[comp.os.msdos.apps] Virus Utility????

sardana@remus.rutgers.edu (Sandeep Sardana) (03/20/91)

Hi! Netters,

	I'm looking for a virus utility that scans the entire 
data space (all file formats) for an msdos PC. I currently have
a utility that'll only scan .EXE & .COM files.
	Any suggestions?
Thanks
Sandeep Sardana

CTuna@cup.portal.com (Don S Gladden) (03/20/91)

I use SCANv75 By McAfee (sp?)  It checks system RAM, and all files on
the drive.  Not sure where you can FTP it, but it's prolly out there
somewhere.  :D

     //////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
     I   Don Gladden              **   ------------------------   I
     I   CTUNA@cup.portal.com     **   "Sex  is like pizza"....   I
     I   CTUNA on Q-Link          **    when  it's  good,  it's   I
     I   Co-author of IMAGE BBS   **    GREAT... when it's bad,   I
     I   for the  Commodore 64!   **    it's STILL pretty good!   I
     \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\///////////////////////////

esl1_ltd@uhura.cc.rochester.edu (Eric Lambert) (03/20/91)

In article <Mar.19.17.59.25.1991.3838@remus.rutgers.edu> sardana@remus.rutgers.edu (Sandeep Sardana) writes:
>	I'm looking for a virus utility that scans the entire 
>data space (all file formats) for an msdos PC. I currently have
>a utility that'll only scan .EXE & .COM files.
>	Any suggestions?
>Thanks
>Sandeep Sardana

SCAN has an option to allow you to scan all files.  It describes how you
can do this in the documentation.  This is an excellent program, part of
a three-part group -- SCAN, CLEAN, and VSHIELD.  It is available for FTP
at many sites...if you can't find it, let me know and I'll send you an IP
address (as soon as I can dig one out.)

Hope this helps.

  =-= Eric (esl1_ltd@uhura.cc.rochester.edu) =-=

ts@uwasa.fi (Timo Salmi) (03/21/91)

In article <Mar.19.17.59.25.1991.3838@remus.rutgers.edu> sardana@remus.rutgers.edu (Sandeep Sardana) writes:
>
>	I'm looking for a virus utility that scans the entire 
>data space (all file formats) for an msdos PC. I currently have
>a utility that'll only scan .EXE & .COM files.

/pc/pd2/scanv75.zip, with the proper switches on, is the obvious
choice.

...................................................................
Prof. Timo Salmi        
Moderating at garbo.uwasa.fi anonymous ftp archives 128.214.12.37
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi Funet: gado::salmi Bitnet: salmi@finfun

tporczyk@na.excelan.com (Tony Porczyk) (03/21/91)

Date: Thu, 21 Mar 1991 00:29:19 GMT

In article <40372@cup.portal.com> CTuna@cup.portal.com (Don S Gladden) writes:
>I use SCANv75 By McAfee (sp?)  It checks system RAM, and all files on
>the drive.  Not sure where you can FTP it, but it's prolly out there
>somewhere.  :D

Oops... I don't know how you use it, but SCAN only scans executable files
(.com, .exe, .ovr, ...). If you want the latest SCAN and CLEAN (absolutely
great), you can download it from their Electronic Board, number 408-988-4004.

Good luck,

Tony

yev_g@athena.mit.edu (Yevgeny Gurevich) (03/22/91)

In article <1991Mar21.002919.27477@novell.com> tporczyk@na.excelan.com (Tony Porczyk) writes:
>The News Manager)
>Nntp-Posting-Host: na
>Reply-To: tporczyk@na.excelan.com (Tony Porczyk)
>Organization: Standard Disclaimer
>References: <Mar.19.17.59.25.1991.3838@remus.rutgers.edu> <40372@cup.portal.com>
>Oops... I don't know how you use it, but SCAN only scans executable files
>(.com, .exe, .ovr, ...). If you want the latest SCAN and CLEAN (absolutely
>great), you can download it from their Electronic Board, number 408-988-4004.
>
>Good luck,
>
>Tony
>
>

Just type SCAN C: /a if you wanted to scan all of the files on your C
partition.
Read the accompanying .DOC file for more information on the program and
all of the command-line switches.

[============================================================================]
[ Yevgeny Gurevich        | yev_g@athena.mit.edu        \.\...]...........// ]
[ 500 Memorial Drive      |                              \.\..]..........//  ]
[ Cambridge, Mass. 02139  |                               \.\.].........//   ]
[ ========================|                                \.\]__......//    ]
[ "Tech is Hell!"                                           |.]__\..../|     ]
[===========================================================|.]...\../.|=====]
                                                            |_]____\/__|

roy%cybrspc@cs.umn.edu (Roy M. Silvernail) (03/22/91)

sardana@remus.rutgers.edu (Sandeep Sardana) writes:

> 
> Hi! Netters,
> 
> 	I'm looking for a virus utility that scans the entire 
> data space (all file formats) for an msdos PC. I currently have
> a utility that'll only scan .EXE & .COM files.

McAfee's SCAN will scan .COM, .EXE, .SYS and .OV? files for you, as well
as your boot sector. Beyond those types, scanning is of little value, since a
virus must be executed to do any damage.

ANSI bombs are a special case, but don't qualify as viruses. These are
ANSI keyboard redefinition sequences hidden within textfiles. They only
work if you TYPE the file from the DOS prompt, and any common textfile
viewer (such as LIST.COM) will show the escapes and subsequent commands.
You can remove this danger by using ANSI.COM as your screen driver,
invoking with the '/b 0' option, or re-assembling NANSI.SYS to disallow
redefinition.
--
Roy M. Silvernail --  roy%cybrspc@cs.umn.edu - OR-  cybrspc!roy@cs.umn.edu
  perl -e '$x = 1/20; print "Just my \$$x! (adjusted for inflation)\n"'
        [space reserved for clever quote]{mail your submissions}
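
The ANSI bomb Roy describes is a keyboard reassignment sequence (ESC [ code ; string p) buried among the ordinary colour and cursor sequences of a text file; a viewer that shows the raw escapes, as LIST.COM does, reveals it. The following added example (not part of the original thread) does that check in Python: it parses every CSI sequence in a file, separates the harmless ones (ending in m, J, H, ...) from ANSI.SYS key reassignments (ending in p), and reports which key is being redefined and what it would type. The sample file, the F1/scancode table and the function names are constructed for the demo.

```python
import re

# A CSI sequence is ESC [ <params> <final letter>. Under ANSI.SYS a final
# 'p' is the keyboard reassignment command; colour and cursor commands end
# in other letters (m, H, J, K, ...). Params may contain quoted strings,
# so the character class must allow them before the final letter.
CSI_RE = re.compile(r'\x1b\[((?:"[^"]*"|\'[^\']*\'|[0-9;])*)([A-Za-z])')
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\d+')

# Extended keys are addressed as 0;<scancode>. Only a few names are listed
# so the report reads well; unknown codes are reported by number.
SCANCODES = {59: "F1", 60: "F2", 61: "F3", 62: "F4", 68: "F10"}


def _decode_tokens(tokens):
    """Turn the replacement part (quoted strings and/or decimal codes)
    into the text ANSI.SYS would feed to the keyboard buffer."""
    out = []
    for t in tokens:
        if t[0] in "\"'":
            out.append(t[1:-1])
        else:
            out.append(chr(int(t)))
    return "".join(out)


def describe_redefinition(params):
    """Return (key, replacement text) for one ESC[...p sequence, or None."""
    tokens = TOKEN_RE.findall(params)
    if not tokens:
        return None
    if tokens[0] == "0" and len(tokens) > 1 and tokens[1].isdigit():
        code = int(tokens[1])                      # extended key: 0;scancode
        key, rest = SCANCODES.get(code, f"scancode {code}"), tokens[2:]
    elif tokens[0].isdigit():
        code = int(tokens[0])                      # plain ASCII key code
        key = repr(chr(code)) if 32 <= code < 127 else f"ascii {code}"
        rest = tokens[1:]
    else:
        key, rest = repr(tokens[0][1:-1]), tokens[1:]   # key given as "x"
    return (key, _decode_tokens(rest))


def scan_text(data: bytes):
    """Report every keyboard reassignment hidden in a text file, plus a
    count of the other (display-only) escape sequences it contains."""
    text = data.decode("latin-1")
    report = {"redefinitions": [], "other_sequences": 0}
    for m in CSI_RE.finditer(text):
        params, final = m.group(1), m.group(2)
        if final == "p":
            d = describe_redefinition(params)
            if d is not None:
                report["redefinitions"].append(d)
        else:
            report["other_sequences"] += 1
    return report


# Constructed sample: a coloured README banner with two reassignments
# hidden after the visible text (F1 would type "dir", 'a' would type "b").
SAMPLE = (
    b"\x1b[1;33mREADME for the demo utility\x1b[0m\r\n"
    b"Press F1 for help.\r\n"
    b"\x1b[0;59;\"dir\"p"
    b"\x1b[97;\"b\"p"
    b"\x1b[2J"
)

if __name__ == "__main__":
    for key, text in scan_text(SAMPLE)["redefinitions"]:
        print(f"key {key} redefined to type {text!r}")
```

TYPEing the sample under ANSI.SYS would silently apply both reassignments; running the scanner over it (or viewing it with a program that prints the escapes) shows them instead, which is exactly the distinction Roy draws between TYPE and a viewer such as LIST.COM.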

mcastle@mcs213e.cs.umr.edu (Mike Castle {Nexus}) (03/22/91)

In article <LyP7y2w163w@cybrspc> roy%cybrspc@cs.umn.edu (Roy M. Silvernail) writes:
>
>McAfee's SCAN will scan .COM, .EXE, .SYS and .OV? files for you, as well
>as your boot sector. Beyond those types, scanning is of little value, since a
>virus must be executed to do any damage.

Oh, really?  What about franke.387 (an 80387 emulator)??  Scan won't scan it 
using defaults (someone posted /a as the option to force scanning of all 
files?), and franke wouldn't load as 387.sys or franke.sys.  What about 
windows .dll files??  What about Procomm aspect files (you can do lots of 
poking and peeking from those)??   

Granted, the last is a little far-fetched, but the idea is the same.  It is
possible to have executable code in files with other file names.


-- 
Mike Castle (Nexus) S087891@UMRVMA.UMR.EDU (preferred)       | XEDIT: Emacs
                mcastle@mcs213k.cs.umr.edu (unix mail-YEACH!)| on a REAL
Life is like a clock:  You can work constantly, and be right | operating
all the time, or not work at all, and be right twice a day.  | system. :->

jdb@reef.cis.ufl.edu (Brian K. W. Hook) (03/22/91)

In article <2453@umriscc.isc.umr.edu> mcastle@mcs213e.cs.umr.edu (Mike Castle {Nexus}) writes:
|>In article <LyP7y2w163w@cybrspc> roy%cybrspc@cs.umn.edu (Roy M. Silvernail) writes:
|>>
|>>McAfee's SCAN will scan .COM, .EXE, .SYS and .OV? files for you, as well
|>>as your boot sector. Beyond those types, scanning is of little value, since a
|>>virus must be executed to do any damage.
|>
|>Oh, really?  What about franke.387 (an 80387 emulator)??  Scan won't scan it 
|>using defaults (someone posted /a as the option to force scanning of all 
|>files?), and franke wouldn't load as 387.sys or franke.sys.  What about 
|>windows .dll files??  What about Procomm aspect files (you can do lots of 
|>poking and peeking from those)??   
|>
|>Granted, the last is a little far-fetched, but the idea is the same.  It is
|>possible to have executable code in files with other file names.

THANK YOU!  Where I work I have to be the PC support technician, in charge
of maintaining, recommending, installing, etc. new PCs and software.  We
got nailed by the Jerusalem-B and the Pakistani Brain virus since our PCs
(about 240 of them) are spread over a very large area (a factory facility
of 3 buildings).

Two identical copies were introduced when two CAD workers in the Aerospace
department brought in copies of a shareware "game" called FUCKHARD (no
kidding).  I got a chance to look at the original diskettes on this one:

INSTALLH.COM
FHARD.LBY

INSTALLH installs the program to the hard drive (HD installable ONLY -- not
a good sign), copies a hidden file (FHARD.BIN), then RENAMES FHARD.LBY TO
FHARD.COM!!!!

We use SCAN (we have a site license) by McAfee Assoc.  All the employees
with PCs watch out for viruses real well since we really came down on them
another time this occurred....so this one was SCANed, and I even SCANed the
original files.  NOTHING.  NADA.  No warnings of any type.

That shows you a major flaw.

One other thing:

How about a self-extracting virus in a self-extracting file using PKSFX?  GO.EXE
won't show any of the traits of a virus, but the extracted files will.  And
most people only check the diskettes BEFORE installation.

Another way to get around you really have to watch for is a simple launch
file ( probably a .COM file) that does a RENAME then an EXEC of another
file....that could've been used with the FHARD example above.

MORAL?  ALWAYS SCAN AFTER INSTALLATIONS!!!  ESPECIALLY ON ARCHIVED FILES!

Brian

cctr132@csc.canterbury.ac.nz (Nick FitzGerald, CSC, Uni. of Canterbury, NZ) (03/23/91)

In article <27569@uflorida.cis.ufl.EDU>, jdb@reef.cis.ufl.edu
(Brian K. W. Hook) writes:
> [Several quotes from previous posts about what files are scanned by
> McAfee's SCAN program deleted]
> THANK YOU!  Where I work I have to be the PC support technician, in charge
> of maintaining, recommending, installing, etc. new PCs and software.  We
> got nailed by the Jerusalem-B and the Pakistani Brain virus since our PCs
> (about 240 of them) are spread over a very large area (a factory facility
> of 3 buildings).
> 
> Two identical copies were introduced when two CAD workers in the Aerospace
> department brought in copies of a shareware "game" called FUCKHARD (no
> kidding).  I got a chance to look at the original diskettes on this one:
> 
> INSTALLH.COM
> FHARD.LBY
> 
> INSTALLH installs the program to the hard drive (HD installable ONLY -- not
> a good sign), copies a hidden file (FHARD.BIN), then RENAMES FHARD.LBY TO
> FHARD.COM!!!!

OK - so this shows how Jerusalem got onto your machines (an .EXE and .COM
infector), but how did the Paki Brain get there? - it is a boot sector
infector, not an executable infector.  Maybe this "game" (or its install
program) is a trojan, and deviously installs PB as its payload - next boot
and the machine is busily infecting all the floppies it is fed.

> We use SCAN (we have a site license) by McAfee Assoc.  All the employees
> with PCs watch out for viruses real well since we really came down on them
> another time this occurred....so this one was SCANed, and I even SCANed the
> original files.  NOTHING.  NADA.  No warnings of any type.
> 
> That shows you a major flaw.

In the following, assume my contention above about the PB implanting trojan
is correct:

But the problem is worse than you think.  OK, so we now all add .LBY to
our SCAN invocations so it searches any .LBY files, and so on.  Even
better, we always SCAN new disks with the /A switch (All files).  At most,
this would have told us that FHARD.LBY was infected with JeruB.  No great
problem, it's common and CLEAN (or somesuch) will easily disinfect it, so
we do so and say "All's well - play your game (wink, wink)".  On playing,
the machine is "artificially infected" with PB.

Why didn't the scanner pick up the PB code?  Ignoring the obvious
possibility of the sleazoid "author" of this trojan having encrypted it
in some way - hell, it's what I'd do if I ever sunk that low - the answer
is simple:  the virus scanner *wasn't looking for it*.  Why? - because
everyone knows that PB (and Stoned and.. and.. and..) are only boot sector
infectors, so the scanners (this applies to most/all, not just the McAfee
product mentioned earlier) don't look in executables for them (like they
don't look in boot sectors for executable infectors).  This, of course,
speeds up the scanning process somewhat.

> One other thing:
> 
> How about a self-extracting virus in a self-extracting file using PKSFX?  GO.EXE
> won't show any of the traits of a virus, but the extracted files will.  And
> most people only check the diskettes BEFORE installation.
> 
> Another way to get around you really have to watch for is a simple launch
> file ( probably a .COM file) that does a RENAME then an EXEC of another
> file....that could've been used with the FHARD example above.

Good points you should all take note of.
 
> MORAL?  ALWAYS SCAN AFTER INSTALLATIONS!!!  ESPECIALLY ON ARCHIVED FILES!

... and always scan ALL files on new disks **REGARDLESS OF WHERE THEY COME
FROM**.  Also, if your "commercially supplied" software doesn't come on
unnotched floppies *complain to the company* - if enough of you do so, some
things might change (apparently this worked with WP!).

---------------------------------------------------------------------------
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z. 
 Internet: n.fitzgerald@csc.canterbury.ac.nz        Phone: (64)(3) 642-337 

wcs) (03/26/91)

In article <27569@uflorida.cis.ufl.EDU> jdb@reef.cis.ufl.edu (Brian K. W. Hook) writes:
]We use SCAN (we have a site license) by McAfee Assoc.  All the employees
]with PCs watch out for viruses real well since we really came down on them
] ...
]MORAL?  ALWAYS SCAN AFTER INSTALLATIONS!!!  ESPECIALLY ON ARCHIVED FILES!

Are you also using VSHIELD ?  We had a bout with Jerusalem B which
someone's kid brought home from school, and SCAN/CLEAN seem to have
done a better job of cleanup than VB_101 or VKILL, which are public
domain (sigh - we want a PD version to give the school, but I'm not
sure I can trust them to clean up everything.)  

Since then, we've been installing VSHIELD, which does a good job of
catching infections at boot time and execution time.  Don't yet know
if the public-domain IMMUNE will do as well - it's a lot smaller.
VSHIELD comes with lots of dire warnings about using it along with
disk caches; I don't know if IMMUNE is safe or merely doesn't warn you :-)
Either way, it's cheap insurance against reinfection - can it catch
your FHARD program at work??
-- 
				Pray for peace;
					Bill
# Bill Stewart 908-949-0705 erebus.att.com!wcs AT&T Bell Labs 4M-312 Holmdel NJ
# Hacker.  System Designer.  Troublemaker.

frisk@rhi.hi.is (Fridrik Skulason) (03/27/91)

In article <2453@umriscc.isc.umr.edu> mcastle@mcs213e.cs.umr.edu (Mike Castle {Nexus}) writes:
>In article <LyP7y2w163w@cybrspc> roy%cybrspc@cs.umn.edu (Roy M. Silvernail) writes:
>>
>>McAfee's SCAN will scan .COM, .EXE, .SYS and .OV? files for you, as well
>>as your boot sector. Beyond those types, scanning is of little value, since a
>>virus must be executed to do any damage.
>
>Oh, really?  What about franke.387 (an 80387 emulator)??

Yes, really!

The original posting asked about viruses - not a generic trojan scanner.
All known viruses (well, apart from a couple of stupid little .BAT viruses)
use one of two possible methods to select suitable files for infection:

	1)  Files having the extensions .COM and/or .EXE

	2)  Files supplied as argument to INT 21H, function 4BH, which
	    includes the above, as well as occasional .OVL, .OVR, .APP
	    etc files.

A virus could THEORETICALLY infect a .DLL file, but such a virus does not
exist yet - so why bother scanning for it ? We don't know what to look for.

Anyhow - if you want to waste time scanning everything, including .DAT, .GIF
etc, you can also use my F-FCHK program posted recently on c.s.i.p.b. with the
/ALL argument.

cd5340@mars.njit.edu (David Charlap) (03/28/91)

In article <2975@krafla.rhi.hi.is> frisk@rhi.hi.is (Fridrik Skulason) writes:
>In article <2453@umriscc.isc.umr.edu> mcastle@mcs213e.cs.umr.edu (Mike Castle {Nexus}) writes:
>>In article <LyP7y2w163w@cybrspc> roy%cybrspc@cs.umn.edu (Roy M. Silvernail) writes:
>>>
>>>McAfee's SCAN will scan .COM, .EXE, .SYS and .OV? files for you, as well
>>>as your boot sector. Beyond those types, scanning is of little value, since a
>>>virus must be executed to do any damage.
>>

You can append a "/A" to the McAfee SCAN command to have it scan every
file in the scope specified.  I find it useful, since I know of programs
whose overlays are not .OV? extensions.  (anyone remember Turbo Pascal
version 3 and lower?  It used .000, .001, etc... for overlays)  And it
may very well be possible to put viruses in documents for some high-
end word processor's documents, although I don't think a scanning program
would find it easily.  And it doesn't take that much longer if you 
incrementally scan every unknown floppy that makes its way into your
computer anyway.
--
David Charlap                   "Invention is the mother of necessity"
cd5340@mars.njit.edu            "Necessity is a mother"
Operators are standing by	"mother!" - Daffy Duck
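
The thread keeps returning to one point: a scanner that picks files by extension misses a .COM body renamed to .LBY (Brian), an 80387 emulator or a Turbo Pascal .000 overlay (Mike, David), and a boot-sector pattern carried inside a dropper program (Nick), which is why everyone ends up recommending SCAN's /A switch. The added example below (written for this page, not McAfee's code, and using constructed demo signatures rather than real virus patterns) shows the difference in working Python: the same directory tree is scanned once the default way (extension list, boot-sector signatures reserved for boot sectors) and once the /A way (every file, every signature), and a third pass flags files that carry an MZ executable header under an extension a scanner would skip. The file names, byte patterns and the DEFAULT_EXTENSIONS set are assumptions for the demo.

```python
import os
import tempfile

# Constructed demo signatures (NOT real virus patterns). Each entry is the
# byte string to search for plus the infector class it belongs to; the
# thread notes that scanners normally apply "boot" patterns only to boot
# sectors, so this scanner makes that choice explicit.
DEMO_SIGNATURES = {
    "DEMO-EXE-INFECTOR": (b"\xE8\x00\x00\x5D\x81\xED DEMO-EXE", "file"),
    "DEMO-BOOT-INFECTOR": (b"\xEB\x3C\x90 DEMO-BOOT", "boot"),
}

# Extensions a 1991-era scanner checks by default (the list from the thread).
DEFAULT_EXTENSIONS = {".COM", ".EXE", ".SYS", ".OVL", ".OVR"}


def scan_tree(root, signatures=DEMO_SIGNATURES, extensions=None,
              include_boot_signatures=False):
    """Return sorted (relative path, signature name) pairs.
    extensions=None scans every file, the equivalent of SCAN's /A."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].upper()
            if extensions is not None and ext not in extensions:
                continue                       # skipped by extension
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for sig_name, (pattern, kind) in signatures.items():
                if kind == "boot" and not include_boot_signatures:
                    continue                   # boot patterns: sectors only
                if pattern in data:
                    hits.append((os.path.relpath(path, root), sig_name))
    return sorted(hits)


def misnamed_executables(root):
    """Files with an MZ (.EXE) header under an extension the default
    extension list would never look at."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(2)
            ext = os.path.splitext(name)[1].upper()
            if head == b"MZ" and ext not in DEFAULT_EXTENSIONS:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_sample_tree(root):
    """Write a constructed set of files mirroring the cases in the thread."""
    exe_sig = DEMO_SIGNATURES["DEMO-EXE-INFECTOR"][0]
    boot_sig = DEMO_SIGNATURES["DEMO-BOOT-INFECTOR"][0]
    files = {
        "GAME.EXE": b"MZ" + b"\x00" * 30 + exe_sig,   # caught either way
        "FHARD.LBY": b"\xB8\x00\x4C" + exe_sig,       # .COM body renamed
        "TP.000": b"\x00" * 16 + exe_sig,             # Turbo Pascal 3 overlay
        "INSTALL.COM": b"\xB4\x4C" + boot_sig,        # boot code inside a file
        "TOOL.DAT": b"MZ" + b"\x00" * 30,             # .EXE hiding as .DAT
        "README.TXT": b"plain text, nothing here",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temporary directory and run all three
    passes; the caller gets the results as a dict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {
            "default": scan_tree(root, extensions=DEFAULT_EXTENSIONS),
            "all_files": scan_tree(root, extensions=None,
                                   include_boot_signatures=True),
            "misnamed": misnamed_executables(root),
        }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

The default pass reports only GAME.EXE; the all-files pass additionally reports FHARD.LBY, TP.000 and the boot-sector pattern in INSTALL.COM, and the header check singles out TOOL.DAT. The cost, as David says, is reading every file, which is cheap on a floppy being checked before first use.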