Return-Path: <VIRUS-L@ibm1.cc.lehigh.edu>

Return-Path: <[email protected]>
Received: from csmes.ncsl.nist.gov (macbeth.ncsl.nist.gov) by csrc.ncsl.nist.gov (4.1/NIST)
id AA19093; Sat, 30 May 92 13:13:35 EDT
Posted-Date: Sat, 30 May 1992 12:57:31 EDT
Received-Date: Sat, 30 May 92 13:13:35 EDT
Received: from IBM1.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
id AA08879; Sat, 30 May 92 13:11:53 EDT
Message-Id: <[email protected]>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 8850; Sat, 30 May 92 13:05:34 EDT
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id
1534; Sat, 30 May 92 13:05:20 EDT
Date: Sat, 30 May 1992 12:57:31 EDT
Reply-To: [email protected]
Sender: Virus Discussion List <[email protected]>
Comments: Warning -- original Sender: tag was [email protected]
From: "The Moderator Kenneth R. van Wyk" <[email protected]>
Subject: VIRUS-L Digest V5 #111
Comments: To: [email protected]
To: Multiple recipients of list VIRUS-L <[email protected]>
Status: R
VIRUS-L Digest Saturday, 30 May 1992 Volume 5 : Issue 111

Today's Topics:

Re: different viruses causing 2k loss in memory (PC)
Re: Can a virus survive being pkzipped or otherwise compressed (PC)
Re: Zipped Viruses (PC)
Re: changed virus names in scan (PC)
Re: Detecting the MtE (PC)
Re: different viruses causing 2k loss in memory (PC)
Re: Zipped Viruses (PC)
Warning: Troi Two (PC)
2k memory loss (PC)
Re: different viruses causing 2k loss in memory (PC)
re: different viruses causing 2k loss in memory (PC)
Re: Different viruses causing 2K loss in memory (PC)
Re: changed virus names in scan (PC)
Virus or hard disk problems ? (PC)
VIRx version 2.3 released (PC)
Re: PC\MS DOS based Viruses & OS\2 2.0 (PC) (OS/2)
Looking for virus researchers in China
VIRX23.zip (VIREX-PC update) (PC)
McAfee VIRUSCAN V91 uploaded to SIMTEL20 (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Wed, 27 May 92 04:10:38 +0000
>From: [email protected] (Peter Welsby)
Subject: Re: different viruses causing 2k loss in memory (PC)

[email protected] (Cem S. Sutcu) writes:

>Here in our univ's computer labs, we have a virus (or more?) causing 2k loss
>in conventional memory.
>We have found out it by using chkdsk. It showed 653K instead of 655360 bytes.
>Scanv89b has alerted no suspicious finding. Neither CPAV 1.1 did.

Gidday Cem

Are you sure that it IS a virus if it does not show up ???

For example, some recent Unisys's bought here showed the same
symtom - 2 Kb lost (from the top of normal RAM) but no allerts.
(btw, these were shipped this way).

A bit of investigation showed that the 2 Kb was being grabbed by
the SCSI drive controllers! Those without SCSI controllers
were OK.

It might be worth wile checking this out ...

Pete
- --
=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=
Peter Welsby (Snr.Lab.Tech - PC.Dev) email: [email protected]
Ag.Chem, Dept.Primary.Ind, Meiers Rd, voice: + 61-7-877-9489
Indooroopilly, QLD, 4068, AUSTRALIA fax : + 61-7-371-6436

------------------------------

Date: 27 May 92 08:16:32 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Can a virus survive being pkzipped or otherwise compressed? (PC)

[email protected] (Robert Slade) writes:

> A virus can and will survive being ZIPped, ARCed, ARJed, LZHed,
> UUENCODEd, Binhexed or otherwise encrypted, decoded or compressed.

The virus - maybe, but the program (if infected by some viruses) might
not... If the program is infected by viruses like Number of the Beast,
1963, Int13, or Dir II, and if the virus is not active in memory when
you archive the infected files, these filess will not be able to run
after you unarchive them. They will be still able to release the
virus, though...

