From CUNYVM.CUNY.EDU!lehigh.edu!virus-l Wed Feb 10 11:31:57 1993 Date: Wed, 10 Feb 1993 11:23:02 -0500 Message-Id: <9302101546.AA07205@barnabas.cert.org> Comment: Virus Discussion List Originator: virus-l@lehigh.edu Errors-To: krvw@cert.org Reply-To: Sender: virus-l@lehigh.edu Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas From: "Kenneth R. van Wyk" To: Multiple recipients of list Subject: VIRUS-L Digest V6 #23 Status: R VIRUS-L Digest Wednesday, 10 Feb 1993 Volume 6 : Issue 23 Today's Topics: Re: Internet Worm - the "Perp" (CVP) Re: Mainframe viruses? [Sam Wilson:06/13] Re: Checksums, CRCs, and other toys Re:Wank [Rob Slade:v06 ?21] Re: Viruses and Worms Re: Sale of Viri Re: undecidability virus-definitions Re: NAV questions (PC) Virstop 2.07 in Icelandic (PC) (false?) alarm on drx109.zip by Tbav 5.03 with Asig9301 !!! (PC) Re: Dame virus (PC) Re: NAV questions (PC) Suggestion to the developers of resident scanners (PC) Twelve Tricks (PC) STONED, Scanv99/Clean 99 Questions/Concerns (PC) Re: dame virus (pc) SCAN100 and DOS3.3 (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: . Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 09 Feb 93 01:58:12 +0000 From: buhr@umanitoba.ca (Kevin Andrew Buhr) Subject: Re: Internet Worm - the "Perp" (CVP) rslade@sfu.ca writes: | Robert Tappan Morris was a student at Cornell University when he | wrote the Worm. He was a student of data security. The Worm is | often referred to as a part of his research, although it was neither ^^^^^^^^^^^^^^^^^^^^^^^ | an assigned project, nor had it been discussed with his advisor. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This amusing non sequitur points out a common misconception. For some reason, there is the implicit assumption made by people outside the academic community--and, distressingly, my many people *inside* it-- that student research has to be assigned or authorised before the student is permitted to use university facilities in its pursuit. RTM might have done a lot of terrible things, and he might have gotten exactly what he deserved, but his worm doesn't fail to classify as valid academic research only because he didn't get permission from professors or university administration. A "university" that requires such permission can hardly call itself a university. Any institution that treats students with that level of contempt is better termed an "academic cattle drive". Kevin ------------------------------ Date: 09 Feb 93 07:55:02 +0000 From: valdis@black-ice.cc.vt.edu (Valdis Kletnieks) Subject: Re: Mainframe viruses? [Sam Wilson:06/13] brunnstein@rz.informatik.uni-hamburg.dbp.de writes: >Sam Wilson mentioned a "survey of 816 European and North America mainframe >sites (with) ...35.5% .. disasters .. 60% of which had been due to viruses". > >Since about 10 years, I happen to supervise several large IBM mainframes for >security and backup procedures, but I have NEVER seen, in several disasters >due to bugs, inadequately installed or used programs, hacker attacks and few >chain letter happenings, ***ANY real mainframe virus*** (I know of some tests As the old saying about statistics goes, "Figures don't lie, but liars can figure...". The problem is that 60% of the data *centers* reported viruses. Now.. Let's look at this in detail (using our site as an example)... Here at Virginia Tech, the main computing center has a 3090, a 3084, a 4381, several high-end RS/6000 boxes, a Vax 8800, and probably 75 to 100 desktop systems in the NeXT/Mac II/RS6K-200/Decstation class on programmer's desks. This is all in our main facility in the university computing center, which is actually off-campus (it was cheaper/faster to build a new building there). The computing center also maintains several on-campus computer labs that are usually stocked with some 386-based clone. Now - if one of our labs gets wiped out by a virus, this will be a disaster (at least for the guy in Operations who gets to clean up). So we're in the 35.5%. It was virus based. So we're in the 60%. And we *do* have mainframes here. So we would qualify, even though the virus literally never got within 2 miles of our mainframes. Of course, if Wilson's survey *specifically* addressed mainframe-*based* viruses, that's a different story. But I doubt that... Valdis Kletnieks Computer Systems Engineer Virginia Tech ------------------------------ Date: 09 Feb 93 11:23:01 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Checksums, CRCs, and other toys padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes: > From: raph@panache.demon.co.uk (Raphael Mankin) > >This means that every CRC can be calculated with very few instructions > >per byte just by pre-computing a 256-entry table of 16- or 32-bit > >values. > Perhaps CRC is a poor choice of acronym since it has an explicit > meaning (but I was replying to another posting). "Checksum" is Padgett, while I agree with the rest of your remark, in the message quoted by you, Mankin is speaking exactly about CRCs, not about checksums in general. