl.edu | for the low price of 5 bucks... ------------------------------ Date: Tue, 27 Oct 92 05:38:24 -0500 >From: Trantor The Last Stormtrooper Subject: Questions about the "Batman Virus" (Atari ST) Usually the Atari ST requires the bootsector to have a checksum of $1234, if the bootsector is to be able to execute. This includes Viruses, Virus Protectors, Games Disks etc. There is a(UK Computer Mag), it can execute without having the neccessary checksum! it can execute without the bootsector having the neccessary checksum How is this possible? If it is possible, how is it done? ------------------------------ Date: Tue, 27 Oct 92 18:33:51 -0800 >From: Judy S. Brand Subject: Call for Papers - 6th Computer Security & Virus Conf. SIXTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE and Exposition sponsored by DPMA Fin.Ind.Chapter in cooperation with ACM-SIGSAC, BCS, CMA, COS, EDPAAph, ISSAny, NUInypc, IEEE Computer Society C A L L F O R P A P E R S Approximately 500 attendees will hear 90 speakers and 53 vendors over 3 days Wednesday thru Friday - March 10-12, 1993 - New York Ramada Madison Square YOUR AUDIENCE: Past attendees have represented industry, military government, forensic and academic settings - creators and users of related software and hardware. They travel from U.S. and many international locations and have titles such as MIS Director, Security Analyst, Operations Manager, Investigator, Programming Leader TOPICS OF INTEREST INCLUDE (but are not limited to): - prevention, detection, and recovery from viruses, crackers, and other unauthorized usage - oritinal research in these and related topics - survey of products and techniques available - particulars of LSN, UNIX, cryptography, military use - Computer crime, law, data liability, related contexts = US/international sharing of research & techniques - case studies of mainframe, pc &/or network security, e.g., - 1992 hurricane, flood, fire disaster recovery - recent court decisions - security implementation and user awareness in industry PAPER SUBMISSION: Send a draft final paper for receipt by Wednesday, 11/11/92. Address to Judy Brand, Conference Chair, box 6313 FDR Station, New York, NY 10150, USA. Please include a small photo and introductory bio not exceeding 50 words. Successful submittors or co-authors are expected to present in person. Presenters receive the Conference Proceedings and complimentary admission. PAPER FORMAT: Send one original and three copies. When making the copies, please cover over the author name(s) and other identifying data. Each paper goes to three revieweers. Type double spaced, with page# below bottom line (may be handwritten): TITLE (caps); Name; Position, Affiliation; Telephone, City/State/Zip, Electronic Address (optional). NOTIFICATION: Written and (where practicable) telephoned confirmation will be initiated by Monday, 1/13/93, to facilitate low cost travel. Those needing earlier notification should attach a note. You may be asked to perform specific revisions to be accepted. Nobody can guarantee you a place without an acceptable paper. AT THE CONFERENCE: There are five tracks. Time your presentation to last 40 minutes and have clear relation to your paper. A committee member will preside over your assigned room and adhere to schedule. Don't hesitate to submit a presentation you've given elsewhere to a more specialized audience. Most attendees will find it new - and necessary. On-site schedule is duplicated early on first day. If you may have a work emergency you can reschedule or substitute your co-author. ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 169] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253