WARNING FOR ThunderByte USERS
-----------------------------

If you run the ThunderByte virus scanner you MAY see one or more files
reported by TBAV as 'probably' infected or as files that 'might' be infected.

This is a known 'FALSE ALARM'. Please see the attached email from Frans
Veldman from ESaSS confirming this.

The 'FALSE ALARM' only appears with the heuristic setting set to HIGH (using
the 'hr' switch on the TBAV command line). The setting can also be changed
from the TBAV.EXE menus.

CHEKMATE.EXE, MD5.EXE and SETUP.EXE are ALL protected by a polymorphic
security envelope system (Protect! COM/EXE from Jeremy Lilley).
This program is what TBAV is flagging, as it does use polymorphic code to
thwart hackers.

If this continues to be a problem, then I will probably remove that 'extra'
level of protection as it appears to be causing more harm than good.

I apologise if this is causing you any annoyance.

Regards,
Martin Overton

PS No other virus scanner I have tested has ever flagged ANY file in this
ZIP as infected. These include:

F-Prot 2.18, McAfee Scan 2.2.0, Dr Solomon AVTK 7.12 etc.

When TBAV is run in AUTO heuristic mode (without the 'hr' switch),
you SHOULD see the details below.
----------------------------------------------------------------------------
Thunderbyte virus detector v6.35 - (C) Copyright 1989-1995, Thunderbyte B.V.

TbScan report,  06-09-1995  10:54:49

Parameters:  c:\temp\cm105d  lo ln=c:\temp\cm105d\auto.log

** Unregistered evaluation version. Do not forget to register! **



Found 23 files in 1 directories, 8 files seem to be executable.
0 files were checked for changes, 0 files have been changed.

0 files are infected by one or more viruses
-----------------------------------------------------------------------------

When TBAV is run in HIGH heuristic mode (with the 'hr' switch),
you SHOULD see the details below.
-----------------------------------------------------------------------------
Thunderbyte virus detector v6.35 - (C) Copyright 1989-1995, Thunderbyte B.V.

TbScan report,  06-09-1995  10:54:24

Parameters:  c:\temp\cm105d hr lo ln=c:\temp\cm105d\high.log

** Unregistered evaluation version. Do not forget to register! **

C:\TEMP\CM105D\1001.EXE might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
1  Found instructions which require a 80186 processor or above.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\4001.EXE might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
1  Found instructions which require a 80186 processor or above.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\CHEKMATE.EXE might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
K  Unusual stack.  The program has a suspicious stack or an odd stack.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\SETUP.EXE might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
K  Unusual stack.  The program has a suspicious stack or an odd stack.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\MD5.EXE might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
G  Garbage instructions.  Contains code that seems to have no purpose
   other than encryption or avoiding recognition by virus scanners.
K  Unusual stack.  The program has a suspicious stack or an odd stack.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\1001.COM might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
1  Found instructions which require a 80186 processor or above.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\101.COM might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
1  Found instructions which require a 80186 processor or above.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\4001.COM might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
1  Found instructions which require a 80186 processor or above.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.



Found 23 files in 1 directories, 8 files seem to be executable.
0 files were checked for changes, 0 files have been changed.

8 files are infected by one or more viruses
-----------------------------------------------------------------------------
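An added example, not part of the original notice or of TBAV: a small Python
parser for the report layout shown above. It collects the heuristic flag
characters per file and separates the files this notice names as
Protect!-wrapped from any other flagged file. The function names and the
KNOWN_ENVELOPED set are assumptions made for illustration; the sample is an
excerpt constructed from the HIGH report above.

```python
import re

# Files this notice names as wrapped by the Protect! envelope.
KNOWN_ENVELOPED = {"CHEKMATE.EXE", "MD5.EXE", "SETUP.EXE"}

# Constructed sample: three entries excerpted from the HIGH-heuristic report above.
SAMPLE_REPORT = r"""
C:\TEMP\CM105D\1001.EXE might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
1  Found instructions which require a 80186 processor or above.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\CHEKMATE.EXE might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
K  Unusual stack.  The program has a suspicious stack or an odd stack.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.

C:\TEMP\CM105D\MD5.EXE might be infected by an unknown virus
c  No checksum / recovery information (Anti-Vir.Dat) available.
G  Garbage instructions.  Contains code that seems to have no purpose
   other than encryption or avoiding recognition by virus scanners.
K  Unusual stack.  The program has a suspicious stack or an odd stack.
@  Encountered instructions which are not likely to be generated by
   an assembler, but by some code generator like a polymorphic virus.
"""

VERDICT = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) .*infected by")  # per-file verdict line
FLAG = re.compile(r"^(?P<flag>\S)  \S")  # flag character, two spaces, description

def parse_report(text):
    """Return {file name: set of heuristic flag characters} for each flagged file."""
    results, current = {}, None
    for line in text.splitlines():
        m = VERDICT.match(line)
        if m:
            current = results.setdefault(m["path"].rsplit("\\", 1)[-1].upper(), set())
        elif not line.strip():
            current = None          # a blank line ends the current entry
        elif current is not None and (f := FLAG.match(line)):
            current.add(f["flag"])  # indented continuation lines never match
    return results

def triage(results, known=KNOWN_ENVELOPED):
    """Split flagged files into those on the known-cause list and the rest."""
    explained = sorted(n for n in results if n in known)
    unexplained = sorted(n for n in results if n not in known)
    return explained, unexplained
```

Calling triage(parse_report(...)) on a full high.log lists every flagged file
that is not on the known-cause list, so each one can be checked separately.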

Below is the response from Frans Veldman of ESaSS:
-----------------------------------------------------------------------------
From @linux4nn.iaf.nl:Veldman@esass.iaf.nl Mon Jun 05 08:46:00 1995
Date:      Sun, 04 Jun 1995 12:17:25 dst
From: Frans Veldman <Veldman@esass.iaf.nl>
Message-Id: <2fd18837.esass@esass.iaf.nl>
Organization: Thunderbyte anti-virus (TBAV) support HQ
To: ChekMate@salig.demon.co.uk
Subject:   Re: URGENT - Why is TBSCAN Flagging Clean Files!?
Status: R

On Fri, 2 Jun 1995 10:25:11 GMT, "ChekMate Support" <ChekMate@salig.demon.co.uk> wrote:
> Hi Frans,
> 
Hi!

[Snip!]

The problem is known to us. It is also known to Jeremy Lilley. Protect!
encrypts the files using a VARIABLE encryption scheme. The decryptor looks
different every time. If you run Protect! twice on the same identical file,
the final result is different. Because the result of Protect! is different
every time you use it, it sometimes creates a decryptor that is exactly the
same as a decryptor found in a certain polymorphic virus. The result is that
some anti-virus program(s) detect the protected file as a virus. Sometimes
by name, but sometimes it just looks very virus-like. Because the result of
Protect! is different every time, it is not possible for us to recognize
any Protect!ed file in advance and hence avoid false alarms.

[Snip!]

In case you are wondering about the direct cause of the heuristic flags
of TbScan:

> #  Found a code decryption routine or debugger trap.  This is common
>    for viruses but also for some copy-protected software.

Isn't this the truth? It applies perfectly to Protect!ed files.

> G  Garbage instructions.  Contains code that seems to have no purpose
>    other than encryption or avoiding recognition by virus scanners.

This is also understandable.

> K  Unusual stack.  The program has a suspicious stack or an odd stack.

This requires a little more knowledge to understand it, but it is caused
by Protect! and it can easily be avoided by its author.

> @  Encountered instructions which are not likely to be generated by
>    an assembler, but by some code generator like a polymorphic virus.

Since the code that Protect! adds to the protected files is not created
by an assembler program or compiler but dynamically generated by Protect!,
it is also logical that TbScan raises this flag.

All of the above is *VERY COMMON* for viruses, about 50% of the viruses
raise these flags, but very few innocent programs raise the same flags.
This is why TbScan says 'probably a virus', and not 'definitely a virus'.

[Snip!]
-- 

Thunderbye,
Frans Veldman

    =   veldman@esass.iaf.nl            Phone (ESaSS)  + 31 - 8894 22282   =
    =   2:282/222.0@fidonet             Fax   (ESaSS)  + 31 - 8894 50899   =
    =                                   Fax   (VirLab) + 31 - 59 182 714   =
    =   Ham radio: PE1PVX @ 430.050MHz NFM, 145.600MHz NFM DTMF-page 789   =
    =   PGP fingerprint: 8A 0F 36 90 29 6D 19 42 B7 8D 74 9A A7 E5 28 4E   =
-----------------------------------------------------------------------------
*** END OF DOCUMENT ***
