From lehigh.edu!virus-l  Thu Apr 15 03:44:57 1993 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Thu, 15 Apr 93 16:37:57 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
	id AA23850; Thu, 15 Apr 1993 13:55:08 +0200
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA01721
  (5.67a/IDA-1.5 for <mikael@vhc.se>); Thu, 15 Apr 1993 07:44:57 -0400
Date: Thu, 15 Apr 1993 07:44:57 -0400
Message-Id: <9304151053.AA13078@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@first.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #63

VIRUS-L Digest   Thursday, 15 Apr 1993    Volume 6 : Issue 63

Today's Topics:

Scanners getting bigger and slower
Scanners getting bigger and slower
Re: Virus vectors of infection
AIUTO! HELP! (PC)
RE: Is "Untouchable" (V-ANALYST) Effective (PC)
Optimum Strategy for Virus Checking (PC)
Novell & Virstop (PC)
That's not a bug, it's a Feature (was re: Vshield) (PC)
Viruses and Canada (PC)
Re: Catch from DIR? (PC)
Re: Port Writes (PC)
Re:Boot-virus or false positive? (PC)
re: viruses and compression (PC)
Re: ANSI viruses and things that go bump in the night (mostly PC)
Re: Unknown little virus? (PC)
Re: Unknown little virus? (PC)
Re: Censorship/40-Hex (PC)
Re: Help wanted with Dir-II virus (PC)
Re: Terminator 2 and Bert virus ?? (PC)
Re: Virus Data Base (PC)
Re: viruses and compression (PC)
Re: Windows 3.1 virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Fri, 09 Apr 93 00:20:13 +0100
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

Amir Netiv writes:

Inbar Raz said that the chances of big companies getting infected are small.

Amir replied:

 > I wish it were so. If it were, then they wouldn't need an Anti Virus in
 > the first place, and the PCs/Networks etc. would work fine.

 > But take notice that *people* use these PCs, and
 > wherever people are involved anything can happen.

I work as a programmer, as you probably know, and the main field I work in is 
Data Security. More than once I had a meeting with Bank representatives, and
even a Hospital representative, who wanted to know more information. All of
them came to a point where they said - "But what good is a SmartCard, if
people can lose it just as well as they can lose/give away their password?"

There is no reply to that. The human factor will always exist, and this is 
really a matter of being loyal, obedient and trustful, not to mention that 
humankind is known for making mistakes.

 > Someone can get a floppy from home and run it on the
 > network, or you can buy a *NEW* "clean" software package to be used at
 > work only (but the company that sold it to you also has employees that
 > jerk around with their PC at work), so eventually, a virus can find its
 > way in your PC by many ways, and you cannot assume anything for a fact
 > (unfortunately).

Exactly - if you don't trust your people, there is no software in the world 
that can solve this. Maybe if you combine voice recognition, or pupil 
recognition, then you may get a high level of security, but these solutions 
are not practical at all, at least not in our field - the home/company 
computers for personal everyday use.

 > Just to remind you of the magazine in France that gave away
 > thousands of copies of infected floppies (FRODO virus), or several
 > *major* companies in Israel that *SOLD* infected software....

Not to mention the rumors that some Anti Virus writers used to spread viruses 
in order to create/enlarge a market for their merchandise... I wouldn't be 
surprised to hear that an Anti-Virus company directly, or indirectly, caused 
the big boom about the Michelangelo virus last year.

Frisk wrote to Inbar that the number of viruses should not affect the speed
significantly.

Amir wrote:

 > That is true, if the scanner is designed properly the number of viruses
 > will have a small effect on the speed: Suppose your method of checking a
 > file for virus presence is based on an algorithm which generates the
 > pointer to the data concerning the virus in your scanner, so there is
 > always but *ONE* process per tested file running and a second specific
 > process for verification... whatever the number of viruses known at that
 > time.

But still, the more viruses there are, the more time you'll have to spend 
searching, or, to put it in other words, there are more things to search for 
(in every scanned file, that is, exclusive of various 'Turbo Scanning' 
techniques...).

 > As for memory requirements, programs are converted more and
 > more into DPMI programs, so in Protected Mode the memory
 > problem is smaller...

This is true, but the least likely program of all to EVER announce "Sorry, 386 
and up" is an Anti-Virus program. This program is always guaranteed to have a 
market, no matter what new chip Intel is announcing or what old chips people 
laugh about - as long as it runs MS-DOS :-)

 > Besides: most programs are becoming GENERIC programs, thus minimizing
 > the need of a huge database for more and more viruses.

Generic programs were more effective in the days when all the viruses were 
leeching - adding to the file. Today, you have a lot of new techniques that are 
hard to detect, and virus writers invest a lot of time and effort making sure 
each virus is different from the others, just so you can't use a generic 
disinfector. Maybe a generic scanner, but what good is a scanner without a 
disinfector?

Inbar Raz
- - --
Inbar Raz                  5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- --- FMail 0.94
 * Origin: Inbar's Point - Home of the UnTinyProg. (9:9721/210)

------------------------------

Date:    Sun, 11 Apr 93 12:45:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Scanners getting bigger and slower

Inbar Raz writes to Amir Netiv:

IR:
 > I work in is Data Security. More than once I had a meeting with
 > Bank representatives, and even a Hospital representative, who
 > wanted to know more information. All of them came to a point where
 > they said - "But what good is a SmartCard, if people can lose it
 > just as well as they can lose/give away their password?"

 > There is no reply to that. The human factor will
 > always exist, and this is really a matter of being
 > loyal, obedient and trustful, not to mention that
 > humankind is known for making mistakes.
...
 > if you don't trust your people, there is no software in the world
 > that can solve this. Maybe if you combine voice recognition, or
 > pupil recognition, then you may get a high level of security, but these
 > solutions are not practical at all, at least not in our field -
 > the home/company computers for personal everyday use.
Just as I said: If you can't trust your people you need a stronger solution to 
the virus problem... However if you *DO* trust them... You don't need an anti 
virus, do you? ;-)

Amir Netiv:
 >> Just to remind you of the magazine in France that gave away
 >> thousands of copies of infected floppies (FRODO virus), or several
 >> *major* companies in Israel that *SOLD* infected software....

Inbar Raz:
 > Not to mention the rumors that some Anti Virus writers used to spread
 > viruses in order to create/enlarge a market for their merchandise...
 > I wouldn't be surprised to hear that an Anti-Virus company directly, or
 > indirectly, caused the big boom about the Michelangelo virus last year.
Neither would I... Is it just one company?

Do you remember who published the first GENERIC method of
how to clean the 1963 virus without an Anti-Virus program ?

Amir Netiv:
 >> If the scanner is designed properly the number of viruses
 >> will have a small effect on the speed: Suppose your method of checking a
 >> file for virus presence is based on an algorithm which generates the
 >> pointer to the data concerning the virus in your scanner, so there is
 >> always but *ONE* process per tested file running and a second specific
 >> process for verification... whatever the number of viruses known at that
 >> time.

Inbar Raz:
 > But still, the more viruses there are, the more time you'll have to spend
 > searching, or, to put it in other words, there are more things to search
 > for. (in every scanned file, that is, exclusive of various 'Turbo
 > Scanning' techniques...)
You didn't get my point: (Sorry I can't be more specific due to understandable 
reasons, but I'll try to explain better)...
As I said: Suppose you've discovered that when a specific virus
infects a program the result is such that if you do a certain process on the 
file the result will always be the same... for example let's say that the 
Jerusalem virus always adds 1800 bytes to the file and the 170th word from the 
end of the file - 1800 equals 1800 (NOT THAT IT IS REALLY SO).
So if you take ANY file and do: (FileSize-(FileSize-1800))-170 the result will 
always be 1800 (if the file is infected).

Now suppose the result is 1704, this will indicate a Cascade virus etc... the 
next step is to verify that the virus is really there and you didn't just get 
a random true result, and again, you might build a structure in your program 
that is built like this: Base structure address + offset. Each offset (say in 
multiples of 50) contains the verification
data for each virus, and the offset is calculated so that the result (1800 !?) 
is the pointer to the right offset.

You spent only 2 cycles to verify each virus on your list...

Amir Netiv:
 >> As for memory requirements, programs are converted more and
 >> more into DPMI programs, so in Protected Mode the memory
 >> problem is smaller...

Inbar Raz:
 > This is true, but the least program of all to EVER announce - "Sorry,
 > 386 and up" is an Anti-Virus program. This program is always guarenteed
 > to have a market, no matter what new chip Intel is announcing or
 > what old chips people laugh about - as long as it runs MS-DOS :-)
True. I didn't say DPMI is the best solution for it, however I do claim (and 
you see it on most memory consumers today) that programs know how to use EMS 
or XMS if available, or use overlays if too big. I myself think that programs 
should use as little memory as possible, and I think that Windows has 
introduced a problem that soon will hit us all, of using memory with no care 
for other programs' requirements.

Amir Netiv:
 >> Besides: most programs are becoming GENBERIC programs, thus minimizing
 >> the need of huge database for more and more viruses.

Inbar Raz:
 > Generic programs were more effective in the days when all the viruses
 > were leeching - adding to the file.
Sure, but they are even more important today.
Ask Nemrod about the generic methods in McAfee's package...

Inbar Raz:
 > Today, you have a lot of new techniques, that are hard to detect,
 > and virus writers invest a lot of time and effort making sure each
 > virus is different than the others, just so you can't use a generic
 > disinfector.
Some infection methods are harder to disinfect than others, however there are 
Generic disinfection techniques for all viruses today (except the destructive 
viruses), generally: if a file works after infection that means that the 
information for its recovery exists and one should only look in the right 
place.

Inbar Raz:
 > Maybe a generic scanner, but what good is a scanner without
 > a disinfector?
Please recall the method of renaming files to clean the DIR-II virus (as well 
as many other methods), wouldn't you call a program that uses it a "GENERIC 
DISINFECTOR"?

Inbar Raz:
 > Just thought you'd like to know - I once talked with Zvi
I know...

Warmly

* Amir Netiv. V-CARE Anti-Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)
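The dispatch scheme Amir sketches above (a cheap per-file computation whose result points straight at the one verification record to check) is, in modern terms, a hash-indexed signature table. The following is an added illustration written for this digest, not V-CARE's code or any real scanner's method: the key word offset, the signature names, the byte patterns and the sample "infected" files are all constructed for the demonstration and contain no virus code. It shows the two steps Amir describes, the key extraction that costs the same whatever the table size and the verification that rules out a "random true result", side by side with a naive scan that tries every entry.

```python
"""Hash-style signature dispatch: one cheap key per file, one table lookup, one verification."""
import struct
from dataclasses import dataclass
from typing import Optional

# Hypothetical layout: the 16-bit "key" word is read this many bytes before end of file.
KEY_OFFSET_FROM_END = 170


@dataclass(frozen=True)
class Signature:
    name: str            # label for the detected family (made-up names here)
    body_length: int     # bytes the infector appends; verification starts there
    verify_bytes: bytes  # expected bytes at (file_end - body_length), constructed


# Constructed table: key word -> verification record. Adding entries does not
# change the per-file scan cost; the lookup is a dictionary access, not a loop.
SIGNATURES = {
    0x0708: Signature("Demo-1800 (hypothetical)", 1800, b"DEMO1800"),
    0x06A8: Signature("Demo-1704 (hypothetical)", 1704, b"DEMO1704"),
}


def extract_key(data: bytes) -> Optional[int]:
    """Step one: read the little-endian word KEY_OFFSET_FROM_END bytes before EOF."""
    if len(data) < KEY_OFFSET_FROM_END + 2:
        return None
    return struct.unpack_from("<H", data, len(data) - KEY_OFFSET_FROM_END)[0]


def verify(data: bytes, sig: Signature) -> bool:
    """Step two: confirm the bytes the key promised are really at the expected place."""
    start = len(data) - sig.body_length
    if start < 0:
        return False
    return data[start:start + len(sig.verify_bytes)] == sig.verify_bytes


def scan_indexed(data: bytes):
    """Key-indexed scan. Returns (detected name or None, signatures verified)."""
    sig = SIGNATURES.get(extract_key(data))
    if sig is None:
        return None, 0
    return (sig.name if verify(data, sig) else None), 1


def scan_linear(data: bytes):
    """Naive scan for comparison: every signature is verified against every file."""
    tried = 0
    for sig in SIGNATURES.values():
        tried += 1
        if verify(data, sig):
            return sig.name, tried
    return None, tried


def build_infected(host: bytes, body_length: int, key: int, marker: bytes) -> bytes:
    """Constructed 'infected' file: host + appended body carrying a marker and the key word."""
    body = bytearray(b"\x90" * body_length)
    body[:len(marker)] = marker
    struct.pack_into("<H", body, body_length - KEY_OFFSET_FROM_END, key)
    return host + bytes(body)


# Constructed samples (no real virus code): a clean host, two "infected" files,
# and a file whose key word collides with a table entry but fails verification.
HOST = bytes(range(256)) * 2
INFECTED_1800 = build_infected(HOST, 1800, 0x0708, b"DEMO1800")
INFECTED_1704 = build_infected(HOST, 1704, 0x06A8, b"DEMO1704")
COLLISION = build_infected(HOST, 1800, 0x0708, b"notavirs")

if __name__ == "__main__":
    for label, sample in [("clean", HOST), ("1800", INFECTED_1800),
                          ("1704", INFECTED_1704), ("collision", COLLISION)]:
        print(label, scan_indexed(sample), scan_linear(sample))
```

The indexed scan verifies at most one record per file no matter how many entries the table holds, which is the speed argument; the linear scan's count grows with the table. The collision sample is the caveat: a key match alone is a hypothesis, and only the verification step turns it into a detection.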

------------------------------

Date:    Wed, 14 Apr 93 11:03:21 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus vectors of infection

bediger@nugget.rmnug.org (Bruce Ediger) writes:

> There are two likely, but unacceptable, answers to the question and its
> followup.

> 1. Thundering silence.

Silence, from me?! You must be kidding... :-))

> 2. An insistence that Fred Cohen's original papers demonstrate that viruses
>    spread due to information transitivity.

That's true, but it answers a different question - *why* do the
viruses spread, not how...

> A. Networks.

Correct, although I think that it is less important for the global
virus spread than B. It might be more important, however, for the
virus spread within a local, highly networked place.

> B. Media transfer from infected machine to uninfected machine.
>    It may be necessary to break this down into two classes: "informal
>    transfer", such as bringing a diskette full of games to work, and
>    "formal transfer", when a vendor ships mass-produced media with a
>    viral passenger.

> C. "Virus Exchange" bulletin boards.

C. is actually a form of A.

> D. Source code published in books.

This is a form of B., if you consider books as media.

> E. Malicious individuals gain access to computers and insert viruses manually.

If they bring the virus on a diskette, that's a form of B. I think you
mean when they create the virus manually, using the
editor/compiler/assembler/debugger of the attacked computer.

> The November, 1988 worm and the DECnet worms used network related methods
> to spread.  The geography of the spreading is irrelevant because of network
> connections, but based on the public reports, it appears fairly easy to 
> determine that the worms spread via network protocols.  The also seem to be
> of short duration and low number of hosts infected.  According to the
> GAO/IMTEC-89-57 report, the Nov 88 worm infected 1000-3000 hosts. RFC 1135
> says that within 48-72 hours, all instances of the worm had disappeared.
> In the report SPAN-027, the "Father Christmas" DECnet worm is said to have
> been on the loose approximately one day, and infected around 40 hosts.
> According to CIAC Advisory A-4, the "OILZ" variant of the WANK DECnet worm
> "attacked 60 hosts".  This compares to estimates of tens of thousands of
> PCs infected with the Michelangelo virus a year ago.

There are several reasons for this. Worms usually spread between
highly interconnected and similar environments. This helps them to
spread extremely quickly, but also makes them relatively easy to
detect and remove from all attacked hosts. With viruses like
Michelangelo, the things are not so easy. They can attack MS-DOS and
Xenix machines, lay dormant on a diskette forgotten in a drawer, and
it's kinda difficult to send an e-mail message to all system
administrators of PCs with information how to detect and remove the
virus... Especially having in mind that some of these "system
administrators" have never made a backup and may not know how to boot
from a diskette or how to use DEBUG.

> It would seem that if "Virus Exchange bulletin boards" are important,
> then outbreaks of new viruses would be contemporary, yet widely spread
> geographically. 

Not quite. There are not so many VX BBSes around - of course, even one
is one too many, but nevertheless they are not so many as to make a BIG
difference. Furthermore, if the VX BBSes were important, we would see
more -exotic- viruses appearing in the wild. And indeed, we are seeing
such things happen from time to time. The DataLock.920.A virus was
detected in the Technical University of Sofia just a few weeks after
it had appeared in California. A few obscure Russian viruses like
SVC.6_0 and Vacsina.Multi are in the wild in England. Starship has
been seen in the wild in Germany. Such viruses are unlikely to spread
so far in a "natural" way, at least so quickly. Probably the VX BBSes
have helped much in those cases...

> If a malicious individual gains access to computers and inserts
> viruses manually, there should be a series of geographically localized
> outbreaks of nearly identical viruses.  I suppose "series" presumes that the
> malicious individual performs the act several times.

This does happen too. For instance, the Kamikaze virus has been
detected in the wild only once - in the Institute for Mathematics at
the Bulgarian Academy of Sciences. It is extremely unlikely that a
virus like it will be able to spread in a "natural" way.

> Infection via media transfer would look very different if some vendor provided
> distribution media that was already infected than if someone just brings
> an infected disk home from a user group meeting, or to his/her office. 
> Depending on the scale of the vendor's distribution, outbreaks might be
> provincial, national, continental or international.  The virus itself should
> be identical everywhere.

This happens a lot, indeed. The vendors distribute viruses very
rarely, but on a very wide scale. And from the computers that are
infected this way, the viruses continue to spread further, usually via
floppy disks. BTW, maybe this is one explanation why boot sector
infectors are more widespread than the file infectors - in the
diskette copying process a boot sector infector is much more likely to
"slip" onto a vendor's diskette than a file infector - because the
executable programs are well-known to the vendor and usually generated
in place, while the boot sector virus might just be present on the
formatted diskette...

> If viruses spread via publishing of source code, then inevitable typographical
> errors would creep into the code during transcription.  Multiple similar,

Not necessarily. Any such error is quite likely to make the virus
non-functional. Such a virus will either not spread at all, or be
corrected by some hacker and the "corrected" variant will spread. This
is exactly what happened with the Vienna variant published in Ralf
Burger's book.

> the persistent nature of reference books.  The geographic spread should
> be mostly coincident with the languages the reference book is published in.

Not necessarily, because once the virus is translated into
electronic form, it will continue to spread via all other means -
media, networks, VX BBSes, etc., therefore making its distribution
more fuzzy than the distribution of the book itself. People tend to
copy diskettes/files much more often than they copy (or buy)
books.

> The DECnet worms may illustrate a case of publishing of source code.
> I gather from SPAN report SPAN-027, CERT Advisory CA-89:04, and CIAC
> Advisory Notice A-4, the DECnet worms were all quite similar, and all were
> written in DCL.  Thus each infected site had full source to them.  The WANK
> worm also happened about a year after the Father Christmas worm.

Nevertheless, the sources for the WANK/OILZ worms are very rare - we
could obtain only the source of WANK, and with great effort. We still
do not have the sources of the Internet worm (except the incomplete
decompilation that has been published in 2600). And, the WANK/OILZ
worms are -totally- different from the Father Christmas worm.

> A counter-example might be Mark Ludwig's "Little Black Book of Computer
> Viruses."  Source code for several viruses is provided.  If the "timid"
> virus is made into several variations, publication of source code might
> be considered an effective vector of infection.  If the "Little Black Book"
> viruses don't collect imitations over the years, publication should not be
> considered a threat.  Since Ludwig's book is more accessible than Burger's,
> the "Vienna" virus variation would have to be considered in a different light.

That's why we are already seeing Timid variants - much more than
Vienna variants for the same amount of time after the publication of
the respective books... Currently we have the following Timid variants
in our collection:

	Timid.290
	Timid.297
	Timid.305.A
	Timid.305.B
	Timid.306.A
	Timid.306.B
	Timid.320
	Timid.371
	Timid.382

This includes the original; I don't recall its infective length right
now. In a private message to me Mark Ludwig wrote that he would be
convinced that his book has caused damage if he receives reports about
some of his viruses being found in the wild. We (the VTC-Hamburg) do
not collect such statistics; maybe those of you who do (especially the
guys from IBM, who have some very good statistics on this) should watch out
for Mark Ludwig's viruses (or their variants) and send him copies of
the relevant reports.

And, since we were talking about ways for infection, you should
consider also the combination of the methods listed by you - e.g. a
virus writer creates a virus, posts it to a VX BBS, a disgruntled
employee downloads it, infects a vendor's master copy, the vendor
ships thousands of copies of the virus, hundreds of users get
infected, from them the virus spreads to the local area networks, etc.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Sat, 10 Apr 93 20:49:00 +0100
From:    Paolo_Rossi_Tiller@f419.n332.z2.fidonet.org (Paolo Rossi Tiller)
Subject: AIUTO! HELP! (PC)

Hello All,

It is now 02:54 and I am working on my BBS.

I have a problem. Diagnostic programs report that my Partition Table is 
corrupted, and, during the Autoexec.bat, the system plays music and:


> I'm the invisible man,
> I'm the invisible man,
> Incredible how you can
> See right through me.

> I'm the invisible man,
> I'm the invisible man,
> It's criminal how I can
> See right through you.

appears on my screen.

According to programs like Scan V.102, F-Prot and CPAV there is NO virus in my 
system.

Do you know of a virus that affects the Partition Table and plays this song?
How can I remove it without reformatting my HD?

Sorry for my English... :-)

Bye

Paolo Rossi Tiller, The Underground CoSysOp of 2:332/419

- --- GoldED 2.41+
 * Origin: It's Time for Ragnarok.. (2:332/419)

------------------------------

Date:    Tue, 13 Apr 93 23:29:25 -0400
From:    <jmolini@nasamail.nasa.gov>
Subject: RE: Is "Untouchable" (V-ANALYST) Effective (PC)

chermesh@chen.bgu.ac.il (Ran Chermesh) writes:

> Our department considers buying an anti virus package. High in the list is
> an Israeli product, sold in Israel under the name V-analyst-3 and in the US
> as Untouchable. The feature of most interest to us is the way this package
> claims to deal with future viruses. Since this feature can't be tested
> experimentally, the best way is to learn from the experience of other.

At the last company I worked for, we evaluated several packages.
We spent about 2 months evaluating Untouchable from every angle and found
it to be the best at what it does.  Unfortunately "best" tends to fluctuate
as each vendor releases a new version of their program.

One example of the recovery feature.  One of our people compiled a Pascal
program and ran it through the package.  Then he recompiled after changing
a data variable in the program.  Untouchable flagged the change (of
course) but it also managed to restore the executable file to its original 
form.  That is pretty good file recovery in my book.  We found that
it always recovered simple infections in other executable files as
well.

I think, however, that your decision should not be made based upon the
ability of Untouchable to recover unknown infections.  Your decision 
should be made based upon its ability to scan for all viruses and its
ability to provide reasonable protection without the need for constant
updates.  The likelihood that you will be infected by a completely new
virus is probably less than your chance of losing your drive to a 
hardware error.  So.... BACKUP, BACKUP, BACKUP.

After that, Untouchable should provide you with complete protection for
all of your machines.  I personally recommended that our customer buy
several thousand copies. (They did.)

But in my recommendation, I also told them that the real issue was not
the cost of the program.  It was the cost of changing the way people do
computing.  Computing should be integrity based.  Untouchable tries to
make people face the executable file integrity issue.  Unfortunately,
most low end packages and some operating systems do not care nearly
as much about integrity as we did.

IF your users are willing to deal with the messages that Untouchable
will give them on a routine basis.

IF your users are able to find out why these messages are there.  (i.e.
the software is self modifying, or a file was trashed, etc.)

IF your users are supported by a group that can go out and diagnose the
regular integrity problems that will be identified by Untouchable as
possible viruses.  (Remember "everything is a virus when a virus 
scanning package flags it.")   8-)

IF your management feels that system integrity is worth the price you
will pay for increased software support to users.

THEN and only then will Untouchable be worth the money you will spend
to get and support it.  Untouchable is well worth the price you pay if
you really want integrity on your machine.  You might say "Doesn't 
everyone want system integrity?" Unfortunately the answer is no.

If you aren't willing to argue with vendors that cut corners for a few
extra microseconds, and aren't willing to put up with the "false alarms"
that are generated when Untouchable finds a corrupted file, then you
may not be willing to have machine integrity.

In that case, you should probably get the cheapest scanner you can find
that works reasonably well on all your systems.  Then leave it there
because the chances are very high that most of your users will be
happy with the result and those that aren't probably will be a small
enough minority that it won't matter.

This may sound pessimistic, but I'm sure as I spend the next few weeks
arguing these points with the group, you will find out more about why
I say these things.

Good Luck,

Jim Molini     |  I believe that OS/2 will be the most important
               |  operating system and possibly program of all time.
               |                  --  Bill Gates
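Jim's post describes integrity checking rather than scanning: record what every executable looked like, and flag any later difference, whether it is an infection, a corrupted file or a recompiled program. The code below is an added illustration for this digest, not Untouchable's or V-Analyst's method; the file names, contents and the key are constructed, and it only detects change (it keeps no recovery copy, so it does not reproduce the restore behaviour Jim reports). It uses a keyed digest (HMAC-SHA-256), which is the one design point worth taking from the argument: a checksum database that anything on the machine can rewrite protects nothing, so the key, and ideally the baseline, belong off the protected system.

```python
"""Executable integrity baseline: record a keyed digest per file, flag anything that changes."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys", ".ovl")

# Hypothetical key for the demonstration. In practice keep it (and the baseline)
# off the protected machine; whatever can rewrite a program can also rewrite an
# unkeyed checksum database to match.
BASELINE_KEY = b"constructed-demo-key-not-for-production"


def file_digest(data: bytes, key: bytes = BASELINE_KEY) -> str:
    """Keyed digest over length and contents; the length is mixed in so appends are explicit."""
    mac = hmac.new(key, len(data).to_bytes(8, "little"), hashlib.sha256)
    mac.update(data)
    return mac.hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """files maps a path to its contents; only executable suffixes are recorded."""
    return {path: (len(data), file_digest(data))
            for path, data in files.items()
            if path.lower().endswith(EXECUTABLE_SUFFIXES)}


def check_baseline(baseline: Dict[str, Tuple[int, str]],
                   files: Dict[str, bytes]) -> Tuple[List[str], List[str], List[str]]:
    """Return (changed, new, missing) executables relative to the baseline."""
    current = build_baseline(files)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return changed, new, missing


def snapshot_directory(root: str) -> Dict[str, bytes]:
    """Read every file under root into the mapping the functions above expect (real-disk use)."""
    out: Dict[str, bytes] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = fh.read()
    return out


# Constructed sample tree standing in for a small DOS installation.
ORIGINAL = {
    "DOS/COMMAND.COM": b"MZ" + bytes(300),
    "BIN/HELLO.EXE": b"MZ" + b"greeting=Hello",   # the compiled program before the change
    "BIN/README.TXT": b"not an executable, ignored by the baseline",
}
BASELINE = build_baseline(ORIGINAL)

# The same tree later: HELLO.EXE recompiled with one data variable changed (the
# "false alarm" case), an 1800-byte body appended to COMMAND.COM, one new program.
MODIFIED = dict(ORIGINAL)
MODIFIED["BIN/HELLO.EXE"] = b"MZ" + b"greeting=Hallo"
MODIFIED["DOS/COMMAND.COM"] = ORIGINAL["DOS/COMMAND.COM"] + b"\x90" * 1800
MODIFIED["BIN/NEWTOOL.EXE"] = b"MZ" + bytes(10)

if __name__ == "__main__":
    changed, new, missing = check_baseline(BASELINE, MODIFIED)
    print("changed:", changed)
    print("new:", new)
    print("missing:", missing)
```

Note that the recompiled HELLO.EXE and the appended COMMAND.COM are reported identically: the checker knows only that bytes differ, which is exactly the support burden Jim describes. Someone still has to decide which flagged files are legitimate rebuilds and which are infections.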

------------------------------

Date:    Wed, 14 Apr 93 03:45:18 -0400
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: Optimum Strategy for Virus Checking (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes

>riordan@tmxmelb.mhs.oz.au (Roger Riordan) writes:

>> 5.  By default VET will check the first 50 executable files it 
>>     finds.  Most program viruses will spread rapidly, so this will 
>>     detect nearly all infections the next time the PC is booted.

>Uh, what do you mean exactly by "the first"? Because, for a
>non-resident virus that traverses the directory tree like Old_Yankee,
>"the first" files is one thing and for a non-resident virus that
>infects the files in the directories listed in the PATH variable (like
>the Vienna viruses), "the first" might mean something completely 
>different... Again, for a non-resident virus (like Pixel) that infects 
>all COM files in the current directory, "the first" could have a third, 
>again completely different meaning. Make the virus resident and the 
>picture changes again...

The strategy we use is to scan till we find a subdirectory, 
immediately dive into it, continue till we find another 
subdirectory, and so on.  This is certainly not ideal, from the 
theoretical point of view, but it is something which will work 
on any PC, and has a good chance of catching a real virus, 
without making the scan time so long that the test is disabled.  
If you are computer literate, and know which programs you use, 
you can devise a better strategy, or you can check the lot if you 
like, but an imperfect test which is performed is better than an 
ideal test which is disabled.

>> The author of the locally written Gingerbread virus went to 
>> inordinate lengths to hide it, but if it infected a PC with VET 
>> installed the user would be warned in the normal boot that the top 
>> of memory had been changed.  After a clean boot VET would also warn 
>> that the MBR and the VET file were corrupted. 
>
>You've had luck that the author has not used the method used by the
>Necropolis (1963) virus to remain resident...

There are viruses which do not visibly affect the memory map, but 
Necropolis, like Jerusalem, goes TSR, and changes the loading 
address.  VET displays, but by default does not check, this.  
Most of the recent viruses load at the top of memory where they 
are readily detected.

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727
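Roger's "dive into the first subdirectory you meet" rule and Vesselin's objection that "the first 50 files" means different things for different infection strategies come down to traversal order. The code below is an added illustration for this digest, not VET's code: it walks a constructed in-memory drive layout (dictionary order standing in for on-disk directory order, file names and contents made up) in two orders, the dive-first order Roger describes and the files-before-subdirectories order that `os.walk` produces, and shows that the first N executables sampled differ between them.

```python
"""Two directory traversal orders and the 'first N executables' sample each one yields."""
from typing import Dict, Iterator, List, Union

Tree = Dict[str, Union[bytes, "Tree"]]  # directory: name -> file bytes or subdirectory
EXECUTABLE_SUFFIXES = (".exe", ".com")


def is_executable(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def dive_first(tree: Tree, prefix: str = "") -> Iterator[str]:
    """Walk entries in directory order and descend the moment a subdirectory is met."""
    for name, entry in tree.items():
        path = prefix + name
        if isinstance(entry, dict):
            yield from dive_first(entry, path + "\\")
        elif is_executable(name):
            yield path


def files_first(tree: Tree, prefix: str = "") -> Iterator[str]:
    """os.walk-style top-down order: every file of a directory, then its subdirectories."""
    for name, entry in tree.items():
        if not isinstance(entry, dict) and is_executable(name):
            yield prefix + name
    for name, entry in tree.items():
        if isinstance(entry, dict):
            yield from files_first(entry, prefix + name + "\\")


def first_n(order: Iterator[str], n: int) -> List[str]:
    """The sample a quick boot-time check would actually examine."""
    out: List[str] = []
    for path in order:
        out.append(path)
        if len(out) >= n:
            break
    return out


# Constructed drive layout. Dict order stands in for on-disk directory order.
DRIVE: Tree = {
    "COMMAND.COM": b"MZ",
    "DOS": {"FORMAT.COM": b"MZ", "EDIT.COM": b"MZ", "UTIL": {"CHKDSK.EXE": b"MZ"}},
    "AUTOEXEC.BAT": b"@echo off",
    "GAMES": {"TETRIS.EXE": b"MZ", "README.TXT": b"..."},
    "WP.EXE": b"MZ",
}

if __name__ == "__main__":
    print("dive first :", first_n(dive_first(DRIVE), 4))
    print("files first:", first_n(files_first(DRIVE), 4))
```

Both walks eventually visit the same six executables, but with a budget of four the dive-first sample never reaches WP.EXE in the root while the files-first sample never reaches the UTIL subdirectory; which of those a fast check should prefer depends on where the infectors one expects (current directory, PATH, or full tree) put their first copies.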

------------------------------

Date:    Thu, 08 Apr 93 14:19:26 -0400
From:    Michael_Kessler.Hum@mailgate.sfsu.edu
Subject: Novell & Virstop (PC)

A while ago, I wrote about a problem I had with Novell and Virstop, needing 
to unload a Novell driver, but being denied access because of Virstop, which had 
been loaded after the driver.  I have received a solution, which I am 
passing along for those who might need it.  There is an NLM called 
NLIClear.NLM which disconnects, from the server side, any attached station with 
no one actually logged into the network.  That user count is then 
available to other stations.  HOWEVER, some device must be used to force a 
reboot of the station because starting it from its disconnected state 
disables F-Prot.  In essence, the disconnected station must be 
automatically locked until restarted.

Michael_Kessler@HUM.SFSU.EDU


------------------------------

Date:    Tue, 13 Apr 93 11:50:52 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: That's not a bug, it's a Feature (was re: Vshield) (PC)

>From:    sbarber@bach.udel.edu (Scott Allen Barber)
>Subject: Vshield V102 Bug? (PC)

>It seems that if I load VSHIELD, when I go to do a warm boot
>(ctrl-alt-del) it will cause my computer to access the A: drive and
>restart the cold-boot memory check.

In this case it really is a feature. What is happening is that when
VSHIELD goes resident it intercepts the "warm boot" function in memory
and, when a warm boot is requested first checks for a disk in A: (why
the light goes on) and if one is found, performs a scan for boot sector
infectors before the boot is allowed to continue. 

For some reason McAfee decided to trigger a full cold boot sequence 
rather than trusting a warm boot (while I have seen some viruses that
can trap/simulate a warm boot and remain in memory on a three finger
salute, I do not know of anything that can survive a jump to FFFF:0000h).

If you find it annoying, load my NoFBoot (freeware) after VSHIELD.

					Warmly,
						Padgett

------------------------------

Date:    Tue, 13 Apr 93 16:11:48 +0000
From:    aparker@mach1.wlu.ca (alan parker S)
Subject: Viruses and Canada (PC)

	Perchance now is the time for me to raise a couple of little
queries; firstly as the buck stopper at a Canadian University I find that
the majority of viruses that cause hits here are variants of Stoned.  The
software in general use is from Leprechaun, Virus Buster; now the latest hit
is of a new variant of Stoned which is detected by Scanv102, and F-prot-207
as new variants, but I haven't seen or read anything about a new variant..
The trend seems to be turning msdos/io.sys files as non-hidden, and
increasing io.sys for example to 40470 under dos 5.  The norm also seems to
be DD floppies becoming 1.3+Gigabytes of storage space with the obviously
dubious file names it creates.  I note also that stoned appears to have dos
3.x as part of its make up.  I realise that this is probably something much
asked, but I'm not aware of anything relating directly to this in FAQ or in
recent posting.  
	I've read recently much about the wonders of Untouchable(tm); now
I've had 3 different suites of programs from them, Untouchable 1.3, Search
and Destroy, and Untouchable NLM, I'm not at all impressed.  The evaluation
copies sucked.  As I've said, we normally suffer from Stoned, although we
have had a single hit from Form(ouch nasty beastie), and a little something
from the Mte which proved to be very spreadable.  The Untouchable software
(all of it) failed miserably with all but the oldest variants of
Stoned(Manitoba being our most frequent), also the safe disk it had made
didn't seem to allow corrupted files to be restored from the information
saved about them, which Virus Buster was able to do.  
	Anyone care to comment, 
				Alan

------------------------------

Date:    Wed, 14 Apr 93 10:39:12 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Catch from DIR? (PC)

louis_rs@bruny.cc.utas.edu.au (Louis *grin* siuoL) writes:

> That may be one way.  A method that I KNOW WILL WORK is, to trap DOSs
> findfirst and findnext services, and infect any files that are
> returned via those services. Is as easy as trapping DOSs Exec services,
> which is what a large number of virii do.

That's a completely different matter. It explains how a virus active
in the memory of the PC can infect a -clean- diskette when you do a 
DIR on it. So far we are speaking about the possibility to infect a
- -clean- PC when doing a DIR on an -infected- (or otherwise prepared)
diskette.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 14 Apr 93 10:42:12 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Port Writes (PC)

Sorry to post a follow-up to my own message, but I just learned
something important related to "port writes" that I thought I should
share with you.

In his previous message, Inbar proposed a method of attack (via direct
control of the hard disk through the ports) and in my reply I proposed
a possible defense against it, using the "device ready" interrupts.

It turns out that a new, Russian virus has appeared, which works
exactly "the other way around" to achieve something that the Russian
anti-virus expert Eugene Kaspersky calls "hardware-level stealth". I
am referring to a method, described in the April issue of Virus
Bulletin. Maybe, if Eugene is reading comp.virus, he would like to
re-publish his article here. I'll describe only in short what the
method consists in.

You see, the "tunneling attack" proposed by Inbar can be used by the
anti-virus software to "tunnel" beneath the stealth viruses, i.e. as
an anti-stealth technique. Indeed, if you are using direct port
addressing to read and write to the disk, it seems that you will be
able to bypass all possible stealth viruses that might be active in
memory, right? Wrong!

The Russian virus (its name is Strange, BTW, and it is a MBR infector)
uses the "device ready" interrupt trick (described by me as a form of
anti-virus defense!) to achieve a yet unseen level of
"stealthiness"... Indeed, as Dr. Solomon says, in the virus field
black is white and white is black...

In short, the trick consists of intercepting the "device ready
interrupts" (differently for XT and AT class machines) to detect that
the disk has been or is about to be read, and then modifies the result
of the read request to "stealth" its presence... Therefore, even if
you are using "clean" (unintercepted) INT 13h, or direct calls to the
controller BIOS, or even access the controller through the ports, the
virus will be able to fool you that it is not present...

This shows once more how futile all so-called "anti-stealth" tricks
are and how important it is to boot from an uninfected,
write-protected system diskette (the "magic object"), in order to
ensure that no virus is active in memory... Unfortunately, since the
trick to fake clean boot by altering the CMOS has been discovered by
the Exe_Bug virus, using the "magic object" correctly has become not
so easy to describe... Fortunately, the CMOS trick works only on some
computers...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 14 Apr 93 11:07:01 +0000
From:    eliza@tigern.nvg.unit.no (Elisabeth Bull)
Subject: Re:Boot-virus or false positive? (PC)

I wrote some time before easter and asked for help on a possible
boot-virus. I have received many letters from helpful netters. One thing I
did not mention in my original letter was that my Hd is Stacked with
Stacker (v.3.0). This turned out to be the source of my problems - the
scanner checked the integrity of my stacked drive. This is useless, and in
my case it produced a false positive. 

To summarize: Don't scan a stacked drive's boot sector. Or more general
(quoted from Vesselin Bontchev's letter): "An integrity checker should not
check the boot sectors of volumes that are accessed via a user-installed
device driver."

- --------------------------------------------------------------------------
   Elisabeth Bull                       e_mail: eliza@swix.nvg.unit.no
- --------------------------------------------------------------------------

------------------------------

Date:    Wed, 14 Apr 93 08:53:56 -0400
From:    sgr4211@ggr.co.uk
Subject: re: viruses and compression (PC)

>  From:    sosc1043@wc05.writer.yorku.ca (Colin Beckmann)
>
>  Greetings
>  	I was wondering if anybody could tell me if it is possible for a
>  scanner to detect a virus in a compressed file or on a stacked hard drive

On a Stacked drive, yes - the reading of files from a stacked drive
involves Stacker uncompressing them "on the fly", so a scanner would be
"seeing" a normal file and would probably be unaware that they had been
stored in a compressed form.

In the case of files that are simply compressed using a utility program
such as PKLITE, most scanners should detect viruses if they attach after
the compression is carried out (because the virus itself will not be
compressed) but if the virus was present when the file was compressed,
it would only be detected if the scanner used the appropriate algorithm
to uncompress the file before scanning.  F-Prot has such capabilities -
I'm sure Frisk won't mind the following plug, which is an extract from
one of the "read me" files he provides with his excellent scanner:

   "F-PROT  can scan inside most PKLITE, LZEXE, ICE, DIET and EXEPACK
   compressed  files,  and  support  for  the  remaining  compression
   program  will  be  added in the near future, if necessary.  Please
   keep in mind that if a file is  infected  after  compression,  the
   virus  is always detected normally.  Finally, F-PROT will not scan
   inside self-unpacking archives, or .ZIP, .ARJ or similar files."

I don't know of any scanner that scans inside archive files (such as
.ZIP, .LZH etc.).

>  or if the virus can be detected on a file that has been backed up using
>  DOS  or Norton backup.  Some how I doubt it but I am asking to be sure.

I  don't  know  of  one that will check inside these.  Presumably in the
case of Norton backup the scanner would need to employ  the  appropriate
uncompression  algorithm.   In the case of DOS backups, as far as I know
they were not compressed prior to  version  6.0.   With  v6.0,  however,
Microsoft  have  included  what  appears to be a cut-down version of the
Backup utility from Norton's Desktop for Windows.  This will compress as
it backs up, but you can disable this feature if you wish.

A thought - the full-featured Norton backup used to support a
"proprietary disk format" option which apparently allowed faster writing
to disk.  As this would be a non-DOS format, scanners would presumably
not even recognise that such disks contained any data unless they
specifically "knew" about Norton's proprietary format.  The cut-down
version bundled with DOS v6.0 appears to have had this feature removed
(along with one or two other nice features).

If any product is likely to "know" about the compression algorithms or
proprietary format used by Norton, it would be Norton Anti-Virus -
however, I have no knowledge of this product.  If no-one else answers,
try contacting Symantec.

Regards,

Steve Richards.


------------------------------

Date:    14 Apr 93 08:25:39
From:    smd@hrt216.brooks.af.mil (Sten Drescher)
Subject: Re: ANSI viruses and things that go bump in the night (mostly PC)

On 6 Apr 93 19:50:08 GMT, padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) said:

 Padgett> a) If you have the stock ANSI.SYS loaded, have demonstrated
 Padgett> that it is possible to construct a mechanism that will cause
 Padgett> an infection to occur on execution of a DIR command on a
 Padgett> "prepared" floppy.
	Agreed.

 Padgett> b) There is no real need for anyone to have ANSI.SYS loaded.
	Well, yes, no need for the DOS ANSI.SYS.

 Padgett> IMHO while ANSI.SYS once had a real value for key redirection,
 Padgett> this is no longer true. Today the main reason is to set the
 Padgett> screen colors (a PROMPT string containing <esc>[37;44m will
 Padgett> produce a blue background with white letters). You can do the
 Padgett> same thing with a one byte change to COMMAND.COM (DOS 5.0 and
 Padgett> 6.0 COMMAND.COM contain one byte pair "B7 07".  The second byte
 Padgett> defines the screen colors on a CLS (07 is low white on black).
 Padgett> Using DEBUG you can change this byte (found at DEBUG offset
 Padgett> 4A53 in DOS 6.0) to 17 for a blue background or 0F for bright
 Padgett> white on black - - nice on older laptops - Note: you will need
 Padgett> to reboot after the change & COMSPEC must point to the new
 Padgett> COMMAND.COM.
	Hmmmmmm.  Now, tell me, how does this patch allow me to change
screen colors in my PROMPT string?  Answer: it doesn't.  A better
answer, rather than to tell people to make binary patches to their OS,
is to use one of the multitude of ANSI drivers that don't support, or
allow you to disable, key redirection.  Just off the top of my head I
can think of NANSI, NNANSI, ZANSI, ANSIPlus, and ANSI.COM (from PC Magazine).
- --
+---------------------------+--------------------------------------------+
| Sten Drescher             | "Jill's fourth grade class raised $200     |
| 2709 13th St #1248        |  from a bake sale to reduce the federal    |
| Brooks AFB, TX 78235-5224 |  deficit.  If the deficit is $4 trillion,  |
|---------------------------+  how many bake sales will they need to pay |
| smd@animal.brooks.af.mil  |  for a $30,000 jogging track?" R Limbaugh  |
+---------------------------+--------------------------------------------+
#include <disclaimer.h>
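
The exchange above turns on the difference between two kinds of ANSI.SYS
escape sequence: ESC[...m only sets screen attributes (the PROMPT string
with <esc>[37;44m that Padgett mentions), while ESC[code;"string";...p
reassigns a key, which is what lets a "prepared" file or directory listing
rebind Enter or another key on a machine with the stock ANSI.SYS loaded.
The Python below is an added example and is not code from either poster or
from any of the ANSI drivers named. It walks a text through the same
parameter grammar ANSI.SYS accepts (numbers, semicolons, quoted strings,
one final letter) and reports every key redefinition, so a README or a
listing can be vetted before it is TYPEd or DIRed. The sample README is
constructed for the example.

```python
ESC = "\x1b"
KEY_NAMES = {8: "Backspace", 9: "Tab", 13: "Enter", 27: "Esc", 32: "Space"}

# Constructed sample (not from the digest): the kind of README a "prepared"
# diskette might carry.  The first two sequences only set colours; the third
# rebinds Enter so that the next keypress types A:\INSTALL.COM followed by CR.
SAMPLE_README = (
    "\x1b[37;44mWelcome to the game!\x1b[0m\n"
    "\x1b[13;\"A:\\INSTALL.COM\";13p"
    "Press Enter to read the docs.\n"
)


def parse_csi(text, start):
    """Parse one ESC[ sequence starting at text[start].

    Returns (tokens, final_byte, end_index).  Tokens are ints for numeric
    parameters and str for quoted strings (ANSI.SYS accepts quoted strings
    only in the key-reassignment sequence).  final_byte is None if the
    sequence runs off the end of the text.
    """
    j = start + 2
    tokens, digits = [], ""
    while j < len(text):
        c = text[j]
        if c in "\"'":
            end = text.find(c, j + 1)
            if end < 0:                      # unterminated quote
                return tokens, None, len(text)
            tokens.append(text[j + 1:end])
            j = end + 1
        elif c.isdigit():
            digits += c
            j += 1
        elif c == ";":
            if digits:
                tokens.append(int(digits))
                digits = ""
            j += 1
        else:                                # the final byte ends the sequence
            if digits:
                tokens.append(int(digits))
            return tokens, c, j + 1
    return tokens, None, j


def describe_key(code):
    if isinstance(code, str):
        return repr(code)
    if code in KEY_NAMES:
        return KEY_NAMES[code]
    if 33 <= code < 127:
        return repr(chr(code))
    return "code %d" % code


def decode_reassignment(tokens):
    """Return (key, string that key will now type) for an ESC[...p sequence."""
    if not tokens:
        return ("<none>", "")
    if tokens[0] == 0 and len(tokens) > 1 and isinstance(tokens[1], int):
        key, rest = "extended scancode %d" % tokens[1], tokens[2:]   # 0;scancode form
    else:
        key, rest = describe_key(tokens[0]), tokens[1:]
    typed = "".join(chr(t) if isinstance(t, int) else t for t in rest)
    return (key, typed)


def classify_sequences(text):
    """Label every control sequence: 'attribute' for ESC[...m (colours, as in
    the PROMPT trick), 'key-redefinition' for ESC[...p, 'other' for the rest."""
    results, i = [], 0
    while True:
        start = text.find(ESC + "[", i)
        if start < 0:
            return results
        tokens, final, i = parse_csi(text, start)
        if final == "p":
            results.append(("key-redefinition", decode_reassignment(tokens)))
        elif final == "m":
            results.append(("attribute", tokens))
        else:
            results.append(("other", final))


def key_redefinitions(text):
    """The findings a checker would flag before TYPEing the file."""
    return [payload for kind, payload in classify_sequences(text)
            if kind == "key-redefinition"]


if __name__ == "__main__":
    for key, typed in key_redefinitions(SAMPLE_README):
        print("key %s now types %r" % (key, typed))
```

Run on the sample, the checker passes the two colour sequences and flags
one finding: Enter now types "A:\INSTALL.COM" plus a carriage return. A
replacement ANSI driver without key redirection, as Sten suggests, makes the
sequence inert; this check is for machines where the stock ANSI.SYS stays.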

------------------------------

Date:    14 Apr 93 13:36:35 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: Unknown little virus? (PC)


gary@sci34hub.sci.com (Gary Heston) writes:

>32 bytes isn't enough to write an interrupt service routine, much less
>anything resembling a virus.

Eh, one can easily write a virus (well, a stupid overwriting one) in less than
32 bytes - I think 24 bytes is the minimum .... but not a memory resident one.

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Wed, 14 Apr 93 13:36:37 +0000
From:    s9106568@sandcastle.cosc.brocku.ca (PAUL NOLL)
Subject: Re: Unknown little virus? (PC)

Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) wrote:
: motreba@mat.torun.edu.pl (Maciej Otreba) writes:

: > Last time I had virus in my PC. It came from Internet probably with one
: > from shareware games.

: Uh, according to my experience, the executables on the net are usually
: virus-free... In fact, they are even more reliably virus-free than the
: files on a local BBS, which are known to be more reliably virus-free
: than the shrink-wrapped software distributed by some companies... :-)

: > The problem is that the virus was not detected by any
: > program. I tried to find it by Scan 100, F-Prot 2.07 and Polish AV program
: > MkSVir (available at FUNET with on-line translator). This virus caused

: Scan and F-Prot can find almost every self-spreading nasty that is
: internationally known and MkSVir probably can find all local Polish
: nasties (haven't tested a recent version soon, but it seems to be
: rather good). Chances are that you don't have a virus problem.

: > Paintbrush, MS Word 2.0 and System Editor. It was probably very small. I
: > think it took 32 bytes of base memory (difference between memory with and
: > without virus).

: There's no way to fit a memory-resident virus into 32 bytes... Several
: cases of missing 16 bytes of memory are mentioned in the FAQ; I am not
: sure what exactly can cause 32 bytes of memory to be missing...

: > I throw it out by formatting HD and setting up system

: As usual, this is never necessary.

: > again. My question is: has anyone heard/seen anything about this virus? Is

: I would bet that the problem has not been caused by a virus.

: > Which programs in Internet might be infected?

: None, I guess...

Sounds like a bug in the person's version of Windows.  I have had similar
problems with my version of Windows and a 486 when I had the 32-bit addressing
turned on.  I was getting programs that quit unexpectedly and I could not
recover from them using control-alt-delete to have Windows trap the problem and
shut down the application, but the machine locked up.  I took the 32-bit access
off and no further problems.  The application that was giving me the problem
was WordPerfect for Windows (mainly).  If you are having problems with Windows,
for your sanity's sake put Dr. Watson in the startup.  Dr. Watson is an
excellent program because it monitors your system while running Windows and
when an application quits unexpectedly it takes a snapshot of the current
state of your machine, memory, and registers.  It then writes this information
to a file, along with the programs that were being run at the time of quitting.
You can then mail this file to Microsoft and they will tell you why this
problem is occurring.  Reformatting your disk for a virus that only "surfaces"
in Windows is really unnecessary because Windows is still flaky; if it screws
up assigning resources to itself it will crash.  It does not sound like a
virus to me, but a bug in Windows.
- --

Be Seeing You.

###############################################################
        " We live on a placid island of ignorance,
          in the midst of black seas of infinity,
          and it was not meant that we should 
          voyage far ... !  "
            --  H. P. Lovecraft (1890 - 1937)

Paul Noll                   s9106568@sandcastle.cosc.BrockU.ca
###############################################################

------------------------------

Date:    Wed, 14 Apr 93 14:06:04 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Censoship/40-Hex (PC)

afrc-mis@augsburg-emh1.army.mil (David Hanson) writes:

> Vesselin says:
> > Burger's and Ludwig's books are crap

> After wasting my time on a couple of bogus virus books ("dangerous",
> because they contained <gasp> *actual viral source code*), I dusted off
> my assembly books, and am looking for some good disassemblers so I
> can get decent information on the two virii that I have encountered
> here in the "wild".  It seems that in the current climate of viral
> censorship, the only way to get decent info is to

> a) Go to the "underground" (not always good information, but at least
>    they aren't afraid to share it...)
>    
> b) DIY (Which I'm currently in the process of doing.  It costs me spare time,
>    but I (slowly) gain knowledge and I know that the only person BS'ing
>    me is me.

Indeed, DIY is the best way to learn a lot - even in the virus field.
Most of those "underground" or legal (huh?) virus-oriented
publications are too bad; it's much better to sit down and learn
assembly language and the DOS internals from a good book and then try
to disassemble a few viruses yourself.

And since you asked about a good disassembler - Sourcer from V
Communications is a good one. Actually, it is so good, that many
people with no knowledge of assembler think that the output it
produces when you run it on a virus is the "source" of this virus. In
reality, it is not well adapted for the task of disassembling viruses,
but it is still one of the best tools around. Just remember that you
still need to do a lot of work, in order to produce a good disassembly
- - just running Sourcer is not enough.

> I've yet to read a decent virus book.  Can you recommend a solid,
> relevant virus book?

Nope. All really good ones I've seen were actually anti-virus books...
:-)

> And how does a "good guy" get 40-Hex? 

There are different sources; some BBSes carry them without even
knowing what's inside...

> Wouldn't receipt of 40-Hex from
> *any* source be participation in the -distribution- of this magazine?

In a sense - yes, but if somebody sends it to you, there's not much
you can do about it, right? My suggestion was that in such cases you
just use the situation and read it.

> Not necessarily by disseminating the info ("good guys" would NEVER do
> that), but by creating demand. 

Yes, and by creating an anti-virus program you are "creating a demand"
or a "challenge" for the virus writers to write viruses that bypass
your program. And by describing what a virus does and how it
penetrates the system you are "giving the bad guys ideas". Yes,
that's all true (in a sense) - but the important part is the income.
If as a result of your acts you get more users protected than
endangered, it is my belief that you should just go on and do it. Of
course, the estimation of what exactly prevails - the "bad" or the
"good" is sometimes extremely difficult to make...

> Tell me, where do YOU get 40-Hex from?

Don't recall exactly; besides I got the different volumes from
different places. Most of them were sent directly to me. I still don't
have volume #10. One thing is certain - I didn't get them from virus
exchange BBSes, because I don't call -any- BBSes.

> Why should it be ok for you to receive it, but not me?

But I am not saying that it wouldn't be OK for you to receive it; I am
just saying that it won't be OK for me to send it to you or for you to
send it further.

> I do not wish to detract from the extremely valuable and "good" work that
> you do as a virus researcher, just want to point out that "good"/"bad"
> is not black/white, more like shades of gray. 

Oh, I know that; actually in the virus field it is much worse... As
Dr. Solomon says, very often black is white and white is black...

> BOTTOM LINE:  I really get peeved when access to information such as
> 	      40-Hex is limited "for my own good".  

So you don't like it? OK, let's try to put it in another way...

Who cares about your own good? You are probably competent enough not
to get infected by the viruses published in 40-Hex and probably
trustworthy enough not to use them to infect somebody else's system.
However, note that I have no way to know that for sure. And, if I make
a mistake, I'll feel partially guilty for the resulting incident. Thus,
I am concerned about -my- own good.

Next, what if you just forget a diskette with all those viruses on
your desk? Here comes Joe User, sees a diskette, puts it in his m...
er, in his computer's disk drive and runs all programs on it - to see
"what they are doing". Believe me, I've seen this happening, even with
diskettes clearly labeled "DANGER! Contains VIRUSES!". So, I am
concerned about other people's good.

Next, suppose that I agree to send you 40-Hex, or any other viruses,
and this becomes publicly known. What will be the result? People will
not ask whether you are competent or trustworthy, or why do you need
those viruses for. Instead, they'll say "Vesselin Bontchev spreads
viruses", "VTC-Hamburg spreads viruses", "The anti-virus people are
spreading viruses", "The anti-virus people are writing viruses and are
spreading them to sell their products". And since the last thing is
what you all silently suspect (although the stupidity of such thing
becomes blatantly obvious if you bother to just -think- a little bit),
everybody will believe in it and will repeat it. So, you see, I am
concerned about my own and other anti-virus people's good.

Do you see now how many other things I have to be concerned about? Do
you like this explanation better? And you thought all we were
concerned was -your- own good... Black is white. White is black.

> 	      I trust any expert as far as I can independently verify what
> 	      they say.

As a scientist, I am trying to provide verifiability of my claims any
time I am able to do it. Unless I have to worry about more important
things. You don't demand that NASA takes you in the Shuttle, in order
to verify the claims that the Earth is round with your own eyes, do
you?

Regards,
Vesselin

P.S. Lots of smileys for the humor impaired...
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 14 Apr 93 14:43:46 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Help wanted with Dir-II virus (PC)

kleyngel@dutiws.TWI.TUDelft.NL (Raymond Kleijngeld) writes:

> I recently discovered the Dir-II virus on my system (486/33 with a
> 212 Mb Hd). I've a bootable flop  which contains no virus and
> includes a virusscanner, scan v102 from Mcafee. I scanned the HD but
> scan didn't detect any virus. So I assumed that the HD was clean.

SCAN 102 is able to detect most of the existing variants of Dir_II.
Either you have done something wrong, or it is not a virus, or it is a
new variant.

> I have read in the virlist.txt that the dir-II virus uses stealth 
> techniques and selfencryption . Maybe this is the reason that the
> virus can't be detected. 

It is indeed very stealth. It doesn't use encryption; that entry in
VIRLIST.TXT is bogus. Because it is stealth, you must first boot from
a clean diskette, before trying to find it. Have you done that? If
not, this would explain why SCAN has not found it - but it should have
found it at least in memory.

> Actually I have the following problem. Because the virlist.txt
> describes that the dir-II virus crosslink files and directories I used
> chkdsk and norton diskdoktor to correct the problem. There are crosslinked

It indeed cross-links files (not directories), but running CHKDSK/F or
NDD is the worst thing you could do - you'll lose all your executable
files this way.

> files and directories. Norton Disk Doctor (NDD) repairs the files.

It has actually screwed up everything.

> After using NDD I use chkdsk and the unallocated chains are nicely
> converted to files. I delete those files.

Too bad; you've just deleted all executable files but the virus.

> But when I run NDD again
> I get the same errors and even some more. So I think that my system 
> is still infected. 

Not sure why more such problems appear, but in any case NDD is NOT the
tool to use when you have a Dir_II infection.

> Can anyone help me with this problem.

I'm afraid that at the state your problem currently is, it's kinda
difficult to help... If there were only the virus (without the
screw-up caused by NDD) there wouldn't be any problems, but...

> Because I have optimized the
> programs to communicate with each other I don't like formatting the 
> disk again.  

Then just restore from a backup. Oh, I guess you don't have a backup,
right? Too bad... OK, next possibility - delete all executable files
(I mean, files with COM and EXE extension), restore them from the
original disks and re-compile any programs you have developed
yourself from their sources.

> So any comments about the dir-II virus are welcome.

Some information about it can be found in

ftp.informatik.uni-hamburg.de:/pub/virus/texts/viruses/dir2doc.zip

If you need a disinfection program, take a look at

ftp.informatik.uni-hamburg.de:/pub/virus/progs/dir2clr.zip

Also, CLEAN is able to disinfect the most widespread variant of this
virus. Note however, that none of those programs will be able to
repair the screw-up caused by NDD.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 14 Apr 93 14:57:55 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Terminator 2 and Bert virus ?? (PC)

houkes@eb.ele.tue.nl (Vincent Houkes) writes:

> Hello there,

Hi!

> Can anyone help me with the following problem !!??

Yup.

> Yesterday morning I found my system infected with two viruses.  Scan
> v100 found only one, and scan v102 detected a file with two.  I found

There's actually only one of them, see below.

> The viruses were called the Terminator 2 virus (stealth), and the Bert
> virus.  The latter was only found by vers. 102.  Alas there is no
> description of those viruses in the virlist.txt, and vsum x303 doesn't
> answer completely too (only some info on the terminator, terminator
> 2001 (or something like that) and the terminator 3002 (or something
> like that)).

Are you sure that you have looked? Really hard? Even using the
"search" capability of VSUM? Or under the 'T' entry? Hint: "your"
virus is listed as Terminator-2294 in VSUM. I could tell you that the
description of the virus in VSUM is verbose, incorrect, and
incomplete, but that wouldn't be something terribly new, would it? I
have recently posted a description of this virus here; just look a few
issues back. The virus seems to be in the wild in the Netherlands.

> Does anyone know these viruses. (scan gives [Term2] and [Bert] )

This is actually a bug in SCAN 102 (version 100 didn't have it for
this virus). It reports the Terminator_II virus (or Terminator-2294,
if you prefer) as two viruses - [Term2] and [Bert]. This is not
something terribly new either - SCAN reports several viruses as more
than one and the problem has been reported to McAfee Associates for
a long time. Hopefully they are working on it... When the next SCAN
comes out, I'll post a list of all incorrect multiple reports it gives
on our virus collection.

> Second of all, is there a way to check zip files before extracting
> them on viruses ??.

I am aware of only one anti-virus program that supports this - this is
the scanner (UTScan) from Untouchable (dunno how it's called in the
Netherlands; maybe V-Analyst 3). What's wrong with unzipping the files
first? There are enough shell programs that let you do that and scan
for viruses automagically.

> f-prot 207  cannot locate the viruses, not even in a heuristic scan. !!

Correct, version 2.07 of F-Prot is not able to detect the
Terminator_II virus.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 14 Apr 93 15:11:40 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Virus Data Base (PC)

keith.watson@stucen.gatech.edu writes:

> I just found an ad for a hypertext virus database. V-Base from
> International Computer Security Associates. A free demo is available from
> their BBS at 202-364-0644.

The free demo is also available for anonymous ftp as

ftp.informatik.uni-hamburg.de:/pub/virus/progs/vbaseabc.zip

> Is this a rehash of Vsum

No, but you can use the same hypertext engine (VSUM.EXE) to view the
information in it.

> or is the long awaited
> for virus database finally here?

I'm afraid that not yet.

> Comments?

Describes fewer viruses than VSUM, is significantly less verbose and
less inexact than VSUM. Still has some errors and LOTS of incomplete
entries. The authors are more willing to cooperate to fix the
mistakes/omissions, however - you can send them corrections and
supposedly they'll be fixed in the next version of the product.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 14 Apr 93 15:18:06 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: viruses and compression (PC)

sosc1043@wc05.writer.yorku.ca (Colin Beckmann) writes:

> 	I was wondering if anybody could tell me if it is possible for a  
> scanner to detect a virus in a compressed file

Possible? Yes. Some scanners (VirX, SCAN, F-Prot, UTScan) do it for some 
(the most popular) compressors (PKLite, Diet, etc.). No scanner does it
for all existing compressors.

> or on a stacked hard drive  

Without loading the Stacker device driver? Possible - yes. Practical -
no. So, no scanner does it currently.

> or if the virus can be detected on a file that has been backed up using  
> DOS  or Norton backup. 

No, but Central Point Software's Backup can be configured to scan for
viruses when backing up or restoring. Not that it is a very good
scanner, mind you...

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany
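
Steve Richards' reply earlier in this digest and Vesselin's answer here
make the same point about compressed executables: a virus that attaches
itself after the file was packed sits uncompressed and is found by an
ordinary scan, a virus that was present when the file was packed is
invisible until the scanner unpacks it with the right algorithm, and
archive files (.ZIP and the like) are a separate layer that most scanners
of the day did not open. The Python below is an added illustration and is
not code from either poster or from any of the scanners named (F-PROT,
SCAN, VirX, UTScan). It substitutes zlib for a real run-time packer such as
PKLITE, uses Python's zipfile for the archive layer, and uses a made-up
byte pattern where a real scanner would use a scan string taken from a
sample; all input data is constructed.

```python
import io
import zipfile
import zlib

# Constructed test data (not from the digest).  SIGNATURE stands in for a
# scanner's scan string; a real one would be taken from a real sample.
SIGNATURE = b"\xeb\x1c\x90\xb8\x01\x00\xcd\x21SIG-X"
CLEAN_HOST = b"MZ" + b"\x00" * 30 + b"harmless program body"
INFECTED_HOST = CLEAN_HOST + SIGNATURE + b"\x00" * 8


def pack_like_pklite(exe):
    """Stand-in for a run-time EXE compressor (PKLITE, LZEXE, DIET...): zlib
    behind a made-up 'PKL' marker.  Real packers prepend a decompressor stub;
    the stub is irrelevant to the scanning question and is omitted."""
    return b"PKL" + zlib.compress(exe)


def unpack_like_pklite(blob):
    """Reverse of pack_like_pklite; None if the data is not in that format."""
    if not blob.startswith(b"PKL"):
        return None
    try:
        return zlib.decompress(blob[3:])
    except zlib.error:
        return None


def zip_files(named_files):
    """Build a .ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in named_files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_raw(data):
    """A scanner with no unpacking support: plain string search."""
    return SIGNATURE in data


def scan_recursive(data, unpack_archives=True, depth=0, max_depth=3):
    """Scan the bytes as-is, then inside every wrapper this scanner can open.
    unpack_archives=False mimics a scanner that unpacks executables but
    does not look inside .ZIP files; max_depth bounds nested wrappers."""
    if scan_raw(data):
        return True
    if depth >= max_depth:
        return False
    inner = unpack_like_pklite(data)
    if inner is not None and scan_recursive(inner, unpack_archives, depth + 1, max_depth):
        return True
    if unpack_archives and data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if scan_recursive(zf.read(info), unpack_archives, depth + 1, max_depth):
                    return True
    return False


def demo_results():
    """The three cases from the thread, each scanned both ways."""
    infected_then_packed = pack_like_pklite(INFECTED_HOST)            # virus compressed with its host
    packed_then_infected = pack_like_pklite(CLEAN_HOST) + SIGNATURE   # virus attached after packing
    zipped = zip_files({"GAME.EXE": infected_then_packed})            # packed file inside a .ZIP
    return {
        "packed after infection, raw scan": scan_raw(infected_then_packed),
        "packed after infection, unpacking scan": scan_recursive(infected_then_packed),
        "infected after packing, raw scan": scan_raw(packed_then_infected),
        "zip, raw scan": scan_raw(zipped),
        "zip, no archive support": scan_recursive(zipped, unpack_archives=False),
        "zip, archive support": scan_recursive(zipped),
    }


if __name__ == "__main__":
    for case, found in demo_results().items():
        print("%-42s %s" % (case, "DETECTED" if found else "missed"))
```

The two "raw scan" results on the packed file show why Frisk's README can
promise that a file infected after compression is "always detected
normally" while a file infected before compression needs unpacking support
for that particular packer; the ZIP cases show the extra layer that only a
scanner with archive support (UTScan, per Vesselin's other message) sees
through.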

------------------------------

Date:    Wed, 14 Apr 93 15:23:04 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Windows 3.1 virus (PC)

fites@qucis.queensu.ca (Philip Fites) writes:

> Today, someone reported actually cleaning up a 36 byte virus.  I have
> real trouble believing this; the smallest I know of is 44 bytes and
> isn't viable, much less a Windows-specific infector.

> Do you know of anyone with real data on this?  (Bontchev or Skulason,
> perhaps?)

The shortest virus I've seen is 25 bytes and it works only sometimes
on some systems. It is definitively not a Windows-specific infector,
although it will "infect" (overwrite) anything, including Windows
applications, due to pure stupidity. I know of only one
Windows-specific virus and it adds 854 bytes to the infected files. I
find it difficult to believe that somebody can fit a viable virus into
36 bytes, let alone a Windows-specific infector.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 63]
*****************************************


