Date:         Tue, 8 Jan 91 14:30:48 EST
From: "The Moderator Kenneth R. van Wyk" <[email protected]>
Subject:      VIRUS-L Digest V4 #6
To: Multiple recipients of list VIRUS-L <[email protected]>

VIRUS-L Digest   Tuesday,  8 Jan 1991    Volume 4 : Issue 6

Today's Topics:

possible macintosh virus
Reported QEMM "virus" (PC)
MacVirusIndex (Mac)
Addition to monthly postings?
WordPerfect "virus"--summary of responses
Re: UK Computer Crime Unit
Strange Problem Running Disinfectant 2.4! (Mac)
Prevent hard disk infection? (PC)
Auto-scanning Virus Vaccine? (PC)
Fish Virus Activation (PC)
Grapes (Mac)
Re: Grapes virus? (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

---------------------------------------------------------------------------

Date:    07 Jan 91 20:43:44 +0000
From:    <[email protected]>
Subject: possible macintosh virus

Does anyone know of a Macintosh virus that will make all floppy disks
appear to be locked to the computer? At first, we thought the problem
was with the disk drive, but when it started surfacing on other
computers, we've become a little suspicious. Any help would be
appreciated.

Matt Wu
[email protected]

------------------------------

Date:    07 Jan 91 16:01:10 -0500
From:    "David.M.Chess" <[email protected]>
Subject: Reported QEMM "virus" (PC)

That person has some serious misinformation, I'm afraid; the 648
virus, while it does contain those 5 bytes, doesn't infect EXE files
or overlays (unless they have the extension "COM"), and doesn't write
zeros into files as he describes.  The five bytes he gives as the
"sign of the virus" are just five bytes that cause the machine to
reboot.  The 648 sometimes inserts this into programs, but there are
many legitimate programs out there that contain those five bytes for
good non-viral reasons (they want to reboot the machine, for
instance).

My guess would be (can't be anything like sure at this distance, of
course) that he's just got something mundane, like a conflict between
QEMM and his disk driver software...

DC

------------------------------

Date:    Mon, 07 Jan 91 14:27:04 -1000
From:    [email protected] (Jim Wright)
Subject: MacVirusIndex (Mac)

Andreas "Pandy" Holmberg ([email protected]) has pointed out to me
that there is a MacVirusIndex available from nic.funet.fi in the
directory /pub/mac/doc.  Does anyone know if this is available from an
archive site in the U.S.?  (Please don't everyone grab this file from
Finland.  Wait until it shows up a bit closer to you.)  I haven't seen
this, so I don't know how it compares to the Virus Encyclopedia Stack.

Jim

------------------------------

Date:    Mon, 07 Jan 91 14:32:30 -1000
From:    [email protected] (Jim Wright)
Subject: Addition to monthly postings?

It has been suggested that I add a section to the monthly postings of
archive sites that would explain what to do with ZIP, ZOO, ARC, HQX,
SIT, etc. files.  Would you find this information useful?  Would you
like to see it added to the monthly postings?  I'm trying to see if
many people are interested in this.

Jim

------------------------------

Date:    Tue, 08 Jan 91 07:11:27 +0000
From:    [email protected] (John Kelly)
Subject: WordPerfect "virus"--summary of responses

Report on WordPerfect "Virus"

Over the last month or two over a dozen people (thank you all)
have posted articles responding to queries about a possible
"WordPerfect virus" which was to blame for certain problems
with WordPerfect-- specifically:

       Trashed floppy disks,
       Documents duplicated many times within a single file,
       Screwy pagination,
       Slow repositioning, and
       Control codes mysteriously appearing in files, often in
           conjunction with the other problems.

Here's the summarized wisdom of the group:

       (1)  There's no virus involved.  It's just bugs and
design flaws in WP.

       (2)  The trashed-floppy problem is extremely common and
most likely results from users switching floppies too fast for
WordPerfect to keep track of them.  The remedy is (a) don't
switch floppies; (b) if you do, save first, exit from the
document, switch floppies, and _immediately_ List Files (<F5>) so
WP will know that it's dealing with a new disk.
       WordPerfect's autosave feature can be part of the problem
or part of a solution; one writer recommended disabling it and
saving yourself.  I would recommend hanging on to it _if_ you can
make it save to a different drive from the one your documents are
on (i.e., if you have hard disk space on your machine or on a
network).  If you and autosave write to the same disk, you're
likely to interfere with each other; if you and autosave write to
different disks, you're backing each other up.

       (3)  The other problems are less common and not readily
explained.

       It's worth pointing out that no one wrote in to say WP
was a crappy program; indeed, one writer took pains to say it was
still his word-processor of choice, warts and all.  I just hope
the next version is a bit more careful about writing to removable
media.  (I'm not a sophisticated programmer, so will some hotshot
tell me:  is WP taking a shortcut there around the DOS file-
writing functions, and is that what's trashing all those
floppies?)

------------------------------

Date:    Tue, 08 Jan 91 09:26:17 +0000
From:    [email protected] (James Nash)
Subject: Re: UK Computer Crime Unit

[email protected] (Anthony Appleyard) writes:
>>"The UK Computer Crime Unit hasn't got an email-address, nor do they
>>read these UUCP-news. Pandy
>>[email protected]"
>
>If they aren't in contact with the computing world, how can they operate
>effectively? If they can't email, and have to rely on GPO mail and the
>phone and personal visits, and can't get email circulars, they are going to
>be way behind developments. Can't they afford a microcomputer and a modem?

The reason why the UK CCU has such a small budget is because their
superiors do not believe there is a problem. If more people in the UK
actually reported viral infections as crimes then the police might be
interested in solving those crimes. We are years behind America and
other nations in this respect.

Also, if (and hopefully when) the "worms" are caught who write
viruses, they can be prosecuted for the damage they have caused. If
no-one has reported a crime, no action can be taken.
--
James Nash, Coventry Polytechnic, England

------------------------------

Date:    Mon, 07 Jan 91 04:26:51 -1200
From:    Mark Anbinder <mha%[email protected]>
Subject: Strange Problem Running Disinfectant 2.4! (Mac)

(Original poster described problem with Disinfectant launching and
immediately showing a flashing message asking the user to insert a
disk.)

I have a suggestion on how to handle the problem you've been having.
It sounds like someone has turned on the setting that makes that copy
of Disinfectant an auto-starting scanning station.  This is designed
to allow a facility manager such as yourself to set up a single Mac
with no mouse and no keyboard (tamper-proof, in other words) that can
be started up with a disk containing a Disinfectant that will
automatically go into this mode.

The solution I'd suggest is that you throw away the Disinfectant Prefs
file in the System Folder of the hard drive in question.  Then,
Disinfectant will use its default settings, and you should be fine.

Another solution is to do your checks by shutting down each computer,
and then starting up from a locked startup floppy containing only a
stripped-down System, a Finder, and Disinfectant.  This will ensure
that the settings remain the same from one session to the next.

--
Mark H. Anbinder                      [email protected]
BAKA Computers, Inc.                  607-257-2070 - FAX 257-2657
200 Pleasant Grove Road               QuickMail QM-QM 257-2614
Ithaca, NY 14850                      Memory Alpha BBS * 607-257-5822

------------------------------

Date:    Mon, 07 Jan 91 16:44:29 -0500
From:    MONAT%[email protected]
Subject: Prevent hard disk infection? (PC)

Is there any way to prevent a virus from infecting a hard disk when
you cold boot with an infected diskette in drive a: ? (I should have
written "when you unfortunately have left a diskette in drive a:" or
"when you leave your computer unattended and someone boots from a
diskette").

Paul M. Monat     Lab Manager                   Phone: 613-564-6895/6500
                 Faculty of Administration       Fax: 613-564-6518
                 Canada    K1N 6N5            Bitnet: Monat @ Uottawa

------------------------------

Date:    Tue, 08 Jan 91 13:52:32 +0000
From:    Mr Gordon S Byron <[email protected]>
Subject: Auto-scanning Virus Vaccine? (PC)

I am interested in finding a DOS antivirus program which would
automatically scan disks as they are inserted. Ideally, something like
SAM II on the Mac. I noticed a reference to a program called McAfee's
scan. Is that an auto-scan antivirus program?

------------------------------

Date:    Tue, 08 Jan 91 15:19:19 +0100
From:    [email protected] (Morton Swimmer)
Subject: Fish Virus Activation (PC)

I'm not sure whether this is generally known, but the Fish virus's
damage is activated starting from this year (1991). The virus will (or
should) display the message:

FISH VIRUS #6 - EACH DIFF - BONN 2/90 '~knzyvo}'

                                  (    ^^^^^^^^ VB claims this translates
                                     to TADPOLES )

and the virus halts the machine. This is, I believe, similar to what
Frodo is supposed to do. One question remains: is there perhaps
another virus (perhaps Whale) that will continue from that point, via
the timer interrupt perhaps? I haven't looked at Whale that closely
yet.

Far fetched? Well I fail to be surprised by anything these viruses do
nowadays.

Cheers, Morton

(and thanks to Stefan Tode for the information.)

PS: In light of this: Happy New Year!
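
Added example, not part of the original digest or of the message above: the
claim that '~knzyvo}' reads TADPOLES can be checked by trying every
single-byte XOR and subtraction key against the quoted string. The function
names are this example's own.

```python
# Added example: test single-byte decodings of the string quoted in the message.
OBFUSCATED = b"~knzyvo}"   # string as quoted in the message above
CLAIMED = b"TADPOLES"      # reading attributed to VB in the message


def candidates(data):
    """Yield (method, key, decoded) for every single-byte XOR and subtract key."""
    for key in range(1, 256):
        yield "xor", key, bytes(b ^ key for b in data)
        yield "sub", key, bytes((b - key) % 256 for b in data)


def find_transforms(data, expected):
    """Known-plaintext check: every (method, key) mapping data onto expected."""
    return [(m, k) for m, k, out in candidates(data) if out == expected]


def uppercase_only(data):
    """Blind search: keep only decodings made up entirely of the letters A-Z."""
    return [(m, k, out.decode("ascii")) for m, k, out in candidates(data)
            if all(0x41 <= b <= 0x5A for b in out)]


if __name__ == "__main__":
    # Which transforms reproduce the claimed reading exactly?
    for method, key in find_transforms(OBFUSCATED, CLAIMED):
        print(f"{method} {key} (0x{key:02X}) -> {CLAIMED.decode()}")
    # Without the claimed reading, several keys still give all-uppercase
    # output, so a word list or a human eye has to pick the real one.
    for method, key, text in uppercase_only(OBFUSCATED):
        print(f"candidate: {method} {key:3d} {text}")
```

Only subtracting 42 from each byte reproduces the claimed text; no single XOR
key does.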

------------------------------

Date:    Tue, 08 Jan 91 09:32:08 -0500
From:    Joe McMahon <[email protected]>
Subject: Grapes (Mac)

Try rebuilding your desktop file. Someone may have been playing with
ResEdit and changed the icon for Fortran files to that. If one of them
was changed, the first one copied onto a new disk will make the rest of
them look that way, too.

--- Joe M.

------------------------------

Date:    08 Jan 91 20:23:13
From:    [email protected] (Pandy Holmberg)
Subject: Re: Grapes virus? (Mac)

[email protected] (Nick Guoth) writes:

->    We are using MacFortran on some of our Macintoshes here and just over
->    the last few days, we seem to have contracted a strange virus or
->    something. Now I'm never confident about viruses affecting us here in
->    Australia as the protection software generally arrives before the
->    virus. What is happening is that the icons for the Fortran executable
->    files have turned into bunches of grapes.

As I can't examine your machine from here, all I can do is come up with guesses.
I haven't heard of this behaviour before, so what I suggest is:
Use ResEdit or some other resource editor to determine from which program
the grape icon originates.
Then study that program closely.

Another explanation would be that another application has the same creator name,
i.e. if you make a program of your own and make the creator name WILD, all
HyperCard stacks will have the same icon as your program and vice versa.
(OK. It's not THAT simple, but close enough.)

Third guess:
Check that the original icons are still in the MacFortran application. Some
wise guy might have redesigned them.

I would be interested in hearing what you discover.

                   Tsaukki says
                             Pandy

--
"Don't worry, ski happy"
               - Skischule Arlberg

******************************************************************************
      /I I   Andreas "Pandy" Holmberg             [email protected]
     /-I-I   Helsinki University of Technology    [email protected]
    /  I I   Faculty of Electrical Engineering    [email protected]
******************************************************************************

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 6]
****************************************

