--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1C00012
Date: 01/06/97   Time: 10:23am
From: PAT SULLIVAN
  To: JASON CONNORS (Read 3 times)
Subj: Anti-exe

JC> Has anyone heard of a virus called anti-exe ???? My mother's
JC> work was hit by this virus along with 2 others, but this one is
JC> unknown to me. Any information about this virus will be greatly
JC> appreciated (sp?).

We got hit with that one at work too. Very prolific virus, although it
doesn't really do any damage. It's a simple stealthed boot-sector
infector. Basically, once it infects your HD boot sector, it becomes
resident on every boot, and infects the boot sector of every floppy disk
you use while it's resident. There is a single file (an .EXE, thus the
name) that the virus supposedly attacks, but I haven't seen anyone who
knows what it is. We picked it up before we had put any antivirus
contingencies in place, and by the time we discovered it, it had
infected 4 out of 6 PCs in the department, and I found it on over 100
floppy disks.

|)(|

... Smash forehead on keyboard to continue...
TLX v3.30
--- GEcho 1.20/Pro
 * Origin: The Butch's Block - Bridgewater,MA - 508-697-2904 (1:101/575)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1C00013
Date: 01/07/97   Time: 04:39pm
From: BILL CLARK
  To: RICK COLLINS (Read 3 times)
Subj: stealth_C

On (04 Jan 97) Rick Collins wrote to John Kismul...

RC> You might argue that it's easier to FORMAT. Well, you'll be wrong,
RC> and I'll save you the trouble by telling you why: if you FORMAT,
RC> then the _first_ thing you have to do is re-install your OS. Then,
RC> you may have to re-install and configure your backup software. After
RC> you do that, you can do your restore from backup. Now, if you didn't
RC> FORMAT, all you'd have to do is the last step - the restore.

While I wholeheartedly agree with your point about not bothering to
format, you are making way too much of a project out of your restore
description.
Decent backup software should be able to operate from a bootable floppy
and restore everything, including the OS, with one command per
partition.

-bc-
bclark@rochgte.fidonet.org

--- PPoint 2.00
 * Origin: The /\/\ountain point of view (N.H.) (1:132/180.1)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1C00014
Date: 01/07/97   Time: 09:21pm
From: PATRICK AHLBRECHT
  To: RICK COLLINS (Read 3 times)
Subj: Re: stealth_C

RC>What about it? FDISK/MBR will rewrite the boot sector, and any
RC>number of AV programs will eliminate a boot sector infection.

By the way, are there any boot sector viruses bigger than 512 bytes?
This would mean they had to store parts of their code in other areas of
the disk (for example clusters marked as bad). In this case FDISK
wouldn't get rid of the whole virus (only the starter routine).

--- CrossPoint v3.02
 * Origin: Wir schreiben das Jahr 19 n. Patrick (2:2435/708.36)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1C00015
Date: 01/05/97   Time: 09:24pm
From: RICHARD ST. JOHN
  To: KURT WISMER (Read 3 times)
Subj: Re: Virus Scaners Compar

Simple question...... have you by chance done some in-depth scanner
comparisons {not just one or two, but a complete comparison} that people
would be able to see the data available? If so, please post it, as I
would like to see the work that was done as well as the information
gathered. If not, then I will continue to refer people to the
information presented on the Virus Bulletin web page, as they HAVE done
the work. Their testing methods may not encompass ALL viruses out there,
but their methods are at least presented and available, as are the
results.

RS

... "Bother," said Pooh, & pulled the detonator killing the dictator.
--- GEcho 1.20/Pro
 * Origin: Slings & Arrows BBS St. Louis, Mo. (1:100/205.0)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1C00016
Date: 01/06/97   Time: 03:21pm
From: KURT WISMER
  To: ANDREW KORMANIK (Read 3 times)
Subj: Re: here again!
-=> Mocking Andrew to Kurt <=- (Mock, mOck, moCk, mocK)

KW> what is the benefit of using a resident scanner if you already scan
KW> all incoming materials rigorously? i know vxd's are becoming
AK> --Snip--
AK> You can also implement a behaviour blocker as a VXD right? He said
AK> resident protection, in my book that includes scanning and behaviour
AK> blocking.

ok, unnecessary generalization on my part...

KW> whether the change is caused by a virus or not is irrelevant... all
KW> that is relevant is whether the change was authorized... if not,
KW> delete and replace... it could have been altered by someone wishing
KW> to cause trouble, it could have been corrupted, it could have been
KW> infected, but it doesn't matter because when it's been changed and
KW> the change wasn't a desired effect the change has to be rectified
KW> regardless of what caused it...
AK> And the majority of users...
AK> 1) Update their integrity checkers database regularly
AK> 2) Backup their files
AK> 3) Remember which files they modified or which files modify themselves

i realize none of these is actually true, but they could easily be made
true...

AK> And look at newer viral threats like Doc viruses that can really
AK> inconvenience someone using an integrity checker.

doc viruses don't offer any bigger a security threat than slow infectors
as far as integrity checking goes...

KW> integrity checkers require less expertise than heuristic scanner
KW> reports... all a user needs to know is which files were supposed to
KW> change - these are almost invariably the files the user was
KW> actually working on (which is knowledge that the user should
KW> already have)...
AK> What about Doc viruses then?

they'll know which documents they have worked on, and which they
haven't... they'll most certainly know whether or not they've made any
changes to the default macros (thus telling them whether normal.dot
should be exhibiting any changes or not)...

... quantum chromodynamics - the RGB nature of the universe...
--- Maximus 2.02
 * Origin: Virus Watch BBS ,[(416)654-3814] (1:250/503)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1C00017
Date: 01/08/97   Time: 11:04am
From: RYDELL ARKADY SVOBODOV
  To: CALVIN LICHTY (Read 3 times)
Subj: Virus Library

CL> Hello fellow Hackers, Lurkers, Tech-Heads, and Crashers,
CL>
CL> I am looking for any and all viruses you have. I am trying to collect and
CL> build the largest library in the world.
CL>
CL> I would also like to know if there is anyone who would
CL> like to "collaborate"
CL> in the creating of a virus. The info on the virus shall
CL> be kept confidential
CL> until someone requests the 411.
CL>
CL> All I can say is that it will be a virus undetectable until it is in its
CL> final stages of processing.
CL>
CL> See you all on the flip side,... and "Hack the Establishment"!!!!!
CL>
CL> --- TriToss (tm) Professional 10.0 - #172
CL>  * Origin: The Outer Limits BBS * Tarpon Springs, FL * (1:3619/37.0)

How do I contact you?

--- Maximus 3.01
 * Origin: rADiO_fREe_okC NuKe wHQ 405.634.9963! (1:147/69)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1C00018
Date: 01/07/97   Time: 08:55pm
From: JOHN KISMUL
  To: KURT WISMER (Read 3 times)
Subj: stealth_C

KW> JK> Because there would probably be files just laying around on the hard
KW> JK> drive and taking space, files which I don't need. And also, maybe the
KW> JK> antivirus software did not find all the infected files and then it
KW> JK> would be safer to format the hard drive instead of risking that you
KW> JK> might get the virus back.
KW>
KW> you are incredibly paranoid, you know that... if you use an integrity
KW> checker properly you will be able to identify ALL changed files, no
KW> matter what... ergo, no need to worry about viruses slipping through the
KW> cracks...

Stealth viruses are able to infect files without getting detected.
Not all of them, but there are some of them that won't be detected by
the integrity checker.

... nfx v2.9 [C0000]
--- BBBS/D v3.33 How-C
 * Origin: Circle of Protection - +47 55961259 (2:211/37)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1C00019
Date: 01/07/97   Time: 08:55pm
From: JOHN KISMUL
  To: RICK COLLINS (Read 3 times)
Subj: stealth_C

RC> jk> maybe the antivirus software did not find all the infected files
RC> jk> and then it would be safer to format the hard drive instead of
RC> jk> risking that you might get the virus back.
RC>
RC> That's not how AV software works. If it finds an infection, it will
RC> either clean the file (which may leave it non executable) or tell you
RC> that it can't clean the file and suggest you delete it.

Yes, but that was not my point; it was that if the scanner had not found
all the infected files after an infection, it would be safer to format
or at least kill all files.

RC> If you subscribe to this last point you raised, then I would suggest
RC> you should format and re-install all your software every time you use
RC> your computer - just in case your scanner missed a virus.

Only if I get an infection. It's better to kill all your executable
files, just in case, instead of taking a risk.

... nfx v2.9 [C0000]
--- BBBS/D v3.33 How-C
 * Origin: Circle of Protection - +47 55961259 (2:211/37)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1C00020
Date: 01/07/97   Time: 08:55pm
From: JOHN KISMUL
  To: RICK COLLINS (Read 3 times)
Subj: Virus infect picture'

RC> JK> Answer ONE:
RC> JK> You asked "Will it?"
RC> JK> And I answered, Yes it will.
RC>
RC> Incomplete. You stated "with a virus in memory". A virus in the
RC> disk read buffer will _not_ infect the system because the contents of
RC> the disk read buffer are not executed.

Well, when a virus is in memory it is not in the disk buffer.

RC> JK> And I answered, Because when the VIRUS is active in memory
RC> JK> it checks all the files that get executed or accessed, and
RC> JK> if the virus finds a file it wants to infect it will infect
RC> JK> it.
RC>
RC> You have changed your position. You now are stating "the virus is
RC> _active_ in memory". Your original post said only "in memory". The
RC> key element here is "active" - and the fact that you didn't mention
RC> that point is _why_ I asked "where in memory" and "what causes the IP
RC> to point to those addresses".

Have YOU ever heard of a virus that just is in memory without doing
ANYTHING? I never have.

RC> Which doesn't answer the question. The answer, of course, is because
RC> the virus is _active_ in memory, by definition, the IP will point to
RC> and execute the virus instructions. The point of that question was
RC> to lead you to the point of saying or appreciating that the virus
RC> must be "active" - meaning that the CPU will, at some point, execute
RC> the virus instructions, and simply being "in memory" wasn't enough.

Yes, but of course I know that the virus must be active in memory.

... nfx v2.9 [C0000]
--- BBBS/D v3.33 How-C
 * Origin: Circle of Protection - +47 55961259 (2:211/37)

--------------- FIDO MESSAGE AREA==> TOPIC: 171 VIRUS INFO   Ref: E1D00000
Date: 01/07/97   Time: 04:41pm
From: KURT WISMER
  To: CALVIN LICHTY (Read 3 times)
Subj: Re: Virus Library

-=> Mocking Calvin to All <=- (Mock, mOck, moCk, mocK)

CL> Hello fellow Hackers, Lurkers, Tech-Heads, and Crashers,
CL>
CL> I am looking for any and all viruses you have. I am trying to collect
CL> and build the largest library in the world.

so that you can (as aristotle put it) claim that yours is bigger?
anyways, your requests are against the rules, you should really try
lurking yourself for a little while so you can find out what the rules
are...

... E = mc^2 = mv{photon}^2 = m(d^2)/(t^2) = mad = Fd = W...
~~~ TGWave v1.20 Beta-07+
--- Telegard 3.02/Gecho
 * Origin: fks Online! * Ontario, Canada * (905)820-7273 * (1:259/423)
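Added example, not code from any poster in this thread: a small Python integrity checker in the spirit of the approach Kurt Wismer argues for in Ref E1C00016 (any change that was not expected gets reported and reverted, whatever caused it), which also covers Patrick Ahlbrecht's question in Ref E1C00014 by treating the 512-byte MBR as one monitored object and reporting separately whether its boot-code area (the part FDISK /MBR rewrites) or its partition table differs from the known-good copy. The file names, file contents and boot-code bytes are constructed placeholders; the MBR layout constants (446 bytes of code, a 64-byte partition table of four 16-byte entries, the 55AA signature) are the standard PC layout and are not taken from the thread.

```python
import hashlib
import struct

# Standard PC MBR layout (assumption stated in the lead-in, not from the thread).
MBR_SIZE = 512
CODE_END = 446          # bytes 0-445: boot code, the region FDISK /MBR rewrites
PTABLE_END = 510        # bytes 446-509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510-511


def digest(data: bytes) -> str:
    """SHA-256 of an object's contents; the baseline stores only these."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(objects: dict) -> dict:
    """Record a digest for every monitored object (file bodies or boot sectors)."""
    return {name: digest(data) for name, data in objects.items()}


def check_integrity(objects: dict, baseline: dict) -> dict:
    """Report every object that differs from the baseline.  The cause is not
    judged here: a change the user did not intend has to be reverted whether a
    virus, corruption or a person produced it."""
    current = build_baseline(objects)
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries: status, type, LBA start, sector count
    (the CHS fields are skipped with '3x')."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, CODE_END + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def mbr_diff(mbr: bytes, baseline_mbr: bytes) -> dict:
    """Say which region of a 512-byte MBR changed and whether the signature is intact."""
    if len(mbr) != MBR_SIZE or len(baseline_mbr) != MBR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    return {
        "signature_ok": mbr[PTABLE_END:] == SIGNATURE,
        "code_changed": mbr[:CODE_END] != baseline_mbr[:CODE_END],
        "ptable_changed": mbr[CODE_END:PTABLE_END] != baseline_mbr[CODE_END:PTABLE_END],
    }


def make_sample_mbr(code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code padded to 446 bytes, one
    bootable type-06 partition starting at LBA 63, three empty entries, signature."""
    body = code.ljust(CODE_END, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 200000)
    return body + entry + b"\x00" * 48 + SIGNATURE


def demo() -> dict:
    """Constructed scenario: baseline a clean system, then check a later state in
    which the MBR boot code and one file differ from the baseline."""
    clean_mbr = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")  # placeholder boot-code bytes
    objects = {
        "C:\\DOS\\COMMAND.COM": b"constructed sample file contents",
        "C:\\WINDOWS\\WIN.COM": b"another constructed sample",
        "MBR": clean_mbr,
    }
    baseline = build_baseline(objects)

    later = dict(objects)
    later["MBR"] = make_sample_mbr(b"\xeb\x3c\x90" + b"X" * 100)  # different loader bytes
    later["C:\\WINDOWS\\WIN.COM"] = objects["C:\\WINDOWS\\WIN.COM"] + b" + unexpected bytes"

    report = check_integrity(later, baseline)
    report["mbr"] = mbr_diff(later["MBR"], clean_mbr)
    return report


if __name__ == "__main__":
    print(demo())
```

Two caveats that the thread itself raises apply to any checker of this kind. The comparison is only as good as the bytes it reads, so the baseline and the checks should be taken from a clean boot (a write-protected boot floppy) rather than with the normal system running, which is the situation John Kismul describes in Ref E1C00018 where a resident stealth virus can hide its changes. And because `mbr_diff` compares only the 512-byte sector, a virus that keeps most of itself elsewhere on the disk, as Patrick Ahlbrecht suggests, shows up here only as a changed loader; the checker would have to monitor those other sectors too, and rewriting the MBR alone would remove only what this function can see.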