From lehigh.edu!virus-l Wed Mar 24 14:50:59 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Thu, 25 Mar 93 06:57:26 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2) id AA17227; Thu, 25 Mar 1993 04:02:16 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AB27013 (5.67a/IDA-1.5 for ); Wed, 24 Mar 1993 19:50:59 -0500
Date: Wed, 24 Mar 1993 19:50:59 -0500
Message-Id: <9303242320.AA26771@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #47

VIRUS-L Digest   Wednesday, 24 Mar 1993    Volume 6 : Issue 47

Today's Topics:

Scanners getting bigger and slower
Scanners getting bigger and slower
bill.lamdin misquoted don.peters
Privacy matters vs. Virus-related (All)
Swap-boot virus (PC)
scanners. (PC)
scanners. (PC)
Re: Virstop under windows (PC)
New (?) 2294 virus ? (PC)
Michelangelo Virus - do I have it? (PC)
WordPerfect virus may be BUG (PC)
Re: F-PROT 2.07 and Windows not compatible? (PC)
Why are McAfee's reportfile-output and screen-output different? (PC)
standardization (PC)
Re: Signitures (PC)
Re: standardization (PC)
Re: Date triggered virus (PC)
Re: EXE/COM switch (PC)
Info Needed (PC)
Strange occurances on Mar 6. (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.org or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date: Fri, 12 Mar 93 08:06:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

frisk@complex.is (Fridrik Skulason) writes:

>>Instead of having one big huge turtle speed scanner, you would have, say, 4
>>scanners.

> So what ? Remember - for any decent scanner the speed does (almost) not
> depend on the number of viruses. Creating 4 scanners will simply mean
> that the time will increase by a factor of 4, if you ran them all - and any
> one of them would be of the same speed as the original one.

The whole point of having more than one scanner, is that there is a considerable amount of viruses which are considered rare, or extinct, whose chances of infecting you are unreal. Therefore, scanning for them is less likely to be needed.

On the other hand, there are some viruses which are very common, such as Mich, Jerusalem or even 4096. Scanning for them should be done more frequently.

> Remember, not all scanners are turtles...

I was predicting a future situation. Perhaps today not, but in the future, if viruses keep multiplying like they do, soon enough all anti-viruses will have to be written for protected mode, otherwise there wouldn't be enough memory for all virus information, or speed :-)

Inbar Raz
- - --
Inbar Raz    5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210    nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's.
(9:9721/210)

------------------------------

Date: Fri, 12 Mar 93 08:09:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>> Thus, you would use them in different frequencies, and each would run
>> faster and better.

> This is not very convenient from the user's point of view... But the
> idea could be changed a bit to achieve practically the same thing -
> there could be one scanner, with many overlays. The users will be able
> to select how "secure" they want their scanner to be, thus selecting
> which of the overlays will be executed during the scanning process.
> However, the differentiation does not to be by stealth/encrypted/etc.
> it only needs to be based on how common the viruses are.

Of course. Your idea does make more sense than mine does... Still, we both agree that the degree of commonness should be taken into consideration.

> This will be much like the today's option in many scanners for
> "secure"/"turbo" scanning mode, the former usually meaning that the
> whole file is scanned, while the latter means that only those places
> of the files are checked, where a virus is likely to be present.

I believe this refers to complete file scan as opposed to checking the EXE header only, assuming a certain virus will always have the same IP or other header information set.

Inbar Raz
- - --
Inbar Raz    5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210    nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's. (9:9721/210)

------------------------------

Date: Mon, 15 Mar 93 10:25:06 -0500
From: Donald G Peters
Subject: bill.lamdin misquoted don.peters

In issue 42/6 bill.lamdin mistakenly referred to some text to which he attributed me as the author. (The words don't sound like mine, and I never use "--" or "circumspect" in text.)
The quote was too short for me to determine the author, or to determine if I agreed with what was being said. :-)

------------------------------

Date: Thu, 18 Mar 93 21:11:17 -0500
From: fergp@sytex.com (Paul Ferguson)
Subject: Privacy matters vs. Virus-related (All)

For those of you who attended last week's "Ides of March" Conference in New York - I noticed a trend in discussion towards what I would categorize as privacy issues. The Toots after-dinner discussion went far astray, as far as discussion goes (perhaps you noticed my annoyance and attempt to route folks discussing the topic to the appropriate channels), but shall we address these topics as "virus" related topics in the future? I'd like to think not, but I think many of us would like to see legality and privacy cross paths somewhere in the immediate future.

Legality is borne upon introduction. Simplified, if you bitch about it loud and long enough, and it hurts someone, somewhere, at sometime, without their permission or knowledge -- it's criminal. Period.

Common sense dictates measures that identify those that endorse criminal computer activity be identified and punished. This type of behavior in the computer community (as well as applied to non-computer related activities) is unacceptable. This is where the topic of viruses comes into play, because in this capacity, they do infringe upon computer users' right to a _private_ system, if they desire it. (Hey, that's why they call it a Personal Computer, right?)

The "privacy" issues outlined and discussed within the confines of the conference "boundaries", have started to cross (again, what I categorize as) Open Systems designs. The linear definition of "Open Systems" is constantly changing. With the recent acquisition of USL by Novell, the workstation environment is changing, consistently conforming and adapting to cross-platform computing.

Yesterday I walked up to the McGraw-Hill Professional Bookstore and bought "The Programmer's Reference To Netware".
This book includes the interrupt level information on the Netware API. It basically does for NetWare what Ralf Brown did for DOS.

Is UNIX next? I've read Pete Radatti and Fred Cohen's "papers" in response to David Thompson's "Why UNIX is immune to computer viruses" paper. Hmmm....

Back on topic, (somewhat), for those of you who wish to address privacy issues, there are two other pipelines if you wish to wade into them:

Cypherpunks - A realtime, mail subscription service. Be forewarned: It's high volume and sometimes very technical. In fact, last week one of its "former" subscribers mail bombed the remainder of the subscribers because he grew impatient waiting to be "un-subscribed." Topics include digital privacy, anonymous remailers, PGP encryption. To subscribe: send a message to cypherpunks-request@toad.com

Computer Privacy Digest - ALL submissions should be addressed to "privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines. Submissions without appropriate and relevant "Subject:" lines may be ignored. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@cv.vortex.com". Mailing list problems should be reported to "list-maint@cv.vortex.com". All submissions included in this digest represent the views of the individual authors and all submissions will be considered to be distributable without limitations.

I hope this helps filter topical messages unrelated to computer VIRUSES.

Cheers.

Paul Ferguson                  |
Network Integration Consultant |  "All of life's answers are
Alexandria, Virginia USA       |   on TV."
fergp@sytex.com     (Internet) |           -- Homer Simpson
sytex.com!fergp     (UUNet)    |
1:109/229           (FidoNet)  |
     PGP public encryption key available upon request.
------------------------------

Date: Mon, 15 Mar 93 02:04:56 +0000
From: phbtt@wombat.newcastle.edu.au
Subject: Swap-boot virus (PC)

I have used McAfee VIRUSCAN version 102 to scan my computer and a virus called Swap Boot [Swb] is found. I used McAfee CLEAN-UP version 9.14V102 to clean this virus. The screen prompt that `Virus can not be safely removed from partition table.'.

I have tried to reformat the whole hard drive, delete the partition table and create a new one and turn the power off before rebooting again from diskette. These do not help at all.

I hope someone can help me!

B T TAN

------------------------------

Date: Fri, 12 Mar 93 14:41:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: scanners. (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

 > Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:

 >> VB: > when I'm saying Jerusalem.AntiCAD.4096.Mozart, Frisk knows what
 >>     > I mean.
AN:
 >> I would differentiate the interests of Virus researchers from this of
 >> the common user.

VB:
 > Don't be so quick to underestimate the interests of the common user.

I'm not! They are my customers!

VB:
 > When this user asks for assistance, it is not very
 > helpful if he tells you "The product XYZ found the Generic Boot virus on
 > my machine. How to remove this virus and what the hell does it do?"...

Good. So give him the information required if he asks it, let him read VSUM or your (not yet finished) VIRUS_INFORMATION (or whatever it is you call it). But don't make him/her worried about something that has no special meaning to him/her.

VB:
 > I agree that the two most important questions for the user are "Am
 > I infected?" and "If I am, how to get rid of it?", but the third most
 > important question is "What has it done to my data?"...

Most viruses do not tamper with DATA. You probably meant "to my files" or "Disk". If so, then I completely agree with you.
VB:
 > If it were not like that, everybody would use an integrity checker,

Ohh Noooooo, (But it's not such a bad idea) 8-).

VB:
 > instead of scanners - the integrity checker tells you that you are
 > infected, and often can repair the infection,

Tell me about it... We've invented the generic restoration method that is in use today also by V-ANALYST of your favour.

VB:
 > but is unable to identify the virus and to tell you what else to expect..

------------------------------

Date: Fri, 12 Mar 93 10:22:01 +0100
From: Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: scanners. (PC)

Hello Inbar!

 >> Sorry, it won't. It will catch any modification, that's true. But if you
 >> get infected with a slow virus, the user just would regard the change as
 >> legitimate. Then, Vesselin introduced the idea of a DOS file
 >> fragmentation attack. You could not detect that with a file-oriented CRC
 >> checker, too.

 > Look. In order for a file to infect a virus it must either add
 > itself to the file, or overwrite or replace the first file's
 > cluster (known methods of infection, correct me if I'm missing
 > anything). If you run a CRC check DAILY, you WILL locate these
 > changing.

True, but if you got a slow virus (which only infects when a file is intentionally written to), you just would say to yourself: Ah, of course the file has changed. I have done it by myself. You simply would regard any reported changes as legitimate, e.g. recompiling an EXE. That's why you couldn't catch "any virus".

The DOS file fragmentation, a theoretically possible infection described in one of Vesselin's papers, is another kind of attack you can not detect if you checksum your data file-based. That's due to the special structure of the two hidden system files, which are handled as a chain of physical sectors at boot time and get their file-character only after DOS is loaded (because when DOS is not loaded, there exists no file system).
If a virus puts itself into a sector physically used by one of these files, moves the original sector to another location and changes the FAT chain for the file, an Integrity Checker which is not aware of this would not recognize any change, because this change is transparent for a file-based checker, but the PC will load the virus at boot time.

 > What you're saying is true only if I had let my system
 > get infected, and only THEN, after the viruses had already
 > started to activate, I ran the tests.

Sorry :-)

 >> Unloading is a problem if the TSR is not the last one in the TSR chain.

 > By unloading, I don't mean removing from memory. I mean
 > disabling

That's alright.

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date: Wed, 17 Mar 93 11:27:19 -0500
From: Alessandro Lombardi
Subject: Re: Virstop under windows (PC)

In VIRUS-L 43, Otto Stolz wrote he could not use Virstop 2.07 with /copy using windows. I use DR-DOS 6.0 with windows 3.1 and have no problems, except that /warm (checks drive a: when ctrl-alt-del is pressed) crashes the system. I reported this to frisk, but I still have not received any answer, neither as "your post arrived"!!!

By the way, a friend of mine gave me PcTools 8.0, and when it asked me if to build an emergency diskette, the BIOS cried "ATTENTION: great error of the disk while writing on drive D: (I use DR-DOS with sstor) retry?" Has anyone the same problem?? I had to format the HD using Auto interleave and BIOS format (I have an American Megatrends). You can answer also to my personal email, use the subject Re:PcTools 8.0.

Thanks in advance.

- -alexl

***************************************************************************
**                                                                       **
**  Alessandro Lombardi, via P.Verri,12, 21100 VARESE (VA)-ITALY         **
**  Tel.: 0332/265777; e-mail: alexl@dec01.ing.como.polimi.it            **
**                                                                       **
**  # "Despite the paternalism of us coaches, the players who are        **
**     left out will be dejected in spirit."                             **
**  # "We do not buy just anybody merely for the sake of anybody-ism"    **
**  # "Players with different characteristics then elude one             **
**     another, and it then becomes difficult to put oneself forward     **
**     in emotion, as you like to say."                                  **
**                    ( Giovanni "gioppino" Trapattoni )                 **
**                                                                       **
***************************************************************************

------------------------------

Date: Thu, 18 Mar 93 15:14:48 +0000
From: v922340@multatuli.si.hhs.nl (Ivar Snaaijer)
Subject: New (?) 2294 virus ? (PC)

Hi virus netters,

A customer came across last thusday, complaining about Windows: the Windows we installed on his system didn't work and bailed out with an error complaining about almost everything.

It was likely a virus because when I execute a program that isn't likely to execute normally (tree.com) the harddisk is quite busy but the second time it isn't (I mean not searching the tree!)

TBSCAN (v5.04) showed behind a lot of files a U and a K, which mean an undocumented DOS call and an odd stack. Executing a file that didn't have the UK flags resulted in the fact that it did get the flags. I have beta tested TBSCAN v5.10, which claims it is the 2294 virus (v5.04 doesn't recognize it) ... it struck me as an abnormality, because TBSCAN had recognized all the viruses I have on stock. I've tried F-PROT, which says that the file is strange but doesn't report a virus either. SCAN v99 doesn't see anything, and I'm gonna try v102 this afternoon.

Is there anybody who can tell me more about this virus (except it is 2294 bytes long)?

Ivar.

- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- --
E-mail : v922340@si.hhs.nl ... I can't help it, I'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date: Thu, 18 Mar 93 11:58:41 -0500
From: jimf@iwtdr.att.com
Subject: Michelangelo Virus - do I have it? (PC)

I just bought my first PC, a 486SX running MS-DOS 5.0. Someone gave me a floppy with the vi editor on it. When I went to install it (xcopy a:\ c:\vifiles), the virus detection software that came on my PC went off warning of Michelangelo in the boot sector of my a: floppy disk drive. Then MSDOS kept prompting me if vifiles was a directory. Being a PC novice, I couldn't figure out how to break out of it and accidentally hit the y so that some of the files did get copied to c:\vifiles before I turned off drive a:. I then deleted (del) them and removed the directory (rmdir). When I rebooted my machine, no viruses were detected. I did not attempt to execute vi or anything.

My questions:

1) Could I have the virus now even though my virus detector says no?
2) If I do, how can I find it and get rid of it?

------------------------------

Date: Thu, 18 Mar 93 12:14:22 -0500
From: moy@xp.psych.nyu.edu ()
Subject: WordPerfect virus may be BUG (PC)

Greetings:

There have been several posts about a possible "WordPerfect Virus" where the hard disk usually runs out of space. The most recent posting mentioned that retrieving *.WQ1 files led to this problem.

The behavior cited may be the result of a bug in WordPerfect. I call this the "Infinite Retrieve" bug. WordPerfect versions 4.2, 5.0 and 5.1 (DOS), when retrieving a damaged document file or a foreign-format file, sometimes appear to continue "retrieving" until you reboot the machine. It seems to allocate only free disk space until no more remains, yet it does not stop or report an error when the disk is completely allocated.

I first discovered this problem a few years ago when I tried to retrieve a WordStar 3.3 document (actually, the original WordStar PRINT.TST) file.
This behavior is repeatable and occurs with each of the three versions of WordPerfect I've tried it on.

Recently, I have encountered the same behavior with a WordPerfect 5.1 document file with a damaged header. As an experiment, I tried truncating this damaged file to see how little was needed to trigger this effect. Only a 128-byte long fragment of this broken header was enough to cause WordPerfect to go silly.

While later versions of WordPerfect suppress the retrieving of certain system files like its own executables and temporaries, WordPerfect is still not clever enough to elegantly reject faulty files.

This problem is NOT related to retrieving document files into the current document, effectively merging them together.

Moy Wong, PC Specialist, Dept. of Psychology, New York University
(moy@xp.psych.nyu.edu)

------------------------------

Date: 18 Mar 93 19:38:58 +0000
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: F-PROT 2.07 and Windows not compatible? (PC)

>VIRSTOP is the TSR component of the F-PROT package. VIRSTOP 2.07 has
>been enhanced with new features, which can be invoked via command line
>options. Apparently, one of the new options, viz. "/COPY", is not com-
>patible with Windows. The symptoms are thus:

Actually, this seems to happen (almost ?) only if the /COPY and /DISK switches are used together. I have created a version which disables /COPY while windows is running, but I expect to have a proper solution in place in version 2.08....until then don't use /COPY and /DISK together.

- -frisk

- --
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is          fax:   +354-1-28801

------------------------------

Date: Thu, 18 Mar 93 22:49:17 +0000
From: RUTGER@KUBVX1.KUB.NL (Rutger van de GeVEL)
Subject: Why are McAfee's reportfile-output and screen-output different? (PC)

Dear networkers,

I'm not sure if this is the right place to ask this, but I'll do it anyway.
Maybe some of you have noticed that the screen output from both SCAN.EXE and CLEAN.EXE (from McAfee Associates) is different from the output produced when the /REPORT option is used. The output in the report file is very brief and (for example) doesn't show if a virus is (or isn't) removed: it only tells that a virus has been found. Why is this?

The reason why I ask this is that I would like to process the report files from SCAN.EXE and CLEAN.EXE in order to automatically eliminate any virus that is found with a self-written program. So IMHO the output in the report files should be more elaborate or at least the same as the screen-output (this applies to both SCAN.EXE and CLEAN.EXE).

Example:

Output on the screen from CLEAN.EXE when cleaning [Stoned]:

    Cleaning [stoned]
    Scanning for memory resident viruses.
    Scanning 64K RAM......
    Drive B: has no volume label.
    Scanning boot sector of disk B:
    Found the Stoned [Stoned] Virus in boot sector.
    Virus cannot be safely removed from boot sector.   <--- Yes, message is there
    Found 1 file containing viruses.
    This McAFEE(TM) software may.....
    Copyright (c) McAfee Associates 1989-1993. All Rights Reserved.

Output in the report file by CLEAN.EXE (with /report option) when cleaning [Stoned] (the same disk with the same virus):

    Options: b: [stoned] /a /m /chkhi /nopause /unattend /report c:\clean.log
    Drive B: has no volume label.
    Found the Stoned [Stoned] Virus in boot sector.
    - ---> Am I missing something here? <----
    Found 1 file containing viruses.

Thanks,

*******************************************************************************
Three Accounts for the Super-users in the sky,     * Rutger van de GeVEL,
Seven for the Operators in their halls of fame,    * Student Information
Nine for Ordinary Users doomed to crie,            * Management & Technology,
One for the Illegal Cracker with his evil game     * Tilburg University, Holland
In the Domains of Internet where the data lie.
*********** Email address:
One Account to rule them all, One Account to watch them,   * rutger@kub.nl
One Account to make them all and in the network bind them  * Phone : (66)2049
In the Domains of Internet where the data lie.             * Office: B512
*******************************************************************************

------------------------------

Date: Sun, 14 Mar 93 10:07:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: standardization (PC)

frisk@complex.is (Fridrik Skulason) in an answer to Amir Netiv on the issue of naming viruses writes:

 > the actual name is not significant, with respect to
 > cleaning - what matters is the ability of the anti-virus
 > software to distinguish between variants that must be
 > removed in different ways or have different effects

Right... Tell that to Vesselin...

 > - something you cannot do if you call all the Jerusalem
 > variants just "Jerusalem-B"

What you call it does not matter as you say in the above text, but only if the scanner can make the distinction, and if that is so... call it whatever you want.

Regards

* Amir Netiv. V-CARE Anti Virus, head team *

- --- FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Fri, 19 Mar 93 08:15:01 +0000
From: wolfgang.stiller@rose.com (wolfgang stiller)
Subject: Re: Signitures (PC)

Date Entered: 03-19-93 03:04

hdg@fm11ap03.tu-graz.ac.at (Bernhard Heidegger) writes:

HD>motazev@hobo.ECE.ORST.EDU wrote:
HD>: To check for an executable file a virus will read in the appropriate bytes
HD>: and check to see if it is "MZ".
HD>: Why do some viruses check for "ZM"? What kind of file does this denote?

HD>I think the signature is always "MZ" but Intel - processors (like 80386)
HD>store a word (2 Bytes) in the form "lo-byte hi-byte". So, if a virus
HD>checks the signature as a word it tests for "ZM".

It's a somewhat little known "feature" of DOS that .EXE loadable files can also begin with "ZM" as well as "MZ".
Several viruses (as well as AV products of course) are well aware of this fact and will look for files beginning with either ZM or MZ to infect.

Regards, Wolfgang (Author of Integrity Master)

Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310, U.S.A.

- ---
SLMR 2.1a
RoseMail 2.10 :

------------------------------

Date: Fri, 19 Mar 93 15:07:42 +0000
From: gerald@vmars.tuwien.ac.at (Gerald Pfeifer (Prak Gusti))
Subject: Re: standardization (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Hm, that's rather natural, maybe we should include this in the naming
>scheme... Currently it allows abbreviations in the "opposite
>direction", i.e., if your scanner cannot distinguish between
>Jerusalem.AntiCAD.4096.Mozart and Jerusalem.AntiCAD.4096.Danube, you
>are allowed to report just Jerusalem.AntiCAD.Mozart.
                            ^^^^^^^^^^^^^^^^^^^^^^^^
Shouldn't that read "Jerusalem.AntiCAD.4096"?

Gerald, in a pedantic mood

...........................................................................
. Gerald Pfeifer (Jerry)           Technical University Vienna, Austria   .
. gerald@kongo.vmars.tuwien.ac.at  Home: Mondweg 64, 1140 Wien, Austria   .
...........................................................................

------------------------------

Date: Fri, 19 Mar 93 11:59:34 -0500
From: mikael larsson
Subject: Re: Date triggered virus (PC)

marx@vms.huji.ac.il (Michael M. Marx / Jerusalem, Israel) writes:

> Hi there --
> I will be very thankful if someone will send me a list of viruses (virii...)
> triggered by dates, such as Michelangelo and April 1st etc etc.
>
> Thanks for your urgent response,

Try downloading VSUMX3nn.ZIP (where nn is the number of the month, like 02 for February.) From a BBS... VSUM has a list of viruses that activate on different dates.
You can contact the following BBS in Israel:

Rudy's Place, Rishon le Zion
Israel
Phone: 972-3-9667562
SysOp: Nemrod Kedem

Regards,
MiL

- ---
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre      Phone:  +46-26 275740    Email: mikael@vhc.se
P.O. Box 7018          Fax:    +46-26 275720    or: mikael@abacus.hgs.se
S-811 07 Sandviken,    BBS #1: +46-26 275710
Sweden                 BBS #2: +46-26 275715    Authorized McAfee Agent

------------------------------

Date: Fri, 19 Mar 93 13:33:08 -0500
From: BOORMABC@snyalfva.cc.alfredtech.edu (Brian C. Boorman)
Subject: Re: EXE/COM switch (PC)

>From: Donald G Peters

[text deleted for brevity].....

>APP discusses how 4B works and leaves the reader to draw his own
>conclusions. My question to APP is how do I resolve the difference
>between the description in Norton's book and Duncan's book regarding
>how to load a program WITHOUT executing it. One book says to use
>subfunction 1 and the other says subfunction 3. Neither book gives
>enough detail that I can gain a good understanding of it without
>experimenting first.

>Controversially,
>Don Peters

There is no difference in the discussions of Function 4Bh between the Norton and Duncan Books. The books that I referenced, Norton's Guide to PC/PS2 2nd Edition, and Duncan's Advanced MS-DOS Programming. Both of them state that subfunction 00h loads and executes a program (as Command.com would) and that subfunction 03h loads but doesn't execute. Neither book makes any mention of subfunction 01h. The Undocumented DOS by Andrew Schulman does make some reference to a subfunction 01h, but doesn't go into enough detail.

Either way, if a virus intends to infect any executable, and uses function 4Bh to locate executables as they are run, then simply changing the name won't do any good, since it will still be able to find the files when they are executed.

Brian C. Boorman
Sysop, Tech-Line BBS (VAX/VMS)
SUNY College of Technology at Alfred

------------------------------

Date: Fri, 19 Mar 93 22:12:10 +0000
From: wad22023@uxa.cso.uiuc.edu (Frumious Manxome )
Subject: Info Needed (PC)

Could somebody please send me some info on the Icelandic family of viruses.

Thanks in advance.

wad22023@uxa.cso.uiuc.edu

------------------------------

Date: 20 Mar 93 00:09:49 +0000
From: lhdsy1!kato.lahabra.chevron.com!hwrvo@uunet.UU.NET (W.R. Volz)
Subject: Strange occurances on Mar 6. (PC)

On Mar 5 I ran NAV 2.1 and CP tools A-V and they found nothing. On Mar 6 I booted and twice I got a message "cannot boot from floppy". No floppy was in either drive. The first time was at power on boot, the second was after replying 'yes' to reboot. I powered off and powered back on and all has been normal. No problems with the HD.

I have noticed that sometimes the HD will start writing for no apparent reason. Sometimes it is in a burst while sometimes it quickly repeats the writing (this from watching the HD active light). This is running dos/windows on a gw2k 66v. Any clues as to what is happening? All is appreciated.

- --
======================
Bill Volz
Chevron Petroleum Technology Co.
Earth Model/Interpretation & Analysis Division.
P.O. Box 446, La Habra, CA 90633-0446
Phone: (310) 694-9340 Fax: (310) 694-7063

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 47]
*****************************************
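
Added example, not part of the digest or of any poster's message: a content-based classifier of the kind a scanner or integrity checker needs in light of the "MZ"/"ZM" and EXE/COM threads above, which treats both signatures as an EXE header, ignores the file extension when deciding how the file is loaded, and reports the entry-point offset that a header-only ("turbo") scan would inspect. The function names, the findings wording and the sample images are constructed for illustration.

```python
import struct

# Both byte orders of the signature mark an EXE load image ("MZ" and "ZM").
EXE_SIGNATURES = (b"MZ", b"ZM")
# 2-byte signature followed by 13 little-endian words = 28-byte DOS EXE header.
HEADER = struct.Struct("<2s13H")


def parse_exe_header(data):
    """Return the header fields of a DOS EXE image, or None if data is not one."""
    if len(data) < HEADER.size or data[:2] not in EXE_SIGNATURES:
        return None
    (sig, cblp, cp, _crlc, cparhdr, _minalloc, _maxalloc,
     _ss, _sp, _csum, ip, cs, _lfarlc, _ovno) = HEADER.unpack_from(data)
    if cp == 0:
        return None  # a zero page count cannot describe a load image
    # Size of the load image: 512-byte pages, the last one possibly partial.
    image_size = cp * 512 if cblp == 0 else (cp - 1) * 512 + cblp
    header_size = cparhdr * 16  # header length is stored in 16-byte paragraphs
    return {
        "signature": sig.decode("ascii"),
        # The same two bytes read as one little-endian word: "MZ" is 0x5A4D.
        "signature_word": struct.unpack_from("<H", data)[0],
        "image_size": image_size,
        "header_size": header_size,
        # File offset of the first instruction (CS:IP relative to the image).
        "entry_offset": header_size + (((cs << 4) + ip) & 0xFFFFF),
    }


def classify(name, data):
    """Classify by content; the extension is only used to report a mismatch."""
    hdr = parse_exe_header(data)
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    findings = []
    if hdr and ext != "EXE":
        findings.append("extension .%s but content has an EXE header" % ext)
    if not hdr and ext == "EXE":
        findings.append("extension .EXE but no MZ/ZM header")
    if hdr:
        extra = len(data) - hdr["image_size"]
        if extra > 0:
            findings.append("%d bytes follow the declared load image" % extra)
        elif extra < 0:
            findings.append("file is %d bytes shorter than the declared image" % -extra)
        if hdr["entry_offset"] >= len(data):
            findings.append("entry point lies outside the file")
    # Without the signature the file is treated as a flat COM-style image.
    return {"loaded_as": "EXE" if hdr else "COM", "header": hdr, "findings": findings}


def make_sample(signature, code=b"\xC3" * 64, trailing=b""):
    """Constructed test image: 32-byte header, code bytes, optional trailing bytes."""
    total = 32 + len(code)
    cblp, cp = total % 512, (total + 511) // 512
    header = HEADER.pack(signature, cblp, cp, 0, 2, 0, 0xFFFF,
                         0, 0x100, 0, 0, 0, 0x1C, 0)
    return header.ljust(32, b"\0") + code + trailing


if __name__ == "__main__":
    samples = [
        ("PROG.EXE", make_sample(b"MZ")),
        ("PROG.EXE", make_sample(b"ZM")),
        ("PROG.COM", make_sample(b"ZM")),               # renamed EXE
        ("PROG.EXE", make_sample(b"MZ", trailing=b"\0" * 100)),
        ("TREE.COM", b"\xE9\x00\x00" + b"\x90" * 40),   # flat COM image
    ]
    for name, data in samples:
        print(name, classify(name, data))
```

A checker that keys on the extension, or on "MZ" alone, would skip the second and third constructed samples.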