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Tue, 09 Feb 93 06:53:48 -0500 From: brunnstein@rz.informatik.uni-hamburg.dbp.de Subject: Re:Wank [Rob Slade:v06 ?21] Comparing Rob Slade's report on Wank with the final report of Th.Langstaff and E.Eugene Schultz from Lawrence Livermoore National Laboratory with title: "Beyond Preliminary Analysis of the WANK and OILZ Worms: A Case Study of Malicious Code" (and my own analysis of WANK#1), I find several differences. Among others, the password attacks were not essentially on "system" etc, and moreover, these worked only correctly in the 2nd WANK version (called OILZ according to some field in the code) which was an *essential* update of WANK (not "vary few changes"). Due to some self-modifying part (this worms were oligomorphic!), there was some confusion in the initial analysis about different versions of Wank. Code analysis showed that there were essentially 2 distinct authors (plus one for arranging final code), with clearly differentiated tasks and skills. Finally, the most interesting part of WANK (which affected significantly less systems than Internet worm) was how Incident handling was done, rather than the worm's functionality. While I generally favour Robert Slade's short reports in Virus-L on network incidents, I strongly suggest that trustful sources of detailed information are mentioned for further reading. The Anti-Malware community should have enough experience that myths spread much faster and live longer than plain truth -:) Klaus Brunnstein (U-Hamburg, February 9,1993) ------------------------------ Date: 09 Feb 93 11:58:44 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Viruses and Worms padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes: > True, both propagate but in different ways: a worm is a stand-alone, > complete in itself and needing only to ensure regular scheduling using > available common resources found within a computing environment. The > processes a worm creates are also separate and distinct entities within > that environment. Resources (e.g. compiler, linker) may need to > be invoked to produce those entities, but will not be altered by it. It is just a matter of definitions. The difference expressed above disappears if you consider that the whole OS of a computer is nothing more than a complex program and a wrom "attaches" itself to the execution of this program. Maybe it is better to put it this way: 1) What Dr. Cohen calls "viruses" is what most other people would call "programs that are able to replicate themselves". They include worms, DISKCOPY, etc. 2) What most other people call "viruses" are programs that attach themselves to the execution of other programs. They are not worms - worms are stand-alone programs, not attached to the execution of a "hast" program. > On the other hand, a process which copies itself onto a disk and modifies > AUTOEXEC.BAT to execute it through a simple append operation would be a worm: > nothing was *replaced*. Sorry, there is a MS-DOS virus, called Dr_Watson, which does exactly that. And we are still calling it a "virus". The main problem is not in the definition of the word "virus". The main problem is that there are several things (BSIs, companion viruses, file system infectors, AUTOEXEC.BAT infectors, etc.) which look much more like worms but we are still calling them "viruses"... