Date: Thu, 27 May 1993 12:12:08 -0400
Message-Id: <9305271510.AA15923@agarne.ims.disa.mil>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: virus-l@agarne.ims.disa.mil
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
From: VIRUS-L Moderator <virus-l@agarne.ims.disa.mil>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #86

VIRUS-L Digest   Thursday, 27 May 1993    Volume 6 : Issue 86

Today's Topics:

EICAR'93 Call for Papers
re: VMag Issues 1 & 2
Re: VMag Issues 1 & 2
IDES-of-March Virus Conference
Battery Backed-up Virus? (PC)
re: Cansu or V-Sign virus (PC)
Re: McAfee v104 reported virus in memory (PC)
Re: F-Prot 2.07 (PC)
Ghost of Lacatedral? (virus?) (PC)
help needed with Stoned [Michaelangelo A] in partition table (PC)
re: Haifa (PC)
"DIR" infection, or "Can internal commands infect" (PC)
DOS6 Double Space and DOS Boot Sector Viruses (PC)
Catalogger v0.9 (PC) is ready.
Gotta Monkey on My Back!!! (PC)
Re: Cure against Tremor available? (PC)
The Anti-Viral Software of MS-DOS 6 (PC)
McAfee v104 reported virus in memory (PC)
Re: The Anti-Viral Software of MS-DOS 6 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform - diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on cert.org or upon request.)  Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Ken van Wyk


----------------------------------------------------------------------

Date:    Thu, 29 Apr 93 11:19:07 +0100
From:    amn@ubik.demon.co.uk (Anthony Naggs)
Subject: EICAR'93 Call for Papers

           CALL FOR CONFERENCE PAPERS AND PARTICIPATION

                       eicar CONFERENCE '93


When?                 December, 1st - 3rd 1993

Where?                St. Albans, Hertfordshire, England

The Occasion:         4th Annual Eicar Conference

Submission Deadline:  31st May 1993

Following a successful event in Munich last year, the European
Institute for Computer Anti-Virus Research (eicar), is holding
its 1993 Conference on 1st - 3rd December.

Eicar is an independent organisation supporting and co-ordinating
European activities in the areas of research, control and
prevention of computer viruses and related security compromising
sabotage software.

The conference will bring together users of computers and the
world's leading experts and authorities in the anti-virus field
along with the writers of anti-virus products that you are using
such as Fridrik Skulason of Frisk - F-Prot, Joe Wells of Symantec
- Norton Anti-Virus and Alan Solomon of S&S International -
Dr Solomon's Anti-Virus Toolkit.

The conference covers all aspects of computer viruses and other
malicious software including the following:-

- virus trends                  - anti-virus technology
- infection recovery tools      - anti-virus product selection
- network security              - system security
- backup measures               - risk assessment
- corporate strategies          - disaster recovery plans
- case studies                  - educational tasks
- impact on technology          - epidemiology
- forensic procedures           - legal aspects
- social implications           - ethics

Tutorial Day - is an optional tutorial on computer viruses and
               similar software threats
Day One      - will carry two tracks covering state-of-the-
               art information
Day Two      - continues the two tracks and concludes with a
               panel discussion


Call for Exhibitors

Whether or not you are considering speaking at the conference,
you should at least be investigating the sales and marketing
opportunities available at the exhibition.  For further
information on exhibiting at the conference, please contact
Rebecca Pitt at the address below.


Submissions of draft papers and panel proposals should be
received by Friday, 31st May 1993.

Please send your conference papers in ascii or Word for Windows,
to the following address:-

Miss Alison Sweeney            Tel:   +44 442 877877
Conference Manager             Fax:   +44 442 877882
S&S International Limited      CIX:   Sands@cix.compulink.co.uk
Berkley Court, Mill Street
Berkhamsted, Herts
HP2 4HW, England

------------------------------

Date:    Wed, 26 May 93 14:21:05 -0400
From:    96scsc@dylan.af.mil (Henry B. Tindall)
Subject: re: VMag Issues 1 & 2

THE GAR <GLWARNER@samford.bitnet> writes:

>the bomb.  He suggested I contact an agent in my area, but told me the

Good idea.  Even if the FBI can't stop this type of activity, it is 
a red flag of sorts.  Their computer crime division is a lot more active
than you'd think.  I'd be willing to bet that while you're reading this,
an agent is checking the background of subscribers....

>attorney general's office would have to decide whether there was a
>case, but he didn't think there was.  The editor of Chaos Digest is a
>member of the EFF, (the electronic version of the ACLU), so I would
>bet that anyone who messes with him would get a lawsuit.

The editor is not the worry.  It's the bozos in the field who put this
kind of information to use that scare the %^&*@# out of me.  If one 
subscriber gets caught, though, the rest will get the idea that big 
brother IS watching.  Without a demand for his service, he'll fall by
the wayside (hopefully). <:^)

/------------------------------------------------------------------------\
|Henry B. Tindall, Jr.                | "Intuition is Logic without the  |
|NCOIC, Small Computer Support Center |  confines of Language"           |
|Dyess AFB, TX  79607-1266            |                   -- Henry B.    |
\------------------------------------------------------------------------/

------------------------------

Date:    Thu, 27 May 93 03:44:32 -0400
From:    rol@grasp1.univ-lyon1.fr (Paul Rolland)
Subject: Re: VMag Issues 1 & 2

bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev) wrote:
> 
> THE GAR (GLWARNER@samford.bitnet) writes:
> 
> [Stuff Deleted]
> 
> As I mentioned, he lives in France and I bet that he doesn't give a
> dime about the US laws, be them Federal or not... However, the French
> have some laws limiting the use of encryption (anybody from France
> care to comment?). One could try to argue that the published documents
> contain encrypted stuff (the debug scripts, the encrypted viruses) and
> try to make the French government take some action, but I'm not
> holding my breath...
> 

Well, I've found the Chaos Digest mentioned, and had a look at it...
Too bad, but the only things that could be considered as encrypted are
some source of viruses in a debug form.  Concerning encryption, if my
memory is good (you may doubt it if you want), you can't
transfer encrypted data on a public medium (phone lines for example)
without an authorization from the government. Of course, they never
controlled what is exchanged by BBS, and for sure people are mainly
transferring ZIPped files... but this is not encrypted.  However, I
don't think that it could be possible to prevent the diffusion and the
publication of such a magazine in France.

Paul Rolland

A bug can be changed to a feature by documenting it. Developers know!



------------------------------

Date:    Thu, 27 May 93 04:08:13 -0400
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: IDES-of-March Virus Conference

On 7th April dklefkon@well.sf.ca.us (Richard W. Lefkon) wrote

> ........
> As some know, the way the conference is run is being reorganized
> from the ground up.  This process is not yet finished.  When it
> is, the overall plan for March 1994 in New York will be made
> available to interested parties.  

On 13th April he wrote to me

> ... When you receive your Proceedings in a few weeks, .....

> ... As you have probably been told, I will most likely not be 
> the person organizing the program for 1994.  

On 16 April jsb@well.sf.ca.us (Judy S. Brand) wrote

> It appears that someone who had been on the 1993 New York
> "Ides of March" program committee mistakenly reported to 
> Virus-L that there were no significant changes for 1994.
> 
> The person does not seem to have read my letter last week
> to "Ides of March" attendees.  It contained this announcement:
> 
>     "Next year, for the first time, the specialists
>      on our greatly expanded Program Committee will
>      take complete charge of organizing the presen-
>      tations and sessions."

So the significant changes are that:

   1. We will have a bigger committee, with even greater 
      potential for chaos.
      
   2. Dick Lefkon will no longer officially be in charge, but 
      Judy Brand (who we understand is Dick's wife) will 
      continue to act as Conference Chair.  
      
Each delegate to the recent conference paid a registration fee 
ranging from $325 to $425.  If we add a conservative $200 for 
accommodation and travel, and $400 for two days pay, and we assume 
that there were 500 paying delegates (in the absence of any 
reliable information on the subject) the total cost of this 
conference was almost certainly well in excess of $500,000.

If any individual had paid this amount for a service which failed 
as spectacularly as this conference did they would certainly take 
legal action.  Unfortunately it would be difficult to establish 
just how much loss the delegates had suffered, and difficult for 
any individual to take action.  However the registration form 
clearly stated "Registration includes Proceedings, ... ".  As 
these are valued (by the organisers) at $100 per copy, the 
organisers are in clear breach of contract to the tune of 
something like $50,000.

It is now 11 weeks since the conference, when we were promised we 
would receive them "Tomorrow", then "they will be posted first 
thing next week", and 7 weeks since I was promised them "in a 
few weeks", but still no one has received them.

Despite all this Ms Brand appears to think that the organisers 
can make a few cosmetic changes and continue as before.  Is  
there anyone, or any organisation, who/which is in a position 
to ensure firstly that the organisers meet their legal obligations 
with respect to the Proceedings, and secondly that they are not 
permitted to attempt to repeat this fiasco?

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727

------------------------------

Date:    Wed, 26 May 93 09:38:45 -0400
From:    tyjori@uta.fi (Johan Rimminen)
Subject: Battery Backed-up Virus? (PC)

I was wondering: is it possible to have a battery-backed-up virus?
As far as I know there is some unallocated memory for setup and
chipset use.
Moreover, as I recall the Chip&Techs chipset has over 30 kb of
"free" memory.

	 Just for curiosity.

	-jr

	tyjori@uta.fi

------------------------------

Date:    Wed, 26 May 93 10:44:52 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: re: Cansu or V-Sign virus (PC)

From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)

>unlike other BOOT or
>MBR infectors this virus does not keep a backup of the original sector.
>Therefore in some cases an infected disk will not boot, and it will not be
>possible to access it with normal means.

Perhaps you're thinking of the Azusa virus?   The CANSU keeps a copy
of the original boot record (more specifically, of the 40 bytes of
it that it alters), and uses it to boot the machine normally once
it has run.  The main oddish thing about CANSU is that it's slightly
polymorphic ("oligomorphic"), which is unusual for a boot virus.

DC


------------------------------

Date:    Wed, 26 May 93 12:11:17 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: McAfee v104 reported virus in memory (PC)

davids@software.mitel.com (David So) writes:

>How can I clean up this virus? Shutting down the system does not seem
>to work.

You probably don't have a virus.  Removing VSAFE will do the trick -
it leaves various virus fragments in memory, and one of them just
happens to match the search pattern SCAN uses.  I suggest you complain
to Microsoft about the problem, as this is entirely their (and Central
Point's) fault.

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801


------------------------------

Date:    Wed, 26 May 93 12:13:31 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: F-Prot 2.07 (PC)

bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>But it's a cute idea to verify both the compressed and uncompressed
>image of the file and to accept either of them - maybe more producers of
>anti-virus software should start to implement it.

I cannot do that and will not - I append certain information to F-PROT.EXE
after it is compressed, and I need to be able to change it later.  I am not
willing to open up what I consider a loophole, by allowing F-PROT to be run
uncompressed.

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801


------------------------------

Date:    Wed, 26 May 93 15:27:08 -0400
From:    ma@id.com (Mary Anne Walters)
Subject: Ghost of Lacatedral? (virus?) (PC)

Anyone have any info/experience with a Colombian virus called Lacatedral (or  
maybe La Catedral?)

Thanks

Mary Anne

------------------------------

Date:    Wed, 26 May 93 22:49:55 -0400
From:    robert@arbo.microbiol.uwa.oz.au (Robert Coelen)
Subject: help needed with Stoned [Michaelangelo A] in partition table (PC)

The problem:

f-prot (2.08) reports Stoned [Michaelangelo A] in the partition table
and says this version cannot remove the virus.  Machine: 486, Award BIOS
(I think 1991), Caviar 120 MB HD (Seagate).

I have tried a range of things, such as fdisk, delete partition,
re-establish partition, etc.: all to no avail.

I need some help!!

*---------------------------------------------------------------------*
Robert Coelen                        |     from the land   d        r  
Dept of Microbiology                 |                      o      e
The University of Western Australia  |                       w    d
Nedlands, 6009                       |                        n  n
robert@arbo.microbiol.uwa.edu.au     |                         u
*---------------------------------------------------------------------*

------------------------------

Date:    Thu, 27 May 93 07:44:20 +0000
From:    wolfgang.stiller@rose.com (wolfgang stiller)
Subject: re: Haifa (PC)

 REYNOLAP@snybufva.bitnet (Paul Reynolds) writes:

PR>We have several PC labs here at Buffalo State College.  Yesterday one
PR>lab with 10 machines was infected with Haifa-Family2(w)G.

PR>This virus was in the Printer.sys file in the DOS subdirectory. I was
PR>able to clean the 10 machines using the latest version of Virex.  Does
PR>anyone know what this virus does?

I'm not sure exactly which variant of Haifa VIRx is announcing, but Haifa
and its variants are polymorphic file infectors with a destructive
activation. (Polymorphic means that Haifa hides from scanners by using
the variable encryption technique now made more famous in the MTE and
initially seen in Casper and the V2Px series.) I'll describe the
original Haifa here in some detail. It is a resident infector of .COM
and .EXE files.  It will not infect overlay or .BIN or .SYS files. Haifa
appears to add between 2350 and 2400 bytes to each file.  Its first
action is to locate the command interpreter (e.g. COMMAND.COM) via the
COMSPEC= environment variable.  Haifa is memory resident, but no change
to available memory will be visible using MEM or CHKDSK.  If a large
program is loaded, the PC will probably hang because the virus code is
overlaid. After infecting the command interpreter, Haifa will infect
files in the current directory and files in directories on the DOS path.
On Aug 24th or Apr 8th, the virus will display several lines of text
beginning with:

  HAIFA VIRUS V1.12
  WRITEN BY ........

The PC will then hang.  The virus will overwrite the first 76 bytes of
any .ASM file with code to overwrite track zero of the first hard drive.
Any .PAS files will have the first 23 bytes overwritten by:

CONST VIRUS= "HAIFA";

.TXT or .DOC files will have the following text planted near their center:

 OOPS! Hope I didn't ruin anything!!!
 Well, nobody reads those stupied DOCS anyway!

(note the spelling of stupid;)

When executed, the virus seems to infect from two to four programs, but will
eventually infect all programs.

This virus has no stealth capabilities and can be picked out quickly by using
any directory listing program.  When Haifa infects a file, it will set the
minutes field of the time stamp to an even value (it clears bit 0) and it
will set the seconds field to 38.  Unusual numbers of programs with seconds
set to 38 are a possible indication of this virus.


Regards, Wolfgang

Stiller Research, 2625 Ridgeway St., Tallahassee, FL 32310  U.S.A.
---
   SLMR 2.1a  
   RoseMail 2.10 :
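
A defender's check for the timestamp marker described in the post above, written here as an added example (it is not part of Wolfgang's post or of any product named): it decodes the FAT packed-time word of directory entries and flags .COM/.EXE files whose minutes are even and whose seconds are 38. The directory entries are constructed sample data.

```python
"""Flag DOS directory entries whose timestamps carry the Haifa marker:
minutes field even (bit 0 cleared) and seconds field == 38.

Added example, not part of the original post.  The packed-time layout is
the FAT directory-entry format (hours<<11 | minutes<<5 | seconds//2); the
sample entries at the bottom are constructed, not real files.
"""
from collections import Counter

HAIFA_SECONDS = 38  # seconds value Haifa writes into every file it infects


def pack_dos_time(hours, minutes, seconds):
    """Encode a time as the 16-bit FAT packed-time word."""
    if not (0 <= hours < 24 and 0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError("time out of range")
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def unpack_dos_time(word):
    """Decode a FAT packed-time word into (hours, minutes, seconds).
    FAT keeps seconds at 2-second resolution, so seconds is always even."""
    hours = (word >> 11) & 0x1F
    minutes = (word >> 5) & 0x3F
    seconds = (word & 0x1F) * 2
    return hours, minutes, seconds


def looks_haifa_stamped(word):
    """True when the packed time has Haifa's marker: even minutes, 38 seconds."""
    _, minutes, seconds = unpack_dos_time(word)
    return (minutes & 1) == 0 and seconds == HAIFA_SECONDS


def is_executable_name(name):
    """Haifa only infects .COM and .EXE files, so only those are examined."""
    return name.upper().endswith((".COM", ".EXE"))


def audit_entries(entries):
    """entries: iterable of (filename, packed_time_word).

    Returns (suspect_names, stats).  A single hit proves nothing: an
    ordinary file matches by chance about once in 60 (30 possible seconds
    values, half of all minutes).  Many hits across a directory is the
    signal the post describes."""
    suspects = []
    stats = Counter()
    for name, word in entries:
        if not is_executable_name(name):
            continue
        if looks_haifa_stamped(word):
            suspects.append(name)
            stats["marked"] += 1
        else:
            stats["clean"] += 1
    return suspects, stats


# Constructed sample directory: three executables carry the marker.
SAMPLE_DIR = [
    ("COMMAND.COM", pack_dos_time(6, 22, 38)),   # even minutes, 38 s -> marker
    ("EDIT.COM",    pack_dos_time(12, 0, 38)),   # marker
    ("GAME.EXE",    pack_dos_time(9, 7, 38)),    # odd minutes -> not a marker
    ("TOOL.EXE",    pack_dos_time(23, 44, 38)),  # marker
    ("NOTES.TXT",   pack_dos_time(1, 2, 38)),    # .TXT is not examined
    ("CLEAN.EXE",   pack_dos_time(14, 30, 12)),  # ordinary timestamp
]

if __name__ == "__main__":
    found, counts = audit_entries(SAMPLE_DIR)
    print("suspect files:", found)
    print("marked/clean executables:", dict(counts))
```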


------------------------------

Date:    Thu, 27 May 93 04:08:46 -0400
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: "DIR" infection, or "Can internal commands infect" (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) wrote, in 
reply to Vesselin Bontchev:

 >> Finally, the DIR command causes various parts of the examined disk(s)
 >> to be read in memory, and in particular - the boot sector.

> Just add here:
> On the *first* time a floppy is accessed the BIOS attempts to read 
> the boot sector, sometimes several times if the read has 
> failed (resetting the floppy drive between attempts).
> Later the boot sector is read once (or not at all) on each floppy access.
> The aim of this is to read the BPB (BIOS Parameter Block) holding the 
> information of how to read this floppy.

Whenever you attempt to access a disk drive DOS first checks the 
status of the door open line. If the door has been opened since 
the last disk access DOS then reads the FAT.  If this does not 
match the last disk read (or if the read fails) DOS then reads 
the disk boot sector.  If this fails DOS will reset the drive and 
try again several times.

Thus, in the normal state of affairs, the boot sector of each 
floppy is read just once.  This READ is usually preceded by an 
attempt to read the FAT and this is preceded by a call to 
Int 13 to check the door opened status.

I think this sequence is followed for DOS 3 on (but won't swear 
to the door status call for DOS 3).  




Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727



------------------------------

Date:    Thu, 27 May 93 04:09:29 -0400
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: DOS6 Double Space and DOS Boot Sector Viruses (PC)

Other writers have reported that MBR infectors behave normally 
under DOS 6, but it was not clear what effect Double Space would 
have on viruses which infect the DOS Boot Sector on the hard 
disk.

First we established:

  1. Under Double Space the original drive C is normally 
     accessible as drive H.

  2. Int 13 Sect 1, Head 1, Track zero will always return the 
     true DOS boot sector.

  3. Int 25 sect 0, Drive H will return the true (standard DOS 5) 
     boot sector.
     
  4. Int 25 sect 0, Drive C will return a dummy boot sector.  
     This contains a copy of the size info, and is also standard 
     DOS 5, but contains the text MSDSP6.0 in the OEM field, and 
     DBLSPACE as the volume label.

For our tests we used AntiCad, which infects both files and DOS 
boot sector.  We were only able to infect the hard disk DOS boot 
sector by running a file on drive H, after running an infected 
file (from floppy), so the virus was in memory.  If we checked 
the boot sector on drive C, using Int 25, we got the standard 
(clean) DOS dummy, but we were able to detect the virus in the 
drive H boot sector.  We were able to recover and replace the 
original boot sector in the normal way, after disabling the virus 
in memory.

AntiCad infected executable files in the normal way, but the 
system crashed quite often when we first ran an infected file.  
We could not establish a pattern (though at one stage I thought 
it was every 2nd boot!)  The crash probably occurred when the 
virus attempted to infect the DOS BS, as it only occurred when 
the first file was run.

Once the boot sector was infected the virus was activated 
normally when the PC was rebooted.

In summary, Double Space will significantly reduce the risk of 
multi-partite viruses infecting the hard disk DOS boot sector (as 
relatively few files will be run from drive H), but may confuse 
attempts to check the boot sector using Int 25.  (All this is 
somewhat academic, as not many viruses infect the DOS boot 
sector. Form is the only one I can think of that is at all 
common.)



Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727
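
A small boot-sector parser, added here as an example (not from Roger's post or from VET): it reads the OEM field and the volume label of a DOS 4+ extended BPB, recognises the DoubleSpace dummy that Int 25 returns for drive C (OEM "MSDSP6.0", label "DBLSPACE"), and tells a checker to examine the host drive's sector instead. The two 512-byte sector images are constructed with struct from the standard BPB offsets; "MSDOS5.0" and "NO NAME" are the usual DOS 5 values, everything else in them is filler.

```python
"""Distinguish the DoubleSpace dummy boot sector from the real DOS boot
sector so a boot-sector checker does not report "clean" on the wrong one.

Added example, not part of the original post.  Field offsets are the
standard DOS boot sector / extended BPB layout; the sectors built below
are constructed stand-ins for what Int 25 returns for C: and for H:.
"""
import struct

SECTOR_SIZE = 512
OEM_OFFSET, OEM_LEN = 3, 8          # OEM name/version field
BPB_OFFSET = 11                     # start of the BIOS Parameter Block
EXT_SIG_OFFSET = 0x26               # 0x29 marks a DOS 4+ extended BPB
LABEL_OFFSET, LABEL_LEN = 0x2B, 11  # volume label inside the extended BPB
BOOT_SIG_OFFSET = 510               # 0x55 0xAA


def build_boot_sector(oem, label, bytes_per_sector=512, total_sectors=245760):
    """Construct a minimal DOS 5 style boot sector with an extended BPB."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                     # JMP SHORT, NOP
    sec[OEM_OFFSET:OEM_OFFSET + OEM_LEN] = oem.ljust(OEM_LEN).encode("ascii")
    # BPB: bytes/sector, sectors/cluster, reserved sectors, FAT copies,
    # root entries, total sectors (16-bit), media byte, sectors/FAT,
    # sectors/track, heads, hidden sectors, total sectors (32-bit)
    struct.pack_into("<HBHBHHBHHHII", sec, BPB_OFFSET,
                     bytes_per_sector, 8, 1, 2, 512, 0, 0xF8, 120, 63, 16,
                     63, total_sectors)
    sec[EXT_SIG_OFFSET] = 0x29                     # extended BPB present
    struct.pack_into("<I", sec, 0x27, 0x12345678)  # constructed serial number
    sec[LABEL_OFFSET:LABEL_OFFSET + LABEL_LEN] = label.ljust(LABEL_LEN).encode("ascii")
    sec[0x36:0x36 + 8] = b"FAT16   "
    sec[BOOT_SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sec)


def parse_boot_sector(sec):
    """Return the fields the check needs, or raise if this is no boot sector."""
    if len(sec) != SECTOR_SIZE or sec[BOOT_SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("not a valid boot sector (bad size or 55AA signature)")
    oem = sec[OEM_OFFSET:OEM_OFFSET + OEM_LEN].decode("ascii", "replace").rstrip()
    bytes_per_sector, = struct.unpack_from("<H", sec, BPB_OFFSET)
    label = ""
    if sec[EXT_SIG_OFFSET] == 0x29:  # label only exists in the extended BPB
        label = sec[LABEL_OFFSET:LABEL_OFFSET + LABEL_LEN].decode("ascii", "replace").rstrip()
    return {"oem": oem, "label": label, "bytes_per_sector": bytes_per_sector}


def is_doublespace_dummy(sec):
    """True for the DoubleSpace stand-in the post describes: OEM field
    MSDSP6.0 and volume label DBLSPACE.  This sector is always clean, so a
    checker that reads it via Int 25 on C: must look at the host drive
    (H:) or go through Int 13 to see the real boot sector."""
    f = parse_boot_sector(sec)
    return f["oem"] == "MSDSP6.0" and f["label"] == "DBLSPACE"


def choose_sector_to_check(drive_c_sector, host_drive_sector):
    """Given the Int 25 results for C: and for the host drive, return the
    sector a boot-sector scanner should actually examine."""
    if is_doublespace_dummy(drive_c_sector):
        return host_drive_sector
    return drive_c_sector


# Constructed sectors standing in for the two Int 25 reads in the post.
DUMMY_C = build_boot_sector("MSDSP6.0", "DBLSPACE")
REAL_H = build_boot_sector("MSDOS5.0", "NO NAME")

if __name__ == "__main__":
    print("C: sector:", parse_boot_sector(DUMMY_C))
    print("dummy?", is_doublespace_dummy(DUMMY_C))
    print("examine:", parse_boot_sector(choose_sector_to_check(DUMMY_C, REAL_H)))
```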



------------------------------

Date:    Thu, 27 May 93 08:35:53 +0000
From:    steinael@ifi.uio.no (Steinar Eliassen)
Subject: Catalogger v0.9 (PC) is ready.

The last test version of Catalogger, v0.9, is now ready. Catalogger
generates a catalogue of all the files on the hard disk, together with a
checksum calculated using all bytes in the file. It can also compare
this catalogue with files on the hard disk, and will detect any changes
in the files. This program is, of course, free, and v1.0 will come with
source code in BC/C++ v3.1. The program is mainly made to stop unknown
viruses. If you leave me a note, I will send you this program in
uuencoded format.

	/Steinar.

------------------------------

Date:    Thu, 27 May 93 05:33:31 -0400
From:    cxf12@po.CWRU.Edu (Christopher Fenton)
Subject: Gotta Monkey on My Back!!! (PC)

	Has anyone dealt with the "Monkey" virus before???? It 
has taken up residence in the boot sector of several of my machines
and I'm trying to establish an appropriate cure, but I can't find
any references to it in the literature.

	Any help would be greatly appreciated.  Pertinent e-mail
is always welcome.

	C. H. Fenton


-- 
Christopher H. Fenton     "Aw, Tipper come on,
cxf12@po.cwru.edu            Ain't ya' been getin' it on???
AIS  Computer Operations       Ask Ozzie, Zappa or me
Case Western Reserve Univ.       We'll show what it's like to be free"


------------------------------

Date:    Wed, 19 May 93 21:34:00 +0200
From:    Robert.Hoerner@f2170.n492.z9.virnet.bad.se (Robert Hoerner)
Subject: Re: Cure against Tremor available? (PC)

 DE> is there any new development re: disinfection of the Tremor virus? Are
 DE> there antiviral programs by now which can handle this beast?

TBCLEAN from TBAV-package is able to clean TREMOR-infected files.
F-PROT 2.08 finds it.

I myself wrote a finder+cleaner: ANTISER.ZIP, frequestable. It disinfects 
TREMOR-infected files just at the moment they are started. No danger of re-
infection anymore. Does not work on packed files!

If you need more information : ask.

Ciao, and best regards,
      Robert

---
 * Origin: Virus Help Service Karlsruhe, 49-721-821355 (9:492/2170)

------------------------------

Date:    Thu, 27 May 93 08:36:21 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: The Anti-Viral Software of MS-DOS 6 (PC)

I am not going to try to improve on Mr. Radai's masterful evaluation of
MSAV, rather I would like to point out that its shortcomings represent
an opportunity rather than a problem.

First, the lack of any boot sector checking in MSAV. I would like to 
point out that my FREEWARE (if I can't get rich, I'll settle for glory 8*)
FixMBR with the SafeMBR code is entirely compatible with MS-DOS 6.0/MSAV.

True, this does not protect 100% since the boot record is still exposed (I
bogged down on a "universal" boot record, but SMBR type checking for DOS 4-5-6
boot records would be easy, possibly in FixUtil6, once I get the bottom
six inches of stucco off my house, finish painting it, and get the a/c
working in the Judge).

As far as the easy disable in memory as documented widely, a tiny TSR
(uses no free RAM) could disable the disabler just as easily.

Finally, given that the signatures are distributed separately, what is to
stop an enterprising person from distributing their own signature update
for use with MSAV having a much higher detection rate (for a suitable fee 
of course) ?

Thus the question must be not "whether MSAV is the One True Answer" but
"*could* it be ..." e.g. is the engine robust enough ? Certainly, Windows
is not without its share of problems but still is used by many as a "start".

Now let's look on the positive side: MSAV is at least trivially integrated
into DOS. I haven't tried it yet but would expect it to be compatible with
disk compression and Windows 32BitDiskAccess (possibly why the boot sector
component is disabled in VSAFE). One would have expected MS to have checked
it against necessary functions that we do not know about (yet 8*). In
other words, the hard part (nice human interface & it works) is done and the 
a-v people can concentrate on improving the detection rate plus the low 
level add-ons.

There are some drawbacks that I know of. For instance you can take a looong
coffee break while waiting for the memory scan on a 4.77 MHz PC or XT but
this is fixable or possibly no-one will care.

Already I can see this happening. STAC (mfr of STACKER) has announced a
set of tools for DBLSPACE (which desperately needs help) & I expect they'll
make a bundle. To me MSAV represents the same opportunity & the only question
is: "Who will it be" ?

				Warmly,
					Padgett

ps STAC also quietly announced availability of STACKER for OS/2 on p 170
   of the May 24 PC-Week. Did anyone else notice ?



------------------------------

Date:    Thu, 27 May 93 09:48:05 -0400
From:    davids@software.mitel.com (David So)
Subject: McAfee v104 reported virus in memory (PC)

McAfee v104 scan does not recognize the DOS 6.0 vsafe (dos vshield).
When I unloaded it from memory, everything was fine.

Thanks/david

-- 
David Y. So			
Mitel Corporation		Phone: 613-592-2122 x3018
350 Legget Drive, Kanata	Fax  : 613-592-4784
Ontario, Canada K2K 1X3		Email: david.so@Software.Mitel.COM


------------------------------

Date:    Thu, 27 May 93 10:26:10 -0400
From:    Y. Radai <RADAI@vms.huji.ac.il>
Subject: Re: The Anti-Viral Software of MS-DOS 6 (PC)

  In connection with the following passage in my article:
>>                                             For years users complained that
>>they could not use any other scanner after CPAV, since it did not bother to
>>encrypt its scan strings, thus causing other scanners to detect its strings in
>>memory buffers or in the CPAV.EXE and VSAFE.COM files themselves, and producing
>>false alarms.  My tests indicate that this problem has finally been corrected,
>>but it has taken much too long.

Frisk writes:
>Unfortunately no...Here is for example one report I received yesterday from
>one of my largest users:
>
>>I have encountered interaction between DOS V6.0's VSAFE and McAfee V104 and
>>F-Prot 2.08a
>>
>>If I have VSAFE loaded McAfee says
>>	Found the Israeli Boot [Iboot] Virus active in memory
>>
>>F-Prot says
>>	Stoned
>>
>>DOS V6 Antivirus show no viruses. (Fine I know the DOS V6 is the 'weakest'
>>scanner of the bunch)
>
>A similar problem happens with Turbo Anti-Virus and CPAV.  In MSAV's case it
>seems to depend only on *how* VSAFE is loaded into memory.

I do not notice any behavior like that described above when I use McAfee's
Scan V102, S&S's FindViru 6.18, or UTScan 28.  I find it only when I run
F-PROT after running MSAV.  I then get the message "The xxxxxx virus search
pattern has been found in memory" (where xxxxxx is "Telecom", unless VSafe is
loaded in extended memory, in which case xxxxxx is "Stoned").  I therefore
think that the problem lies with F-PROT rather than with MSAV or VSafe in this
particular case.


  I would like to take this opportunity to mention an error and a few typos in
my article as published here on Tuesday:
  Section "MSAV", paragraph 2, lines 5-6: "main menu" should be "Options menu".
  Section heading "SECURTTY HOLES" should obviously be "SECURITY HOLES".
  Section "MSAV", paragraph 5, delete the right parenthesis at the end of the
paragraph (after "Anthrax").
  In the section "CONCLUSIONS AND CONJECTURES", entry "INTEGRITY CHECKING",
line 2, please delete the blank before the words "On files,".

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL
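
The false-alarm mechanism discussed above (one product leaving its scan strings in the clear, another scanner then "finding" them in memory or in the first product's files), shown as an added example that is not part of Radai's article or of any product named here: a toy scanner with a plaintext signature table beside one whose table is XOR-stored and decoded byte by byte during matching. The patterns and memory images are constructed placeholders, not real virus signatures.

```python
"""Why plaintext scan strings in one anti-virus product's image trigger
other scanners, and how an obfuscated signature table avoids it.

Added example, not from Radai's article or from any product discussed.
All patterns and buffers below are constructed placeholders.
"""

# Constructed placeholder patterns (NOT real virus signatures).
SIGNATURES = {
    "Sample-A": bytes.fromhex("b8 00 4c cd 21 90 90 e8"),
    "Sample-B": bytes.fromhex("fa 0e 1f 8c c8 8e d8 bb"),
}
XOR_KEY = 0x5A  # one-byte key for the obfuscated store (constructed)


def scan(buffer, signatures):
    """Naive scanner: report every named pattern present in buffer."""
    return sorted(name for name, pat in signatures.items() if pat in buffer)


def plain_signature_store(signatures):
    """How a product that does not encrypt its strings keeps them: verbatim,
    in the program file and in its resident copy in memory.  Any other
    scanner walking memory or that file then finds all of these."""
    return b"".join(signatures.values())


def obfuscated_signature_store(signatures, key=XOR_KEY):
    """Keep each pattern XORed with a key so the plaintext never sits in
    the file or in memory as a contiguous run of bytes."""
    return {name: bytes(b ^ key for b in pat) for name, pat in signatures.items()}


def scan_with_obfuscated(buffer, store, key=XOR_KEY):
    """Match against the obfuscated store, decoding one byte at a time as
    it compares, so the decoded pattern is never written into a buffer
    that another scanner could later pick up."""
    hits = []
    for name, enc in store.items():
        n = len(enc)
        for pos in range(len(buffer) - n + 1):
            if all(buffer[pos + i] == (enc[i] ^ key) for i in range(n)):
                hits.append(name)
                break
    return sorted(hits)


# Constructed "memory" images: a resident scanner that kept its strings in
# the clear, one that kept them obfuscated, and a buffer holding Sample-A.
RESIDENT_PLAIN = b"\x00" * 64 + plain_signature_store(SIGNATURES) + b"\x00" * 64
OBF_STORE = obfuscated_signature_store(SIGNATURES)
RESIDENT_OBF = b"\x00" * 64 + b"".join(OBF_STORE.values()) + b"\x00" * 64
INFECTED_BUFFER = b"\x90" * 32 + SIGNATURES["Sample-A"] + b"\x90" * 32

if __name__ == "__main__":
    # A second scanner examining memory that holds the plaintext store
    # reports every pattern: the false alarms the article describes.
    print("plain store seen by another scanner:", scan(RESIDENT_PLAIN, SIGNATURES))
    print("obfuscated store seen by another scanner:", scan(RESIDENT_OBF, SIGNATURES))
    print("obfuscated scanner on real hit:", scan_with_obfuscated(INFECTED_BUFFER, OBF_STORE))
```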

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 86]
*****************************************


