Date: Wed, 9 Jan 91 15:21:27 EST
From: "The Moderator Kenneth R. van Wyk" <
[email protected]>
Subject: VIRUS-L Digest V4 #7
To: Multiple recipients of list VIRUS-L <
[email protected]>
VIRUS-L Digest Wednesday, 9 Jan 1991 Volume 4 : Issue 7
Today's Topics:
Re: Strange Problem Running Disinfectant 2.4! (Mac)
Joshi & Stoned 2 (PC)
Stoned Virus (PC)
Re: SCAN program for IBM's (PC)
MIBSRV back up & new files (PC)
F-DRIVER boot check (PC)
(c) BRAIN id and disinfection (PC)
Re: nVIR-like resources... (Mac)
Computers at Risk book - how to order - (General)
Info on resident virus scanner. (PC)
discovering 170x infection path (PC)
obscure procedure in Yankee Doodle (PC)
Stoned (PC)
VM, MS-DOS and Virex (PC, I *think*)
WP 8 byte bug (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Tue, 08 Jan 91 20:33:07 +0000
From:
[email protected] (Thumper)
Subject: Re: Strange Problem Running Disinfectant 2.4! (Mac)
[email protected] (Michael Greve) writes:
>
> program works great on 15 of the machines. When I run it on the
> last machine, the program calls up fine, but in the upper right
> hand corner where it should normally tell you which drive/partition
> you are currently scaning, the program comes up with a blinking message
> saying insert a disk to be checked. This lab is networked using
..
> 2 partitions and scan them. On this last machine, the name of the
> server shows up for a quick second then it changes to the flashing
> message. I've tried running it from diskette and the hard drives and
> still get the same message. I can't get it to work at all.
I saw a similar problem on a machine which has a Disinfectant Preferences
file which had been configured for Scanning Station Mode (which is supposed
to behave this way).
Discard the prefs file and try again.
- -Geoff Bronner '91
Student Consultant, Dartmouth College Computing Services
- --
[email protected] | Student Consultant Fieyrnt!
Alpha Theta TeddyBear. | Kiewit Computation Center
Channel Z. All static, all | HB 6028, Dartmouth College =-=-=-=-
day, forever. - The B-52's | Hanover, NH 03755 (603) 646-3417
------------------------------
Date: Tue, 08 Jan 91 13:41:24 -0800
From: Jeffrey <
[email protected]>
Subject: Joshi & Stoned 2 (PC)
My IBM PC has been hit with 2 viruses, Stoned-2 and Joshi. The
computer hangs when we try to boot, and now it looks as if the
hard-disk has been affected.
What long range effects do these viruses have on recovering files
from the Hard-disk? I have never heard of Joshi. I thought Stoned-2
just affected the boot-up. Do either of these viruses affect the FATS
table or somehow make recovery of disk files impossible? How about
using something like Norton utilities to get these files off the disk?
Are we totally screwed?
The guy that is "curing" the problem indicated that the
two viruses in combination created some sort of unique problem
and that Joshi may be a "Friday the 13th" type bomb.
Any info, on the list or direct to me would be appreciated.
Thanks very much. We are in the Central California area, BTW.
--Jeffrey
------------------------------
Date: 07 Jan 91 05:33:01 +0000
From:
[email protected] (Herb Presley, Emergency Planning Officer)
Subject: Stoned Virus (PC)
Last week I wrote.............
> I have had a problem with the "Stoned" virus on my 8088 based XT.
> After the virus appeared on Christmas Day, I reformatted (high level)
> the hard drive and reconfigured the partition table using FDISK.
> Although the message appeared on Christmas Day, the only problem that
> my PC seemed to develop was the inability to load RAMDRIVE.SYS at
> bootup. Reconfiguring the partition table and reformatting the hard
> drive do not seem to have helped RAMDRIVE.SYS to load.
Further to my earlier posting, I got ahold of a copy of McAfee's SCAN
program, and it confirmed that the [Stoned] Virus was still affecting
my hard drive. So I have now managed to cure the problem, and for
what it's worth to anyone, if interested, here's how:
1) I rebooted the system off my floppy system disks (DOS 3.3) which I had COPY
PROTECTED! I then backed up all the files onto floppy disks using XCOPY
making sure that I had removed drive "C" from the environment path
variable;
2) I opened the Partitiion Table and Boot Sector with the Norton Utilities;
3) I OVERWROTE the entire partition table with "0", and wrote it to the disk;
4) I then repartitioned the disk using FDISK;
5) I then reformatted the disk from the system floppies like so -
A> format c: /v/s
6) I scanned all floppy disks with the McAfee program PRIOR to copying them to
the hard drive. Where I found an infected disk, I repeated the same
treatment I had given the hard disk with Norton Utilities. (You can copy
the files from a floppy of which you have overwritten the Boot Sector
provided that you are careful NOT to overwrite the FAT) and
then reformatted them from the system floppies (which I knew to be clean).