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 09 Feb 93 13:29:54 +0000 From: rikardur@rhi.hi.is (Rikhardur Egilsson) Subject: Re: Sale of Viri ercm20@festival.edinburgh.ac.uk (Sam Wilson) writes: >>From the front page of 'Computing', a UK weekly trade paper (the one >which gave us the recent article on supposed 'mainframe viruses'), 4 >February 1993: >"Apache scalps virus cowboys > "Police raided the homes of suspected computer virus authors across >the country last week, arresting five poeple and seizing equipment. > "The raids were carried out last Wednesdau by police in Manchester, >Cumbria, Staffordshire and Devon and Cornwall. > "Scotland Yard's computer crimes unit co-ordinated the raids under the >codename Operation Apache. > " A spokeswoman for the Greater Manchester Police said: 'The >investigation began in the Mancheter area following the arrest of the >self-styled president of the virus writing group in Salford last >December.' > "Police would not reveal the man's name, but said he had been released >on bail. > "Last week's raids led to the the arrest of a further two people in >Manchester. Three other suspects were also arrested in Staffordshire, >Cumbria and Cornwall. > "PCs and floppy disks were seized in all the raids. > "All those arrested have been released on police bail pending further >investigations." But the orginal question STILL remains: how are you going to find the virus writers ? The actions as described above kinda scare me. There seems to be continous 'fright-propaganda' about viruses and the idea is to let people think "viruswriter = criminal" Let's say that someone leaked to the police that *I* was the one responsible for the Michaelangelo outbreak. Then let's say they find out that I hang out with a strange group Interested in Assembly language programming and genereal computing 'hacking'. If someone would ever look through my files and data they *WOULD* find the sourcecode for MA, documented, and some other viruses. Where could that leave me ? The moral of the story is just that, no matter what data you find, you can NEVER prove anything based on that data . As widespread as Viruses have come it does not take a long time to create the source for, let's say, 1704 bytes virus and comment it to the point that there is no trace of the source-code-generator. Even if they actualy found the real writer of MA and all the code and test- versions he probably made, they couldn't do a thing unless of course they had some other information on him/(her?). I don't remember what group it was but someone posted a request resently for virus-code. In short 'hell broke loose' almost anyone reading the posting seemed to belive he was going to use that code for evil purposes. It seemes impossible for those interested, to get the code/data for viruses. Of course that does not surprice me, as I know what most people think of viruses and that there would always be someone to misuse that. On the other hand it shouldn't be that strange that someone offered to sell the code/data to whoomever is interested. In short : do viruses realy have to be that 'taboo' Informing people about them and how they work and even distribute simple samples could be just as effective as the fright-propaganda. The reason for I learned Assembly language was to be able to write a virus. And so I did (I wrote a wariant of vienna). Then Stealth-viruses came along and that tecnology excited me. But as I learned more about them and how they work the 'miracle' tag dropped off. The idea of writing a virus doesn't excide me anymore. I wouldn't be doing anything new. I got issue 1 of CVDQ and there virus there shows me that poople have to spent anourmous time to make a virus that is going to have a faint-change of surviving in the modern-world. I guess that most of those who do write viruses and release them wouldn't if they knew better. They probably think that they're adding new variants to a pool of a couple of viruses and that a lottsa people are going to see and inspect/admire there code. We all know that the viruses are here to stay and noone can stop there spread. If we choose to follow the path we're on it's just a question of time when viruses will outnumber the scanners to the point that they will drown of the sheer mass-code. I guess most of us can aggree on that,that will happen sooner or later the question is just what path we want to take to that point. Net-addr: rikardur@rhi.hi.is Realname: Rikhardur Egilsson Callsign: TF3RET ------------------------------ Date: Tue, 09 Feb 93 15:34:07 -0500 From: fc@turing.duq.edu (Fred Cohen) Subject: Re: undecidability Y. Radai writes: > Secondly, although I address this reply to Fred Cohen, I think it >will also serve as a reply to most of the comments on this subject >made by Vesselin, Padgett and others.) How come I get an engraved invitation? .. I must admit that I am now totally lost. I