VIRUS-L Digest   Tuesday, 5 Nov 1991    Volume 4 : Issue 210

Today's Topics:

VIRUS WARNING - Form Virus on Demo Disk (PC)
from fidonet: listing of conferences re computer security
Gosia false positive (PC)
Re: Hardware forever!
"Stoned" virus information sought
Re: UNIX anti-virus program (UNIX)
Re: Scanning inside ZIPPED files (PC)
Re: NCSA (Was: Request for standards)
Re: Can I Load FPROT's VIRSTOP High? (PC)
Re: question about viruses (UNIX) (PC)
Re: Request for Standards
Re: Organ music/black monitor-Mac (Mac)
Re: nVIR question (Mac)
F-PROT 2.01 is available (PC)
Change detection

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 04 Nov 91 13:27:29 -0700
From:    John Kida (Vienna)
Subject: VIRUS WARNING - Form Virus on Demo Disk (PC)

VIRUS WARNING !!!!!!!!!!!!!!!!!!!!!

FORM VIRUS shipped on DEMO DISK by company.

Source:              Software Perspectives, Toronto, Canada, (416) 481-1355
                     Demo rec'd in mail from company.
Program / DEMO name: The Clip/++ Extension for Clipper, copyright 1991
Media:               5.25 DS/DD

This virus will infect hard drive boot sectors and display a profane message. An infected system will make a clicking noise on the 24th of every month.

CLEANUP (removal) is done by following the steps needed to remove a boot sector virus.
They are:

  1. Boot from a CLEAN, write-protected MS-DOS disk.
  2. Issue the MS-DOS "SYS X:" command.
  3. Remove the boot disk.
  4. COLD boot the CPU.
  5. Test for virus.
  6. If clean, count your blessings...

------------------------------

Date:    Sun, 03 Nov 91 08:06:00 -0500
From:    HAYES@urvax.urich.edu
Subject: from fidonet: listing of conferences re computer security

Forwarded from the FidoNet Virus Conference.

- ---------- begin forwarded message ---

From:      Paul Ferguson
Submitted: 01 Nov 91 17:02:00
Subject:   Events 1/5
Status:    Public
Received:  No
Group:     VIRUS (30)

* Crossposted in FidoNet VIRUS Conference
* Crossposted in FidoNet VIRUS_INFO Conference

The following information is presented for your information. I pulled it off of the National Institute of Standards and Technology (NIST) BBS yesterday...

-Paul

Last update: 10/30/91

COMPUTER SECURITY EVENTS CALENDAR

This file contains a list of upcoming computer security events. Because of the nature of this material and how it is obtained, it is impossible to include every event. The absence or inclusion of any particular event does not imply criticism or endorsement by the National Institute of Standards and Technology or the sysop. If you know of computer security events that are not listed, please send the conference/course literature to the following:

Marianne Swanson
National Institute of Standards and Technology
Room A-216, Bldg.
225
Gaithersburg, MD 20899

- -----

DATE:     10/30/91
LOCATION: Westminster, London
SPONSOR:  Elsevier Technology
TITLE:    Compsec 91'
CONTACT:  Kay Russell
ADDRESS:  Mayfield House, 256 Banbury, Oxford OX 2 7DH, UK
PHONE:    44 0 865512242

DATE:     11/04/91
LOCATION: Shepherdstown, WV
SPONSOR:  IFIP
TITLE:    5th IFIP WG 11.3 Working Conference on Database Security
CONTACT:  Sushil Jajodia, GMU
ADDRESS:  4400 University Dr., SW Fairfax, VA 22030-4444
PHONE:    (703)764-6192

DATE:     11/11/91
LOCATION: Miami, FL
SPONSOR:  CSI
TITLE:    18th Annual Computer Security Conference & Exhibition
CONTACT:  Computer Security Institute
ADDRESS:  600 Harrison Street, San Francisco, CA 94107
PHONE:    (415)905-2626

DATE:     11/11/91
LOCATION: Miami, FL
SPONSOR:  CS Institute
TITLE:    18th Annual Computer Security Conference & Nat'l Exhibition
CONTACT:  CSI Conference Registration
ADDRESS:  17300 SW Upper Boones Ferry RD, Portland, OR 97224
PHONE:    (503) 624-2118

DATE:     11/14/91
LOCATION: Washington, DC
SPONSOR:  Amer. Tech. Assoc.
TITLE:    Surveillance Expo '91
CONTACT:  Marilyn Roseberry
ADDRESS:  PO Box 20254, Washington, DC 20041
PHONE:    (800) 873-3284

DATE:     11/18/91
LOCATION: Gaithersburg, MD
SPONSOR:  ACM
TITLE:    Computer Security Awareness Seminar
CONTACT:  Chuck Dinkel
ADDRESS:  NIST, Bldg. 225/A216, Gaithersburg, MD 20899
PHONE:    (301) 975-3367

DATE:     11/20/91
LOCATION: Paris, France
SPONSOR:  EDP
TITLE:    6th European Conference on Information Systems Security.
CONTACT:  Conference Department
ADDRESS:  P.O. Box 88180, Carol Streams, IL 60188-0180
PHONE:    (708)682-1200

DATE:     11/25/91
LOCATION: Washington, DC
SPONSOR:  append
TITLE:    Anti-Virus Product Developers Conference
CONTACT:  NCSA Administrative Office
ADDRESS:  227 W. Main St., Mechanicsburg, PA 17055
PHONE:    (717) 258-1816

DATE:     12/02/91
LOCATION: San Antonio, TX
SPONSOR:
TITLE:    7th Annual Computer Security Applications Conference
CONTACT:  Dr. Ronald Gove
ADDRESS:  4330 East-West Highway, Bethesda, MD 20814
PHONE:    (301)951-2395

DATE:     12/04/91
LOCATION: California
SPONSOR:  SRI International
TITLE:    ACM SIGSOFT '91 Conference on Software for Critical Systems
CONTACT:  Mark Moriconi, SRI Int'l.
ADDRESS:  333 Ravenswood Ave., Menlo Park, CA 94025
PHONE:    @csl.sri.com

DATE:     03/18/92
LOCATION: Washington, DC
SPONSOR:  ACM
TITLE:    The 2nd Conference on Computers, Freedom and Privacy
CONTACT:  George Washington University
ADDRESS:  2003 G St., Washington, DC 20052
PHONE:    (202) 994-7238

DATE:     03/22/92
LOCATION: Houston, TX
SPONSOR:  ISSA
TITLE:    9th Annual Working Conference for Info. Sec. Professionals
CONTACT:  ISSA
ADDRESS:  PO Box 9457, Newport Beach, CA 92658
PHONE:    (714) 250-ISSA

DATE:     04/27/92
LOCATION: Philadelphia, PA
SPONSOR:  EDP
TITLE:    22nd Computer Audit, Control and Security Conference.
CONTACT:  Conference Department
ADDRESS:  P.O. Box 88180, Carol Streams, IL 60180-0180
PHONE:    (708)682-1200

DATE:     05/04/92
LOCATION: Oakland, CA
SPONSOR:  IEEE
TITLE:    IEEE Symposium on Research in Security and Privacy
CONTACT:  John Mclean
ADDRESS:  Naval Research Lab, Washington, DC 20375
PHONE:    (202)767-3852

DATE:     05/12/92
LOCATION: Ottawa, Ontario
SPONSOR:  Gov. of Canada
TITLE:    1992 4th Annual Canadian Computer Security Symposium
CONTACT:  Canadian System Security Off.
ADDRESS:  PO Box 9703, Terminal, Ottawa, Ontario K1G 3Z4
PHONE:

DATE:     05/27/92
LOCATION: Singapore, China
SPONSOR:  IFIP/SEC 1992
TITLE:    International Conference on Computer Security
CONTACT:  Guy G. Gable
ADDRESS:  Nat'l University of Singapore, Singapore 0511
PHONE:    65772-2864

DATE:     06/15/92
LOCATION: Gaithersburg, MD
SPONSOR:  IEEE, IEEE Aerospace, Electronics Systems Soc.
TITLE:    7th Annual Conference on Computer Assurance
CONTACT:  Robert Ayers
ADDRESS:  2551 Riva Rd., Annapolis, MD 21401
PHONE:    (301) 266-4040

DATE:     06/16/92
LOCATION: Franconia, NH
SPONSOR:  IEEE Computer Soc.
TITLE:    Computer Security Foundations Workshop V
CONTACT:  Leonard J. LaPadula
ADDRESS:  Mitre Corporation, Bedford, MA 01730-0208
PHONE:    (617) 271-3261

DATE:     09/14/92
LOCATION: Sicily, Italy
SPONSOR:  IFIP
TITLE:    3rd Working Conference on Dependable Computing
CONTACT:  Carl Landwehr
ADDRESS:  Naval Research Lab, Washington, DC 20375-5000
PHONE:    (202)767-3381

DATE:     10/13/92
LOCATION: Baltimore, MD
SPONSOR:  NIST & NCSC
TITLE:    15th National Computer Security Conference
CONTACT:  NCS Conference Committee
ADDRESS:  9800 Savage Rd., Fort George G. Meade, MD 20755-6000
PHONE:    (301) 850-0272

DATE:     11/23/92
LOCATION: Toulouse, France
SPONSOR:  AFCET
TITLE:    European Symposium on Research in Computer Security
CONTACT:  Yves Deswarte
ADDRESS:  LAAS-CNRS & INRIA, Toulouse, FRANCE 31077
PHONE:    +33/61336288

- -------------------

Hope some of you find this of interest.

Cheers,
Paul

- ---
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)

- ---------- end forwarded message ---

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA 23173

------------------------------

From:    frisk@complex.is (Fridrik Skulason)
Subject: Gosia false positive (PC)

One of the new viruses listed in the November edition of the Virus Bulletin is named "Gosia". The search pattern provided there is invalid, as it causes a serious false alarm - it can be found in all versions of COMMAND.COM.

Please ignore this pattern. A replacement will be published next month.

- -frisk

------------------------------

Date:    04 Nov 91 15:07:41 +0000
From:    groot@idca.tds.philips.nl (Henk de Groot)
Subject: Re: Hardware forever!

frisk@complex.is (Fridrik Skulason) writes:

>In Message 31 Oct 91 06:27:30 GMT, turtle@darkside.com (Fred Waller) writes:
>> There is NO software defense that's fully reliable.
>Correct.
Incorrect. Exchange your BIOS to include the following processor-start-up *software* (though it's as drastic as the "off switch", it is software :-) ):

1) Disable all interrupts.
2) Redirect the NMI vector to a "reti" instruction.
3) Execute a "Halt" instruction, which stops the processor.

>> There IS hardware defense that is fully reliable.
>Only the "off switch". :-)
>- -frisk

We have UNIX systems with a software-switch-off function. If an "antiviral" package immediately activates this function, the system will be switched off and cannot be infected. Is this hardware protection? No, because hardware alone cannot do it (it will not switch off by itself). Is this software protection? No, software alone cannot do it (after software triggered the hardware, the hardware will switch the system off).

I don't know any hardware protection boards, but I assume that a board like the "Thunderbyte" board will contain *software* (are there (E)PROMs on it?), and I guess it's the *software* on that board that protects from viruses, not the hardware! (But like I said, I don't know the board.)

I think the power in these applications is that it's a *combination* of hardware and software. Think of what software can do if I had a very fast RISC processor with 80486-emulating software. This emulation software could easily track suspicious activity, but could not be changed by software running on the emulator! This has potential equal to any hardware solution. (Note that your "hardware" CPU is also running a *software* micro-program inside it, and no one is able to change that program with any virus either.)

Henk.

- --
    /  /        Henk de Groot     | Department: PG 9000i - System Services
   /---/ __ __  /  V2/A12-A13     | Internet  : groot@idca.tds.philips.nl
  /   / (-_ / / /( Tel: +31 55 432099 | == PHILIPS INFORMATION SYSTEMS ==

Disclaimer: I only speak for myself, not for my employer!
------------------------------

Date:    04 Nov 91 16:09:56 +0000
From:    birchall@pilot.njin.net (Shag)
Subject: "Stoned" virus information sought

I'm looking for information on the "Stoned" virus. Included:

  How it attaches itself to disks
  How it copies itself (through RAM, etc)
  What it does to the system
  Where it came from
  Likely sources

One of our clients (where I work) thinks they got it from us. Our site is completely virus-free, and we are trying to get a better understanding of the virus so that we can prove that we are not liable (and possibly help them determine who is.)

Please do not reply via follow-up, as I do not read this group frequently.

- -Shag (work phone 609/267/9131)

- --
+----------------------------------------------------------------------+
| Dan "Shag" Birchall, Official Random, NJ Intercampus Network.      +-+
| The NJ Intercampus Network is not responsible for me. They're glad. | |
| For further disclaimers, contact information, and lyrics, finger me.| |
+-+--------------------------------------------------------------------+ |
  +----------------------------------------------------------------------+

------------------------------

Date:    Mon, 04 Nov 91 17:09:53 +0000
From:    bdh@gsbsun.uchicago.edu (Brian D. Howard (CS))
Subject: Re: UNIX anti-virus program (UNIX)

peter@ficc.ferranti.com (Peter da Silva) writes:

>Are there any viruses on UNIX to actually *check* for?

No. But that never stopped nobody from selling.

- --
Dallas, TX  "Where we shoot Presidents and shoot people who shoot Presidents."

------------------------------

Date:    Mon, 04 Nov 91 09:31:12 -0800
From:    Eric_Florack.Wbst311@xerox.com
Subject: Re: Scanning inside ZIPPED files (PC)

In #208, Jeff Johnson asks:

>>Are there any programs which will scan inside of Zipped files?<<

Sure are, Jeff. MacAfee's SCAN is useable (and callable) from inside a program I've been trying called SHEZ. SHEZ will allow you to look inside any format you like: ARC, ZIP, ARJ, PAK, or what have you.
It won't look inside self extractors, but then you knew that, I'd guess.

------------------------------

Date:    04 Nov 91 17:39:47 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: NCSA (Was: Request for standards)

frisk@complex.is (Fridrik Skulason) writes:

> Well, they have been running my scanner against their "collection" for
> some time now - I received a disk full of stuff that I did not detect
> - - most of it for the simple reason that it was not infected, contained
> Trojans, not viruses but there were two new viruses in there.
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^

This is partly why I got so upset... :-) I knew that there is something new there, so I couldn't just drop all the mess and forget about it. No, I had to analyze everything... :-((

> In their latest set they have done quite a bit of "cleaning-up" -
> gotten rid of most of the duplicates, the non standard samples
> (Vienna-infected files, which have been "inoculated" against Jerusalem
> after infection) and so on.

Glad to hear that they do at least this...

> The problem is just that they accept collections of infected (?) files
> from a lot of people, and combine them all, instead of analysing and
> classifying..

Well, this certainly cannot be called research...

> But well, I find this quite useful - after I sort out the "garbage"....

It's, of course, a matter of taste, but is it worth the effort?

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev       Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246   Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Mon, 04 Nov 91 18:03:24 +0000
From:    comb@sol.acs.unt.edu (Eric N. Lipscomb)
Subject: Re: Can I Load FPROT's VIRSTOP High? (PC)

RTRAVSKY@corral.uwyo.edu (Rich Travsky) writes:

>Can I load FPROT 2.0's VIRSTOP high under dos 5.0 (and still have it
>functional)?
>I don't have much in the way of viruses to test with nor
>a machine to dedicate to same.

I've had trouble loading VIRSTOP high under DOS 5. I simply haven't been able to get it to *load* high at all. It loads low and runs fine, but I'm apparently missing something. :) I had a problem with loading VIRSTOP under QEMM v5.13 as well, but that problem has gone away with QEMM 6.0. Loads and runs very nicely now, thank you.

>Rich Travsky rtravsky@corral.uwyo.edu

}lips

- --
Eric N. Lipscomb, Lab/Network Manager    Email: comb@sol.acs.unt.edu
Academic Computing Services                     lips@vaxb.acs.unt.edu
"Golf is something you do to make               lipscomb@cc1.acs.unt.edu
 the rest of your life look good."  -- Phil Baczewski

------------------------------

Date:    04 Nov 91 18:04:09 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: question about viruses (UNIX) (PC)

spaf@cs.purdue.edu (Gene Spafford) writes:

> The only true viruses around for Unix systems are research-oriented.
> Cohen has written some, Duff has written a very well-known one, and
> many other people have written simple examples to describe them.
> However, none of these appear to exist outside isolated research
> machines (if they still exist there).

Hmm, with the amount of personal Unix boxes sold nowadays, I guess that in the near future we'll see at least attempts to spread Unix viruses. For instance viruses that run only on a single Unix platform (e.g., 80386)...

> The topic of Unix viruses has come up again and again at conferences
> and in mailing lists. Many people wonder why we haven't seen any "in
> the wild." The general conclusion is that because of the user
> community, the usual forms of software sharing, and the possible
> motives behind writing viruses, it is extremely unlikely that a virus
> would be written for Unix and spread very far.

This is, of course, true, but the situation is changing, IMHO...
> Any products that *charge money* for scanning for a virus in a Unix
> environment (as opposed to a worm or a trojan horse) is a waste of
> money. You might as well have spend money on a program to warn you
> when a meteorite is about to strike your computer.

Sure. But I have seen advertisements for products that were advertized as anti-virus programs, while in fact they were integrity checkers - they compute checksums. This will, of course, catch viruses as well, but it is also a useful tool for any kind of integrity corruption.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev       Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246   Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    04 Nov 91 18:13:01 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Request for Standards

RUTSTEIN@HWS.BITNET writes:

> I believe the reason that the files were numbered as opposed to named,
> Vesselin, is that they are trying to avoid the problem that seems to
> be cropping up more and more recently: that of different names for the
> same virus in different parts of the world. The NCSA scanner report

Yes, that's true, there is indeed a major naming confusion between the different researchers. When I started to organize the virus collection at the VTC I found a virus present twice even in it! But usually I was able to cope with the different names that the different researchers from whom we get viruses use. This confusion cannot even be compared with the confusion that 1775 unnamed files caused! (Again, I'm speaking only about myself here. Probably the others are cleverer than me.) The files that had nothing to do with viruses (as Fridrik Skulason pointed out) just added more to the confusion... :-(

> in the infected files. The results are interesting, to say the least:
> different scanners called the same file many different names.
Is it interesting? It only confirms the (well-known) name confusion, IMHO...

> Therefore, I believe (I've not talked to Stang about this recently)
> that they are going to hold off putting names on the files at least
> until the anti-virus product developers conference next month. At the

Oh, well, that's good. So we probably got their collection in an unfinished state...

> conference, they are going to try to work out some common names among
> the vendors and researchers present.

Are you aware of the NIST proposal for standard virus naming?

> As for the organization of the "collection", I haven't had to deal
> with it myself...so you may be quite right about the fact that it is

Lucky you... :-)

> unwieldy. I can say, however, that Stang has always been able to pick
> out the virus I needed in a matter of seconds. So, I can only
> infer that it must make sense to someone :).

Oh, I assumed that. Obviously it should make sense to someone. However, if it is supplied to others, it should try to make sense to -most- of the people, IMHO.

> Finally, you commented on the fact that you feel the people at NCSA do
> not have the expertise necessary to reliable and careful testing.
> Once again, you may be right. IMHO, however, the past research

My (personal) opinion was based on the state of the virus collection that we received; I think that I clearly stated that. I continue to think that this state was horrible and that -it- didn't show a good level of expertise in anti-virus research. That's the only reason why I expressed my doubts that the people who call this a "virus collection" are able to test anti-virus products reliably. Imagine a report that says "F-Prot was not able to detect 30 % of the files in our virus collection"... Sure, if they don't contain any viruses... :-)

Anyway, I'm glad to hear that Mr. Stang is improving the state of NCSA's collection.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev       Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN
Tel.:+49-40-54715-224, Fax: -246   Vogt-Koeln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Mon, 04 Nov 91 10:41:11 -0900
From:    "Jo Knox - UAF Academic Computing"
Subject: Re: Organ music/black monitor-Mac (Mac)

flaps@dgp.toronto.edu (Alan J Rosenthal) writes:

>Fran_Holtsberry@msmailgw.csuchico.edu (Fran Holtsberry) writes:
>>We have two systems playing organ music and no monitor response.
>
>I don't know exactly what you mean by "organ music", but if it's a mac II, and
>the sound is something like this: like "do, mi, soh, do", with the last "do"
>being higher than the other notes, with the initial sound the mac makes when
>being turned on somewhere around "la", then this is the normal sound made by a
>mac failing certain hardware tests at power-on. I've experienced this from bad
>memory boards and from memory boards not being seated properly, but I believe
>that there are other possible causes for this particular sound.

The first time I heard this problem was after someone had stolen the 1M SIMMs out of a 5M Mac II (the remaining 256K SIMMs were left in the "high" slots, which won't work for a 1M setup.) I've also heard it from one machine we had in which the SIMMs needed to be reseated about once a month...

jo

------------------------------

Date:    Mon, 04 Nov 91 15:39:33 -0500
From:    Joe McMahon
Subject: Re: nVIR question (Mac)

>My Symantec Anti-Virus program is BROKEN! Its not infected (according
>to Disinfect) but it is reported as "damaged or in an unknown format"
>Does nVIR A do this to SAM intentionally? Or is this coincidence?

Coincidence, because SAM didn't exist when nVIR was written. I would guess that for some reason, you have only a partial infection. Get out your locked backup disk and reload SAM.
Also, make sure that you install the SAM init; sounds like it might not have been running, or that your machine was booted from an untested System disk. Tell anybody who wants to use your Mac that they may, but only if they disinfect their disks first. Leave SAM Virus Clinic running when you go out of the office if you have to.

--- Joe M.

------------------------------

Date:    Mon, 04 Nov 91 19:16:33 +0700
From:    frisk@complex.is (Fridrik Skulason)
Subject: F-PROT 2.01 is available (PC)

Version 2.01 of F-PROT is now available. It is a few days behind schedule, but look at the list of new viruses below, and you see why :-)

The program has been sent out by mail and E-mail, and should be available on the major archive sites (such as Simtel20) now or within a couple of days, but I have just uploaded it myself to oak.oakland.edu (/pub/msdos/trojan-pro).

VIRSTOP.EXE from version 2.00 started to complain on Nov. 1 that it was too old and should be replaced - a minor bug; it should not have done so until Dec. 1. Version 2.01 will start complaining in four months or so.

No major new features were added in 2.01 - it just fixed some bugs in 2.00, and added detection/removal of a lot of new viruses - over 100.

Version 2.01 - corrections:

  The name of the main program was changed from F2.EXE to F-PROT.EXE, as several other programs (including a part of Microsoft's FORTRAN compiler) were already named F2.EXE.

  Some problems regarding user-defined signatures have been fixed.

  A false alarm of a "Whale" infection in the GMOUSE.COM (Genius Mouse driver) and a program named XTRA.COM has been corrected.

  Version 2.00 would not work in interactive mode on a machine with a XGA or a Monochrome MCGA display. This has been corrected.

  Some characters above 128 were corrupted if a report was saved to a file.

  If floppy drives were installed with other identifiers than A: and B:, the program would try to access them on startup, which caused problems if no disk was inserted.
  The "Analysis" function now produces fewer false positives than before, and known false positives are now listed in ANALYSE.DOC.

  The program should now work without problems on Zenith DOS 3.30 PLUS.

  Some variants of the Vacsina virus were occasionally not disinfected correctly - this has been fixed.

  The Amoeba virus was not detected in .COM files with size above a certain length, although it was always stopped by VIRSTOP. Fixed.

Version 2.01 - improvements:

  VIRSTOP.EXE can now be loaded as a device-driver, with a DEVICE= or DEVICEHIGH= command from CONFIG.SYS.

  Two command-line switches were added:

    /NOMEM   skip the initial memory scan. It should only be used if the computer is known to be "clean".
    /USER    scan for user-defined virus patterns.

  The program used to scan subdirectories in "reverse" order - this has now been changed.

  F-PROT.EXE is now distributed in packed (run-time unpacking) form, so that the entire package fits on one 360K diskette after unpacking.

Version 2.01 - new viruses:

The following 89 new viruses (or new variants of old viruses) can be detected and removed with version 2.01:

  864, 1876, Akuku-Copmpl, AT-144, Backtime (Blinker, Joker and Shaker), Big Joke, Bulgarian 123, Cascade 1704-D, CSL (Microelephant), Copyright, DM-400, Eddie-1530, Europe '92, F709, Fake VirX, Gergana (222, 300, 450 and 512), Gosia, Gotcha (A, B and C), Hary Anto, Hey You-928, Hungarian-482, Iron Maiden, Jabberwocky, Jerusalem (4 minor suMsDos variants, Messina, Nemesis, P and B-3), Jerusalem-Frere Jacques-C, Jerusalem-Plastique-4096-D, Jihuu, Kuku, Leningrad (543 and 600), Little Brother, Lozinsky-1018, Milous Minimal-30-B, Mono-1063, MPS-OPC (1.1, 3.1 and 3.2), MSTU, Murphy-Brothers, Old Yankee-Black Wizard, Omega, Path, PC-Flu, Pixel (Polish-457, Polish-550, 897, 899-A, 899-B and 905), Plovdiv (New Bulgarian 800), Polish Color, Polish Minimal-45, Semtex, Seventh son, Spanz, Socha, Something, StinkFoot, SVC-1740, Tony, Traveller, Twin, Vienna (634, 656, 726 and 776 byte
  variants, Violator B/B3), Voronezh-370, W13 (C, 377 and REQ!), Words (1069, 1085, 1387 and 1503), Yankee (1150 and 1202 byte variants)

The following 13 new viruses can now be detected but not removed:

  Best Wishes-970, DIR II, Eddie-Ps!ko, Hero-394, Possessed-2446, Simulate, Squeaker, StinkFoot-2, SVC (5.0 and 6.0), Vacsina-Rybka, Virdem-1542, W13-361

"Variant identification" of the following viruses has been improved:

  Cascade (14 variants), Sentinel (5 variants)

------------------------------

Date:    Fri, 01 Nov 91 23:29:50 -0800
From:    Robert Slade
Subject: Change detection

FUNGEN6.CVP   911101

                          Change detection

A virus has to change *something*. This fact is absolutely fundamental to the operation of computer viral programs, and therefore, in a sense, provides a guaranteed form of virus prevention or detection. If we make a machine that cannot change anything (and the disadvantages of this have been thoroughly discussed) we can prevent infection. If any change made can be detected, then any infection can be detected, although discriminating between an infection and a valid change remains problematic.

It is interesting to note that the early antiviral programs, at least the most widely used ones, relied first upon activity monitoring and then signature scanning. Nowadays almost all antiviral programs implement some version of automated change detection. The detection of the first viri, and the ongoing research into new strains, relies almost entirely on "manual" methods of change detection.

This method of detection is available to anyone who has a computer and the most basic tools of the operating system. It is, of course, made somewhat easier with the more advanced "utility" programs available on the market, but the best defence remains a thorough knowledge of your computer, and what it is supposed to be doing.
A knowledge of what programs are on the computer, and a list of file sizes and creation dates, is a simple piece of protection requiring no special programs whatsoever. This one simple tool, however, can provide detection of most file infecting viri. It will even detect "stealth" viri if the computer is booted from a clean system disk before the check is made.

DEBUG is provided with every copy of MS-DOS, and can be used to view, and make a copy of, the boot record of every disk. (Partition boot records of hard disks are beyond the reach of DEBUG, but within the reach of F-PBR, from 1.xx versions of FPROT.)

Memory maps (and hex dumps of boot sectors) are not easy to read, even for experienced, but non-programming, users. However, it is not necessary that the user understand all the entries in a boot sector or memory map. It is only necessary that the user have a printout of a run of, say, MEM/C in an initially clean state, and then be able to spot a difference in a subsequent run of the program.

In reality, of course, most users will not take the time and trouble to check for changes in the system. Most users want a program which will do it for them, and preferably one which will do the checking automatically, and alert them to anything wrong.

copyright Robert M. Slade, 1991   FUNGEN6.CVP   911101

================
To those who have been corresponding with me via rslade@kea.bc.ca, I am not there any longer.
=============
Vancouver      p1@arkham.wimsey.bc.ca       | "Metabolically
Institute for  Robert_Slade@mtsg.sfu.ca     |  challenged"
Research into  CyberStore                   |    User
Security       (Datapac 3020 8530 1030)     | politically correct
Canada V7K 2G6                              |  term for "dead"

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 210]
******************************************
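The "list of file sizes and creation dates" that Robert Slade's column describes, and the checksum-based integrity checkers that Vesselin Bontchev mentions in his reply to Gene Spafford, are the same idea: record a clean baseline, then compare. The following is an added example, not code from the digest or from any of its contributors; it records size, modification time and a SHA-256 digest for every file under a directory, stores the baseline outside the checked tree, and reports what was added, removed or changed. The file names, contents and timestamps inside demo() are constructed for illustration, and the digest is included to show why size-and-date alone is the weaker check: in the demo, one file is rewritten with the same length and its date put back, and only the digest reveals it.

```python
# Added example (not from the VIRUS-L digest): a baseline-and-compare
# integrity checker in the spirit of the "list of file sizes and dates"
# that Robert Slade describes and the checksum-based integrity checkers
# Vesselin Bontchev mentions.  All file names, contents and timestamps
# in demo() are constructed for illustration.
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Attributes recorded per file.  size and mtime alone are the "manual"
# method from the column; the SHA-256 digest additionally catches a
# modification that preserves both size and date.
FIELDS = ("size", "mtime", "sha256")


def fingerprint(path: Path) -> dict:
    """Record size, modification time (ns) and SHA-256 of one file."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": st.st_mtime_ns,
            "sha256": digest.hexdigest()}


def snapshot(root) -> dict:
    """Fingerprint every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap: dict, dest: Path) -> None:
    # Keep the baseline OUTSIDE the tree being checked (here: a sibling
    # directory); in practice it belongs on write-protected media, like
    # the clean boot disk the digest recommends.
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed (and which attributes differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        diffs = [f for f in FIELDS if baseline[name][f] != current[name][f]]
        if diffs:
            changed[name] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Build a small constructed tree, take a baseline, alter it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "C_DRIVE"
        (tree / "BIN").mkdir(parents=True)
        t0 = 1_000_000_000  # constructed fixed timestamp (seconds)
        for rel, data in {"BIN/EDIT.COM": b"A" * 64,
                          "BIN/SORT.EXE": b"B" * 128,
                          "README.TXT": b"hello"}.items():
            (tree / rel).write_bytes(data)
            os.utime(tree / rel, (t0, t0))
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(tree), baseline_file)

        # 1. EDIT.COM grows by 16 bytes and gets a newer date:
        #    the size/date check alone catches this one.
        edit = tree / "BIN" / "EDIT.COM"
        with edit.open("ab") as fh:
            fh.write(b"X" * 16)
        os.utime(edit, (t0 + 60, t0 + 60))
        # 2. SORT.EXE is rewritten with the same length and its date restored:
        #    only the digest reveals the change.
        sort = tree / "BIN" / "SORT.EXE"
        sort.write_bytes(b"C" * 128)
        os.utime(sort, (t0, t0))
        # 3. One file disappears and a new one appears.
        (tree / "README.TXT").unlink()
        (tree / "NEWFILE.COM").write_bytes(b"Z" * 32)

        return compare(load_baseline(baseline_file), snapshot(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same caveat the column gives for the manual method applies here: the checker reads files through the running system, so it should be run after booting from a clean system disk, or a "stealth" infection can hand it the unmodified view. It also only tells you that something changed, not whether the change was legitimate; as the column says, telling an infection from a valid update is the part that remains a judgement call.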