Regards,
Vesselin

P.S. Just a thought - most companion viruses will probably not survive
if you compress the "infected" files - at least if you specify the
right extensions... :-)
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 27 May 92 10:26:26 +0200
>From: Magnus Olsson <[email protected]>
Subject: Re: Zipped Viruses (PC)

[email protected] writes:

[excellent description of stealth viruses deleted]

Thanks for a very informative article! There's one point I think
you're missing, though, when describing the dangers of using scanners
on an infected system:

>Here's what happens: Your virus scanner is infected with a stealth,
>fast infecting virus. It isn't currently active. You run the scanner,
>telling it to scan your entire hard drive. First the virus gets control:
>It goes resident, takes over, then runs the scanner. Now the scanner
>attempts to perform a self-check on its file. This detects nothing,
>because the virus disinfects the file as it reads it. Now your scanner
>goes through your entire hard drive, reading all programs. Not only
>does it have no chance of catching the virus in any program, but every
>program (even ones which weren't infected before) will get infected!!!

At least McAfee's scanner doesn't only check files on the disk and
make a self-check, but also scans memory for viruses before doing
anything else. Doesn't this cure the above problem, as the
memory-resident stealth virus would be detected in memory?

Magnus Olsson | \e+ /_
Dept. of Theoretical Physics | \ Z / q
University of Lund, Sweden | >----<
Internet: [email protected] | / \===== g
Bitnet: THEPMO@SELDC52 | /e- \q

------------------------------

Date: 27 May 92 08:22:12 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: changed virus names in scan (PC)

[email protected] (Martin Zejma) writes:

> Recently I got a floppy containing a sample of the Ghostball Virus,
> named so by an austrian anti-virus program. When I SCANed it , Scan V
> 89b told me it was contanimated with the Lisbon Virus. So I took it
> home, compared it with other samples and voila it was exactly the same
> as the old Vienna Dos 62 Virus. So I digged through my ancient Scan
> versions, and ran each against the same sample :

SCAN is -very- unreliable for virus identification. NEVER believe it
anything it says about the virus name, number of viruses found, or the
virus' properties (in VIRLIST.TXT). The only thing it does pretty good
is to tell you whether the object (file or boot sector) is infected
(with anything) or not.

> So I tried other scanners , too ( only newest versions )
> Virex detects "Vienna 2 - 1", Htscan using the Virscan signatures detects
> "Vienna Related" (fits always :), and Fprot says "Vienna (Reboot)".

Your later description shows that F-Prot guessed it right. Dr.
Solomon's Anti-Virus ToolKit has better identification, but still not
good enough (it doesn't always make the difference between variants
which differ only in some text or constant fields).

> Only using one scanner, you can get up to 6 different versions of a virus
> without changing a single bit.

Yes, this shows very well the existing naming problem... We are
working on a standard set of virus names; you can get the current
results from our ftp site (directory pub/virus/texts/tests).

> BTW, the sample was different in one point from all other different samples
> of the Vienna Virus:
> When destroying a program , the begin is being overwritten with
> 'EA 0FFF00 F0' , resulting in a warmboot when the program gets started.
> And in the new sample the 'EA' is replaced with '20' resulting in junk code
> which hangs the computer. Fprot detects this as 'Vienna - D', all others
> don't seem to care about that byte.So is this a 'official' variant or
> has someone viewing the code just scrambled that piece ?

Hmm, difficult to say... I didn't know about the existence of this
variant. The "original" Vienna.648, as published in Ralf Burger's
book, had five times '20' there (and a slight bug in the PATH
environment searching routine). The Vienna.648.Reboot variant has 'EA
0FFF00 F0', as you mentioned.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany

------------------------------

Date: 27 May 92 08:44:06 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Detecting the MtE (PC)

[email protected] (Vesselin Bontchev) writes:

> MtE. Of those 9,471 infected examples 3 turned out to be duplicates,
> which yelded to 9,468 different instances of the virus. It also means

Correction: a fourth duplicate has been found later. Therefore the
total number of generated different mutations used during the test is
only 9,467.

> Currently I am aware of the existence of at least three other scanners
> which claim 100 % detection of the MtE. One comes with the new version
> of V-Analyst III, the second has been designed by IBM, and the third
> is Dutch scanner. As soon as we get them we'll re-run the tests.

We tried out the Dutch scanner. Its authors were present during the
test. When they saw the results, they decided that the program is not
ready to be tested yet and promised to send us a fixed version soon...
:-)

We just received the V-Analyst III scanner; we haven't tested it yet.
As soon as the test is performed, I'll post the results.

Meanwhile we received and tested yet another scanner which claims "100
% detection of the MtE-based viruses". It is a German product, called
AntiVir IV and produced by H+BEDV. The version tested was 4.03 of May
15, 1992, beta version. It missed 584 mutations (6.17 %).

