From lehigh.edu!virus-l  Thu Feb  8 13:59:22 1996 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Thu, 08 Feb 96 19:50:50 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mn3.swip.net (8.6.8/2.01)
	id NAA18445; Thu, 8 Feb 1996 13:59:22 +0100
Received: from fidoii.cc.lehigh.edu ([127.0.0.1]) by fidoii.cc.lehigh.edu with SMTP id <39083-52495>; Thu, 8 Feb 1996 07:58:09 EST
Message-Id: <01I0ZQJ93R4YPVIUA3@csc.canterbury.ac.nz>
Reply-To: virus-l@lehigh.edu
Originator: virus-l@lehigh.edu
Sender: virus-l@lehigh.edu
Precedence: bulk
From: VIRUS-L Moderator <virus-l@cantva.canterbury.ac.nz>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V9 #19
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: Virus Discussion List
Date: 	Thu, 8 Feb 1996 07:57:25 EST

VIRUS-L Digest    Friday, 9 Feb 1996    Volume 9 : Issue 19

Today's Topics:

Administrivia (ADMIN)
Re: Usefulness of AV people
Re: Virus Database
Re: Scanning Zip files
Word Macro Virus (MAC,WIN)
Re: Word macro "viruses" - clarification? (MAC,WIN)
Are OLE trojans possible? (WIN)
Re: B1 virus - what else can it do ? (PC)
Re: Israeli Boot, EmprieB, Filler and Ohio. (PC)
Re: Non-Word Files Infected by "Word Macro" Virus (PC)
Re: F-PROT: Request for Help (PC)
Re: Quality Anti-Virus Programs (PC)
Vertical lines behind icons, greyed-out buttons (PC)
NEW VIRUS? HELP! (PC)
Re: Byway virus : how remove it ??? (PC)
Re: What does SHZ do? (PC)
Re: NAtas Virus (PC)
Re: MTE COFEESHOP Virus (PC)
IBM Antivirus/DOS (DOS/Windows)
Dr. Solomon's Anti-Virus Toolkit (DOS/Windows)
F-PROT Professional (Data Fellows) (DOS/Windows)
Norton AntiVirus 3 (DOS/Windows)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on CS.UCR.EDU (IP number 138.23.169.133) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available by anonymous FTP on CS.UCR.EDU.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

All submissions should be sent to: VIRUS-L@Lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Fri, 09 Feb 1996 01:34:23 +1300 (NZD)
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Administrivia (ADMIN)
X-Digest: Volume 9 : Issue 19

A few more general submissions then the first batch of Rob Slade's product
reviews.  I will probably post the rest of Rob's reviews I have here in
similar sized batches in each of the next few digests.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
              Virus-L/comp.virus moderator and FAQ maintainer
   PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Mon, 05 Feb 1996 19:20:11 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Usefulness of AV people
X-Digest: Volume 9 : Issue 19

Take a GOOD LONG look at the moderators note.  As a former Tech Support 
analyst for McAfee Associates, I spent 8 hours a day on the phone saying
the same thing.  Then I'd spend 2 to 3 hours a night answering messages
for support@mcafee.com, typing (well, cutting and pasting) the same thing. 
People panic when they get a virus.  They don't know ANYTHING about the PC
boot sequence.  Hell, we developed fax sheets that explained creating a
clean bootable floppy, write-protecting a floppy, formatting a floppy.
Tons of simple stuff that anyone with much experience can do in their
sleep.  

Let me tell you a little story:

There was this little AV company which gave away its software via BBS. 
And it was good.  They had 4 guys in tech support, and the times on the
queue were under 30 seconds.  In fact if a customer waited for more than
30 seconds a little siren went off, and lights blinked.  And it was good. 
Then they put the software in a box and sold it in stores.  Now the times were
in the 10 minute range, and they had 15 techs, not counting the CS people
that answered questions like "How do I clean?" "Try SCAN C: /CLEAN."  And
it sucked. 

The moral:
When McAfee's software was only available via BBS's any users who called 
usually knew something about computers.  Now the average level of
knowledge has been lowered.   Computers have become more and more
accessible to the common consumer.  But if something goes wrong, they
don't have a clue.  Point and click just doesn't work for viruses.  

The other problem is they don't RTFM.  In a world of point and click, they 
want it handed to them, with a pretty little bow.  Ask Nick about all the 
ANTIEXE and PARITY BOOT questions he's getting.  If they looked for the
FAQ, they'd get the answer, without ever having to post.  

That's why so many of us "experts" keep saying the same thing over and
over again. 

Getting off the soapbox......

Ken

- - 
Views expressed herein are not necessarily the views 
of Ontrack Computer Systems, Inc. or Ontrack Data Recovery, Inc.
*******************************************************************
* Ken Stieers               |  Minneapolis - 1.800.872.2599       * 
* AV Research/Apps. Eng.    |  Los Angeles - 1.800.752.7557       *
* Ontrack Computer Systems  |  Washington, D.C. - 1.800.650.2410  *
* Ontrack Data Recovery     |  London - 0800 24 39 96             *
* Eden Prairie, MN          |  Japan - 81.429.32-6365             *
*******************************************************************

------------------------------

Date: Mon, 05 Feb 1996 21:31:02 -0500 (EST)
From: costigan <costigan@enter.net>
Subject: Re: Virus Database
X-Digest: Volume 9 : Issue 19

Pube (i951636@redgum.bendigo.latrobe.edu.au) wrote:
> Can anyone point me to a good database of all known viruses, with
> descriptions and such.

Try VSUM that's available on most of the on-line services and also
from most AV makers.

------------------------------

Date: Mon, 05 Feb 1996 23:54:35 -0500 (EST)
From: Massimo Villa <max_vil@iol.it>
Subject: Re: Scanning Zip files
X-Digest: Volume 9 : Issue 19

How does a virus in a .zip file act?

I mean, is it possible that, just by unzipping the .zip file (without
executing any of the now-unzipped files), the virus has already
infected your PC?

Thanx,
Max.

------------------------------

Date: Mon, 05 Feb 1996 20:09:01 -0500 (EST)
From: Grahame Grieve <g.grieve@pgrad.unimelb.edu.au>
Subject: Word Macro Virus (MAC,WIN)
X-Digest: Volume 9 : Issue 19

Just a few queries about word macro viruses in general.

All the queries I have seen about Word viruses relate to windows.
Is the Macintosh affected... WordBasic is a cross-platform language,
after all.

Several generic solutions have been proposed.
1. Use scanners, e.g. F-Prot. With Word virus scanners, do they use
   generic detection, or specific detection of known viruses?
   Are there Mac scanners?
2. Write-protect your Normal.dot. Vesselin pointed out that it is
   easy to change this... but not from a macro in Word (try it!
   it is locked (vshare.386), and you can't change it. Is this right?)
   What about Macs?
3. Set tools -- options -- save --- Prompt to save normal.dot...
   I can't find a word statement to test for this, as opposed to set it.
   (I have the word developers kit in front of me...) A test would be nice.
   Same for the status of disableautomacros.
4. Does the M$ word virus detector provide generic detection or just 
   against Concept?
5. Is M$ (and similar developers - whoever gets WP, for instance) able
   to build real protection into further versions? And are they going to?

TIA,
Grahame

------------------------------

Date: Tue, 06 Feb 1996 00:13:15 -0500 (EST)
From: Robert Michael Slade <rslade@freenet.vancouver.bc.ca>
Subject: Re: Word macro "viruses" - clarification? (MAC,WIN)
X-Digest: Volume 9 : Issue 19

Alexis Manning (Alexis.Manning@durham.ac.uk) wrote:
: I have heard of WinWord.Concept and WinWord.Nuclear. I take it that
: these are not one and the same, so what are WinWord.Nuclear's

Nuclear attempts to delete system files and to insert an MS-DOS file 
infecting virus into the computer. The original version fails because of 
programming errors.  It also will add a message to the end of documents.

: effects? Are any other prank macros like these known to exist? There

There are also Colors, which changes the color of windows at intervals, 
Hot, which sets a "hot date" for deletion of files and Atom, which
attempts to delete and encrypt files.

: is no reason why this form of virus couldn't be written under, say,
: Access, or any other language which supports scripting to such an
: extent.

Quite true, unfortunately.  Such are known to exist in research versions 
in Lotus 1-2-3, Excel and Ami Pro.  So far, however, the Word macros have 
been the easiest and most "successful".

======================
roberts@decus.ca   rslade@vanisl.decus.ca  Rob.Slade@f733.n153.z1.fidonet.org
                    Frequent advice to Internet newcomers:
 State your business, avoid eye contact, leave quietly, and no one gets hurt.
Author "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 (800-SPRINGER)

------------------------------

Date: Mon, 05 Feb 1996 20:09:01 -0500 (EST)
From: Grahame Grieve <g.grieve@pgrad.unimelb.edu.au>
Subject: Are OLE trojans possible? (WIN)
X-Digest: Volume 9 : Issue 19

I'm a windows developer. I'm moving into ole (yuk!). What can be done
about ole trojans etc?

TIA,
Grahame

------------------------------

Date: Mon, 05 Feb 1996 17:24:04 -0500 (EST)
From: Bryan Lewis <bryan@world.std.com>
Subject: Re: B1 virus - what else can it do ? (PC)
X-Digest: Volume 9 : Issue 19

netnews@ix.netcom.com writes:

>My computer had the B1 virus. I read on a website that one of the 
>symptoms was the read\write head on the floppy drive being sent back and 
>forth very fast causing a loud 'banging' noise. Well, I had this problem 
>but it was on my hard drive. At midnight, if the hard drive was being 
>written to, my computer would lock up and the hard drive would start 
>'banging' . I had several diskettes infected also, one of which was left 
>in the floppy drive on a reboot, therefore infecting the hard drive.
>
>I'm just wondering how common or rare is it to infect the hard drive 
>boot sector and has anyone ever heard their hard drive "knock" ?
>It's not fun !

YES!  That's exactly what happened to us.  Nobody else had heard of it.
I was calling it the "midnight crasher" virus.
Since that experience, we have changed our CMOS settings to not boot from A:.

Other things it can do:  bang your hard drive right away, not waiting for 
midnight, on one computer running Windows.  Prevent you from formatting
floppies... keep getting "General failure, track 0 unusable."

------------------------------

Date: Mon, 05 Feb 1996 17:31:47 -0500 (EST)
From: Ken Stieers <kens@ontrack.com>
Subject: Re: Israeli Boot, EmprieB, Filler and Ohio. (PC)
X-Digest: Volume 9 : Issue 19

I won't take that bet, Nick!  It's a sucker's bet!

This is a known false alarm/ghost positive caused by having MSAV, CPAV,
VSAFE or BootSafe loaded and then scanning with McAfee SCAN v.2.2.? or
lower.  These AV programs keep their data strings unencrypted in memory
and McAfee's scan finds them. 

The most recent versions 2.2.8 and 2.2.9 shouldn't give this false alarm, 
though I haven't tested it myself.  

Ken 


------------------------------

Date: Mon, 05 Feb 1996 17:57:44 -0500 (EST)
From: Robert Michael Slade <rslade@freenet.vancouver.bc.ca>
Subject: Re: Non-Word Files Infected by "Word Macro" Virus (PC)
X-Digest: Volume 9 : Issue 19

T. Schwark (schwarkt@fox.nstn.ca) wrote:
: When I run F-PROT it tells me that the AAAZAO string (word concept
: macro virus?) appears in a Microsoft Access database file and the

One possibility for the Access database is OLE, specifically object 
embedding.  If a Word document has been inserted in a database file, 
then it may be an infected document.

------------------------------

Date: Mon, 05 Feb 1996 21:30:56 -0500 (EST)
From: costigan <costigan@enter.net>
Subject: Re: F-PROT: Request for Help (PC)
X-Digest: Volume 9 : Issue 19

I have a similar situation but on a smaller scale.  Being an MIS
Manager, I insist that all my PC's on the network be configured
roughly the same.  The users screamed and moaned but after about one
year's worth of work, I have them roughly all the same.  

I enforce this standard configuration by running daily system audits
that alert me to anyone loading anything new on the system.   This
makes my Virus Scanning very simple.

Just last week, I had our company CNC Programmer complain about his
system.  He had loaded games from home on his PC at work and it no
longer worked.  I was alerted to this, but unfortunately it was too
late.  He had tried to boot from a DOS diskette and load the software
to the network, bypassing the audit.  The games disks were infected
with a variant of AIDS and corrupted his CNC programming directory and
his backups.  AIDS is one of the nasty ones that you can't get rid of.
When he rebooted, VIRSTOP froze his system dead and he was caught red
handed.  He learned his lesson the hard way.

I use Virus Net Pro, which in essence is F-PROT.  It works great and I
have no problems using it.  It has saved my hide many a time.

------------------------------

Date: Mon, 05 Feb 1996 22:01:27 -0500 (EST)
From: costigan <costigan@enter.net>
Subject: Re: Quality Anti-Virus Programs (PC)
X-Digest: Volume 9 : Issue 19

Take a look at Patricia Hoffman's VSUM listing that's available as a
trial package in the public domain.  It shows whose system found and
cleaned what viruses.  While this is a lab benchmark, it's a good
rule of thumb.  

I agree with the guy from SYMANTEC: the good packages are all good.  In
my opinion, what separates them is ease of use.  They're all quite
inexpensive to try so just look at the top sellers and top performers
in VSUM and pick the one you like best.

------------------------------

Date: Tue, 06 Feb 1996 00:15:59 -0500 (EST)
From: "Ryan T. Farnes" <rfarnes@cogent.net>
Subject: Vertical lines behind icons, greyed-out buttons (PC)
X-Digest: Volume 9 : Issue 19

I would love some help on this, I suspect I may have a virus, I've
been doing a lot of Web and News stuff lately.  I've noticed strange
screen activity Feb. 4, 1996 after not using my computer for about a
week.

Here are the symptoms:

1. All Program items in Windows have black or grey vertical lines
as a background.

2. Vertical lines are also present over buttons in programs.

3. Vertical shadow lines are present after a window has
disappeared.

4. Vertical lines are on the down arrows for pull down items.

5. After running Immune 2 anti-virus, a happy face appeared in
the upper-right hand corner in DOS and when loading Windows.

6. Trumpet seems to lag sometimes when saying bye.

7. In ProComm Plus 2.0 for Win31, the command screen scrolls
constantly with alpha-numeric-punctuation garbledy-goop (the ProComm
monitor too with 000s and 111s and happy faces).

8. No anti-virus progs have been able to find anything (VSafe, MS
AntiVirus from DOS 6.1, Immune 2).

PLEASE HELP!!!

							Ryan
							rfarnes@cogent.net

------------------------------

Date: Tue, 06 Feb 1996 02:28:35 -0500 (EST)
From: Trevor Rotzien <trevor@epac.norway.ibm.com>
Subject: NEW VIRUS? HELP! (PC)
X-Digest: Volume 9 : Issue 19

Well, at least it is new to me! I need some advice, and news on whether or
not anyone else has run into this, and better yet, on how to kill it!

Back in Aug and Sept '95 I downloaded a number of playable game demos from
the Games Domain (http://www.gamesdomain.co.uk). I am assuming that there
is some connection, because up until then, my Gateway 486DX2-66 had been
running without a problem since I bought it in 93. On Sept 24, I attempted
to start Windows for Workgroups 3.11 up, and got the following message:

"The Microsoft Windows 32-bit disk driver (WDCTRL) cannot be loaded. There
is unrecognizable disk software installed on this computer.

 The address that MS-DOS uses to communicate with the hard disk has been
 changed. Some software, such as disk caching software, changes this
 address.

 If you aren't running such software, you should run a virus detection
 program.

 To continue starting Windows without using the 32-bit disk driver, press
 any key."

I took the message's advice, and ran MS Anti-Virus. It didn't detect a
virus explicitly, but it warned that the checksum of WIN.COM and USER.EXE
had changed, and the date had been changed from 05-31-94 to 08-14-95.

After running MSAV, I attempted a soft boot (Ctrl-Alt-Del). What I got was
a hang with "PARITY CHECK" on an otherwise blank screen. I could only
restart via the reset button or a cold boot.

After restarting, I ran the latest McAfee, which also could not identify
the virus.

Just to make sure it wasn't hardware, I ran QAPlus, which found no errors
in any component.

When I attempted to run Windows, the computer would crash unpredictably,
each time displaying the "PARITY CHECK" message.

I used FDISK to delete the active partition, re-assign the active
partition, and then re-FORMATTED the drive, and re-installed everything,
MSDOS 6.22 and WFWG 3.11. Everything was fine for a while, but one of my
diskettes may have been infected, as the symptoms have returned. Worst of
all, the PC that my wife uses at a volunteer organization has now
displayed the same symptoms! I am now convinced it is definitely a virus
and NOT hardware. I know enough that I must now isolate the two machines
and any and all diskettes formatted on them.

I would greatly appreciate ANY additional advice. If it is a boot-sector
virus, can I safely get my data (non-executables) off the hard drive?
How do I kill this thing if anti-virus software cannot detect it?

Please respond directly to trevor@epac.norway.ibm.com. I will summarize.

Trevor D. Rotzien

------------------------------

Date: Tue, 06 Feb 1996 02:50:47 -0500 (EST)
From: Joe.Peter@meer.net
Subject: Re: Byway virus : how remove it ??? (PC)
X-Digest: Volume 9 : Issue 19

On 29 Jan 1996 12:11:43 -0000, Patrick Noyens <patrick.noyens@ping.be>
wrote:

>How can the 'Byway' virus be removed ?
>
>F-prot 2.21, AVP 2.2, DSAVTK 7.55 and Sweep 218 reported all that the
>system of a friend of mine is infected with BYWAY virus.
>
>All visible symptoms are indicating that the system is *INDEED*
>infected :
>	- a lot of checksum files are on the system (normally generated by
>	  MSAV or CPAV), while he doesn't even have these scanners on his
>	  system.
>
>	- The typical problems with the COM ports : unusual mouse behavior
>	  and problems when using his modem.
>
>As F-prot is not able to remove this virus, I'm looking for another
>method.

If you have something like NDOS then do a REN *.EXE *.VXE /s to rename
all exe files to non-executables. Then again do a REN *.COM *.VOM /s.
Make sure you do this while booting off the infected machine. 
After you have renamed the executable files to non-executables,
reboot off a clean floppy and copy all the files off the hard disk.
Reformat the hard disk and copy the files back. You have to be
extremely careful to make sure no traces of this virus remain on the
hard disk or you will get re-infected immediately and very fast.
Deleting files will not remove this virus.

You could also pkzip the entire hard drive off, reformat it, and
pkunzip all the files back; that will also get rid of the infections.

The main thing to remember is that renaming an EXE file to another
extension like VXE will disinfect that particular file...

------------------------------

Date: Tue, 06 Feb 1996 02:50:51 -0500 (EST)
From: Joe.Peter@meer.net
Subject: Re: What does SHZ do? (PC)
X-Digest: Volume 9 : Issue 19

On 2 Feb 1996 08:28:02 -0000, "Jeoffrey D. Regino"
<jregino@enterprise.engg.upd.edu.ph> wrote:

>My computer (PC) is infected by this SHZ virus. I have tried to run
>several scanners but they just can't seem to remove it. I just want
>to know if 
>
>	a) it can do any damage to my PC. And if it can, 
>	b) what does it do and 
>	c) how could I get rid of it?

From the little bit I looked at, this one just infects COM files but
is very rare and has been around since the times of Moses. But are you
sure you are really infected? One version of SCAN mis-detected this
virus in some versions of files protected with Central Point AV tools.

------------------------------

Date: Tue, 06 Feb 1996 05:16:31 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: NAtas Virus (PC)
X-Digest: Volume 9 : Issue 19

>Does anyone know how to kill Natas Virus?

Most antivirus scanners can handle Natas. AntiViral Toolkit Pro to name
just one but I think Dr. Solomon's and F-Prot do also.

Keith
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Central Command Inc.                 USA  Distributor  for
P.O. Box 856                         AntiViral Toolkit Pro
Brunswick, Ohio 44212                216-273-2820
Internet: info@command-hq.com        Compuserve:102404,3654
FTP: ftp.command-hq.com /pub/command/avp       :GO AVPRO
WWW: http://www.command-hq.com/command
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

Date: Tue, 06 Feb 1996 05:16:35 -0500 (EST)
From: sysop@command-bbs.com
Subject: Re: MTE COFEESHOP Virus (PC)
X-Digest: Volume 9 : Issue 19

>I am in need of a virus remover for the MTE COFEESHOP virus.
>Is anyone out there able to help ?

If you want reliable detection and removal, use AntiViral Toolkit Pro (AVP),
Dr. Solomon's or F-Prot...

Keith

------------------------------

Date: Fri, 12 Jan 1996 16:41:15 -0500 (EST)
From: "Rob Slade, the doting grandpa of Ryan Hoff" <roberts@mukluk.hq.decus.ca>
Subject: IBM Antivirus/DOS (DOS/Windows)
X-Digest: Volume 9 : Issue 19

PCIBMAV.RVW   950606
                               Comparison Review
Company and product:

IBM Corporation
Old Orchard Road
Armonk, NY   10504
IBM High Integrity Computing Lab
Thomas J. Watson Research Center
P. O. Box 704
Yorktown Heights, New York
USA      10598
David Chess CHESS@WATSON.IBM.COM, CHESS@YKTVMV.BITNET
http://www.brs.ibm.com/ibmav.html
Note - customers should contact IBM rep, not HICL directly
800-551-3579 (US only)
800-465-7999
fax: 800-267-5185
IBM Antivirus/DOS 2.1 (also IBM Antivirus/2)

Summary: scanner and change detector

Cost    U$29.95/C$37.95

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       3
            Help systems      3
      Compatibility           3
      Company
            Stability         4
            Support           2
      Documentation           2
      Hardware required       4
      Performance             3
      Availability            2
      Local Support           2

General Description:

An integrated change detection and scanning system with a GUI (graphical user
interface) for manual operation.  Provision for operation under either DOS or
Windows (OS/2 version available separately.)  Recommended as a basic protection
system for most users.  Now bundled with PC-DOS, and a definite reason to
prefer PC-DOS to the MS-DOS versions.  This is the retail version: a "site
license" version is also available with additional features and information.


                  Comparison of features and specifications

User Friendliness

Installation

IBM Antivirus/DOS is shipped on three 720K or six 360K writable but protected
diskettes.  Two install programs are provided (for DOS and for Windows), with
no provision for manual installation.  The Windows installation program is a
bit odd in places, giving an impression of completing a few times before it
actually does.  If a previous version of the program is detected, it will be
updated.

The user is in charge of the operation at every point, but not always given
much information.  There is, for example, the option to install for either DOS
only or DOS and Windows operation.  It is not clear from the documentation
whether the Windows installation also installs the DOS files (it does).

The earlier VIRSCAN did not suggest installation on the hard drive at all.  In
opposition, Antivirus/DOS must be installed on a hard disk, and only one
operation is stated to work in the absence of a hard disk.  This does allow for
"offline" signature scanning.  There is also a set of files for a "stand alone"
scanner.

Ease of use

The user interface is generally clearly laid out.  Using the DOS program with a
monochrome monitor, though, the menu item selected is almost impossible to
distinguish.

While the documentation talks of "fuzzy" and "heuristic" systems, details of
operation and options are not given.  This does prevent "false alarms" being
presented to the user, but may allow viral changes as well.  This is good in
that it does not require much in the way of knowledge from the user, but there
is no option to provide the information for those more capable.

Help systems

Help is available via the F1 key.  The Windows version has a version of the
manual online, and a fairly abbreviated set of virus descriptions.

Compatibility

The structure of the signature file is no longer outlined in the manual.

Company Stability

These guys are Warped.  Really Warped.

Company Support

Those on the Internet and Usenet who receive VIRUS-L/comp.virus will have
access to David Chess' postings and email address.  IBM also sells a support
package which includes a variety of antiviral assistance.

Whether from faulty diskettes or damage in shipping, my own copy had defective
gates on two of the three 720K disks.  This was not evident until I tried to
remove the diskettes from the drive, when they jammed.  This could cause a trip
to the shop to get the diskette removed, or, at worst, damage to the disk
drive.

Documentation

The level of the documentation is uneven.  At some points, such as
installation, it seems to be written with the novice as the primary audience,
and the experienced user may find it frustrating.  At other points, in regard
to some of the options which can increase the level of protection the reader
had better be used to fighting with technical manuals and lists of switch
settings.  The program is definitely easy enough to use without the manual, but
customization is not explained as well as in other products.

The material provided is generally accurate, and very well written.  New
contents provide better general background to the virus situation, but still
show some minor errors, such as the date of the first known virus.

System Requirements

DOS 3.3+, Windows 3.1+ (for the Windows portion), memory required is variously
stated as 640K, 450K, 400K and 480K, disk space of 1.6 or 2.6 megabytes (for
DOS and Windows respectively).

Performance

Speed and general detection and protection capabilities are still neither the
best nor the worst tested, but should be acceptable in most situations.  The
basic "system" check that is performed deals with change detection first.  Only
if a change is detected is scanning brought to bear.  (This is obviously not
the case with diskette scanning, and the system can be made to scan everything
by default if desired by the user.)

The package will now scan PKZip and LZEXE format compressed files.

Local Support

Local support from IBM staff is, in my experience, becoming more dependable.

Support Requirements

The program should be suitable for any user.

                                 General Notes

This product is a basic antiviral tool, but one that will offer substantial
protection to the normal user.  Users in a "high risk" environment may want
slightly more protection than the package has to offer.

copyright Robert M. Slade, 1991, 1992, 1993, 1995   PCIBMAV.RVW   950606

==============
Vancouver      ROBERTS@decus.ca         | "If you do buy a
Institute for  Robert_Slade@sfu.ca      |  computer, don't
Research into  Rob.Slade@f733.n153.z1/  |  turn it on."
User                      .fidonet.org  | Richards' 2nd Law
Security       Canada V7K 2G6           | of Data Security
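The change-detection-first check this review describes, and the daily system audit costigan mentions earlier in this digest (Re: F-PROT: Request for Help), as an added Python example that is not part of the digest, of IBM Antivirus or of any product named here: it baselines file digests, reports what was added, removed or changed, and runs a signature scan only over the new and changed files. It also keeps its one signature XOR-masked in memory, the precaution implied by Ken Stieers' note that MSAV/CPAV/VSAFE keep their strings unencrypted and trip other scanners; file names, contents and the signature pattern are constructed placeholders.

```python
import hashlib
import os
import tempfile

MASK_KEY = 0xFF  # one-byte XOR mask; the value is unimportant, the point is that
                 # the plaintext pattern never sits in this program's file or memory

# Signatures are stored masked.  This one decodes to b"TESTSIG-NOT-REAL", a
# constructed placeholder for the demo, not a pattern from any real virus.
MASKED_SIGNATURES = {
    "Constructed.Test": bytes.fromhex("abbaacabacb6b8d2b1b0abd2adbabeb3"),
}


def unmask(data: bytes, key: int = MASK_KEY) -> bytes:
    """XOR is its own inverse, so the same routine masks and unmasks."""
    return bytes(b ^ key for b in data)


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every file under root (relative path) to its digest: the baseline."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = file_digest(full)
    return result


def compare(baseline: dict, current: dict):
    """Return (added, removed, changed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


def scan_file(path: str) -> list:
    """Signature scan of one file; patterns are unmasked only for the comparison."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, masked in MASKED_SIGNATURES.items() if unmask(masked) in data]


def audit(root: str, baseline: dict) -> dict:
    """Daily audit: change detection first, signature scan only on what changed."""
    current = snapshot(root)
    added, removed, changed = compare(baseline, current)
    detections = {}
    for rel in added + changed:
        hits = scan_file(os.path.join(root, rel))
        if hits:
            detections[rel] = hits
    return {"added": added, "removed": removed, "changed": changed,
            "detections": detections, "snapshot": current}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it and audit."""
    with tempfile.TemporaryDirectory() as root:
        originals = {                       # constructed stand-ins for system files
            "COMMAND.COM": b"MZ constructed clean command interpreter",
            "WIN.COM": b"MZ constructed clean Windows loader",
            "OLD.TXT": b"notes that will be deleted",
        }
        for rel, data in originals.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = snapshot(root)

        # What the next audit sees: one file that has grown and now carries the
        # test pattern, one new program brought from home, one file removed.
        with open(os.path.join(root, "COMMAND.COM"), "ab") as f:
            f.write(unmask(MASKED_SIGNATURES["Constructed.Test"]))
        with open(os.path.join(root, "GAME.EXE"), "wb") as f:
            f.write(b"MZ constructed game brought from home")
        os.remove(os.path.join(root, "OLD.TXT"))
        return audit(root, baseline)


if __name__ == "__main__":
    report = demo()
    for key in ("added", "removed", "changed", "detections"):
        print(f"{key}: {report[key]}")
```

WIN.COM is unchanged, so it is never scanned; only GAME.EXE and COMMAND.COM are, and only COMMAND.COM produces a detection.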

------------------------------

Date: Fri, 12 Jan 1996 16:40:11 -0500 (EST)
From: "Rob Slade, the doting grandpa of Ryan Hoff" <roberts@mukluk.hq.decus.ca>
Subject: Dr. Solomon's Anti-Virus Toolkit (DOS/Windows)
X-Digest: Volume 9 : Issue 19

PCDSAVT.RVW  950604
                               Comparison Review

Company and product:

S&S International plc.
Alton House, Gatehouse Way
Aylesbury, Bucks   HP19 3XU
England
Phone:     +44 1296 318700
Fax:       +44 1296 318777
Sales:     +44 1296 318800
Sales Fax: +44 1296 318888
BBS:       +44 1296 318810
support@sands.co.uk
S&S Software International, Inc.
17 New England Executive Park
Burlington, MA   01803
USA
+1-617-273-7412
fax: +1-617-273-7474
+1-800-595-9175
support@sands.com
Dr. Solomon's Anti-Virus Toolkit (AVT) 7.10

Summary:

Multilayered detection and disinfection system, strong scanning and
disinfection components, intended for advanced use.

Cost                         

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      2
            Ease of use       3
            Help systems      3
      Compatibility           4
      Company
            Stability         3
            Support           3
      Documentation           3
      Hardware required       4
      Performance             4
      Availability            2
      Local Support           3

General Description:

Menu driven (TOOLKIT) activity monitoring (VirusGUARD, GUARDMEM), change
detection (ViVerify, Certify), scanning (FINDVIRU), disinfection and operation
restricting (Author, NOFLOPPY, NOHARD) suite of programs.  Also contains
additional utilities (SHRED, TKUTIL, DEFERBAT, DEFERKEY).


                  Comparison of features and specifications


User Friendliness

Installation

The program is shipped on non-writable 1.44M disks, two for DOS and one
additional one for Windows.  (Other disk formats can be requested.)  There are
two installation programs, both of which run from DOS.  Windows installation
will install all of the DOS software as well.  The installation program will,
at the user's discretion, also add the resident portion of the package to the
AUTOEXEC.BAT file, however it does not affect the PATH statement, and therefore
all virus checking must either start from within the \TOOLKIT directory (or
whichever one the user creates), or be invoked with a full pathname.  A handy
feature is the inclusion of a card of installation instructions actually packed
with the disks, but these are not quite enough for the novice.  The instructions
call for using the FINDVIRU program to check for infections before doing the
installation (which is good) but don't say which disk it is on.  (The file
actually resides on the Toolkit DOS disk #2, so it is not intuitively obvious.)

I have recommended the manual installation.  The installation program provided
is simple and quick, and I can see no problem with using it.  However, the full
advantage of this product is not, and probably cannot be, provided with an
automated installation.

Ease of use

The TOOLKIT program provides a clear and uncluttered menuing system to access
the various parts of the package.  The screen messages and displays are
intelligible and there is little chance for confusion.

There are a number of command line options for use with the various programs
when not using the TOOLKIT interface.  The defaults are well chosen, and should
be appropriate for most situations, and for novice users.

For situations where client support is available, the message generated by
VirusGuard on detection of a virus can be customized to direct the user to the
local security support person.

Help systems

Online help is available.  The Windows version contains the VIRUS-L FAQ
document.  (Careful readers will note that the FAQ is the 1992 version, but
that was current at the time of testing.)  The "Virus Encyclopedia" is also
available online.  Note that online help is currently the only source of
information about the American offices.

Compatibility

No conflicts were encountered in testing.

Company Stability

S&S International is an established presence in the antiviral software field,
and has been so for some years.  For some years it published Virus News
International (now Secure Computing).

Company Support

The manual no longer lists provision for support through distributors, but the
online help (choose Index, then Distributors) lists a truly impressive array of
agents.  The earlier version I reviewed came from OnTrack in the United States,
and I have been extremely impressed with the regularity of updates that they
shipped.  The current package appeared to come from the S&S office in
Massachusetts, but no American address is given in the manual: you have to look
it up in the online help.  (I am told that an "American" edition is in
process.)

Documentation

The documentation is an excellent study work for those just entering the
computer virus field and wanting an introductory work.  The explanation of how
viral programs work is one of the best general treatments of the subject, even
including suggestions for companies wishing to set up policies and procedures
for in house data recovery teams.  Even before the table of contents, there are
sections detailing "Quick Virus Check", "Quick Repair", and "Quick Install" for
the novice.  The "Virus Encyclopedia", an excellent reference to known MS-DOS
viral programs, is now a separate manual, but still included with the package.

Hardware Requirements

The Toolkit now requires 330K of memory and 2.5 to 4 megabytes of disk space to
install (for DOS and Windows versions respectively).  The FINDVIRU scanner can
still be run from a floppy disk.

Performance

This package is consistently cited as being one of the two most accurate
scanners for virus identification, and also one of the two best in terms of
disinfection.

The package now has the ability to scan "inside" archived and compressed files,
although this is not enabled by default.

NetWare and OS/2 versions are also available.  Mac, NT and Windows 95 versions
are in development.

The TKUTIL program can remove references to CPAV, MSAV and NAV in startup
files.  Normally I would deplore a hostile action against a competing antiviral
product, but I'm not sure that principle applies here.  The action is not taken
by default, and the user must find the reference in the manual and specifically
request the action.  Also, these products have given such a high rate of false
alerts that many antiviral researchers recommend against their use.

Local Support

The company seems to have become more responsive on the Internet, and from a
call on VIRUS-L for review programs was the first to arrive.  In addition, the
East Coast office in the US provides both a World Wide Web site
(http://www.sands.com) and ftp (ftp://ftp.sands.com).

Support Requirements

The package is easy to use, particularly in the areas of scanning and
disinfection, and should not require any additional assistance in detection of
known viral programs.  However, the package has very strong and sophisticated
protection components which would give fullest advantage when installed by
knowledgeable support personnel.

The ongoing upgrade programs provided should be very strongly considered in the
case of this package.

                                 General Notes

This package provides very strong antivirus protection to the advanced user,
and very strong virus scanning capability for all users.

Therefore, this package is highly recommended for use by advanced users, who
are willing to make the commitment to study the material provided.  The package
is recommended for novice users where local support is available.

copyright Robert M. Slade, 1992, 1995   PCDSAVT.RVW  950604

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Fri, 12 Jan 1996 16:42:10 -0500 (EST)
From: "Rob Slade, the doting grandpa of Ryan Hoff" <roberts@mukluk.hq.decus.ca>
Subject: F-PROT Professional (Data Fellows) (DOS/Windows)
X-Digest: Volume 9 : Issue 19

PCFPROTD.RVW   950607
                    Antiviral Protection Comparison Review

Company and product:

Data Fellows Ltd
Paivantaite 8
FIN-02210 ESPOO, FINLAND
tel +358-0-478 444
fax +358-0-478 44 599
f-prot@datafellows.fi
http://www.datafellows.fi
produced by Frisk Software International
frisk@complex.is
F-PROT Professional 2.17

Summary: Resident and manual scanning, change detection

Cost: U$50 and up (varies)

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       4
            Help systems      3
      Compatibility           3
      Company
            Stability         3
            Support           3
      Documentation           3
      Hardware required       4
      Performance             4
      Availability            3
      Local Support           2

General Description:

Scanning, resident scanning and disinfection capabilities.  A commercial
version of the shareware F-Prot package, it also contains change detection
software.  DOS and Windows software, plus a specific Windows "resident" scanner
(Gatekeeper).  OS/2 and NetWare versions are available separately.


                  Comparison of features and specifications


User Friendliness

Installation

The product is shipped on three writable but protected 1.44M disks.  There is
separate installation for each of the DOS, Windows and Gatekeeper programs.

In the automated installation, VIRSTOP is installed to be invoked from
AUTOEXEC.BAT.  Those wishing to invoke it from CONFIG.SYS must do the
installation manually.

Ease of use

Except for resident scanning, F-PROT is now invoked from a single program.  The
user, by default, is presented with a graphical interface, but command line
switches are an option for those wanting more speed, or a standard invocation
for a large group of users.

Help systems

Online help is available.

Compatibility

F-PROT consistently maintains the highest ratings in all independent tests of
scanning of known viral programs, including my own.

Because of an external language file, F-PROT is available in at least eighteen
languages, and can be readily translated into others.  (The additional language
versions are primarily available from Data Fellows.)

The heuristic analysis portion of the program occasionally generates a "false
positive" alert about a program that is not, in fact, infected.  This is to be
expected from this type of scanning, and the incidence is much reduced from
when this function was first included with the program.  The heuristic analysis
feature has been generally effective in identifying new and "unknown" viral
strains, but is not perfect.  (Perfection is, of course, inherently
unattainable in this type of program.)  Indeed, the documentation for this
feature states that it is still to be considered experimental, and is very
conservative in its claims.  Programs known to cause false positives are
listed.

The program now has a specific Windows interface, as well as a resident scanner
specifically built for the Windows environment (to address problems of scanning
for polymorphic viral programs in that environment).

Company Stability

Fridrik Skulason now has an established company.  F-PROT is being included in
commercial programs and is now sold in these commercial versions.  frisk has,
however, committed to continuing to support the shareware version.  Data
Fellows has been the European agent for F-Prot for some years, but is also
actively involved in the antiviral research community, and is genuinely "adding
value" to the product.

Company Support

Data Fellows is available on the Internet and has some presence on Fidonet as
well.  Data Fellows provides an excellent "F-Prot Update" publication which
covers not only new features, but also general news on the virus scene.

Documentation

The manual from Data Fellows is very complete and contains some excellent
general background.  However, Gatekeeper, Windows and Windows Administration
are essentially separate manuals contained in the same binder, and this can be
confusing.  The Gatekeeper manual does need some clarification in the network
area.

Hardware Requirements

No special hardware is required.  The DOS programs can be run from floppy disk.

Performance

During my own testing, and the majority of others as well, F-PROT has
consistently identified more viral programs than the "current release" of any
other product.  F-PROT is somewhat slower at scanning than other products which
concentrate on speed because of the multiple signatures being used to check for
each virus, but is not the slowest scanner tested.

The user is in control of F-PROT at all times, with the exception that VIRSTOP
will not allow the boot sequence to continue in the case of a boot sector
infection at startup.

F-PROT, in six years of my testing, has not given a false positive alarm on any
normal program, nor has it interfered with any normal program operation.  This
is not to say that it doesn't: there are many reports of false positives and
Fridrik Skulason usually puts out a notice as soon as he confirms such reports.
These reports, and those from users, have significantly reduced over the past
year, indicating a very stable and reliable product.

The change detection file is now renameable: a minor security weakness in
previous versions.  Additional strength may be obtained by running the program
from a locked floppy disk.

Local Support

The popularity of the shareware version makes it likely that local users can
give you assistance.  Data Fellows has an extensive VAR network in the
countries they distribute to.

Support Requirements

Very little support should be needed for this program, although additional help
may be required for full functionality in network situations.  On occasion
assistance may be needed in disinfection, or in positively identifying a new
viral strain, but no product tested deals with this situation better than
F-PROT.

copyright Robert M. Slade, 1990, 1992, 1993, 1995   PCFPROTD.RVW   950607

======================
ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733 RSlade@cyberstore.ca
             "No passion in the world is equal to the passion to
                   alter someone else's draft" - H. G Wells
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

------------------------------

Date: Fri, 12 Jan 1996 16:42:54 -0500 (EST)
From: "Rob Slade, the doting grandpa of Ryan Hoff" <roberts@mukluk.hq.decus.ca>
Subject: Norton AntiVirus 3 (DOS/Windows)
X-Digest: Volume 9 : Issue 19

PCNRTNAV.RVW  950608
                               Comparison Review

Company and product:

Symantec/Peter Norton
10201 Torre Avenue
Cupertino, CA   95014
USA
408-253-9600
800-441-7234
Customer Service 408-252-3570
Fax: 503-334-7400
416-923-1033
Technical Support: 503-465-8450
BBS: 503-484-6669
Retrieval Fax: 503-984-2490
Norton AntiVirus 3


Summary:

Manual and TSR virus scanning, as well as change detection.

Cost    U$130, U$69/C$79 for annual update service

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       2
            Help systems      2
      Compatibility           3
      Company
            Stability         3
            Support           2
      Documentation           2
      Hardware required       2
      Performance             2
      Availability            4
      Local Support           1

General Description:

The NAV.EXE program has the ability to scan memory, boot sectors and files for
the presence of known viral programs, and to "inoculate" programs to detect
change.  It can also recover some damage to programs and boot sectors.


                  Comparison of features and specifications


User Friendliness

Installation

The program is shipped on three 1.44M "read only" disks, therefore cannot be
infected at the user's site without active intervention.

Network installation assistance is provided in the installation program.

Ease of use

The program is "menu driven", but use without a mouse is not necessarily
intuitive, nor do all menus work consistently.  Ten pages of the manual are
devoted to the use of the interface.  The menus are, however, generally clear
and readable.

The "Advanced scan" and "Auto-inoculate" features of the system are simply
variations on checksumming and change detection, but are set up and explained
in a manner which appears to be unnecessarily confusing.  The options available
in the "Options/Configuration" menu allow for a considerable degree of
customization, but reasons for choosing certain options are not clearly
explained in the initial installation section of the manual.  Some options do
not appear to work: I did not choose to "Disable scan Cancel *b*utton" (*b*
being the letter used to access this option), but the "cancel scan" option was
disabled on my program anyway.

If a virus is detected in memory at the beginning of a scan, the program will
refuse to scan further.  This is an advantage in that it prevents infection by
viri which infect each file as it is opened, but there is no "discretion" on this
feature, and it activates even when boot sector viri are found.  The program
does not terminate, but will not perform (in terms of scanning).  No help is
given at this point: the user is referred to a section of the manual.

Help systems

The program contains an extensive help file.  Personally, I did not find the
onscreen help to be very useful, generally having to go to the manual if
I could not figure out the operation from the menus.

Compatibility

Although not stated in the manual, many functions no longer work for CPUs lower
than a 286 level.

Company Stability

Symantec and Peter Norton have both been solid companies in their respective
environments.  Symantec has also purchased Zortech, Certus and Fifth
Generation, all of which have been marketing antiviral software and recently
merged with Central Point, which had been following a similar pattern.

Company Support

The company appears to have removed both a technical support line and a "Virus
Newsline" for update information on new viral signatures.

The distribution of updated signature files has been problematic.  Initially
they were available only from the Symantec BBS or on CompuServe, where Symantec
runs a support forum.  Offers of space on other systems were turned down.
Subsequently, a Symantec representative stated that update files could be
distributed via BBSes, at the same time that other agents were saying that this
was a violation of copyright.  At one point a demo version of the program was
stated to be available on "hundreds of bulletin boards worldwide".  This was
later found to refer to the Symantec BBS and CompuServe only.  Most recently
permission has been granted to distribute the update files from ftp sites on
the Internet.  However, no announcements of availability were made and the
future of this distribution is completely unknown.

It should be noted that although the initial program was promised to the
reviewer, it required eleven return phone calls to five different offices
to finally have it delivered over three months later.  Other shipping was
similar, although most recently the package was the fourth to arrive after a
general call for review materials.

The series of acquisitions by both Symantec and Central Point means the company
has absorbed a significant group of antiviral software vendors.  This
represents more than a dozen products which have been removed from the market
or had support withdrawn.  The buyouts appear to have been done solely to gain
market share.  Less than a month after the company had been purchased, callers
were being told that the product support for Fifth Generation products had been
discontinued, and were offered "upgrades" to NAV.  To date, only one of the
technologies of the "orphaned" products has been added to the Norton AntiVirus.

Documentation

The documentation is much improved from earlier versions, but still refers only
to program operation and has little general discussion of viral programs.

Hardware Requirements

A 286 or above is required for many functions.

Performance

The TSR scanner is invoked from CONFIG.SYS.  While it cannot prevent infection
of the system from a "boot sector" infected diskette, it does not detect the
presence of such a virus in memory, and it neither prevents infection of
diskettes, nor alerts the user to the use of an infected diskette or the
operation of infecting.

Repair of viral programs appeared to be effective on those few for which this
is an option.  However, the major option tends to be deletion.

Local Support

Although local sales offices of Symantec/Peter Norton are widely available,
support is only provided through central technical support.

Support Requirements

In its current form, the product is suitable for novice users, but installation
and actions when a virus is found may require more expert support.

                                 General Notes

Statements from former employees indicate serious problems within the Norton
AntiVirus product development group, possibly with regard to management.
Normally, this would simply fall within the realm of mere gossip, but the
almost complete lack of development of the product over the past year tends to
add credence to the rumour.

copyright Robert M. Slade 1991, 1993, 1995  PCNRTNAV.RVW  950608

======================
ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733 RSlade@cyberstore.ca
Why did the chicken cross the Moebius Strip? To get to the other.. um.. er..
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

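Two of the reviews above touch the same mechanism from different sides: the F-PROT review notes that its change-detection file is now renameable, closing "a minor security weakness in previous versions", and the Norton review describes "Advanced scan" and "Auto-inoculate" as variations on checksumming and change detection. The following is an added example written for this digest, not code from any of the reviewed products or their vendors. It shows the technique both reviews refer to: build a baseline of file hashes, store it under an operator-chosen name, and later classify files as added, removed or modified. It also shows why a fixed-name, unauthenticated baseline is a weakness: a virus that knows where the checksums live can rewrite them to hide its changes, so the baseline here is protected with an HMAC. The key, file names and directory tree are all constructed for the example; a real deployment would keep the key off the scanned machine (the review's suggestion of running from a locked floppy is the 1995 equivalent).

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key for the example only; a real deployment keeps this off the scanned machine.
EXAMPLE_KEY = b"example-key-not-for-production"
MONITORED_EXTS = (".exe", ".com", ".sys")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=MONITORED_EXTS):
    """Map each monitored file (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def save_baseline(baseline, db_path, key):
    """Write the baseline with an HMAC so an edited baseline is detected on load."""
    body = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(db_path, "w") as f:
        json.dump({"mac": mac, "entries": baseline}, f)


def load_baseline(db_path, key):
    """Load the baseline, rejecting it if the HMAC does not verify."""
    with open(db_path) as f:
        doc = json.load(f)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("baseline file failed integrity check")
    return doc["entries"]


def compare(old, new):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Run the whole cycle on a constructed directory tree and return the results."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: two monitored executables and one ignored text file.
        for name, data in (("a.exe", b"MZ-original"), ("b.com", b"COM-original"), ("c.txt", b"not monitored")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # The baseline file name is chosen by the operator, not fixed by the tool.
        db = os.path.join(root, "site-chosen-name.db")
        save_baseline(build_baseline(root), db, EXAMPLE_KEY)

        # Simulate an infection (a.exe grows), a new executable, and a deleted one.
        with open(os.path.join(root, "a.exe"), "ab") as f:
            f.write(b"+appended code")
        with open(os.path.join(root, "d.sys"), "wb") as f:
            f.write(b"new driver")
        os.remove(os.path.join(root, "b.com"))
        report = compare(load_baseline(db, EXAMPLE_KEY), build_baseline(root))

        # Simulate a virus rewriting the stored checksum to hide the change to a.exe.
        with open(db) as f:
            doc = json.load(f)
        doc["entries"]["a.exe"] = hash_file(os.path.join(root, "a.exe"))
        with open(db, "w") as f:
            json.dump(doc, f)
        try:
            load_baseline(db, EXAMPLE_KEY)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The report classifies a.exe as modified, d.sys as added and b.com as removed; the forged baseline is rejected because its entries no longer match the MAC. Without the MAC, the forged entry would have made a.exe look clean, which is exactly the weakness a predictable, writable checksum file invites.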
------------------------------

End of VIRUS-L Digest [Volume 9 Issue 19]
*****************************************


