From CUNYVM.CUNY.EDU!lehigh.edu!virus-l Fri Feb 12 15:52:11 1993
Date: Fri, 12 Feb 1993 09:28:41 -0500
Message-Id: <9302121354.AA11086@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V6 #25
Status: R

VIRUS-L Digest   Friday, 12 Feb 1993   Volume 6 : Issue 25

Today's Topics:

The moderator is moving to a new address
Viruses in Warfare
Pundits and bandits
Re: Virus education
Re: New virus in Germany :-( (PC)
Re: New Virus (PC)
STONED update/additional info questions. (PC)
Notes about Sunday Virus (PC)
DOS undocumented switches... (PC)
F-prot/FSP/bootsum problem. Help! (PC)
Re: dame virus (PC)
Virus scan on a compressed drive (PC)
New way of opening files??? (PC)
Unknown Virus (PC)
Re: New virus in Germany :-( (PC)
MtE Infected... (PC)
latest CPS virus definition file sought (PC)
Warning: Michelangelo will return (PC)
UMB-1 (Tremor) (PC)
Re: Cascade & SCANV99 (PC)
Michelangelo origins (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 11 Feb 93 14:21:52 -0500
From: Kenneth R. van Wyk
Subject: The moderator is moving to a new address

VIRUS-L/comp.virus readers:

I'm going to be moving to a new location and a new job. Starting 1 March 1993, I'll be working for the Defense Information Systems Agency (DISA) in Washington, DC (actually, Arlington, Virginia...). I fully intend to keep VIRUS-L/comp.virus running at full steam, but please bear with me during the transition period.

While all of my old e-mail addresses should continue to direct mail to me, I'll be getting a new e-mail address at the new location. I've set up an interim account, however, and will be moderating VIRUS-L from it for at least a few weeks. The new address is: krvw@first.org. Once I have a permanent $HOME account at DISA, I may move the moderation duties over to that, but for the meantime the above address will be used for my VIRUS-L work.

I want to begin testing the new mechanism starting next week (15-19 February). None of you _should_ notice any change in service, but if you do, please report it to me at krvw@first.org.

NOTE that the submission procedure will not change; you should still post any submissions to VIRUS-L@LEHIGH.EDU, or post to the comp.virus newsgroup. All submissions will be forwarded to the new moderator address, as if by magic. :-)

Thanks to the National Institute of Standards and Technology (NIST), who is graciously allowing me to use one of their systems, first.org, for this purpose.

Cheers,

Ken

My soon-to-change .signature follows:

Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@CERT.ORG (work)
ken@THANG.PGH.PA.US (home)
(412) 268-7090 (CERT 24 hour hotline)

------------------------------

Date: Thu, 11 Feb 93 19:17:10 +0000
From: "George Guillory"
Subject: Viruses in Warfare

In the past in this newsgroup there has been much discussion of the use of viruses in the military. I have always believed that I saw legitimate research in this area in the past. Well, researching another issue, I came across the reference.

In the Proceedings of the Fourth Annual Computer Virus and Security Conference there is an article on pages 830-845 titled "Computer Viruses in Electronic Warfare" by Dr. Myron L. Pratt and Stephen R. Pratt of Booz, Allen and Hamilton. Abstract included in the paper:

"Events of the last few years have demonstrated dramatically that computer viruses are not only feasible but can quickly cause catastrophic disruption of computer systems and networks. Current trends in the development of military electronic systems have significantly increased the vulnerability of these systems to computer virus attack. This has created a new form of electronic warfare consisting of the electronic insertion of computer virus microcode into a victim electronic system through direct or indirect mechanisms. This paper discusses the application of computer virus techniques to electronic warfare from both an offensive and defensive perspective."

------------------------------

Date: Thu, 11 Feb 93 22:07:21 -0500
From: fergp@sytex.com (Paul Ferguson)
Subject: Pundits and bandits

On 7 Feb 93 (20:29:44 GMT), Vesselin Bontchev wrote -

VB> According to the latest information, six members of the ARCV
VB> group have been arrested. Perhaps this will stop them from
VB> writing viruses any more...
Well, it may stop them from authoring viruses, but unfortunately virus "creationists" are like a pesky rodent infestation -- you eradicate six of them and there are six (times two) that step in to take their place.

I'm anxious to hear their punishment (if any). Hopefully the participants of this list will keep us informed of any interesting developments in this particular case.

Cheers from Washington, DC.

_____________________________________________________________________
Paul Ferguson                   | "The goal of all inanimate objects
Network Integration Consultant  |  is to resist man and ultimately
Alexandria, Virginia USA        |  defeat him."
fergp@sytex.com (Internet)      |            -- Russell Baker
sytex.com!fergp (UUNet)         |
1:109/229 (FidoNet)             |
PGP public encryption key available upon request.

- ---
fergp@sytex.com (Paul Ferguson)
Sytex Systems Communications, Arlington VA, 1-703-358-9022

------------------------------

Date: Fri, 12 Feb 93 08:24:02 -0500
From: Chip Seymour
Subject: Re: Virus education

> Re: Donald G Peters
> Subject: What is safe to discuss?

> "How do we prevent the bad guys from getting educated?" I don't have
> a good answer to that, since bad guys have a right to attend schools
> like us good guys do. Personally, I believe strongly in censorship
> of some things, but I'm not yet convinced that censorship of
> virus-related information does much good.

I couldn't agree with Mr. Peters more, but I find that I am the one in need of the education. It seems the Black Hats have a more advanced knowledge of how to perpetrate computer crimes than we White Hats have to properly protect electronic assets. WE'RE playing catch-up with THEM.

BTW, all the talk over the definition of a virus is ok, but how do I apply that to the protection of my work here? The viruses themselves don't care - they just do what they're told.
Chip Seymour
Net Admin
Computervision Corp
Bedford MA

------------------------------

Date: 12 Feb 93 13:28:35 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New virus in Germany :-( (PC)

Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert) writes:

> There's a new virus around in Northern Germany which was isolated on the
> Fachhochschule Braunschweig/Wolfenbuettel on Feb. 4, 1993. It was analyzed by
> Robert Hoerner and has the following characteristics:

> - infects COM and EXE
> - loves infecting COMMAND.COM on drive A:

More exactly, loves infecting the command interpreter - regardless of where it is. For instance, C:\DOS\4DOS\4DOS.EXE works just as well as A:\COMMAND.COM.

> - TSR in UMBs (!), stealth
> - uses interrupt trace techniques
> - slightly polymorphic, WHALE and FISH-like

Tested the following scanners: FindVirus 6.10 (Drivers of December 5, 1992); F-Prot 2.07; SCAN 100. Only F-Prot 2.07 detects the virus and NOT reliably - some infected files are missed. I was told that S&S International has created an external additional driver for their scanner that detects this virus; users of Dr. Solomon's Anti-Virus ToolKit should contact them for more information.

> - uses seconds-stamp for marking infections
> - contains the encrypted text "T.R.E.M.O.R was done by NEUROBASHER /
> May-June'92, Germany" and "MOMENT OF TERROR IS THE BEGINNING OF
> LIFE"
> - Length: exactly 4000 bytes

Some additional information:

1) The virus uses the following "Are you there?" call: INT 21h/AX=F1E9h, returns AX=CADEh. A program that intercepts that could be used as a poor man's defense.

2) The virus particularly targets the program VSAFE that comes with Central Point Anti-Virus and MS-DOS 6.0 and disables it. I'm not certain why it does that - the virus is tunnelling enough to bypass monitoring software... Maybe the virus author just wanted to demonstrate that he knows how to disable this particular program.
3) The virus is definitely in the wild in Germany. There is some information that a large software distributor has shipped it with some software, but we don't have confirmation yet.

> The virus is provisionally referenced as "UMB-1 (Tremor)", until a name has
> been officially constituted.

CARO name for this virus is Tremor.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: 12 Feb 93 13:41:53 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New Virus (PC)

Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz) writes:

> For someone who's not very smart, the Whale virus would sound like a
> good work-grounds, because it is fairly known that most of the virus
> code is dedicated to anti-debugging (which consequently made it very
> slow), and that would allegedly make it harder to detect.

First, for someone who's not very smart, the Whale virus will be too difficult to understand, so they are more likely to go hacking yet another Jerusalem variant. Second, Whale is -trivial- to detect - just 34 simple (i.e. non-wildcard) scan strings...

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. >  Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany

------------------------------

Date: 11 Feb 93 12:23:59 -0700
From: CASTILLO@nauvax.ucc.nau.edu (Ulysses Castillo)
Subject: STONED update/additional info questions. (PC)

I want to thank the people who have responded with their ideas about what might be happening.
I also wanted to explain more clearly the procedure we followed. Specifically:

1) Cold booted from a write-protected virus-free disk.
2) Used SCAN v99 on C:, no virus was found in memory or on C:.
3) Inserted an infected floppy in B:.
4) Ran scan on B:. No virus found in memory, Stoned virus found in boot sector of B:.
5) Ran scan on B: again. Virus found in memory and in boot sector of B:. (HOW???)
6) Reboot (cold boot, not control-alt-delete).
7) Inserted infected disk in B:.
8) Ran CLEAN on B:. Virus NOT in memory, but found in boot sector of B:. Virus removed from B:.
9) Ran scan on B:. Virus found in memory (again, HOW???), but NOT found on B:.

Again, from these observations we are being led to believe that Stoned loaded itself into memory after a read operation on the infected disk. Again, the documentation I've read on Stoned seems to indicate that this is impossible. Alternately, it's been suggested that SCAN/CLEAN can give false alarms on occasion.

And to answer other questions that have come up, disk caching was NOT on during this time, all reboots were cold boots, and scan/clean.exe were located on C:.

Ideas?

Ulysses.
_____
Ulysses Castillo (aka Belgarion)      Trr, lbh zhfg or n irel phevbhf crefba!
Castillo@nauvax.ucc.nau.edu
"And be assured, I am with you always, to the end of Time.", Matt. 28:20

------------------------------

Date: Thu, 11 Feb 93 17:09:07 -0500
From: "Mario Rodriguez (Virus Researcher)"
Subject: Notes about Sunday Virus (PC)

The virus Sunday is rather old, but is still in the wild. It hit some Mexican universities, but is not too disseminated. The version we have here is the original one (version A).

This virus is a simple non-encrypting virus. It stays resident using interrupt 21h service 31h (TSR). Because of this you can find the program from which the virus got into memory in the list presented by the command 'MEM.EXE /P'. The size shown in that list is 750h.
Sunday infects programs with extensions .COM, .EXE and .OVL as they are executed. The .COM files grow 1,636 bytes, and .EXE and .OVL files grow between 1,636 and 1,647 bytes. The programs are NOT reinfected; the virus checks for the signature 'C8 F7 E1 EE E7' at the end of the file. In .COM programs the original program would be right before this signature.

The virus doesn't infect COMMAND.COM or any program with this name. At displacement 84h can be found the string "COMMAND.COM", which is the one that prevents the infection of that program.

Sunday intercepts interrupts 21h (DOS services) and 8 (time of day), but the last one is only intercepted if the year is different from 1989. In any other year the virus will activate on Sundays, and on that day, 10 seconds after an infected program is executed, the virus will 'teletype' the following message using interrupt 10h (video services):

"Today is SunDay! Why do you work so hard?"
"All work and no play make you a dull boy!"
"Come on ! Let's go out and have some fun!"

The text above will keep appearing every 10 seconds. If you try to write a command and the text 'breaks' it apart, it will still work. By that time ANY program you try to run will be erased, producing the error "Cannot execute 'filename'". Before deleting, the virus will erase any attribute of the file, so a READ ONLY attribute will be of no help.

On any day, executing programs on a write-protected diskette will look normal, because the virus intercepts for a moment interrupt 24h (error handler). To get rid of the virus it would be enough to press CTRL-ALT-DEL and the virus will be out of memory. Almost any vaccine can detect it and safely remove it.

Recently, in Mexico a rumor has appeared about a new version of the Sunday virus that presents a different text and a strange sound instead of deleting files, but I have seen none of those. So, perhaps it's just an invention.

Any comments would be appreciated.
Mario Rodriguez (Virus Researcher)
Instituto Tecnologico de Estudios Superiores de Monterrey.
Campus Estado de Mexico.
em436861 at itesmvf1.cem.itesm.mx
em436861 at rsserv.cem.itesm.mx

------------------------------

Date: Thu, 11 Feb 93 17:30:18 -0500
From: Fabio Esquivel
Subject: DOS undocumented switches... (PC)

Hi everybody.

I recently found a copy of the Compaq MS-DOS 5 Reference Guide as published by Compaq Computer Corporation. Some of you have posted on this forum that undocumented switches for several DOS commands have been found in the MS-DOS 5 released by Microsoft (April 9, 1991 version). Reviewing this book I found that the Compaq DOS 5 version documents some of them.

Documented switches:

"FDISK /mbr"
    Indicates that the master boot record is to be updated.

"FDISK /status"
    Displays a list of all hard drives and partitions.

"VER /r"
    Specifies that the revision number is to be displayed along with a message indicating whether DOS is loaded in high or low memory.

Not documented switches:

"COMMAND /f" (included in the SHELL= command in CONFIG.SYS)
    Makes an automatic (F)ail on "Abort, Retry, Fail?" messages.

"FORMAT /backup"
    I don't know its function, but when I ran it I got this message: "Parameters not compatible with fixed disk". I'm using an IDE 40Mb hard disk that uses sector translation.

"FORMAT /select"
    Unknown function, but it seems to do much besides creating the files MIRROR.FIL and MIRORSAV.FIL for use with the UNDELETE and UNFORMAT commands.

"FORMAT /autotest"
    Saves UnFormat information (by creating MIRROR.FIL and MIRORSAV.FIL again) and verifies the drive's surface without deleting information. This command fills the boot record (NOT the master boot record) of hard drives with null bytes... :-( So, if you try to boot from the hard drive formatted in this way, you'll get the message "Missing operating system" (thanx Norton's DiskTool.EXE, I could restore it from my Rescue Diskette ;-).

Moreover, the MODE command has A LOT of new switches.
Regards,
Fabio.

PS: BTW, What the h... does "IMHO" mean?

[Moderator's note: The H in IMHO stands for "humble".]

PS2: Yesterday I was playing with McAfee's SCAN V100 just a bit... When I issued the command "C>SCAN" with no parameters, I got the usual help lines for the SCAN.EXE; however, when I issued the command "C>SCAN /?" I got the help lines for NETSCAN.EXE. Sometimes you can find some funny "bugs"...

Fabio Esquivel Chacon
fesquive@ucrvm2.bitnet
University of Costa Rica
"Women, Music and Computers drive me crazy..."

    Computerize God - It's the new religion
    Program the Brain - Not the heartbeat
    Virtual existence / Superhuman mind
    The ultimate creation / Destroyer of mankind
    Termination of our youth / For we do not compute
    "Computer God" - Dehumanizer
    Ronnie James Dio - Black Sabbath (1992)

------------------------------

Date: Thu, 11 Feb 93 17:54:06 -0500
From: 92brown@gw.wmich.edu (THE EYES OF GO ARE WATCHING YOU)
Subject: F-prot/FSP/bootsum problem. Help! (PC)

I have a question regarding a problem I am having running Flushot and F-prot 2.06 concurrently. (I have not yet updated to F-prot 2.07 or FSP+). I have FSP configured so that it checks my bootsum when I boot up. The value of the bootsum is not supposed to change, and never does until I scan my drive with F-prot. After I finish scanning my drive I get an alert from FSP saying my bootsum records do not match, and then it shows the newly assigned value.

I am confused about why F-prot changes my bootsum when it scans my drive and if there is anything I can do about it. Should I simply disable FSP before I scan with F-prot, bear with the problem and pretend it doesn't exist, or break down and upgrade my software?
By the way, my system is an IBM AT (100% compatible) running Stacker on a 32m hard drive, and DOS 5.0.

Help if you can, thanks.

- --
Sean Brown
Department of Anthropology        "The EYES in GO
Western Michigan University        are Watching You"
92BROWN@GW.WMICH.EDU

------------------------------

Date: 11 Feb 93 16:20:00 -0800
From: a_rubin@dsg4.dse.beckman.com
Subject: Re: dame virus (PC)

worley@a.cs.okstate.edu (WORLEY LAWRENCE JA) writes:

>A friend of mine has a 486 that recently crashed. After booting on a
>clean disk, I ran ScanV100 on it, and found that it had the Stoned
>virus. I cleaned it off, and ran scan again, only to find that it now
>had Michelangelo virus. I ran clean again, this time with [Mich],
>and it reported that the virus had been cleaned off. However, after
>cleaning, ScanV100 still reported it was in the partition table, and
>the drive will still not boot. Both floppies in the computer are
>write protected and are virus-free. I have now run Clean c: [Mich]
>approx. 30 times, each time, it says it cleaned the drive, and then
>after rebooting, Scan still reports the virus is there. Any ideas?

This is a known problem, as Stoned and Michelangelo both modify the boot sector in similar ways. You'll need to recreate or relocate the boot sector. Norton Utilities will probably help you locate the boot sector (it may be absolute sector 3 or 7). If you have DOS 5, FDISK /MBR will probably work. Otherwise, Padgett's fine program (whose name I've forgotten) may help you.

- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.
My interaction with our news system is unstable; please mail anything important.

------------------------------

Date: Mon, 08 Feb 93 14:13:00 +0100
From: Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Virus scan on a compressed drive (PC)

> From: wongja@ecf.toronto.edu (WONG JIMMY PAK-YEN)

> I'm considering getting some sort of disk compression utility for my
> PC (such as Stacker). Are virus scan programs still able to detect a
> virus on a compressed hard drive? Presently, when I download some ZIP

Those programs are user-transparent, and decompress on the fly. Since most, if not all, of the scanners use standard DOS function calls to access files, there is no reason for them not to work on compressed media or any other device that has a transparent interface.

Inbar Raz

- - --
Inbar Raz
5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
nyvirus@weizmann.weizmann.ac.il

- ---
* Origin: MadMax BBS - Co-SysOp's Point. (9:9721/210)

------------------------------

Date: Tue, 09 Feb 93 14:48:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: New way of opening files??? (PC)

Hi

You quote:

> Nemrod_Kedem@f101.n9721.z9.virnet.bad.se (Nemrod Kedem) writes:

Nemrod is quoting me:

>> > Why go so far? Did you hear of writing to the disk via a port - instead
>> > of using the standard interrupt method to write?
>> > I don't know of any A-V product that can monitor writing to ports,
>> > (unless it was a debugger that monitors every command that an
>> > application performs, and believe me: you don't want to use that!).

and adds:

>> More than that: A product like the one you described will only work on 386,
>> or higher, in protected mode....

> Well, there are several ways to spot writing to the disk port directly.
> Obviously, software-only methods would be limited in speed, which means

Isn't that what I said?...
> it is a good idea to have a dedicated machine for testing programs for
> viruses (and compatibility) as they come into an organisation.

Great idea.

> The methods are:

Here you list a number of debuggers, hardware tools and so on to help you monitor direct disk access. Obviously you are correct, but the main issue here was to help anyone (not only an organization with capabilities) to think of a solution to this problem. What you suggest is a bit too expensive for a user to get, and he doesn't have the time nor the means to create a virus combat Tank (nor should he).

> Overall, I prefer viruses that do something out of the ordinary, like trying to
> write to disk ports, since they become easy to distinguish from valid software.

Me too, but life is different, don't you think?

> The big problem with viruses on PC's, at least, at the moment is that there is
> a large fuzzy area filled with programs (like Norton's DS and self-modifying
> executables) that bypass DOS in the same way that viruses do - you have to
> individually look at what they are doing and decide whether that is okay.

I wish it were the only problem.

> There are a few "clever" tricks like direct disk access that I genuinely hope virus
> writers will adopt - in place of yet-another-stoned-hack and so on, and I think
> that naming schemes which give too much glory to authors of slightly-changed
> viruses should be changed to reflect the fact that it is just another hack of
> somebody else's idea. Even if string-scanners weren't being overtaken by virus
> technology, the sheer nuisance factor of hundreds of slightly new viruses is
> worth discouraging.

Personally I prefer that they will just stop writing viruses, or better yet write usual ones that are easy to solve with generic methods like FDISK /MBR or SYS or... and let the PC users work without fear. Are you among those that will sacrifice the user's benefit for an academic interest?
> (Hopefully this will generate some interesting discussion!)

If that's what you were aiming at... you got it.

Regards

* Amir Netiv. V-CARE Anti Virus, Head team *

- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: Tue, 09 Feb 93 14:11:00 +0100
From: Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Unknown Virus (PC)

PROPE4@ifens01.insa-lyon.fr (Arnaud Thomas) writes:

> I've got a problem with my computer. Sometimes ASCII files change. There
> are letters which become others. When I use SCAN, I find no viruses.

You probably have a hardware problem or a configuration problem of your software. However some viruses tend to do just what you write. For example the HAIFA virus will add some text to every *.DOC file that it meets, or the DBASE virus will change dbase data files in a way only it knows, and there are others. I think it would be best to try to reconfigure your software or try to take some files to another machine: if the other machine shows strange symptoms, then you probably have a virus problem on your hands; otherwise it's probably what I explained above. If you do not manage to solve it by yourself call (1) 64 66 15 97 (Paris), maybe they can help you.

Good Luck...

Regards

* Amir Netiv. V-CARE Anti Virus, Head team *

- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date: 11 Feb 93 22:06:27 -0500
From: eggo@STUDENT.umass.edu (Round Waffle)
Subject: Re: New virus in Germany :-( (PC)

ballerup@diku.dk (Per Goetterup) writes:

>Some of those words are from material by the Belgian techno/industrial
>band named 'Front 242'. "Neurobasher" is a B-side song from the
>"Tragedy For You" remix-maxisingle, and the sentence "Moment of terror
>is the beginning of life" is from the inner cover of their album
>"Front By Front" (I think).

This is mere semantics, but the Front 242 single I have lists "Neurodancer" rather than "Neurobasher".
Thus, the word "Neurobasher" may not have come from Front 242, but rather some other musical (or non-musical) source. I just wanted to clear this up in case someone was perhaps trying to do a little viral pathology.

- --
+- eggo@titan.ucc.umass.edu                        Eat Some Paste -+
+- Yorn desh born, der ritt de gitt der gue,                       -+
+- Orn desh, dee born desh, de umn bork! bork! bork!               -+

------------------------------

Date: Fri, 12 Feb 93 06:52:20 +0000
From: mdewaele@TrentU.CA (martin dewaele)
Subject: MtE Infected... (PC)

I have Norton Anti-Virus 2.1 and it has detected what is called the MtE Infected virus. Yet the Repair function states that it is unable to repair the infected file. Does anyone happen to know what the virus is or the problem which is creating this warning in Norton Anti-Virus? I usually don't subscribe to this conference, but am now, so if it has previously been discussed I apologize.

Martin Dewaele

------------------------------

Date: Fri, 12 Feb 93 03:52:12 -0500
From: simionat@unive.it
Subject: latest CPS virus definition file sought (PC)

I have CPS Antivirus software (original package) and I would like to know if the latest virus definition files are available on the Internet. I know they are posted by CPS to dialup BBS, but it's somewhat trickier - and too expensive - if you're calling from Italy. If someone has them, would you be so kind as to send them to me? Please reply DIRECTLY, I'm not on this list. If someone asks for it, I can later summarize the responses to the list.
___________________________________________________________________
Marco Simionato          tel : 39 - (0)41 5225570
Dorsoduro 2408/B         fax : 39 - (0)41 5225570
30123 Venezia, ITALY     email: simionat@unive.it
___________________________________________________________________

------------------------------

Date: Fri, 12 Feb 93 10:23:10
From:
Subject: Warning: Michelangelo will return (PC)

We, a group of young informatics concerned with viruses, tried it out with some infected floppies we still had, and Michelangelo is indeed starting on March 6. We also made another test and scanned several floppies from non-professional users, and on some of them we found Michelangelo. So to be sure, scan your disks before March 6.

- ---> SJAMAYEE
GHGAOAT@CC1.KULEUVEN.AC.BE

SJAMAYEE
P.O. BOX 1
B-3370 BOUTERSEM
BELGIUM

------------------------------

Date: Fri, 12 Feb 93 10:28:42
From:
Subject: UMB-1 (Tremor) (PC)

This virus was already discovered earlier somewhere in Belgium. Who, I don't know, but someone passed me the information just before New Year. And that info was just the same as the one that Malte Eppert writes.

P.S. Ballerup.diku is talking about the origin of the words and, as a Belgian, I can affirm what he said.

- ---> SJAMAYEE
GHGAOAT@CC1.KULEUVEN.AC.BE

SJAMAYEE
P.O. BOX 1
B-3370 BOUTERSEM
BELGIUM

------------------------------

Date: Fri, 12 Feb 93 14:53:29 +0000
From: julianh@sni.co.uk (Julian Haddrill)
Subject: Re: Cascade & SCANV99 (PC)

I too have had the same problem, with the 'FORM' virus. Scanning and finding the virus caused it to infect my PC, and I had to Clean the PC from a Write-Protected safe floppy with CLEAN on it.

You've just got to be careful out there!

Regards
Julian

------------------------------

Date: Thu, 11 Feb 93 14:57:15 -0800
From: rslade@sfu.ca
Subject: Michelangelo origins (CVP)

I've been a bit behind in keeping ahead of my columns. This past week's research reminds me: it's that time of year again. Part 1 of 5.

HISVIRV.CVP   930210

                        Michelangelo Origins

Although disputed by some, Michelangelo is generally known by researchers to have been built on, or "mutated" from, the Stoned virus. The identity of the replication code, down to the inclusion of the same bugs, puts this beyond any reasonable doubt. Any "successful" virus inspires (if such a term can be used for the unimaginative copying that tends to go on) "knock-offs": Michelangelo is unusual only in the extent of the "renovations" to the payload.

The Stoned virus was originally written by a high school student in New Zealand. All evidence suggests that he wrote it only for study, and that he took precautions against its spread. Insufficient precautions, as it turns out: it is reported that his brother stole a copy and decided that it would be "fun" to infect the machines of friends.

Reporting on the "original" state of a virus with as many variants as Stoned is difficult. For example, the "original" Stoned is said to have been restricted to infecting floppy disks. The current most common version of Stoned, however, does infect all disks.
It is an example of a second "class" of boot sector infecting viri, in that it places itself in the master boot record, or partition boot record, of a hard disk instead of the boot sector itself. In common with most BSIs, Stoned "repositions" the original sector in a new location on the disk. On hard disks and "double density" floppies this generally works out: on high (quad) density floppies system information can be overwritten, resulting in a loss of data. One version of Stoned (which I do not have) is reported not to infect 3.5" diskettes: this is undoubtedly the template for Michelangelo since it doesn't infect 3.5" disks either.

Stoned is an extremely simple virus. Its length is less than 512 bytes, and it requires no more space than the original boot sector. It is extremely infective, and also, in viral terms, extremely successful. Stoned is definitely the most "common" (in terms of number of infections) virus at present. If all variant members of the Stoned family are included, all my research, and all published studies that I have seen, indicate that this family accounts for more infections than all other viral programs combined.

Stoned has "spawned" a large number of "mutations" ranging from minor variations in the spelling of the "payload" message to the somewhat functionally different Empire, Monkey and No-Int variations. Interestingly, only Michelangelo appears to have been as "successful" in reproducing, although the recent rise in Monkey reports is somewhat alarming.

copyright Robert M. Slade, 1992   HISVIRV.CVP   930210

=============
Vancouver      ROBERTS@decus.ca      | "The client interface
Institute for  Robert_Slade@sfu.ca   |  is the boundary of
Research into  rslade@cue.bc.ca      |  trustworthiness."
User           p1@CyberStore.ca      |        - Tony Buckland, UBC
Security       Canada V7K 2G6        |

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 25]
*****************************************
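The Sunday notes in Mario Rodriguez's message above give enough detail to build a small file-level check: the virus marks each infected file with the trailer 'C8 F7 E1 EE E7' so it will not reinfect it, it only touches .COM, .EXE and .OVL files, and the growth per extension is fixed (1,636 bytes for .COM, 1,636 to 1,647 for .EXE/.OVL). The following Python is an added example, not code from the digest or from any of its contributors; it scans a set of in-memory files for that trailer and, where a clean baseline size is known, checks whether the growth matches. The sample files and baseline sizes are constructed for the demonstration, and the function names are my own.

```python
"""Added example (not code from the digest or from Mario Rodriguez): a small
scanner built from the Sunday-virus notes above (end-of-file marker, growth
per extension, targeted extensions). All sample files below are constructed."""
import os
from typing import Dict, List, Optional

# Values quoted from the Sunday notes in the digest.
SUNDAY_MARKER = bytes.fromhex("C8F7E1EEE7")   # appended at the very end of an infected file
COM_GROWTH = 1636                             # .COM files grow exactly this much
EXE_OVL_GROWTH = range(1636, 1648)            # .EXE/.OVL grow 1,636..1,647 bytes
TARGET_EXTENSIONS = {".com", ".exe", ".ovl"}  # only these are infected, on execution


def has_sunday_marker(data: bytes) -> bool:
    """The virus uses this trailer to avoid reinfecting a file; a scanner can
    look for the same trailer to spot a file that has already been infected."""
    return data.endswith(SUNDAY_MARKER)


def growth_matches(ext: str, baseline_size: int, current_size: int) -> bool:
    """Does the size change since a clean baseline match the reported growth?"""
    delta = current_size - baseline_size
    ext = ext.lower()
    if ext == ".com":
        return delta == COM_GROWTH
    if ext in (".exe", ".ovl"):
        return delta in EXE_OVL_GROWTH
    return False


def scan_file(name: str, data: bytes, baseline_size: Optional[int] = None) -> Dict[str, object]:
    """Classify one file: is it a target, does it carry the marker, and (when a
    baseline size is known) has it grown by the amount the message reports."""
    ext = os.path.splitext(name)[1].lower()
    result: Dict[str, object] = {
        "name": name,
        "targeted": ext in TARGET_EXTENSIONS,
        "marker": False,
        "size_suspicious": None,
    }
    if not result["targeted"]:
        return result  # .TXT etc. are never infected, so the trailer means nothing there
    result["marker"] = has_sunday_marker(data)
    if baseline_size is not None:
        result["size_suspicious"] = growth_matches(ext, baseline_size, len(data))
    return result


def scan_files(files: Dict[str, bytes], baseline: Optional[Dict[str, int]] = None) -> List[str]:
    """Names of targeted files carrying the marker, sorted. 'baseline' maps a
    file name to its size recorded when the machine was known to be clean."""
    baseline = baseline or {}
    return sorted(name for name, data in files.items()
                  if scan_file(name, data, baseline.get(name))["marker"])


# Constructed sample files: no virus code, just bytes shaped to exercise the checks.
CLEAN_COM = b"\xb4\x4c\xcd\x21" + b"\x00" * 200              # 204-byte stand-in for a program
MARKED_COM = CLEAN_COM + b"\x90" * (COM_GROWTH - len(SUNDAY_MARKER)) + SUNDAY_MARKER
SAMPLE_FILES: Dict[str, bytes] = {
    "HELLO.COM": CLEAN_COM,
    "GAME.COM": MARKED_COM,                          # grew by exactly 1,636 bytes, ends in the marker
    "README.TXT": b"not a program" + SUNDAY_MARKER,  # marker on a non-target file is ignored
}
BASELINE_SIZES = {"HELLO.COM": len(CLEAN_COM), "GAME.COM": len(CLEAN_COM)}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(scan_file(name, data, BASELINE_SIZES.get(name)))
    print("files carrying the Sunday marker:", scan_files(SAMPLE_FILES, BASELINE_SIZES))
```

The trailer check on its own is weak evidence: any file that happens to end in those five bytes trips it, and a variant of the virus (such as the one rumoured in the message) could use a different marker, which is why the size comparison against a clean baseline is kept as a second signal. As the message itself notes, the resident copy is gone after a cold reboot, so a check like this belongs in a clean-boot scan rather than on a machine where the virus may still be in memory.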