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany

------------------------------

Date: 27 May 92 08:52:08 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: different viruses causing 2k loss in memory (PC)

[email protected] (Cem S. Sutcu) writes:

> We have found out it by using chkdsk. It showed 653K instead of 655360 bytes.

You mean that it showed 638 Kb, instead of 640. (653312 bytes instead
of 655360.)

> Some people say this virus is sigalit, and some say it is cocain
> virus and fina lly some say it is cansu virus (a turkish name -
> probably the first turkish virus|). As they say each of them causes
> the same problem : 2k loss.

I have NEVER heard about ANY of the three viruses mentioned. Can you
supply more information? Are they file or boot sector infectors? How
to the Western anti-virus programs call them? Do they detect them at
all?

> My questions : 1. might they be the same virus?

I can answer this question only if I get a copy of all the three
viruses.

> 2. Is there an antivirus package that can clean either of them?
> thanks

I can't answer this question until I learn more about these viruses.
If they are master boot sector viruses (like Stoned), then you don't
need an anti-virus program - boot from a DOS 5.0 system diskette and
run FDISK /MBR - this will disinfect your hard disk. If they are boot
viruses, boot from the same DOS version as the one which is installed
on your disk and run SYS C:. If they are stealth file infectors, I can
show you a method to disinfect the files by using only an archiver
(ARJ). But I need more information about the viruses...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany

------------------------------

Date: 27 May 92 09:22:45 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Re: Zipped Viruses (PC)

[email protected] (A. Padgett Peterson) writes:

> And then of course we have the new order: compressed disks e.g.
> SuperStor & Stacker. These work just fine since what a scanner "sees"
> is the uncompressed code so don't really count. (IMHO this is going to
> put individual file compression out of use since you can only compress
> once effectively - recently

Individual file compression is still useful if you need to put as many
program on as few floppies as possible... This is often a requirement
for a travelling virus buster... :-)

> saw an advt for "something" that purported to compress 2:1 on each
> pass & 8 passes would give 16:1 compression. Not only is something
> wrong with the math

The way it was advertized was silly, of course. The truth is that the
method is rather good for compressing some kind of visual information
- - like aerophotos. It approcsimates the picture with fractals and then
stores only the functions that generates the fractals. Of course, it
does not work for ANY files, as it has been advertized...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 27 May 92 09:56:44 +0000
>From: [email protected] (Brian Marriott)
Subject: Warning: Troi Two (PC)

I've just isolated what seems to be a new strain of PC virus, which
isn't picked by the most recent readily available versions of
SCANV (89) or F-PROT (203).

It has been infecting our laboratory of public-access PC's.

Briefly, the virus has been found infecting .EXE files, where it
appends itself to the end, adding 512 bytes. I haven't found it in
a .COM file yet, but neither have I had a chance to check this
thoroughly nor to deliberately expose one to infection. It seems to
infect programs as they are executed.

It's sufficiently buggy that it renders most programs inoperable
after infection. I haven't yet attempted to disassemble it to find
out what it's supposed to do. The most obvious symptom of
infection is that the PC hangs trying to write to a write-locked
floppy disk, if an attempt is made to run a program from that disk.

The 512 bytes includes the string 'Troi Two', so I presume that's
what to call it. I've so far been able to get positive
identification (with F-PROT) using the signature string:
'1E06B42ACD2181F9C8077211770681FA' but I've no guarantee that this
will pick up an infected .COM file, if one were to exist.

Brian

- -----------------------------------------------------------------------
Brian Marriott, Department of Computer Science, University of Tasmania
Mail: GPO Box 252C, Hobart, Tasmania 7001, AUSTRALIA. Ph: +61-02-202929
Internet: [email protected] Fax: +61-02-202913

------------------------------

Date: Wed, 27 May 92 08:13:42 -0400
>From: [email protected] (A. Padgett Peterson)
Subject: 2k memory loss (PC)

>From: Cem S. Sutcu <[email protected]>
>Subject: different viruses causing 2k loss in memory (PC)

>Here in our univ's computer labs, we have a virus (or more?) causing 2k loss
>in conventional memory.
>We have found out it by using chkdsk. It showed 653K instead of 655360 bytes.

>2. Is there an antivirus package that can clean either of them?