7) The problem is solved. The PC is now, according to the McAfee program,
clean! And the RAMDRIVER is loading a-ok.
Hope this helps anyone else who has been infected by the [Stoned]
virus. (By the way, I don't know if you've noticed but the person who
wrote the message "Your PC is Stoned! LEGALISE MARIJUANA!" doesn't
even know how to spell legalize.......heh! heh! And I'll bet he
thinks he's smart.)
And one other thing, a warning! I think I picked up the virus from a
fairly reputable software company's disks that I purchased several
months ago - a word processor, no less! It looks like some this major
company may have a snake in the woodpile. I can't mention their name
here, however I will be taking my case up with them so that they can
call in the mongoose brigade.
But be warned! These stupid viruses come from the most unexpected and
innocent places! Check everything. If you don't have a copy of a
good scan program, I would suggest that you get one.
-
-------------------------------------------------------------------------------
DISCLAIMER: Any views expressed here are mine alone and
do not represent those of this organization
email :
[email protected]
mail : 10320 - 146 St., Edmonton, Alberta, Canada T5N 3A2
phone : (403) 451-7151
------------------------------
Date: Tue, 08 Jan 91 15:33:14 +0000
From: Douglas Barlow <
[email protected]>
Subject: Re: SCAN program for IBM's (PC)
> Date: Tue, 08 Jan 91 13:52:32 +0000
> From: Mr Gordon S Byron <
[email protected]>
> Subject: Auto-scanning Virus Vaccine? (PC)
>
> I am interested in finding a DOS antivirus program which would
> automatically scan disks as they are inserted. ideally, something like
> SAM II on the Mac. I noticed a reference to a program called McAfee's
> scan. Is that an auto-scan antivirus program?
Only one problem with that idea: How can the machine tell when a disk
is inserted? There isn't any type of sensor in IBM floppy drives like
in the Mac.
Doug Barlow
------------------------------
Date: Tue, 08 Jan 91 17:09:18 -0600
From: James Ford <
[email protected]>
Subject: MIBSRV back up & new files (PC)
MIBSRV (130.160.20.80) is back up. There will probably have to be some
minor adjustments to make in the operating system, but anonymous FTP users
should be able to access the antiviral files in pub/ibm-antivirus with no
problem. If there *is* a problem, please let me know so I can correct it.
The following files have been uploaded to 130.160.20.80 into the directory
pub/ibm-antivirus:
netscn72.zip
clean72.zip
vshld72.zip
scanv72.zip
- ----------
The ladder of success is easier to climb when laid flat.
- ----------
James Ford -
[email protected],
[email protected]
THE University of Alabama (in Tuscaloosa, Alabama USA)
------------------------------
Date: Tue, 08 Jan 91 11:25:39 -0800
From:
[email protected] (Rob Slade)
Subject: F-DRIVER boot check (PC)
[email protected] (Sulistio Muljadi) writes:
> F-driver.sys does not check drive A for any possible boot sector virus
F-DRIVER does not check the disk per se, but when the boot process starts
F-DRIVER, it will check memory for any resident viri. It will then
terminate the boot process, forcing you to boot from a clean disk.
------------------------------
Date: Tue, 08 Jan 91 11:56:34 -0800
From:
[email protected] (Rob Slade)
Subject: (c) BRAIN id and disinfection (PC)
[email protected] ( COLDENHOFF) writes:
> I do not quite understand how this boot sector virus was able to
> contaminate my disks without actually booting from them. Does DOS
Someone recently explained this, although I can't remember the terms
he used for the different "processes". Again, though, if you stick
the disk in the A: drive and power on, "reset" or <Ctrl><Alt><Del>,
then the program on the boot sector of the A: drive disk will be
loaded. Even on a "non-system" disk there is a program in the boot
sector. It usually prints "Non-system disk. Replace and press any
key to continue" on the screen. A BRAIN infected disk will load BRAIN
into memory *and then* run that message. You remove the disk and
replace with the proper system disk and hit a key, and the machine
"boots" the proper system files *but BRAIN is still active.*
And, of course, infects any disk it reads from then on.
> Does anybody know what the typical virus scanner looks for in
> reference to this virus? I hope it doesn't just look for the label -
Interesting that the (c) BRAIN label doesn't show up on your disks. As
BRAIN was one of the very early viri, and fairly obtrusive, it is also
one of the most widely "altered" viri. However, if you have a version
that is even *close* to the original, most of the scanners should find
it. The early "hackers" didn't do much messing with it's core code.
