VIRUS-L Digest   Tuesday, 26 Nov 1991    Volume 4 : Issue 227

Today's Topics:

Request for help on getting ".CVP" documents.
PC Week's Skatt Column of Nov 11th: Word Perf. & Virus? (PC)
"Tequila" virus (PC)
What the user wants (was Re: Disk Compression) (PC)
Latest version of McAfee Scan?? (PC)
What's special about LAN's? (PC)
Re: McAfee84 fails on Stone, Azusa and Joshi? (PC)
Telefonica (PC)
Michelangelo Virus (PC)
VIRUS: DIR-II (PC)
Lamer Exterminator (Amiga)
Re: Washburn
Possible Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Sat, 23 Nov 91 22:19:59 -0800
From:    [email protected] (Rob Slade)
Subject: Request for help on getting ".CVP" documents.

cooper%[email protected] (APACHE::COOPER) writes:

> Dear Gentlemen of Virus-L.
>
>       When I was subscribed to the list, someone (sorry I forgot
> your name) was posting instructional files with the extension of
> ".CVP".  Is there somewhere that I can do a database search for that
> string?  Or do I have to download all the archives via FTP then
> search?  Or maybe the kind gentleman can send me all those files?

While the kind gentleman is glad that his writing is appreciated, no, he
is not going to send copies all over the net.  He hasn't the time, nor
the bandwidth.

The .CVP files are archived on the bulletin boards of both Microcom and
McAfee Associates.  They are also available on Cyberstore, the X.75
address of which is contained in my sigblock.

On the question of where to find the Bontchev article, I refer you to the
original posting by Ken.  cert is cert.sei.cmu.edu.  If you need more
help than that, wait for Jim Wright's excellent postings every month or
contact Ken.

=============
Vancouver        [email protected]   | "If a train station
Institute for    [email protected] |  is where a train
Research into    CyberStore               |  stops, what happens
User              (Datapac 3020 8530 1030)|  at a workstation?"
Security         Canada V7K 2G6           | Frederick Wheeler

------------------------------

Date:    Sat, 23 Nov 91 21:58:54 -0800
From:    [email protected] (Rob Slade)
Subject: PC Week's Skatt Column of Nov 11th: Word Perf. & Virus? (PC)

[email protected] (Rich Travsky) writes:

> This certainly sounds goofy. Anyone have any idea what the Katt's
> talking about?

I think you hit it bang on the money.  Spencer's rumours regarding viri
generally rank in accuracy with the Weekly World News.

=============
Vancouver        [email protected]   | "If a train station
Institute for    [email protected] |  is where a train
Research into    CyberStore               |  stops, what happens
User              (Datapac 3020 8530 1030)|  at a workstation?"
Security         Canada V7K 2G6           | Frederick Wheeler

------------------------------

Date:    Sun, 24 Nov 91 23:11:13 +0700
From:    Myron Seto <K3006E7%[email protected]>
Subject: "Tequila" virus (PC)

I used software by the Ikarus Corp. and found a virus called
"TEQUILA" on my hard disk.  Would anyone know what is available to get
rid of this virus and where I can get it?  Any help is greatly
appreciated!  (I would much prefer a private e-mail response due to the
large number of postings to this newsgroup.)

Myron

------------------------------

Date:    Mon, 25 Nov 91 16:41:00 +1300
From:    "Mark Aitchison, U of Canty; Physics" <[email protected]>
Subject: What the user wants (was Re: Disk Compression) (PC)

padgett%[email protected] (A. Padgett Peterson) writes:
> I take a more optimistic view: DOS is just a program and when properly
> understood can be both controlled and trusted. The hard part is
> designing a mechanism that is applicable to 60+ (or whatever) million
> existing platforms, installs automatically & seamlessly, is compatible
> with all known applications, and uses no memory.

I agree. Firstly that DOS can be made a lot more secure, and secondly on the
problem of existing hardware & software being made safe enough. Not that
the problem is entirely the lack of special hardware on the older machines,
although a 386 or better is preferable; rather it is hard to get existing
users to bother with any virus protection at all, whether it is 100% perfect
or not.

I appreciate what Vesselin Bontchev is saying, but it is from the perspective
of total security, and what some future viruses (and a few present ones) might
be able to do.  It is worthwhile spending some time on such questions, but it
is also reasonable to answer questions like: "What use is a virus protection
system that only offers partial protection?". It shouldn't be a rhetorical
question; this is what I think the answer is...

As I see it, it is hard to get users to make the effort unless it is either
built into the operating system or provides some other advantage that is
worthwhile (like extra disk space), or preferably both.  If it is possible
to knock the main viruses on the head, by (for once) having the majority of
PC's stopping/slowing the spread of the main viruses, then this could have a
major impact both on those individual viruses that have reached epidemic
proportions PLUS (I guess) a psychological effect to discourage new virus
production.