I have not seen a "cansu" virus (though suspect that I will shortly) however
the 2k loss from the Top of Memory (TOM) (reduction in "655360 total bytes
memory) is almost certainly an MBR or Boot Record virus.

When dealing with something "unknown", manual tools work well e.g. DEBUG.
My first action would be to use DEBUG to examine the "missing" memory with
the D(ump) command: "D 9F80:0 L 800" (800h = 2k). If mostly nulls, then it may
just be a ROM data area such as DOS 4.x uses (though that is only 1k). If full
of code, I get suspicious. The only "code" use of this area I know of is

1) the transient portion of COMMAND.COM - but the memory won't be missing.
or
2) some access control programs (e.g. my DISKSECURE but you should know if
that is present).

Note: some MBR infectors practice "stealth" with regard to disk access.
"stealthing" absolute memory locations is much more difficult.

Next, if the area was full of unknown code, I might just zero it out:
"F 9F80:0 L 200 0" and see if the system crashes on the next disk access.
(Won't crash if transient COMMAND.COM).

More likely, I'll pull out a known clean bootable floppy with DEBUG and start
looking at the MBR and DBR sectors for "suspicious" code.

Once I've determined that what is in one or more sectors is not what is
supposed to be there, I extract the "necessary" information (Partition table
if MBR or BPB if Dos Boot Record, place it into known safe code, and replace
the questionable sectors. The MBR process is automated with FixMBR (available
for FTP as FixUtil3.ZIP on many archives) but I have not completed FixDBR yet
so you have a choice of using the SYS.COM that came with DOS or rebuilding
it by hand.

If you have DOS 5.0, you can also use FDISK /MBR to replace the MBR code.

The final case exists if you can boot with the hard disk but booting from
floppy does not find the partitions. Luckily, there are only a few viruses
that exhibit this behaviour but special virus-specific techniques are needed.

Warmly (90+ today)

Padgett

ps Now that the virus is removed from the machine, it will most likely be
necessary to examine mountains of floppy disks since sich viruses are
usually (not always !) transmitted this way. -app

------------------------------

Date: Wed, 27 May 92 13:00:03 +0000
>From: [email protected]
Subject: Re: different viruses causing 2k loss in memory (PC)

[email protected] (Cem S. Sutcu) writes:

>Here in our univ's computer labs, we have a virus (or more?) causing 2k loss
>in conventional memory.
>We have found out it by using chkdsk. It showed 653K instead of 655360 bytes.

This *could* be a virus, one of the ways viruses go memory resident is
by altering the apparent size of memory in order to guarantee a spot where
the virus code will not be overwritten.

..*but*... before you panic, make sure that the cause isn't a benign
one. Some systems reserve some space at the top of memory for system
use. My own experience has been with an XT-clone in which CHKDSK shows
2K missing. I found by booting with several different DOS versions on
virus-free floppy disks that the 2K was always reported missing; it was
in fact the ROM BIOS that was setting the area aside.

As a first step I would advise that you try booting from a known-good
write-protected floppy disk (i.e., an original DOS system disk) and then
execute a known-good copy of CHKDSK (it will be present on the original
DOS system disk). If under these conditions you find that 2K is still
missing you can assume that the space was reserved by the ROM
BIOS or by your version of DOS. If the space is not reserved then maybe
you should worry. Run a good copy of CHKDSK (from a write-protected
floppy) after each of the programs you normally use. In this way you can
find which of your programs is altering the system parameters.

It was reassuring in the case of my own XT to examine the part of memory
in question and verify there was no meaningful code hidden there. On a
640K system you can see the upper 2K of memory by running DEBUG and
displaying the contents of this part of memory with the command:

- -d9000:f800 ffff

If I do this immediately after boot-up (before running any programs that
use large quantities of memory) I see mostly zeros, with a scattering of
bytes of other values. The zeros are left from the power-on self-test.
The other values are, I suppose, the result of whatever use the ROM BIOS
makes of that memory area. I had no difficulty convincing myself that no
executable code was present.

Albert S. Woodhull
School of Natural Science, Hampshire College, Amherst, MA 01002
413-549-4600 ext 581 (office), 413-549-4740 (home)
[email protected], [email protected]

------------------------------

Date: 27 May 92 11:27:13 -0400
>From: "David.M.Chess" <[email protected]>
Subject: re: different viruses causing 2k loss in memory (PC)

Cem S. Sutcu <[email protected]> asks about the CANSU virus,
and three signatures that have been given for it in Turkey.