don't understand what you are trying to communicate. Is it a proposed english language definition of a virus and a pseudo-proof that detection is hard without requiring infinite tapes? Is it 3 different proposed definitions and three pseudo-proofs, one for each definition? Is it the concept of conditional `infection'? Are you using a different concept than the common one for the term undecidability? Perhaps we should consider things piecewise - one definition per article - one point at a time. It just gets too confusing to deal with so many variations at once. You ask for my comment on a non-conclusive proof (designated by the phrase `for all practical purposes') - but there is no such thing as far as I can tell. Either it is a proof or it is not. If it is a proof, it is conclusive, otherwise, it is not - that's what a proof is! You say you are trying to convince people with insufficient background that virus detection is `undecidable'. But without enough background, the term itself is meaningless. Maybe you are going after the wrong thing. Perhaps you should simply try to show them that it is hard with a simple example. That usually works for me. See my short course book for how I usually do it if you are interested. __________________________________________________________________________ US+412-422-4134 Protection Experts US+907-344-5164 FAX US+412-422-4135 -OR- 907-344-3069 24 hours - 7 days __________________________________________________________________________ ------------------------------ Date: Wed, 10 Feb 93 07:00:27 -0500 From: KARGRA@GBA930.ZAMG.AC.AT Subject: virus-definitions Hi, in my previous posting "+- viruses" I did not try to give another definition. I was and am still missing the point wether a piece of software is necessary for a user to do what he wants or not. If we add this question to the last definition of Vesselin, then Diskcopy will not show up as virus, as it is necessary to use this program to copy a floppy. Alfred ################################################################################ Alfred Jilka #This place intentionally left blank. This place inteti Geologic Survey, Austria #onally left blank. This place intentionally left blank KARGRA@GBA930.ZAMG.AC.AT #. This place intentionally left blank. This place inte ################################################################################ ------------------------------ Date: Tue, 09 Feb 93 01:14:37 +0000 From: oep@colargol.edb.tih.no (oep) Subject: Re: NAV questions (PC) Richard M. Flood (rflood@cis.umassd.edu) wrote: : balog@eniac.seas.upenn.edu (Eric J Balog) writes: : >2) Last week, someone posted a message comparing the effectiveness of : >several anti-virus programs. Can anyone tell me how NAV rates as : >compared to other anti-virus programs? : programs rate. As far as I know Macafee SCAN gets a score of 90% and : NAV gets a score of 65%, this is just from memory but you can find out : yourself by ftping vsumx###.zip ( the numbers are the most current : version I think it is 212 ) from most of the better ftp sites. As far as I know, there is a close link between the authors of SCAN and VSUM, and i wouldn't trust the test as a purely independent test. I did *not* say that I trust NAV either.... - - oep ------------------------------ Date: Tue, 09 Feb 93 04:16:53 +0000 From: jdh@medicine.newcastle.edu.au (John Hendriks) Subject: Virstop 2.07 in Icelandic (PC) We have just downloaded the latest version of f-prot (2.07). Of course all is well as far a scan is concerned. At least I can understand the reports. When loading virstop though and testing with f-test the diagnostics are incomprehensible. Is there an English version of virstop? - --------------------------------------------------------------- John Hendriks | Intenet : jdh@medicine.newcastle.edu Faculty of Medicine | University of Newcastle | NSW 2308 | Australia | - --------------------------------------------------------------- ------------------------------ Date: 09 Feb 93 10:25:17 +0100 From: robk@win.tue.nl (Rob Knubben) Subject: (false?) alarm on drx109.zip by Tbav 5.03 with Asig9301 !!! (PC) Hello, Yesterday I downloaded ASIG9301.ZIP; some additional virus-signatures for TbScan 5.03. I checked my hard-disk and got a virus-alarm!!! TbScan reported that the file DIRX.EXE from DRX109.ZIP was infected by the Necropolis virus. Today I downloaed DRX109.ZIP from ftp.terra.stack.urc.tue.nl (a simtel mirror), and