NOTES:
(1) The combination of read-protection (via DMDRVR.BIN or DISKSECURE or
DISKGARD) plus SuperStore (I had included Stacker as an option; I think only
SuperStore works with DMDRVR partitions - someone may like to check that),
that I mentioned, isn't enough in itself. You need virus protection and
something like F-PROT as well. However, the important point is that it is a
good starting point, not so much from the anti-virus perspective - an unlikely
combination, since the main ingredients weren't designed as such - rather from
the question of what is attractive to the majority of users that have ignored
anti-virus products in the past.

(2) You could argue that making it tougher for a virus to survive makes it more
of a game for virus writers. Well, it is tougher still for viruses on Unix
and VMS systems, but you don't see a lot of viruses there. Unix systems are a
special case perhaps, due to hardware differences, but I suspect the main
reasons there aren't plagues of VMS viruses are: (a) Virus writers don't give
the idea of tackling VMS a second thought, and (b) Users of the system are
more security conscious, because they know the operating system is "serious"
about security. PC's are considered "easy meat" by virus writers.

It seems to me that discussing relatively simple, cheap, POPULAR antivirus
techniques would be rewarding for the PC user community as a whole. Sure, we
have to avoid people thinking they have a totally secure system, so long as
a lot of people adopt at least a reasonable amount of security.  Possibly a
new "secure DOS" is it. Possibly a hardware add-on that gives security plus
something else that is attractive.  Overall, the problem is selling the idea
to users... not only the idea of any security at all, but the concept that
it is not (can never be) 100% effective (as anyone determined enough, with
a big enough sledgehammer, can always beat any security system) - yet is worth
having.

Mark Aitchison.

------------------------------

Date:    Mon, 25 Nov 91 04:58:54 +0000
From:    [email protected] (Simone Douglas 577-0108)
Subject: Latest version of McAfee Scan?? (PC)

What is the latest version of McAfee Scan?

Also is there a program that can check floppies for viruses using
McAfee Scan immediately upon placing the floppy in the drive?

thank you

------------------------------

Date:    Sun, 24 Nov 91 21:55:00 -0700
From:    TED SHAPIN <[email protected]>
Subject: What's special about LAN's? (PC)

What, if anything, is special about viruses on a LAN?  Is it simply a
matter of needing to scan all the network drives when looking for
possible viruses?

------------------------------

Date:    25 Nov 91 13:36:05 +0000
From:    [email protected] (Robert Turner)
Subject: Re: McAfee84 fails on Stone, Azusa and Joshi? (PC)

[email protected] (McAfee Associates) writes:
>If you want to prevent your PC's from being booted from a floppy disk,
>you may want to consider a new BIOS that will allow you to "lock out"
>boots from the floppy drives, or a card that will do something similar.

The simplest form of protection from booting from floppies that we
have found is hard-wiring the floppy disc to be the 'b' drive, then
assigning it back as part of boot-up.

Combining this with a partitioned disc, and a write-protect on the 'C'
drive, means that our classroom machines are (almost) impervious to
viruses. However, we have had to write a new front end to FORMAT, this
procedure will only work on single drive machines, and the command
'COPY A: B:' will no longer work. Small cost for an uninfected
environment.

Rob

--
________________________________________________________________________
/                            |                                           \
|        Rob  Turner         |    email : [email protected]     |
|     Brunel University      |                                           |
|      London, England       |            Tuppence of trivia             |
\____________________________|___________________________________________/

------------------------------

Date:    25 Nov 91 13:57:38 +0000
From:    [email protected] (Robert Turner)
Subject: Telefonica (PC)

hi

We have recently been inundated with a new (to us) virus, called
Telefonica (AKA Spanish Telecom, Anti-Tel). Before new software was
acquired, this virus managed to run its course on a few machines, and
we have been left with some dead PCs.

Does anyone have experience of this virus, and if so, can they tell me
how to recover a totally corrupted hard disc?

Also, is there any way of removing this virus safely from a floppy disc?
Norton is erratic, and seems to wipe the contents of the disc two or
three times more than saving the data. Scan (McAfee) recognises the
virus but cannot remove it. We have been removing all files,
re-formatting the disc, then replacing files, but there must be a more
elegant method than this.

Thanks in advance,

Robert Turner

--
________________________________________________________________________
/                            |                                           \
|        Rob  Turner         |    email : [email protected]     |
|     Brunel University      |                                           |
|      London, England       |            Tuppence of trivia             |
\____________________________|___________________________________________/

------------------------------

Date:    Mon, 25 Nov 91 17:14:07 -0500
From:    Scott Bringen <[email protected]>
Subject: Michelangelo Virus (PC)

I recently discovered that my 386 compatible was infected with the
Michelangelo virus. I had downloaded the Windows version of McAfee's
VSCAN84.ZIP and ran a quick test after installing it into Windows. I
had been running a previous version of VSCAN and had not detected viruses.
But version 84 picked up the Michelangelo virus on the boot sectors of my
C: HD and about half of the floppies used on my A: drive. I quickly
downloaded CLEAN84.ZIP and cleaned my hard drive and floppies. After
doing a cold reboot VSCAN reported 'no viruses found'. Later, I ran
the validation program included in the ZIP file. The HEX patterns matched.
Since this is my first run-in with computer viruses, will someone
please explain what Michelangelo (a boot sector virus) does to PCs?
And can I be confident that CLEAN84 did *really* remove it from the
disinfected disks?

