From mailbox.vhc.se!mikael  Fri Feb  9 08:39:50 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Fri, 09 Feb 96 08:43:58 GMT
	for mikael
Received: from mailbox.swip.net by mn3.swip.net (8.6.8/2.01)
	id IAA17731; Fri, 9 Feb 1996 08:39:50 +0100
Received: from win95.swipnet.se (dialup97-3-11.swipnet.se [130.244.97.51])
	by mailbox.swip.net (8.6.12/8.6.12) with SMTP
	id IAA01407 for <mikael@vhc.se>;
	Fri, 9 Feb 1996 08:40:18 +0100
Message-Id: <2.2.32.19960209074128.006b9e40@mailbox.swipnet.se>
X-Sender: m-33619@mailbox.swipnet.se
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 09 Feb 1996 08:41:28 +0100
To: mikael@vhc.se
From: Nick FitzGerald <n.fitzgerald@cantva.canterbury.ac.nz> (by way of Mikael Larsson <mikael@mailbox.vhc.se>)
Subject: Fwd: VIRUS-L Digest V9 #12

From:	IN%"virus-l@lehigh.edu"  5-FEB-1996 03:46:16.50
To:	IN%"virus-l@lehigh.edu"  "Multiple recipients of list"
CC:	
Subj:	VIRUS-L Digest V9 #12

Return-path: <postmaster@csc.canterbury.ac.nz>
Received: from fidoii.CC.Lehigh.EDU ("port 4949"@fidoii.CC.Lehigh.EDU)
 by csc.canterbury.ac.nz (PMDF V5.0-5 #7295)
 id <01I0U96L4BFUPVGQEE@csc.canterbury.ac.nz> for
 uoc-virus-l@csc.canterbury.ac.nz; Mon, 05 Feb 1996 03:45:57 +1300
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with
 SMTP id <40722-5693>; Sun, 04 Feb 1996 09:28:16 -0500 (EST)
Date: Sun, 04 Feb 1996 09:16:45 -0500 (EST)
From: VIRUS-L Moderator <virus-l@csc.canterbury.ac.nz>
Subject: VIRUS-L Digest V9 #12
Sender: virus-l@lehigh.edu
To: Multiple recipients of list <virus-l@lehigh.edu>
Errors-to: postmaster@csc.canterbury.ac.nz
Reply-to: virus-l@lehigh.edu
Message-id: <01I0U823CEJ4PVGQEE@csc.canterbury.ac.nz>
Content-transfer-encoding: 7BIT
Precedence: bulk
Originator: virus-l@lehigh.edu
X-Comment: Virus Discussion List
X-Listprocessor-version: 6.0c -- ListProcessor by Anastasios Kotsikonas

VIRUS-L Digest    Monday, 5 Feb 1996    Volume 9 : Issue 12

Today's Topics:

Administrivia -- Please read (ADMIN)
Re: Usefulness of AV people
Re: virus damage to companies
Re: Usefulness of AV people
Re: Java Virus
Re: messiah info req'd
Re: Will one virus detector "detect" another one?
Re: Virus Scanner for E-Mail Attachment??
Re: Usefulness of AV people
Re: messiah info req'd
Re: Java Virus
Re: Can a computer get a virus from the internet?
Re: Can a computer get a virus from the internet?
Re: Harddrive firmware virus possible?
zingo virus
Re: Lucky?
Re: Viruses from the internet
Re: Usefulness of AV people
Re: were wolf 1996
Re: Virus concerns while using Netscape/www
Re: Usefulness of AV people
Re: Will one virus detector "detect" another one?
Re: Harddrive firmware virus possible?
Re: Java Virus
Re: messiah info req'd
Re: Usefulness of AV people

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Mon, 5 Feb 1996 02:34:00 +1300 (NZD)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Administrivia -- Please read (ADMIN)
X-Digest: Volume 9 : Issue 12

Due to the heavy demands of sorting out bad addresses on the mailing list,
etc., I've fallen a bit behind with processing submissions.  Well, have I
news for you lot...

The next few digests will be blockbusters.  I have worked thru the weekend
doing little else and have all the submissions (except for 2 or 3 that
came in as I was tidying this up) in digests now.  There are four digests
by volume (I try not to go over 60KB per digest) but five given the way
I've grouped the material.  The first two are non-specific topics (i.e.
they are items I haven't tagged MAC, OS/2, WIN, etc).  Those, plus the
Digest #11 I posted out a few hours ago should keep you busy for a
while...  Within the next 24 hours I should post out the rest with
possibly one further digest from Monday's (NZ time remember!) submissions.

Once all these are out of the way, I have at least one digest's worth of
product reviews to post.

Could you all please help me out a little??  When replying to an item in
Virus-L/comp.virus, please remember that I do not see your original
headers because they come to me via the list processor machine.  This
means I have no idea whether you've only submitted to the list/group or
whether you did that as well as CC'ing to the original poster.  From now
I'll be less likely to post what seem to me should have simply been
followups to the poster and are of likely little -general- interest to the
readers of the list/group.

Regards,

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
	      Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Mon, 29 Jan 1996 22:54:05 -0500 (EST)
From: Bruce Burrell <bpb@stimpy.us.itd.umich.edu>
Subject: Re: Usefulness of AV people
X-Digest: Volume 9 : Issue 12

Nacho Man (ht_bui@ece.concordia.ca) wrote:
> I don't mean to sound like an asshole or anything but I'm just wondering
> how an anti-virus consultant could be useful. Since I started reading
> this newsgroup, I have seen a lot of OBVIOUS advice given by these
> so-called virus specialists: "You must reboot from a clean floppy and
> then run an anti-virus software" or "Boot from an uninfected floppy
> and format disk". I assume that people who ask these questions expect    
> more in-depth answers but I guess, giving it to them would be divulging
> sensitive information, right?

   I'm not sure exactly what you want here:

   1. "Boot clean and use topnotch AV software to remove the infection" 
      is certainly good advice, and it isn't obvious to many people. 
      Just look at some of the posts here or on alt.comp.virus, and that
      will be obvious to anyone who knows what's what about viruses. 
   2. Surely you don't want an answer along the lines of "Boot clean, and 
      fire up DEBUG.  Type U 100 and reverse-engineer the virus...."  
      Many people don't understand how to set tabs, let alone program.
   3. Even giving complete directions for removing a particular virus 
      with low level tools is pointless for the common audience; they'd
      probably prefer to leave the virus intact than go through the
      technospeak required to understand the procedure, let alone execute
      it. 
   4. The best AV software can handle roughly 8000 different viruses, all
      without the user having to know anything about the particular strain
      that has infected.  Much of that software is available on the 'Net,
      and at least one of the packages is free for personal use.  *WHY*
      would an expert recommend doing it by hand when it is both easier
      and less likely to cause damage to use the utility? 
 
> This brings me to my questions: why do we need so many virus specialists
> if they all repeat the same thing? 

   Remember that those who answer here don't get paid to do so.  Perhaps 
it's part of the job description for some of the experts who represent an 
AV product, but I doubt it.  In an ideal world, those asking the 
questions would contact their AV supplier directly, but it is clear that 
often this isn't the case.  Failing that, they ask here.  Again, in a 
perfect world, a company rep for that product would be the first to see 
the request, and would answer it.  It doesn't happen that way.  As it is, 
I think it's pretty remarkable how well some vendors help out their  
competitors' clients.  Of course, there may be a statement like "and you 
can try our product to confirm the diagnosis", but I think that's fair 
for free, high-quality advice.
   Perhaps that answers another question, so I'll try again: each AV 
vendor needs specialists, and we're lucky enough to have some of them 
participate here.  Then there are independent researchers, others who 
have a professional or amateur interest in virus control, and even some 
virus authors, all of whom offer help when they know something useful.  
When the solution is unique, or the most reasonable approach, is it a 
surprise that most of the responses are similar?

   -BPB

------------------------------

Date: Tue, 30 Jan 1996 03:36:40 -0500 (EST)
From: Aryeh Goretsky <goretsky@netcom.com>
Subject: Re: virus damage to companies
X-Digest: Volume 9 : Issue 12

Although not mentioned expressly, one other "cost" to be considered is
the cost of goodwill and trust "spent" during (or after) a virus removal:

After a day (or several days) of frantic virus removal, emotions are 
likely to run high.  It may be possible that the organization which
was infected may go on a "witch-hunt" to determine who is to "blame" for
the virus incident.  Accusations and tempers may flare as management
tries to find an employee, vendor, or outside contractor who brought
the virus in.

The cost in terms of lost employee productivity and bruised business
relationships from this is not always easy to calculate (nor is it
always financial).

Regards,

Aryeh Goretsky

______________________________________________________________________________
Aryeh Goretsky                                  EMAIL goretsky@netcom.com
627 W Midland Ave                               CompuServe     76702,1714
Woodland Park, CO                               TEL     +1 (719) 687-0480
USA    80863-1100                               FAX     +1 (719) 687-0716

------------------------------

Date: Tue, 30 Jan 1996 03:53:41 -0500 (EST)
From: Aryeh Goretsky <goretsky@netcom.com>
Subject: Re: Usefulness of AV people
X-Digest: Volume 9 : Issue 12

I think this is actually a very good question, Bui.  You're not an
asshole at all for bringing it up.  Let's look at a few aspects of
it.

First off, a lot of what is considered 'obvious' to experts is not
always so clear to novices.  Generally speaking, an expert has an
in-depth knowledge of the sequence of events that occurs in a computer
virus infection and can work through all the "cause and effect"
chains caused by unique combinations of circumstances.  Or, in other
words, they have a greater ability to clearly think things through
and see where something must be (or should not be) done at an early
stage in order to reach a satisfactory conclusion.

The keyword here is "clearly."  Computer viruses still manage to 
push many peoples' anxiety buttons.  They are upset, worried, and
concerned.  An expert is able to provide a soothing effect by 
appearing calm and authoritative.  This helps relieve the anxiety
felt by the person who has a virus on their computer.

I have found that a sizable percentage of technical support is
in "hand-holding," i.e. reassuring the customer, as opposed to the
conveyance of the actual information needed to remove a virus.

I hope this answers your question.

Regards,

Aryeh Goretsky

______________________________________________________________________________
Aryeh Goretsky                                  EMAIL goretsky@netcom.com
627 W Midland Ave                               CompuServe     76702,1714
Woodland Park, CO                               TEL     +1 (719) 687-0480
USA    80863-1100                               FAX     +1 (719) 687-0716

------------------------------

Date: Tue, 30 Jan 1996 04:01:47 -0500 (EST)
From: "A.Appleyard" <A.APPLEYARD@fs2.mt.umist.ac.uk>
Subject: Re: Java Virus
X-Digest: Volume 9 : Issue 12

Fred Cohen <fc@all.net> and the moderator wrote about Java Virus. What is
the Java system?

------------------------------

Date: Tue, 30 Jan 1996 07:05:03 -0500 (EST)
From: Fridrik Skulason <frisk@complex.is>
Subject: Re: messiah info req'd
X-Digest: Volume 9 : Issue 12

In <0001.01I0LP9POC0OPCQYD3@csc.canterbury.ac.nz> tom southey
<tsouthey@connect.ab.ca> writes:

>Anybody have any info on a virus called messiah?

Called so by what?  This is not a CARO standard name of any virus.

-frisk

-- 
Fridrik Skulason      Frisk Software International     phone: +354-5-617273
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-5-617274

------------------------------

Date: Tue, 30 Jan 1996 07:54:21 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: Re: Will one virus detector "detect" another one?
X-Digest: Volume 9 : Issue 12

<steve640@aol.com> writes

>When I run a virus checker against my hard disk, are they 
>typically just looking for bit patterns in executable files?
>If they only check for matching patterns in exe files, will
>one virus detector see another virus detectors signatures files
>as a virus?

Most scanner authors select different scan strings, then they also encrypt
the scan strings to prevent false alarms. Only two programs that I am
aware of leave unencrypted virus scan strings in memory.

	Bill Lambdin

---------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08
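
The point Bill makes above, that a scanner's own scan strings must not sit around in the clear or another scanner will match on them, can be shown in a few lines. The following Python is an added illustration, not code from the digest or from any product named in it: the scan strings are constructed, harmless ASCII markers, and the single-byte XOR masking and the `name=pattern` database format are assumptions chosen for brevity.

```python
"""Added example (not from the digest): plaintext scan strings in one scanner's
database (or memory image) are themselves a match for any other scanner that
knows the same pattern; masking them at rest removes that false alarm.

All scan strings below are constructed, harmless ASCII markers."""
from __future__ import annotations

# Constructed stand-ins for detection patterns (not bytes of any real virus).
SCAN_STRINGS: dict[str, bytes] = {
    "Constructed.A": b"CONSTRUCTED-SIGNATURE-A",
    "Constructed.B": b"CONSTRUCTED-SIGNATURE-B",
}

MASK_KEY = 0x5A  # assumption: single-byte XOR; stops a literal match, is not secrecy


def mask(pattern: bytes, key: int = MASK_KEY) -> bytes:
    """Reversible masking: XOR every byte so the pattern never appears literally."""
    return bytes(b ^ key for b in pattern)


def scan(data: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Plain substring scanner: names of every signature found in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def build_database(signatures: dict[str, bytes], masked: bool) -> bytes:
    """Serialise the signature set the way it would sit on disk or in memory.

    Record format (assumption): one 'name=stored' record per line.  It relies on
    the constructed strings containing no newline byte before or after masking."""
    records = []
    for name, pattern in signatures.items():
        stored = mask(pattern) if masked else pattern
        records.append(name.encode() + b"=" + stored)
    return b"\n".join(records)


def load_database(blob: bytes, masked: bool) -> dict[str, bytes]:
    """Inverse of build_database: recover usable scan strings from the stored form."""
    signatures = {}
    for record in blob.split(b"\n"):
        name, stored = record.split(b"=", 1)
        signatures[name.decode()] = mask(stored) if masked else stored
    return signatures


def cross_scan_alarms(masked: bool) -> list[str]:
    """Scan vendor X's database file with vendor Y's scanner.

    Assumption: both vendors picked the same scan strings, the worst case the
    post describes.  With masked=False every record is a false alarm; with
    masked=True nothing matches, although the loaded strings still detect."""
    database_file = build_database(SCAN_STRINGS, masked)
    return scan(database_file, SCAN_STRINGS)


def detect_sample(sample: bytes) -> list[str]:
    """Round trip: a masked database still detects once loaded back into memory."""
    signatures = load_database(build_database(SCAN_STRINGS, masked=True), masked=True)
    return scan(sample, signatures)


if __name__ == "__main__":
    print("plaintext database scanned by another scanner:", cross_scan_alarms(masked=False))
    print("masked database scanned by another scanner:  ", cross_scan_alarms(masked=True))
    print("masked database still detects a sample:      ",
          detect_sample(b"header CONSTRUCTED-SIGNATURE-B trailer"))
```

The masking is there only to keep the literal pattern out of files and memory images; it is not meant to hide the signatures from anyone who wants them, which is why real products also diversify the strings they choose, as the post notes.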

------------------------------

Date: Tue, 30 Jan 1996 07:54:16 -0500 (EST)
From: Bill lambdin <vfreak@skn.net>
Subject: Re: Virus Scanner for E-Mail Attachment??
X-Digest: Volume 9 : Issue 12

<gwenzel@gpu.srv.ualberta.ca> writes

>I believe that PC-Cillin scans uuencoded e-mail attachments...  but this
>really isn't necessary.  Most antivirus programs contain a TSR or a VxD,
>which scan files as they are created (or run, or accessed... many ways to
>skin the same cat) - these programs would do the same thing, but once the
>message has been decoded.  They would likely stop the running of the
>program until it has been disinfected.

PC-cillin is not a scanner at all. It is a resident behaviour blocker, i.e.,
it detects viruses via generic methods without the use of scan strings at all.

	Bill Lambdin

---------------------------------------------------------------------------
vfreak@skn.net                     PGP fingerprints 9C CD 47 F3 C7 65 CA 33
102524.2206@compuserve.com                          C7 7D 69 8B 26 0C F8 08

------------------------------

Date: Tue, 30 Jan 1996 09:12:53 -0500 (EST)
From: Iolo Davidson <iolo@mist.demon.co.uk>
Subject: Re: Usefulness of AV people
X-Digest: Volume 9 : Issue 12

In article <0008.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>
	   ht_bui@ece.concordia.ca "Nacho Man" writes:

> I have seen a lot of OBVIOUS advice given by these so-called
> virus specialists: "You must reboot from a clean floppy and
> then run an anti-virus software" or "Boot from an uninfected
> floppy and format disk".

This is not obvious to the people who are asking for help.  It is
not even obvious to them that they could get the information they
need (the same information) by reading the FAQ.

> I assume that people who ask these questions expect
> more in-depth answers but I guess, giving it to them would be
> divulging sensitive information, right?

Wrong.  People asking for info usually just want a quick fix.
Technical details about many viruses are available to the
public, at AV web sites etc, but the numbers rise too fast for
there ever to be detailed information available for every virus.

> This brings me to my questions: why do we need so many virus
> specialists if they all repeat the same thing?

Because there are too many people asking the same questions
repeatedly instead of consulting the FAQ.  With enough
specialists, the load can be shared.

--
NO LADY LIKES               ACCOMPANIED BY
	     TO DANCE                     A PORCUPINE
		     OR DINE                         Burma-Shave

------------------------------

Date: Tue, 30 Jan 1996 10:53:29 -0500 (EST)
From: "M.Torr" <dm7mt@hull.ac.uk>
Subject: Re: messiah info req'd
X-Digest: Volume 9 : Issue 12

This is the virus which plays the tune to "If you're happy and you know it
clap your hands" etc.... It places a picture of Jesus on the cross on the
screen and various other pieces of information. Watch this space for a more
detailed breakdown in the next few days!

Mark.

------------------------------

Date: Tue, 30 Jan 1996 12:43:40 -0500 (EST)
From: Brian Daniels <bdaniels@mercury.interpath.com>
Subject: Re: Java Virus
X-Digest: Volume 9 : Issue 12

Fred Cohen <fc@all.net> wrote:

>> [Moderator's note:  All the technical accounts and opinions of
>> security experts I've seen to date suggest that the Java designers
>> "did it right", but there is concern that "non-standard extensions"
>> may become an expected, albeit unofficial, part of future Java
>> developments.  As with the development of HTML, the pressure would
>> then be on the developers of "browsers" and service providers to
>> support these extensions, so they could keep up with the latest,
>> coolest trends.  If these extensions get beyond the control of the
>> original developers there is no saying what insecurities they will
>> allow...
>
>The Java designers did not "do it right" - you might be interested in
>articles in the info-sec super journal on this and closely related
>subjects. (http://all.net/
>       browse -> (super-journal) Miscellaneous Contributions
>       browse -> (super-journal) Articles on Network Security (Dec 95)
>
>[Thanks Fred--Moderator]

Uhh...what in the two articles mentioned brings you to the conclusion
that the Java designers did not "do it right"?

The article on Java basically supports the view that it is reasonably
safe:

"Anyone that is considering using Java needs to understand that it
does increase the security risk, but that it does provide a fairly good
``firewall'' (to extend the Internet connection example). "

"The given analysis shows that Java is effective at preventing the
more dangerous types of attacks."

In its point-by-point assessment of Java's risks, the primary problems
noted are with availability attacks (like opening lots of windows on
your screen, or filling memory) and annoyance attacks (like playing
rude sounds at you).  These are both extremely difficult to avoid (how
can Java possibly tell that the file fanfare.au is actually someone
saying 7 nasty words?), and are not overly worrisome.  On the other
points noted; integrity and disclosure, Java was rated as "attacks can
easily be prevented by the access control capabilities."  

The main concerns seem to be the importance of correct coding in the
browser and libraries.  This will always be true - no matter how
secure the design spec, if someone blunders in the code then security
holes may be created.  Unfortunately, only time and attacks will test
the skill of Java's coders.

Perhaps of more concern is the requirement that the developer of the
browser software code implement the security policies correctly.
Again, this is not specific to Java - if the browser ignores the
language restrictions (i.e. doesn't implement the security checks)
then any code it runs could be destructive.

Java has risks, but so does turning your computer on, or (horrors!)
connecting it to a network.  It will take time (and probably a few
nasty incidents) to test Java in the real world.  However, I don't see
anything in Java, or the articles mentioned, to make a flat statement
that the Java authors did not "do it right".

--Brian

Brian Daniels                   | Gremlins squashed, bit-buckets emptied,
bdaniels@mercury.interpath.net  | webs woven&patched, cables untangled,
My opinions, not Interpath's    | users placated (extra fee), demons summoned
//www.interpath.net/~bdaniels/  | & dispelled, hacks while you wait!

------------------------------

Date: Tue, 30 Jan 1996 14:07:33 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Can a computer get a virus from the internet?
X-Digest: Volume 9 : Issue 12

Fred Cohen <fc@all.net> writes:

> postscript file with a normal postscript interpreter.  Our web site
> provides a test to see if your postscript interpreter is configured and
> if so whether it has the most obvious of these vulnerabilities.
> (http://all.net/ -> test)

Cute. The correct URL is http://all.net/tests/webtest.html, actually.
But your "browser abusers" aren't even remotely as powerful as

	http://www.waste.org/~oxymoron/crash/

For instance, the latest beta of Netscape for Windoze passed all the
three of your tests, yet it is still buggy as an anthill.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 14:09:09 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Can a computer get a virus from the internet?
X-Digest: Volume 9 : Issue 12

Doug Muth <dmuth@oasis.ot.com> writes:

>       No, the only way you will be able to get a virus would be to get 
> an executable file from a website and run it on your system. 

That's not quite precise. The only way to get a virus would be to
execute (or interpret) an infected executable program. This program
can be in an executable file, in a boot sector, or even in the macro
area of a WinWord document or Excel spreadsheet.

> Should you 
> download a file that is infected with a virus, just running the usual 
> scanners on it, as you would any other software, will do the trick.

Only if it is a virus that these scanners know about and can detect.

Regards,
Vesselin
-- 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 16:14:35 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Harddrive firmware virus possible?
X-Digest: Volume 9 : Issue 12

In article <0010.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>,
support@vse.ac-copy.com writes:
: Just yesterday I read that the most recent generation of harddrives no
: longer contain the firmware in ROM, but on a reserved track on the disk,
: which is booted on power up. The reason for this should be that the
: firmware is easily upgradeable.

	I think what you are referring to are the drivers stored on IDE 
disks greater than 540 MB because an IDE controller can normally access 
only 540 MB.  Anything past that requires a special driver loaded at bootup.

: This is where I got some rather frightening ideas: if this code is
: accessible on a regular harddrive already in use, what precautions are
: there to prevent access?

	I think this code is more like an extension of the bootsector, 
and if you are infected with a bootsector virus that checks if sectors 
are already in use, it shouldn't cause any major problems.  I know 
that with my Seagate 1GB, the driver program can be placed on a floppy 
and booting from the floppy will run the driver program thus making the 
full 1GB available.

	Regards,

--
--<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
---<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html

------------------------------

Date: Tue, 30 Jan 1996 15:19:30 -0500 (EST)
From: Ted Rollheiser <trollhei@sonic.net>
Subject: zingo virus
X-Digest: Volume 9 : Issue 12

Does anyone have any information about a virus that displays "zingo day 
has arrived" during the booting process? We don't know what the other 
effects might be yet.

Ted Rollheiser


------------------------------

Date: Tue, 30 Jan 1996 15:56:44 -0500 (EST)
From: Doug Muth <dmuth@oasis.ot.com>
Subject: Re: Lucky?
X-Digest: Volume 9 : Issue 12

In article <0002.01I0LP4Q7OWKPCQYD3@csc.canterbury.ac.nz>, William Bebout
writes:
: I have been using the net and BBS's for 5 years.  I have never
: encountered a virus.  I consider myself very fortunate.  I watch with
: interest some of the posts here but I have a question.  Where are most
: people contracting these nasty programs?  

	Well, I don't have the numbers to back this up, but I believe 
that the most infections come through commercial packages.  Probably 
because people who buy them think that because they come from some big 
company that they are virus free.

[Moderator's note:  I'd be most interested in figures supporting that
contention!  Most AV experts I associate with seem to agree that "most"
infections come from accidental rebooting of machines with BSI/MBR-
infected diskettes left in their A: drives...  The figures vary, but they
tend to be in the range 60-85%.]

	I myself have only encountered one unexpectedly, and that was on 
Night Owl #15 (or was it 16?) in the DMNCHEAT.ZIP file that had a copy of 
tai-pan in it.

: I am using NAV and am unsure
: whether it works because of never being infected.

	Well, from what I have read, NAV has detection rates of only 70% 
or so.  A good scanner should have 90%+ for a detection rate.  You can 
find links to several AV products from my virus homepage. (URL in the 
SIG file) Please note that some of the links are outdated, such as 
complex.is for F-Prot.

	Regards,

--
--<Doug Muth>---<dmuth@ot.com>--| Finger dmuth@oasis.ot.com for
---<http://www.ot.com/~dmuth>---| PGP public key and geek code
Anti-virus software and utils:  | The Transformers fanfiction:
~dmuth/virus/virus.html         | ~dmuth/tf/tf.html

------------------------------

Date: Tue, 30 Jan 1996 14:46:52 -0500 (EST)
From: Lee Brown <lee.brown@ukonline.co.uk>
Subject: Re: Viruses from the internet
X-Digest: Volume 9 : Issue 12

On 29 Jan 1996 12:11:13 -0000, George Wenzel
<gwenzel@gpu.srv.ualberta.ca> wrote:

>>I am using the Dial up Networking with WIN95 to connect my PC to an 
>>university account. Can a virus infect a computer by downloading image 
>>files, sound files, and other types of files from Web sites? Can you get 
>>a virus just by going to a Web site? If so, will an anti-virus program 
>>detect it?

>There is a disclaimer here:  If you download an executable file
>(basically any sort of program, a DLL, a screen saver, many others) there
>is a possibility of your computer being infected with a virus when you
>run the executable.  

>It is HIGHLY advisable that you obtain a reputable anti-virus program,
>either from the web (which would be less featured, usually with no tech
>support) or by buying a commercial program (more expensive, more
>featured, more support).  

I use Dr Solomon's Virus Toolkit for Win95 and it is fantastic at
finding viruses from the net, i.e. if you get an EXE, BAT or DLL file
attached to your e-mails etc.. before you run them, just get Dr S. to
check them over. I've found two viruses that could have destroyed my hard
disk, but thanks to Dr S., they were cut out straight away.

If you are more concerned about Internet viruses getting past your
e-mail, or files being downloaded that have viruses, then I would
strongly recommend PC-Cillin for Windows. It's cheaper than Dr
Solomon's, but the bonus with PC-Cillin is that it stops the files
before they are even downloaded onto your PC.  PC-Cillin is designed
for the Internet and does not allow anything past your modem if it
contains a virus :)

It will constantly monitor your Internet connection for any files you
try and download or even upload; when it detects a virus it will
prompt you and then stop the transfer... if it finds an e-mail with a
virus attached it will prompt you again and immediately delete it.
If you buy this package then you can get free virus updates directly
from their home-page at no extra cost.. 

So all in all, I suggest getting PC-Cillin... do a web search on the
name and it will give you a home-page address, I cannot remember
myself... Good luck!!!

Regards,
Lee.
*********************************
lee.brown@ukonline.co.uk
*********************************

[Moderator's note:  Following the thread so far, there is a question as to
whether PC-Cillin will in fact stop you downloading anything infected--
what about UU- or MIME Base64- encoded Email?  Presumably it will pull up
when you decode these, but that hasn't stopped a form of them getting onto
your machine, which is the strong claim Lee is making here.]
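
The moderator's question above turns on where the scan happens: a detection pattern that is plainly visible in the decoded attachment does not appear in the Base64 or uuencoded text that actually crosses the modem, so a filter on the raw stream sees nothing until the mailer decodes. The following Python is an added illustration, not from the digest or from PC-Cillin; the message, the marker and the `constructed.bin` filename are constructed, and the substring search stands in for a real scan engine.

```python
"""Added example (not from the digest): the same attachment scanned on the wire
(still encoded) and after MIME/uu decoding.  Message, marker and filename are
constructed; the substring search stands in for a real scan engine."""
from __future__ import annotations

import binascii
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed detection pattern.  Lower-case letters cannot occur in uuencoded
# text and '-' is outside the Base64 alphabet, so an encoded copy of this marker
# can never contain the marker itself.
MARKER = b"constructed-scan-string"


def build_message(payload: bytes) -> bytes:
    """Constructed e-mail carrying payload as a Base64-encoded binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    # add_attachment Base64-encodes non-text payloads by default.
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="constructed.bin")
    return msg.as_bytes()


def scan_transport_bytes(raw: bytes) -> bool:
    """What a filter sitting on the modem sees: the raw, still-encoded stream."""
    return MARKER in raw


def scan_decoded_parts(raw: bytes) -> list[str]:
    """Parse the message and scan every leaf part after its transfer encoding is undone."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        content = part.get_payload(decode=True) or b""
        if MARKER in content:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


def uuencode(data: bytes, name: str = "constructed.bin") -> bytes:
    """Minimal uuencoder (45 input bytes per line), the older attachment format."""
    lines = [f"begin 644 {name}\n".encode()]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]))
    lines.append(b"`\nend\n")
    return b"".join(lines)


def uudecode(text: bytes) -> bytes:
    """Inverse of uuencode: skip the begin/end framing and decode each data line."""
    out = []
    for line in text.splitlines(keepends=True):
        if line.startswith(b"begin ") or line.strip() in (b"", b"`", b"end"):
            continue
        out.append(binascii.a2b_uu(line))
    return b"".join(out)


if __name__ == "__main__":
    raw = build_message(b"constructed binary header\x00" + MARKER + b"\x00trailer")
    print("marker visible in encoded SMTP stream:", scan_transport_bytes(raw))
    print("marker found after MIME decoding:     ", scan_decoded_parts(raw))
    uu = uuencode(MARKER)
    print("marker visible in uuencoded text:     ", MARKER in uu)
    print("marker found after uudecode:          ", MARKER in uudecode(uu))
```

A filter that wants to stop the file "before it is downloaded" therefore has to parse and decode the mail stream itself; otherwise the encoded copy lands on the machine and the catch happens only when the mailer or the user decodes it.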

------------------------------

Date: Tue, 30 Jan 1996 18:00:15 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: Usefulness of AV people
X-Digest: Volume 9 : Issue 12

Nacho Man <ht_bui@ece.concordia.ca> writes:

>I don't mean to sound like an asshole or anything but I'm just wondering
>how an anti-virus consultant could be useful. Since I started reading
>this newsgroup, I have seen a lot of OBVIOUS advice given by these
>so-called virus specialists: "You must reboot from a clean floppy and
>then run an anti-virus software" or "Boot from an uninfected floppy
>and format disk". I assume that people who ask these questions expect    
>more in-depth answers but I guess, giving it to them would be divulging
>sensitive information, right?

Our assumption is that people who ask these questions want to get past
their problem.  1) Get past the panic.  2) Now teach me what I need to
know so it doesn't happen again.  So, here we get people past the panic.
Consequently, we also expose our email addresses for the followup phase.
The followup phase usually involves a bit of marketing, which is avoided
in this forum.

>This brings me to my questions: why do we need so many virus specialists
>if they all repeat the same thing? 

Basically, a portion of the public won't believe one "partisan" voice.  
So, you need at least 2 if they're affiliated.  Secondly, we wouldn't 
need so many ANTIvirus specialists if there weren't so many VIRUS 
specialists to start with.  :-(

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 30 Jan 1996 18:03:12 -0500 (EST)
From: "Chengi J. Kuo" <cjkuo@alumnae.caltech.edu>
Subject: Re: were wolf 1996
X-Digest: Volume 9 : Issue 12

Super D <perderea@worldnet.net> writes:
>Does anyone know the new virus WEREWOLF 1996 ?

It appears to be in the wild in France.  It appears to be from a
French author(s) as there appear to be more of the same coming
from France.  It's a file infector.

I haven't spent any time deciphering the virus.
You can use our 9601 DAT set to detect it.

Jimmy
cjkuo@mcafee.com

------------------------------

Date: Tue, 30 Jan 1996 19:22:53 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Virus concerns while using Netscape/www
X-Digest: Volume 9 : Issue 12

Tim Stewart <timmy@primenet.com> writes:

> In the message I just read through from this list, I saw a paragraph 
> which sparked some concern for me about the possibility of viruses 
> being introduced into our network through the use of netscape, I 
> assume specifically by allowing one of the 'plugin' helper apps to 
> automatically execute a sound or video or other file after 
> downloading.

Yes, sort of. For instance, if you use this capability of Netscape and
tell it to use WinWord to view files with a DOC or DOT extension, and
if someone's web link contains such a file which is infected with a
macro virus, the virus will infect your system when you click on the
link containing the file.

A more elaborate chain is possible too. For instance, I have
demonstrated that "infection with a few clicks" can happen this way.
Suppose that you configure Netscape to launch WinZip to view the links
which contain ZIP files, and you use the file manager to associate
WinWord with the files with a DOT or a DOC extension. Now, consider a
web link which contains a ZIP archive, which contains some DOC files,
which are infected with a macro virus. You click on the link, Netscape
launches WinZip, WinZip presents you the contents of the archive. You
double-click on one of the DOC files, WinZip launches WinWord to read
the infected document, and the virus in it infects your system.

In short, it is a Very Bad Idea (tm) to use WinWord for automatic
viewing of documents that come from the 'net. Better use the Wordview
program - a freeware WinWord document viewer from Microsoft. It cannot
interpret macros, so it is not vulnerable to macro virus attacks.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

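The helper-application chain Vesselin describes, written up as a small audit script. This is an added example and not code from the digest, Netscape or any vendor: the helper tables, the program names and the sample ZIP archive are constructed for illustration, and the table is a model of "which program gets control when the user clicks", not Netscape's real configuration format.

```python
"""Audit a browser helper-application table for macro-capable viewers.

Added example (not from the digest). It models the chain described in the
message: a downloaded file is handed to a helper by extension, and an
archive helper (WinZip) in turn opens each member through the file
manager's associations. Table contents, program names and the sample ZIP
are constructed for illustration.
"""
import io
import zipfile

# Programs that execute embedded macros: a file from the 'net must never be
# handed to one of these automatically. Names are constructed, lower-case.
MACRO_CAPABLE = {"winword", "excel"}
ARCHIVE_VIEWERS = {"winzip"}

# Constructed helper tables: extension -> program. The first is the risky
# setup from the message, the second swaps in a viewer that cannot run macros.
RISKY_HELPERS = {".doc": "winword", ".dot": "winword", ".zip": "winzip"}
HARDENED_HELPERS = {".doc": "wordview", ".dot": "wordview", ".zip": "winzip"}


def extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def launch_chain(name, data, helpers, depth=0):
    """Programs that would run, in order, if `name` were clicked under the
    given helper table. Archive members are resolved recursively (to a
    small depth) because the archive viewer hands them on by association."""
    program = helpers.get(extension(name))
    if program is None:
        return []            # no helper: the browser offers to save, nothing runs
    chain = [program]
    if program in ARCHIVE_VIEWERS and depth < 3:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    chain.extend(launch_chain(info.filename, zf.read(info),
                                              helpers, depth + 1))
        except zipfile.BadZipFile:
            pass             # not a real archive: the viewer shows an error
    return chain


def audit(name, data, helpers):
    """Macro-capable programs that would gain control for this download."""
    return sorted({p for p in launch_chain(name, data, helpers) if p in MACRO_CAPABLE})


def make_sample_zip():
    """Constructed archive: a DOC (dummy bytes, not a real document), a text
    file and a nested ZIP holding a DOT template."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("template.dot", b"dummy template bytes")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.doc", b"dummy document bytes")
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip()
    for table_name, table in (("risky", RISKY_HELPERS), ("hardened", HARDENED_HELPERS)):
        print(table_name, launch_chain("report.zip", sample, table),
              "-> macro-capable:", audit("report.zip", sample, table))
```

The audit only reports which programs would be given the file; it says nothing about whether a given document actually carries a macro, which is the point of the message: the safe setting is one where the answer does not matter, because the viewer (Wordview in the hardened table) cannot interpret macros at all.
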
------------------------------

Date: Tue, 30 Jan 1996 19:29:17 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Usefulness of AV people
X-Digest: Volume 9 : Issue 12

Nacho Man <ht_bui@ece.concordia.ca> writes:

> I don't mean to sound like an asshole or anything but I'm just wondering
> how an anti-virus consultant could be useful. Since I started reading
> this newsgroup, I have seen a lot of OBVIOUS advice given by these
> so-called virus specialists: "You must reboot from a clean floppy and
> then run an anti-virus software" or "Boot from an uninfected floppy
> and format disk".

Well, believe it or not, these things are not obvious to most users. I
once had a case of a user who didn't know how to boot from a floppy at
all - he thought that the computer is designed to always boot from the
hard disk.

> I assume that people who ask these questions expect    
> more in-depth answers but I guess, giving it to them would be divulging
> sensitive information, right?

Wrong. We give precisely the information that the inexperienced users
need from us. Some of us often provide more technical information, if
they feel that the person asking the question is able to understand
it.

> This brings me to my questions: why do we need so many virus specialists
> if they all repeat the same thing? 

You wouldn't need so many of us if most people bothered to do what we
are repeating.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 19:31:57 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Will one virus detector "detect" another one?
X-Digest: Volume 9 : Issue 12

Steve640 <steve640@aol.com> writes:

> When I run a virus checker against my hard disk, are they 
> typically just looking for bit patterns in executable files?

That depends on the particular virus checker and the principles it is
based on.

> If they only check for matching patterns in exe files, will
> one virus detector see another virus detectors signatures files
> as a virus?

Yes, that is why it is considered state-of-art to keep the scan
strings encrypted in the anti-virus programs.

BTW, I already replied to a copy of this message in alt.comp.virus.
Replying twice tends to be boring. On the other hand, if I do not
reply, some people who do not have access to alt.comp.virus will not
be able to read the answer. If I have to post the answer only in a
single newsgroup, I would prefer to post it in comp.virus. However,
this newsgroup is moderated, which means that I see the duplicated
message several days after I have seen it in alt.comp.virus - and when
I see it in a.c.v., there is no clue that it has been posted to c.v.
as well... Any ideas how to solve this problem?

[Moderator's note:  Sorry, but because comp.virus traffic is generated
from the digested form sent out on Virus-L by a "mail exploder", there is
no mechanism for dealing with cross-posts.  In fact, because of the way
the Lehigh listserv works, I am unaware of whether someone cross-posted to
other groups when they posted a comp.virus submission.  On the issue of
the time delay between items appearing in both groups, I have had much
more mail bounce traffic to deal with than I ever imagined or Ken could
have prepared me for.  I have finally broken the back of that - each mailout
now produces about 18-20 persistent bounces I can't find the culprits for
on the subscriber list, anywhere from 5-20 "temporarily undeliverable"
warnings that I ignore (unless they persist for 3 or 4 digest mailouts)
and anywhere from 5-15 "new" unknown user type bounces.  Having attained
such a low error rate (Ken was impressed) I am trying to clear the whole
submission backlog this weekend and then you should seldom see
submissions with more than a 24 hour posting delay.]

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

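The point about encrypted scan strings, shown with two toy scanners. This is an added example, not code from the digest or from any anti-virus product: the "signatures" are arbitrary constructed byte strings, not real virus patterns, the masking key is constructed, and the database format is invented for the demonstration.

```python
"""Why a scanner should not store its scan strings in the clear.

Added example, not part of the digest. A plain pattern scanner is run over
another scanner's database file: stored verbatim, the scan strings trigger
false alarms; stored XOR-masked, the file contains no scan string and is
clean, while the masked database still works once unmasked in memory.
Signatures, key and sample files are all constructed.
"""
import struct

# Constructed scan strings: arbitrary bytes standing in for the code
# fragments a real scanner would look for.
SIGNATURES = {
    "Demo.A": b"\xeb\x1e\x90DEMO-A\x00",
    "Demo.B": b"DEMO.B marker 1234",
}

# Constructed masking key. It only has to keep the plaintext pattern out of
# the file on disk; it provides no secrecy against anyone holding the key.
MASK_KEY = bytes([0xA5, 0xC3, 0x96, 0xD2])


def scan(data, signatures):
    """Plain pattern scanner: names of every scan string found in `data`."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def xor_mask(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_database(signatures, key=None):
    """Serialise signatures as length-prefixed records (1-byte name length,
    name, 2-byte body length, body). With `key`, each pattern is XOR-masked
    before it is written, so the plaintext never reaches the file."""
    out = bytearray()
    for name, pattern in signatures.items():
        body = xor_mask(pattern, key) if key else pattern
        out += struct.pack("<B", len(name)) + name.encode()
        out += struct.pack("<H", len(body)) + body
    return bytes(out)


def load_database(blob, key=None):
    """Inverse of pack_database; patterns are unmasked in memory only."""
    sigs, pos = {}, 0
    while pos < len(blob):
        n = blob[pos]; pos += 1
        name = blob[pos:pos + n].decode(); pos += n
        (m,) = struct.unpack_from("<H", blob, pos); pos += 2
        body = blob[pos:pos + m]; pos += m
        sigs[name] = xor_mask(body, key) if key else body
    return sigs


def demo():
    """Scanner B (same strings, plain matcher) looks at scanner A's database
    files, then the masked database is used to scan constructed samples."""
    plain_db = pack_database(SIGNATURES)
    masked_db = pack_database(SIGNATURES, MASK_KEY)
    # Constructed "infected" and clean samples (a fake EXE header plus padding).
    infected = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURES["Demo.A"] + b"\x00" * 8
    clean = b"MZ\x90\x00" + b"\x00" * 32
    loaded = load_database(masked_db, MASK_KEY)
    return {
        "other_scanner_on_plain_db": scan(plain_db, SIGNATURES),
        "other_scanner_on_masked_db": scan(masked_db, SIGNATURES),
        "masked_db_roundtrip": loaded == SIGNATURES,
        "infected": scan(infected, loaded),
        "clean": scan(clean, loaded),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The masking is there to stop a scan-string database, or the scanner's own executable, from looking like an infected file to a second product; it is not a secrecy measure, and the same reasoning applies to any other file that carries raw scan strings, such as a detection test set.
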

------------------------------

Date: Tue, 30 Jan 1996 19:40:18 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Harddrive firmware virus possible?
X-Digest: Volume 9 : Issue 12

support@vse.ac-copy.com writes:

> Just yesterday I read that the most recent generation of harddrives no
> longer contain the firmware in ROM, but on a reserved track on the disk,
> which is booted on power up. The reason for this, should be, that the
> firmware is easily upgradeable.

If you are referring to the special drivers used to access hard disks
larger than 528 Mb on computers without built-in LBA translation in
the BIOS, then this concept is rather obsolete; not "the most recent
generation".

> This is where I got some rather frightening ideas: if this code is
> accessible on a regular harddrive already in use, what precautions are
> there to prevent access?

You are right to be frightened. People with such disks who get
infected with a boot sector virus are usually in serious trouble. What
can be done? First, avoid such environments. Second, boot the machine
from a floppy and make a backup copy of the contents of track zero -
or at least of that part of it that you can read after booting from a
floppy. Third, contact the company that produces the driver and ask
their technical support how to restore the driver if it becomes
damaged. (Do not mention the word "virus" when talking to them.)

> Does anyone know more about this? Drive manufacturers preferred :-)

I know of two *software* manufacturers who produce such drivers; I
have seen these two drivers used on many different hard disks. One of
the manufacturers is OnTrack and the other is Microhouse. Both are
present on the Web, so you should be able to find them with a web
search.

> What if someone DOES download altered code to the drive. Since the
> firmware does some caching, the ultimate dropper is easy to write...

In case you are indeed referring to *firmware* updates (as opposed to
a software driver on track zero), then most producers of such things
(e.g., Flash BIOSes) are sensible enough to require a hardware jumper
or a switch to be enabled, in order for write access to be permitted.

> And if the firmware controls the drive motors directly, a few parameter
> changes would permanently ruin the drive...

Nope, if the hardware is properly designed.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

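The "back up track zero and know how to restore it" advice, turned into a script. This is an added example, not from the digest or from OnTrack or Microhouse: it assumes 512-byte sectors and 63 sectors per track (the classic CHS layout), the disk image it works on is constructed in memory, and the partition entry and "driver" bytes in it are placeholders.

```python
"""Back up and verify track zero of a disk image or raw device.

Added example, not from the digest. Sector size and track length are
assumptions (512-byte sectors, 63 sectors per track); the sample image
is constructed and not a real drive.
"""
import hashlib
import io
import struct

SECTOR_SIZE = 512        # assumed: classic 512-byte sectors
TRACK0_SECTORS = 63      # assumed: 63 sectors per track (CHS geometry)
MBR_SIGNATURE = b"\x55\xaa"


def read_track0(disk, sectors=TRACK0_SECTORS):
    """Read the first `sectors` sectors from an open binary file: a disk
    image, or a raw device opened read-only with sufficient privileges."""
    disk.seek(0)
    data = disk.read(sectors * SECTOR_SIZE)
    if len(data) < sectors * SECTOR_SIZE:
        raise ValueError("short read: image smaller than one track")
    return data


def backup_track0(disk, backup, sectors=TRACK0_SECTORS):
    """Copy track zero to `backup` (open binary file); return its SHA-256."""
    data = read_track0(disk, sectors)
    backup.write(data)
    return hashlib.sha256(data).hexdigest()


def changed_sectors(current, saved):
    """Indices of sectors that differ between a fresh read and the saved copy.
    A non-empty list means the boot area changed since the backup: either a
    legitimate driver re-install or a boot sector virus."""
    n = min(len(current), len(saved)) // SECTOR_SIZE
    return [i for i in range(n)
            if current[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            != saved[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]]


def mbr_summary(sector0):
    """Parse the master boot record: 0x55AA signature and the four
    16-byte partition entries at offset 446 (status, type, LBA start, size)."""
    entries = []
    for k in range(4):
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * k)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": size})
    return {"signature_ok": sector0[510:512] == MBR_SIGNATURE, "partitions": entries}


def make_sample_image():
    """Constructed image: an MBR with one bootable FAT16 partition starting
    at sector 63, a placeholder 'driver' in sector 1, zeros elsewhere."""
    img = bytearray(SECTOR_SIZE * (TRACK0_SECTORS + 4))
    img[0:2] = b"\xfa\x33"                       # arbitrary boot-code bytes (constructed)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x06, TRACK0_SECTORS, 1_000_000)
    img[510:512] = MBR_SIGNATURE
    img[SECTOR_SIZE:SECTOR_SIZE + 11] = b"DISKMGR-v1\x00"   # placeholder driver (constructed)
    return bytes(img)


def demo():
    """Back up the constructed image, verify it clean, then alter sectors 0
    and 2 and verify again."""
    img = make_sample_image()
    disk, backup = io.BytesIO(img), io.BytesIO()
    digest = backup_track0(disk, backup)
    clean = changed_sectors(read_track0(disk), backup.getvalue())
    tampered = bytearray(img)
    tampered[0] ^= 0xFF                      # overwrite a boot-code byte
    tampered[2 * SECTOR_SIZE + 7] = 0x42     # touch the driver area
    dirty = changed_sectors(read_track0(io.BytesIO(bytes(tampered))), backup.getvalue())
    return {"digest": digest, "clean": clean, "tampered": dirty,
            "mbr": mbr_summary(img[:SECTOR_SIZE])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real machine the read side is the raw device opened read-only, and the backup must be taken after booting from a known-clean floppy, exactly as the message says: a copy taken while a boot sector virus is resident captures whatever the virus chooses to show. Keep the backup and its digest off the machine, and re-run the comparison after every legitimate change to the driver so that a later difference means something.
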
------------------------------

Date: Tue, 30 Jan 1996 20:11:00 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: Java Virus
X-Digest: Volume 9 : Issue 12

Fred Cohen <fc@all.net> writes:

> Java viruses are possible.

This seems far from obvious to me.

> The Java designers did not "do it right" - you might be interested in
> articles in the info-sec super journal on this and closely related
> subjects. (http://all.net/
>       browse -> (super-journal) Miscellaneous Contributions
>       browse -> (super-journal) Articles on Network Security (Dec 95)

I failed to see any evidence there of the claim that Java viruses are
possible. The first article essentially explains why Java is secure
and the second article (yours) simply *claims* that applet-based
viruses are possible, without providing any argumentation.
Furthermore, it is listed as an attack that has never been
demonstrated. While both articles are excellent and I highly recommend
them to everybody, they failed to convince me that Java viruses are
possible - provided that the language interpreter is implemented
properly; insecure implementations don't count. Sorry, but I'll
believe it when I see it.

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 20:40:43 -0500 (EST)
From: Vesselin Bontchev <bontchev@complex.is>
Subject: Re: messiah info req'd
X-Digest: Volume 9 : Issue 12

tom southey <tsouthey@connect.ab.ca> writes:

> Anybody have any info on a virus called messiah?

Please read the FAQ for information on how to ask such questions. Which
anti-virus software reported a virus under this name? Which version of
it? Under what circumstances? Where was the virus reported?

Regards,
Vesselin
- - 
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

------------------------------

Date: Tue, 30 Jan 1996 21:29:34 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: Usefulness of AV people
X-Digest: Volume 9 : Issue 12

>I don't mean to sound like an asshole or anything but I'm just wondering
>how an anti-virus consultant could be useful. Since I started reading
>this newsgroup, I have seen a lot of OBVIOUS advice given by these
>so-called virus specialists: "You must reboot from a clean floppy and
>then run an anti-virus software" or "Boot from an uninfected floppy
>and format disk". I assume that people who ask these questions expect
>more in-depth answers but I guess, giving it to them would be divulging
>sensitive information, right?
>
>This brings me to my questions: why do we need so many virus specialists
>if they all repeat the same thing?

The virus specialists usually are people very familiar with viruses and
tend to be long winded because of some time doing tech support. Technical
support in the antivirus industry can be the *best* way to learn how to
use all kinds of non-antivirus software, believe me. The reason us virus
types take so much time explaining the basics is that we cannot predict
the end users PC knowledge.

Example: Today, while the phones were ringing, I picked up the wrong phone
line and found myself on a tech support call from a woman who just knew
she had a virus. I mean when an accounting program was backing up to a
diskette and the program gave a warning message that "Wrong media type in
drive A:" that was exactly what a virus does! Right? :-)

One just has to explain step by step all the information, no matter how
trivial, that is needed to help a person.

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 12]
*****************************************
