--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGL00006  Date: 12/15/96
From: KURT WISMER  Time: 09:01am
\/To: LUTHER KOLB  (Read 3 times)
Subj: Re: TBAV Bargain!!!

-=> Mocking Luther to Bill <=- (Mock, mOck, moCk, mocK)

BC> This sure looks like a _commercial_ plug for your buddy (or
BC> aka )...

LK> Are you comprehension-challenged, or just a dickhead?

no, he's joking... see the ? it means ... you might use a :-) yourself,
depends on your preference...

... today's mock has been brought to you by the letters p, u, and # pi...
--- Maximus 2.02
 * Origin: Virus Watch BBS ,[(416)654-3814] (1:250/503)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGL00007  Date: 12/15/96
From: KURT WISMER  Time: 09:03am
\/To: ROLAND STINER  (Read 3 times)
Subj: Re: SWISS 2

-=> Mocking Roland to Manuel <=- (Mock, mOck, moCk, mocK)

RS> Thanks, got the latest copy of F-Prot and it says that the computer
RS> is clean. People have written in this echo that Microsoft Antivirus is
RS> not very good. I suppose that F-Prot is much better right?

yes, it is MUCH, MUCH better than msav... it has very high detection rates
(about 98-99%)...

... can you see the pun in my name?
--- Maximus 2.02
 * Origin: Virus Watch BBS ,[(416)654-3814] (1:250/503)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGL00008  Date: 12/15/96
From: KURT WISMER  Time: 09:06am
\/To: MIKE SMITH  (Read 3 times)
Subj: Re: AntiEXE helpMe

-=> Mocking Mike to All <=- (Mock, mOck, moCk, mocK)

MS> Does anyone know if AntiEXE affects the clock in DOS???

not intentionally.... could be an incompatibility problem with the virus
though... there are plenty of other things that will affect the clock
though, notably a failing battery, or a poorly designed program that
rewrites the clock handler to make it go faster or slower for whatever
purpose (i have a game that does that, speeds the clock up by at least a
factor of 2)...

... today's mock has been brought to you by the letters p, u, and # pi...
--- Maximus 2.02
 * Origin: Virus Watch BBS ,[(416)654-3814] (1:250/503)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGL00009  Date: 12/14/96
From: MIKE HUDSON  Time: 10:18pm
\/To: RYAN DICKINSON  (Read 3 times)
Subj: a virus??

-=> Quoting Ryan Dickinson to All <=-

RD> ok i think that i have myself a little problem on my hands...when
RD> ever i go to press either shift key i get either a "y" or a "{"
RD> repeatedly...is this a virus? i had already scanned my system with
RD> like 5 different programs,
RD> tbav,scan,f-prot,chekmate,msav,pc-cillin....and for some reason it
RD> keeps doin this...what else could be the problem if its not a virus?

Bad keyboard comes to mind. Have you tried swapping out the keyboard with
another to see if the problem occurs still?

... Keyboard not found, think "F1" to continue.
___ Blue Wave/386 v2.30
--- TriToss (tm) Professional 10.0 - (Unregistered)
 * Origin: WILD TURKEY BBS * Doors, Doors, Doors (1:133/5012.0)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGL00010  Date: 12/16/96
From: BRIAN PATTERSON  Time: 02:13am
\/To: RYAN DICKINSON  (Read 3 times)
Subj: a virus??

Hello, Ryan!

> ok i think that i have myself a little problem on my
> hands...when ever
> i go to press either shift key i get either a "y" or a
> "{"
> repeatedly...is this a virus?

No. Either keyboard failure, keyboard controller failure, or ansi bomb.
If you load ansi.sys, DON'T load it on next boot and see if problem
persists. If so, suspect keyboard or keyboard controller. If the problem
persists, change the keyboard. If the problem still persists, change
motherboard. Diagnostic software would help you out greatly here.

Thanks.
Brian

--- ===FMail 1.02+==========
 * Origin: "He's Not Here, Lady!"
(1:317/103)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGL00011  Date: 12/17/96
From: RUNE-KRISTIAN VIKEN  Time: 12:24am
\/To: KURT WISMER  (Read 3 times)
Subj: Regionalized Viruses

>>> the author of the Internet Worm was Robert Morris JNR.
>> Well - did that man get any 'penalty' for writing the Inet worm?
> i do believe he was penalized in some manner,

Well, but is there anyone who KNOWS exactly what happened? :-)

Rune Kristian Viken / Fifth Arcade^RaP'96 / SysOp Arcade's BBS
Call: 38 35 12 88, 24Hrs a day. Moderator/Debatt at Krs. BBS

-- SPEED 2.00 [NR]: E=mc - Einstein
--- FidoMBBS v1.82, KRS#001
 * Origin: Kristiansand BBS - +47 380-24292 - 4 nodes (2:211/46)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGM00000  Date: 12/15/96
From: KENNETH J. RENAUD  Time: 10:45am
\/To: MICHAEL AINSWORTH  (Read 3 times)
Subj: Re: Collectiom

-=> Quoting Michael Ainsworth to Kenneth J. Renaud <=-

MA> ***> Quoting Kenneth J. Renaud to Renaud MAVRE <****
* -=> Quoting Renaud MAVRE to Kenneth J. Renaud <=-

KJR> I just had my first Opportunity to use My Mcafee Virus detector
KJR> yesterday I was copying Files off of Old disks to my zip drive &
KJR> opening them up & checking them when Mcafee halted me & said I had the
KJR> Tai-Pain 48 Virus So I told it to clean the Disk & it did.
KJR> bear@nightowl.net internet Address

MA> Oh my!!
MA> I had that darn Virus 4 times last year!!!
MA> I kept cleaning it out, and it would re-appear a couple months later!!!
MA> I finally figured out, that I was D/loading it in .zips, from a bbs
MA> that went down late last year... Mine was called Tai-pan Whipser
MA> Presente it was a harmless virus luckily! It only added attached
MA> to .com .exe a bit of it's own code which was Harmless..

I dont know if this is the same virus or not? But I wasnt going to take
any chances, later copying another old disk I got a CMOS Virus detected by
Thunderbyte & Norton & had Thunderbyte Delete it.
It's unusual to get a Virus from a BBS as most have their own Thd-Pro Scan
to catch anything. The ones I had were on Disks from friends which is the
easiest way to catch one.

... (hic) BWave 2.10 (hic) BWave 2.10 * My computer is drunk ...
--- GEcho 1.20/Pro
 * Origin: Slings & Arrows BBS St. Louis, Mo. (1:100/205.0)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGM00001  Date: 12/15/96
From: KENNETH J. RENAUD  Time: 02:27pm
\/To: RYAN DICKINSON  (Read 3 times)
Subj: Re: a virus??

-=> Quoting Ryan Dickinson to All <=-

RD> ok i think that i have myself a little problem on my hands...when
RD> ever i go to press either shift key i get either a "y" or a "{"
RD> repeatedly...is this a virus? i had already scanned my system with
RD> like 5 different programs,
RD> tbav,scan,f-prot,chekmate,msav,pc-cillin....and for some reason it
RD> keeps doin this...what else could be the problem if its not a virus?

Have you checked your keyboard? I had to clean mine with alcohol to get rid
of a nagging sticking key that was showing similar problems. I also had a
problem with Ripterm 1.54 putting different letters than I was typing.
Check them first before blaming it on a virus!

... RAM = Rarely Adequate Memory
--- GEcho 1.20/Pro
 * Origin: Slings & Arrows BBS St. Louis, Mo. (1:100/205.0)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGM00002  Date: 12/17/96
From: DMITRY MOSTOVOY  Time: 01:41pm
\/To: KURT WISMER  (Read 3 times)
Subj: Re: Here again!

Hi Kurt!

14 Dec 96, letter Kurt Wismer to Dmitry Mostovoy:

DM>> For example ADinf scans disks by direct call to BIOS entry
DM>> point

KW> i find this somewhat unlikely... int13 entry points in the bios are not
KW> constant for all bios (if they were, viruses would be having a field
KW> day)... now i suppose adinf could use tunneling to find the true int13
KW> entry points... but whats to stop a virus from blocking your tunnelling
KW> or from subverting your tunnelling?
KW> couldn't a kernel infector setup
KW> pmode type trapping to stop even port writes?... could a conventional
KW> virus patch the kernel in memory to achieve the same end?...

All your words are true, BUT!... Of course I know these problems and tried
to overcome them in ADinf. First of all, ADinf looks for BIOS Int 13h entry
point only once - at the first start. Then it stores the address and uses
stored one. As for all integrity checkers it is assumed that the first
start is at the non-infected computer to keep integrity information. So,
viruses can't prevent ADinf to access real BIOS entry point even if they
are in memory in the next starts. Moreover, while looking for the Int 13h
BIOS entry point at the first start, ADinf checks whether it is a real BIOS
or not.

Now about prot. mode viruses and possible viruses in flash BIOS. Before
calling saved Int 13h address, ADinf checks CRC of Int 13h handler at that
address. CRC was saved together with address at the first start. So, if a
virus changed a code in the hardware BIOS, ADinf will warn you about it.

KW> also, and i know this from experience, adinf (the version i tested,
KW> 10.02 i believe) can't use the secure mode you're talking about if your
KW> memory manager is using a stealth option (which my installation of qemm
KW> does)...

Yes, ADinf can't use direct BIOS access when QEMM works in the stealth
mode. In that case ADinf works via Int 13h chain. It is less reliable but
can find stealth viruses which use stealth methods at the level of Int 21h
and disk drivers. Of course BIOS access in ADinf is preferable because in
that mode ADinf can find all stealth viruses.

KW> perhaps, but your integrity files are open to attack if not stored on a
KW> floppy disk, and a new virus could certainly be made to block the
KW> loading of your program simply on the basis of it's exe header...

The 3-d time, YES! When any anti-virus program became popular virus writers
began to write viruses against it.
ADinf is very popular in the ex-USSR countries and many Russian viruses
tried to attack it. I did some things to prevent it and now I do not know
any virus which successfully attack ADinf. But if it will appear I'll do
everything to prevent it.

So conclusions:
1. There is no panacea against viruses. No one anti-virus program alone
   can provide successful defence.
2. If one use any anti-virus program, the latest version should be
   installed, because developer of the program looks at the virus situation
   and keeps the program actual.

KW> by the way, does adinf detect companion infectors? i have a couple
KW> companion bodies on my computer but i've never seen adinf complain
KW> about them...

ADinf detects if new files were created, or some files were renamed or
moved to another directory. It can help to detect companion viruses. By the
way, do any other integrity checker looks for deleted, moved and renamed
files?

DM>> More over! ADinf implements special algorithms which
DM>> compare information obtained by direct disk access sector-
DM>> by-sector through the BIOS and information obtained by DOS
DM>> functions. This comparation implemented in ADinf can find
DM>> any new active stealth virus. So stealth mechanism helps to
DM>> find infectors! :-)

KW> that will catch ordinary stealth viruses, will that catch sector level
KW> stealth viruses?

ADinf can find even viruses with a stealth methods on a HDD controller
level. One of such viruses is known "Hmm..." which hide itself by changing
sectors in the IDE HD controller buffer. The special algorithms are
implemented in ADinf to find such infectors too.

KW> my, oh my... it's good to see an actual av developer in this area
KW> again... :-)
KW> i hear bill lambdin was looking for anyone related to adinf to
KW> discuss a security concern a couple months ago... did he manage to
KW> get in touch with anyone and voice those concerns?

No. It seems to me that he could not find me or our company.
The easiest way to contact us is e-mail: antivir@dials.ru and our WWW site:
http://www.dials.ccas.ru.

KW> good product by the way... i'm amazed by the speed of the crc
KW> generation... :-)

Thank you for a good words... Speed is achieved thanks to the HD head
movement optimisation. ADinf scans drives on the sector level, optimising
the head movement.

With best regards,
Dmitry Mostovoy

--- GoldED 2.50+
 * Origin: DialogueScience, Inc.; E-mail: dmost@dials.ru (2:5020/69.4)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO  Ref: DGM00003  Date: 12/17/96
From: RYAN DICKINSON  Time: 08:11pm
\/To: KURT WISMER  (Read 3 times)
Subj: Re: a virus??

-> ansi bomb (and i was just telling someone else that these weren't muc
-> of a threat anymore) or hardware failure (you make have a short in yo
-> keyboard)...
->
-> ... wash, rinse, repeat...

yeh i did have ansi.sys loaded when it started...aight thanks

--- WM v3.10/92-0026
 * Origin: The Programmers Attic (713) 894-4429 (1:106/462)
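
The integrity-checking approach described in Dmitry Mostovoy's message above (a baseline of CRCs taken on a first run assumed clean, then reports of changed, new, deleted, renamed or moved files), as an added example that is not part of the original messages and is not ADinf's code. It works at file level through ordinary OS calls rather than by BIOS sector reads, uses CRC32, and the function names and sample files are constructed for illustration.

```python
import tempfile
import zlib
from pathlib import Path

def snapshot(root):
    """Map relative path -> CRC32 of contents for every file under root."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix(): zlib.crc32(p.read_bytes()) for p in files}

def compare(baseline, current):
    """Classify differences between the trusted baseline and the current state."""
    report = {k: [] for k in ("modified", "new", "deleted", "moved", "companion")}
    gone = {p: crc for p, crc in baseline.items() if p not in current}
    for path, crc in sorted(current.items()):
        if path in baseline:
            if baseline[path] != crc:
                report["modified"].append(path)
            continue
        # A vanished baseline file with the same CRC means a rename or move.
        old = next((p for p, c in sorted(gone.items()) if c == crc), None)
        if old is not None:
            report["moved"].append((old, path))
            del gone[old]
            continue
        report["new"].append(path)
        # A new .COM beside a same-named .EXE is the companion pattern: DOS runs the .COM first.
        stem, ext = path.lower().rsplit(".", 1) if "." in path else (path.lower(), "")
        if ext == "com" and stem + ".exe" in {p.lower() for p in current}:
            report["companion"].append(path)
    report["deleted"] = sorted(gone)
    return report

def demo():
    """Constructed sample tree: baseline on a clean state, then four changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in [("EDIT.EXE", b"MZ editor"), ("GAME.EXE", b"MZ game"),
                           ("TOOL.COM", b"\x90tool"), ("OLD.TXT", b"notes")]:
            (root / name).write_bytes(data)
        baseline = snapshot(root)                                 # first run, assumed clean
        (root / "GAME.EXE").write_bytes(b"MZ game plus appended bytes")  # modified
        (root / "EDIT.COM").write_bytes(b"\x90 stand-in body")     # new, shadows EDIT.EXE
        (root / "TOOL.COM").rename(root / "UTIL.COM")             # moved
        (root / "OLD.TXT").unlink()                               # deleted
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:10} {items}")
```

As Kurt Wismer notes in the thread, a baseline kept on the same disk is itself open to tampering; store it on write-protected media.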