You can probably it yourself. PCTOOLS, F-BOOT and many other utilities
will "show" you the boot sector contents, and there is a lot of text in
BRAIN so it should be obvious. (You can even do it with DEBUG if you can
find the right numbers.)
Disinfection is fairly easy. F-DISINF works perfectly, SCAN/D should
work OK, even good old SYS will take care of BRAIN. Provided you "boot
clean" first.
------------------------------
Date: 08 Jan 91 23:45:10 +0000
From:
[email protected] (Kevin Hill)
Subject: Re: nVIR-like resources... (Mac)
I beleive that a way to "vaccinate" a Mac against nVir is to create a
resource with the nVir type and when nVir tries to infect it, it bumps
into the nVir resource already there and fails.
If I am wrong, please correct me everyone.. Thanks.
------------------------------
Date: Wed, 09 Jan 91 10:47:42 -0500
From: Colin Lay <CMLHD%
[email protected]>
Subject: Computers at Risk book - how to order - (General)
In December there were submissions about available studies. The General
Accounting Office produced one that was recently announced as being
available by anonymous FTP I believe.
The National Research Council has published a much longer study entitled
"Computers at Risk - Safe Computing in the Information Age". It is
available from the National Academy Press in Washington. Telephone
orders are accepted at 1-800-624-6242 for US customers or (202) 334-3313
for those of us who can't access the 800 number. They will accept VISA,
MasterCard or American Express.
Their book code is COMRIS and the price is $19.95. Quantity discounts
are available.
Colin M. Lay,Assoc. Prof.
Fac. of Administration, Univ. of Ottawa
Tel. (613)564-7015 FAX (613) 564-6518
"Any opinions expressed are mine, not necessarily those of my employer."
Acknowledge-To: <CMLHD@UOTTAWA>
------------------------------
Date: Wed, 09 Jan 91 10:52:45 -0500
From: <
[email protected]>
Subject: Info on resident virus scanner. (PC)
This is in response to your posting on VIRUS-L.
I think a McAfee program called VSHIELD may be just what you
are looking for. The program, once loaded, scans all COM, EXE, and
OVR files as well as any files being copied, etc. It has the added
feature of scanning the floppy drive whenever a warm boot is
requested, to prevent any inadvertent introduction of viri if
an infected disk is accidently left in the drive.
You should be able to download this from several archives
in the UK. Check Virus-L back logs for a full listing of
archive sites. The file will be named VSHIELD72.ZIP.
Mark A. Stoffan
Graduate Student, New England Studies
Consultant, Academic Computing Services
University of Southern Maine
[email protected]
------------------------------
Date: Wed, 09 Jan 91 17:26:16 +0000
From: Martin Zejma <
[email protected]>
Subject: discovering 170x infection path (PC)
hello hunters |
During autumn I worked out a TurboPascal 5.5 ( without OOP , so just
5.0 ) program , that tries to show the infection path of a group of
infections with the 1701/1704 Virus , found with (no brackets) (170X)
when using SCAN. The virus stores the 32-bit system clock from
0040:006C or something like that, --> ( you get the TIME when the
virus gets resident )
2) it stores the jump instruction to the eof from the previous infection
( so you get the length of the previous infected file while being resident)
3) and all the original interrupt-vectors , so you can seperate different envi
ronments while infections occured
4) the original length of the current infected file
all that stuff quite simple programmed.
Now I want to know : IS this interesting enough to be posted in the
VIRUS-L archives ???
Please send opinions ( to me directly or to the list , i'm a maniac
reader ) especially the moderator of these fabulous list , Mr Ken van
Wyk .
Thank's for waisting your time
Martin
+-----------------------------------------------------------------------+
| Martin Zejma 8326442 @ AWIWUW11.BITNET |
| |
| Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria |
+-----------------------------------------------------------------------+
------------------------------
Date: Wed, 09 Jan 91 17:44:33 +0000
From: Martin Zejma <
[email protected]>
Subject: obscure procedure in Yankee Doodle (PC)
hello virus-proofed community |
Last week i found the ( or a ) oh-so-old-but-never-found Yankee Doodle
Virus at a friend , savely jailed on a floppy disk.
I worked through the code quite heavy ,found nothing unbelieveable
clever but : after copying the virus-code to the top of memory ( i
worked hard to figure out the meaning of TOM in recent issues) , it
gets the size of the absolute system memory for DOS from a word in the
BIOS-segment ( 280h) multiplies this by various things to get the end
of memory ( A000:0000 )
AND THEN ::: checksums 61 words starting from A000:014E ( or 012E ,
i'm not sure without the source next to me ) , simply adding all these
61 words together , and if the result is something like 0b52 , it
writes a jump instruct ion into high memory , pointing to a small
procedure which changes Int 13h (disk interupt).