The virus is indeed a master boot infector that takes 2K and
does a simple self-modification. Of the three signatures that
you give, only the first will ever appear in the master boot
record, and it will appear in only about one-third of
infections. The other two signatures are in the non-boot-sector
part of the virus, but they will be visible in memory if
the virus is active in the system. Here are three better
signatures for the virus; at least one will be found in
every infected MBR, and in memory if the virus is active:

31C0 8ED0 8ED8 8EC0 48 89C4 30E4 CD13 72FA
%s the Cansu virus.
Boot records. No mutants.
31C0 8ED8 8EC0 8ED0 48 89C4 30E4 CD13 72FA
%s the Cansu virus.
Boot records. No mutants.
31C0 8EC0 8ED0 8ED8 48 89C4 30E4 CD13 72FA
%s the Cansu virus.
Boot records. No mutants.

(This is the format that the IBM Virus Scanning Program uses,
but it should be readily convertible.) If you have the IBM
Virus Scanning Program version 2.2.1 or better, it will detect
the virus. The Cansu doesn't seem to have any destructive
effects; it will sometimes display a sort of "logo" when
booting an infected machine, but this shouldn't be counted
on for detection.

As for disinfection, since it's a normal master-boot-record
infector, you can use FDISK /MBR, or anything else that can
fix the master boot record code without altering the partition
table data (see previous talk in VIRUS-L about this).

DC

------------------------------

Date: Wed, 27 May 92 21:27:35 +0700
>From: [email protected] (Fridrik Skulason)
Subject: Re: Different viruses causing 2K loss in memory (PC)

I was unable to reply directly to a post by Cem S. Sutcu, as my mailer just
gave the following reply:

> ERROR: trmarunv not in EARN/BITNET routing tables
> 554 <[email protected]>... Service unavailable

So, I apologize for posting the following reply here...

In comp.virus you write:

>Some people say this virus is sigalit, and some say it is cocain virus and
>finally some say it is cansu virus (a turkish name - probably the first
>turkish vir

I have not heard of any of those, but it is possible that my anti-virus
package (F-PROT) detects the virus(es) under a different name. Have
you tried that program ? Even if the scanner does not detect it, the
heuristic analysis part should be able to detect it - it seems to detect
around 88% of totally new viruses.

> 2. Is there an antivirus package that can clean either of them?

Well, not as far as I know, but if you send a sample (either on a floppy disk
or as a xx/uuencoded E-Mail file) to any of the anti-virus software
producers, a disinfector should be available soon thereafter.

> -frisk

------------------------------

Date: 27 May 92 22:45:00 +0000
>From: [email protected] (Fridrik Skulason)
Subject: Re: changed virus names in scan (PC)

[email protected] (Martin Zejma) writes:

>Scan Vrs 0- 60 "Vienna (DOS 62) Version A "
> 62- 72 "Vienna (DOS 62) Version B " ( very interesting...)
> 75- 84 " Vienna / Violator Virus "
> 85 " Lisbon Virus " & "VHP Related Virus" (twice found)
> 86b " Lisbon Virus "
> 89b " Lisbon Virus " & "Generic Virus" ( twice again)

Not surprising, really - SCAN does not attempt any serious variant
identification. It is pretty good at finding out if a file contains a
virus signature, but don't rely on it for accurate identification. In
that respect, the best program is Alan Solomon's FINDVIRU, simply
because it calculates a checksum for the virus body in most cases. It
is not foolproof - in a few cases he has included a variable byte in
the checksumming range, so he occasionally (but VERY rarely)
identifies the same virus as the a and b variant (or whatever). My
own scanner performs a decent variant identification - just enough to
make sure the program does not damage the original program by
incorrectly disinfecting, but I don't necessarily notice insignificant
minor modifications.

> So I tried other scanners , too ( only newest versions )
> Virex detects "Vienna 2 - 1", Htscan using the Virscan signatures detects
>"Vienna Related" (fits always :), and Fprot says "Vienna (Reboot)".

>When destroying a program , the begin is being overwritten with
>'EA 0FFF00 F0' , resulting in a warmboot when the program gets started.

Yes, this is the standard "Reboot" variant.

>And in the new sample the 'EA' is replaced with '20' resulting in junk code
>which hangs the computer. Fprot detects this as 'Vienna - D', all others
>don't seem to care about that byte.