the original DIRX.EXE from DRX109.ZIP was infected as well. Is this just a false alarm by TbScan ? (The Second in 2 weeks ...) Or do I really have a virus in my PC? (On my 20Mb disc only DIRX was infected). Please send any answers directly to robkn@blade.stack.urc.tue.nl and put them on the net as well... Thanks, Rob Knubben ------------------------------ Date: 09 Feb 93 11:25:07 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Dame virus (PC) cssiow@iastate.edu (Ching S Siow) writes: > I would like to find out more about this "DAME Virus". My network has > 3 files infected with this virus and would appreciate some help in > cleaning it out. I have tried netscan and inoculan, both of which > failed to discover the virus. So how do you know that 3 files are infected by it? Who told you so? Which scanner? Which version? Please, read the FAQ to learn what information has to be supplied in questions like the above... To my knowledge, mainly McAfee's SCAN calls the MtE-based viruses "DAME". It is not -a- virus, it is a tool for building very polymorphic viruses. In your case you probably have a false positive - only 3 infected files doesn't sound much like any of the known MtE-based viruses... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 09 Feb 93 11:39:05 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: NAV questions (PC) balog@eniac.seas.upenn.edu (Eric J Balog) writes: > 1) I have NAV 2.0 (included w/ NDW 2.0), and I just downloaded > nav20a10.exe from dorm.rutgers.edu. Does my version of NAV now check > for all of the viruses that NAV 2.1 checks for? (mine checks for 451 > viruses/1159 strains) The version that we have here (2.1 with updates of December 1992) claims to check for more than 1,400 strains, so obviously still need to upgrade... > 2) Last week, someone posted a message comparing the effectiveness of > several anti-virus programs. Can anyone tell me how NAV rates as > compared to other anti-virus programs? When tested on our virus collection, NAV detects roughly 70-80% of them, which agrees with its claims (1,400 is about 73% of 1,900 - the number of different viruses in our collection). Unfortunately, I am not able to provide a more exact number, because NAV lacks some features that would be useless to its users but would greatly facilitate the testing. In particular, it does not put the names of the files is doesn't consider to be infected in its report file and is unable to apply its algorithm for boot sector scanning to files containing images of boot sectors. For comparison - McAfee's SCAN gets about 90% and FindVirus and F-Prot get about 95-98%. Note: some people argue that such numbers do not make much sense, because what really has to be tested is how well a scanner detects the viruses that are in the wild. I am unable to provide such testing and I disagree with this belief, for several reasons. Will describe them, if there is enough interest. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 09 Feb 93 12:14:04 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Suggestion to the developers of resident scanners (PC) Hello, everybody! My colleague in front of me is working on an old 12 MHz AT, with no ex{te|pa}nded memory and a slow hard disk. He's using Dr. Solomon's resident scanner GUARD. In order to keep memory requirements low, GUARD is swapping the virus signatures to the disk. This makes the system -horribly- slow, so my colleague considers removing the protection. There are versions of GUARD that swap to EMS, XMS, or to a RAM disk, but this doesn't help him, 'coz he has none of these... I understand that Frisk also intends to make a version of VirStop that keeps the virus signatures on the disk and loads them when necessary. This means VirStop will become almost unusable on the system I am talking about too... What do you want, not everybody has a '486... :-) One solution is to have an option that forces the resident scanner to keep the virus signatures in memory. This is fast, but could take a lot of memory as the number of viruses increases... In the same time, more resident scanners provide the possibility to scan executable files not only when they are about to be executed, but also when they are copied. Of course, if enabled, this slows down the system additionally. I would like to propose to the developers of resident scanners to provide the following mode: 1) Scan the file when it is executed ONLY if it resides on a floppy. 