1. Possible Virus
- Posted by Everett Williams <rett at GVTC.COM> Oct 31, 1999
- 587 views
- Last edited Nov 01, 1999
I know that the nature of an interpreter is likely to trigger virus checkers, but I still thought that I should note this. Norton Anti-Virus identified both ed.exe and pded.exe as having the "Bloodhound.File.String" virus in it. I had some sort of virus in my system that was absorbing system memory like crazy. It caused me to have to do a full re-install of Win98-SE2. With the reinstall, I can now get over 40 meg of free memory again, where for a while 20 meg was the limit and over time that went down until the system locked. NAV will not clean this problem, so I will await somebody else's assurance that this is just my problem. I had heard enough instances of other people on this list having crashed machines lately that I thought that this might not just be my problem. Maybe there are good explanations for those crashes... maybe not. Somebody reassure me.

Everett L.(Rett) Williams
rett at gvtc.com
2. Re: Possible Virus
- Posted by Robert Craig <rds at ATTCANADA.NET> Nov 01, 1999
- 548 views
Everett L.(Rett) Williams writes:
> Norton Anti-Virus identified both ed.exe and pded.exe as having the "Bloodhound.File.String" virus in it.

I assume you mean ex.exe and pdex.exe. These are both "compressed executables", compressed using a tool provided with the CauseWay DOS extender. ex.exe and pdex.exe are essentially the same file. Some virus scanners will flag these files because the virus scanner notices that they are not "normal" DOS .exe files - i.e. the machine code in the file is not recognizable - it's actually compressed data. This very fact actually makes these files *less* susceptible to virus attack. If you have any doubts, you should download these files again from our site and do a file compare, e.g. fc /b ex1.exe ex2.exe, to see if they have been modified by some virus on your system. I doubt that they have.

Regards,
Rob Craig
Rapid Deployment Software
http://www.RapidEuphoria.com
3. Re: Possible Virus
- Posted by Bret Belgarde <BretBelgarde at WORLDNET.ATT.NET> Nov 01, 1999
- 506 views
Hi:
I am running Norton Anti-Virus (most recent virus defs) and I have never gotten a virus warning. Although if a virus warning appears that has the Bloodhound in it, it usually refers to content that may not actually be a virus, but that NAV finds questionable. The comments included in NAV's virus list regarding "Bloodhound.file.string": "If the Norton Anti Virus reports this infection in a file, this means the Bloodhound(TM) system has analyzed and determined the file contains some viral signature (i.e. it may contain a virus)."

Just as a side note, I had a similar problem with the PCs in my company's restaurants. 76 out of 88 PCs showed up with "Bloodhound.boot.virus" when scanned with NAV, but did not react when scanned with IBMAV or McAfee.

Hope this was of some help.

Bret Belgarde
Network Administrator
Seattle Crab Co.

Everett Williams wrote:
> I know that the nature of an interpreter is likely to trigger virus checkers, but I still thought that I should note this.
>
> Norton Anti-Virus identified both ed.exe and pded.exe as having the "Bloodhound.File.String" virus in it. I had some sort of virus in my system that was absorbing system memory like crazy. It caused me to have to do a full re-install of Win98-SE2. With the reinstall, I can now get over 40 meg of free memory again, where for a while 20 meg was the limit and over time that went down until the system locked. NAV will not clean this problem, so I will await somebody else's assurance that this is just my problem. I had heard enough instances of other people on this list having crashed machines lately that I thought that this might not just be my problem. Maybe there are good explanations for those crashes... maybe not. Somebody reassure me.
>
> Everett L.(Rett) Williams
> rett at gvtc.com
4. Re: Possible Virus
- Posted by Everett Williams <rett at GVTC.COM> Nov 01, 1999
- 515 views
- Last edited Nov 02, 1999
Hello Bret, this is Rett. Sorry, couldn't resist that (having been miscalled by Bret half of my life). I had turned Bloodhound all the way to max sensitivity and so had discounted some of what it had to say, but here are the results of my length checks when I checked them per Rob's comments.

files from RDS
pdex.exe - 177,780
ex.exe - 177,468

quarantined files
pdex.exe - 185,780
ex.exe - 185,468

You will note the 7k difference in size. Since I borrowed the NAV to check this problem, I cannot send in this problem. I don't normally use NAV, but my other packages were not detecting any problems in an obviously sick system. I suspect from the pattern and timing that one of the bound or shrouded downloads from either RDS archives or one of the systems that it points to had the virus in it and it transferred to my copy when executed. If anybody wants the infected modules to check out, I will gladly send them to you.

Because of the nature of Euphoria, most virus checkers will not detect anything in it, or will report viruses incorrectly when run. This problem is not trivial. The worst of it is that in a shrouded or bound module, the virus could actually be written in Eu, though I suspect that the infection was accidentally passed on in the "exe" part. Without some code from RDS, this problem cannot be solved. I would hate to see Eu tagged as a pariah because of its vulnerability to this kind of attack.

In the long run, the only solution to this problem is to have some form of approved and really thoroughly checked libraries being the only code allowed for posting on the archive. Pokes outside of these libraries would not be allowed in anything posted on the archive. Shrouded or bound code would have to be provided to the librarian in source form, with the shrouded or bound version provided by the librarian. Without some controls, this ride could get very rough.

Everett L.(Rett) Williams
rett at gvtc.com

On Mon, 1 Nov 1999 14:33:02 -0800, Bret Belgarde <BretBelgarde at WORLDNET.ATT.NET> wrote:
> Hi:
> I am running Norton Anti-Virus (most recent virus defs) and I have never gotten a virus warning. Although if a virus warning appears that has the Bloodhound in it, it usually refers to content that may not actually be a virus, but that NAV finds questionable. The comments included in NAV's virus list regarding "Bloodhound.file.string": "If the Norton Anti Virus reports this infection in a file, this means the Bloodhound(TM) system has analyzed and determined the file contains some viral signature (i.e. it may contain a virus)." Just as a side note, I had a similar problem with the PCs in my company's restaurants. 76 out of 88 PCs showed up with "Bloodhound.boot.virus" when scanned with NAV, but did not react when scanned with IBMAV or McAfee.
> Hope this was of some help.
>
> Bret Belgarde
> Network Administrator
> Seattle Crab Co.
>
> Everett Williams wrote:
>
>> I know that the nature of an interpreter is likely to trigger virus checkers, but I still thought that I should note this.
>>
>> Norton Anti-Virus identified both ed.exe and pded.exe as having the "Bloodhound.File.String" virus in it. I had some sort of virus in my system that was absorbing system memory like crazy. It caused me to have to do a full re-install of Win98-SE2. With the reinstall, I can now get over 40 meg of free memory again, where for a while 20 meg was the limit and over time that went down until the system locked. NAV will not clean this problem, so I will await somebody else's assurance that this is just my problem. I had heard enough instances of other people on this list having crashed machines lately that I thought that this might not just be my problem. Maybe there are good explanations for those crashes... maybe not. Somebody reassure me.
>>
>> Everett L.(Rett) Williams
>> rett at gvtc.com
5. Re: Possible Virus
- Posted by Robert Craig <rds at ATTCANADA.NET> Nov 01, 1999
- 512 views
- Last edited Nov 02, 1999
Everett L.(Rett) Williams writes:
> quarantined files
> pdex.exe - 185,780
> ex.exe - 185,468

Send one of the above files as an e-mail attachment to: rds at attcanada.net

Maybe pdex.exe would be better. I'll put on my surgical mask and gloves and examine it.

Regards,
Rob Craig
Rapid Deployment Software
http://www.RapidEuphoria.com
6. Re: Possible Virus
- Posted by nieuwen at XS4ALL.NL Nov 02, 1999
- 537 views
Everett, my apologies. It was not meant as a flame, though it turned out as one. I must admit, I was slightly annoyed by some assumptions you made that were, as I still believe, entirely wrong. I felt this was a little inappropriate, considering the help you are receiving from Robert with an issue that has likely got nothing to do with Euphoria at all. Though, I was out of line to be the one to point that out.

There are a number of reasons why I state that Euphoria was not, nor is, the carrier of the virus. Please correct me if I'm wrong, but, first of all, you _are_ the only one with the virus. Secondly, the files on the server from which we _all_ downloaded the registered version are the very same. Also, of all programs, Euphoria is the most likely to be _spotted_ as a virus; however, it is the _least_ likely to _contain_ a virus. Another sign that points away from Euphoria would be the fact that the downloaded files, if they had been infected, would have to be 7 kb larger.

Also, on your (personal) note about my English, it actually _is_ my fault. Whether my English is 'ok' or 'terrible' is mostly dependent on my effort and focus. It takes some discipline to re-read and check every mail I send, and discipline is pretty much lacking with me. It of course also has to do with the way I write an email, i.e. on-the-fly.

I hope this clears some air, before this, as irrelevant as it is, turns into a group discussion.

Ralf Nieuwenhuijsen
[[ Email ]] nieuwen at xs4all.nl ralf_n at email.com
[[ I-Seek-You ]] UIN: 9389920
[[ The Elevator ]] http://www.xs4all.nl/~nieuwen
7. Re: Possible Virus
- Posted by Robert Craig <rds at ATTCANADA.NET> Nov 02, 1999
- 544 views
Everett L.(Rett) Williams writes:
> files from RDS
> pdex.exe - 177,780
> ex.exe - 177,468
>
> quarantined files
> pdex.exe - 185,780
> ex.exe - 185,468

Thanks for sending me one of your quarantined files. I compared the quarantined pdex.exe versus the clean pdex.exe from our site. It took a bit of work (using the tool below) but I can tell you that the quarantined file is simply the clean file with an extra 8000-byte block inserted at the front *by Norton Antivirus itself*, plus Norton inverted all the other bits in the file: 0 becomes 1, 1 becomes 0 in each byte. Therefore, there is *no virus* in either the clean pdex.exe or the "quarantined" version, unless you believe that the clean pdex.exe on our site, which has been downloaded and used for many months by many thousands of people, is tainted.

Obviously what happened is that Norton erroneously raised a warning flag against ex.exe and pdex.exe, probably because they are compressed executables. Norton then proceeded to create the quarantined versions of ex.exe and pdex.exe by adding an 8000-byte information block and inverting all the bits. The information block contains things such as your name "Rett Williams", the name of the suspected virus, a whole bunch of 0's etc.

Regards,
Rob Craig
Rapid Deployment Software
http://www.RapidEuphoria.com

---------------------------------------------------------------
-- determine frequency of byte-values in a file
-- usage:
--     ex analyse > junk
-- the frequencies were totally mismatched, until
-- I sorted them and saw the inversion of bits

include sort.e

integer b, count

function analyse(sequence name, integer min, integer max)
-- get frequencies for file "name" from min byte to max byte
    integer fn
    sequence freq

    freq = repeat(0, 256)
    fn = open(name, "rb")
    if fn = -1 then
        puts(2, "can't open " & name & '\n')
        abort(1)
    end if
    count = 0
    while 1 do
        b = getc(fn)
        if b = -1 then          -- end of file
            exit
        end if
        if count >= min then    -- skip the first min bytes
            freq[b+1] += 1
        end if
        count += 1
        if count = max then
            exit
        end if
    end while
    close(fn)
    return freq
end function

function abs(atom x)
    if x < 0 then
        return -x
    else
        return x
    end if
end function

sequence f1, f2

-- clean file from the RDS site
f1 = sort(analyse("pdex.exe", 0, 999999))
for i = 1 to length(f1) do
    printf(1, "%5d", f1[i])
    if remainder(i, 12) = 0 then
        puts(1, '\n')
    end if
end for
puts(1, "\n\n")

-- quarantined file, skipping the 8000-byte block Norton added at the front
f2 = sort(analyse("pdex.vir", 8000, 999999))
for i = 1 to length(f2) do
    printf(1, "%5d", f2[i])
    if remainder(i, 12) = 0 then
        puts(1, '\n')
    end if
end for
puts(1, "\n\n")

-- sum of differences between the two sorted frequency tables
atom ss
ss = 0
for i = 1 to length(f1) do
    ss += abs(f1[i] - f2[i])
end for
? ss / length(f1)
-------------------------------
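The same analysis written as an added example in Python (not code from the thread or from RDS): it compares sorted byte-frequency tables the way Rob's tool does, then undoes the transform he inferred for a Norton quarantine copy (8000-byte block in front, every bit inverted) and checks for byte equality, which is what the earlier fc /b suggestion asks. The sample bytes and the header layout of the quarantine copy are constructed here from Rob's description, not taken from real files.

```python
# Added example, not code from the thread or from RDS. All input bytes below
# are constructed; the quarantine header layout is assumed from Rob's description.
import random

QUARANTINE_HEADER_LEN = 8000  # size of the block Rob found at the front of pdex.vir


def byte_frequencies(data: bytes, skip: int = 0) -> list:
    """256-entry histogram of the byte values in data[skip:] (Rob's analyse())."""
    freq = [0] * 256
    for b in data[skip:]:
        freq[b] += 1
    return freq


def sorted_profile_distance(clean: bytes, suspect: bytes, skip: int = 0) -> float:
    """Mean absolute difference between the two *sorted* histograms.

    Sorting discards which byte value had which count, so a pure bit inversion
    (b -> 255 - b) of the same data gives a distance of exactly 0.0, while a
    prepended block of different material pushes it well above 0.
    """
    f1 = sorted(byte_frequencies(clean))
    f2 = sorted(byte_frequencies(suspect, skip))
    return sum(abs(a - c) for a, c in zip(f1, f2)) / len(f1)


def unquarantine(suspect: bytes, header_len: int = QUARANTINE_HEADER_LEN) -> bytes:
    """Strip the prepended block and invert every bit (XOR 0xFF)."""
    return bytes(b ^ 0xFF for b in suspect[header_len:])


def classify(clean: bytes, suspect: bytes) -> dict:
    """Apply the checks from the thread and report them together."""
    return {
        "size_delta": len(suspect) - len(clean),
        "raw_distance": sorted_profile_distance(clean, suspect),
        "body_distance": sorted_profile_distance(clean, suspect, QUARANTINE_HEADER_LEN),
        # True only if the suspect is the clean file in quarantine form; a file
        # that was genuinely modified will not reproduce the original this way.
        "is_quarantine_copy": unquarantine(suspect) == clean,
    }


def make_quarantine_copy(clean: bytes, owner: str, detection: str) -> bytes:
    """Constructed stand-in for NAV's quarantine format as Rob described it:
    an 8000-byte block holding the owner's name, the detection name and zero
    padding, followed by the bit-inverted original. The exact layout is assumed."""
    header = (owner.encode() + b"\0" + detection.encode()).ljust(QUARANTINE_HEADER_LEN, b"\0")
    return header + bytes(b ^ 0xFF for b in clean)


# Constructed sample data: high-entropy bytes stand in for a compressed executable.
_rng = random.Random(1999)
CLEAN = bytes(_rng.getrandbits(8) for _ in range(4096))
QUARANTINED = make_quarantine_copy(CLEAN, "Rett Williams", "Bloodhound.File.String")
# A file that really was altered: same length as CLEAN, one byte changed.
_t = bytearray(CLEAN)
_t[100] ^= 0x20
TAMPERED = bytes(_t)

if __name__ == "__main__":
    for label, suspect in (("quarantined", QUARANTINED), ("tampered", TAMPERED)):
        print(label, classify(CLEAN, suspect))
```

For the quarantine copy the size delta is 8000, the sorted-histogram distance drops to 0.0 once the header is skipped, and the recovered body is identical to the clean file; the tampered file fails the last check.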
8. Re: Possible Virus
- Posted by Irv Mullins <irv at ELLIJAY.COM> Nov 02, 1999
- 528 views
- Last edited Nov 03, 1999
On Tue, 02 Nov 1999, Rob wrote:
> Therefore, there is *no virus* in either the clean pdex.exe or the "quarantined" version, unless you believe that the clean pdex.exe on our site, which has been downloaded and used for many months by many thousands of people, is tainted.
>
> Obviously what happened is that Norton erroneously raised a warning flag against ex.exe and pdex.exe, probably because they are compressed executables. Norton then proceeded to create the quarantined versions of ex.exe and pdex.exe by adding an 8000-byte information block and inverting all the bits. The information block contains things such as your name "Rett Williams", the name of the suspected virus, a whole bunch of 0's etc.

For what it's worth, I downloaded the latest version of Norton, and the viriii updates, last night. No problem was found in any of the Euphoria programs. So it may be that Rett was using an older version of Norton which erroneously flags compressed files, or it may be that there actually is a virus in his computer which is infecting various things, and his copy of Euphoria is just one of the unlucky ones.

Regards,
Irv
9. Re: Possible Virus
- Posted by Everett Williams <rett at GVTC.COM> Nov 03, 1999
- 539 views
On Tue, 2 Nov 1999 15:34:18 -0500, Robert Craig <rds at ATTCANADA.NET> wrote:
>
> Therefore, there is *no virus* in either the clean pdex.exe or the "quarantined" version, unless you believe that the clean pdex.exe on our site, which has been downloaded and used for many months by many thousands of people, is tainted.
>
> Regards,
> Rob Craig
> Rapid Deployment Software
> http://www.RapidEuphoria.com

In reply to you and Irv and Ralf, my apologies for all the trouble. The only items tagged by NAV were the files I noted. I did not realize that the quarantine did what you have noted, but I congratulate you, Rob, on discovering their formula. Nice piece of code, too. I thought of restoring the item before sending it to you, but thought that might not be advisable and did not know that it was necessary to return the code to normal mode. Live and learn.

And no, I did not suspect that the download of Eu was contaminated. I suspected that a virus might be hidden in one of the bound and shrouded items in the archive or on one of the user sites pointed to by the archive. I still feel that Eu is an open invitation to hackers to attack and I don't believe that current virus checkers are liable to be able to detect what can be done legitimately from Eu. I will repeat something that I wrote to Ralf offline.

> In the long run, the only solution to this problem is to have some form of approved and really thoroughly checked libraries being the only code allowed for posting on the archive. Pokes outside of these libraries would not be allowed in anything posted on the archive. Shrouded or bound code would have to be provided to the librarian in source form, with the shrouded or bound version provided by the librarian. Without some controls, this ride could get very rough.

Let me modify that slightly. I don't mean that libraries should be the only things posted on the archive. What I mean is that code in the archive should only be based on checked code or checked libraries. I believe that for this language to grow in use and importance, pokes outside of standard libraries should not be needed (lots of work and thought necessary to get to this one) or used except in unusual circumstances or for code clearly marked as "single platform". That aside, my last item is the most important. Shrouded or bound code should not be posted on any archive without the librarian of that archive having the source in possession. A standard non-disclosure agreement can handle any problems. If the shrouded or bound object is then created by the librarian and posted, the rest of us can be certain that intentional damage is unlikely and easily tracked if found. The use of stamped libraries should be acceptable.

I'm sorry that I don't have Ralf's certainty that no one on this list would do ill things. I have no concerns about the major library posters or the major contributors that are active on the list, but there is much else that seems interesting that is not by these folks. In answer to the thought that I am the only one with trouble, I have noted that in recent times many of the major contributors to the list have had to recreate one or more of their systems. I suppose that all those problems could be hardware related or due to viruses not acquired from the Eu based items, but it doesn't seem likely. I have downloaded over 5 gigabytes of items over time and tested most of them, and this is the first time that I have had problems with a virus. In 14 years of PC usage, I have had one true hard-disk crash and that cost me no data loss. I have helped many others with both hardware and software caused data loss, so I know that it happens and I know both its causes and cures. Prevention and backup are the sovereign solutions. What I am asking for here is prevention.

Everett L.(Rett) Williams
rett at gvtc.com
10. Re: Possible Virus
- Posted by Irv Mullins <irv at ELLIJAY.COM> Nov 03, 1999
- 520 views
On Wed, 03 Nov 1999, Everett Williams wrote:
> I still feel that Eu is an open invitation to hackers to attack and I don't believe that current virus checkers are liable to be able to detect what can be done legitimately from Eu.

I just don't see anything that makes Euphoria more or less vulnerable than any other programming language. Do you have the source code for all those Windows programs you download? I don't think so. If not, how do you know that among those many megabytes of files, there isn't a little routine to read a seemingly harmless data file, transpose the bytes in one manner or another so it is restored to its original "virus" form, and write it somewhere? No virus checker will detect that until the damage is already done. If there's a time delay involved, perhaps not until months later. Even when you have the source code, I really doubt that you are going to wade thru each program in search of a tiny routine such as mentioned above.

In the final analysis, it's up to each of us to provide what protection we feel is necessary. Either run virus scans, or choose a less-vulnerable environment than Windows.

Regards,
Irv

Side note:
symptoms: Windows running slowly, no free memory left.
diagnosis 1: Virus. cure 1: reload Windows from scratch.
diagnosis 2: Windows. cure 2: reload Windows from scratch.
When both symptoms and cure are the same, maybe the disease is also the same.
11. Re: Possible Virus
- Posted by Everett Williams <rett at GVTC.COM> Nov 03, 1999
- 532 views
On Wed, 3 Nov 1999 07:17:25 -0500, Irv Mullins <irv at ELLIJAY.COM> wrote:
> On Wed, 03 Nov 1999, Everett Williams wrote:
>
>> I still feel that Eu is an open invitation to hackers to attack and I don't believe that current virus checkers are liable to be able to detect what can be done legitimately from Eu.
>
> I just don't see anything that makes Euphoria more or less vulnerable than any other programming language. Do you have the source code for all those Windows programs you download? I don't think so.

No, but Euphoria, as most interpreter type languages, is by its nature viruslike in behavior and therefore difficult to check for virus action before it is taken. Ninety-nine percent of those Windows programs are pure data and executable. They do not go through a transform (interpretation) to take whatever action that they take. Virus checkers know how to look for patterns imposed on existing executables. If the virus is written into the program, the virus checker will probably not have a chance at it until it takes a viruslike action. Those of us who have used virus checkers for a long time know that active virus checkers suck up lots of cycles and set off lots of false alarms. The solution to that is to only download from sources that heavily virus check programs before putting them into downloadable status. In general, I do that. The small nature of the Eu effort makes that almost impossible.

> If not, how do you know that among those many megabytes of files, there isn't a little routine to read a seemingly harmless data file, transpose the bytes in one manner or another so it is restored to its original "virus" form, and write it somewhere? No virus checker will detect that until the damage is already done. If there's a time delay involved, perhaps not until months later.

The fact that it has only happened once in 14 years makes me think that the precautions that I do take are fairly effective.

> Even when you have the source code, I really doubt that you are going to wade thru each program in search of a tiny routine such as mentioned above.

I don't have to if the source is available someplace to be checked if problems arise. I don't have to possess the source if I know someone other than the author has a copy that can be checked.

> In the final analysis, it's up to each of us to provide what protection we feel is necessary. Either run virus scans, or choose a less-vulnerable environment than Windows.

As I have pointed out above, Euphoria can easily create a situation where such scans are ineffective.

> Regards,
> Irv
>
> Side note:
> symptoms: Windows running slowly, no free memory left.
> diagnosis 1: Virus. cure 1: reload Windows from scratch.
> diagnosis 2: Windows. cure 2: reload Windows from scratch.
> When both symptoms and cure are the same, maybe the disease is also the same.

No question that you are right on this point, but I am a consultant and must run the environment possessed by most of my customers. If I chose to run Linux or any other option all the time, I wouldn't be able to run about ninety percent of the downloads available from the archive or use the major libraries that are being written for Eu. I think that the emphasis in the future should be towards creating a set of libraries that function across systems and isolate the programmer from the underlying operating system. This is not the current direction of most of the contributions to the archive, but some of them could be warped to that purpose. I tend to agree somewhat with Jiri's wry comments about the Microsoft hacker nature of most of the current libraries. From his other comments, I know that he respects these people, but wishes, as do I, that their efforts were directed elsewhere. For example, if many of these 3D efforts were directed towards OpenGL instead of DirectX, their potential for portability would obviously multiply. If a portable GUI interface could be chosen or written, then the non-game programmers among us could hope to write portable programs without re-inventing the wheel each time. A portable language without portable programs is at best a non sequitur.

Everett L.(Rett) Williams
rett at gvtc.com
12. Re: Possible Virus
- Posted by "Boehme, Gabriel" <gboehme at POSTOFFICE.MUSICLAND.COM> Nov 03, 1999
- 532 views
- Last edited Nov 04, 1999
Everett Williams wrote:
> [...] Euphoria, as most interpreter type languages, is by its nature viruslike in behavior [...]

You have to admit, though, that Euphoria has better run-time error checking, more powerful type checking, and is easier to write in than most other viruses.

Additionally, the only programs on my disk which have been infected with it are -- you guessed it -- the Euphoria programs; and they were deliberately written that way to begin with!

So this is "viruslike behavior?" Those darn virus-protection software makers have been ripping us off for years!

Gabriel
13. Re: Possible Virus
- Posted by Everett Williams <rett at GVTC.COM> Nov 03, 1999
- 524 views
- Last edited Nov 04, 1999
Touché, or is that touchy? I wouldn't bother to suggest/criticize/bother if I did not believe all the things that you have noted about Euphoria. It is the best looking language that I have seen in thirty-three years of looking at different languages. And if those darn virus-protection types (whom I suspect of at least distributing if not actually writing some viruses) would like to give me a refund, I'll take it.

Now, when you get around to it, since I have indirectly taken some potshots at the type of coding that you do (and I freely admit that you are a much better coder than I have ever been), why don't you take a shot at some of the other points that I so humbly tried to make. What I was trying to say was that the type of coding that you do belongs exactly where it normally is, hidden behind the routines of a library. I just wish the libraries were more generally and less particularly aimed. Meaning, that they could be used in any environment with suitable adjustments... DOS, Windows, Linux, & etc.

Everett L.(Rett) Williams
rett at gvtc.com

On Wed, 3 Nov 1999 19:21:21 -0600, Boehme, Gabriel <gboehme at POSTOFFICE.MUSICLAND.COM> wrote:
> Everett Williams wrote:
>
>> [...] Euphoria, as most interpreter type languages, is by its nature viruslike in behavior [...]
>
> You have to admit, though, that Euphoria has better run-time error checking, more powerful type checking, and is easier to write in than most other viruses.
>
> Additionally, the only programs on my disk which have been infected with it are -- you guessed it -- the Euphoria programs; and they were deliberately written that way to begin with!
>
> So this is "viruslike behavior?" Those darn virus-protection software makers have been ripping us off for years!
>
> Gabriel