Well, that fits - this single byte is the only difference, and yes, it
is an "official" variant - I have had it for a long time, but I think
only I and Alan detect it as a special variant.

- -frisk

------------------------------

Date: Thu, 28 May 92 14:03:08 +0000
>From: [email protected] (Andy Ravenna)
Subject: Virus or hard disk problems ? (PC)

Last night my whole system seemed to go on the fritz... I booted off
of a clean floppy and started to investigate things.

First I ran "Qaplus" which came with my Gateway, and the DMA testing
on the Main Components menu seemed to freeze up. Does this mean the
DMA chip has gone bad ?

Secondly, I ran Norton Disk Doctor II and when Norton got to the last
55% of my 80 meg hard drive, it started marking every sector as "BAD".
Is it possible to have a "partial" disk crash ?

I did run a virus check on the system and nothing was found.

HELP ! Does this sound like a virus problem or a hardware problem ?

Thanks,
Andy.

- --
###############################################################################
## ##
Andy Ravenna ## "Some really clever or unusual ## SAS Institute Inc.
[email protected] ## ## SAS Campus Drive
X-6120 ## remark in quotations..." ## Cary, NC 27513
## ##
###############################################################################

------------------------------

Date: Tue, 26 May 92 18:51:57 +0000
>From: [email protected] (C. Glenn Jordan -- Virex-PC Development Team)
Subject: VIRx version 2.3 released (PC)

The Virex for the PC Development Team is proud to announce the
release of our detection-only, mostly-free anti-virus utility VIRx,
version 2.3. Copies uploaded from the source are available from the
anti-viral FTP sites, CompuServe, GEnie, Fido-Net and our support BBS.

What's New In VIRx Version 2.3
==============================
Date: 05/22/92

1. This release of VIRx detects 73 new viruses, bringing the total
to 925 total strings.

2. VIRx now detects all files encrypted with the "Mutating Engine"
attributed to the Dark Avenger that are not already destroyed by the
Engine's attempts to encrypt them (and most of those, as well).
If you find executable programs with MtE encryption that we miss,
please advise us at Microcom. As always, the BBS number is:
(919) 419-1602 v.32bis.
We can be reached through the Internet at [email protected],
and through FIDONet NetMail at "Glenn Jordan@1:3641/1.201".

3. Due to an intensive reworking of the code, we have sped up the
scanner's raw speed by yet another 20%.

4. VIRx v2.3 will start to warn users it is getting dated in July.

-------------------------------------------------------------------------
Searching ZIP: VIRX23.ZIP

Length Method Size Ratio Date Time CRC-32 Attr Name
------ ------ ----- ----- ---- ---- ------ ---- ----
911 Implode 554 40% 05-22-92 00:00 7c83bcb4 --w $TOC
7129 Implode 2615 64% 05-22-92 00:00 505730b1 --w VIREX.TXT
13184 Implode 5516 59% 05-22-92 00:00 f79005aa --w README.VRX
129432 Implode 72059 45% 05-22-92 00:00 0cb06241 --w VIRX.EXE
13184 Implode 5114 62% 05-22-92 00:00 bc4cc488 --w OLD_NEWS.TXT
4480 Implode 2032 55% 05-22-92 00:00 28f0f5f0 --w WHATSNEW.23
------ ------ --- -------
168320 87890 48% 6

------------------------------

Date: Thu, 28 May 92 19:40:30 +0000
>From: [email protected] (Douglas A. Bell)
Subject: Re: PC\MS DOS based Viruses & OS\2 2.0 (PC) (OS/2)

[email protected] (Vesselin Bontchev) says:

>MCHLG%[email protected] writes:
>
>>I have a few questions for Ken, Vesselin, and the other GURU's as well as any
>>one who is knowledgable enough about PC\MS-DOS, Viruses, & OS\2 2.0.
>
>Unfortunately, my knowledge about OS/2 2.0 is near to nothing, but
>let's see...
>
>>1.Is it possible for a DOS based Virus to survive & thrive on a system
>> running OS\2 2.0 using the (HPFS file system) instead of the (FAT system)?
>
>To infect files - certainly not. Even some of the existing scanners
>cannot access the HPFS partitions.

This is not true. Some dos viruses can infect files on an hpfs
partition when running in an os/2 dos window. A good rule of thumb is
that if the virus can infect files on a network drive, it should be
able to infect files on an hpfs partition.
- --
Ren and Stimpy for President in '92 !!!!

