From lehigh.edu!virus-l Fri Apr 2 05:43:23 1993 remote from vhc
Received: by vhc.se (1.65/waf) via UUCP; Sat, 03 Apr 93 00:01:27 GMT for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
        id AA19839; Fri, 2 Apr 1993 18:42:51 +0200
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA22120
        (5.67a/IDA-1.5 for ); Fri, 2 Apr 1993 10:43:23 -0500
Date:         Fri, 2 Apr 1993 10:43:23 -0500
Message-Id:   <9304021149.AA05068@first.org>
Comment:      Virus Discussion List
Originator:   virus-l@lehigh.edu
Errors-To:    krvw@first.org
Reply-To:
Sender:       virus-l@lehigh.edu
Version:      5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From:         "Kenneth R. van Wyk"
To:           Multiple recipients of list
Subject:      VIRUS-L Digest V6 #55

VIRUS-L Digest             Friday,  2 Apr 1993        Volume 6 : Issue 55

Today's Topics:

Re: Should viral tricks be publicized?
Obtaining info on virus's ?
Re: Latest list of viruses
Booting password (PC)
What is the Genb or Form Virus??? (PC)
Re: Boot virus or false positive? (PC)
New viruses warning (PC)
Re: Virus signature determination. (PC & Unix)
D2 virus (PC)
Re: Catch from DIR? (PC)
RE: PC-TOOLS 8.0 (PC)
Re: Pc-Tools 8.0 (Pc)
Cerfu (?) virus ... (PC)
Re: WIndows Virus (PC)
Information Needed (PC)
Zenith Hard Disk Boot (PC)
Re: varients of MichelAngelo (PC)
Re: Virstop 2.07 (PC)
Problems with DOS 6.0 Microsoft Anti-Virus (PC)
McAfee against f-prot virus programs (PC)
April Viruses? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.)  Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.
A FAQ (Frequently Asked Questions) document and all of the back-issues
are available by anonymous FTP on cert.org (192.88.209.5).
Administrative mail (comments, suggestions, and so forth) should be sent
to me at: .

Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Thu, 01 Apr 93 02:13:24 +0000
From:    vfr@netcom.com (ssg512k)
Subject: Re: Should viral tricks be publicized?

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

>YR pointed out that IR was "contributing" to forums (eg, Fidonet)
>which are used by "bad guys". (re: anti-debugging techniques).
>This is just one small fact, but I thought it was worth raising.

another 'small fact' worth raising: virus exchange sites exist
-everywhere-. academic sites, .mil sites, .gov sites, lots of places.
it is disturbing to see a good source of information (i.e. an
information resource) maligned in the manner fidonet is often maligned.
i personally have a fidonet bbs. sure, bad guys make use of the info
passed thru the fido network..but they make use of the information
passed thru the internet in -much greater degree-. if someone is going
to call Fidonet a 'forum used by bad guys', then they should at least
be reminded of the virus exchange sites located on some of the same
networks as the CERT teams in some cases. (Ken, you know what i'm
talking about here, i think). it takes work to keep that sort of
pestilence in control. we don't need to kill the good info resources
to stop the 'bad guys'. let's encourage people to make use of the many
good information resources that are available to help them learn about
how to prevent viruses and make 'compurity' ((c) 1992, 1993 sara
gordon) a reality. we can't do that if we are saying system x,y,z is
bad cause it has some loud mouthed technopathic idiots making fools of
themselves from time to time, now can we?
:)

------------------------------

Date:    Thu, 01 Apr 93 14:15:19 +0000
From:    andrew@iwr.ru.ac.za (Andrew Murdoch)
Subject: Obtaining info on virus's ?

I would like to update my knowledge and understanding of how different
types of virus (in general) are implemented. I can see why this type of
information might be restricted; is there any documentation I should
read? E-mail responses preferred.

Thanks,
Andrew

------------------------------

Date:    Thu, 01 Apr 93 20:22:08 +0000
From:    cnews@umr.edu (UMR Usenet News Post)
Subject: Re: Latest list of viruses

The humorous viruses listed in the previous article first appeared in
PC Computing magazine. It started with Mike Edelhart's August 1992
column where he roasted politicians with viruses named after them and
encouraged his readers to send in virus descriptions. Many of the
responses were listed in the "Letters" section of PC Computing in the
November 1992 issue.

This leads to the question: is it legal to re-distribute these over
Usenet, or would it be OK anyway since they were only letters and not
(as far as I know) copyrighted articles? Would it be illegal to
distribute Mike's original article over the Usenet but not the
subsequent letters?

[Moderator's note: I was not aware that the list was published in a
magazine; had I known, I would have contacted the magazine and asked
for permission to re-print, as I've done in the past.]

--
Scott Hayes            scotth@cs.umr.edu    shayes@usgs.gov
Standard Disclaimers Apply
"We have become too proud to pray to the God that made us!"
                                              --Abraham Lincoln

------------------------------

Date:    30 Mar 93 15:18:23 -0600
From:    teera@emunix.emich.edu (Teerawat Pawittranon)
Subject: Booting password (PC)

Hi All,

A DTK 386SX in our lab was messed around with (or virus infected). It
would not boot; actually, after the memory is checked, it asks for a
booting password. Normally we could activate the setup program (hold
down the Esc key while booting up) and change the password and we
would be all set.
This time it would not go to the system setup utilities at all. The
screen says that the setup has been invoked but still asks for the
booting password! I have disconnected the system battery, hoping the
CMOS setup would be gone and trigger the setup routine when I boot it
the next day. The problem still persists! I have tried adding memory,
disconnecting drives (HD and FD), and could not get it to run system
setup at all!

Does anyone have any idea what is going on? Virus?

Thank you very much in advance for any help or info.

Tee

------------------------------

Date:    Wed, 31 Mar 93 09:23:29 -0500
From:    crk5@vm2.cis.pitt.edu
Subject: What is the Genb or Form Virus??? (PC)

Hi,

Yesterday one of our machines contracted the Genb virus at boot up.
When I cleaned it off it said that it was the Form virus. I suppose one
is a variant of the other. I have not been able to find any information
on either of these viruses, what they do, or how dangerous they are.

Thanks for your information.

Chris Kunselman
========================================================================
Chris Kunselman                           University of Pittsburgh
Systems Analyst                           200 Scaife Hall
crk5@vms.cis.pitt.edu                     Falk Library, MMC
(412)648-7335                             Pittsburgh, PA 15261
========================================================================

------------------------------

Date:    Wed, 31 Mar 93 11:30:19 -0500
From:    Lomba
Subject: Re: Boot virus or false positive? (PC)

Elizabeth writes about his problem. All I can say is my experience:
when I load bootsafe and vsafe or vwatch of cpav in memory at startup,
then F-prot finds a BSV (boot sector virus). This is due to the code of
the antivirus. I think it is a false positive (I hope). You can ask
frisk@complex.is to get two files, get_mbr.exe and put_mbr.exe, so in
the future you'll replace what is no good. Try not to load the TSR
antivirus, THEN scan the disk with F-prot. Good luck. Let me know about
the results.
BTW, I am going to change my address from
alexl@dec01.ing.como.polimi.it to alexl@varano.puc.it. I questioned
something on Virus-l, so if the mailer-daemon sends you back the
message, try the 2nd address.

***************************************************************************
**  Alessandro Lombardi, via P.Verri 12, 21100 VARESE (VA)-ITALY         **
**  Tel.: 0332/265777; e-mail: alexl@dec01.ing.como.polimi.it            **
***************************************************************************
soon new email: alexl@varano.puc.it (about 5th of April)

------------------------------

Date:    Wed, 31 Mar 93 13:58:07 -0500
From:    Mario Rodriguez Cardenas
Subject: New viruses warning (PC)

Hi everybody,

I'm writing from Mexico and I have just got some new viruses from a
friend in the USA. In Mexico those viruses are not known at all, but I
don't know if they are in the wild in the USA. Their names are Susan 1
and FoneSex.

The Susan 1 virus is a resident overwriting virus. When an infected
file is run it gets into memory and can be seen with the command
'MEM /P' as follows:

  .
  .
  .
  012280  chess        000340  Program
  .
  .
  .

It's easily detected because all infected programs, when executed,
present the message "bad command or file name" and terminate.

This virus only infects the first .EXE in a subdirectory when a PLAIN
dir command is given. If you give a dir command with ANY parameter it
will not activate the virus. After 15 infections the virus will erase
all files in the current directory with the next plain DIR command.

You can check for this virus with the following signature:

  "C91FCD21B43ECD21C3505256571E068C"

The FoneSex virus is also an overwriting virus and seems to be
non-resident. Its effective length is 688 bytes, and when you run an
infected file it will infect all .COM and .EXE files in the current
directory and in the \dos directory. It infects COMMAND.COM. All
infected files will only present the message "Out of Memory" and will
terminate. If you have a modem the virus will dial sex numbers.
I have an Intel SatisFAXion modem and the virus didn't work with it. I
suppose it will only work with more standard modems because it uses an
OUT instruction to dial.

You can check for the signature:

  "EB079000B43BCD21C3E89B00E89F00"

If you have any questions please write me.

Regards

Mario Rodriguez Cardenas
Instituto Tecnologico de Estudios Superiores de Monterrey.
Campus Estado de Mexico.
em436861 at itesmvf1.cem.itesm.mx
em436861 at vmtecmex.cem.itesm.mx

------------------------------

Date:    Wed, 31 Mar 93 14:59:57 -0500
From:    radatti@cyber.com (Pete Radatti)
Subject: Re: Virus signature determination. (PC & Unix)

In VIRUS-L Digest V6 #53 phys169@csc.canterbury.ac.nz (Mark Aitchison)
writes:

>For what its worth, I'm working on a public domain virus scanner for Unix
>(and other systems) to look for DOS (and other??) viruses where file systems
>are shared. In these situations it is reasonable to combine scanning for
>non-polymorphic viruses with change detection, because of the way that people
>tend to use networked drives.

What you are trying to create has been on the market for about 3 years.
The product is called VFind. The VFind version 3R2 info sheet states the
following:

Scans for Unix, MSDOS, Macintosh and Amiga viruses on your NFS network,
servers, clients or stand alone systems, in one pass.

Can prevent infection of your site by scanning tapes, diskettes and
other media for viruses prior to usage. Using the Unix "dd" command,
VFind can read "tar", "cpio", "dump" and all other tape or disk formats.

Does not require the virus to be active to be located. It can locate
dormant viruses by using known scan keys and generic models.

VFind includes the CVDL generic pattern matching language with
programmable case sensitivity, forward proximity scanning, boolean
operations and large model capacity.

It locates "migrating" company classified or sensitive information such
as payroll, R&D documents and databases while it scans for viruses.
Forward proximity scanning allows search of most compressed data formats
with high accuracy.

VFind can be run after business hours or any other time desired. VFind
is "cron" ready for automatic start-up. It can scan on-line disks prior,
during or after nightly backup.

---

It also has an X11 GUI interface. A single user copy sells for $300 US.
Contact info@cyber.com for more information (human, not mail server).

Pete

------------------------------

Date:    Wed, 31 Mar 93 07:27:04 +0000
From:    hitesh@sarang.iitb.ernet.in (Hitesh Shah)
Subject: D2 virus (PC)

I seem to have the D2 virus on one of our machines, and clean says it
cannot safely recover command.com, so I asked it to delete it. However,
after I copy a clean command.com onto c: I still have D2 sitting there.
Also this strange "Sector not found error reading drive C" has started
showing. If I just say I for Ignore there, the exe file seems to run
fine. Any help on how to clean this would be highly appreciated. I am
using version 100 of scan and clean from McAfee Assoc.

thanx in advance
Hitesh Shah
shah@ee.iitb.ernet.in

------------------------------

Date:    Thu, 01 Apr 93 01:23:39 +0000
From:    maniac@snooky.cs.unlv.edu (Eric J. Schwertfeger)
Subject: Re: Catch from DIR? (PC)

a_rubin@dsg4.dse.beckman.com writes:

) cftdl@ux1.cts.eiu.edu (Terry Lundgren) writes:
)
) >I have received some excellent replies to my posting on catching
) >a virus.  Basically the question is this:  Assume my system is
) >clean and I have an infected disk.  I put the disk in the drive
) >and do a DIR.  Then I take the disk out.  Can my system be
) >infected now?
)
) >The responses are running about 1/3 saying no way and 2/3 saying
) >it is possible.  I would really like to get a definitive answer.
) >If a virus can be passed in this way, would someone please
) >describe how it might happen?  Or not.
)
) (1) Not on a PC.  Nothing from the disk is ever executed.

Agreed.

) (2) On a Mac, maybe.
) I can't give a definitive answer, but I believe the
) a disk driver or file system can be loaded from the disk, and THAT could be
) infected.

Definitely. In fact, some of my Mac using friends think this type of
virus is nearly extinct because of the availability of Anti-virus INITs,
though I have to disagree with that.

Other: AmigaDos: Possible under versions prior to 2.0, as the disk
validator is loaded from the corrupt disk if possible, under ADos
versions up to 1.3X. ADos 2.0 and later only uses the validator in ROM.

) --
) Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
) 216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
) My opinions are my own, and do not represent those of my employer.

--
Eric J. Schwertfeger, maniac@cs.unlv.edu

------------------------------

Date:    Thu, 01 Apr 93 03:54:49 -0500
From:    Lomba
Subject: RE: PC-TOOLS 8.0 (PC)

On Tue, 30 Mar 1993, Mikko Hypponen wrote:

>
> Was the message displayed something like this?
>
>   +-------------------------------------+
>   |                                     |
>   | ATTENTION: A serious disk error has |
>   | occured while writing to drive D:   |
>   | Retry (r)? _                        |
>   |                                     |
>   +-------------------------------------+

Perfectly.

> If it was, this is a known problem. You're using the Italian
> version of Windows 3.1, right?

yes.

>
> Microsoft's disk caching program SmartDrive, version 4, will
> display this message when it decides that something has gone
> terribly wrong. The reason you got the message in Italian is
> simply because the localised version of Windows has also the
> included smartdrv.exe translated.
>
> Obviously, Microsoft thinks that EVERYONE automatically knows
> that when such error is displayed, SmartDrive is in question.
> Thus, they do not bother telling the users which program is
> giving the error message.
>
> I would suggest turning off SmartDrive during the installation,
> or, better yet, substitute SmartDrive with some other disk cache.
>
> I personally use HyperDisk, not just because it is faster,
> but also because it's safer and more configurable (an obvious
> plug for a great shareware product :).
>

Ok, in fact I load first smartdrv.exe, then hyper386.exe. Are you sure
Windows works with DR-DOS 6.0, SuperStor, and HyperDisk 4.32? And
should I re-format my HD? (I still have all backups)

--alexl

------------------------------

Date:    Thu, 01 Apr 93 03:59:42 -0500
From:    Lomba
Subject: Re: Pc-Tools 8.0 (Pc)

On Tue, 30 Mar 1993, Nick Leverton wrote:

> >... at the top left of the screen appeared this
> >message(in Italian):"ATTENTION: big error of the drive while writing on
> >unit D: retry?" (I use DR-DOS 6.0 with sstordrv).
>
> This message sounds to me like one which Smartdrive generates when you
> load a second cache on top of it (or underneath it).  Are you using
> Smartdrive, or a DR-DOS equivalent cache ?  I seem to remember that PC
> Tools also includes a disk caching utility, and it's possible that it
> may have automatically installed it in addition to the existing cache.
> If I were you I'd check for double caching as a possible cause of the
> problem.
>
> Nick Leverton

Yes, you are right; in fact I use both smartdrv and hyperdisk. You are
one of the answers I received, thanks much. I think I'll solve the
problem quite soon.

--alexl

------------------------------

Date:    Thu, 01 Apr 93 10:14:14 +0000
From:    rick@universe.demon.co.uk (Richard Wilton)
Subject: Cerfu (?) virus ... (PC)

Has anyone heard of a virus called Cerfu (or similar - I can't quite
remember the spelling!!) What does it do? What can I kill it with?

--
Richard Wilton

------------------------------

Date:    01 Apr 93 11:25:38 +0000
From:    rogera@compnews.co.uk (Roger Allen)
Subject: Re: WIndows Virus (PC)

sgr4211@ggr.co.uk writes:

: > From: rogera@compnews.co.uk (Roger Allen)
: >
: > Has anyone else experienced a virus that fades the screen to
: > black after starting Windows 3.1.
:
: Well, someone has to ask - it's not a Windows screen saver program, is
: it?  The screen saver supplied with Windows 3.1 doesn't provide a
: "fade-to-black" saver, only a "blank-the-screen" one.  There is,
: however, a "fade-to-black" saver for the shareware program ScreenPeace,
: and I suspect the commercial program After Dark would have one also.
:
: Apologies if this is too obvious.
:
: Steve Richards.

No, it's definitely a virus; screen savers refresh the screen if a key
or mouse movement is detected. I had to either reset or guess the keys
to exit Windows. I may have found the culprit source file if anyone is
interested.

Roger

------------------------------

Date:    01 Apr 93 20:40:55 +0000
From:    ST20E@jetson.uh.edu (Bushido)
Subject: Information Needed (PC)

My company is planning on implementing a standard virus scanning
procedure. For this we need software. We are pretty sure that we would
like to go with McCaffe's (sp?) SCAN and CLEAN utilities. What I need
is information on where I can find some independent (of McCaffe)
studies of its effectiveness versus other software with similar
functions. Any information of this sort, or directions to find it, will
be greatly appreciated.

Thank you
Robert Wood

------------------------------

Date:    Thu, 01 Apr 93 16:17:43 +0000
From:    cftdl@ux1.cts.eiu.edu (Terry Lundgren)
Subject: Zenith Hard Disk Boot (PC)

Our computer lab seems to be under constant virus attack, especially
from boot sector viruses. We have Zenith 386's, and they allow, through
the setup procedure accessible by Ctrl/Alt/Ins, making the system boot
from the hard disk. I tried it and it made no difference what was in
the A drive (empty, unformatted, formatted no system, etc.). The
startup obviously did check the drives, but I don't think the boot
sector is being used. Will changing the setup to boot from the hard
disk stop boot sector infections? (Of course it could be changed, but
it might significantly slow down the spread if it works.)
--
Terry Lundgren, Administrative Information Systems, EIU

------------------------------

Date:    Thu, 01 Apr 93 18:58:22 +0000
From:    yates@alexia.lis.uiuc.edu (Kent Yates)
Subject: Re: varients of MichelAngelo (PC)

GHGAOAT%BLEKUL11.BITNET@FRMOP11.CNUSC.FR (Sjamayee) writes:

>Can anyone warn me if he has found a possible copy of Michelangelo, so that
>I can take note of it for my new book?

What is the name of your book? "Who's Who among Michaelangelo Victims"?
THAT should make interesting reading. 1500+ pages or so?

--
Kent Yates, Mgr., Computing and Net Resources
Univ of IL Grad School of Library & Info Sci
Urbana, IL (Voice: 217-244-6279) (FAX: 217-244-3102)
(email: dkyates@uiuc.edu)

------------------------------

Date:    Thu, 01 Apr 93 20:30:54 +0000
From:    u920400@daimi.aau.dk (Thorbjørn Tau Christensen)
Subject: Re: Virstop 2.07 (PC)

VIRSTOP is a memory-resident program that prevents things like editing
interrupts, like Ctrl-Alt-Break, which is what Windows does! The VIRSTOP
program is exceptional at stopping viruses before they do any harm, but
it has a little problem! It does not only prevent viruses from doing
something spooky!!!

--------------------------------------------------------------
Name:  Thorbjoern Tau Christensen
Email: tau@daimi.aau.dk
May the Force Be With You (*)
--------------------------------------------------------------
Kind regards

------------------------------

Date:    02 Apr 93 00:23:58 +0000
From:    acrosby@uafhp..uark.edu (Albert Crosby)
Subject: Problems with DOS 6.0 Microsoft Anti-Virus (PC)

WARNING: MSAV CANNOT DETECT OR REMOVE SOME 1575/1591 VARIANTS.

This is the virus I have most recently (read - last 2 months) had
infections with and reported in this forum.
I placed a file infected with this virus on a machine with DOS 6.0 and
scanned. NO VIRUS FOUND. Loaded VSAFE. Tried to copy the infected file,
and VSAFE identified the virus as the '1591 virus' and instructed me to
use MSAV to remove the infection. But MSAV doesn't know about the virus!

THE MSAV AND THE VSAFE PROGRAMS ARE OUT OF SYNCH. THIS POINTS TO A
POTENTIAL MAJOR FLAW WITH MSAV/VSAFE.

At least MS promises upgrades to the detection portion from their
bulletin board. They *DO NOT* explicitly promise these to be free. No
charges are mentioned, but you *MUST* acquire a userid on their
bulletin board to obtain the files. *NO PERMISSION* to share the
signature files is explicitly granted.

The *SPECIAL OFFER* price for MSAV *DISINFECTORS* is $9.95 each. No
mention is made of the 'regular' price after the special offer expires.
IT STATES !!!!!_EXPLICITLY_!!!!! THAT THE FIRST UPDATE WILL SHIP
---->NOW<---- and that the next will follow in 3-4 months.

Implication: Microsoft KNOWS that the MSAV product included with DOS
6.0 is insufficient and wants an extra $9.95 *NOW* to make it right.
IMHO, that is poor business practice, especially where something as
serious as anti-virus software is concerned.

Personally, I think Frisk and McAfee can rest assured. I, for one,
CANNOT take this offering from Microsoft seriously, and will recommend
other anti-virus solutions to my network users and clients.

----
Albert Crosby            | Microcomputer & Network Support | WANTED: any good
acrosby@uafhp.uark.edu   | University of Arkansas          | "Intro To The Net
or AL.CROSBY on GENIE    | College of Agriculture And      |  For Newbies" guides
1 501 575 4452           | Home Economics                  | (email for mine...)

------------------------------

Date:    02 Apr 93 01:28:04 +0000
From:    alpham@cirrus.SEAS.UCLA.EDU (Alan V. Pham)
Subject: McAfee against f-prot virus programs (PC)

Hi there,

Will you please give me your opinions/comparison between the McAfee and
f-prot computer virus programs? What are their advantages/disadvantages?
Any input would be greatly appreciated. Thanks!

--alan

------------------------------

Date:    Fri, 02 Apr 93 02:31:09 +0000
From:    mechalas@expert.cc.purdue.edu (John Mechalas)
Subject: April Viruses? (PC)

Does anyone have, or know where I can find, a listing of viruses that
trigger in April? And the other months? I remember someone posting the
list of March viruses, and it would be nice to have the rest of the
months laid out as well....

Cheers,
John

--
John Mechalas                        \ If you think my opinions are Purdue's, then
mechalas@expert.cc.purdue.edu        \ you vastly overestimate my importance.
Purdue University Computing Center   \ Stamp out and abolish redundancy.
General Consulting                   \ Stop Barney before its too late.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 55]
*****************************************
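The two hex scan strings Mario Rodriguez Cardenas posted above for Susan 1 and FoneSex are the kind of input a 1993 signature scanner consumed. The following Python script is an added example and is not code from the digest or from any product discussed in it (SCAN, F-PROT, VFind, MSAV): it compiles hex signatures into byte patterns, scans .COM/.EXE files in chunks while keeping an overlap so a string that straddles a read boundary is still found, and runs over a small set of constructed sample files. The samples are filler bytes with the signature embedded, not real virus bodies, and the file names are made up for the demonstration.

```python
"""Hex-signature file scanner, in the style of the scan strings posted to VIRUS-L.

Added example; not code from the digest or from any scanner named in it.
The signature strings are the two posted for Susan 1 and FoneSex; every
sample file below is constructed here so the script runs offline.
"""
import os
import tempfile

# Signatures exactly as posted (hex strings keyed by virus name).
SIGNATURES = {
    "Susan 1": "C91FCD21B43ECD21C3505256571E068C",
    "FoneSex": "EB079000B43BCD21C3E89B00E89F00",
}

CHUNK = 64 * 1024  # read size; the overlap below makes this safe to vary


def compile_signatures(sigs):
    """Turn hex strings into (name, bytes) pairs; bytes.fromhex rejects bad hex."""
    return [(name, bytes.fromhex(hexstr)) for name, hexstr in sigs.items()]


def scan_bytes(data, compiled):
    """Return the names of every signature present in data."""
    return [name for name, pattern in compiled if pattern in data]


def scan_file(path, compiled):
    """Scan one file in chunks, carrying the last len(longest)-1 bytes of the
    previous chunk forward so a signature split across two reads is caught."""
    longest = max(len(p) for _, p in compiled)
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            window = tail + chunk
            found.update(scan_bytes(window, compiled))
            tail = window[-(longest - 1):] if longest > 1 else b""
    return sorted(found)


def scan_tree(root, compiled, exts=(".com", ".exe")):
    """Walk a directory; return {path: [names]} for files with at least one hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                names = scan_file(path, compiled)
                if names:
                    hits[path] = names
    return hits


def demo():
    """Build constructed samples (filler plus signature, not real viruses) and scan."""
    compiled = compile_signatures(SIGNATURES)
    susan = bytes.fromhex(SIGNATURES["Susan 1"])
    fone = bytes.fromhex(SIGNATURES["FoneSex"])
    with tempfile.TemporaryDirectory() as d:
        def write(name, body):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        write("CLEAN.COM", b"\xB4\x4C\xCD\x21" * 100)              # harmless stub
        # Susan 1's string placed so it straddles the 64 KiB chunk boundary.
        write("CHESS.EXE", b"\x90" * (CHUNK - 5) + susan + b"\x90" * 32)
        write("PHONE.COM", b"\x00" * 10 + fone + b"\x00" * 600)
        write("NOTES.TXT", susan)                                   # skipped: not .com/.exe
        hits = scan_tree(d, compiled)
        return {os.path.basename(p): names for p, names in hits.items()}


if __name__ == "__main__":
    for name, names in sorted(demo().items()):
        print(f"{name}: {', '.join(names)}")
```

A hit on a 15- or 16-byte string is a strong hint, not proof: as the false-positive thread above shows, a resident monitor such as VSAFE can leave the same bytes in memory, and a scanner's own signature table can trigger another scanner. Confirm a hit before deleting anything.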
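Several messages above turn on the master boot record: Lomba's advice to keep a copy with get_mbr/put_mbr so a damaged sector can be put back, Terry Lundgren's question about booting from the hard disk, and Mark Aitchison's point (quoted by Pete Radatti) that change detection complements signature scanning. The following Python script is an added example, not code from the digest or from the tools it names: it parses a 512-byte MBR image into boot code, the four partition entries and the 55AA signature, hashes the boot code, and compares the current image against a saved baseline. The sector images in it are constructed for the demonstration with placeholder boot-code bytes; a real tool would read sector 0 from the disk. One caveat: Form, asked about in Chris Kunselman's message, lives in the DOS boot sector of the active partition rather than in the MBR, so a baseline should cover that sector as well.

```python
"""MBR baseline and change check.

Added example for the VIRUS-L boot-sector threads; not code from the digest
or from any product named in it. All sector images below are constructed
for the demonstration with made-up boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446          # partition table: 4 entries x 16 bytes, ends at 510
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"  # status, (CHS start), type, (CHS end), LBA start, sectors


def parse_mbr(sector):
    """Decode one 512-byte MBR image into its security-relevant parts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({
                "slot": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba": lba,
                "sectors": count,
            })
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """List what differs between a saved known-good MBR and the current one."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 55AA missing")
    if base["code_sha256"] != cur["code_sha256"]:
        findings.append("boot code changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code, partitions):
    """Fabricate a sector from boot code and (bootable, type, lba, sectors)
    tuples. Used only to make test images here; a real tool reads sector 0."""
    code = boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET]
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed images; the opcodes are placeholders, not any real loader.
ORIGINAL_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 40
INFECTED_CODE = b"\xEB\x1C\x90\x00\x00\x00\x00\x00\x00" + b"\xCC" * 40
PARTITIONS = [(True, 0x06, 63, 204_737)]  # one bootable FAT16 partition

CLEAN_MBR = build_mbr(ORIGINAL_CODE, PARTITIONS)
# A boot-sector virus typically swaps in its own loader and keeps the
# partition table intact so the machine still boots (and keeps spreading).
INFECTED_MBR = build_mbr(INFECTED_CODE, PARTITIONS)
# Same loader, different layout: something rewrote the partition table.
REPARTITIONED_MBR = build_mbr(ORIGINAL_CODE, [(True, 0x06, 63, 102_312)])
# Signature clobbered: a PC BIOS will not boot from this sector.
NO_SIGNATURE_MBR = CLEAN_MBR[:510] + b"\x00\x00"


def demo():
    """Run the comparison over the constructed images."""
    return {
        "clean": compare_mbr(CLEAN_MBR, CLEAN_MBR),
        "infected": compare_mbr(CLEAN_MBR, INFECTED_MBR),
        "repartitioned": compare_mbr(CLEAN_MBR, REPARTITIONED_MBR),
        "no_signature": compare_mbr(CLEAN_MBR, NO_SIGNATURE_MBR),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:14s} {findings or 'OK'}")
```

Keep the baseline image off the machine it describes (a write-protected floppy, in the digest's era); a virus that can rewrite sector 0 can rewrite a baseline file on the same disk just as easily.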