2) Scan a file with executable extension on CLOSE, if this file has been WRITTEN TO -and- if it resides on the hard disk ONLY. The advantage is: 1) By scanning files that are written to, you also catch viruses when they are unpacked from archives, not just when they are copied. 2) If your system is virus-free, then you can catch a virus only if you execute something from a floppy, or if you copy something infected to your hard disk and execute it afterwards. The above methods catches the virus in both cases. 3) When you execute files from the hard disk (the usual situation), there is no overhead for scanning. Thus, the performance of the system is less affected. 4) When you copy files between different directories of the hard disk, there is no scanning overhead. 5) When you copy files from the hard disk to floppies, there is no scanning overhead, which is a plus, because floppy disk access is slow anyway... Of course, I am not saying that this must be the only mode. Users should be able to always scan on execution and/or copying, if they want so. The behavior proposed by me should be provided as an option - - a rather useful option, IMHO. Any comments from the producers of resident scanners? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN < PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 09 Feb 93 11:46:16 +0000 From: REEDA@ibm3090.bham.ac.uk Subject: Twelve Tricks (PC) Norton anti-virus detected Twelve-Tricks virus on one of our PCs but f-prot 2.06a reported the PC as clean. Is this virus one that the current f-prot misses or have we found a NAV false +ve? A.Reed@bham.ac.uk ------------------------------ Date: 09 Feb 93 17:10:39 -0700 From: CASTILLO@nauvax.ucc.nau.edu Subject: STONED, Scanv99/Clean 99 Questions/Concerns (PC) Over the past several days our school has been dealing with the Stoned virus. We've come up with some questions about what might be going on: 1) When Untouchable is used, it says that No-Int has been found but that it cannot fix it. 2) When McAfee's Scan v99 is used, it finds the Stoned virus, and the Clean can clean it. HOWEVER, when scanning AGAIN for the virus, we find it in memory. This is after having booted from a write-protected virus free floppy disk. Further tests apparently show that Stoned can load into memory by a simple read on an infected disk. The documentation I've read via FTP land say that that is impossible. Some people have suggested that Scan is not correct. Questions: Why doesn't Untouchable work right? CAN the Stoned virus load into memory by a simple read from an infected floppy?? Is there a strain of stoned that can do this? Thanks for any help/suggestions. Ulysses. _____ Ulysses Castillo (aka Belgarion) Trr, lbh zhfg or n irel phevbhf crefba! Castillo@nauvax.ucc.nau.edu "And be assured, I am with you always, to the end of Time.", Matt. 28:20 ------------------------------ Date: Wed, 10 Feb 93 01:42:36 +0000 From: worley@a.cs.okstate.edu (WORLEY LAWRENCE JA) Subject: Re: dame virus (pc) A friend of mine has a 486 that recently crashed. After booting on a clean disk, I ran ScanV100 on it, and found that it had the Stoned virus. I cleaned it off, and ran scan again, only to find that it now had Michaelangelo virus. I ran clean again, this time with [Mich], and it reported that the virus had been cleaned off. However, after cleaning, ScanV100 still reported it was in the partition table, and the drive will still not boot. Both floppies in the computer are write protected and are virus-free. I have now run Clean c: [Mich] approx. 30 times, each time, it says it cleaned the drive, and then after rebooting, Scan still reports the virus is there. Any ideas? Thanks- Jason Worley ------------------------------ Date: Wed, 10 Feb 93 07:33:07 -0800 From: An-Ly Yao Subject: SCAN100 and DOS3.3 (PC) SCAN 100 detected an 1575 virus on an 286 AT with DOS 3.30. The virus was detected during memory scan after any kind of TSR program was installed residently. I then found, that COMMAND.COM was 4 bytes longer, than the original COMMAND.COM: 86h,05h,86h,05h, if I remember correctly. (or was it 05h,86h,...?). Anyway, that shouldn't be dangerous. I reloaded COMMAND.COM from that PC's original DOS 3.30 disk, and no viruses were reported. Goetz Kluge anlyyao@igc.apc.org Seoul, Korea, 1993/02/11 ------------------------------ End of VIRUS-L Digest [Volume 6 Issue 23] *****************************************