--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00031
Date: 12/20/96 Time: 08:36pm
From: LEWIN EDWARDS
To: GEOFF WHITE (Read 3 times)
Subj: Macs

 GW> you really mustn't have much of a life eh? anyway, i have used plenty

Get in touch when you find a clue. In the meantime, I'd like you to meet a
friend of mine, /dev/nul.

-- Lewin A.R.W. Edwards [Team OS/2] Tel 0412809805 * http://www.zws.com/
--- MsgedSQ/2 3.35
 * Origin: ZWSBBS +61-3-98276881 (V.FC)/+61-3-98276277 (V.34) (3:634/396)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00032
Date: 12/21/96 Time: 12:00am
From: MICHAEL MUELLER
To: ALEXANDER KOVNERISTY (Read 3 times)
Subj: Is ADInf foolable? (was Re: Here again!)

Hi Alexander,

you wrote in /FIDO/VIRUS_INFO at 13 Dec 96:

 KW>> integrity data be collected for all files, that it can be stored
 KW>> off-line, and that the checker be run from a clean bootable floppy like
 KW>> any other av program...

 AK> Just try to do the following: infect your PC with your favourite virus, DO
 AK> NOT boot the PC from bootable floppy and run ADinf in BIOS disk access
 AK> mode. I hope you'll be wondering.

If I remember right there was at least one file virus infecting on Int 13h
calls. IMHO it was an EXE-header virus. So you may spread the virus all over
with ADInf.

Michael

--- CrossPoint v3.11
 * Origin: Never Make-A-Fee! (2:249/3040.55)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00033
Date: 12/21/96 Time: 03:24pm
From: MANUEL LLORENS
To: KURT WISMER (Read 3 times)
Subj: Virus & antivirus fu

Hello Kurt:

11 Dec 96 (at 11:22), Kurt Wismer wrote to Manuel Llorens:

 ML>> I think this echo is fine, and I know lots of people here
 ML>> havin' a lot of knowledge about virus/antivirus stuff. But
 ML>> many times this echo looks like a help echo, though I think

 KW> that's because so many people who have written viruses have also
 KW> released them...
 KW> i think fully half the hard feelings av guys have
 KW> towards viruses and virus writers is from the hassle they have to go
 KW> through cleaning up messes...

Yes, and that's not bad... of course.

 ML>> it could be something better (helping people's problems is

 KW> something better? in what way?

In the way I've described in the last msg. We could just improve it!

 ML>> On the other hand I think this is the place in Fido to talk about
 ML>> it. What do you think about that? How do you think future viruses
 ML>> will be? And antivirus? How do you think they _should_ be? Of

 KW> viruses in the future? vxd infectors would be my guess (if it hasn't
 KW> already been done)... possibly more kernel infectors, or possibly a
 KW> trend towards linux viruses if that free, multitasking operating

Probably...

 KW> system ever manages to encroach upon microsoft's market share... of
 KW> course then there's macro viruses for programs other than word... word
 KW> perfect maybe, or lotus, or any other popular application...

I think they will become more 'intelligent' since they can become bigger than
ever. Maybe they could have enough space to use some kind of 'heuristic' scan
of AV software, and so they could know what the AVs are doing :-???

 KW> though these days it seems that most virus groups have been flushed
 KW> down the drain by their own politics... the percentage of lame virus
 KW> hacks and "generated" viruses will probably increase because of it...

...and many new zines will help lamers to make new silly viruses...

 KW> as for the future of anti-virus, i can conceive of nothing more
 KW> convenient than scanning... it may be augmented by things like

hmmm... and integrity checkers will become almost perfect. Anyway there are
still some new techniques to avoid those checkers... I will be pleased to show
you by net if you like to, and only if you are going to use them right (don't
know if you have ever met some AV researcher).
Hope Rod doesn't kick me out since I'm only trying to show AV programmers some
new virus techniques that they may not know at the moment... and not trying to
show any others how to make more perfect viruses... at least not from this
echo ;-)

 KW> be of any use or b) implementing heuristics in a whole new way...

Like a complete PC emulator ;-))) That will be useful only to test some
specific program, but not to scan a HD; but sure it will be a perfect tool to
analyze viruses.

Greets :)

Patuel, Pilgrim
Cosysop of EDiSoN'S TeMPLe
patuel@temple.subred.org * no files please

... Perhaps only geniuses are true men.
--- FMail 1.02
 * Origin: Desde el Camino de Santiago... +34-1-5510065 (2:341/136.34)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00034
Date: 12/21/96 Time: 03:42pm
From: MANUEL LLORENS
To: KURT WISMER (Read 4 times)
Subj: stealth_C

Hello Kurt:

11 Dec 96 (at 10:59), Kurt Wismer wrote to Manuel Llorens:

 ML>> Run some good/recent AV program, like AVP or F-Prot. And
 ML>> reset immediately after that. Then boot from a clean floppy

 KW> i think you have this backwards... you have to boot from a clean
 KW> floppy and then run the anti-virus software... and stealth_c should be
 KW> easily gotten rid of by this method...

I know... but many times that works too. I've tested it. And it's faster if
you don't have a clean boot disk with clean AVs on it.

 ML>> If this way you can't get rid of it, then reformat HD. But

 KW> it is never, ever necessary to reformat a drive to disinfect it... and
 KW> in the case of stealth_c, which is a bootsector/mbr infector,
 KW> reformatting won't even get rid of the virus (it'll only get rid of
 KW> everything else)...

That's true... I was a bit out when I wrote that X'DDD too many answers in a
day ':-GG

Greets :)

Patuel, Pilgrim
Cosysop of EDiSoN'S TeMPLe
patuel@temple.subred.org * no files please

... :-| :-| :-| :-| :-| X-D :-| :-| :-|, and that one... what's he laughing at, eh?
--- FMail 1.02
 * Origin: Desde el Camino de Santiago... +34-1-5510065 (2:341/136.34)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00035
Date: 12/21/96 Time: 03:44pm
From: MANUEL LLORENS
To: ROLAND STINER (Read 3 times)
Subj: SWISS 2

Hello Roland:

13 Dec 96 (at 20:21), Roland Stiner wrote to Manuel Llorens:

 RS> My computer is working just fine.

Glad to hear that! ;-)

Greets :)

Patuel, Pilgrim
Cosysop of EDiSoN'S TeMPLe
patuel@temple.subred.org * no files please

... READ.ME files are for cowards. Be brave. Execute.
--- FMail 1.02
 * Origin: Desde el Camino de Santiago... +34-1-5510065 (2:341/136.34)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00036
Date: 12/21/96 Time: 03:44pm
From: MANUEL LLORENS
To: KURT WISMER (Read 3 times)
Subj: Here again!

Hello Kurt:

14 Dec 96 (at 09:28), Kurt Wismer wrote to Manuel Llorens:

 ML>> Yes, but there could be general techniques which are not
 ML>> reversible.

 KW> looking for... once you properly disassemble a scanner you can find
 KW> out *everything* it does, general techniques, specific strings,

I was saying that there could be some techniques which are not avoidable at
all... not saying I know them, at the moment. Anyway I was thinking of a PC
emulator, that wouldn't be reversible ;-)

 KW> besides which, there are enough people using integrity checking that
 KW> any virus you release won't get far before the av guys put out a fix
 KW> for it...

That's also right, but _some_ AV programs still say they can catch unknown
viruses, and that's not a good thing to say.

 ML>> programs) are really well organized. But they create a
 ML>> false secure feeling in their users.

 KW> i'll agree that they do create a false sense of security, but it isn't
 KW> directly the fault of the av producers in most cases... marketing
 KW> personnel are usually to blame, and there's also a certain amount of

Well, but AV producers should be responsible for their products.
 KW> willful ignorance on the user's part (though there have been a few av
 KW> producers who really should have kept their big yaps shut)... but

hmmm... that's a pity too...

 ML>> It was last summer in this echo area... but better if you
 ML>> have forgotten the discussion... I'd like to do the same.

 KW> i know the feeling...

That's a good beginning for both of us ;-)

Greets :)

Patuel, Pilgrim
Cosysop of EDiSoN'S TeMPLe
patuel@temple.subred.org * no files please

... Backup not found: (A)bort (P)anic (D)iarrhea
--- FMail 1.02
 * Origin: Desde el Camino de Santiago... +34-1-5510065 (2:341/136.34)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00037
Date: 12/21/96 Time: 03:50pm
From: MANUEL LLORENS
To: KURT WISMER (Read 3 times)
Subj: Here again!

Hello Kurt:

14 Dec 96 (at 10:07), Kurt Wismer wrote to Manuel Llorens:

 AK>> about integrity checkers? Can recent viruses avoid them? Before

 ML>> Most of them are also deceivable...

 KW> not if properly used.... boot clean and the virus won't be in memory
 KW> and won't be able to hide itself... keep the integrity files offline

I have to insist...

 KW> cannot infect a file without changing something somewhere... (and a

Not necessary. Believe me ;-)

Greets :)

Patuel, Pilgrim
Cosysop of EDiSoN'S TeMPLe
patuel@temple.subred.org * no files please

... Error #152 - Windows not found: (C)heer (P)arty (D)ance
--- FMail 1.02
 * Origin: Desde el Camino de Santiago... +34-1-5510065 (2:341/136.34)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00038
Date: 12/21/96 Time: 06:24pm
From: GORDON FREY
To: KURT WISMER (Read 3 times)
Subj: Macs

On (19 Dec 96) Kurt Wismer wrote to Paul Walker...

-=> Mocking Paul to John <=-

 KW> (Mock, mOck, moCk, mocK)

 PW> When you /boot/, then the /bootsector/ is /executed/. When
 PW> you do a directory, or copy/delete/etc. then the bootsector
 PW> isn't executed, in fact probably isn't even looked at.

 KW> not too sure about that one...
 KW> the computer has to read the media
 KW> descriptor byte, which i would imagine would be somewhere in the
 KW> bootsector...

No, it's in the FAT area, not the bootsector.

Gordon

... REDNECK: If you purchase earrings that double as fishing lures.
--- PPoint 1.92
 * Origin: From the Underground Zorkian Empire (1:105/40.42)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00039
Date: 12/21/96 Time: 07:16pm
From: GORDON FREY
To: RICK COLLINS (Read 4 times)
Subj: stealth_C

On (20 Dec 96) Rick Collins wrote to John Kismul...

-=> Quoting John Kismul to Kurt Wismer <=-
-=> FidoMail to 1:163/215, please. <=-

 jk> Yes but it's a good idea to format your HD when you have removed
 jk> the virus. Since the virus has probably done damage to your
 jk> files and they may not be working like they're supposed to.

 RC> You are particularly dense, aren't you?

 RC> Look, since you know all the answers, why do you ask so many
 RC> questions?

 RC> There is no need to format a disk after a virus infection. None at
 RC> all. Ever.

On the conservative side you should replace the infected files from your
original install disks, if there is ANY question about the scanner cleaning
them.

Gordon

... If guns cause crime, do matches cause arson?
--- PPoint 1.92
 * Origin: From the Underground Zorkian Empire (1:105/40.42)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO Ref: DGS00040
Date: 12/22/96 Time: 09:55am
From: THE VISIONARY
To: BRIAN PATTERSON (Read 3 times)
Subj: a virus??

 BP> No. Either keyboard failure, keyboard controller failure, or ansi
 BP> bomb. If you load ansi.sys, DON'T load it on next boot and see if
 BP> problem persists. If so, suspect keyboard or keyboard controller.

If he's rebooted, then the ANSI problem will have gone away, even if he IS
loading ANSI.SYS, because he would have had to 'type' the ANSI file to
re-"infect" his system (unless it was smart enough to put itself at the end of
his AUTOEXEC.BAT file).
I suggested a failing A20 line, which is probably the cause of the problems
he's seeing.

-The Visionary
visionary@brazerko.com

... A mistress is something between a mister and a mattress
-*- TurboEDIT v1.62 [MSP96]
--- WtrGate+ 0.93.PRE1 beta sn 116
 * Origin: hacker heaven bbs - #include (1:320/2600)
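Editor's added example, not part of the echo. The Mueller/Kovneristy and Llorens/Wismer exchanges above turn on one point: an integrity checker only proves "nothing changed" if the bytes it hashes really come from the disk. Wismer's conditions (boot clean, keep the baseline offline) are what make that true; Mueller's warning is that a checker run with a resident Int 13h-hooking virus in memory not only gets lied to but can spread the infection by touching every file. The Python below models both outcomes with a keyed SHA-256 baseline and a simulated resident stealth virus. The file names, the `MARKER` bytes, the key and the "infect on access" behaviour are all constructed for the demonstration; no real virus code is involved.

```python
"""Added example: a keyed file-integrity baseline, and what it sees when the
checker's reads pass through a memory-resident stealth virus."""
import hashlib
import hmac
import os
import tempfile

# Constructed demo key; a real checker keeps key and baseline off the machine.
BASELINE_KEY = b"demo-key-keep-offline"
MARKER = b"\x90\x90VIRUS"          # constructed stand-in for an appended virus body


def direct_read(path):
    """Reads straight from disk: what the checker sees after a clean floppy boot."""
    with open(path, "rb") as f:
        return f.read()


class ResidentStealth:
    """Simulated resident stealth virus hooking the read path.

    It remembers the original bytes of each host it infects so reads of an
    infected file return clean-looking data, and it infects any .com file it
    is asked to read (the infect-on-access behaviour Mueller describes).
    """

    def __init__(self):
        self.originals = {}

    def infect(self, path):
        if path in self.originals:
            return
        data = direct_read(path)
        self.originals[path] = data
        with open(path, "wb") as f:
            f.write(data + MARKER)

    def read(self, path):
        if path.endswith(".com") and path not in self.originals:
            self.infect(path)
        return self.originals.get(path, direct_read(path))


def _tag(entries):
    body = "\n".join(f"{p} {h}" for p, h in sorted(entries.items())).encode()
    return hmac.new(BASELINE_KEY, body, "sha256").hexdigest()


def build_baseline(paths, reader):
    entries = {p: hashlib.sha256(reader(p)).hexdigest() for p in sorted(paths)}
    return {"entries": entries, "tag": _tag(entries)}


def check(paths, baseline, reader):
    """Returns (baseline_authentic, list_of_changed_paths)."""
    if not hmac.compare_digest(_tag(baseline["entries"]), baseline["tag"]):
        return False, []
    changed = [p for p in sorted(paths)
               if hashlib.sha256(reader(p)).hexdigest() != baseline["entries"][p]]
    return True, changed


def demo():
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "a.com"), os.path.join(d, "b.com")
        for p, body in ((a, b"\xb8\x00\x4c\xcd\x21A"), (b, b"\xb8\x00\x4c\xcd\x21B")):
            with open(p, "wb") as f:
                f.write(body)
        baseline = build_baseline([a, b], direct_read)   # taken on a clean system

        virus = ResidentStealth()
        virus.infect(a)                                   # a.com now ends in MARKER

        # Checker run with the virus resident: every read goes through its hook,
        # a.com looks unchanged, and reading b.com infects it.
        ok_live, changed_live = check([a, b], baseline, virus.read)
        # Checker run after a clean boot: reads hit the disk directly.
        ok_clean, changed_clean = check([a, b], baseline, direct_read)

        # Someone patches the baseline entry for a.com but cannot re-key the tag.
        tampered = {"entries": dict(baseline["entries"]), "tag": baseline["tag"]}
        tampered["entries"][a] = hashlib.sha256(direct_read(a)).hexdigest()
        ok_tampered, _ = check([a, b], tampered, direct_read)

        return {
            "live_reports_clean": ok_live and changed_live == [],
            "clean_boot_flags": [os.path.basename(p) for p in changed_clean],
            "tampered_baseline_rejected": not ok_tampered,
        }


if __name__ == "__main__":
    print(demo())
```

The live run reports everything clean and leaves b.com infected behind it; the clean-boot run flags both files. The HMAC tag is what makes "keep the integrity files offline" enforceable: an attacker who can edit the baseline still cannot forge a tag without the key.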
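Editor's added example, not part of the echo, covering two disk-layout questions raised above: where the media descriptor byte lives (Frey vs. Wismer), and why formatting does not remove a master boot record infector such as the stealth_c Wismer describes. On a FAT volume the media descriptor appears twice: at offset 0x15 of the BIOS Parameter Block in the volume boot sector, and again as the first byte of each FAT copy, so both posters are pointing at a real copy of it. FORMAT rewrites the partition (boot sector, FATs, data area) but never LBA 0 of the disk, where the MBR and partition table sit. The Python builds a tiny constructed disk image to show both; the MBR boot code stub, the partition geometry and the `MBR_VIRUS` marker are invented for the demonstration.

```python
"""Added example: the two homes of the FAT media descriptor byte, and why
FORMAT leaves an MBR-resident infection in place."""
import struct

SECTOR = 512
MBR_VIRUS = b"STEALTH-MBR-BODY"     # constructed marker standing in for a virus body


def build_boot_sector(media, total_sectors, sectors_per_fat, reserved=1):
    """Constructed FAT12 volume boot sector with a DOS 3.3-style BPB."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                     # jmp short; nop
    bs[3:11] = b"MSDOS5.0"                        # OEM name
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     SECTOR,           # 0x0B bytes per sector
                     1,                # 0x0D sectors per cluster
                     reserved,         # 0x0E reserved sectors (the boot sector itself)
                     2,                # 0x10 number of FATs
                     16,               # 0x11 root directory entries
                     total_sectors,    # 0x13 total sectors (16-bit field)
                     media,            # 0x15 media descriptor byte
                     sectors_per_fat,  # 0x16 sectors per FAT
                     18, 2,            # 0x18 sectors per track, 0x1A heads
                     0, 0)             # 0x1C hidden sectors, 0x20 total sectors (32-bit)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def build_volume(media, total_sectors, sectors_per_fat=1):
    """Boot sector followed by two FAT copies; byte 0 of each FAT repeats the media byte."""
    fat = bytearray(sectors_per_fat * SECTOR)
    fat[0:3] = bytes([media, 0xFF, 0xFF])         # FAT12 entries 0 and 1
    return build_boot_sector(media, total_sectors, sectors_per_fat) + bytes(fat) * 2


def media_from_bpb(volume):
    return volume[0x15]


def media_from_fat(volume):
    reserved = struct.unpack_from("<H", volume, 0x0E)[0]
    return volume[reserved * SECTOR]              # first byte of FAT #1


def build_disk(part_start=63, part_sectors=64, media=0xF8):
    """Constructed disk image: MBR at LBA 0, one FAT12 partition at LBA part_start."""
    disk = bytearray(SECTOR * (part_start + part_sectors))
    mbr = bytearray(SECTOR)
    mbr[0:8] = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"   # cli / xor ax,ax / mov ss,ax / mov sp,7C00h
    # Partition entry 0 at 0x1BE: status, CHS start, type 0x01 (FAT12), CHS end, LBA start, size.
    struct.pack_into("<B3sB3sII", mbr, 0x1BE, 0x80, b"\x01\x01\x00", 0x01,
                     b"\x01\x3F\x00", part_start, part_sectors)
    mbr[510:512] = b"\x55\xAA"
    disk[0:SECTOR] = mbr
    vol = build_volume(media, part_sectors)
    disk[part_start * SECTOR:part_start * SECTOR + len(vol)] = vol
    return disk


def infect_mbr(disk):
    """An MBR infector overwrites part of the boot code in LBA 0."""
    disk[0x40:0x40 + len(MBR_VIRUS)] = MBR_VIRUS


def format_partition(disk, part_start, part_sectors, media=0xF8):
    """Models FORMAT: rewrites the partition (boot sector, FATs, data area)
    and never touches LBA 0, where the MBR and partition table live."""
    start, end = part_start * SECTOR, (part_start + part_sectors) * SECTOR
    disk[start:end] = bytes(end - start)
    vol = build_volume(media, part_sectors)
    disk[start:start + len(vol)] = vol


def mbr_is_infected(disk):
    return MBR_VIRUS in bytes(disk[:SECTOR])


def demo():
    disk = build_disk()
    infect_mbr(disk)
    before = mbr_is_infected(disk)
    format_partition(disk, 63, 64)
    after = mbr_is_infected(disk)
    volume = bytes(disk[63 * SECTOR:])
    return {
        "media_from_bpb": media_from_bpb(volume),
        "media_from_fat": media_from_fat(volume),
        "mbr_infected_before_format": before,
        "mbr_infected_after_format": after,
    }


if __name__ == "__main__":
    print(demo())
```

Both lookups return the hard-disk media byte 0xF8 from the freshly formatted volume, and the marker written into LBA 0 survives the format untouched, which is exactly why the fix for an MBR infector is rewriting the MBR (for example with FDISK /MBR after a clean boot), not formatting the partition.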
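Editor's added example, not part of the echo, for the ANSI-bomb exchange between Patterson and The Visionary. ANSI.SYS accepts a keyboard-reassignment sequence of the form ESC [ key ; replacement ... p, where the key is an ASCII code (13 is Enter) or 0;scancode for extended keys (0;59 is F1), and the replacement is any mix of codes and "quoted strings". TYPEing a file that contains one rewrites the key table inside the resident driver, which is why a reboot clears it unless something TYPEs the file again. The scanner below lists such sequences in a text and strips them while leaving colour and cursor sequences alone. The sample text and its payloads are constructed.

```python
"""Added example: find and neutralize ANSI.SYS key-reassignment sequences
(the mechanism behind an 'ANSI bomb') before a file is TYPEd."""
import re

# ANSI.SYS keyboard reassignment: ESC [ key ; replacement... p
# Each parameter is a decimal code or a "quoted string"; the final byte is 'p'.
# Colour/cursor sequences end in other letters (m, H, J, ...) and are harmless.
PARAM = r'(?:\d+|"[^"]*")'
KEY_REDEF = re.compile(r'\x1b\[(' + PARAM + r'(?:;' + PARAM + r')*)p')
TOKEN = re.compile(r'"[^"]*"|\d+')

EXTENDED = {59: "F1", 60: "F2", 61: "F3", 62: "F4", 63: "F5",
            64: "F6", 65: "F7", 66: "F8", 67: "F9", 68: "F10"}


def _tokens(raw):
    """Split the parameter list into ints and unquoted strings."""
    return [t[1:-1] if t.startswith('"') else int(t) for t in TOKEN.findall(raw)]


def _name(code):
    return "<Enter>" if code == 13 else f"<{code}>"


def _render(items):
    return "".join(_name(it) if isinstance(it, int) else it for it in items)


def find_key_redefinitions(text):
    """Returns (key_name, replacement_text) for every key reassignment found."""
    hits = []
    for m in KEY_REDEF.finditer(text):
        params = _tokens(m.group(1))
        if not params:
            continue
        if params[0] == 0 and len(params) > 1 and isinstance(params[1], int):
            key, rest = EXTENDED.get(params[1], f"ext{params[1]}"), params[2:]
        elif isinstance(params[0], int):
            key, rest = _name(params[0]), params[1:]
        else:
            key, rest = params[0], params[1:]        # key given as a quoted character
        hits.append((key, _render(rest)))
    return hits


def neutralize(text):
    """Strips key reassignments; colour and cursor sequences are left in place."""
    return KEY_REDEF.sub("", text)


# Constructed sample: a friendly banner plus two key remaps hidden in the text.
SAMPLE = (
    "\x1b[1;31mWelcome!\x1b[0m\r\n"               # ordinary colour sequences
    '\x1b[13;"dir c:\\";13p'                      # remaps Enter to type a command and press Enter
    '\x1b[0;59;"echo hi";13p'                     # remaps F1 the same way
    "Enjoy the file!\r\n"
)

if __name__ == "__main__":
    for key, what in find_key_redefinitions(SAMPLE):
        print(f"{key} -> {what!r}")
    print(repr(neutralize(SAMPLE)))
```

Run this over a file before TYPEing it with ANSI.SYS loaded; anything it lists is a key remap, and `neutralize` gives you a copy that is safe to display. Note that a file that only ever passes through a pager or editor never reaches the driver's escape parser, so it cannot re-arm the remap from there.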