
antiEXE Virus


Donkey

May 2, 1996

WOW, it is popular now...I just cleaned it off my system....but...here
is the funny part.

I copied a small exe file off my school computer and ran it at
home...my classmate did the same...he copied it from the school net as
well. two weeks L8r we both had the antiEXE virus. When I cleaned my
system it repaired the MBR and found no infected files on any of my
drives and I scanned all of my floppies. That was the only file we
had in common EVER so we thought it must have been the file we copied
off the school net. So when we scanned it with a bunch of scanners, it
came up clean. (OH yeah, and my friend lent the disk to his friend and
when he ran it, he had his resident scanner running and it saw it in a
flash so we know it was the file we got off the net.)
Our school is only a few months old and the network is still being
worked on and as far as I know there is no virus protection yet (I
don't think they are too worried since they have it set up so we can't
run anything [there is no access to DOS [well, almost, I can
get it :)] and you can not run anything in windows, they took out the
file menu in program manager and they took out file manager..and
anything else that will run progs...] The file we copied was on a Read
Only drive...but...As far as I understand...the antiEXE virus won't do
too much 'til the computer is booted from an infected floppy and I
don't think they will be booting the servers off floppy too often :-)
so is the network infected?

I asked my teacher if he had ever heard of the antiEXE virus and he
said no. I did not want to ask too many questions because he would
suspect me :-)

so..what does anyone think? I have no idea....:-)


Donkey

George Wenzel

May 2, 1996

In article <3189188d...@news.rogerswave.ca>, don...@rogerswave.ca wrote:
>WOW, it is popular now...I just cleaned it off my system....but...here
>is the funny part.
>
>I copied a small exe file off my school computer and ran it at
>home...my classmate did the same...he copied it from the school net as
>well. two weeks L8r we both had the antiEXE virus. When I cleaned my
>system it repaired the MBR and found no infected files on any of my
>drives and I scanned all of my floppies.

Anti-exe is a boot sector virus, so it's highly unlikely that that particular
file carried it to your computer (it could have, but you'd have to
intentionally put it into your boot sector to be infected). Have you and your
friend shared disks? That's the likely infection method.

>That was the only file we
>had in common EVER so we thought it must have been the file we copied
>off the school net.

Perhaps that was the only common file, but what about common disks? Did you
share floppies at all?

>So when we scanned it with a bunch of scanners, it
>came up clean. (OH yeah, and my friend lent the disk to his friend and
>when he ran it, he had his resident scanner running and it saw it in a
>flash so we know it was the file we got off the net.)

Did this other person find a virus in the file or on the disk boot sector?

>Our school is only a few months old and the network is still being
>worked on and as far as I know there is no virus protection yet (I
>don't think they are too worried since they have it set up so we can't
>run anything [there is no access to DOS [well, almost, I can
>get it :)] and you can not run anything in windows, they took out the
>file menu in program manager and they took out file manager..and
>anything else that will run progs...] The file we copied was on a Read
>Only drive...but...As far as I understand...the antiEXE virus won't do
>too much 'til the computer is booted from an infected floppy and I
>don't think they will be booting the servers off floppy too often :-)
>so is the network infected?

If one of the computers on the network is booted from a floppy, the virus has
the potential of spreading across the network. It's likely that somewhere
along the lines, one of the server computers was booted from an infected
floppy, and things spread from there. It'd be a really good idea for them to
get some good virus protection, since schools can get outrageous discounts on
AV software.

>I asked my teacher if he had ever heard of the antiEXE virus and he
>said no. I did not want to ask too many questions because he would
>suspect me :-)

:-) Don't go talking about viruses too much around the school... I made that
mistake back in high school (not that long ago), and the teacher that took
care of the network immediately suspected me when the network was infected
with Monkey. Needless to say, I was the one that knew enough to REMOVE the
virus, and I even managed to track down the infection path (the school was
small, so it wasn't that hard). The person that infected the system ended up
being the guy they hired to install some of the network software (go
figure...)

Regards,

George Wenzel

George Wenzel <gwe...@gpu.srv.ualberta.ca>
Student of Wado Kai Karate, University of Alberta Karate Club
NETSCAPE <tm> GOLD RUSH CONTEST WINNING PAGE: http://www.ualberta.ca/~gwenzel/

dc

May 3, 1996

gwe...@gpu.srv.ualberta.ca (George Wenzel) wrote:

>>[snip]


>>As far as I understand...the antiEXE virus wont do
>>too much til the computer is booted from an infected floppy and I
>>don't think they will be booting the servers off floppy too often :-)
>>so is the network infected?

>If one of the computers on the network is booted from a floppy, the virus has
>the potential of spreading across the network. It's likely that somewhere
>along the lines, one of the server computers was booted from an infected
>floppy, and things spread from there.

>[snip]

Booting a server from an infected floppy will not spread an MBR virus
across a network. I'm surprised you don't know this, considering you
maintain a faq about viruses.....

Bruce Burrell

May 4, 1996

dc (d...@dc.com) wrote:
> gwe...@gpu.srv.ualberta.ca (George Wenzel) wrote:
>
> >In article [snip] don...@rogerswave.ca wrote:
>
> >>[snip]
> >>As far as I understand...the antiEXE virus wont do
> >>too much til the computer is booted from an infected floppy and I
> >>don't think they will be booting the servers off floppy too often :-)
> >>so is the network infected?
>
> >If one of the computers on the network is booted from a floppy, the
> >virus has the potential of spreading across the network. It's likely
> >that somewhere along the lines, one of the server computers was booted
> >from an infected floppy, and things spread from there.
> >[snip]
>
> Booting a server from an infected floppy will not spread an MBR virus
> across a network.

Not with AntiEXE, perhaps, but it could with a multipartite virus,
e.g., Junkie.

> I'm surprised you don't know this, considering you maintain a faq about
> viruses.....

Ahhh, we all make mistakes, and this one is pretty minor. I suspect
that he knows it, but overlooked which BSI it was.

I don't know whether I'm surprised that you don't know this (or perhaps
that you overlooked it), because this is the first post I recall seeing
from you. Welcome to alt.comp.virus!

-BPB


George Wenzel

May 4, 1996

In article <4me49g$b...@news1.t1.usa.pipeline.com>, d...@dc.com wrote:
>>If one of the computers on the network is booted from a floppy, the virus has
>>the potential of spreading across the network. It's likely that somewhere
>>along the lines, one of the server computers was booted from an infected
>>floppy, and things spread from there.
>>[snip]
>
>Booting a server from an infected floppy will not spread an MBR virus
>across a network. I'm surprised you don't know this, considering you
>maintain a faq about viruses.....

Directly across the network, no. But if somebody uses a floppy in the server
(which happens often enough on the servers I've seen), the floppy gets
infected. If that floppy (or others used in the server) is passed on to other
computers (on or off the network), and they're booted from that floppy, then
the other computers get infected. It starts off slowly, but then you get
geometric spreading, which is a bad thing.

I'm sorry if I was unclear...

Sandy Perle

May 5, 1996

gwe...@gpu.srv.ualberta.ca (George Wenzel) wrote:
>
>Directly across the network, no. But if somebody uses a floppy in the server
>(which happens often enough on the servers I've seen), the floppy gets
>infected. If that floppy (or others used in the server) is passed on to other
>computers (on or off the network), and they're booted from that floppy, then
>the other computers get infected. It starts off slowly, but then you get
>geometric spreading, which is a bad thing.
>
>I'm sorry if I was unclear...

Last week a friend of my son was here and was going to copy some files
he had downloaded from the net to my system so my son could use them
in a school project. My son came in and said, "Dad, the system says
there is a virus." I went in, this being the first check of my Dr.
Solomon's that I had bought a few months ago, and sure enough, it
detected the antiexe virus on the 3.5" disk. I ran the repair and it
cleaned the disk for my son's friend. He told me that it was a brand
new disk and that the files came from the net. He also said that he
ran McAfee virus checker on it. I told him to go out and buy a "real"
virus checker, like Dr. Solomon's. He was impressed that our program
found the virus and McAfee didn't.

So, the software paid off .. and I have now been able to say, I've
seen it work!!!

Regards all,
-----------------------------------------------
Sandy Perle - Juno Beach, Florida - USA
http://www.wp.com/54398/home.html
-----------------------------------------------

Dr Alan Solomon

May 6, 1996


In article <318ce30...@nntp.ix.netcom.com>, Sandy Perle (san...@ix.netcom.com) writes:
>
>Last week a friend of my son was here and was going to copy some files
>he had downloaded from the net to my system so my son could use them
>in a school project. My son came in and said, "Dad, the system says
>there is a virus." I went in, this being the first check of my Dr.
>Solomon's that I had bought a few months ago, and sure enough, it
>detected the antiexe virus on the 3.5" disk. I ran the repair and it
>cleaned the disk for my son's friend. He told me that it was a brand
>new disk and that the files came from the net. He also said that he
>ran McAfee virus checker on it. I told him to go out and buy a "real"
>virus checker, like Dr. Solomon's. He was impressed that our program
>found the virus and McAfee didn't.
>
>So, the software paid off .. and I have now been able to say, I've
>seen it work!!!

Glad we could help. But I'd suggest that you check out your son's computer
too, in case that has the same virus. Also, any other computer that
diskette has been in, because it got the virus from somewhere, and it
couldn't have come from the net, as it's a boot sector virus.

--
Dr Alan Solomon, the man behind Dr Solomon's Anti Virus Toolkit
US tel (617) 273 7400 UK tel +44 1296 318700
Files: http://www.drsolomon.com CIS: GO DRSOLOMON AOL: VIRUS
Email: drso...@drsolomon.com CIS: 101377,3677 AOL: DrASolly
Personal: drs...@ibmpcug.co.uk http://www.ibmpcug.co.uk/~drsolly

Patrick Gosh

May 8, 1996

I use the latest version of McAfee (2.2.11) for Windows and it
finds and cleans the ANTIEXE virus with no problem. I had a disk
given to me that was infected with ANTIEXE and had been scanned by
an older version of McAfee and that older version had not
detected it.

There's a lesson here. ALWAYS use the latest and greatest
version of whatever anti-virus package you use.

Sandy Perle

May 10, 1996

drs...@chartridge.win-uk.net (Dr Alan Solomon) wrote:

>
>Glad we could help. But I'd suggest that you check out your son's computer
>too, in case that has the same virus. Also, any other computer that
>diskette has been in, because it got the virus from somewhere, and it
>couldn't have come from the net, as it's a boot sector virus.
>

It was my son's friend who brought the disk with the virus to my home,
and it was my computer that found it, since I had Dr. Solomon's
installed. I told my son's friend to go home and check his system and
not to use the McAfee he had been using, since it didn't find the
virus. I strongly suggested he invest in Dr. Solomon's, and he knew why
when he saw it detect it immediately!!!!

Dr Alan Solomon

May 11, 1996


In article <3193b544...@nntp.ix.netcom.com>, Sandy Perle (san...@ix.netcom.com) writes:
>drs...@chartridge.win-uk.net (Dr Alan Solomon) wrote:
>
>>
>>Glad we could help. But I'd suggest that you check out your son's computer
>>too, in case that has the same virus. Also, any other computer that
>>diskette has been in, because it got the virus from somewhere, and it
>>couldn't have come from the net, as it's a boot sector virus.
>>
>
>It was my son's friend who brought the disk with the virus to my home,
>and it was my computer that found it, since I had Dr. Solomon's
>installed. I told my son's friend to go home and check his system and
>not to use the McAfee he had been using, since it didn't find the
>virus. I strongly suggested he invest in Dr. Solomon's, and he knew why
>when he saw it detect it immediately!!!!

It would seem that the product your son's friend was using has a
systematic problem in detecting any boot sector viruses that use stealth
(which means a great many of them). I would guess that there's a fair few
PCs around today that have one of the common boot sector viruses, and
McAfee, and the two live peaceably together.

Question for Ken Stieers, or any McAfee person around. Did you know about
this problem? How long has it been in your software? Which versions have
the problem? Am I wrong about it being a problem - Ken seems to think it
exists, and he ought to know!

Most importantly - have McAfee users been told by the company about it?
Because if they haven't, that would explain why so many of them seem to
be blissfully unaware that they can have Antiexe (or some other stealth
virus) as well as their antivirus.

Or am I completely wrong on this. Jimmy? Are you here?

--
Dr Alan Solomon, Chairman of AuthenTec Data Recovery

Bob Witham Jr.

May 13, 1996

Dr Alan Solomon wrote:
>
> Most importantly - have McAfee users been told by the company about it?
> Because if they haven't, that would explain why so many of them seem to
> be blissfully unaware that they can have Antiexe (or some other stealth
> virus) as well as their antivirus.
>

I've seen others post that McAfee does not detect ANTIEXE. I really don't
know how you folks are using the software, but you do have to actually run
the program to detect the virus. We use it where I work, and we do detect
ANTIEXE from time to time. Of course, you could claim that we don't detect
all occurrences of it. It is easy to CLAIM anything to be true. If you say
it long enough and loud enough, somebody will begin to believe you even if it
is not true.

Bruce Burrell

May 13, 1996

Bob Witham Jr. (robert.l....@state.me.us) wrote:
> Dr Alan Solomon wrote:
> >
> > Most importantly - have McAfee users been told by the company about it?
> > Because if they haven't, that would explain why so many of them seem to
> > be blissfully unaware that they can have Antiexe (or some other stealth
> > virus) as well as their antivirus.
> >
>
> I've seen others post that McAfee does not detect ANTIEXE. I really don't
> know how you folks are using the software, but you do have to actually run
> the program to detect the virus.

:-)

> We use it where I work, and we do detect
> ANTIEXE from time to time. Of course, you could claim that we don't detect
> all occurrences of it. It is easy to CLAIM anything to be true. If you say
> it long enough and loud enough, somebody will begin to believe you even if it
> is not true.

I believe there are several issues being confused here:

1. McAfee recognizes AntiEXE on diskette.
2. McAfee *for Windows* doesn't scan memory, according to McAfee
folks who should know. The DOS version -does- scan memory.
3. *IF* a stealth virus were active and McAfee *for Windows* were used
to disinfect it, the removal attempt would fail:
A. If the virus stealths MBR reads, then the drive would appear
uninfected.
B. If the virus stealths MBR writes, then the virus would be
untouched.

According to my analysis, AntiEXE does not employ stealth, so I would
expect McAfee to be able to remove AntiEXE from both floppy and hard
drives, WHETHER OR NOT the virus is active in memory; WHETHER OR NOT the
Windows version of McAfee is used. In the general case, however, McAfee
*for Windows* would fail to remove stealth viruses, while the DOS version,
everything else equal, would succeed. (Note that the DOS version might
request that a clean boot be performed; the Windows version wouldn't even
realize that a virus is active in memory.)

I seriously expect that McAfee will implement memory scanning with its
Windows products at the earliest opportunity. As it stands now, though,
one should clean boot and run the DOS version from floppy to disinfect
and, in my opinion, to scan as well. If the machine comes up clean, then
use the pretty Windows version if you like.

-BPB (who would love to be a Maineiac some day)
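To make points 3A and 3B above concrete, here is a small Python model, added here and not code from any poster or product: a resident boot-sector virus that may hook MBR reads (3A) and/or MBR writes (3B), and a scanner that may or may not check memory. The sector layout, signature, stash sector and both "virus" byte strings are constructed stand-ins; they do not describe AntiEXE's real behaviour, which the thread itself disputes.

```python
SECTOR = 32
CLEAN_MBR = b"CLEAN-BOOT-CODE".ljust(SECTOR, b"\x00")     # constructed stand-in
INFECTED_MBR = b"VIRAL-LOADER-XX".ljust(SECTOR, b"\x00")  # constructed stand-in
SIGNATURE = b"VIRAL-LOADER"   # the pattern the modelled scanner looks for
STASH_SECTOR = 7              # where this model keeps the original MBR (assumed)


class Disk:
    """Raw sectors; sector 0 is the MBR. Nothing here can be hooked."""

    def __init__(self):
        self.sectors = {0: CLEAN_MBR}

    def raw_read(self, n):
        return self.sectors.get(n, bytes(SECTOR))

    def raw_write(self, n, data):
        self.sectors[n] = data


class ResidentVirus:
    """The virus while active in memory after booting from the infected disk.
    stealth_reads answers MBR reads with the stashed clean copy (point 3A);
    stealth_writes silently drops MBR writes (point 3B)."""

    def __init__(self, stealth_reads, stealth_writes):
        self.stealth_reads, self.stealth_writes = stealth_reads, stealth_writes

    def read(self, disk, n):
        if self.stealth_reads and n == 0:
            return disk.raw_read(STASH_SECTOR)
        return disk.raw_read(n)

    def write(self, disk, n, data):
        if self.stealth_writes and n == 0:
            return False
        disk.raw_write(n, data)
        return True


def infected_disk():
    """Test fixture: the on-disk state of an already infected drive."""
    d = Disk()
    d.raw_write(STASH_SECTOR, d.raw_read(0))
    d.raw_write(0, INFECTED_MBR)
    return d


class Machine:
    """resident is None after a clean floppy boot, or a ResidentVirus after
    booting from the infected disk; scanner I/O goes through the hook if any."""

    def __init__(self, disk, resident=None):
        self.disk, self.resident = disk, resident

    def read(self, n):
        if self.resident:
            return self.resident.read(self.disk, n)
        return self.disk.raw_read(n)

    def write(self, n, data):
        if self.resident:
            return self.resident.write(self.disk, n, data)
        self.disk.raw_write(n, data)
        return True


def scan(machine, scans_memory):
    """What the scanner reports; scans_memory=False mirrors the Windows
    version as described in the thread, True the DOS version."""
    return {"memory": scans_memory and machine.resident is not None,
            "mbr": SIGNATURE in machine.read(0)}


def repair(machine, scans_memory):
    """Attempt disinfection. The return value is ground truth from the raw
    disk, which the scanner itself cannot see; False is a silent failure."""
    report = scan(machine, scans_memory)
    if report["memory"]:
        return False   # DOS version would demand a clean boot before repairing
    if report["mbr"]:
        machine.write(0, machine.read(STASH_SECTOR))   # put the original back
    return SIGNATURE not in machine.disk.raw_read(0)


def scenarios():
    """Each case -> (memory flagged, MBR flagged, really repaired)."""
    cases = {
        "stealth_active_winscan": (ResidentVirus(True, True), False),
        "write_stealth_only_active_winscan": (ResidentVirus(False, True), False),
        "stealth_active_dosscan": (ResidentVirus(True, True), True),
        "no_stealth_active_winscan": (ResidentVirus(False, False), False),
        "clean_boot_then_scan": (None, False),
    }
    out = {}
    for name, (resident, scans_memory) in cases.items():
        m = Machine(infected_disk(), resident)
        report = scan(m, scans_memory)
        out[name] = (report["memory"], report["mbr"], repair(m, scans_memory))
    return out
```

Only the clean-boot case and the non-stealth case end with a genuinely clean MBR; the read-stealth case reports "clean" while still infected, which is why the post insists on a clean boot before scanning.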

Dr Alan Solomon

May 14, 1996


In article <31975A...@state.me.us>, "Bob Witham Jr." (robert.l....@state.me.us) writes:
>Dr Alan Solomon wrote:
>>
>> Most importantly - have McAfee users been told by the company about it?
>> Because if they haven't, that would explain why so many of them seem to
>> be blissfully unaware that they can have Antiexe (or some other stealth
>> virus) as well as their antivirus.
>>
>
>I've seen others post that McAfee does not detect ANTIEXE. I really don't
>know how you folks are using the software, but you do have to actually run
>the program to detect the virus. We use it where I work, and we do detect
>ANTIEXE from time to time. Of course, you could claim that we don't detect
>all occurrences of it. It is easy to CLAIM anything to be true. If you say
>it long enough and loud enough, somebody will begin to believe you even if it
>is not true.

Arguing about this would be like arguing about how many teeth a horse has.
Let's count the teeth. Could I suggest that someone who doesn't work for a
vendor (to avoid cries of foul) try out the experiment suggested by the
nature of the problem (Antiexe is a stealth MBR virus):

Install Win 95 and Wscan for 95.
Infect a computer with Antiexe.
Run Wscan-95.

Does it detect the virus on the HD, or in memory? Or does it not? I
haven't tried it myself, I've been going on what Ken said. George, you were
going to run W95 tests, weren't you?

Del Crouse

May 14, 1996

"Bob Witham Jr." <robert.l....@state.me.us> wrote:

>Dr Alan Solomon wrote:
>>
>> Most importantly - have McAfee users been told by the company about it?
>> Because if they haven't, that would explain why so many of them seem to
>> be blissfully unaware that they can have Antiexe (or some other stealth
>> virus) as well as their antivirus.
>>

>I've seen others post that McAfee does not detect ANTIEXE. I really don't
>know how you folks are using the software, but you do have to actually run
>the program to detect the virus. We use it where I work, and we do detect
>ANTIEXE from time to time. Of course, you could claim that we don't detect
>all occurrences of it. It is easy to CLAIM anything to be true. If you say
>it long enough and loud enough, somebody will begin to believe you even if it
>is not true.

I'm using McAfee for Win95, and it does detect ANTIEXE. It did so
today on an infected floppy given to me by one of my students. Trouble
is, McAfee would not clean the disk. Any ideas on this? In general,
I've found McAfee to be one of the best in detection, but not so hot
in cleaning/removal, at least in Win95.


Earl Merrifield

May 14, 1996

On Tue, 14 May 1996 00:30:40 GMT, drs...@chartridge.win-uk.net (Dr
Alan Solomon) wrote:

>
>In article <31975A...@state.me.us>, "Bob Witham Jr." (robert.l....@state.me.us) writes:

>>Dr Alan Solomon wrote:
>>>
>>> Most importantly - have McAfee users been told by the company about it?
>>> Because if they haven't, that would explain why so many of them seem to
>>> be blissfully unaware that they can have Antiexe (or some other stealth
>>> virus) as well as their antivirus.
>>>
>>
>>I've seen others post that McAfee does not detect ANTIEXE. I really don't
>>know how you folks are using the software, but you do have to actually run
>>the program to detect the virus. We use it where I work, and we do detect
>>ANTIEXE from time to time. Of course, you could claim that we don't detect
>>all occurrences of it. It is easy to CLAIM anything to be true. If you say
>>it long enough and loud enough, somebody will begin to believe you even if it
>>is not true.
>

>Arguing about this would be like arguing about how many teeth a horse has.
>Let's count the teeth. Could I suggest that someone who doesn't work for a
>vendor (to avoid cries of foul) try out the experiment suggested by the
>nature of the problem (Antiexe is a stealth MBR virus):
>
>Install Win 95 and Wscan for 95.
>Infect a computer with Antiexe.
>Run Wscan-95.
>
>Does it detect the virus on the HD, or in memory? Or does it not? I
>haven't tried it myself, I've been going on what Ken said. George, you were
>going to run W95 tests, weren't you?
>

been there, done it.

I run win95, I have McAfee VirusScan running at startup. Two weeks
ago I put in a disk that I had lying around. Tried to pull up MS
Explorer to see what was on that disk, VirusScan told me it was
infected with the AntiExe virus and asked if I wanted to clean.

I also asked the scanner to check all of the drives that were attached
to my system. All were clean. In all fairness to all, I downloaded
the evaluation version of Dr. Solomon and ran it to see if the McAfee
scanner had missed anything. No other viruses were found.

I don't work for a virus vendor. Competition is good for the
industry. Keeps both sides working to excel. End result is that we,
the consumer, get a better product.

Please don't let competition get out of control. If that happens, it
will be just like the U.S. politics. Everyone pointing fingers saying
how they could have done better, but then they don't.


Graham Cluley

May 14, 1996

b...@stimpy.us.itd.umich.edu writes:

> I believe there are several issues being confused here:
>
> 1. McAfee recognizes AntiEXE on diskette.
> 2. McAfee *for Windows* doesn't scan memory, according to McAfee
> folks who should know. The DOS version -does- scan memory.
> 3. *IF* a stealth virus were active and McAfee *for Windows* were used
> to disinfect it, the removal attempt would fail:
> A. If the virus stealths MBR reads, then the drive would appear
> uninfected.
> B. If the virus stealths MBR writes, then the virus would be
> untouched.

It's worse than that: it's not just that removal would fail but McAfee
for Windows wouldn't tell you you had a virus in the first place. I
haven't tested this (I don't use McAfee) but it sounds like it could be a
problem as there are many viruses which use stealth which would go
undetected by the Windows version.

As Alan says we really need someone independent to test this, or the
chaps at McAfee to confirm before we leap to any conclusions.

Regards
Graham
---
Graham Cluley CompuServe: GO DRSOLOMON
Senior Technology Consultant, UK Support: sup...@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit. US Support: sup...@us.drsolomon.com
Email: gcl...@uk.drsolomon.com UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com USA Tel: +1 617-273-7400
NEW:Evaluate Dr Solomon's FindVirus 7.59! Download it from our webpage

George Wenzel

May 14, 1996

In article <50...@chartridge.win-uk.net>, drs...@chartridge.win-uk.net (Dr
Alan Solomon) wrote:
>Arguing about this would be like arguing about how many teeth a horse has.
>Let's count the teeth. Could I suggest that someone who doesn't work for a
>vendor (to avoid cries of foul) try out the experiment suggested by the
>nature of the problem (Antiexe is a stealth MBR virus):
>
>Install Win 95 and Wscan for 95.
>Infect a computer with Antiexe.
>Run Wscan-95.
>
>Does it detect the virus on the HD, or in memory? Or does it not? I
>haven't tried it myself, I've been going on what Ken said. George, you were
>going to run W95 tests, weren't you?

Indeed... I'm still waiting for Marko to clean up the collection, and the
tests are postponed until I can get a cleaner copy of the test bed (otherwise,
what'd be the point of doing a corrupted test).

Since this isn't really a performance test, I'll rely on F-Prot and FindVirus
to dig up a copy of Anti-Exe out of the current test bed (I'm almost certain
there's one there, but I haven't catalogued the collection yet). I'll
download a copy of Wscan, and see what turns up.

Regards,

George Wenzel

--
George Wenzel <gwe...@gpu.srv.ualberta.ca>
Student of Wado Kai Karate, University of Alberta Karate Club
http://www.ualberta.ca/~gwenzel/

George Wenzel

May 14, 1996

In article <4najkl$p...@pulp.ucs.ualberta.ca>, gwe...@gpu.srv.ualberta.ca (George Wenzel) wrote:
>Indeed... I'm still waiting for Marko to clean up the collection, and the
>tests are postponed until I can get a cleaner copy of the test bed (otherwise,
>what'd be the point of doing a corrupted test).
>
>Since this isn't really a performance test, I'll rely on F-Prot and FindVirus
>to dig up a copy of Anti-Exe out of the current test bed (I'm almost certain
>there's one there, but I haven't catalogued the collection yet). I'll
>download a copy of Wscan, and see what turns up.

Now that I take a closer look at the collection, I have several dozen copies
of AntiCAD (gotta get rid of the duplicates...), but not a single copy of
AntiEXE...

Anybody else have Win95 and a copy of AntiEXE to try this out?

Bruce Burrell

May 14, 1996

Earl Merrifield (ea...@msn.com) wrote:
> On Tue, 14 May 1996 00:30:40 GMT, drs...@chartridge.win-uk.net wrote:
[snip]

> >Arguing about this would be like arguing about how many teeth a horse
> >has. Let's count the teeth. Could I suggest that someone who doesn't
> >work for a vendor (to avoid cries of foul) try out the experiment
> >suggested by the nature of the problem (Antiexe is a stealth MBR virus):

> >Install Win 95 and Wscan for 95.
> >Infect a computer with Antiexe.
> >Run Wscan-95.

> >Does it detect the virus on the HD, or in memory? Or does it not? I
> >haven't tried it myself, I've been going on what Ken said. George, you were
> >going to run W95 tests, weren't you?

> been there, done it.

No you haven't, if the information you provide below is correct.



> I run win95, I have McAfee VirusScan running at startup. Two weeks
> ago I put in a disk that I had lying around. Tried to pull up MS
> Explorer to see what was on that disk, VirusScan told me it was
> infected with the AntiExe virus and asked if I wanted to clean.
>
> I also asked the scanner to check all of the drives that were attached
> to my system. All were clean.

Then YOU DIDN'T INFECT THE COMPUTER. You merely tested it on a
diskette. Different matter entirely.

If George doesn't beat me to it, I'll give it a shot.

-BPB

Bruce Burrell

May 14, 1996

Graham Cluley (ham...@cix.compulink.co.uk) wrote:
> b...@stimpy.us.itd.umich.edu writes:
>
> > I believe there are several issues being confused here:
> >
> > 1. McAfee recognizes AntiEXE on diskette.
> > 2. McAfee *for Windows* doesn't scan memory, according to McAfee
> > folks who should know. The DOS version -does- scan memory.
> > 3. *IF* a stealth virus were active and McAfee *for Windows* were used
> > to disinfect it, the removal attempt would fail:
> > A. If the virus stealths MBR reads, then the drive would appear
> > uninfected.
> > B. If the virus stealths MBR writes, then the virus would be
> > untouched.
>
> It's worse than that, it's not just that removal would fail but McAfee
> for Windows wouldn't tell you you had a virus in the first place.

Um, that's point (3A). Sorry I didn't state it more clearly.

> I haven't tested this (I don't use McAfee) but it sounds like it could
> be a problem as there are many viruses which use stealth which would go
> undetected by the Windows version.

> As Alan says we really need someone independent to test this, or the
> chaps at McAfee to confirm before we leap to any conclusions.

Agreed.

-BPB


Dr Alan Solomon

May 14, 1996


In article <4n8k75$t...@thrush.sover.net>, Del Crouse (wcr...@sover.net) writes:
>"Bob Witham Jr." <robert.l....@state.me.us> wrote:
>
>>Dr Alan Solomon wrote:
>>>
>>> Most importantly - have McAfee users been told by the company about it?
>>> Because if they haven't, that would explain why so many of them seem to
>>> be blissfully unaware that they can have Antiexe (or some other stealth
>>> virus) as well as their antivirus.
>>>
>
>>I've seen others post that McAfee does not detect ANTIEXE. I really don't
>>know how you folks are using the software, but you do have to actually run
>>the program to detect the virus. We use it where I work, and we do detect
>>ANTIEXE from time to time. Of course, you could claim that we don't detect
>>all occurrences of it. It is easy to CLAIM anything to be true. If you say
>>it long enough and loud enough, somebody will begin to believe you even if it
>>is not true.
>
>I'm using McAfee for Win95, and it does detect ANTIEXE. It did so
>today on an infected floppy given to me by one of my students. Trouble
>is, McAfee would not clean the disk. Any ideas on this? In general,
>I've found McAfee to be one of the best in detection, but not so hot
>in cleaning/removal, at least in Win95.
>
I think the issue is whether McAfee 95 can find Antiexe on an infected HD.
To clean your floppies:

Go to an S&S files area (see sig below) and download the evaluation
copy of Findvirus. Cold-boot from a clean Dos disk, and run
FINDVIRUS C: /REPAIR and after a short time, you're clean. Then check
all your floppies. Various other antivirus products would be able to
do the job for you, I should think.

Sandy Perle

May 15, 1996

>been there, done it.

>
>I run win95, I have McAfee VirusScan running at startup. Two weeks
>ago I put in a disk that I had lying around. Tried to pull up MS
>Explorer to see what was on that disk, VirusScan told me it was
>infected with the AntiExe virus and asked if I wanted to clean.
>
>I also asked the scanner to check all of the drives that were attached
>to my system. All were clean. In all fairness to all, I downloaded
>the evaluation version of Dr. Solomon and ran it to see if the McAfee
>scanner had missed anything. No other viruses were found.
>
>I don't work for a virus vendor. Competition is good for the
>industry. Keeps both sides working to excel. End result is that we,
>the consumer, get a better product.
>
>Please don't let competition get out of control. If that happens, it
>will be just like the U.S. politics. Everyone pointing fingers saying
>how they could have done better, but then they don't.
>

As I wrote earlier, a friend of my son brought over a new 3.5" disk
that had been scanned with McAfee ... it was infected with the
antiexe virus. McAfee didn't find it .. Dr. Solomon's did, BEFORE it
ended up on my HD. Enough evidence for me. One detected it, the other
didn't. End of story .. end of comparison.

Graham Cluley

May 15, 1996

Alan Solomon writes:
> In article <31975A...@state.me.us>, "Bob Witham Jr."
> (robert.l....@state.me.us) writes:
> >Dr Alan Solomon wrote:
> >>
> >> Most importantly - have McAfee users been told by the company about it?
> >> Because if they haven't, that would explain why so many of them seem to
> >> be blissfully unaware that they can have Antiexe (or some other stealth
> >> virus) as well as their antivirus.
> >>
> >
> >I've seen others post that McAfee does not detect ANTIEXE. I really don't
> >know how you folks are using the software, but you do have to actually run
> >the program to detect the virus. We use it where I work, and we do detect
> >ANTIEXE from time to time. Of course, you could claim that we don't detect
> >all occurrences of it. It is easy to CLAIM anything to be true. If you say
> >it long enough and loud enough, somebody will begin to believe you even if it
> >is not true.
>
> Arguing about this would be like arguing about how many teeth a horse
> has. Let's count the teeth. Could I suggest that someone who doesn't
> work for a vendor (to avoid cries of foul) try out the experiment
> suggested by the nature of the problem (Antiexe is a stealth MBR virus):
>
> Install Win 95 and Wscan for 95.
> Infect a computer with Antiexe.
> Run Wscan-95.
>
> Does it detect the virus on the HD, or in memory? Or does it not? I
> haven't tried it myself, I've been going on what Ken said. George, you
> were going to run W95 tests, weren't you?

Although a Win95 test would be interesting, I've got a feeling in my
bones that Ken Stieers of Ontrack said it was the Win *3.x* version of
McAfee (not the Win95 version) which didn't scan memory for viruses and
so couldn't deal with stealth viruses.

I think I should go back through my message log and find out exactly what
was said.

Graham Cluley

May 15, 1996

I tested McAfee for Windows 3.x against AntiEXE this afternoon and came
up with some interesting results. However, I'm not independent (and
people may accuse me of being biased or nobbled or just plain
incompetent) so do people want to hear what happened or not?

Or should someone else (who is independent) test McAfee for Windows 3.x
(you can download it from just about everywhere, I got mine from their
CompuServe area) against an AntiEXE hard disk infection?

Graham Cluley

May 15, 1996

Alan Solomon writes:
> In article <DrGGC...@cix.compulink.co.uk>, "Graham Cluley"
> Oh, OK. I could well believe that I got the exact thing wrong. That's
> why it's important that someone test it out.
>
> Ken, is Graham correct?

Well, I played with McAfee for Windows 3.x this afternoon in the labs and
I also played with an AntiEXE hard disk infection. I know what happened
to me, but I'm not independent and people might think I'm a little bit
biased so I'm uncomfortable making a big song and dance about it... and
at least one anti-virus vendor was quoted in the national press the other
day suggesting that established anti-virus companies like S&S should "get
their heads out of their arses and stop talking shit" (you can probably
guess which anti-virus vendor that was... NAME THAT VENDOR!!! :-) )

I think someone independent should have a go and post their results, or
maybe McAfee can have a test.

George Wenzel

May 15, 1996

In article <4nar0s$e...@lastactionhero.rs.itd.umich.edu>, b...@stimpy.us.itd.umich.edu (Bruce Burrell) wrote:
> Then YOU DIDN'T INFECT THE COMPUTER. You merely tested it on a
>diskette. Different matter entirely.
>
> If George doesn't beat me to it, I'll give it a shot.

It's all yours, Bruce... I don't have a copy of AntiExe... I've got quite a
few others, but not a single copy of AntiExe. :-(

Dr Alan Solomon

May 15, 1996

Ken, is Graham correct?

--

Gene Wirchenko

May 16, 1996

ham...@cix.compulink.co.uk ("Graham Cluley") wrote:

[snip]

>Well, I played with McAfee for Windows 3.x this afternoon in the labs and
>I also played with an AntiEXE hard disk infection. I know what happened
>to me, but I'm not independent and people might think I'm a little bit
>biased so I'm uncomfortable making a big song and dance about it... and
>at least one anti-virus vendor was quoted in the national press the other
>day suggesting that established anti-virus companies like S&S should "get
>their heads out of their arses and stop talking shit" (you can probably
>guess which anti-virus vendor that was... NAME THAT VENDOR!!! :-) )

Doren Rosenthal. I knew it! I knew it! That was too easy.
Boy, am I good. Did any of you others get it? I didn't...
Wait a minute. Doren isn't an AV vendor. That WAS too easy.
Who was it?

>I think someone independent should have a go and post their results, or
>maybe McAfee can have a test.

[snip]

Sincerely,

Gene Wirchenko

C Pronunciation Guide:
y=x++; "wye equals ex plus plus semicolon"
x=x++; "ex equals ex doublecross semicolon"


Bob Witham Jr.

May 16, 1996

Sandy Perle wrote:
>
>
> As I wrote earlier, a friend of my son brought over a new 3.5" disk
> that had been scanned with McAfee ... it was infected with the
> antiexe virus. McAfee didn't find it .. Dr. Solomon's did, BEFORE it
> ended up on my HD. Enough evidence for me. One detected it, the other
> didn't. End of story .. end of comparison.
> -----------------------------------------------
> Sandy Perle - Juno Beach, Florida - USA
> http://www.wp.com/54398/home.html
> -----------------------------------------------

As I wrote earlier. We scan all diskettes with McAfee. It finds ANTIEXE.
End of story ... no need for comparison.

Bob Witham Jr.
Info Systems Security Analyst
State of Maine

Dr Alan Solomon

May 16, 1996

In article <4ndcl3$15...@pulp.ucs.ualberta.ca>, George Wenzel (gwe...@gpu.srv.ualberta.ca) writes:
>In article <4nar0s$e...@lastactionhero.rs.itd.umich.edu>, b...@stimpy.us.itd.umich.edu (Bruce Burrell) wrote:
>> Then YOU DIDN'T INFECT THE COMPUTER. You merely tested it on a
>>diskette. Different matter entirely.
>>
>> If George doesn't beat me to it, I'll give it a shot.
>
>It's all yours, Bruce... I don't have a copy of AntiExe... I've got quite a
>few others, but not a single copy of AntiExe. :-(
>
Actually, I think any stealth BSV will do, plus Wscan for Win 3.

Patrick Gosh

May 16, 1996

> I tested McAfee for Windows 3.x against AntiEXE this afternoon
> and came up with some interesting results. However, I'm not
> independent (and people may accuse me of being biased or
> nobbled or just plain incompetent) so do people want to hear
> what happened or not?

> Or should someone else (who is independent) test McAfee for
> Windows 3.x (you can download it from just about everywhere, I
> got mine from their CompuServe area) against an AntiEXE hard
> disk infection?

I have used McAfee for Windows 3.x (v2.2.11 March 14, 1996) to
detect and remove the AntiEXE virus from both floppy disks and
hard disks. On all occasions, the disks were already infected
when I received them. The floppy disks were fine after virus
removal. The computer with the hard disk was another story.
Windows wouldn't run and the DOS Edit command would lock up the
computer. Reinstallation of DOS and Windows did not help. The
hard disk had to be formatted before it would work correctly.
This is odd to me since I don't believe formatting a drive
changes the boot sector or boot record. I thought formatting
simply freed up directory entries and cleaned out the FAT. What
I haven't done is boot from an infected floppy. The only
possible memory resident infection I've seen was the hard disk
mentioned above.

Dr Alan Solomon

May 16, 1996

I think you could both be right. Suppose McAfee finds Antiexe under some
circumstances (e.g., if you use the Dos scanner) but not under others
(e.g., you boot from the hard disk and run the Win 3 scanner, and it
doesn't scan memory, and Antiexe is a stealth virus, so it won't find it
on the HD either).

Could someone, not a vendor, please test this out?
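
To make the two cases above concrete, here is an added toy model in Python (mine, not code from McAfee, S&S or anyone in this thread) of a stealth MBR virus that hooks INT 13h and hands back the saved clean sector: a scanner that only reads the disk on the live, infected system misses it, while a memory scan, or a disk scan after a cold boot from a clean disk, finds it, and the repair step puts the saved sector back. The hidden sector number, the scan string and the MBR bytes are all constructed for the model.

```python
# Added illustration, not code from the thread or from any vendor's product:
# a toy model of a stealth MBR virus and the three ways of looking for it
# that the thread argues about. Sector numbers, scan string and MBR bytes
# are all constructed for the model.
from dataclasses import dataclass, field

SECTOR = 512
HIDDEN_LBA = 13                  # constructed: where the toy virus parks the clean MBR
SIGNATURE = b"TOY-STEALTH-BSV"   # constructed scan string, not a real one

def make_clean_mbr() -> bytes:
    """Constructed MBR: a few bytes of boot code, a dummy partition table, 55AA."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
    table = bytes([0x80, 1, 1, 0, 0x06, 0xfe, 0x3f, 0xff]) + b"\x00" * 56
    return code.ljust(446, b"\x00") + table + b"\x55\xaa"

@dataclass
class Disk:
    sectors: dict = field(default_factory=dict)

    def read(self, lba: int) -> bytes:
        return self.sectors.get(lba, b"\x00" * SECTOR)

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == SECTOR
        self.sectors[lba] = data

class Machine:
    """A running PC: the INT 13h handler chain plus whatever code is resident in RAM."""

    def __init__(self, disk: Disk):
        self.disk = disk
        self.int13 = disk.read   # ROM BIOS handler, end of the chain
        self.memory = []         # resident code blobs a memory scan would inspect

    def boot_from_hd(self) -> None:
        """Load the MBR through INT 13h; the toy virus hooks INT 13h and goes resident."""
        mbr = self.int13(0)
        if SIGNATURE not in mbr:
            return
        rom_handler = self.int13

        def hooked(lba: int) -> bytes:
            # Stealth: any read of sector 0 is redirected to the saved clean copy.
            return rom_handler(HIDDEN_LBA if lba == 0 else lba)

        self.int13 = hooked
        self.memory.append(mbr[:446])

def infect_mbr(disk: Disk) -> None:
    """Save the clean MBR to a spare sector and overwrite sector 0 with the
    toy viral code, keeping the partition table so the disk still works."""
    clean = disk.read(0)
    disk.write(HIDDEN_LBA, clean)
    viral_code = (b"\xeb\x10" + SIGNATURE).ljust(446, b"\x90")
    disk.write(0, viral_code + clean[446:])

def disk_scan(m: Machine) -> bool:
    """What a scanner sees if it only reads sector 0 through INT 13h."""
    return SIGNATURE in m.int13(0)

def memory_scan(m: Machine) -> bool:
    """What a scanner sees if it also looks at resident code."""
    return any(SIGNATURE in blob for blob in m.memory)

def cold_boot_scan(disk: Disk) -> bool:
    """Boot from a clean floppy: a fresh machine, nothing resident, INT 13h unhooked."""
    return disk_scan(Machine(disk))

def cold_boot_repair(disk: Disk) -> bool:
    """After a clean boot, put the saved MBR back (the toy equivalent of a repair)."""
    if not cold_boot_scan(disk):
        return False
    disk.write(0, disk.read(HIDDEN_LBA))
    return True

def run_scenario() -> dict:
    """Infect a disk, boot it live, and compare the three kinds of scan."""
    disk = Disk()
    disk.write(0, make_clean_mbr())
    infect_mbr(disk)
    live = Machine(disk)
    live.boot_from_hd()
    return {
        "live_disk_scan": disk_scan(live),       # False: stealth hides the real MBR
        "live_memory_scan": memory_scan(live),   # True: the resident code is visible
        "cold_boot_scan": cold_boot_scan(disk),  # True: unhooked INT 13h reads sector 0
        "repaired": cold_boot_repair(disk),      # True
        "after_repair": cold_boot_scan(disk),    # False
    }

if __name__ == "__main__":
    for name, found in run_scenario().items():
        print(f"{name:18s} {found}")
```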

Larry Chapman

May 16, 1996

san...@ix.netcom.com (Sandy Perle) wrote:

>As I wrote earlier, a friend of my son brought over a new 3.5" disk
>that had been scanned with McAfee ... it was infected with the
>antiexe virus. McAfee didn't find it .. Dr. Solomon's did, BEFORE it
>ended up on my HD. Enough evidence for me. One detected it, the other
>didn't. End of story .. end of comparison.

I have several versions of McAfee here at work. The 9509 and
the 9602 versions (WIN95) detect antiexe on floppies. The 9602
version (WINNT) also detects it. What Version/OS are you using?

larryc

Graham Cluley

May 16, 1996

> As I wrote earlier. We scan all diskettes with McAfee. It finds
> ANTIEXE. End of story ... no need for comparison.

I don't think anyone's questioned that. The question is about whether
McAfee for Windows 3.x finds AntiEXE on the hard disk, and whether McAfee
for Windows 3.x scans memory for viruses.

Bruce Burrell

May 16, 1996

George Wenzel (gwe...@gpu.srv.ualberta.ca) wrote:
[I wrote, re: testing AntiEXE with McAfee WSCAN]:

> > If George doesn't beat me to it, I'll give it a shot.
>
> It's all yours, Bruce... I don't have a copy of AntiExe... I've got quite a
> few others, but not a single copy of AntiExe. :-(

Done. See posting under a new thread.

-BPB

George Wenzel

May 16, 1996

In article <319B2...@state.me.us>, "Bob Witham Jr." <robert.l....@state.me.us> wrote:
>As I wrote earlier. We scan all diskettes with McAfee. It finds ANTIEXE.
>End of story ... no need for comparison.

Of course, whether McAfee detects AntiExe on a hard drive or in memory is a
different matter. It may detect AntiExe on floppies, but not on the other
media. This also depends on what version of McAfee was used (and what OS is
running).

It'll be interesting to see some independent tests of this (I'd do them, but I
don't have a copy of AntiExe).

Bruce Burrell

May 17, 1996

I wrote:
[snip]


> According to my analysis, AntiEXE does not employ stealth,

[snip]
Oops.

I meant to omit this, after having looked more carefully at my
analysis. As a matter of fact, I thought I *did* remove this section
before posting. Oh, well. <<Sigh>>

AntiEXE does indeed employ stealth.

Graham Cluley pointed out this error to me in private email. Thanks,
Graham!

-BPB

George Wenzel

May 17, 1996

In article <50...@chartridge.win-uk.net>, drs...@chartridge.win-uk.net (Dr Alan Solomon) wrote:
>>> Then YOU DIDN'T INFECT THE COMPUTER. You merely tested it on a
>>>diskette. Different matter entirely.
>>>
>>> If George doesn't beat me to it, I'll give it a shot.
>>
>>It's all yours, Bruce... I don't have a copy of AntiExe... I've got quite a
>>few others, but not a single copy of AntiExe. :-(
>>
>Actually, I think any stealth BSV will do, plus Wscan for Win 3.

Yet another problem.... would it be a fair test to run Wscan for Win3.1 on a
Win95 system?

Bruce P. Burrell

May 17, 1996

George Wenzel (gwe...@gpu.srv.ualberta.ca) wrote:
[Dr. Solly wrote]:


> >Actually, I think any stealth BSV will do, plus Wscan for Win 3.
>
> Yet another problem.... would it be a fair test to run Wscan for Win3.1 on
> a Win95 system?

Well, first of all McAfee has a Win95 product, so that would be pretty
pointless (in my opinion). Second, WSCAN would do better in the Win95
environment because of the 32-bit disk access... AntiEXE and (most?
all?) other memory-resident viruses wouldn't be able to infect
floppies, at least.

SEGMENT SARCASM Para Public 'EXTRA' At 0A000h
db 07h,09h,0dh,0ah,'Except maybe the "dreaded Boza virus".',07h,0dh,0ah,'$'
ENDS SARCASM

WSCAN might not detect it, but it wouldn't spread a stealthed file
infector or floppy BSI either. Of course, Win95 might detect it if the
MBR or DBS were infected; then folks who read the manual would know to
disinfect with the DOS version.

All in all, I suspect WSCAN would perform better in the Win95
environment, but the Win95 version of McAfee is probably better suited.
Another test; another day.

-BPB


Donkey

May 17, 1996

On Tue, 14 May 96 21:09:32 GMT, Iolo Davidson <io...@mist.demon.co.uk>
wrote:

>In article <319888f0...@news.primenet.com>
> ea...@msn.com "Earl Merrifield" writes:
>
>> Please don't let competition get out of control. If that happens, it
>> will be just like the U.S. politics. Everyone pointing fingers saying
>> how they could have done better, but then they don't.
>
>Only in the USA, eh?
>
>--
>SOAPS TURN JOLLY GENTS
> THAT IRRITATE TO JITTERBUGS
> THEIR MUGS Burma-Shave


I got hit by the antiEXE virus a while ago. I did not run a virus
scan for some time and when I started up Win95 it told me that my MBR
had been tampered with. So, crossing my fingers, I ran NortonAV and
sure enough I had the antiEXE virus. I booted off a clean disk and
Norton had it clean in 1 min.....
The funny thing is that I could not figure out where I got it, even though I
have a good idea where. I scanned my drives with multiple scanners and
it came up clean. About 2 weeks before I detected it, I took a copy
of a program off my school's LAN and ran it, my bud did the same (did
not copy the disk but copied it off the LAN as well as far as I can
remember). I then got the virus and cleaned it. 2 days after I cleaned
it, I told him and he scanned and found it as well... Did the virus come
from the file off the LAN? He has no access to the net or any online
service so he is not putting new programs on his computer often.

Donkey


DOS never says "Excellent command or file name"

Mark Lookabaugh

May 18, 1996

In article <4ng684$4...@amber.ora.com>, lar...@ora.com (Larry Chapman)
wrote:

The point that was originally made was that McAfee for Windows is not able
to check *memory* for stealth viruses, and therefore would not be able to
identify them or clean them. I have no doubt that the software can detect
it on a disk when the system is not infected. (Shooting fish in a barrel
is easy, I would imagine.)

Seems to me that a rather well respected person tested this out recently,
but was reluctant to post the results. The group is still waiting for an
independent researcher to confirm this problem with the software.

Don't suppose that Mr. Kuo is following this thread with much interest.
I'm sure he is far too busy with upgrades...


Mark Lookabaugh

Dr Alan Solomon

May 18, 1996

It sounds to me like you might still have Antiexe on your HD. Go to an S&S
files area (see the sig below) and download the evaluation copy of
Findvirus. Cold-boot from a clean Dos disk and run FINDVIRUS C: to scan
the drive. Other antivirus products can also detect this virus.

Dr Alan Solomon

May 18, 1996

In article <>, "Bruce P. Burrell" (b...@umich.edu) writes:
>
>George Wenzel (gwe...@gpu.srv.ualberta.ca) wrote:
>[Dr. Solly wrote]:
>> >Actually, I think any stealth BSV will do, plus Wscan for Win 3.
>>
>> Yet another problem.... would it be a fair test to run Wscan for Win3.1 on
>> a Win95 system?
>
> Well, first of all McAfee has a Win95 product, so that would be pretty
>pointless (in my opinion). Second, WSCAN would do better in the Win95
>environment because of the 32-bit disk access... AntiEXE and (most?
>all?) other memory-resident viruses wouldn't be able to infect
>floppies, at least.

I'm afraid you're partly right and partly wrong, Bruce. When you infect an
HD with an MBR virus, Win 95 says "Oo, there's something using int 13,
might be important, I'd better not use 32 bit disk access (32 BDA)." So it
uses 16 BDA, and tells the user this. The message even suggests a virus. But
you only get that message once, and after that, Win 95 uses 16 BDA, and a
lot of viruses work just fine. David Emm did some research on this - David,
could you post your findings? And could we put that article up on the S&S
web site?

>WSCAN might not detect it, but it wouldn't spread a stealthed file
>infector or floppy BSI either. Of course, Win95 might detect it if the
>MBR or DBS were infected; then folks who read the manual would know to
>disinfect with the DOS version.

But the virus would spread, see above.

>All in all, I suspect WSCAN would perform better in the Win95
>environment, but the Win95 version of McAfee is probably better suited.
>Another test; another day.

Meanwhile, I wonder how many people run McAfee WSCAN for Win 3 on
their hard disk every day and at the end of it think they're clean?

Dr Alan Solomon

May 18, 1996

In article <4njmo9$i...@insosf1.netins.net>, Chris Feldhacker (bon...@netins.net) writes:
>>Now that I take a closer look at the collection, I have several dozen
>>copies of AntiCAD (gotta get rid of the duplicates...), but not a single
>>copy of AntiEXE...
>>
>>Anybody else have Win95 and a copy of AntiEXE to try this out?
>
>I think I meet those criteria. What exactly is it you want done?
>
>
>(Just what is Antiexe designed to do?)

Please, don't try out viruses except on a computer you don't have any
important data on. Antiexe is designed to find a certain EXE file and
patch it. We don't know which file, it isn't searching using a filename.

Anyway, we've established that the non-detection problem is with the Win 3
version of McAfee.

Chris Feldhacker

May 18, 1996

>Now that I take a closer look at the collection, I have several dozen
>copies of AntiCAD (gotta get rid of the duplicates...), but not a single
>copy of AntiEXE...
>
>Anybody else have Win95 and a copy of AntiEXE to try this out?

I think I meet those criteria. What exactly is it you want done?


(Just what is Antiexe designed to do?)

--
Chris Feldhacker
E-mail: bon...@netins.net
Location: Spencer, IA


Bruce P. Burrell

May 18, 1996

Dr Alan Solomon (drs...@chartridge.win-uk.net) wrote:

> In article <>, "Bruce P. Burrell" (b...@umich.edu) writes:

> >George Wenzel (gwe...@gpu.srv.ualberta.ca) wrote:
> >[Dr. Solly wrote]:
> >> >Actually, I think any stealth BSV will do, plus Wscan for Win 3.

> >> Yet another problem.... would it be a fair test to run Wscan for Win3.1
> >> on a Win95 system?

> > Well, first of all McAfee has a Win95 product, so that would be pretty
> >pointless (in my opinion). Second, WSCAN would do better in the Win95
> >environment because of the 32-bit disk access... AntiEXE and (most?
> >all?) other memory-resident viruses wouldn't be able to infect
> >floppies, at least.

> I'm afraid you're partly right and partly wrong, Bruce. When you infect an
> HD with an MBR virus, Win 95 says "Oo, there's something using int 13,
> might be important, I'd better not use 32 bit disk access (32 BDA)." So it
> uses 16 BDA, and tells the user this. The message even suggests a virus.

This much I knew.

> But you only get that message once,

But this I didn't. Thanks!

> and after that, Win 95 uses 16 BDA, and a
> lot of viruses work just fine. David Emm did some research on this - David,
> could you post your findings? And could we put that article up on the S&S
> web site?

Yes, David; please do.


> >WSCAN might not detect it, but it wouldn't spread a stealthed file
> >infector or floppy BSI either. Of course, Win95 might detect it if the
> >MBR or DBS were infected; then folks who read the manual would know to
> >disinfect with the DOS version.

> But the virus would spread, see above.

Ok, but given that the Win95 version is also available for anonymous
ftp, I hope you'll agree that the real issues become:

1. Do McAfee Associates recommend that Win95 users upgrade to the
Win95 version of SCAN? If so, this is roughly equivalent to
suggesting that users keep their AV software current.
2. Does the Win95 version of SCAN scan memory or in some other way
subvert stealth?

If the answer is "yes" to both, then the behavior of WSCAN under Win95
is essentially moot. It's akin to using Disinfectant on a DOS platform,
though to a lesser degree.

> >All in all, I suspect WSCAN would perform better in the Win95
> >environment, but the Win95 version of McAfee is probably better suited.
> >Another test; another day.

> Meanwhile, I wonder how many people run McAfee WSCAN for Win 3 on
> their hard disk every day and at the end of it think they're clean?

...but THIS point is far from moot; I agree.

-BPB

Dr Alan Solomon

May 19, 1996

In article <4njldf$b...@zoom2.telepath.com>, Mark Lookabaugh (mloo...@telepath.com) writes:
>
>Seems to me that a rather well respected person tested this out recently,
>but was reluctant to post the results. The group is still waiting for an
>independent researcher to confirm this problem with the software.

Bruce Burrell has already done it - maybe that article hasn't reached
your server yet?

>Don't suppose that Mr. Kuo is following this thread with much interest.
>I'm sure he is far to busy with upgrades...

To be fair to Mr Kuo, technical support isn't his job function.

Dr Alan Solomon

May 19, 1996

In article <4nifgl$2e...@pulp.ucs.ualberta.ca>, George Wenzel (gwe...@gpu.srv.ualberta.ca) writes:
>In article <50...@chartridge.win-uk.net>, drs...@chartridge.win-uk.net (Dr Alan Solomon) wrote:
>>>> Then YOU DIDN'T INFECT THE COMPUTER. You merely tested it on a
>>>>diskette. Different matter entirely.
>>>>
>>>> If George doesn't beat me to it, I'll give it a shot.
>>>
>>>It's all yours, Bruce... I don't have a copy of AntiExe... I've got quite a
>>>few others, but not a single copy of AntiExe. :-(

>>>
>>Actually, I think any stealth BSV will do, plus Wscan for Win 3.
>
>Yet another problem.... would it be a fair test to run Wscan for Win3.1 on a
>Win95 system?

No, I don't think it would be fair. McAfee sell a Win3 and a Win 95 version
(I think it's combined in one package). So, unless the installer
habitually gets things wrong (which I don't think it does) then that would
be a poor test, IMHO.

Dr Alan Solomon

May 19, 1996

In article <319cdb5...@news.rogerswave.ca>, Donkey (don...@rogerswave.ca) writes:
>
>I got hit by the antiEXE virus a while ago. I did not run a virus
>scan for some time and when I started up Win95 it told me that my MBR
>had been tampered with. So, crossing my fingers, I ran NortonAV and
>sure enough I had the antiEXE virus. I booted off a clean disk and
>Norton had it clean in 1 min.....
>The funny thing is that I could not figure out where I got it, even though I
>have a good idea where. I scanned my drives with multiple scanners and
>it came up clean. About 2 weeks before I detected it, I took a copy
>of a program off my school's LAN and ran it, my bud did the same (did
>not copy the disk but copied it off the LAN as well as far as I can
>remember). I then got the virus and cleaned it. 2 days after I cleaned
>it, I told him and he scanned and found it as well... Did the virus come
>from the file off the LAN? He has no access to the net or any online
>service so he is not putting new programs on his computer often.
>
You get boot sector viruses by having an infected floppy in drive A when
you start up the computer, whether it's bootable or not. That's the only
way that people get boot sector viruses. Files aren't the way they can
spread.

George Wenzel

May 20, 1996

In article <832501...@mist.demon.co.uk>, io...@mist.demon.co.uk wrote:
>Somewhere you have a floppy dish infected with this virus.

I don't usually point out spelling mistakes, but viral dinner pieces just have
to be recognized. :-)

Do I have to worry about my forks and knives being infected if they come in
contact with the floppy dish? 8-)

Bruce Burrell

May 20, 1996

Iolo Davidson (io...@mist.demon.co.uk) wrote:
> In article <319cdb5...@news.rogerswave.ca>

> don...@rogerswave.ca "Donkey" writes:
>
> > I got hit by the antiEXE virus a while ago.
>
> > Did the virus come form the file off the LAN?
>
> AntiEXE is a boot/partition sector virus. You catch it by
> booting or attempting to boot from an infected floppy. Files
> copied from other computers don't have anything to do with it,
> but the floppy you copy the files onto would get infected (in the
> boot sector) if the other computer has the virus.

>
> Somewhere you have a floppy dish infected with this virus.
^^^^
So THAT's why all the antivirus experts recommend booting from a
-clean- floppy; without it, one would get food scraps in the A: drive.

Ick.

Make a pretty good environment for a virus to grow, whether or not it's
a cultured one.

-BPB

pp00...@interramp.com

May 20, 1996

In article <4nqimn$b...@pulp.ucs.ualberta.ca>,

> >Somewhere you have a floppy dish infected with this virus.
>
> I don't usually point out spelling mistakes, but viral dinner pieces
> just have to be recognized. :-)
>
> Do I have to worry about my forks and knives being infected if they come
> in contact with the floppy dish? 8-)
>

Possibly... if your fork DID become infected could we say you were then
forked???

dlc


Graham Cluley

May 21, 1996

Bruce Burrell writes:

> Alan Solomon wrote:
> > and after that, Win 95 uses 16 BDA, and a
> > lot of viruses work just fine. David Emm did some research on this -
> > David, could you post your findings? And could we put that article up
> > on the S&S web site?
>
> Yes, David; please do.

I believe it's already there in the technical papers section. It's
certainly going into the next issue of "Dr Solomon's Virus Report". I'm
sure if there's anyone who wants a copy of David's report who can't find
it on our website he'll be happy to email them a copy (email:
davi...@uk.drsolomon.com) and say you want his "Win95 and viruses"
report.

Graham Cluley

May 24, 1996

ge...@mindlink.bc.ca writes:
> ham...@cix.compulink.co.uk ("Graham Cluley") wrote:
>
> [snip]
>
> > Well, I played with McAfee for Windows 3.x this afternoon in
> > the labs and I also played with an AntiEXE hard disk infection.
> > I know what happened to me, but I'm not independent and people
> > might think I'm a little bit biased so I'm uncomfortable making
> > a big song and dance about it... and at least one anti-virus
> > vendor was quoted in the national press the other day
> > suggesting that established anti-virus companies like S&S
> > should "get their heads out of their arses and stop talking
> > shit" (you can probably guess which anti-virus vendor that
> > was... NAME THAT VENDOR!!! :-) )
>
> Doren Rosenthal. I knew it! I knew it! That was too easy.
> Boy, am I good. Did any of you others get it? I didn't...
> Wait a minute. Doren isn't an AV vendor. That WAS too easy.
> Who was it?

Have another guess... too difficult? Okay, here's a clue: When they had
their product reviewed in Virus Bulletin they described the review and
reviewer as "petty", "a farce", "plain deception", "deliberate
nit-picking", "an insult", "plain rubbish", "underestimating the users'
intelligence", "a sad joke", "hype", "arrogant", "plain malice",
"deceptive", "inflated sense of false-importance and (false) expertise",
"garbage", "pompous", "lacking in professional etiquette and courtesy".

And they summed up: "Their motive was simple: To kill xxxxxxxxxx as a
viable competitor to their own conceptually outdated product before it
became a real threat to the established and entrenched AV industry, and
probably to the very existence and need for a publication like the
Bulletin."

NAME THAT VENDOR!!!

> >I think someone independent should have a go and post their results,
> > or maybe McAfee can have a test.

George Wenzel

May 24, 1996

In article <DrwL...@cix.compulink.co.uk>, san...@cix.compulink.co.uk ("Graham Cluley") wrote:
>Have another guess... too difficult? Okay, here's a clue: When they had
>their product reviewed in Virus Bulletin they described the review and
>reviewer as "petty", "a farce", "plain deception", "deliberate
>nit-picking", "an insult", "plain rubbish", "underestimating the users'
>intelligence", "a sad joke", "hype", "arrogant", "plain malice",
>"deceptive", "inflated sense of false-importance and (false) expertise",
>"garbage", "pompous", "lacking in professional etiquette and courtesy".
>
>And they summed up: "Their motive was simple: To kill xxxxxxxxxx as a
>viable competitor to their own conceptually outdated product before it
>became a real threat to the established and entrenched AV industry, and
>probably to the very existence and need for a publication like the
>Bulletin."
>
>NAME THAT VENDOR!!!

I'd say it's Netz computing, makers of InVircible. Do I get another pair of
socks? A T-Shirt? What's the prize?

I think one of the vendors should have 'Just say NO! To FDISK/MBR' printed on
a T-Shirt. It'd make a spiffy marketing gimmick. :-)

pp00...@interramp.com

May 24, 1996

writes:


> Have another guess... too difficult? Okay, here's a clue: When they
> had their product reviewed in Virus Bulletin they described the review and
> reviewer as "petty", "a farce", "plain deception", "deliberate
> nit-picking", "an insult", "plain rubbish", "underestimating the users'
> intelligence", "a sad joke", "hype", "arrogant", "plain malice",
> "deceptive", "inflated sense of false-importance and (false) expertise",
> "garbage", "pompous", "lacking in professional etiquette and courtesy".
>
> And they summed up: "Their motive was simple: To kill xxxxxxxxxx as a
> viable competitor to their own conceptually outdated product before it
> became a real threat to the established and entrenched AV industry, and
> probably to the very existence and need for a publication like the
> Bulletin."
>
> NAME THAT VENDOR!!!


Was it Zvi??????????????????????????????????????


Graham Cluley

May 25, 1996

Well done. Send me your snail mail address by private email to
gcl...@uk.drsolomon.com and I'll arrange for the Dr Solomon's socks to
be whisked off to you.

Regards
Graham
---
Graham Cluley CompuServe: GO DRSOLOMON
Senior Technology Consultant, UK Support: sup...@uk.drsolomon.com
Dr Solomon's Anti-Virus Toolkit. US Support: sup...@us.drsolomon.com
Email: gcl...@uk.drsolomon.com UK Tel: +44 (0)1296 318700
Web: http://www.drsolomon.com USA Tel: +1 617-273-7400

NEW:Evaluate Dr Solomon's FindVirus 7.60! Download it from our webpage

George Wenzel

May 25, 1996

>> > NAME THAT VENDOR!!!
>>
>>
>> Was it Zvi??????????????????????????????????????
>
>Well done. Send me your snail mail address by private email to
>gcl...@uk.drsolomon.com and I'll arrange for the Dr Solomon's socks to
>be whisked off to you.

I'd contest the ruling. Zvi is not a vendor, he's a person that runs a
vendor. NetZ computing is the vendor, as I posted. :-)

Regards,

George Wenzel
(who just loves Dr. Solomon's comfy socks)

Graham Cluley

May 26, 1996

George Wenzel writes:
> >> > NAME THAT VENDOR!!!
> >>
> >>
> >> Was it Zvi??????????????????????????????????????
> >
> >Well done. Send me your snail mail address by private email to
> >gcl...@uk.drsolomon.com and I'll arrange for the Dr Solomon's socks to
> >be whisked off to you.
>
> I'd contest the ruling. Zvi is not a vendor, he's a person that runs a
> vendor. NetZ computing is the vendor, as I posted. :-)

You're correct George, but your entry to the competition has not yet
reached my newsserver! The guy who said "Zvi" was the first answer which
reached me. :-( Anyway, haven't you got a pair of socks already?

pp00...@interramp.com

May 26, 1996

> George Wenzel writes:
> > >> > NAME THAT VENDOR!!!
> > >>
> > >>
> > >> Was it Zvi??????????????????????????????????????
> > >
> > >Well done. Send me your snail mail address by private email to
> > >gcl...@uk.drsolomon.com and I'll arrange for the Dr Solomon's socks to
> > >be whisked off to you.
> >
> > I'd contest the ruling. Zvi is not a vendor, he's a person that runs a
> > vendor. NetZ computing is the vendor, as I posted. :-)


George,

I contest your contesting ;-)

Webster defines a vendor as "one that vends: seller". Zvi may run the
company, but he's selling too.

Cheers,

DLC


George Wenzel

May 26, 1996

In article <Ds094...@cix.compulink.co.uk>, ham...@cix.compulink.co.uk ("Graham Cluley") wrote:
>You're correct George, but your entry to the competition has not yet
>reached my newsserver! The guy who said "Zvi" was the first answer which
>reached me. :-( Anyway, haven't you got a pair of socks already?

That's because your news server has a 2 day lag to mine. :-(

Yes, I've got a pair of socks, but they're SO comfortable. :-)

I guess I'll just have to track you guys down at a show.

Regards,

George Wenzel

George Wenzel

May 26, 1996

> > > I'd contest the ruling. Zvi is not a vendor, he's a person that runs a
> > > vendor. NetZ computing is the vendor, as I posted. :-)

> I contest your contesting ;-)
>

OK... It's just that those socks are so soft and comfy. :-)

Regards,

George Wenzel
(who should have mailed the reply, knowing it'd take forever to get across
to Graham's server)

Graham Cluley

May 27, 1996

> I got hit by the antiEXE virus a while ago. I did not run a virus
> scan for some time and when I started up Win95 it told me that my MBR
> had been tampered with. So, crossing my fingers, I ran NortonAV and
> sure enough I had the antiEXE virus. I booted off a clean disk and
> Norton had it clean in 1 min.....
> The funny thing is that I could not figure out where I got it, even though I
> have a good idea where. I scanned my drives with multiple scanners and
> it came up clean. About 2 weeks before I detected it, I took a copy
> of a program off my school's LAN and ran it, my bud did the same (did
> not copy the disk but copied it off the LAN as well as far as I can
> remember). I then got the virus and cleaned it. 2 days after I cleaned
> it, I told him and he scanned and found it as well... Did the virus come
> from the file off the LAN? He has no access to the net or any online
> service so he is not putting new programs on his computer often.

You catch AntiEXE by booting (or attempting to boot) off an infected
floppy disk. Ever seen the message "Non system disk or disk error" when
you leave a floppy in the A: drive? You don't catch this virus by
executing a file.

One way to help prevent infection from a boot sector virus like AntiEXE
is to run an anti-virus VxD under Win95. Dr Solomon's Anti-Virus Toolkit
for Windows 95 includes one called Dr Solomon's WinGuard. It intercepts
every disk you access and warns you if it contains a boot sector virus.
Of course, it stops file and macro viruses as well.

Here's a description of AntiEXE from Dr Solomon's:

AntiEXE

Aliases: NewBug, D3

Type: Memory-resident boot and partition sector virus.

Affects: Write-enabled hard and floppy disks if the computer is booted
from an infected (not necessarily bootable) floppy. Some EXE files.

File Growth: N/A

Description
This boot and partition sector virus infects the hard disk when booted
from an infected floppy. Diskettes are infected on read access (eg. DIR
command).

When a certain (unknown as yet) EXE file is being executed or read from a
disk (eg. using the COPY command) the virus patches the first byte of the
in-memory file image, thus causing unpredictable errors. In most cases
the computer hangs.

Good anti-virus products like Dr Solomon's can easily detect, intercept
and clean-up this virus.
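The Win95 "MBR has been tampered with" warning mentioned in the quoted post is a baseline integrity check on the master boot record. As an added example (not code from any post, product or vendor in this thread), this Python snippet shows how such a check works: it fingerprints the boot-code region of a 512-byte MBR, parses the partition table, and flags a copy whose boot code has been overwritten, which is the kind of change a boot-sector infector makes. Both sector images are constructed sample data, not real disk contents.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR / boot sector
TABLE_OFFSET = 446             # boot code is bytes 0..445, then 4 x 16-byte partition entries

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, the four partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"code": sector[:TABLE_OFFSET], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def baseline(sector: bytes) -> str:
    """Fingerprint of the boot-code region only: a boot-sector virus overwrites this part."""
    return hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()

def check_mbr(sector: bytes, known_hash: str) -> list:
    """Return findings; an empty list means the MBR still matches the stored baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if baseline(sector) != known_hash:
        findings.append("boot code differs from baseline")
    return findings

def make_clean_mbr() -> bytes:
    """Constructed sample MBR: a 'jmp $' stub as boot code plus one FAT16 partition entry."""
    code = b"\xEB\xFE" + b"\x90" * (TABLE_OFFSET - 2)   # stand-in, not real boot code
    table = bytearray(64)
    table[0], table[4] = 0x80, 0x06                       # bootable flag, type 0x06 = FAT16
    struct.pack_into("<II", table, 8, 63, 1_000_000)      # LBA start, sector count
    return code + bytes(table) + BOOT_SIGNATURE

CLEAN = make_clean_mbr()
BASELINE = baseline(CLEAN)   # what a tamper check records while the disk is known clean
# Constructed "tampered" copy: boot code replaced, partition table and signature intact,
# which is the shape of change a boot-sector infector leaves behind.
TAMPERED = b"\xCC" * TABLE_OFFSET + CLEAN[TABLE_OFFSET:]
```

`check_mbr(CLEAN, BASELINE)` returns an empty list while `check_mbr(TAMPERED, BASELINE)` reports the boot-code mismatch; a real monitor would read sector 0 of the physical disk instead of the constructed sample.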

Todd Andrews

May 28, 1996

ham...@cix.compulink.co.uk ("Graham Cluley") spake thusly:

|> I got hit by the antiEXE virus a while ago.

<snip>


|> The funny thing is that I could not figure out where I got it, even though I
|> have a good idea where.

<snip>

|You catch AntiEXE by booting (or attempting to boot) off an infected
|floppy disk. Ever seen the message "Non system disk or disk error" when
|you leave a floppy in the A: drive? You don't catch this virus by
|executing a file.

I was at a friend's place a while back, and we were going to install a
program on his win 3.1 box. Previously, I had told him about f-prot's
virstop TSR, and he had installed it. (Not a plug, just what
happened).

So in windows File|run|a:/install.exe, or setup, or whatever it was
called, caused the virstop tsr to flash through windows from dos,
accompanied with beeps telling us the disk was infected.

Turned out to be the antiexe virus, but we did not boot from this
disk, it was a simple installation procedure.
Any thoughts on this?

A further query:
In the virus list, this virus was described as affecting a specific
byte size file. I have been curious since as to why it is so targeted.
Shareware competitors?

cheers,

Todd Andrews
tand...@atcon.com
http://www.atcon.com/~tandrews
Short sigs are the sweetest.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Dr Alan Solomon

May 28, 1996


In article <4oe3tf$q...@thor.atcon.com>, Todd Andrews (tand...@atcon.com) writes:
>ham...@cix.compulink.co.uk ("Graham Cluley") spake thusly:
>
>I was at a friend's place a while back, and we were going to install a
>program on his win 3.1 box. Previously, I had told him about f-prot's
>virstop TSR, and he had installed it. (Not a plug, just what
>happened).

That's the kind of reason why I think on-access scanning is the way to go.

Have you checked the computer that disk came from? And if it was a Win 3.1
computer, *don't* use WSCAN to check it, it's been discovered that WSCAN
can't detect that virus if it's on the hard disk. Either use Scan for
Dos, or some other product.

>So in windows File|run|a:/install.exe, or setup, or whatever it was
>called, caused the virstop tsr to flash through windows from dos,
>accompanied with beeps telling us the disk was infected.
>
>Turned out to be the antiexe virus, but we did not boot from this
>disk, it was a simple installation procedure.
>Any thoughts on this?

Infected floppy, happens all the time, not a problem. That's what a virus
incident *should* be like. No muss, no fuss.

>
>A further query:
>In the virus list, this virus was described as affecting a specific
>byte size file. I have been curious since as to why it is so targeted.
>Shareware competitors?

We don't know what the target file is. But maybe a disgruntled employee?


--
Dr Alan Solomon, Chairman of AuthenTec Data Recovery

Personal address: drs...@ibmpcug.co.uk http://www.ibmpcug.co.uk/~drsolly
Here's how to contact S&S, the people who sell Dr Solomon's Antivirus:


US tel (617) 273 7400 UK tel +44 1296 318700
Files: http://www.drsolomon.com CIS: GO DRSOLOMON AOL: VIRUS

Email: sup...@drsolomon.com CIS: 101377,3677 AOL: DrASolly

Todd Andrews

May 29, 1996

drs...@chartridge.win-uk.net (Dr Alan Solomon) spake thusly:

|>Previously, I had told him about f-prot's
|>virstop TSR, and he had installed it. (Not a plug, just what
|>happened).

|That's the kind of reason why I think on-access scanning is the way to go.

I hear you here!

|Have you checked the computer that disk came from? And if it was a Win 3.1
|computer, *don't* use WSCAN to check it, it's been discovered that WSCAN
|can't detect that virus if it's on the hard disk. Either use Scan for
|Dos, or some other product.

There were three disks total, with only the first infected.
The source of infection was before the time I had the disks, I believe.
A gift of a commercial product, which had been used, so...?

|>Turned out to be the antiexe virus, but we did not boot from this
|>disk, it was a simple installation procedure.
|>Any thoughts on this?

|Infected floppy, happens all the time, not a problem. That's what a virus
|incident *should* be like. No muss, no fuss.

We all wish it were this easy, but it instilled a little faith in a
scanner. I had been lucky not to see such a bug previously.
I recall seeing a post and/or online virus info, that detailed the
fact that antiexe could not infect without an attempted boot from an
infected floppy. I now have synaptic proof that is a cart of meadow
muffins, but your post is the first I have read in support of this.

|>A further query:
|>In the virus list, this virus was described as affecting a specific
|>byte size file. I have been curious since as to why it is so targeted.
|>Shareware competitors?

|We don't know what the target file is. But maybe a disgruntled employee?

As an aside:
Have you ever met a "gruntled" employee....?
