From lehigh.edu!virus-l Mon Mar 22 13:40:25 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Tue, 23 Mar 93 11:20:28 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA21542; Tue, 23 Mar 1993 01:39:18 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA33914 (5.67a/IDA-1.5 for ); Mon, 22 Mar 1993 18:40:25 -0500
Date: Mon, 22 Mar 1993 18:40:25 -0500
Message-Id: <9303222240.AA22669@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #45

VIRUS-L Digest   Monday, 22 Mar 1993   Volume 6 : Issue 45

Today's Topics:

Re: Laws and Viruses
F-Prot (PC)
PC-Mag (PC)
identification (PC)
partition table (PC)
Re: Michelangelo (PC)
standardization (PC)
PC Magazine on Anti-Virus (PC) and new ways of testing an A-V.
Help, Am I VIRUSED???? (PC)
LAT-9303 (PC)
Virus that infects while Scanning? (PC)
Virus found on PCs - WARNING (PC)
How do you recover from a Michelangelo attack? (PC)
Effect of Form (PC)
EXE/COM switch (PC)
scanners. (PC)
VS for Pathwork (tm) (VMS)
Michelangelo protection (CVP)
March 1992 and the media

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Fri, 12 Mar 93 05:12:12 +0000
From: curry@sctc.com (Russ Curry)
Subject: Re: Laws and Viruses

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:

> For some time now we have been concerned about a "textbook"
> definition of viruses, perhaps it is time to discuss a legal one
> (obviously it is difficult to pass a law against something that is
> not defined):
> From a legal standpoint it might be enough to define a virus
> as "a sequence of instructions that intentionally performs an unwanted
> and undocumented modification within a computing system for which it is
> intended."

Hmm, how about an application program which creates a data file that isn't explicitly declared in the documentation? I think everyone has seen one such program at some point in time. If I didn't want that data file to be created on my hard drive, does that ("unwanted" and "undocumented") function classify this application program as a virus?

Subsequently, any shell script I create that modifies files in my working area can be called a virus, since my system administrator may not always be aware of everything I am doing. That script may be making "unwanted" and "undocumented" modifications to a computer system that I do not own and am not in control of.

> Finally, keep in mind that the current discussion is limited to *criminal*
> actions and not civil (damages) ones. Two entirely different things in the US.

Not to be sniping, but I think that somebody can find a better classification of a virus. We all know how perverse the legal system can get at times; something like that description would turn into an incredible farce, IMO.

Off to see the wizard,
R Curry.
(These opinions are my own. Like I'd use someone else's?)

------------------------------

Date: Thu, 11 Mar 93 18:52:38 -0500
From: bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: F-Prot (PC)

KT> Don't know 'bout CPAV, though -- I've never tried it. Why pay such a
KT> amount of money, when I can get a product which I consider superior f
KT> free?

In my tests, F-Prot always ranks at or near the top. I like F-Prot because it is very good at telling the user specifically which virus happens to be present. Some scanners rank all variants under the same name. This may be OK for some viruses, but some variants can be destructive, like the 1704 Format. If I have that virus on my hard drive, I want to kill all specimens ASAP before it tries to format my hard drive.

Bill

- ---
 * WinQwk 2.0 a#383 * MIGRAM activates any Saturday
- ----
+----------------------------------------------------------------------+
+ The French Connection - 206/283-6453 - 206/771-1730 - 6.5g online    +
+ It takes only 11 seconds to get loaded on the French Connection!      +
+----------------------------------------------------------------------+

------------------------------

Date: Thu, 11 Mar 93 18:52:36 -0500
From: bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: PC-Mag (PC)

FC> Date: Mon, 08 Mar 93 10:03:09 -0500
FC> From: fc@noether.duq.edu (Fred Cohen)
FC> Subject: Product reviews in magazines
FC>
FC> When will you guys figure out that the PC magazine reviews of
FC> antivirus products favored those who spend a lot of money advertising
FC> These magazines don't want to offend their advertisers, they exist to

I know this, but it isn't fair. Anti-viral products should be tested fairly, but testing against 11 viruses that are all at least 1.5 years old. I hope that they perform better tests next time, or not produce tests at all.

Bill

- ---
 * WinQwk 2.0 a#383 * Hacked versions of X00 fossil. 1.3, & 1.3J
- ----

------------------------------

Date: Thu, 11 Mar 93 18:53:01 -0500
From: bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: identification (PC)

0> Another reason for using a standard. Without a standard and careful
0> a potentially harmful variant can get mis-identified as a less harmfu
0> parent virus, take Stoned and Michelangelo for instance.

Let me give you a better example. Cascade, and Cascade 1704 Format.

Bill

- ---
 * WinQwk 2.0 a#383 * Are computer viruses myth or reality?
- ----

------------------------------

Date: Thu, 11 Mar 93 18:53:03 -0500
From: bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: partition table (PC)

SL> level format the harddisc (IDE). I was always under the impression
SL> that a high level format from a clean , booted floppy would be enough
SL> but this is apparently not so.

Most boot sector viruses hide in the boot sector of floppies, but on hard drives, they hide in the partition table. The partition table is never touched by a format. A fair way to get rid of boot sector viruses without using AV software or low level formatting the hard drive is to boot clean from a DOS 5.0 bootable diskette, then issue the following command.

FDISK/MBR.

Hope this helps.
Bill

- ---
 * WinQwk 2.0 a#383 * CHRISTMAS TREE activates Dec 24 - Jan 1
- ----

------------------------------

Date: Thu, 11 Mar 93 23:10:50 +0000
From: hiscrp@nuscc.nus.sg (C R Pennell)
Subject: Re: Michelangelo (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
:
: BTW, I am very curious how many Michelangelo hits have happened this
: year...

Well, we had quite a little crop in Singapore this year, which according to the Straits Times (which is often wildly inaccurate about virus attacks) hit car dealers in particular. I know I shouldn't feel this way, but if there HAVE to be viruses, car dealers seem a suitable victim! The point about Singapore is that public offices work on a Saturday morning, and the car dealers were using a computerised bidding system to submit last-minute applications for licences. Do you want more details? I could scan you the article, perhaps.

Richard Pennell
History
NUS

------------------------------

Date: Mon, 08 Mar 93 13:32:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: standardization (PC)
To: chess@watson.ibm.com (David M. Chess)

You quote me:

>>From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
>>I think there is already a naming scheme present.
>>It goes like this: McAfee gets a virus, Releases the next
>>VIRLIST.TXT, and everyone just uses it. If a new virus
>>appears that is not there, a name is given to it according
>>to its behaviour, and so on...

That was a cynical remark made by me, but it has a good resemblance to the true scenarios.

> Oh, do I wish it were that simple!

Me too.

> The main problems are:

Only 2 ?
> - Say some authority says "we've found a new virus, its
> name is Blivet, and our scanner detects it as such".
> Now someone else finds a virus, and that scanner identifies
> it as "Blivet". Is it the same virus that the authority
> first reported? The only way to tell for sure is if
> that person has access to the original Blivet sample
> (and virus collections probably shouldn't be
> generally-available), or if someone has written a
> program that does precise identification of the virus.
> Writing such a program (or adding a description to an
> existing program) is quite a bit more work than just
> extracting a signature for a scanner, and there are
> some complex issues about avoiding spoofing.
> Does the user care whether or not he really has
> the same Blivet virus as was originally named?
> Yes!

And I say, NO! As long as the scanner that calls it Blivet is capable of making the distinction between variants of the virus, and cleaning it correctly (as I also said in my partly-quoted-by-you article). The information is of no use to the user if the virus is variant Vir.11.a234.5-A or Vir.234.87.1-D/45 of it (by any relationship tree that you can invent).

> The new Blivet might have different behavior,
> requiring different clean-up, and the user *must*
> know that. "Cleaning up" a virus without knowing
> exactly what it does is a contradiction in terms.

Is this action considered user responsibility? If so, it's a bad attitude. You cannot consider all users as capable of making the decision.

> - Naming viruses based on behavior isn't as easy as
> it sounds.

You tell me, I do it all the time. I only don't bother sending it to Patricia Hoffman due to the endless conversations that you can read in Virnet about that issue.

> Here's a brand-new virus. It goes
> resident, and infects any file that's executed. It
> has no payload. What do you call it? There are
> probably hundreds of viruses like that.
> Naming
> continues to be a hard problem; a good name would
> be easy to remember, different from other names,
> and have something to do with what the virus does.
> It's generally impossible to do all three, though...

Well, the answer to this is easy too. Did you hear of the 1963, 1049, 1260, 1530, 1677, 757, 903, 1024 (do I have to write more?) viruses? Not all viruses have a name attached to them. Especially the kind that has no specific behaviour. Those will usually get their "size name".

Warmly

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Mon, 08 Mar 93 13:02:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: PC Magazine on Anti-Virus (PC) and new ways of testing an A-V.

Hello everyone.

Regarding the PC-Magazine's article and Editors Choice. Well, you know what they say:

"BENCHMARKS DO NOT LIE... LIARS MAKE BENCHMARKS!"

Bill Lambdin writes:

> If they had tested the 70 or 80 common viruses known
> to be in the wild, their tests would have been more valid.

Don't you think it's about time that these kinds of tests should expire? Is it a wise idea to test modern Anti-Viruses with the oldest test in the book? Is it still a valid test?

> I find it very hard to believe that there are more than 2,000
> specimens known, and 70 or 80 common viruses known to be
> circulating in the wild, and they feel that 11 viruses are
> enough to use for testing purposes.

Believe it, there are more. As for the 70 or 80 common ones, it could be even less, but the point is that if you are a user, and you are infected by the 1% that is not on the celebrity list, you will still have a 100% major problem on your hands. That's maybe the reason why the test is not valid. 8-)

Besides, these 11 common viruses may represent the status in the USA, but definitely not in any other country, since viruses spread differently in various countries.
For example: DIR-2 and 1963 are the most widely spread in Israel at the moment, but no one (almost) has seen them in France or Germany. Therefore the benchmark made by PC-Mag has no real meaning in most countries of the world, except commercial. I think it's time to establish a new way of testing an Anti Virus, and I'm calling all of you, virus researchers, to initiate the process.

Regards

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Fri, 12 Mar 93 15:35:06 +0000
From: vic@astro.ocis.temple.edu (Victor Kasacavage)
Subject: Help, Am I VIRUSED???? (PC)

Yesterday, our fileserver crashed. Some of the files on the server were corrupted when we tried to access them today. I tried restoring the files from a backup tape, and in the process of scanning the tape I got an error opening some files and had to quit the restore. After exiting, the message below appeared on my monitor:

Invali busted jail and I'm gone forame = xas, busted jail andted man in Texas,

We have a program running on the Novell 3.11 fileserver called LanProtect v1.5 from Intel. It constantly scans incoming and outgoing files on the network. We are using virus pattern lrx$rpn.022 and have had no problems with this program. If this message is from a virus, I need to know, because I just scanned the fileserver and my hard drive and both came up clean. We are using this program all over campus and would hate to see someone else's files get corrupted.

Please respond to: vic@astro.ocis.temple.edu

Thanks in advance.
- ----------------------------------------------------------------
Victor Kasacavage            vic@astro.ocis.temple.edu
Lan Technical Consultant     Temple University
- ----------------------------------------------------------------

------------------------------

Date: Fri, 12 Mar 93 17:37:14 -0500
From: bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: LAT-9303 (PC)

LAT 9303

+--------------------------------------------------------------+
| Product                  | Total | Detected | Ratio  | Flags |
+--------------------------------------------------------------+
| F-Prot 2.07              |  841  |   836    | 99.4%  |  S    |
| Virus Net 2.06B          |  841  |   835    | 99.3%  |  C    |
| VIRx 2.6D                |  841  |   813    | 96.7%  |  S    |
|                          |       |          |        |       |
| TBAV 5.04 VSIG9301       |  841  |   812    | 96.6%  |  S    |
| Scan 102                 |  841  |   810    | 96.3%  |  S    |
| Dr Sol A-V toolkit 6.04  |  841  |   796    | 94.6%  |  C    |
|                          |       |          |        |       |
| IM-141A                  |  811  |   751    | 92.6%  |  DGS  |
| UT Scan 25.1             |  811  |   749    | 92.4%  |  CDG  |
| SD Scan 1.0              |  811  |   747    | 92.1%  |  CD   |
+--------------------------------------------------------------+

C - Commercial software
D - This product does not scan for boot sector viruses inside droppers. I tried to be fair.
G - Generic virus detector. The other utilities with this product may detect viruses that this scanner misses, so don't judge this product too harshly because the scanner isn't as effective as you would like.
S - Shareware or freeware product.

I removed the following products from the LAT report.

PC-Scan        Unable to get the new signature update
Win-RX         Getting old
Virucide 2.37  Unable to get the new update.

========================================================================

I have tested the following generic products, and recommend them.

Victor Charlie     (Bangkok Security Associates)
PC-Rx              (Trend Micro Devices)
Untouchable        (Fifth Generation Systems)
Integrity Master   (Stiller Research)
PC-cillin          (Trend Micro Devices)

========================================================================

I would like to thank most of these companies for providing me with evaluation copies of their software to test.
========================================================================

These tests were performed on a 33 MHz 486.

Bill Lambdin
P.O. Box 577
East Bernstadt, Ky. 40729

- ---
 * WinQwk 2.0 a#383 * McAfee voice support (408) 988-3832
- ----

------------------------------

Date: Fri, 12 Mar 93 23:38:53 +0000
From: rkolter@csuohio.edu (Ryan Kolter)
Subject: Virus that infects while Scanning? (PC)

Please do not get alarmed by this. This is not rumormongering, but is a serious question. I do not know if this virus exists, and for this reason I am asking about it.

A friend of mine recently (a few months ago) told me about what appeared to be a computer virus his machine had caught that (in some manner) appeared to infect the files of his hard disk just after they were scanned. His claim was that it dodged the scan by taking itself out of memory during the memory check (McAfee) and then reloaded into memory and removed itself from the infected file during the scan of that file. After that, it would infect every .exe that was scanned. Thus the process of scanning actually infected the whole drive.

I don't know if there is a virus out there that does this. Is there? If so, is there a way to protect against it? He said that McAfee didn't pick it up. (I don't know what version he used.)

Sorry for being vague, and also sorry for wasting your time if this virus doesn't exist. But... does it?

- --Hills

------------------------------

Date: Sat, 13 Mar 93 11:20:16 +0000
From: paul_r@bruny.cc.utas.edu.au (Paul Roberts)
Subject: Virus found on PCs - WARNING (PC)

A virus has been discovered on one of the Computing Centre PCs.
The virus is no longer on any machine in the Computing Centre, but the virus is believed to have been there for a number of weeks. The virus infects both .exe and .com files. It is a nondestructive virus. It can be detected by using the following string in F-Prot:

"b8969633db8Ec3bb8400"

A disinfectant is being written and will be available when it is finished in a few days.

Paul.

- --
| Paul Roberts   Keeper of Queen Lore      snail mail : 55 Tara Drive, Lauderdale |
| Student at University of Tasmania                      Tasmania, Australia 7021 |
| e-mail : paul_r@bruny.cc.utas.edu.au     Phone +61 02 487370 (International)    |
|          paul_r@postoffice.utas.edu.au         002 487370 (Australia)           |

------------------------------

Date: 14 Mar 93 01:32:28 +0000
From: acw@calmasd.Prime.COM (Alan Wilson)
Subject: How do you recover from a Michelangelo attack? (PC)

I've learned from my son that many of his high-schoolmates here have had their IBM/PC hard disks corrupted due to the Michelangelo virus' recent activation. Please send any techniques on how to recover a corrupted disk and I'll pass them along via my son. This would be greatly appreciated.

Alan Wilson
acw@calmasd.prime.com

------------------------------

Date: Mon, 08 Mar 93 11:51:05 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Effect of Form (PC)

Hi Eugene!

Your info about the FORM virus has been correct, I guess, except for this line:

> If you work with a hard disk, the data can be lost.

How? FORM does not write data to the hard disk, except for its viral code to the active DOS boot sector and that boot sector to another unused sector.

cu!
eppi

- ---
GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date: Mon, 08 Mar 93 11:04:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: EXE/COM switch (PC)

> From: antkow@eclipse.sheridanc.on.ca (Chris Antkow)
> The fact of the matter is, that any resident virus that monitors
> function 4Bh, subfunction 00h (Int 21h) WILL be able to infect a file,
> even if the extension has been renamed... (Provided the virus is written
> "correctly"... Gack).
> Whenever a file is executed, it is immediately passed to AX,4B00h/INT
> 21h. The rest is at the mercy of the viral code... If the file can't be
> executed, then it's never passed to AX,4B00h/INT 21h...
> (Someone correct me if I'm wrong...)

Well, you shouldn't go as specific as sub-function 00h. Viruses also monitor service 03h and undocumented 01h that are used to load overlays. 04B is general enough.

Inbar Raz

- - --
Inbar Raz    5 Henegev, Yavne 70600 ISRAEL.    Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's. (9:9721/210)

------------------------------

Date: Mon, 08 Mar 93 11:14:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: scanners. (PC)

Malte Eppert writes:

>> Making CRC checks from a BOOTING FLOPPY will also catch ANY
>> virus, provided it hasn't infected your floppy yet.

> Sorry, it won't. It will catch any modification, that's true. But if you
> get infected with a slow virus, the user just would regard the change as
> legitimate. Then, Vesselin introduced the idea of a DOS file
> fragmentation attack. You could not detect that with a file-oriented CRC
> checker, too.

Look. In order for a virus to infect a file it must either add itself to the file, or overwrite or replace the first file's cluster (known methods of infection, correct me if I'm missing anything). If you run a CRC check DAILY, you WILL locate these changes.
What you're saying is true only if I had let my system get infected, and only THEN, after the viruses had already started to activate, I ran the tests. If you run this test daily and consistently, I think it might come out quite effective.

> Unloading is a problem if the TSR is not the last one in the TSR chain.

By unloading, I don't mean removing from memory. I mean disabling - i.e. making as if the thing was never loaded, and therefore whatever protection it was supplying does not exist anymore.

> How do you get your system straight if you remove a TSR out of the
> middle of the chain - is there a method?

I once started a thread about this in the FidoNet 80XXX folder. We had some pretty good ideas there, and I had something that would free all memory used by the program, minus 5 bytes per each interrupt you are hooking. If you wish to get more information about this, netmail me on any of the addresses in my signature.

Inbar Raz

- - --
Inbar Raz    5 Henegev, Yavne 70600 ISRAEL.    Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's. (9:9721/210)

------------------------------

Date: Sat, 13 Mar 93 13:32:38 -0500
From: HAYES@urvax.urich.edu
Subject: VS for Pathwork (tm) (VMS)

Hello. Just to announce the availability of John Burke's Virus Scanner (VS) for Pathwork.

Please note:

IMPORTANT: This site has "prime-time" from 10:00 to 22:00. Please do not initiate any file transfers during this period (all times EST).

The files in this directory are provided "as-is." They are supplied as a public service, and the University of Richmond has not checked, used, or recommended them. If you do use them please contact the author. Neither University Computing nor this user is responsible in case of problems occurring after using these programs. Neither University Computing nor this user will support these programs.
===========

Directory content (03/13/93): [ANONYMOUS.MSDOS.ANTIVIRUS.VMS]

- -----------------

This directory contains John Burke's "Virus Scanner (VS)" for Pathworks.

Suggested retrieval: get VS040.COVER and VS040.INSTALL (ASCII files) and see if you want the rest. If so, get LZDCMP.EXE and VS040.A_LZ in binary mode and:

$ LZDCMP == "$SYS$DISK:[]LZDCMP"    ! set up LZDCMP as a "foreign image"
$ LZDCMP VS040.A_LZ VS040.A         ! decompress and restore attributes

LZDCMP.EXE;2       194   decompression program (from old decus tape)
VS040.A_LZ;1       286   compressed version of original distribution
VS040.COVER;1        5   original cover letter from author
VS040.INSTALL;1     85   original installation letter from author

Size is in "blocks" of 1/2 K (512 bytes) each.

Please remember also that you need some _privileges_ to install this program. It is NOT for the end user...

Many thanks to John Lundin Jr., our site manager, for the help he provided when dealing with this program.

=====

Site: urvax.urich.edu, [141.166.36.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus.vms]

FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus.vms to enter the directory where these files reside.

===

Best, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes      HAYES @ URVAX              (Vanilla BITNET)
University of Richmond    hayes@urvax.urich.edu      (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date: 11 Mar 93 18:01:00 -0600
From: "Rob Slade"
Subject: Michelangelo protection (CVP)

HISVIRY.CVP   930210

                    Michelangelo protection

A number of suggestions were made during early 1992 as to how to deal with Michelangelo. Since so very many antiviral programs, commercial, shareware and freeware, identified the virus, it was odd the lengths that people were willing to go to in order to avoid this obvious step.
The "computer expert" in one of our local papers wrote an article on Michelangelo for his weekly column. It was packed with errors, and he was roundly chastised by many people. A large contingent of his detractors were local BBS sysops who urged him to simply get one of the shareware scanners and make certain. His response, the next week, was to publish a column stating that no self respecting business would be caught dead with a modem.

Among the other recommendations of the high and mighty:

Backups - *always* a good idea. And, given that Michelangelo is a boot sector infector, it wouldn't be able to "store" on a tape backup. On diskettes it would. Even worse, many popular backup programs use proprietary "non-DOS" disk formats for reasons of speed and additional storage. These, if "infected" by Michelangelo, would become unusable.

Change computer clock - if Michelangelo was set to go off on March 6, just make sure March 6 never happened. Part of the trouble with this was that many people did not understand the difference between the MS-DOS clock and the "system" clock read by interrupt 1Ah. The MS-DOS DATE command did not always alter the system clock. Certain network connected machines also have "time server" functions, so that the date would be reset to conform to the network. Finally, 1992 was a leap year, and many "clocks" did not deal with it properly. Thus, for many computers, "March 6" came on the Thursday, not Friday. (An even sillier suggestion was to "test" for Michelangelo by setting the date to March 6 and then rebooting the computer. This is known as "Michelangelo roulette".)

OS/2, Novell or UNIX boxes - Michelangelo is widely perceived as an MS-DOS virus. This is not quite correct. It is, rather, a BIOS virus. It can "infect" Intel CPU BIOS/ISA compatible machines, although many will no longer run after the infection.

Stay off modems - neither the master/partition boot record nor the boot sector are identifiable files under MS-DOS.
Therefore, neither can be transmitted as files over a modem or bulletin board by the average user. Although "dropper" programs are theoretically possible, if they exist at all they are extremely rare. The danger of getting a Michelangelo infection from a BBS is therefore so small that for all practical purposes it does not exist. The prohibition against bulletin boards merely cuts you off from a major source of advice and utility software.

copyright Robert M. Slade, 1992   HISVIRY.CVP   930210

==============
Vancouver      ROBERTS@decus.ca     | Omne ignotum pro magnifico.
Institute for  Robert_Slade@sfu.ca  |  - Anything little known
Research into  rslade@cue.bc.ca     |    is assumed to be
User           p1@CyberStore.ca     |    wonderful.
Security       Canada V7K 2G6       |  - Tacitus

------------------------------

Date: 11 Mar 93 18:10:00 -0600
From: "Rob Slade"
Subject: March 1992 and the media

HISVIRZ.CVP   930210

              Michelangelo - March 1992 and Media

In the fall of 1989, there was a large amount of media attention given to two Jerusalem variants, Datacrime and "Columbus Day". The promotion appeared to be instigated by a particular antiviral service vendor. It turned out that these viri had far less distribution than was being claimed. I suspect that the media has had a distrust of "virus hype" stemming from this date.

However, the epidemic of Michelangelo in the spring of 1992 could not be denied. Vendors were making unsubstantiated claims for the numbers of infections which, in retrospect, turn out to have been surprisingly accurate. More importantly, the research community as a whole were seeing large numbers of infections. The public was seeing them as well, since no less than thirteen companies shipped commercial products which turned out to be infected with the Michelangelo virus.

"Instant experts" arose to fill the need for press releases, confusing Michelangelo with every other virus that ever put a message on a screen.
(One such "consultant" called a researcher for a "professional courtesy consultation" -- to ask what a "boot sector" was.) Accounting firms (why are accountants supposed to be so "computerate"?) trumpeted the injunction not to call bulletin boards, heedless of the fact that BSIs don't *spread* via modem. The media darlings, of course, took full advantage, but even I had twenty seconds of my fifteen minutes of fame used up on the tube. (But who got his picture in the paper? My brother, who did not *believe* in viral programs, to whom I had given a copy of a scanner, and who found the computer in his church to be infected -- at 11:50 pm on March 5.)

(Two producers of commercial antiviral programs released crippled "freeware" versions of their scanners. These I view with some disfavour. The programs *did* briefly mention that they only checked for Michelangelo, but certainly gave users the impression that they were checking the whole system.)

Because of the media attention, a number of checks were made that would have been done otherwise. Hundreds, even thousands, of copies of Michelangelo were found in single institutions. Infection rates ranged from one per thousand to 25% and more in some parts of Europe. Some reports, such as the infection of an entire network of pharmacy computers in South Africa, were later found to be spurious, but estimates of millions of copies had a sound basis. (There were no reports of Michelangelo detected in Japan beforehand, but a small number of computers were wiped out on the Friday. This is particularly interesting in view of the fact that MITI had been loudly proclaiming that Michelangelo would not be a problem in Japan.)

Having found, and removed, a great many copies, the number of "hits" on March 6 was not spectacular. Hundreds, and perhaps thousands, of machines were struck, but the damage was nothing as great as it might have been.
Predictably, perhaps, media reports on March 6 started to dismiss the Michelangelo scare as another overhyped rumour, completely missing the reality of what had transpired.

copyright Robert M. Slade, 1992   HISVIRZ.CVP   930210

==============
Vancouver      ROBERTS@decus.ca     | Slade's Law of Computer
Institute for  Robert_Slade@sfu.ca  | Literacy:
Research into  rslade@cue.bc.ca     |  - There is no such thing
User           p1@CyberStore.ca     |    as "computer illiteracy";
Security       Canada V7K 2G6       |    only illiteracy itself.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 45]
*****************************************
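Editor's worked example. Bill Lambdin's "partition table (PC)" message earlier in this digest recommends booting clean from a DOS 5.0 diskette and running FDISK /MBR to evict a boot sector virus from a hard disk. What that (undocumented) switch does is rewrite the 446 bytes of loader code at the start of the master boot record and leave the 64-byte partition table and the 55AAh signature alone; that is exactly why it removes a Stoned- or Michelangelo-style loader, and also why it cannot help when the virus has damaged the partition table itself. The Python script below is added here as an illustration; it is not code from the digest or from any of its contributors. It parses an MBR, simulates the rewrite, and shows that the partition entries survive it while a marker in the loader area does not. The loader bytes, the marker standing in for viral code and the single partition entry are all constructed sample data, none of it real virus code.

```python
"""Added example: parse a 512-byte master boot record (MBR) and simulate
what the undocumented MS-DOS 5 command FDISK /MBR does, namely rewrite
the 446-byte loader that a partition-table virus such as Stoned or
Michelangelo replaces, while leaving the partition table and the 55AAh
signature as they are.  All sector contents below are constructed sample
data; none of it is real viral code."""

import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445: the loader a boot virus overwrites
PT_OFFSET = 446                 # bytes 446..509: four 16-byte partition entries
PT_ENTRY_SIZE = 16
SIG_OFFSET = 510                # bytes 510..511: boot signature 55h AAh
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass(frozen=True)
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> list:
    """Return the four partition entries, or raise if the sector is not a usable MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    if sector[SIG_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55AA missing: not a usable MBR")
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack(
            "<8BII", sector[off:off + PT_ENTRY_SIZE])
        if status not in (0x00, 0x80):
            raise ValueError("entry %d has invalid status byte %02x" % (i, status))
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def rewrite_boot_code(sector: bytes, clean_loader: bytes) -> bytes:
    """Simulate FDISK /MBR: new loader, untouched partition table and signature.

    Note what this does NOT do: if the virus damaged the partition table or
    the signature, the sector is refused rather than "repaired"; that case
    needs the original sector (or a reconstruction), not a loader rewrite."""
    if len(clean_loader) > BOOT_CODE_SIZE:
        raise ValueError("loader must fit in %d bytes" % BOOT_CODE_SIZE)
    parse_partition_table(sector)          # validates signature and entries first
    return clean_loader.ljust(BOOT_CODE_SIZE, b"\x00") + sector[PT_OFFSET:]


def find_in_boot_code(sector: bytes, pattern: bytes) -> int:
    """Offset of a known byte pattern inside the loader area, or -1.
    Same idea as a scanner search string, restricted to sector 0."""
    return sector[:BOOT_CODE_SIZE].find(pattern)


def make_entry(bootable: bool, type_id: int, lba_start: int, count: int) -> bytes:
    # CHS fields are zeroed for brevity (constructed data); the LBA fields are what we check.
    return struct.pack("<8BII", 0x80 if bootable else 0x00, 0, 0, 0,
                       type_id, 0, 0, 0, lba_start, count)


# Constructed sample data -------------------------------------------------
# DOS-style loader prologue: cli / xor ax,ax / mov ss,ax / mov sp,7C00h / mov si,ax
CLEAN_LOADER = bytes.fromhex("fa33c08ed0bc007c8bf0")
# Stand-in for viral loader code: a short jump followed by a made-up marker (hypothetical).
FAKE_VIRUS_MARKER = bytes.fromhex("deadbeef")
INFECTED_LOADER = bytes.fromhex("eb1c90") + FAKE_VIRUS_MARKER
# One bootable FAT16 (type 06h) partition starting at LBA 63, three empty slots.
SAMPLE_TABLE = make_entry(True, 0x06, 63, 204737) + b"\x00" * (3 * PT_ENTRY_SIZE)


def build_mbr(loader: bytes, table: bytes = SAMPLE_TABLE) -> bytes:
    return loader.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE


def demo() -> dict:
    infected = build_mbr(INFECTED_LOADER)
    cleaned = rewrite_boot_code(infected, CLEAN_LOADER)
    return {
        "marker_before": find_in_boot_code(infected, FAKE_VIRUS_MARKER),
        "marker_after": find_in_boot_code(cleaned, FAKE_VIRUS_MARKER),
        "table_preserved": parse_partition_table(infected) == parse_partition_table(cleaned),
        "first_partition": parse_partition_table(cleaned)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Running the script shows the marker present at offset 3 of the infected sector, absent after the rewrite, and the partition entry (bootable, type 06h, LBA 63) identical before and after. Feeding `rewrite_boot_code` a sector without the 55AAh signature raises rather than writing anything, which is the behaviour a practitioner wants from a tool that is about to overwrite sector 0: a virus that has trashed the partition table needs a restore of the original sector, not a loader rewrite.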