VIRUS-L Digest   Monday,  6 May 1991    Volume 4 : Issue 74

Today's Topics:

Found Tester Virus [TV] in LOG.COM (PC)
Found Tester Virus [TV] in LOG.COM (PC)
Virus lists for misc machines
Re: Viruses and Database Systems
F-prot v1.13 (PC)
Trident Microsystems/Packard Bell (PC)
F-PROT and FluShot problems
Re: can we trust diskette write-protection? (PC)
Listing of MIBSRV files. (PC)
help with mac "virus"? (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to [email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 02 May 91 09:48:58 -0500
From:    <[email protected]>
Subject: Found Tester Virus [TV] in LOG.COM (PC)

Interesting: We just obtained the new version of SCAN, NETSCAN, VSHIELD, &
CLEAN. Thru FTP.    Version numbers:
CLEAN.EXE 6.9V75,   SCAN.EXE 7.2C76,   NETSCAN.EXE V76,   VSHIELD.EXE 3.3C76,
VSHIELD1.EXE VSCRC 0.2
When I try:   SCAN c:\utils\log.com f:\utils\log.com       no virus...
However!! When I try:   NETSCAN C:\utils\log.com f:\utils\log.com
Virus is found!!:        C:\UTILS\LOG.COM
                          Found Tester Virus [TV]
                        F:\UTILS\LOG.COM
                          Found Tester Virus [TV]
BUT! I try to clean:    CLEAN C:\UTILS\LOG.COM [TV]
We get:                  Sorry, I don't know any thing about the [TV] Virus.

Question#1: Why does NETSCAN find the virus & SCAN not find the virus?
                            ----                  --------
Question#2: Why doesn't CLEAN get rid of the virus? Should I UUENCODE the
           file LOG.COM and send it to someone for testing?
Question#3: What harmful stuff will the Tester Virus [TV] do to us?
Question#4: Why is it only the LOG.COM file from PC-Magazine that I've had
           for several years that shows up as infected? Is it really not
           infected and just a bug in NETSCAN?
- _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ -
The note above contains my personal views and ideas. The above should
not be considered in any way a view of Columbus College.
- _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ -
Brian Daniel @ Columbus College, Computer Center, Woodall Hall Rm 113
BDaniel@USCN   Cougar Court, Columbus GA 31993-2399     (404)568-2063

------------------------------

Date:    Thu, 02 May 91 11:16:23 -0500
From:    [email protected]
Subject: Found Tester Virus [TV] in LOG.COM (PC)

More news on Tester Virus [TV]
I downloaded CLEAN76.ZIP from   128.237.253.5 /pub/virus_scan & ran it:
CLEAN C:\UTILS\LOG.COM              (I ran norton wipefile f:\utils\log.com
Cleaning [TV]                       earlier to fix the file server...)
Scanning C:\utils\log.com
  Found Tester Virus [TV]
  Virus cannot be safely removed from this file.
  Do you want to overwrite and delete "LOG.COM" [Y/n]

I had a backup of the file in case there is a fix for this in the future. I
labeled the disk 'DANGER Found Tester Virus [TV]'

I'll redownload scanv76.zip and see if that solves the problem of scan.exe
not finding the virus. Vshield didn't find it either. hmmm...
- _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ -
The note above contains my personal views and ideas. The above should
not be considered in any way a view of Columbus College.
- _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ -
Brian Daniel @ Columbus College, Computer Center, Woodall Hall Rm 113
BDaniel@USCN   Cougar Court, Columbus GA 31993-2399     (404)568-2063

------------------------------

Date:    02 May 91 16:36:17 +0000
From:    [email protected] (Scott Hinckley)
Subject: Virus lists for misc machines

If you know of/have a list of viruses affecting various machines (Mac,
IBM, AMIGA, UNIX, etc.), I would be interested in getting it. I am not
looking for the code per se, merely a list of names and the machine(s)
they can infect. A description of their effects would be appreciated,
but by no means necessary for this compilation.
(I will of course post a summary)
Thank you,
--
<<<<<<<<<<<Scott Hinckley<<<<<<<<<<<<>>>>>>>>>>VW&Apple][Forever!!!>>>>>>>>>>
Internet:[email protected]|UUCP:...!uunet!uw-beaver!bcsaic!hsvaic!scott
DISCLAIMER: All contained herein are my opinions, they do not|+1 205 461 2073
represent the opinions or feelings of Boeing or its management|  BTN:461-2073

------------------------------

Date:    02 May 91 22:10:27 +0000
From:    [email protected] (Fridrik Skulason)
Subject: Re: Viruses and Database Systems

Ramzi A. Haraty writes:
>Greetings,
>       Does anybody know how to handle viruses in a database system?

Well, for now you can just ignore them - they don't exist.  :-)

Seriously though - a virus can only INFECT executable code, not data
items in a database.  The data items can be CORRUPTED by a virus, but
not in a way that will spread the infection.

For example, there exist two viruses targeted against dBASE, known as
'dBASE-virus' and 'DBF-blank virus'.  Both are extremely rare, and it
is doubtful if they exist "in the wild".  They both corrupt database
information, but they do not infect the database itself.

-frisk

------------------------------

Date:    Thu, 02 May 91 21:16:02 -0700
From:    [email protected] (Rob Slade)
Subject: F-prot v1.13 (PC)

[email protected] (Juha Hemminki) writes:

> I would like to know why the version of F-chk I have (1.13) wants to
> write a temporary file called LZ__TEMP.TMP to DOS current directory.

F-FCHK will check compressed LZEXE format files.  In order to do so, it
has to decompress them.