Thanks for any replies,
Scott Bringen ([email protected])

------------------------------

Date:    Tue, 26 Nov 91 09:14:03 +0700
From:    avi enbal <[email protected]>
Subject: VIRUS: DIR-II (PC)

HELLO THERE !!!
I heard & read about the viruses above (DIGEST-4).
We tried all kinds of anti-viral software (CLEAN 84, F-PROT, etc.). All of them
informed me about "my" viruses; NO ONE of them CLEANS this virus.
Your concept is requested as QUICKLY as possible.

                                         Avi Enbal
                                         University of Haifa
                                         Computer Center
                                         972-4-240777

------------------------------

Date:    Tue, 26 Nov 91 11:30:39 +0000
From:    [email protected] (Maarten Berggren)
Subject: Lamer Exterminator (Amiga)

(Posting this both to comp.virus and to comp.sys.amiga.misc,
because it seems like just a few amiga-owners read comp.virus)

Yesterday, my amiga locked up when I booted it. (After some loading
from the disc, the AmigaDos-window just froze.)  I found out that
the cause of this was the ARP 'mount ff0: ff1:'. Further investigations
revealed that it was the 'Lamer Exterminator'-virus that caused the
lock-up.

My Amiga has the 1.2 kickstart; I don't know if the virus will lock up
later versions as well.

So, if you have an Amiga with kickstart 1.2 and you use ARP and the
cli/shell-windows freeze when you mount FastFileSystem, it might be
the 'Lamer Exterminator'-virus...

Mårten Berggren  ([email protected])

------------------------------

Date:    Tue, 26 Nov 91 16:46:00 +0200
From:    Y. Radai <[email protected]>
Subject: Re: Washburn

 Bill Murray challenges my posting opposing Frisk's recommendation to
ignore the software of Mark Washburn or any other virus author.  Well
well, Bill, I felt pretty sure that my posting would bring you out of
the woodwork, and I see I wasn't wrong.

>>And Mark's viruses are not destructive.
>
>Patently false.

When making a statement like this, it is customary to produce *evidence*,
not merely to rely on words like "patently" as if that settled
everything.  My statement that they are *not* destructive can
be checked in any of the usual virus catalogs.  (Of course, they and
I are using the term "destructive" in its usual sense of deleting or
overwriting files, destroying the FAT, formatting disks, etc.)

>                   we must, in our own collective interest, punish the
>behavior, without regard to its perpetrator, his intent, or subsequent to
>his meaning.  ....
>                                We should ignore, indeed we should
>ostracise, any and all who intentionally or knowingly release a virus.

These statements are not truths, but merely opinions.  My opinion is
that we should weigh the benefit of such punishment against the benefit
of providing knowledge of (what I believe to be) a good product.

>The author of this posting clearly believes that the intent of the author
>is important; it is not.

Again, that's just opinion, and I disagree.  And so does the law;
otherwise there would be no difference between murder and manslaughter.
The end result is the same, but the punishment is different,
and that's what we're talking about here: punishment.

>While the author of a virus can be expected to know a little bit about
>the machine in which some copies of his creation will execute, he cannot
>know about all of them.  While he may be able to predict how it will
>behave in a particular machine, he can only speculate as to how it will
>behave in a population, all the salient characteristics of which he
>cannot possibly know.

Agreed.  Therefore (1) Washburn's release of the virus was a mistake,
and (2) I would never *encourage* releasing of a virus.  But *given
the fact that it HAS ALREADY BEEN RELEASED*, I question the value of
boycotting a good product.

>To assert otherwise is hubris.

Funny, I would have sworn that to assert otherwise was arrogance.  And
here it turns out to be hubris!  Just goes to show that you learn
something new every day ....

                                    Y. Radai
                                    Hebrew Univ. of Jerusalem, Israel
                                    [email protected]
                                    [email protected]

------------------------------

Date:    Tue, 26 Nov 91 10:32:13 -0500
From:    Eric Carlson <[email protected]>
Subject: Possible Virus (PC)

Microcomputer software support
Northern Virginia Community College, Annandale, Virginia

In one of our computer labs some students have been getting a message while
using dBase. The message says "slyder says ..." with quotes. It is at
another campus, so I won't be able to check it out this week for specifics.
Scanv84 says the PC is clean. I haven't had a chance to run F-PROT analyze on
the machine yet to look for suspicious code. It may just be something that one
of the students did, or it could be a virus. The message seems to be on the
ASSIST line at the bottom. Did someone just add a message to dBase III+?

-- Thanks - Eric

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 227]
******************************************