------------------------------

Date: 27 May 92 09:38:14 +0000
>From: [email protected] (Vesselin Bontchev)
Subject: Looking for virus researchers in China

Hello, everybody!

One of the VTC members is going to visit China in August. He would
like to contact some computer virus-experienced people from there. If
anybody from China is reading this and if you happen to know any virus
researcher, especially in the Peking area, please contact me by
e-mail. Thanks.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: [email protected] D-2000 Hamburg 54, Germany

------------------------------

Date: Wed, 27 May 92 15:15:00 -0400
>From: [email protected]
Subject: VIRX23.zip (VIREX-PC update) (PC)

Hi.

This short note to signal the availability of VIRX23.ZIP, the update for
VIREX-PC. The file was sent to me directly by C. Glenn Jordan, a member of the
Virex-PC Development Team.

Thanks Glenn!

=====
Site: urvax.urich.edu, [141.166.1.6] (VAX/VMS using Multinet)
Directory: [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password. You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.
=====

Best, Claude

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond [email protected] (Bitnet or Internet)
Richmond, VA 23173

------------------------------

Date: Thu, 28 May 92 19:21:22 -0400
>From: [email protected] (McAfee Associates)
Subject: McAfee VIRUSCAN V91 uploaded to SIMTEL20 (PC)

I have uploaded to WSMR-SIMTEL20.Army.Mil:

pd1:<msdos.trojan-pro>:
SCANV91.ZIP SCAN V91 virus scanner
CLEAN91.ZIP CLEAN-UP V91 virus remover
VSHLD91.ZIP VSHIELD V91 infection prevention TSR
NETSCN91.ZIP NETSCAN V91 network server virus scanner

VIRUSCAN VERSION 91 RELEASED

Version 91 of the VIRUSCAN series has been released. This
release replaces Version 90 which had several minor bugs.

GENERAL

This release adds detection of 52 new viruses, bringing
the total number of known viruses to 586, or counting variants,
1,302.

VIRUSCAN

Two new DOS ERRORLEVEL's have been added for creating
enhanced batch files. An ERRORLEVEL of 3 is returned if an
uncertified file is found when SCAN is run with the /CERTIFY
switch. An ERRORLEVEL of 4 is returned if a user aborts the
scan with a Ctrl-C or Ctrl-Brk.
A /HISTORY option has been added. This option functions
similarly to the /REPORT option except that if a report file
exists it will not be overwritten, instead, the new report will
be appended to the end of the existing report file.
Three new options have been added to the validation
(checksum) suite of commands: /AF, /CF, and /RF. These options
allow SCAN to Add, Check, and Remove validation (checksum) data
from a user-specified file. The file can then be stored offline
to create a secure database and act as a recovery disk in case
of infection.

CLEAN-UP

The 696, 1339 and Troi viruses have been added to the list of
viruses that can be disinfected by CLEAN.
One new option has been added, the /GRF option. When CLEAN
is run with this switch it removes nonspecific (new or unknown)
viruses using recovery information stored by VIRUSCAN program in
a separate file.

VSHIELD

Version 91 adds a /NOREMOVE option to prevent VSHIELD from
being unloaded from memory (a frequently requested option from
network administrators).

NETSCAN

NETSCAN has been updated to detect the new viruses.

VALIDATE VALUES FOR VERSION 91:
CLEAN-UP V91 (CLEAN.EXE) S:96,570 D:05-27-92 M1: D0F7 M2: 1AA1
NETSCAN V91 (NETSCAN.EXE) S:75,050 D:05-27-92 M1: 33DA M2: 1AD1
VIRUSCAN SCANV91 (SCAN.EXE) S:75,801 D:05-27-92 M1: 18FA M2: 127D
VSHIELD VSHLD91 (VSHIELD.EXE) S:41,005 D:05-27-92 M1: 194F M2: 11CF

Aryeh Goretsky
McAfee Associates Technical Support
- - - -
McAfee Associates | Voice (408) 988-3832 | [email protected] (business)
3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | ObQuote: "Log... from Blammo"
Santa Clara, California | |
95054-3107 USA | BBS (408) 988-4004 | CompuServe ID: 76702,1714
ViruScan/CleanUp/VShield | USR Courier DS 14.4Kb| or GO VIRUSFORUM

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 111]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253