Date:         Mon, 7 Jan 91 15:20:53 EST
From: "The Moderator Kenneth R. van Wyk" <[email protected]>
Subject:      VIRUS-L Digest V4 #5
To: Multiple recipients of list VIRUS-L <[email protected]>

VIRUS-L Digest   Monday,  7 Jan 1991    Volume 4 : Issue 5

Today's Topics:

Re: University Policy
Re: Virus Vaccine (PC)
re: Virus Vaccine (PC)
Re: Virus Protection (PC)
nVIR-like resources... (Mac)
Strange Problem Running Disinfectant 2.4! (Mac)
Apple //gs "Die!" Virus
Re: Apple //gs Virus (Followup - READ ME FIRST)
Grapes virus? (Mac)
PVALIDAT.ZIP - Portable VALIDATE using McAfee algorithms (PC)
QEMM Virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

---------------------------------------------------------------------------

Date:    03 Jan 91 19:14:55 +0000
From:    [email protected] (David C Goodwin)
Subject: Re: University Policy

For a while last year we were hit with a lot of IBM viruses, all at
once.  We have Novell networks, that use individual boot disks, and
that's how it spread from floppy to floppy.  Every time a user asked
for a boot disk, we grabbed any floppies they had and SCAN'ed them.
The average user didn't carry more than two or three floppies at a
time.

Good luck.

------------------------------

Date:    Thu, 03 Jan 91 18:05:11
From:    [email protected]
Subject: Re: Virus Vaccine (PC)

>From:    Evelyn Duncan <[email protected]>
>
>A friend of mine has an IBM-compatible computer and wants to dial into
>the VM system here, but he needs a program that will prevent viruses
>from infecting his system at home.  He would like a program such as
>Virex.  He called Virex's 1-800 number, but it was disconnected.
>
>If you know of any program, please contact me.

You might want to try calling the Virex people at 919-490-1277. I know
there's a 1-800 number, but for me it's just a FastDial code on my
phone.  Try calling up 1-800 information and ask for either Microcom
in Durham, N.C., or for HJC Software (former name until Microcom
bought them out).

I can probably answer any questions you might have regarding Virex-PC.

Ross M. Greenberg
Author, Virex-PC & FLU_SHOT+

Views expressed herein are not representative of Microsoft.

------------------------------

Date:    Thu, 03 Jan 91 22:05:34 -0400
From:    [email protected] (Hai Pham)
Subject: re: Virus Vaccine (PC)

In reply to Evelyn Duncan's question for a PC Virex equivalent.

I could be very wrong (if there's a way to do it, someone will find
a way to), but as far as I know, your friend should not need a virus
shield to protect himself from infection if all he's going to do is
dial in and use your VM system interactively.  This is because for a
virus to enter a computer through a modem, it must enter via an
infected program which was downloaded into his computer.  If he does
download programs into his system, then all he would have to do is to
check it over with a virus scan program, such as McAfee's "scan".
This is because before a virus can infect the system, the infected
program would have to be run first, so if you scan for virus infection
before you run the program, you will catch them before they can do any
harm.

There is no way in which your friend could be infected by something
like the Internet Worm, if he is only using a terminal emulator.  The
reason the Internet Worm was able to infect all those Internet sites
was because the computers involved all ran a common operating system
(UNIX), and it took advantage of a bug in the UNIX mail program to get
into the remote system.

If I am wrong on any of the above points, I would appreciate immediate
feedback (so I can take steps to protect my computer).

*******************************************
Hai Pham
TPI, Physics Dept.
Box 383, Saint Francis Xavier University
Antigonish, Nova Scotia, Canada, B2G 1C0.
Email: [email protected] (Internet)
*******************************************

------------------------------

Date:    04 Jan 91 14:53:35 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Virus Protection (PC)

[email protected] (Sulistio Muljadi) writes:
>[email protected] wrote in VIRUS-L volume 205:

>> The one negative comment about F-Prot is that the updates appear to be less
>> frequent than one might wish.

Well, yes, I admit I send out updates less frequently than would be desirable,
but I expect to send out a new version every 4 weeks or so in the future.  The
next version (1.14) should be ready any day now - I am busy adding routines to
detect and remove all the viruses I received at the conference in Hamburg.

>  One other negative comment about F-Prot is:
>
>F-driver.sys does not check drive A for any possible boot sector virus
>when we warm boot the machine.  The V-Shield does check drive A for
>any possible boot sector virus and will deny the warm boot if there
>is any boot sector virus in the floppy drive A.  Hopefully frisk will
>implement this for his next version of F-PROT.  It is a great program.

Sounds like a good idea - I am not sure I will have time to add it in
version 1.14, but if not then it will certainly appear in the next
version after that.

- -frisk

------------------------------

Date:    Fri, 04 Jan 91 16:03:12 -0500
From:    Alan Pierce <[email protected]>
Subject: nVIR-like resources... (Mac)

I'm somewhat new to the world of Macs, so I hope someone can shed some
light for me.  A user recently reported a virus on their Mac SE.
Using SAM 2.0, I scanned the volume and received the following
messages:

   Examined file 'System' in folder 'System Folder'.
   Warning!  This file contains nVIR-like resources(nVIR).
   It was last modified on 9/17/90 at 3:57 PM.

The most interesting thing is we never purchased the machine until
November and I installed the system software that came with it.
Thinking I may have an infected system disk, I scanned all 4 (v6.0.5)
disks and came up empty.  Next, I re-installed the system and scanned
the volume again--same messages.  I hope someone here can help me.
Either post to this list (as I am an avid reader), or respond directly.
Thank you.

Alan Pierce
Technical Consultant    <-- Huh?
Division of Nutritional Sciences
Cornell University
Ithaca, NY

APP@CORNELLA -- Bitnet
[email protected] -- Internet

------------------------------

Date:    Fri, 04 Jan 91 16:04:00 -0400
From:    Michael Greve <[email protected]>
Subject: Strange Problem Running Disinfectant 2.4! (Mac)

    I'm having problems running Disinfectant 2.4.  We have one Mac
  lab consisting of 16 SE/30's with 40 mg hard drives that are
  partitioned into two hard disks.  During my normal maintenance of
  the lab I do a routine virus check using Disinfectant 2.4.  The
  program works great on 15 of the machines.  When I run it on the
  last machine, the program calls up fine, but in the upper right
  hand corner where it should normally tell you which drive/partition
  you are currently scanning, the program comes up with a blinking message
  saying insert a disk to be checked.  This lab is networked using
  Appleshare and I do the virus check from the network.  On the other
  15 machines the name of the server comes up, I then switch to the
  2 partitions and scan them.  On this last machine, the name of the
  server shows up for a quick second then it changes to the flashing
  message.  I've tried running it from diskette and the hard drives and
  still get the same message.  I can't get it to work at all.

    Could this be some kind of virus??  I've never seen this before and
  have no clue as to what could be causing this.  I have had no problem
  with this particular machine, everything else runs fine on it.  Does
  anybody have ideas about what may be causing this.  I've run out of
  ideas.  Thanks for any assistance.

                                       Michael Greve
                                       University of Pa.
                                       The Wharton School
                                       [email protected]

------------------------------

Date:    Sun, 06 Jan 91 17:17:05 -0500
From:    [email protected]
Subject: Apple //gs "Die!" Virus

    This appeared on Info-Apple:

- --------------------------------------------------------------

Date: 6 Jan 91 21:06:19 GMT
From: [email protected]  (Benji Rudiak-Gould)
Organization: University of California, Berkeley
Subject: Computer virus!
Message-Id: <[email protected]>
References: <[email protected]>,
<[email protected]>
Sender: [email protected]
To: [email protected]


I am posting this for a friend with a IIGS who recently fell victim to a
virus attack.  The symptoms (I think they were in this order):

1)  A pop-up window appeared in the Finder with the message, "Die!"

2)  When he tried to open his text viewer DA, it froze and the words "Ha!
   Ha! Ha!" appeared all over it.

3)  Now, just about everything is bombing.


He has done a complete reformat of his hard drive and restored from
backups, but the virus was still there.  He has Lode Runner, and
downloaded the L. R.  virus killer (while he still could), but hasn't
tried it yet.

These symptoms may be slightly skewed, since they were told to me quickly
by phone.  Can someone identify this virus?  Thank you thank you thank you
for your help.

- --                       \\  I think, therefore I am.     |___|___|  Disclaimer:
Benji Rudiak-Gould       //  I am, therefore I think.     |_|___|_|  Take with
[email protected] \\  Therefore, I think I am.     |___|___|  a grain
///////////////////////////  Therefore I am -- I think... |_|___|_|  of :-)

------------------------------

Date:    Sun, 06 Jan 91 19:15:44 -0500
From:    [email protected]
Subject: Re: Apple //gs Virus (Followup - READ ME FIRST)

    This correction to a virus warning posted to Info-Apple:

- -------------------------------------------------------------
Date:  6 Jan 91 17:05 -0600
From: "H. Grant Delaney" <[email protected]>
To: [email protected], [email protected]
Message-Id: <53*[email protected]>
Subject: RE Virus Not a virus ( Writeit NDA )

What was described was a window appearing with DIE in it.  Well this sounds
exactly how Write It ! NDA crashes.  This is usually due to insufficient
memory and is part of the NDA.  It is not the first time this has confused
people.  This may have been removed from the latest version.

------------------------------

Date:    Mon, 07 Jan 91 16:47:01 +0000
From:    [email protected] (Nick Guoth)
Subject: Grapes virus? (Mac)

Hi,

or should I say what is going on?

We are using MacFortran on some of our Macintoshes here and just over
the last few days, we seem to have contracted a strange virus or
something. Now I'm never confident about viruses affecting us here in
Australia as the protection software generally arrives before the
virus. What is happening is that the icons for the Fortran executable
files have turned into bunches of grapes.

Now it doesn't seem to harm the programs but it soon will become a
nuisance. We have SAM with all the latest virus definitions installed
on each of the Macs.

Can anyone tell me whether this is a virus or not, and if not what is
causing the problem.

Ta,

nick
[email protected]
"Happiness is a piece of fudge caught on the first bounce" - Snoopy

------------------------------

Date:    Sat, 05 Jan 91 17:27:42 -0400
From:    [email protected] (G. Mussar)
Subject: PVALIDAT.ZIP - Portable VALIDATE using McAfee algorithms (PC)

I have uploaded to SIMTEL20:

pd1:<msdos.trojan-pro>
PVALIDAT.ZIP    Portable VALIDATE using McAfee algorithms

Portable VALIDATE is a file authentication program which can be used
to check software for signs of tampering.  The program calculates two
check codes over the data in a file by using two different CRC
algorithms.  Portable VALIDATE uses the same CRC algorithms as McAfee
Associates VALIDATE. The McAfee VALIDATE module only runs on IBM (and
compatible) machines. Portable VALIDATE is written in C language and
can be compiled and run on many non-IBM platforms.

- -------------------------------------------------------------------------------
Gary Mussar  |Bitnet:  [email protected]                  |  Phone: (613) 763-4937
BNR Ltd.     |  UUCP:  ..uunet!bnrgate!bcars53!mussar |  FAX:   (613) 763-2626
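
[Added example, not part of the digest and not Portable VALIDATE's code: a minimal C sketch of the two-check-code idea described above, recording two CRCs for a file and reporting which of them no longer match. The two CRCs used here (CRC-16 in its XMODEM form and the ZIP CRC-32) are stand-ins chosen for illustration, since the post does not say which algorithms VALIDATE uses; the function names and sample bytes are constructed.]

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in check 1: CRC-16, polynomial 0x1021, initial value 0 (XMODEM). */
uint16_t crc16_xmodem(const unsigned char *p, size_t n) {
    uint16_t c = 0;
    while (n--) {
        c ^= (uint16_t)(*p++ << 8);
        for (int b = 0; b < 8; b++)
            c = (c & 0x8000) ? (uint16_t)((c << 1) ^ 0x1021) : (uint16_t)(c << 1);
    }
    return c;
}

/* Stand-in check 2: CRC-32, reflected polynomial 0xEDB88320 (as in ZIP). */
uint32_t crc32_zip(const unsigned char *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int b = 0; b < 8; b++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
    }
    return ~c;
}

/* The pair of check codes recorded for a known-good copy of a file. */
struct codes { uint16_t c16; uint32_t c32; };

struct codes measure(const unsigned char *p, size_t n) {
    struct codes k = { crc16_xmodem(p, n), crc32_zip(p, n) };
    return k;
}

/* 0 = both codes match the baseline; bit 0 = CRC-16 differs, bit 1 = CRC-32. */
int validate(const unsigned char *p, size_t n, const struct codes *want) {
    struct codes got = measure(p, n);
    return (got.c16 != want->c16 ? 1 : 0) | (got.c32 != want->c32 ? 2 : 0);
}

int main(void) {
    unsigned char file[] = "constructed sample program image";
    struct codes base = measure(file, sizeof file - 1);
    file[3] ^= 0x20;                      /* simulate a one-byte modification */
    printf("baseline %04X %08lX, flags after change: %d\n", (unsigned)base.c16,
           (unsigned long)base.c32, validate(file, sizeof file - 1, &base));
    return 0;
}
```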

------------------------------

Date:    Mon, 07 Jan 91 08:13:28 -0700
From:    [email protected] (Richard W Travsky)
Subject: QEMM Virus? (PC)

This appeared in a recent Info-Ibmpc digest.  Figured I'd pass it on.
I have not seen any mention of this in recent virus-l postings so
hopefully I'm not passing on old news.  Then again, I hope I'm not
also spreading panic!


Date: Tue, 1 Jan 91 10:58:09 -0500
From: David Kirschbaum <[email protected]>
Subject: Reported QEMM virus

Received from the Fido Dr. Debug Echo, 1 Jan 91.
David Kirschbaum
Toad Hall

FROM:    Richard Crain                 Area # 23 (    Dr. Debug     )
TO:      ALL
SUBJECT: Virus

I have found what appears to be a virus on the factory supplied disk
from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and
install.exe programs. These 2 programs contain a HEX signature of
EAF0FF00F0 which indicates the possible presence of the 648 virus.
This virus is supposed to infect overlay programs, which I have had
MAJOR problems with lately. In the last 18 hours, every program that I
have used that uses overlays has had its CRC change, or worse yet,
totally crash on invocation locking the system.

Further, it has been only the EXE files that have changed. Also, in
doing a byte by byte compare of a corrupted file with a good version
on backup (tape) I find an absolute pattern of corruption in the
files.  These changes are the substitution of a HEX 00 00 at locations
68B8, 68BC, 78B8, 78BC, 88B8, 88BC, Etc.....

 This problem started yesterday (again) after running the Optimize
program that comes with Qemm386 V5.1 . This problem occurred before
causing me to panic and wipe out my hard disk, secure erase, reformat,
and reload without doing serious research as to the cause, I ASSUMED
that a new program that I had just added was the cause.

This time, I have found what I believe to be the true cause with some
advice from Chris Anderson.

Further, Quarterdeck has been notified and the original disk is being
returned to them for replacement and analysis. Also, the disk was never
written onto by me at any time, the diskette was copied and the copy
underwent the registration process.

The HEX string to look for is EAF0FF00F0

- --- msged 1.99S ZTC
* Origin: DinoPoint 2  (1:104/114.2)
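
[Added example, not part of the digest: C helpers for the two checks the report describes, searching a file image for the quoted byte string and locating the runs where a suspect copy differs from a known-good backup. The five bytes decode as an 8086 far jump to F000:FFF0, the PC BIOS reset entry point, so a match on its own only shows code that restarts the machine. Function names and the sample buffers are constructed.]

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Signature quoted in the post: EA F0 FF 00 F0. */
static const unsigned char SIG[5] = {0xEA, 0xF0, 0xFF, 0x00, 0xF0};

/* Offset of the first signature match in buf, or -1 if absent. */
long find_sig(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i + sizeof SIG <= len; i++)
        if (memcmp(buf + i, SIG, sizeof SIG) == 0) return (long)i;
    return -1;
}

/* Decode an 8086 far jump (opcode EA, then offset and segment, little-endian). */
int decode_far_jmp(const unsigned char *p, unsigned *seg, unsigned *off) {
    if (p[0] != 0xEA) return 0;
    *off = p[1] | (p[2] << 8); *seg = p[3] | (p[4] << 8);
    return 1;
}

/* Record where each run of differing bytes starts; returns how many were stored. */
size_t diff_runs(const unsigned char *good, const unsigned char *bad,
                 size_t len, size_t *starts, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (good[i] != bad[i] && (i == 0 || good[i - 1] == bad[i - 1]))
            if (n < max) starts[n++] = i;
    return n;
}

/* Distance at which the run starts repeat (checked over >= 2 pairs), else 0. */
size_t run_period(const size_t *starts, size_t n) {
    for (size_t k = 1; k + 2 <= n; k++) {
        size_t p = starts[k] - starts[0], i = 0;
        while (i + k < n && starts[i + k] - starts[i] == p) i++;
        if (i + k == n) return p;
    }
    return 0;
}

int main(void) {   /* constructed sample: 00 00 at the offsets listed in the post */
    static unsigned char good[0x9000], bad[0x9000];
    static const size_t at[] = {0x68B8, 0x68BC, 0x78B8, 0x78BC, 0x88B8, 0x88BC};
    memset(good, 0x5A, sizeof good); memcpy(bad, good, sizeof bad);
    for (size_t i = 0; i < 6; i++) bad[at[i]] = bad[at[i] + 1] = 0;
    size_t starts[16], n = diff_runs(good, bad, sizeof good, starts, 16);
    printf("%zu runs, period 0x%zX\n", n, run_period(starts, n));
    return 0;
}
```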

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 5]
****************************************

