Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5) id AA17739; Fri, 5 Mar 1993 18:34:46 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA07552 (5.67a/IDA-1.5 for ); Fri, 5 Mar 1993 12:10:21 -0500
Date: Fri, 5 Mar 1993 12:10:21 -0500
Message-Id: <9303051711.AA04562@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #40
Status: RO

VIRUS-L Digest   Friday, 5 Mar 1993   Volume 6 : Issue 40

Today's Topics:

Scanners getting bigger and slower
Of guns, viruses, and geography (was re: your opinions...)
Viruses in other populations
Re: Sale of Viri
Central Point Antivirus and Stacker (PC)
EXE/COM switch (PC)
How can you recover a hard drive from joshi? (PC)
Re: PC Magazine reviews virus software (PC)
PC Magazine on Anti-Virus (PC)
Validate values for Vshield v102 (PC)
Re: Unloading TSRs (was: scanners) (PC)
Re: Why only PC's?
re: Laws and Viruses
re: standardization (PC)
Re: Virus Development Programs (PC)
Re: wordperfect virus? (PC)
Re: Virus Development Programs
Identification needed for a Virus Message (PC)
Re: Effect of Form (PC)
Removal of Michelangelo (PC)
Financial firms open meeting Thursday on Trade Center recovery

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Sun, 28 Feb 93 12:38:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

Vesselin Bontchev writes:

> Bigger - yes. Slower - not necessarily. First, not everybody's scanner
> has a different signature for any different virus. There are a lot of
> scanners around that report "Jerusalem variant" for a couple of
> hundreds of different viruses, the only common thing being that they
> are indeed derived from the old Jerusalem virus. In most cases, all
> those variants are detected with 1-2 signatures. But, as more and more
> viruses appear, scanners must necessarily get bigger and use more
> memory.

You know, Vesselin, I thought of a different approach to be used, when the day comes that there would be too many viruses. Instead of having one big huge turtle speed scanner, you would have, say, 4 scanners. One for stealths, one for common viruses, one for encryptive and one for rare. Thus, you would use them in different frequencies, and each would run faster and better.

Comments?

Inbar Raz

- --
Inbar Raz     5 Henegev, Yavne 70600 ISRAEL.     Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's. (9:9721/210)

------------------------------

Date: Thu, 04 Mar 93 09:15:06 -0500
From: ROBERT HINTEN 617-565-3634
Subject: Of guns, viruses, and geography (was re: your opinions...)

dudleyh@redgum.ucnv.edu.au (Dudley Horque) writes:

>bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>>
>>You see, there are BIG differences between the local laws in the
>>different countries.
>>You shouldn't assume that something is legal or
>>illegal (and should remain so) just because it is so in your
>>particular country. On the other side, computer viruses do not
>>recognize country boundaries...

>That's USAns for you.

While I'm sure (hope) other USAns will respond, I hasten to point out that the original poster was Canadian:

>Date: Tue, 23 Feb 93 19:00:00 -0500
>From: Luis Gamero
>Subject: your opinions on virus legality
>
>No. If you keep it in your OWN possession how could it be illegal?
>You can own a gun and not use it. That's not illegal.
>- --
>Canada Remote Systems - Toronto, Ontario
>416-629-7000/629-7044

dudleyh@redgum.ucnv.edu.au (Dudley Horque):

>But everyone else gets the last laugh... many of their kids in secondary
>education cannot even point out where USA is on a map.

There are indeed USAns in secondary education that have trouble with geography (as I'm sure do a proportionate number of Australians), but can't find USA on a map? That stretches credibility. My soon-to-be-five year old daughter can not only locate her country, state, county, city, and street on a map, but can also find Australia on a globe, and does quite well with most European and Mid-Eastern countries (was going to include eastern Europe, but lately *I've* had trouble with that :-)).

The above notwithstanding, I fail to see the correlation between proficiency in geography and the ability to create "dangerous" viruses.

>Still, this does cut down on the number of dangerous viruses that the
>USAns can write.

Can we infer that certain Bulgarians (i.e., Dark Avenger) can handle a map blindfolded?
==========================================================================
Monty Hinten                             hinten.robert@epamail.epa.gov
Information Security Officer             (617)565-3634
US EPA, Region I                         Boston, MA *USA*
==========================================================================

------------------------------

Date: Thu, 04 Mar 93 11:07:39 -0500
From: WHMurray@DOCKMASTER.NCSC.MIL
Subject: Viruses in other populations

>I have a question. Why is it that all the virus discussions are about
>PC's and Mac's? There ARE other computers out there. What about NeXt,
>C-64, Amiga's. I never see hardly anything on those types of computers.
>Is it possible those types don't have as many virus problems as PC's?

There have been a number of answers to this question. I would like to suggest two more.

The first is that one of the conditions for the success of a virus is population size and density. Consider the case of a one of a kind computer. A virus makes no sense in that context. It does not make much more sense in the case of two, or any small number of computers.

If you introduce Herpes Simplex ("Chicken Pox") into a sterile population of 10K people, about 10 percent will die, most of the remainder will become immune, and Herpes will die out. On the other hand, if you introduce it into a population of 100K, it will prosper. The reason is that the target population will replenish itself, from the bottom, at a rate sufficient to ensure that the virus will always have a new place to go. It is in part for this reason that we call chicken pox a "childhood" disease. It is not that children are inherently more vulnerable to the virus than adults, but that all of the adults are either immune or dead.

So it is with computers. There is some minimum population size that is required for the continued successful spread and persistence of the virus. We do not know what that size is. We know clearly that the PC, MAC, and Atari Amiga populations are large enough.
We suspect, but do not know for certain, that most of the other populations are too small.

Another reason has to do with the extra-host persistence of the virus. The successful viruses spread via diskette. This is a very slow mechanism, but the virus is very safe and persistent on the diskette. Contrast this to the internet (RTM, "All Souls") worm. It spread very rapidly, doubling in tens of minutes. In part because of this rapid spread it was noticed, and identified very rapidly, within hours. Because it had no extra-host place to hide, it was eradicated within tens of hours.

We see a similar phenomenon with the spread of viruses in LANs. They spread very rapidly, are noticed early, and copies on servers and even workstations can be eliminated fairly rapidly. However, here, during the infection, many copies were created on diskette. These are difficult to identify and eradicate. If we are both diligent and lucky, we may find about half; the remainder are waiting to infect us again.

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

Date: Thu, 04 Mar 93 12:34:31 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: Sale of Viri

>From: Doug

This was addressed to Vesselin but since it appears to come from a source in the USA & reflects a viewpoint I hoped had disappeared in this country, I have some comments.

>You are simply mistaken, sir. Distributing virus code to those who want it
>is NOT a very wrong thing which should never be done. You are talking about
>censorship.
As far as I know, in the United States there are no laws against the sale or sharing of viruses between two consenting parties (am sure to be corrected if wrong), primarily since there is no consistent definition of what a virus is, and secondly they are not all proven to be bad (I have an opinion but that has nothing to do with the law).

Similarly, I have very strong views on a number of subjects (abortion is one) BUT do not feel that I have any right to impose those views on anyone else. One of those views is not to distribute viral code to anyone who I do not personally know is capable of proper handling. This is my prerogative.

> You are telling ME, and the rest of us, that we are not as knowledgeable
>about virus code as you are, therefore we may not have it, but you can.
>I don't like that.

Tough. What you are saying is that you think that you have a "right" to viral code. By whose grace? You are saying I do not have a right to my ethical and moral decision not to distribute it. What will you want next? The vulnerabilities that some of us have discussed privately (and thank heaven we have not seen yet). Sorry.

So you want to learn viruses. Viruses are just a special case of programming and if you really understand the architecture then how they work is self-evident. Probably you can find someone who will allow you to specialize before you are a generalist (am told that before Picasso would take on a student, he required the ability to paint a flower with photographic quality), but it will not be me.

Warmly,

Padgett

------------------------------

Date: Sun, 28 Feb 93 12:34:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Central Point Antivirus and Stacker (PC)

D_Gill@twu.edu writes:

> I use stacker, and recently have begun Internet, etc. I have Central
> Point Antivirus, but haven't installed it yet. Stacker manual warns
> against using some antivirus packages, but doesn't cite which not to
> use.
> Are Central Point Antivirus and Stacker compatible?

I wouldn't use Central Point AntiVirus, REGARDLESS of its stacker compatibility. I haven't seen even ONE version or release that didn't have a stupid bug, or nonsense written inside it.

Inbar Raz

- --
Inbar Raz     5 Henegev, Yavne 70600 ISRAEL.     Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's. (9:9721/210)

------------------------------

Date: Sun, 28 Feb 93 12:35:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: EXE/COM switch (PC)

> From: Peters@DOCKMASTER.NCSC.MIL (Donald G Peters)
> I will also leave it to an enterprising individual to
> determine whether COMMAND.COM will run if it is renamed
> to COMMAND.EXE (with the appropriate change to the COMSPEC
> variable in CONFIG.SYS). Personally, I doubt it, but
> perhaps a simple modification to the boot sector may make
> this possible. I think a utility in this regard would be
> very nice!

One reason why NOT to do it, is that a lot of programs issue a shell to dos by calling COMMAND.COM. They don't even bother looking for comspec.

Inbar Raz

- --
Inbar Raz     5 Henegev, Yavne 70600 ISRAEL.     Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's. (9:9721/210)

------------------------------

Date: Sun, 28 Feb 93 13:20:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: How can you recover a hard drive from joshi? (PC)

murray@andromeda.rutgers.edu (Murray Karstadt) Asks:

> Can a hard drive once its been attacked by joshi be recovered?

It depends. According to the description, it is not likely that the virus that infected you was necessarily Joshi, since this is a boot sector virus and will infect only if you boot from an infected floppy. This does not seem to be the case. It looks like your "old Anti Virus" had a false detection that caused it to CLEAN something that wasn't there.
The result is that the Master Boot Record of your Hard Disk was overwritten by rubbish. If you absolutely know what you are doing (or have nothing to lose), here's what you should try to do:

- - If your disk is an MS-DOS formatted disk, using DOS 3.XX or higher, and with no DISK-MANAGER driver included, just reboot the PC from a clean MS-DOS 5.0 floppy and run FDISK /MBR.

- - Reboot the PC; if it does not load, you will have to edit the partition table and set the correct parameters of Beginning / End location of your drive, rebooting after each attempt and checking if you have access to the disk. (Norton's DISKEDIT might get handy in this case).

A good solution could be if you have another disk of the same configuration: Read the Partition Table from it and Write it to the damaged disk's Partition Table.

Regards

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: 01 Mar 93 21:32:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: Re: PC Magazine reviews virus software (PC)

Quoting from Christopher Yoong-meng Wo to All About Re: PC Magazine reviews v on 02-28-93

CY> I am embarrassed. Some of you might jump on me for this, so I should
CY> clarify this before others do. I should have been more thorough with
CY> my reading before posting the above. The PC Magazine article does
CY> indeed review the McAfee products, under the name of "Pro-Scan", a
CY> commercial product. Also, F-prot's engine was present in 3 of the

McAfee's Pro Scan, and Virus Scan (Share ware) are two different products. McAfee's Pro Scan is also sold under two other names. Virus Cure (from I.M.S.I), and Virucide (from Parson's technology)

The latest revision that I have seen is 2.37. There may be a later one by now.
Bill

- ---
 * WinQwk 2.0 a#383 * DATACRIME II activates Oct 13 - Dec 31

------------------------------

Date: 01 Mar 93 21:26:00 +0000
From: bill.lambdin%acc1bbs@ssr.com (Bill Lambdin)
Subject: PC Magazine on Anti-Virus (PC)

Quoting from Joe.george@nd.edu to All About PC Magazine on Anti-Virus on 02-28-93

J > Do people in this group support Pc Mag's Editor's Choice Awards to
J > Central Point Anti-Virus and Norton's Anti-Virus? I thought the best
J > protection was McAfee's SCAN backed up by F-PROT or vice-versa.

I do NOT support PC-Magazine's Editors Choice. They may be accurate, and the tests appear to be thorough. If they had tested the 70 or 80 common viruses known to be in the wild, their tests would have been more valid.

I find it very hard to believe that there are more than 2,000 specimens known, and 70 or 80 common viruses known to be circulating in the wild, and they feel that 11 viruses are enough to use for testing purposes.

Bill

- ---
 * WinQwk 2.0 a#383 * VICTOR activates any Wednesday

------------------------------

Date: Thu, 04 Mar 93 09:14:54 -0500
From: RON MURRAY
Subject: Validate values for Vshield v102 (PC)

In Virus-L Digest V6 #37, aryeh@mcafee.com (McAfee Associates) writes:

[...]
> VALIDATE VALUES
[...]
> VSHIELD 5.22V102 (VSHIELD.EXE) S:45,724 D:02-27-93 M1: 06BB M2: 066C
                                                         ^^^^

The .doc file, and the results of running Validate on this file, both give a value of 06EB here. I assume it's just a typo, but perhaps Aryeh can confirm the correct value here, just in case I have a hacked copy?

.....Ron

***
Ron Murray
Internet: nmurrayr@cc.curtin.edu.au
"Women are like elephants to me -- I like to look at 'em, but I wouldn't want to own one." -- W. C. Fields

------------------------------

Date: Thu, 04 Mar 93 09:15:16 -0500
From: Y. Radai
Subject: Re: Unloading TSRs (was: scanners) (PC)

Inbar Raz writes:

>The problem with TSRs is, that as simple as they are to INSTALL resident, they
>are also easy to remove from memory.
>
>The moment a virus writer acquires your module, he can write a relatively
>small piece of code that will unload your TSR, without it knowing about it.
>A friend of mine once wrote an 80byte routine to unload Carmel's TSafe. I
>believe that after a little research, I could unload almost anything.

80 bytes? Your "friend" worked too hard. TSafe can be unloaded with just 8 bytes of code. But that's because Carmel's programmers supplied an interrupt handler for unloading TSafe. In general, you have to work a bit harder ....

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Thu, 04 Mar 93 10:35:45 -0500
From: "David M. Chess"
Subject: Re: Why only PC's?

>From: scott@shrug.dur.ac.uk (Scott A. McIntyre)
>I'm sure that there is also the technical side of how viruses work --
>on a Unix machine, unless a virus is executed as root, then the damage
>would be limited most likely to one user's files, and could quickly be
>found...processes without owners can be tracked down and so on.

I agree with most of the rest of this posting, but this paragraph misses the mark. Because viruses can spread from user to user whenever one user has write access to a program that another user has execute access to, a virus can spread to many users even in a system with access controls. If it then does some damage (on a certain date, say), it can damage the files of lots of users, even if none of them happen to be root. Viruses don't have to do any odd tricks like creating ownerless processes; all they have to do is read and write files. Fred Cohen did some early experiments in which a very simple virus spread within a Unix system without any trouble. PC viruses cause lots of distress, even though damage is in the same sense "limited... to one user's files"!
*8)

I think the reasons that we've not seen viruses in Unix environments is more cultural than technical: sharing patterns are very different, there's lots less exchange, a lower density of machines in homes, and so on, as you said earlier in your posting.

- - -- -
David M. Chess                  | "And like the clouds that turn to every
High Integrity Computing Lab    |  passing wind, we turn to any signal
IBM Watson Research             |  that comes through..." -- Eno/Cale

------------------------------

Date: Thu, 04 Mar 93 10:43:49 -0500
From: "David M. Chess"
Subject: re: Laws and Viruses

>From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
> From a legal standpoint it might be enough to define a virus
>as "a sequence of instructions that intentionally performs an unwanted
>and undocumented modification within a computing system for which it is
>intended."
> Possibly "malicious software" would be a better term but IMHO
>the word "computer virus" has passed beyond any hope of control.

Gak! I normally avoid terminology disputes like the plague, but why would we want to *codify* a loose popular usage of an otherwise-useful word? Do we *enjoy* confusion? What word are you going to use to talk about viruses (you know, those things that spread)?

I tend to think:

- We don't need laws against viruses at all, since the bad things about viruses isn't that they spread, but that they spread to (and otherwise exploit) systems belonging to people that don't want them. *That's* what ought to be illegal.

- We don't really need new laws against Trojan horses (including the Trojan horse aspects of viruses), because we already have laws to cover things like this in general. (We don't need specific laws against assault-with-tuna, because we have general laws against assault.)

- If someone does decide to write a law against Trojan horse things, it shouldn't use the word "virus" to mean Trojan horse. The reasons not to are obvious, and I can't think of any reasons to...
These are of course my own opinions, and not my employer's.

DC

------------------------------

Date: Thu, 04 Mar 93 10:54:34 -0500
From: "David M. Chess"
Subject: re: standardization (PC)

>From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
>I think there is already a naming scheme present.
>It goes like this:
>McAfee gets a virus, Releases the next VIRLIST.TXT, and
>everyone just uses it. If a new virus appears that is not
>there, a name is given to it according to its behaviour,
>and so on...

Oh, do I wish it were that simple! The main problems are:

- Say some authority says "we've found a new virus, its name is Blivet, and our scanner detects it as such". Now someone else finds a virus, and that scanner identifies it as "Blivet". Is it the same virus that the authority first reported? The only way to tell for sure is if that person has access to the original Blivet sample (and virus collections probably shouldn't be generally-available), or if someone has written a program that does precise identification of the virus. Writing such a program (or adding a description to an existing program) is quite a bit more work than just extracting a signature for a scanner, and there are some complex issues about avoiding spoofing. Does the user care whether or not he really has the same Blivet virus as was originally named? Yes! The new Blivet might have different behavior, requiring different clean-up, and the user *must* know that. "Cleaning up" a virus without knowing exactly what it does is a contradiction in terms.

- Naming viruses based on behavior isn't as easy as it sounds. Here's a brand-new virus. It goes resident, and infects any file that's executed. It has no payload. What do you call it? There are probably hundreds of viruses like that.

Naming continues to be a hard problem; a good name would be easy to remember, different from other names, and have something to do with what the virus does. It's generally impossible to do all three, though...
DC

------------------------------

Date: Thu, 04 Mar 93 18:27:48 +0000
From: cskahrs@sunvis1.vislab.olemiss.edu (John H. Kahrs)
Subject: Re: Virus Development Programs (PC)

sgt@lakes.trenton.sc.us (Sgt Rock) writes:

>I just picked up the March 16th 93 issue of PC Magazine and was quite
>interested in the article on antivirus software. It discussed some virus
>development programs: The Phalcon/Skism Mass-Produced Code Generator, the
>Virus Construction Set, and the Virus Construction Laboratory.
>These programs sound scary to me. Does anyone out there know anything
>about them? Where do they originate and are they available for general
>use or are they controlled as they should be?

The code created by these programs is shoddy at best. They weren't designed to create innovative viruses; there are a fixed number of possible viruses that can be created and ALL are based on existing models. I doubt that these programs are a threat at all. The people that know anything about coding viruses will never use them and the hateful people that just want to make a virus for malicious reasons aren't connected to the community that makes the virus construction kits available.

To be totally safe from these programs, all one has to do is create EVERY type of virus possible, and include them in scanning programs. I admit this is not a very practical solution, BUT I can't think of another way off the top of my head.

- -----------------------------------------------------------------------------
JJ Kahrs                       "Virtual Reality is like electronic LSD!"
Computer Science               -News Journalist
OleMiss                        "VR doesn't have as good a price/performance ratio."
jj@tacky.cs.olemiss.edu        -VR Researcher
cskahrs@sunvis1.vislab.olemiss.edu
- -----------------------------------------------------------------------------

------------------------------

Date: Thu, 04 Mar 93 18:21:23 +0000
From: blake@nevada.edu (Rawlin Blake)
Subject: Re: wordperfect virus? (PC)

GMS@PSUVM.PSU.EDU (Gerry Santoro - CAC/PSU 814-863-7896) writes:

>After scanning the past years worth of VIRUS-L offerings I've seen
>this question asked before, but with no reply. Since it has now hit
>at my institution I will ask it again in the hopes that someone knows
>what is happening.
>
>A number of our lab machines are exhibiting very strange WordPerfect
>behavior. For example, very small user documents are growing to
>extremely large size, until they fill up available disk space. Scans
>with F-PROT do not identify any known virus.
>
>Can anyone clue me into what is happening? In all cases the version
>of WP5.1 is being run from a read-only volume of a Banyan network
>server.

This one is easy, I see it all the time. The users are doing one of two things-- using shift-F10 and continually retrieving the file within itself, or are doing the same thing in F5 list files by ignoring the prompt "retrieve into current document?"

This is another example of what I teach in my classes and seminars. 99% of all virus reports are:

1. user error
2. software problems
3. hardware problems.

- ---
Rawlin Blake
blake@nevada.edu
No .sig is a good .sig

------------------------------

Date: 04 Mar 93 19:04:58 +0000
From: kerchen@k2.cs.ucdavis.edu (Paul Kerchen)
Subject: Re: Virus Development Programs

sgt@lakes.trenton.sc.us (Sgt Rock) writes:

>I just picked up the March 16th 93 issue of PC Magazine and was quite
>interested in the article on antivirus software. It discussed some virus
>development programs: The Phalcon/Skism Mass-Produced Code Generator, the

From the PC-MPC documentation:

The Phalcon/Skism Mass-Produced Code Generator is a tool which generates viral code according to user-designated specifications. The output is in Masm/Tasm-compatible Intel 8086 assembly and it is up to the user to assemble the output into working executable form.
The features of the PS-MPC include the following:

- Over 150 encryption techniques, randomly generated during each run of the PS-MPC
- Compact, commented code, much tighter than VCL
- COM/EXE infections
- Two types of traversals
- Optional infection of Command.Com
- Critical error handler support

>Virus Construction Set, and the Virus Construction Laboratory.

Don't know about VCS (isn't that an Atari thing?), but VCL came before PC-MPC and is similar (but with less features) to PC-MPC.

>about them? Where do they originate and are they available for general
>use or are they controlled as they should be?

Depends on what you mean by 'controlled'. VCL comes encrypted in a zip file that requires a password to unzip it. The 'bad guys' want to keep this toy to themselves. Other than that, though, all of these should be available at your local underground BBS (certainly VCL and PS-MPC are). So, I guess you could say there are no controls in the sense that you mean.

| "Disembodied gutteral noise need not make sense" |
| Paul Kerchen                                     |
| kerchen@cs.ucdavis.edu                           |

------------------------------

Date: Thu, 04 Mar 93 19:44:57 +0000
From: nmalde@hobbes.kzoo.edu (Nutan Malde)
Subject: Identification needed for a Virus Message (PC)

Recently one of our 486 machines displayed the following message:

    Infected!! There is a passkey to this virus. Enter the correct key word and the effects of the virus will cease.

When we issued the command to change directories it would append the word "Infected" to the directory path. It would not let us use the A or B drives. I ran the latest version of F-Prot and it reported no infections. Can anyone shed some light on which virus this could be? I deleted the command.com and copied a clean version of command.com and that seemed to get rid of the Infected message and we were able to use all our programs again which it wouldn't let us before. However, I am curious as to whether it is a virus or is someone changing stuff on our system?
Any help would be appreciated,

Thanks in advance

Nutan Malde
nmalde@kzoo.edu

- --
**************************************************************************
Nutan Malde                                         Kalamazoo College
Internet Address: nmalde@kzoo.edu
**************************************************************************

------------------------------

Date: Thu, 04 Mar 93 10:39:12 +0200
From: eugene@kamis.msk.su (Eugene V. Kaspersky)
Subject: Re: Effect of Form (PC)

> We have just discovered that we have been infected by a strain of
> FORM. We do, however, suffer from lack of information about the effects
> of the virus. The virus infects the boot sector and I just read that
> it activates on certain days of the month, but what is the actual
> action of the virus when it activates?

This is a very dangerous virus. It hits Boot-sector of floppy disks during an access to them and Boot-sector of the hard disk on a reboot from an infected floppy disk. The virus acts on the 24th of every month. It processes a dummy cycle while pressing on the keys. If you work with a hard disk, the data can be lost. The virus hooks int 9 and int 13h. It contains the text "The FORM-Virus sends greetings to everyone who's reading this text.FORM doesn't destroy data! Don't panic! Fuckings go to Corinne."

> This brings me to my next question: Is it possible to obtain a file
> somewhere giving a brief description of the action of various vira. I

How about 300K of ZIP ? :-)

> Another last question: Is there any information around about the virus
> TP4 (TP44)?

It's Yankee Doodle virus.

Regards,
Eugene

- --
- -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- -- eugene@kamis.msk.su +7 (095)499-1500

------------------------------

Date: Thu, 04 Mar 93 18:06:15 -0500
From: "Roger Riordan"
Subject: Removal of Michelangelo (PC)

imeslsl@trex.oscs.montana.edu (LEPRICAN~~~) writes:

> time. We tried McAfee v100, which would recognise the virus, but
> would not remove it from hard drives.
> It appears to be [Mich] when
> it is on a drive, but when it loads itself into memory, McAfee says
> it's [STONED].
> It seems to be easily removed from floppies, but the virus infects
> the partition table of hard drives, where McAfee cannot remove it.
> Does anyone have any suggestions on how to combat this virus?

It amazes me that anyone could still be unable to remove this virus. Our program VET will remove it (and all the other remotely common viruses) completely safely and almost automatically.

The original version (released in early 1989) put back the whole of the hidden boot sector and I occasionally got reports of cases where it had left a PC unbootable after removing Stoned. Eventually I was able to examine a case where this had happened, and worked out that dealers were booting from an infected master disk before partitioning the hard disk. This meant that the partition information in sector seven was no longer correct, and if you put it back you would be unable to access the hard disk. I promptly modified the program so it only puts back the partition info if it knows the virus overwrites it, and released a revised version in July 1989.

We discovered (and named) Michelangelo, and released a version of VET which dealt with it in February 1991.

Since 1989 our support staff have listened to hundreds of users remove Stoned, Michelangelo and sundry other boot sector viruses, and innumerable file viruses, and we can't remember any user reporting that VET had rendered a previously accessible hard disk inaccessible.

Although the dangers of putting back the whole of sector seven have been well known for at least two years (1.), Clean still does so, and still does not bother to check that sector seven is not itself infected. We have verified that both faults are still present in Clean 9.1V100.

Roger Riordan
Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

1. R.H.Riordan VET; a program to detect & remove computer viruses.
Proc 4th Annual Computer Virus & Security Conference. NY 1991 CYBEC Pty Ltd. Tel: +613 521 0655 PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727 ------------------------------ Date: Thu, 04 Mar 93 12:48:27 -0800 From: Richard W. Lefkon Subject: Financial firms open meeting Thursday on Trace Center recovery SIXTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE and Exposition sponsored by DPMA Fin.Ind.Chapter in cooperation with ACM-SIGSAC, BCS, CMA, COS, EDPAAph, ISSAny, NUInyla, IEEE Computer Society Box 894 Wall Street Station, NY NY 10268 (800) 835-2246 x190 FINANCIAL FIRMS OPEN MEETING THURSDAY ON TRADE CENTER RECOVERY -------------------------------------------------------------- To address the technical side of network and computer terrorism recovery while information systems personnel are interested, a special public forum of industry leaders has been scheduled for next Thursday March 11, entitled, "Trade Center Crisis Recovery." The in-depth panel will include eight industry representatives - from four affected financial firms that successfully resumed business after Friday's disaster, and four suppliers that helped them The panel will be housed in next week's Sixth International Computer Security & Virus Conference at the Madison Square Garden Ramada, co-sponsored by the eight computing and networking societies. With damage estimates already in the multi-billions, Sally Meglathery, Elec- tronic Security Head for the New York Stock Exchange and a scheduled panelist, warns financial data keepers: "Review [your] restart recovery procedures to be sure that you have adequate backup to recover from an attack." Other than state and federal offices, the main corporations inhabiting the famed skyscraper are indeed banks (First Boston, Sumitomo, Dai-ichi), brokers (Dean Witter, Shearson, Salomon, Mocatta and the Commodities Exchange) and insurance companies (Hartford and Guy Carpenter). Each type will send a representative, as will some service firms. 
William Houston, Eastern Region Head for Comdisco Data Recovery, notes that
"This is the second time in three years an electrical disaster has
completely shut down" the famed twin skyscraper. His firm helped rescue the
computer, networking and "back office" operations of two dozen downtown
firms in response to the August 13, 1990, electrical substation fire. "We
have some major customers in the Towers," notes Houston, "and while
preserving their anonymity I intend to plainly tell the Thursday audience
just what worked this time and what didn't."

Michael Gomoll, an executive with competitor CHI/COR Information
Management, says the terrorist act will have three key results: "Direct
loss of revenues, effects on global markets and businesses, and concerns of
the business insurance profession." Ironically, CHI/COR, a firm
specializing in disaster recovery, was itself assaulted by the crippling
Chicago flood of April 13, 1992. As part of his presentation, Gomoll
intends to explain how cable conduits played an important role in both
disasters.

Last fall, the conference now hosting this "Trade Center Crisis Recovery"
roundtable received what now seem prophetic words in its greeting from
Mayor David Dinkins: "As the telecommunications capital of the world . . .
we are also extraordinarily susceptible to the various abuses of this
technology."

Another irony has to do with the "Meet the Experts" reception at the Empire
State Building Observatory following the forum. In previous years, the
hosting conference has had its skyline reception at Top of The World,
located within the Trade Center. That spot will not open this month.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 40]
*****************************************
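Editor's addition, illustrating the boot-sector removal logic Roger Riordan describes in his "Removal of Michelangelo" post earlier in this digest: a remover should (a) check that the parked copy of the original sector is not itself infected before using it, and (b) put back only the boot code, keeping the partition table that is on the disk now, unless it knows the particular virus also overwrites the partition table. This is example code written for this edited page; it is not VET's or Clean's code and says nothing about either product beyond what Riordan's post states. The in-memory `Disk`, the scan string `VIRUS-MARK`, the boot-code bytes and both partition tables are constructed; only the saved-copy location (sector seven) comes from the post.

```python
from dataclasses import dataclass

SECTOR_SIZE = 512
PART_TABLE_OFF = 0x1BE      # four 16-byte partition entries start here
BOOT_SIG_OFF = 0x1FE        # 0x55 0xAA marks a valid boot sector
BOOT_SIG = b"\x55\xaa"


@dataclass(frozen=True)
class VirusProfile:
    """What a remover must know about one boot-sector virus."""
    name: str
    signature: bytes                # scan string found in the virus's code
    saved_copy_sector: int          # where it parked the original sector
    overwrites_partition_table: bool


# Hypothetical profile: the scan string is constructed; the saved-copy
# location (sector seven of track 0, head 0) is the one Riordan discusses.
STONED_LIKE = VirusProfile("Stoned-like (hypothetical)", b"VIRUS-MARK", 7, False)


class Disk:
    """Minimal in-memory disk: absolute sector number -> 512-byte image."""
    def __init__(self):
        self.sectors = {}

    def read(self, n):
        return self.sectors.get(n, bytes(SECTOR_SIZE))

    def write(self, n, data):
        assert len(data) == SECTOR_SIZE
        self.sectors[n] = bytes(data)


def make_boot_sector(boot_code, part_table):
    """Boot code + 64-byte partition table + 55AA, padded to 512 bytes."""
    code = boot_code.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
    return code + part_table.ljust(64, b"\x00")[:64] + BOOT_SIG


def partition_table(sector):
    return sector[PART_TABLE_OFF:BOOT_SIG_OFF]


def is_infected(sector, profile):
    # Scan only the code area; partition data may legitimately hold any bytes.
    return profile.signature in sector[:PART_TABLE_OFF]


def looks_like_boot_sector(sector):
    return len(sector) == SECTOR_SIZE and sector[BOOT_SIG_OFF:] == BOOT_SIG


def infect(disk, profile):
    """Simulated Stoned-style infection: park whatever is in sector 0 at the
    saved-copy sector, then install virus code but keep the live table."""
    current = disk.read(0)
    disk.write(profile.saved_copy_sector, current)
    disk.write(0, make_boot_sector(b"JMP " + profile.signature, partition_table(current)))


def repartition(disk, new_table):
    """What FDISK does: rewrite the partition table in sector 0, nothing else."""
    mbr = disk.read(0)
    disk.write(0, mbr[:PART_TABLE_OFF] + new_table.ljust(64, b"\x00")[:64] + BOOT_SIG)


def restore_whole_sector(disk, profile):
    """The behaviour Riordan criticises: copy sector seven back verbatim."""
    disk.write(0, disk.read(profile.saved_copy_sector))


def disinfect(disk, profile):
    """Careful removal: validate the saved copy first, and keep the partition
    table that is on the disk now unless this virus is known to clobber it."""
    mbr = disk.read(0)
    if not is_infected(mbr, profile):
        return "not infected"
    saved = disk.read(profile.saved_copy_sector)
    if is_infected(saved, profile):
        return "refused: saved copy is itself infected"
    if not looks_like_boot_sector(saved):
        return "refused: saved copy is not a boot sector"
    if profile.overwrites_partition_table:
        clean = saved
    else:
        clean = saved[:PART_TABLE_OFF] + partition_table(mbr) + BOOT_SIG
    disk.write(0, clean)
    return "restored"


OLD_TABLE = b"\x80" + b"\x00" * 63                   # constructed, pre-FDISK
NEW_TABLE = b"\x80\x01\x01\x00\x06" + b"\x00" * 59   # constructed, post-FDISK


def dealer_scenario(remover):
    """Riordan's case: infected master disk booted, hard disk partitioned
    afterwards, so sector seven holds a stale partition table.
    Returns (partition table now in sector 0, is sector 0 still infected)."""
    disk = Disk()
    disk.write(0, make_boot_sector(b"ORIGINAL-BOOT-CODE", OLD_TABLE))
    infect(disk, STONED_LIKE)
    repartition(disk, NEW_TABLE)
    remover(disk, STONED_LIKE)
    return partition_table(disk.read(0)), is_infected(disk.read(0), STONED_LIKE)


def infected_saved_copy_scenario():
    """Sector seven itself carries virus code (a second simulated infection
    pass parked the already-infected sector 0 over the clean copy)."""
    disk = Disk()
    disk.write(0, make_boot_sector(b"ORIGINAL-BOOT-CODE", OLD_TABLE))
    infect(disk, STONED_LIKE)
    infect(disk, STONED_LIKE)
    return disinfect(disk, STONED_LIKE), is_infected(disk.read(0), STONED_LIKE)
```

Running `dealer_scenario(disinfect)` leaves the post-FDISK table in place and the sector clean, while `dealer_scenario(restore_whole_sector)` also removes the virus but silently reinstates the pre-FDISK table, which is exactly the unbootable-PC outcome Riordan traced. `infected_saved_copy_scenario()` shows why the saved copy must be scanned too: an unchecked whole-sector copy would write the virus straight back into sector 0. A real tool reads and writes these sectors through int 13h rather than a dictionary, and the `overwrites_partition_table` flag has to be set per virus from analysis of that virus's code.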