On my system ( a 286 Neat with 2 MB Ram running at 20 MHz 1 WS ) there
is nothing accessible after a000:0000 , everything just HIGH-VALUE
(FFh), not possible to change a byte .
I tried using Shadow RAM enabled at A000 , but that also failed .
SO THE ONE AND ONLY QUESTION :
Are there systems where this part of memory is accessible or would the
virus just overwrite a resident other virus when the value in the
BIOS-segment is below 280h due to a previous (already running)
infection ?
Please many answers and soon , i'm puzzled
Sincerly yours , Martin
+-----------------------------------------------------------------------+
| Martin Zejma 8326442 @ AWIWUW11.BITNET |
| |
| Wirtschaftsuniversitaet Wien --- Univ. of Economics Vienna/Austria |
+-----------------------------------------------------------------------+
------------------------------
Date: Wed, 09 Jan 91 10:29:53 -0800
From:
[email protected] (Rob Slade)
Subject: Stoned (PC)
[email protected] (Herb Presley, Emergency Planning Officer) writes:
> I have had a problem with the "Stoned" virus on my 8088 based XT.
> After the virus appeared on Christmas Day, I reformatted (high level)
> the hard drive and reconfigured the partition table using FDISK.
Repartitioning and reformatting is a rather drastic way to deal with
"Stoned". F-PROT and SCAN will both remove the infection fairly
easily. However, none of these measures will be effective if the
virus is still resident in memory. You can repartition all you like,
"Stoned" will just pop right back in to your "clean" system unless you
first boot from a clean source.
Also, did you check your floppy disks?
> Although the message appeared on Christmas Day, the only problem that
>
> I'm not even sure if the problems are related.
>
> Remember that the RAMDRIVE.SYS load worked prior to the appearance of the
> "Stoned" virus. I didn't change any parameters prior to that time.
I'm not sure they are related either. You say "Stoned" "appeared" on
Christmas Day: how do you know that? Are you referring to the "Your
PC is now Stoned" message? If so, you should know that the infection
could have occured long before that. The message only appears on "1
in 8" boots, and its appearance is randomly generated. It might have
been in your system for a long time before you got the message.
I suggest you get a copy of F-PROT and check your system *and* floppy
disks again. Since you are in Canada, you get antiviral programs and
information from the SUZY Information Service. Check out the
INtegrity section of the Information Networks.
------------------------------
Date: Wed, 09 Jan 91 10:14:28 -0800
From:
[email protected] (Rob Slade)
Subject: VM, MS-DOS and Virex (PC, I *think*)
[email protected] (Evelyn Duncan) writes:
> A friend of mine has an IBM-compatible computer and wants to dial into
> the VM system here, but he needs a program that will prevent viruses
Are you saying that he is worried about getting an infection, in some
way, on his PC from an IBM mainframe running VM? If so, he can stop
worrying, for some time at least. I assume he would be using some
kind of terminal emulation package rather than being linked in some
sort of network situation, but the worst that could happen is to act
as a carrier for some sort of "mail virus/worm". That would still be
the case whether or not he used a terminal in place of a PC, and
whether or not he called in from outside, and would not affect his PC
at all. (And in any case, it would be your problem. :-) )
> Virex. He called Virex's 1-800 number, but it was disconnected.
The address and phone numbers I have for Microcom (makers of Virex, for
the Mac, and Virex-PC) are:
3700-B Lyckan Parkway
P. O. Box 51816
Durham, NC 27717
919-490-1277
fax 919-490-6672
They also have an office in England.
A brief observation: Ross Greenburg, who wrote Flu-Shot, also wrote
Virex-PC, and the scanner portion, VPCSCAN is *very* fast in
operation. The documentation for the product is well written and
helpful.
You might also try the F-PROT and SCAN shareware protection products.
------------------------------
Date: Wed, 09 Jan 91 09:46:22 -0800
From:
[email protected] (Rob Slade)
Subject: WP 8 byte bug (PC)
[email protected] (Rob Slade) writes:
> The problem I encountered was that Word Perfect version 5.0, when
> saving to 4.2 format (one of the options under <ctrl>F5) will save an
> eight byte file *and erase the previous version, not just rename thee
Since I posted this I have been in touch with Word Perfect. They
have, apparently, not had any major reports of this type. Also *I
have made some error* or this bug is intermittent. I swear I
reproduced it ten times the day I found it, but I haven't been able to
do it since. Some other option? A different file origin? I don't
know.
Anyway, to some up everything: 1) no, we still don't have any evidence
for a Word Perfect specific virus; 2) operator errors or disk
corruption can affect document files and 3) "there are some programs,
Dr. Slade, man was not meant to delve into!" :-)
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 7]
****************************************
Downloaded From P-80 International Information Systems 304-744-2253
