Date: Wed, 3 Mar 1993 07:28:36 -0500
From: "Kenneth R. van Wyk" <krvw@first.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #38

VIRUS-L Digest   Wednesday,  3 Mar 1993    Volume 6 : Issue 38

Today's Topics:

Re: your opinions on virus legality
Why only PCs?
Sources of virus information
Re: your opinions on virus legality
PC Magazine reviews virus (PC)
Re: EXE/COM switch (PC)
Re: New Virus (PC)
Re: PC Magazine on Anti-Virus Software (PC)
Re: Michelangelo or STONED? (PC)
Signatures (PC)
problems with f-prot's virstop. (PC)
Re: PD Virus Detect/Clean (PC)
Re: standardization (PC)
CHKDSK (PC)
new mcafee progams available (PC)
New files on risc (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Tue, 02 Mar 93 15:29:44 +0000
From:    antkow@eclipse.sheridanc.on.ca (Chris Antkow)
Subject: Re: your opinions on virus legality

 Possession of a handgun is NOT illegal in Canada so long as you have an
FAC (Firearms acquisition certificate). Are you perhaps hinting that the
global computing community should be issuing VAPC's (Virus Acquisition
and Possession Certificates) ?

 This is getting quite interesting. I think I'll get in touch (whenever
I find time) with the local Mississauga, Ontario constabulary in charge
of computer crimes and pick his brain on this matter...

 I could see the point if a firearm is mistakenly discharged, the owner
is held personally liable, but a virus? As stated before in this
conference, some people just plainly DON'T KNOW that they are infected
and innocently and unbeknownst introduce it on another system whenever
new software is installed. Are they to be shot down and held liable for
"doing their job" or for being a "good samaritan". Sure copying of
software is illegal, but people do it all the time... Could this perhaps
be a deterrent in order to get people to stop copying programs?

 The plot thickens...

 Cheers...
	Chris
	antkow@eclipse.sheridanc.on.ca


------------------------------

Date:    Tue, 02 Mar 93 15:38:23 +0000
From:    Jason.Price@lambada.oit.unc.edu (Jason Price)
Subject: Why only PCs?

I have a question.  Why is it that all the virus discussions are about
PCs and Macs?  There ARE other computers out there.  What about NeXT,
C-64, Amigas?  I never see hardly anything on those types of computers.
Is it possible those types don't have as many virus problems as PCs?


Jason

- --
   The opinions expressed are not necessarily those of the University of
     North Carolina at Chapel Hill, the Campus Office for Information
        Technology, or the Experimental Bulletin Board Service.
           internet:  laUNChpad.unc.edu or 152.2.22.80

------------------------------

Date:    Tue, 02 Mar 93 11:33:35 -0500
From:    David Stang <75300.2673@compuserve.com>
Subject: Sources of virus information

Hello, faithful readers of Virus-L. I'm sure all of you join me in
congratulating our moderator, Ken van Wyk, on his new job down here in
Washington and in thanking him for continuing his efforts with
Virus-L.

I'd also like to thank Vesselin for mentioning our newest product, 
V-Base:

sbonds@jarthur.Calremont.EDU (007) writes:

>>Currently, MSDOSVIR is the only list I know of that contains accurate
>>or nearly accurate virus info.  Frisk also has good information, but
>>it is rather brief.

Vesselin responds:
>There are two other alternatives. First, we are working on a browsing
>program for the Computer Virus Catalog (of which MSDOSVIR is only a
>part). The package, called CVBASE is available via anonymous ftp from
>our site.

>The second alternative is produced by ICSA and is called V-Base. A
>demo version of it (supporting only the viruses with names beginning
>with A, B, and C) is also available from our ftp site.

You can also download the demo version of V-Base from the ICSA's BBS
(202-364-0644 - filename VBASEABC.ZIP). We're trying very hard to be
accurate and welcome any comments and certainly additional
information. If you do send us information, we'll investigate it and
cite you as a source. We're also including general information on
prevention, detection and removal, along with articles that are of
interest to both users and managers. V-Base is updated monthly and is
available both in single user licenses and site licenses. (end plug)

On another topic:

Next week marks this industry's annual Ides of March conference in
New York. As in the past, there will doubtless be some stimulating
talks and valuable catching-up with each other.

- -- The following statements are *not* meant as a flame against the
coordinators of the event - rather, it's an attempt to avoid potential
confusion.--

Some of you saw my picture in an ad for the conference in Computerworld
and are probably assuming that I'll be speaking. And some of you didn't
see the ad but are expecting me to speak because I've done so in the
past. However, I'd like to make clear that I was never invited to
speak, and I did not give permission for my picture to be used in
promotional material. A truly unfortunate turn of events, and I regret
that I won't be seeing all of you this year. I hope all who attend have
a good time.
 

David Stang
Director of Research
International Computer Security Association
voice: 202-364-8252
fax: 202-364-1320
BBS: 202-364-0644

------------------------------

Date:    02 Mar 93 22:32:55 +0000
From:    dudleyh@redgum.ucnv.edu.au (Dudley Horque)
Subject: Re: your opinions on virus legality

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>
>You see, there are BIG differences between the local laws in the
>different countries. You shouldn't assume that something is legal or
>illegal (and should remain so) just because it is so in your
>particular country. On the other side, computer viruses do not
>recognize country boundaries...

That's USAns for you. But everyone else gets the last laugh... many of
their kids in secondary education cannot even point out where USA is on
a map. They also insist on calling USA America, thus insulting the
Canadians, Mexicans, et al.

Still, this does cut down on the number of dangerous viruses that the
USAns can write.
- -- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ciao4niao                                 My philosophy on life is far too deep
Dudley Arthur Horque                   to fit into two lines... I'd need three.

------------------------------

Date:    27 Feb 93 15:41:00 +0000
From:    bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: PC Magazine reviews virus (PC)

Quoting from Christopher Yoong-meng Wo to All About PC Magazine reviews 
virus on 02-26-93

CY> Somehow, this review seems out of sync with almost everything I've re
CY> here about virus scanners. Opinions? It seems to me a letter to the
CY> letters page signed by a major virus researcher (or ten :-) ) would c
CY> a lot of weight.

I read that article, and I don't like it at all.
 
11 viruses is not a large enough sample to test anti-viral software when 
there are around 2,000 known specimens.
 
If they had tested these products against the viruses known to be in the 
wild, the tests would have a lot more validity.

Bill

- ---
 * WinQwk 2.0 a#383 * Hacked version of LHarc released as LHice 1.14

------------------------------

Date:    Tue, 02 Mar 93 15:37:08 +0000
From:    antkow@eclipse.sheridanc.on.ca (Chris Antkow)
Subject: Re: EXE/COM switch (PC)

 The fact of the matter is, that any resident virus that monitors
function 4Bh, subfunction 00h (Int 21h) WILL be able to infect a file,
even if the extension has been renamed... (Provided the virus is written
"correctly"... Gack).

 Whenever a file is executed, it is immediately passed to AX,4B00h/INT
21h. The rest is at the mercy of the viral code... If the file can't be
executed, then it's never passed to AX,4B00h/INT 21h...

 (Someone correct me if I'm wrong...)

 Cheers...
	Chris
	antkow@eclipse.sheridanc.on.ca


------------------------------

Date:    Tue, 02 Mar 93 15:52:04 +0000
From:    antkow@eclipse.sheridanc.on.ca (Chris Antkow)
Subject: Re: New Virus (PC)

 Well, if it is a Sourcer-Generated disassembly, it's a damn good one. I
don't know German, but it compiles into a working copy and you are able
to make modifications to it and the pointers are flexible, unlike
Sourcer's static, rigid offsets...

 As far as I know, Sourcer does not let you EASILY change a disassembly
because of the EQUates and static values it generates. This disassembly
has a VSTART EQU $ and a VEND EQU $ that makes for flexible code length
finding and changes the relative offsets based on actual code length and
not "what sourcer wants to be in a certain location".

 I'll double check, as I've only looked it over on about 2 occasions,
but it sure looked like the real thing...

 Cheers...

         Chris
	 antkow@eclipse.sheridanc.on.ca

------------------------------

Date:    02 Mar 93 12:08:23
From:    smd@hrt216.brooks.af.mil (Sten M. Drescher)
Subject: Re: PC Magazine on Anti-Virus Software (PC)

On 1 Mar 93 17:28:42 GMT, frisk@complex.is (Fridrik Skulason) said:

 Fridrik> Joe.George@nd.edu writes:

>Hello:

>Do people in this group support Pc Mag's Editor's Choice Awards to
>Central Point Anti-Virus and Norton's Anti-Virus?  I thought the best
>protection was McAfee's SCAN backed up by F-PROT or vice-versa.

>In the review, F-PROT received an honorable mention because it correctly
>removed all of the viruses it found.  The review did not test McAfee's
>SCAN.

 Fridrik> Well, they did not want to include any shareware programs at
 Fridrik> all (quite silly, because they are the most popular ones) -
 Fridrik> therefore no SCAN, and F-PROT only got included because we
 Fridrik> have an expanded, commercial version available.  I am not
	Incorrect - McAfee was represented by an expanded, commercial
version called Pro-Scan.  I agree that excluding shareware programs from
review was silly, but they did mention the shareware parallels of both
packages.  Of course, F-Prot Pro was (probably justifiably) portrayed as
superior to F-Prot, while Pro-Scan was portrayed as lacking in comparison
to the SCAN/CLEAN/VSHIELD trio.
 Fridrik> terribly happy with the review, of course - well, it was nice
 Fridrik> to see that I had one of the 13 (out of 24) scanners that
 Fridrik> detected all the 11 (!!!) viruses, and that F-PROT was the
 Fridrik> only program that could remove them all correctly, but the
 Fridrik> basic problem with the review, from my point of view is that
 Fridrik> they did not ask any virus "experts" for advice, and relied on
 Fridrik> incorrect or incomplete information (for example they say that
 Fridrik> 57 variants of Jerusalem exist, where the correct number is at
 Fridrik> least 125). So, basically it is a good review of anti-virus
 Fridrik> program interfaces - their virus collection is far too small
	That's been what I've seen from all of the anti-virus reviews in
the mass-market magazines.  Don't worry about accuracy if you want to
get a good review - just put on those bells and whistles!
 Fridrik> (11 viruses is silly...they should have used at least the
 Fridrik> 50-100 that are in the wild), the viruses they used are old,
 Fridrik> so a program that had not been updated for 18 months would
 Fridrik> have detected all but one or two....and so on...

 Fridrik> Anyhow, I wrote them a 4-page letter about this...
	I hope that they have the balls to print an accurate portion of
your letter.
- --
+---------------------------+--------------------------------------------+
| Sten Drescher             | "My country, right or wrong.  When right,  |
| 2709 13th St #1248        |  to be kept right.  When wrong, to be put  |
| Brooks AFB, TX 78235-5224 |  right."                                   |
|---------------------------+----+---------------------------------------+
| sdrescher@animal.brooks.af.mil |                                       |
+--------------------------------+---------------------------------------+

------------------------------

Date:    02 Mar 93 14:40:33 +0000
From:    "G.Randolph Bickerton" <grb@rbyte.proteus.qc.CA>
Subject: Re: Michelangelo or STONED? (PC)


bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) writes:

> Quoting from Leprican~~~ to All About Michelangelo or STONED? ( on 
> 02-21-93
> 
> L > Reformatting it from a write-protected floppy didn't remove it, eithe
> L > Does anyone have any suggestions on how to combat this virus?
> L > thanks,
> 
> You should be able to remove Michelangelo with Clean with the following 
> from the command line.
>  
> CLEAN C:[MICH]
> 
> [Moderator's note: See the recent discussions on the potential
> problems with using this command.]
> 
> Maybe you have a new variant of Michelangelo.
>  
> The reason the format didn't remove the virus is because viruses like 
> Michelangelo and Stoned hide in the partition table of the hard drive, 
> and Format never touches this area.
>  
> Bill
> 
> - ---
>  * WinQwk 2.0 a#383 * JERUSALEM (Arnakia) activates Tuesday the 13th
>                                                                              

Isn't the correct procedure to repartition the hard disk then reformat?

G. Randolph Bickerton              GRB@rbyte.proteus.qc.ca
P.O. Box 781                       TEL (514)744-5524
Pte-Claire Dorval, PQ  H9S 2L5     FAX (514)748-8109
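An added example, not code from either poster, to make the quoted point concrete: FORMAT writes only inside a partition's own sector range, while the boot code that Stoned-style viruses replace sits in the first 446 bytes of sector 0, ahead of the 64-byte partition table and outside any partition. The sector below is constructed for the example, and a baseline comparison of the boot-code region is how an integrity check would notice a change there.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446   # master boot code occupies bytes 0..445 of sector 0
TABLE_OFF = 446       # four 16-byte partition entries follow it
SIG_OFF = 510         # 0x55AA boot signature closes the sector
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr() -> bytes:
    """Constructed sector 0: dummy boot code (jmp $) and one FAT16 partition."""
    boot_code = b"\xEB\xFE".ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(ENTRY, 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\xBF\x7F", 63, 204737)
    return boot_code + entry.ljust(64, b"\x00") + b"\x55\xAA"

def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into its regions and decode the used partition entries."""
    if len(sector) != SECTOR or sector[SIG_OFF:] != b"\x55\xAA":
        raise ValueError("not a valid MBR (bad length or missing 55AA)")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY, sector, TABLE_OFF + 16 * i)
        if ptype:   # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": parts}

def sectors_touched_by_format(mbr: dict, index: int) -> range:
    """Absolute LBA range a logical-drive FORMAT of that partition can write."""
    p = next(p for p in mbr["partitions"] if p["index"] == index)
    return range(p["lba_start"], p["lba_start"] + p["sectors"])

def format_reaches_mbr(mbr: dict, index: int) -> bool:
    """True only if the partition range includes sector 0 (it never should)."""
    return 0 in sectors_touched_by_format(mbr, index)

def replace_partition_table(sector: bytes, new_table: bytes) -> bytes:
    """Rewrite just the 64-byte table; boot code and signature stay as they were."""
    if len(new_table) != 64:
        raise ValueError("partition table must be exactly 64 bytes")
    return sector[:TABLE_OFF] + new_table + sector[SIG_OFF:]

def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """What a baseline check of sector 0 reports: did the boot code region move?"""
    return (parse_mbr(baseline)["boot_code_sha256"]
            != parse_mbr(current)["boot_code_sha256"])
```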

------------------------------

Date:    03 Mar 93 00:37:31 +0000
From:    motazev@hobo.ECE.ORST.EDU ( )
Subject: Signatures (PC)

To check for an executable file a virus will read in the appropriate bytes
and check to see if it is "MZ".

Why do some viruses check for "ZM"? What kind of file does this denote?


- --

Vahid
motazev@hobo.ece.orst.edu 
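An added example, not from the post above: a DOS EXE header parser written the way a scanner has to write it. MS-DOS's program loader runs a file whose first two bytes are either "MZ" or "ZM", so a checker that matches only "MZ" misses executables DOS will happily load; the header fields below are the standard DOS EXE layout, and the sample file is constructed, not a real program.

```python
import struct

# DOS EXE header: e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc,
# e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno (28 bytes)
MZ_HEADER = struct.Struct("<2s13H")
MAGICS = (b"MZ", b"ZM")   # MS-DOS accepts both byte orders

def is_dos_exe(data: bytes) -> bool:
    """Signature check that does not miss the 'ZM' spelling."""
    return len(data) >= 2 and data[:2] in MAGICS

def parse_exe(data: bytes) -> dict:
    """Decode the header and derive what a scanner needs: where the load
    image ends and the file offset of the first instruction executed."""
    if len(data) < MZ_HEADER.size:
        raise ValueError("too short for a DOS EXE header")
    (magic, cblp, cp, _crlc, cparhdr, _minalloc, _maxalloc, _ss, _sp,
     _csum, ip, cs, _lfarlc, _ovno) = MZ_HEADER.unpack_from(data, 0)
    if magic not in MAGICS:
        raise ValueError("no MZ/ZM signature")
    header_size = cparhdr * 16
    # e_cp counts 512-byte pages; e_cblp is bytes used in the last page (0 = full)
    image_size = cp * 512 if cblp == 0 else (cp - 1) * 512 + cblp
    # CS:IP is relative to the load segment, which starts right after the header
    entry_offset = header_size + cs * 16 + ip
    return {
        "magic": magic,
        "header_size": header_size,
        "image_size": image_size,
        "entry_offset": entry_offset,
        "entry_in_image": header_size <= entry_offset < image_size,
        "overlay_bytes": max(0, len(data) - image_size),  # data past the image
    }

def make_sample(magic: bytes) -> bytes:
    """Constructed 128-byte EXE-shaped blob for the example (not a real program):
    4-paragraph header, 96-byte image, entry at CS:IP = 0000:0010."""
    header = MZ_HEADER.pack(magic, 0x60, 1, 0, 4, 0, 0xFFFF, 0, 0x80,
                            0, 0x10, 0, 0x40, 0).ljust(64, b"\x00")
    code = b"\x90" * 32   # NOP filler standing in for code
    return (header + code).ljust(128, b"\x00")
```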

------------------------------

Date:    Tue, 02 Mar 93 21:14:07 -0500
From:    ed <TAWED@etsu.bitnet>
Subject: problems with f-prot's virstop. (PC)

Here is a common problem that I have detected with f-prot's virstop...
When a program loads and virstop finds a virus it doesn't remove that program
from memory and thus leads to further infection unless rebooted..

Any suggestion as to how to effectively remove the bug from memory???

ed.


------------------------------

Date:    03 Mar 93 09:43:37 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: PD Virus Detect/Clean (PC)


Carpenter@Fwva.Saic.Com (Apprentice Wizard) writes:

>I'm looking for opinions on the best public domain virus
>detectors/cleaners.  Any help would be greatly appreciated. Thanks -

Simple.  There are none.

There are several good *Freeware* programs, at least for the Mac, as well as
several good *Shareware* scanners/cleaners available, but no public domain
ones - at least that I know of.

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    03 Mar 93 09:52:45 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: standardization (PC)


bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) writes:

>I'm glad that scanner authors are using the CARO naming system. 

Unfortunately not all of them are - which is what is causing the confusion.

>Occasionally I run into new or modified specimens. How can I send these 
>specimens directly to CARO?

You cannot.  CARO maintains several mailing lists, for various purposes - one
of which is supposed to be an "open channel" for "outsiders", but it is not
for virus samples...just questions.

>Up to now, I have been sending them to Glenn Jordan, Wolfgang Siller, or
>yourself. 

yep...thanks... :-)

The best way is actually just to do that...send us, or other CARO members
like Vesselin Bontchev the viruses, either on a diskette or by E-mail
(encrypted, please, and send the password via fax or by phone).  If you have
FTP access, you can also upload the samples to /incoming (which is write-only)
on my personal machine (complex.is).  Once I (or one of the other CARO members)
get the viruses, they will be distributed to the rest of the group.

- -frisk

- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Tue, 02 Mar 93 03:42:25 -0500
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: CHKDSK (PC)

Ref these messages this year so far about CHKDSK:-

[Chkdsk / undelete fix from Microsoft. (PC)]                                  002
[MS-DOS CHKDSK & VER /R (PC)]                                                 003
[Re: MS-DOS CHKDSK & VER /R (PC)]                                             004
[DOS CHKDSK bug: How to show it with a small hard disk (PC)]                  015
[DOS CHKDSK bug: a first (?) victim (PC)] spoilt hard disk root directory     016

My only experience of CHKDSK so far is running CHKDSK /f today. On my PC just
now it found and recovered over SIXTEEN MILLION bytes of hard disk storage in
40 lost chains. Many of them were work files left by (interrupted?) runs of an
old Fortran compiler called WATFOR, which I had to use to prepare programs for
running on some old PCs with 286 processors that my department has.


------------------------------

Date:    Mon, 01 Mar 93 22:39:51 -0500
From:    HAYES@urvax.urich.edu
Subject: new mcafee progams available (PC)

Hi gang.

Just received and fetched the new 102 series of programs from McAfee Associates.

Many thanks to Aryeh for mentioning their availability.

Best, Claude.

==========
Site:       urvax.urich.edu,  [141.166.36.6]    (VAX/VMS using Multinet)
Directory:  [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password.  You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173


------------------------------

Date:    Mon, 01 Mar 93 22:55:49 -0500
From:    James Ford <JFORD@UA1VM.UA.EDU>
Subject: New files on risc (PC)

The v1.02 series of McAfee files (scan, clean, netscan, OS/2 scan, OS/2
clean, etc) are now available via anonymous FTP from risc.ua.edu
(130.160.4.7) in the directory /pub/ibm-antivirus.  Also included is
nshld111.zip (Novell NLM), allmsg.zip and the latest validate.crc.
- ----------
A consultant may be defined as an unemployed practitioner.
- ----------
James Ford -  Consultant II, Seebeck Computer Center
              The University of Alabama (in Tuscaloosa, Alabama)
              jford@ua1vm.ua.edu, jford@seebeck.ua.edu
              Work (205)348-3968  fax (205)348-3993


------------------------------

End of VIRUS-L Digest [Volume 6 Issue 38]
*****************************************

