VIRUS-L Digest Tuesday, 1 Jun 1993 Volume 6 : Issue 88
Today's Topics:
Re: IDES '93 Conference Proceedings
Network Security Standards
info sharing
Human factor in infections
Re: Review of BootX (Amiga)
Re: The Anti-Viral Software of MS-DOS 6 (PC)
Re: CPAV updates? (PC)
Tremor (PC)
Re: Single state machines and warm reboots (PC)
Re: CPAV updates? (PC)
Re: Bug With Virstop 2.08a & DOS6 Memmaker? (PC)
TREMOR via Satellite (PC)
TREMOR Analysis (PC)
DOS 6 Double Space and Invisible Virus (PC)
Re: The Anti-Viral Software of MS-DOS 6 (PC)
Re: Cure against Tremor available? (PC)
Re: The Anti-Viral Software of MS-DOS 6 (PC)
Is "Untouchable" (V-ANALYST) Effective (PC)
Thunderbyte anti-virus utils v6.02 uploaded to SIMTEL20 and OAK (PC)
virus news INTERNATIONAL CONFERENCE 93
Activity Monitors - variations (CVP)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on cert.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 27 May 93 18:06:35 +0000
From: jmr@philabs.philips.com (Joanne Mannarino)
Subject: Re: IDES '93 Conference Proceedings
bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
|> George Guillory (wk04942@worldlink.com) writes:
|>
|> > I hate to bring this up but has anyone received the proceedings from
|> > the 6th International Computer Virus and Security Conference?
|>
|> At least none of the VTC participants (there were three of us) have
|> received them yet. I'll second your appeal to the organizers - due to
|> bad organization, it was almost impossible to attend the speeches, so
|> I would like at least to read the submitted papers...
This conference was held in New York City this past March and I
understand that the next one is already reserved for March 1994.
Please be forewarned to avoid this conference. I sent two people to
this last one and they felt it was the most unprofessional,
unorganized conference they'd ever attended -- they only went two of
the three days because they were waiting for it to get better but
realized it never would. I wrote a letter of complaint to the
organization and also sent copies to IEEE and ACM which were
supposedly sponsors. I don't expect to hear back from them, but
wanted to warn anyone who may contemplate going that it's a total
waste of time and money.
Also, from what I've heard, this wasn't just a bad year. The
conference is very badly organized and seems to get worse every year.
-joanne mannarino
--
joanne mannarino philabs!jmr@uunet or
philips laboratories - briarcliff jmr@philabs.philips.com
------------------------------
Date: Fri, 28 May 93 08:01:42 -0400
From: MARTIN@SALIG.DEMON.CO.UK
Subject: Network Security Standards
Can anyone point me in the direction of FTP sites that carry papers on
strategy on security and anti-virus matters for networks?
If so, can you please list any FTP sites other than CERT.ORG which has
an anonymous FTP account.
Many thanks in advance.
--+
Martin Overton |Compuserve: 100063,1161
PC Technical Specialist |Internet : Martin@Salig.Demon.Co.Uk
Tel: +44 (403) 231937 |"Beam me up,Sooty!"
------------------------------
Date: Mon, 31 May 93 10:00:50 -0400
From: rreymond@vnet.IBM.COM
Subject: info sharing
Hi everybody! After all that talk about Inbar's article, I've got
my copy. Now I want to thank Inbar here for having shared that info.
In fact this article was very interesting and useful for me. Why?
Simple: all that I know about viruses and counter measures, I've
learned ON MY OWN, or at least supported by some more skilled (and
patient) colleagues... D'ya understand? That stuff, which I'm sure
wasn't a mystery for The Dark Side before Inbar's article, was quite a
mystery FOR ME. And if now I can better understand some tricks, it is
because someone (Inbar) has kindly decided to share that, instead of
keeping it for himself. Come on, folks, let's share...
.............................................Bye!
..................................................Roberto
-----------------------------------------------------------------------
* All the above are my own opinions, not necessarily shared by IBM *
***********************************************************************
Roberto Reymond IBM C.E.R.T. Italy via Lecco 61
--------------- 20059 Vimercate (MI)
RREYMOND@vnet.ibm.com Italy MI VIM 491
.........Phone +39.39.600.6873 Fax +39.39.600.5015............
***********************************************************************
* " Another one bites the dust! " , Queen (The Game, 1980) *
***********************************************************************
------------------------------
Date: Sun, 23 May 93 10:12:01 +0200
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Human factor in infections
frisk@complex.is (Fridrik Skulason) wrote:
>>Would I be mistaken if I assumed that those companies weren't adequately
>>protected, or was it a new variant?
> They *thought* they were fully protected...unfortunately, they had not
> updated their anti-virus software for two years.
Then I wouldn't be mistaken to assume that :-)
The problem, the way I see it, is that companies that have something to lose
(namely, Data) don't realize that just equipping the employees (or
workstations) with Anti Virus products, no matter how idiot-proof or easy to
use they are, is NOT SUFFICIENTLY protective.
I believe that a company that cares about its data badly enough, and that is in
the risk group that I defined earlier in this thread, should actually hire a
qualified person to handle the virus problem.
By Qualified, I don't mean 'First Degree in Computers', because people that
learned their computer science only when in College don't really know much
about computers. By Qualified, I mean almost every one of this echo's
participants - people who are involved with viruses all the time, whether they know
everything about every virus, like the hot-shots, or whether they don't, like
me, but they know how to deal with Anti-Viruses, and know the general risks
and how to defend against them.
Any comments?
Inbar Raz
Chief Data Recovery
--
Inbar Raz 5 Henegev, Yavne 70600, ISRAEL. Phone: +972-8-438660
Chief Data Recovery, 15 Habanim, Nes-Ziona 70400, ISRAEL. Phone: +972-8-400070
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il
--- FMail 0.94
* Origin: Inbar's Point - Home of the first UnTinyProg. (9:9721/210)
------------------------------
Date: Sat, 29 May 93 15:37:25 -0400
From: hkantola@cc.helsinki.fi (Heikki Kantola)
Subject: Re: Review of BootX (Amiga)
Rob Slade (roberts@decus.arc.ab.ca) wrote:
> Performance
>
> Unknown at this time due to lack of a test suite. Currently one of the most
> highly recommended Amiga antivirals.
>
> Local Support
>
> The author is reachable via Fidonet and Internet mail.
>
However, the author has recently announced that all BootX development is
discontinued. But luckily there happen to be other equally good (?) PD/SW
virus killers for Amiga, for example Virus Checker (currently up to
v6.26) and VirusZ (latest is v3.06).
--
--------------------------------------------------------------------------
Heikki Kantola, Computer Linguistics student at the University of Helsinki
E-Mail: heikki.kantola@helsinki.fi IRC: Hezu
--------------------------------------------------------------------------
------------------------------
Date: Thu, 27 May 93 14:37:41 -0400
From: gary@sci34hub.sci.com (Gary Heston)
Subject: Re: The Anti-Viral Software of MS-DOS 6 (PC)
frisk@complex.is (Fridrik Skulason) writes:
[ about CPAV causing false alarms ]
>Unfortunately no...Here is for example one report I received yesterday from
>one of my largest users:
>>I have encountered interaction between DOS V6.0's VSAFE and McAfee V104 and
>>F-Prot 2.08a
> [ ... ] I see this basically as MS/CP problem - those scanners seem to
>be the only ones which do not encrypt all virus signatures in memory. This
>is generating too many questions for me though - and what I probably will do
>is to add a check for VSAFE to my program, and if it is found I will display
>a message like "WARNING! WARNING! - VSAFE found in memory"
First, I think this is an *excellent* idea. It'll help cut down on
inexperienced people panicking when they run into it (and there'll be a
*flood* of them as DOS 6.0 propagates).
Second, I think you also need to include a disinfect option. You'd be
doing the antiviral world a favor.
:-)
--
Gary Heston SCI Systems, Inc. gary@sci34hub.sci.com site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Hestons' First Law: I qualify virtually everything I say.
------------------------------
Date: Thu, 27 May 93 19:14:30 +0000
From: ee1ckb@sunlab1.bath.ac.uk (Alan Boon)
Subject: Re: CPAV updates? (PC)
In the referenced article, bontchev@rzsun2.informatik.uni-hamburg.de
(Vesselin Bontchev) writes:
>Alan Boon (ee1ckb@sunlab1.bath.ac.uk) writes:
>
>> I am currently using CP Anti-Virus v1.4 and before anyone says anything
>> bad about it, I like it and think it's one of the best around! Does
>
>Would be curious to know why you think that it is so good?
>According to my own experience, it is actually one of the worst
>anti-virus programs around... Don't you like it because of the user
>interface, by chance? Remember that there is no record of a virus
>being ever stopped by a user interface... :-)
>
>> anybody knows where I can download virus signature files from so I can
>> update my CPAV detection capabilities? It will be lovely if anyone
>
>They are available via anonymous ftp as
>
>ftp.informatik.uni-hamburg.de:/pub/virus/progs/cpav_upd.zip
>
>According to Padgett, the updates can be used to upgrade also the
>MS-DOS version of MSAV - the scanner that comes with MS-DOS 6.0.
With Bootsafe and Vsafe running, your system is well protected provided you
update the signature files. It offers a comprehensive protection system
that no other can match. Anyway, it wasn't the user interface that
attracted me but the protection level it offered.
Alan.
------------------------------
Date: Fri, 28 May 93 09:27:22 -0400
From: "Dr. Martin Erdelen" <HRZ090@VM.HRZ.UNI-ESSEN.DE>
Subject: Tremor (PC)
On Wed, 12 May 93 13:45:20 MEZ
I wrote:
>is there any new development re: disinfection of the Tremor virus? Are there
>antiviral programs by now which can handle this beast?
Thanks to all who responded. With the help of KILLT2.EXE, the Tremor
Killer by Pascal Pochol, I was able to disinfect the afflicted files.
Yes, I do know that overwriting would be better, but do my clients
have clean backups? Nooooo! (Incidentally, how does one make sure that
the backups are *really* clean? If no permanent infection watch is run
- as of course should be, but also of course often is not - you are
apt to sooner or later replace the clean copy with an infected one,
aren't you?)
While we are at it: I can't remember having seen in the discussion
any description of Tremor's payload. Is there more to it than the
trembling screen image? Or has it not yet been fully analysed?
Martin
(~ , ,
(___/__/__-_
Dr. Martin Erdelen EARN/BITNET: HRZ090@DE0HRZ1A.BITNET
-Computing Centre- Internet: erdelen at hrz.uni-essen.de
University of Essen Tel.: +49 201 183-2998
Schuetzenbahn 70 FAX: +49 201 183-3960
D-4300 Essen 1 Binary: . .-. -.. . .-.. . -- (~~
Germany (()~~
+-----------------------+ Smoke: ()))) ((()))~~~ ())~~~
| Remarkably | ())))) ~~~
| remarkless | (())()~(())())
| room | (())())
+-----------------------+ ((()()())))
------------------------------
Date: Fri, 28 May 93 15:06:55 -0400
From: "David M. Chess" <chess@watson.ibm.com>
Subject: Re: Single state machines and warm reboots (PC)
>From: Garry J Scobie Ext 3360 <GSCOBIE@ml0.ucs.edinburgh.ac.uk>
>> From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
>> I know of no virus (and am sure will be corrected if wrong 8*) that
>> can survive a *real* warm reboot.
>Was this thread ever followed up. In Volume 5 Issue 41 1992, Vesselin
>noted that no virus could survive the genuine or *real* Ctrl-Alt-Del
>or warm re-boot. However, in Issue 44 David Chess notes:
>> In short, since some viruses ARE able to survive the Ctrl-Alt-Del
>> sometimes,
>
>Was this taken off-line and resolved? David, Vesselin?
We are all agreeing loudly with each other, as usual! *8)
There are viruses which will still be there if you press
Control-Alt-Delete and wait for the good old DOS prompt to
come back. However, the way they work is by preventing
a "real" warm reboot (in Padgett's sense of "real"),
and in many cases someone as observant as Vesselin will
be able to tell, by watching exactly what happens after
the C-A-D is pressed, that that "real" reboot did not
occur. So it's true both that we know of no virus
that's still in memory after a "real" warm reboot, but
at the same time if you just press C-A-D and wait for
the machine to settle down again, there *are* viruses
that can survive that.
- -- - / We have a little garden,
David M. Chess / A garden of our own,
High Integrity Computing Lab / And every day we water there
IBM Watson Research / The seeds that we have sown.
------------------------------
Date: Sat, 29 May 93 08:57:30 -0400
From: A.M.Zanker@newcastle.ac.uk (A.M. Zanker)
Subject: Re: CPAV updates? (PC)
bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>Alan Boon (ee1ckb@sunlab1.bath.ac.uk) writes:
>> I am currently using CP Anti-Virus v1.4 and before anyone says anything
>> bad about it, I like it and think it's one of the best around! Does
>Would be curious to know why you think that it is so good?
>According to my own experience, it is actually one of the worst
>anti-virus programs around... Don't you like it because of the user
>interface, by chance? Remember that there is no record of a virus
>being ever stopped by a user interface... :-)
Ha Ha! Yes, it has a nice user interface. It also detects the 50 or so
virii that are ever really seen outside virus testing labs etc. (according
to Alan Solomon). It always seems to have a fairly low rating in P. Hoffman's
certification tests, but then she seems to use the standard 1.4 version without
any of the updates.
The Windows version is also rather nice and has got me out of a few scrapes.
Both DOS and Windows versions can also detect changes to "system" files
(.exe, .com, .dll, .ov?, etc.) which seems to cover just about everything
one is likely to meet in everyday home use.
Mike
--
Mike Zanker | A.M.Zanker@ncl.ac.uk
Department of Mathematics and Statistics |
University of Newcastle upon Tyne, UK |
------------------------------
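Mike's remark above that the DOS and Windows versions of CPAV detect changes to "system" files (.exe, .com, .dll, .ov?) describes an integrity checker. What follows is an added example of that technique written for this digest; it is not code from CPAV or from any product named here, it hashes with SHA-256 rather than whatever checksum those products used, and every file name and file content in it is constructed for the demonstration.

```python
"""Minimal file integrity checker of the kind the post describes:
record a baseline of hashes for executable-type files, then report
which files were modified, added or removed since the baseline."""
import fnmatch
import hashlib
import os
import tempfile

# The file classes the post lists; "*.ov?" covers overlay files (.ovl, .ovr, ...).
PATTERNS = ("*.exe", "*.com", "*.dll", "*.ov?")


def is_system_file(name: str) -> bool:
    """True if the file name matches one of the monitored patterns."""
    lname = name.lower()
    return any(fnmatch.fnmatchcase(lname, pat) for pat in PATTERNS)


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> {size, sha256} for every monitored file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not is_system_file(name):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"size": os.path.getsize(full),
                             "sha256": file_digest(full)}
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the current state of root against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a directory of dummy files, then
    modify one, add one and delete one, and verify. Returns the report."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "game.com": b"dummy program image " * 4,     # constructed content
            "tool.ovl": b"dummy overlay data " * 4,
            "readme.txt": b"not a monitored file",       # ignored by the patterns
            os.path.join("bin", "edit.exe"): b"MZ" + bytes(64),
        }
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulated changes: game.com grows (the footprint an appending file
        # infector leaves), a new executable appears, and the overlay is gone.
        with open(os.path.join(root, "game.com"), "ab") as f:
            f.write(b"\x90" * 16)
        with open(os.path.join(root, "new.exe"), "wb") as f:
            f.write(b"MZ" + bytes(16))
        os.remove(os.path.join(root, "tool.ovl"))
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```

The baseline has to be taken on a known-clean system and kept where the machine under test cannot quietly rewrite it (in the era of this digest, a write-protected diskette); a file that is already infected when it is baselined, or a resident stealth virus that serves the original contents back to the checker's reads, is otherwise accepted as normal. Martin Erdelen's question earlier in this digest about backups silently accumulating infected copies is the same problem from the other side.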
Date: Sun, 30 May 93 01:23:51 -0400
From: medici@dorm.rutgers.edu (Mark Medici)
Subject: Re: Bug With Virstop 2.08a & DOS6 Memmaker? (PC)
sphughes@sfsuvax1.sfsu.edu (Shaun P. Hughes) writes:
| RTRAVSKY@corral.uwyo.edu (Rich Travsky 3668 (307) 766-3663/3668) writes:
| >I have encountered an odd interaction between virstop.exe version
| >2.08a and dos 6's memmaker. Specifically, having virstop running
| >(either in conventional or high memory) will hang the pc when using
| >memmaker. This means then that to run memmaker you have to comment
| >it out of whichever startup file you have it in.
| I finally got around to dos 6.0 yesterday and had absolutely no
| conflict between virstop 208a and memmaker. I suspect your problem
| lies elsewhere.
I have had experiences similar to Rich's. If I allow DOS6's MemMaker
to try and determine the best way to load VIRSTOP from F-PROT 2.08a,
the system locks hard requiring cold-boot. However, if I select the
custom MemMaker option, tell MemMaker that I want to specify which
files to try and load high, and exclude VIRSTOP, there is no problem.
Note that VIRSTOP is actually loaded into memory, it's just that I
don't let MemMaker try to fit it high. After MemMaker is done, I have
no trouble loading VIRSTOP into UMB (providing enough space is left
over for it).
So the problem seems only to be that MemMaker's method of determining
VIRSTOP's size is not working -- not that VIRSTOP is incompatible with
DOS6's UMB/EMM386.EXE.
--
_________________________________________________________________________
RUCS | Mark A. Medici * Telecommunications Analyst II * User Services
User | Rutgers University Computing Services, New Brunswick, NJ 08903
Services | [medici@gandalf.rutgers.edu] [908-932-2412]
------------------------------
Date: Mon, 31 May 93 16:17:05 -0400
From: Fischer@rz.uni-karlsruhe.de
Subject: TREMOR via Satellite (PC)
Clarification:
Several people sent e-mail to me asking which version of PKUNZIP or McAfee's
SCAN were infected! Maybe I was not precise enough.
1. The virus infection did *not* happen at McAfee Associates nor at PK Ware!
2. The company Channel Videodat near Cologne, Germany most probably contracted
TREMOR from a shareware dealer in Duesseldorf, Germany
named Software Projekt Heidel, who supplied version 104 of McAfee's
anti-virus software and an infected copy of PKUNZIP.EXE.
3. The transmission is on the same channel as the TV program PRO-7, which is
broadcast in Europe.
I hope this clarifies the matter.
Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: ry15@rz.uni-karlsruhe.de
------------------------------
Date: Mon, 31 May 93 16:28:31 -0400
From: Fischer@rz.uni-karlsruhe.de
Subject: TREMOR Analysis (PC)
TREMOR Analysis
The analysis of the mutation mechanism in TREMOR revealed a complexity of
5.8 billion possibilities of variation of the decryption loop. Now that the full
tree is analysed, a 100% hit rate in detecting this virus can be achieved.
During this analysis a delay mechanism for the payload trigger has been found.
This can be used to back-trace an infection strain, since the infection date
can be derived from the trigger code!
TREMOR Prevalence
TREMOR is now pretty widespread in Germany; the Micro-BIT Virus Center gets
about 1-2 calls from infected sites per day. Several companies were among the
callers.
Christoph Fischer
Micro-BIT Virus Center
University of Karlsruhe
Zirkel 2
W-7500 KARLSRUHE 1
Germany
+49 721 376422 Phone
+49 721 32550 FAX
email: ry15@rz.uni-karlsruhe.de
------------------------------
Date: Tue, 01 Jun 93 03:35:02 -0400
From: "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: DOS 6 Double Space and Invisible Virus (PC)
We recently received a sample of "Invisible" virus. This infects
both files and MBRs. Without really thinking we ran it on a
test PC in which the hard disk was set up using DOS 6 Double
Space. After running an infected file the PC was rebooted.
Immediately we discovered major corruption. The root directory
appeared to be OK, but many files and directories (at various
levels) were unreadable, and a number of directories were
recursive. Of about 15M on the hard disk about 4M was lost.
We tried running CHKDSK. This reported many lost clusters, and
made these into about 300 files, but most of these were still
unreadable.
Eventually we gave up and reformatted the hard disk. We did not
install Double Space this time!
As far as we know at present the only deliberate damage done
by the virus is to write the original MBR, followed by the virus,
to the last seven sectors on the hard disk. We were able to read
this as an absolute sector using Nortons, but many clusters
and even physical sectors appeared to be totally unreadable. It
is possible that the virus marked the occupied sectors as bad,
and that this caused the damage, but this does not seem very
probable.
CONCLUSION.
Double Space would appear to have the capability of converting an
infection with an otherwise trivial virus into a major disaster.
Roger Riordan Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au
CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727
------------------------------
Date: Sat, 29 May 93 17:02:07 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The Anti-Viral Software of MS-DOS 6 (PC)
Y. Radai (RADAI@vms.huji.ac.il) writes:
> I do not notice any behavior like that described above when I use McAfee's
> Scan V102, S&S's FindViru 6.18, or UTScan 28. I find it only when I run
> F-PROT after running MSAV. I then get the message "The xxxxxx virus search
> pattern has been found in memory" (where xxxxxx is "Telecom", unless VSafe is
> loaded in extended memory, in which case xxxxxx is "Stoned"). I therefore
> think that the problem lies with F-PROT rather than with MSAV or VSafe in this
> particular case.
I beg to disagree. Although I have not observed it myself, I have
received several reports about interaction with SCAN 104 and ghost
positives. It seems indeed to depend on where exactly VSAFE is loaded
in memory. And the cause of the problem is, of course, VSAFE and
nothing else - because it doesn't bother to encrypt its scan strings.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
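Both Fridrik's report earlier in this digest and Vesselin's post above attribute the "ghost positives" to one thing: a resident program keeping its scan strings unencrypted in memory, so that another scanner's memory sweep matches the string and reports a virus that is not there. The toy model below is an added illustration written for this digest, not code from VSAFE, MSAV, SCAN or F-PROT, and it says nothing about how any of those products actually store their data; the two signatures are constructed placeholders, not patterns of any real virus, and the single-byte XOR mask stands in for whatever a real product would use.

```python
"""Ghost positives from unencrypted scan strings: a toy model.

Two resident scanners each hold a signature database. One keeps its
signatures as plain bytes in memory; the other stores them XOR-masked and
unmasks each one only transiently while comparing. A memory sweep by a
third scanner then finds the plaintext database and reports a virus that
is not actually in memory.
"""
from dataclasses import dataclass, field

# Constructed placeholder signatures. They are NOT patterns of any real virus.
SIGNATURES = {
    "ToyVirus.A": bytes.fromhex("c3a11e2f7d90e8fc5b03"),
    "ToyVirus.B": bytes.fromhex("2e8a0647d1f4b07a9c11"),
}

MASK_KEY = 0x5A  # one fixed mask byte; a real product would use a stronger scheme


def xor_mask(data: bytes, key: int = MASK_KEY) -> bytes:
    """XOR with a constant byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


@dataclass
class ResidentScanner:
    """A memory-resident scanner whose signature database sits in RAM."""
    name: str
    encrypt_in_memory: bool
    _db: dict = field(default_factory=dict)

    def __post_init__(self):
        for vname, sig in SIGNATURES.items():
            self._db[vname] = xor_mask(sig) if self.encrypt_in_memory else sig

    def memory_image(self) -> bytes:
        """The bytes another program sees when it sweeps this scanner's memory."""
        return b"".join(self._db.values())

    def scan(self, buf: bytes) -> list:
        """Report every signature found in buf; masked entries are unmasked
        one at a time, so the plaintext never sits in the database itself."""
        hits = []
        for vname, stored in self._db.items():
            sig = xor_mask(stored) if self.encrypt_in_memory else stored
            if sig in buf:
                hits.append(vname)
        return hits


def memory_sweep(resident_encrypts: bool) -> list:
    """Lay out a memory image (a clean program plus two resident scanners) and
    let one scanner sweep it. Returns the virus names it reports."""
    resident = ResidentScanner("resident", encrypt_in_memory=resident_encrypts)
    sweeper = ResidentScanner("sweeper", encrypt_in_memory=True)
    clean_program = bytes(range(256)) * 4          # constructed, contains no signature
    memory = clean_program + resident.memory_image() + sweeper.memory_image()
    return sweeper.scan(memory)


if __name__ == "__main__":
    print("resident stores plaintext signatures:", memory_sweep(False))
    print("resident masks its signatures:       ", memory_sweep(True))
```

The sweeper masks its own database for the same reason, which is why it does not alarm on its own memory image; a scanner that also knows where its own database lives can exclude that range outright. With the resident program holding plaintext strings, the sweep reports both placeholder viruses although neither is in memory, which is exactly the confusion Fridrik proposes to pre-empt by having his scanner warn when it finds VSAFE loaded.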
Date: Sat, 29 May 93 16:45:47 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Cure against Tremor available? (PC)
Robert Hoerner (Robert.Hoerner@f2170.n492.z9.virnet.bad.se) writes:
> F-PROT 2.08 finds it.
Unfortunately, neither version 2.08, nor version 2.08a of F-Prot is
able to find the Tremor virus -reliably-, let alone to disinfect it.
(By unreliable detection I mean that some infected files are detected
and some aren't.) As far as I understand, Frisk has solved the problem
and an update for F-Prot should be out RSN...
> I myself wrote a finder+cleaner : ANTISER.ZIP, frequestable. It disinfects
> TREMOR-infected files just at the moment they are started. No danger for
> re-infection anymore. Does not work on packed files !
If your program is freeware or shareware (and if it is good, of course
<grin>), and if you are interested to make it available via anonymous
ftp, then I could put it on our ftp site - just uuencode it and e-mail
it to me.
BTW, are you sure that your program detects the Tremor virus reliably?
This is extremely difficult to test, because the virus has a
considerable potential for polymorphism, but mutates very slowly. That
is, even if you generate a few thousand replicants, you'll still
have only a few different mutations and a test based only on them
might not be good enough.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
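Vesselin's caveat above, that an engine with a large variant space but a slow mutation rate yields only a handful of distinct decryptors from thousands of replicants, can be made concrete with a simulation. The code below is an added illustration written for this digest; it is not Tremor's engine and models nothing about its real decryptor. The only figure taken from the digest is the 5.8 billion variant count from Christoph Fischer's analysis; the chain-of-replicants model, the mutation probabilities and the seeds are assumptions made for the demonstration.

```python
"""Why a few thousand replicants of a slowly mutating polymorphic virus make
a poor test set: a simulation of replication chains.

Model (an assumption, not any real engine): each replicant inherits its
parent's decryptor form, identified here by an index into the variant
space, and re-generates a fresh form with probability `mutation_prob`.
"""
import random

VARIANT_SPACE = 5_800_000_000   # variant count quoted for TREMOR in this digest


def replicate(n: int, mutation_prob: float, seed: int) -> list:
    """Return the decryptor form of each of n replicants in one infection chain."""
    rng = random.Random(seed)
    form = rng.randrange(VARIANT_SPACE)
    forms = []
    for _ in range(n):
        if rng.random() < mutation_prob:
            form = rng.randrange(VARIANT_SPACE)
        forms.append(form)
    return forms


def distinct_forms(forms: list) -> int:
    """How many different decryptor forms a replicant set actually contains."""
    return len(set(forms))


def detection_rate(known_forms: set, sample: list) -> float:
    """Fraction of a sample caught by a detector that recognises only the forms
    it was built from, i.e. one tuned to a replicant set rather than to the
    engine's full variation tree."""
    caught = sum(1 for f in sample if f in known_forms)
    return caught / len(sample)


def experiment(n: int = 3000, slow_prob: float = 0.001) -> dict:
    """Generate a lab chain and an independent 'field' chain for a slow engine,
    plus a lab chain for a fast engine, and summarise what a tester sees."""
    lab_slow = replicate(n, slow_prob, seed=1)
    field_slow = replicate(n, slow_prob, seed=2)
    lab_fast = replicate(n, 1.0, seed=3)
    return {
        "slow_lab_distinct": distinct_forms(lab_slow),
        "fast_lab_distinct": distinct_forms(lab_fast),
        "slow_lab_self_test": detection_rate(set(lab_slow), lab_slow),
        "slow_field_detection": detection_rate(set(lab_slow), field_slow),
    }


if __name__ == "__main__":
    for key, value in experiment().items():
        print(f"{key:22s} {value}")
```

The self-test score of 1.0 is the trap: a detector that performs perfectly on the replicants it was derived from says nothing about the chain a customer site received, because that chain carries forms the lab never saw. A fast-mutating engine at least makes the gap visible (thousands of distinct forms from thousands of replicants); a slow one hides it, which is why a reliable detector has to come from analysing the variation tree, as Christoph Fischer reports doing for TREMOR earlier in this issue, rather than from any number of replicants.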
Date: Sat, 29 May 93 16:58:59 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The Anti-Viral Software of MS-DOS 6 (PC)
A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) writes:
> As far as the easy disable in memory as documented widely, a tiny TSR
> (uses no free RAM) could disable the disabler just as easily.
Nope. The disabler -is- needed - as Yisrael pointed out, MSAV needs to
turn VSAFE off before it begins to scan the disk. If you don't allow
disabling of VSAFE, then you won't be able to run MSAV with VSAFE in
memory. A quick fix is to make the TSR ask the user whether s/he
really wants VSAFE to be disabled, but this is, after all, a kludge.
> Finally, given that the signatures are distributed separately, what is to
> stop an enterprising person from distributing their own signature update
> for use with MSAV having a much higher detection rate (for a suitable fee
> of course) ?
I am not competent in legal matters, but I think that one must obtain
permission from Central Point Software and/or from Microsoft, before
publishing such an update... And why would they permit their
competitors to publish better anti-virus software? Besides, the format
of the updates is not published. On top of that, I suspect that
those updates have some internal limitations, which cannot be
circumvented without a complete re-design of the product. For
instance, I am 100% sure that they don't provide the means for exact
virus identification.
> Thus the question must be not "whether MSAV is the One True Answer" but
> "*could* it be ..." e.g. is the engine robust enough ? Certainly, Windows
Hm, what do you mean by "robust enough"? I've got the impression that
the scanning engine in CPAV/MSAV is rather far from the modern fast
scanning technologies...
> Now let's look on the positive side: MSAV is at least trivially integrated
> into DOS.
Is it? How? From what I have seen, it is just an add-on product, which
has nothing to do with the operating system. Heh, it doesn't even
check the DOS version like the other external DOS commands... :-)
> I haven't tried it yet but would expect it to be compatible with
> disk compression and Windows 32BitDiskAccess (possibly why the boot sector
Please try it and post the results. I have my reasons to doubt that
the above is true, but I might be wrong.
> it against necessary functions that we do not know about (yet 8*). In
> other words, the hard part (nice human interface & it works) is done and the
> a-v people can concentrate on improving the detection rate plus the low
> level add-ons.
Actually, even the user interface is screwed-up. The nice user
interface of CPAV has been restricted quite a lot in MSAV...
> There are some drawbacks that I know of. For instance you can take a looong
> coffee break while waiting for the memory scan on a 4.77 Mhz PC or XT but
> this is fixable or possibly no-one will care.
This is again a result of the usage of out-of-date scanning
technology. It cannot be fixed without a complete re-design of the
scanning engine.
> ps STAC also quietly announced availability of STACKER for OS/2 on p 170
> of the May 24 PC-Week. Did anyone else notice ?
Sure, I even saw the product at the CeBIT'93 computer fair in
Hannover... :-)
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Tue, 25 May 93 17:44:00 +0200
From: Schwartz_Gabriel@f101.n9721.z9.virnet.bad.se (Schwartz Gabriel)
Subject: Is "Untouchable" (V-ANALYST) Effective (PC)
TO: bontchev@news.informatik.uni-hamburg.de
Yes you might be right about the integrity checker of V-Analyst but most of
the users want to see scan results much more than an integrity check.
Although an integrity check is a very important part of an anti-virus package, it
can't stand alone as the leading part. I'm looking in the latest VSUM reports
and V-Analyst doesn't look very good there.
--- FastEcho/386 B0426/Real! (Beta)
* Origin: >> Rudy's Place << VirNet, Israel (9:9721/101)
------------------------------
Date: Sat, 29 May 93 17:50:37 -0400
From: bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: Thunderbyte anti-virus utils v6.02 uploaded to SIMTEL20 and OAK (PC)
I have uploaded to WSMR-SIMTEL20.Army.Mil and OAK.Oakland.Edu:
pd1:<msdos.virus>
TBAV602.ZIP Thunderbyte anti-virus utilities, v6.02
TBAVU602.ZIP Thunderbyte anti-virus pgm, upgrade 6.01->6.02
TBAVX602.ZIP TBAV processor specific pgms; see TBAV602.ZIP
VSIG9305.ZIP Signatures for HTSCAN virus scanner
Greetings,
Piet de Bondt E-Mail : bondt@dutiws.twi.tudelft.nl
------------------------------
Date: Mon, 31 May 93 09:44:43 -0400
From: wachtel@canon.co.uk (Tom Wachtel)
Subject: virus news INTERNATIONAL CONFERENCE 93
virus news
INTERNATIONAL CONFERENCE
93
23rd June 1993
Sheraton Skyline
Heathrow
Virus News International is widely recognised for its excellent
coverage of security issues. VNI contributors gather information
from around the world and are in constant contact with police forces
and law enforcement agencies. Nowhere near all of this information
has been published in VNI - yet.
As the virus field comes of age, so your need for information becomes
more and more specialised. Because you now have a much better
understanding of viruses, you are now asking more focused questions.
You will be given answers on which to build your defences against
potential security breaches.
What you will get at the VNI Conference is a concise intelligence
briefing. When you return to your organisation, you will be in a
position to update your company's policies and procedures with the
advantage of having a clear idea of what is to come.
* Why do virus authors do it?
* What new approaches are virus authors likely to take?
* How to prepare for the next attack
* Up to the minute news of activities in the virus world
What the conference will give you
One of the most frequently asked questions is "Why do they do it?"
At the VNI Conference, you will hear from people who have contacted
virus authors and who have hacked into closed computer systems.
Their insights will help you understand your enemy better.
Knowing what new angles virus authors are likely to take is one of
the questions many technical people would like to know. Vesselin
Bontchev of the Virus Test Center at the University of Hamburg is one
of the world's leading virus researchers and is better placed than
most to be able to provide at least some of the answers.
Most people assume that all anti-virus software operates in the same
way. Dr. Simon Shepherd of the United Kingdom Computer Virus
Certification Centre, University of Bradford knows better. He will
explain how a full evaluation is carried out and what you should look
for when deciding which products to use.
Dr Alan Solomon, Chairman of S & S International, will give you a
briefing on the activities of virus authors and others involved in
the dissemination of viruses. With contacts right around the globe,
Dr Solomon has an unrivalled understanding of what virus authors and
distributors are doing.
Speakers
Sara Gordon is an independent researcher and consultant in computer
security. Her insight into the minds, motives and methods of hackers
and virus writers provides a unique perspective, with a wealth of
expertise and information. She recently interviewed the Dark Avenger.
Robert Schifreen is the man the House of Lords cleared of all charges
of hacking into Prince Philip's Prestel mailbox. Now one of the
world's most respected consultants in the field of protection from
hacking, he will be giving you an insight into the motives of
hackers.
Vesselin Bontchev is a Research Associate at the University of
Hamburg, while continuing his research at the Virus Test Center there.
Dr Simon Shepherd is Senior Lecturer in Cryptography and Computer
Security at the University of Bradford, and Director of the UK
Computer Virus Certification Centre. He has extensive experience in
the design of secure communications and computing systems.
Dr Alan Solomon, one of the leading figures in the anti-virus
research community, is co-founder and technical director of the
European Institute for Computer Anti-Virus Research. He is also
Chairman of S & S International and of the IBM PC User Group.
An International Event
Virus News International has frequently shown that the appearance of
a virus in one part of the world is usually the prelude to its
appearance in other countries, probably including yours. VNI has a
truly international following and the conference provides an
opportunity to discuss experiences with delegates from around the
globe.
For the benefit of international delegates, The Sheraton Skyline at
Heathrow has been selected as the venue for the conference. VNI is
conscious that delegates must justify fees and expenses so we have
packed this conference into one day. The location makes it perfectly
possible for delegates to fly in from Europe or other parts of the
UK, spend a full and fruitful day at the conference, and return home
without incurring any overnight expense.
Who should attend?
Senior IT staff, network managers, Information Centre managers and
technical staff involved in data security procedures and development
Date 23rd June 1993
Venue The Sheraton Skyline, Heathrow
Fee L295.00 + VAT per delegate
Delegates' fees may be paid by Access or Visa or by cheque. Company
purchase orders accepted.
Since the conference is scheduled for less than one month from now,
interested persons should contact Paul Robinson on +44-792-324-000 asap.
Alternatively, his email address is 70007.5406@COMPUSERVE.COM.
- -----------------------------------------------------------------------
virus news INTERNATIONAL, William Knox House, Llandarcy, Swansea. West
Glamorgan, SA10 6NL, United Kingdom
Tel No. +44 792 324000 Fax No. +44 792 324001
===================
- --
Tom Wachtel (wachtel@canon.co.uk)
------------------------------
Date: Fri, 28 May 93 15:05:12 -0400
>From: "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Activity Monitors - variations (CVP)
PRTAVSA.CVP 930522
Activity Monitors - variations
I would like to cover, under the topic of activity monitoring
software, two variations on the theme. The first variation is very
minor: that of operation restricting software. Operation
restricting software is similar to activity monitoring software,
except that instead of watching for suspicious activities it
"automatically" prevents them. In the past I have tended to class
operation restricting software as a separate type of antiviral even
though the difference between a "monitor" and a "restrictor" is
really only one of degree in the information given to the user. The
reason that I have done so is that the "degree" is not a continuum,
and there tends to be a definite gap between those programs which
inform the user, and those which do not.
As with mainframe security "permission" systems, some of these
operation restricting packages allow you to restrict the activities
that programs can perform, sometimes on a "file by file" basis.
However, the more options these programs allow, the more time they
will take to set up. Again, the program must be modified each time
you make a valid change to the system, and, as with activity
monitors, some viri may be able to evade the protection by using low
level programming.
It is important, when evaluating both activity monitoring and
operation restricting software, to judge the extent that the
operator is given the option of "allowing" an operation. It is also
important that the operator be informed, not only that a particular
program or operation should be halted, but also why. There should
not be too many "false alarms" generated by the software, and it
would be helpful to have the option of "tuning" the software to be
less, or more, sensitive to a given type of activity.
The second variant on activity monitoring may at first seem to be
wildly diverse: "heuristic" scanning. However, please note that
heuristic scanners attempt to do the same thing that an activity
monitor does, if in a slightly different way. Instead of "waiting"
for a program to perform a suspicious activity, a heuristic scanner
examines the *code* of a program for suspicious calls (hopefully
before the program is even run). Although such scanners may be
limited to checking for very generic sections of code in their
current, natal state, eventually they will require a good deal of
"intelligence" to justify the analytical nature implied by the name
"heuristic". Heuristic scanners are currently tools best used by
those with some background in virus identification and prevention,
but they hold a promise to become very useful tools even for the
novice with future development.
copyright Robert M. Slade, 1993 PRTAVSA.CVP 930522
============== _________________________
Vancouver ROBERTS@decus.ca | | |\^/| | | swiped
Institute for Robert_Slade@sfu.ca | | _|\| |/|_ | | from
Research into rslade@cue.bc.ca | | > < | | Alan
User p1@CyberStore.ca | | >_./|\._< | | Tai
Security Canada V7K 2G6 |____|_______^_______|____|
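The column above describes a heuristic scanner as an activity monitor that reads a program's code for suspicious calls instead of waiting for them to happen, and asks that such a tool tell the operator why something was flagged and let them tune its sensitivity. The following toy scanner is an added illustration of those points, not code from Rob Slade or any product he discusses; the opcode patterns are real x86/DOS encodings, while the two sample programs are constructed byte strings, and the weights and threshold are assumed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flag:
    pattern: bytes   # byte sequence looked for in the program's code
    weight: int      # how suspicious this call is on its own (assumed)
    reason: str      # told to the operator: not just "halted" but why


# Suspicious DOS/BIOS calls, encoded as the bytes a scanner would see.
FLAGS = [
    Flag(b"\xcd\x13", 2, "INT 13h: BIOS disk access, bypassing DOS"),
    Flag(b"\xcd\x26", 3, "INT 26h: absolute disk write, bypassing the file system"),
    Flag(b"\xb4\x3c\xcd\x21", 1, "INT 21h AH=3Ch: create/truncate a file"),
    Flag(b"\xb4\x40\xcd\x21", 1, "INT 21h AH=40h: write to a file handle"),
    Flag(b"\xb8\x21\x25\xcd\x21", 3, "INT 21h AX=2521h: hook the DOS INT 21h vector"),
    Flag(b"\xb4\x4b\xcd\x21", 1, "INT 21h AH=4Bh: execute another program"),
]


def scan(code: bytes) -> tuple[int, list[str]]:
    """Static pass over the code: total weight of flags found, plus reasons.
    A program that builds its calls at run time (the 'low level' evasion the
    column warns about) would not match these fixed patterns."""
    hits = [f for f in FLAGS if f.pattern in code]
    return sum(f.weight for f in hits), [f.reason for f in hits]


def verdict(code: bytes, sensitivity: int = 4) -> tuple[bool, list[str]]:
    """Operator-tunable threshold: lower means more alarms, and more false ones."""
    score, reasons = scan(code)
    return score >= sensitivity, reasons


# Constructed samples. A plain file writer: create, write, terminate (INT 20h).
BENIGN_WRITER = bytes.fromhex("b43c cd21 b440 cd21 cd20")
# Constructed infector-like code: hooks INT 21h, writes a file, touches the
# disk through the BIOS, then terminates.
HOOKING_PROGRAM = bytes.fromhex("b82125 cd21 b440 cd21 cd13 cd20")

if __name__ == "__main__":
    for name, code in [("writer", BENIGN_WRITER), ("hooker", HOOKING_PROGRAM)]:
        flagged, why = verdict(code)
        print(name, "SUSPICIOUS" if flagged else "ok", "-", "; ".join(why))
```

At the default sensitivity the file writer passes and the hooking program is flagged with its reasons listed; dropping the sensitivity to 2 turns the writer into a false alarm, which is exactly the tuning trade-off the column describes.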
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 88]
*****************************************