=============
Vancouver          [email protected]   | "Don't buy a
Institute for      [email protected] |     computer."
Research into      (SUZY) INtegrity         | Richards' First
User               Canada V7K 2G6           | Law of Data
Security                                    | Security

------------------------------

Date:    Fri, 03 May 91 10:39:46 -0400
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Trident Microsystems/Packard Bell (PC)

If the reports I am getting can be believed, Packard-Bell computers are
STILL being sent out and sold with virus(es) on the distribution disks.

When first reported last December, it was bad enough and I have had the
opportunity to receive some sealed distribution disks that, when opened,
did contain the MusicBug virus. For the condition to continue nearly six
months later would seem to me to be actionable.

That the MusicBug now seems to have been replaced (or possibly augmented,
they should be able to co-exist) by the Azusa on the SVGA disks is
bordering on the ridiculous but is not unique: Recently I received a set
of Video driver disks that a user brought in with his laptop labeled
CAF. These were infected by the Aircop in such a way as to indicate to
me that the disks were infected before the files were copied onto the
disk.

I am not sure what the remedy is for manufacturers who distribute viruses,
but have felt for some time that our legal system needs to get involved.

                               Warmly,
                                       Padgett

   (obviously, my employer may not share my opinion on this matter)

------------------------------

Date:    Fri, 03 May 91 17:10:20 +0000
From:    [email protected] (cs106132)
Subject: F-PROT and FluShot problems

  Hello,
I was testing the new release of F-PROT 1.15a the other day, and came
across an interesting problem.  It happened when a variant of 4096 was
active.  Since F-PROT did not know this strain, it could not detect
it.  This is expected as the documentation hints.  However, when I ran
F-OSCHK, the virus infected the system files (IBMBIO....), the result
was a non-bootable hard disk.  This indicates that F-PROT can actually
contribute to the spread of this kind of virus.  This is not a bug
type of thing, it is a design flaw!
  I repeated the same test using FluShot+ (1.81), the same thing
happened in a slightly different manner.  But the system again became
impossible to boot from the hard disk.  I had to run SYS C: to restore
the sanity of the system.  Any comments?

Regards,
Tarkan

------------------------------

Date:    Fri, 03 May 91 09:44:12 -0700
From:    jesse%[email protected] (Acer - Jesse Chisholm)
Subject: Re: can we trust diskette write-protection? (PC)

[email protected] (Mark Aitchison, U of Canty; Physics) writes:
| Possibly, the reason why it sometimes fails, other than obvious loose
| wires, is because of light bouncing around the diskette drive.
| ...
| Someone may be able to answer the
| question as to whether the circuitry uses synchronised pulsed light,
| or plain light (the latter would mean daylight from outside the
| computer could nullify the protection system).

I don't know about the pulsed or steady light, but I do know that if I
leave the cover off my machine, the fluorescent lights totally confuse
the drive as to whether there is or isn't a write protect tab on the
floppy.  I have had no trouble with silvered tabs, but then, the brand
I buy usually comes with black ones.

------------------------------

Date:    Sat, 04 May 91 14:09:33 -0500
From:    James Ford <[email protected]>
Subject: Listing of MIBSRV files. (PC)

This is a listing of files available for downloading from 130.160.20.80
(MIBSRV).  This list is current as of May 2, 1991.  Sorry for not posting
the IP address in the earlier announcement.

James Ford - [email protected]

--------------------- uploads to 00uploads -----------------------------
00uploads/     htscan12.zip   unvir902.zip   vc200ega.zip   vshld77.zip
0REVIEWS/      innoc.zip      uu-help.text   vcheck11.zip   vstop54.zip
0files.9104    m-disk.zip     uudecode.pas   vcopy74.zip    vsum9104.txt
INDEX.291      navupd01.zip   uuencode.pas   vdetect.zip    vsum9104.zip
MsDosVir.291   netscn77.zip   uxencode.pas   virpres.zip    vtac48.zip
MsDosVir.690   pkz110eu.exe   vacbrain.zip   virsimul.zip   wp-hdisk.zip
MsDosVir.790   scanv77.zip    vaccine.zip    virstop.zip    xxdecode.bas
avs_e224.zip   secur222.zip   vaccinea.zip   virusck.zip    xxdecode.c
clean77.zip    sentry02.zip   validat3.zip   virusgrd.zip   xxencode.c
fprot114.zip   shez59.zip     validate.crc   vkill10.zip    xxencode.cms
fshld15.zip    trapdisk.zip   vc140cga.zip   vshell10.zip   zzap54a.zip

------------------------------

Date:    05 May 91 04:44:21 +0000
From:    [email protected] (Snugglupagus)
Subject: help with mac "virus"? (Mac)

recently, we've come across a problem with one of the macs in our lab.
we really don't know if it's a virus or not, but it does act something
like one.  anyway, here are the symptoms:

- the mac has a 40 meg hard disk
- there is only about 16 meg of software installed
- both the finder and mactools report 38 meg used, 2 meg free
- disinfectant can't find anything, and neither can virus detective
- there are no hidden files anywhere on the disk (if there are, neither
  mactools nor resedit can find them)
- the "virus" hasn't spread to any of our other macs

what we really want to know is: is this some sort of new virus, or is
our mac just confused?

thanks in advance,

snugglupagus
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 "Steppin' on toes is a common routine    |  Send email/flames to:
  Sneakin' up from behind                 |     [email protected]
  You won't get anywhere                  |-----------------------------------
  Dancin' out of time" - Deborah Gibson   |  Disclaimer:  It's all mine!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 74]
*****************************************
