VIRUS-L Digest   Friday, 14 Feb 1992    Volume 5 : Issue 31

Today's Topics:

Re: yet another commercial Michelangelo (PC)
Request for virus information (PC)
DSZBREAK.* Virus (PC)
Re: McAfee pgms update (PC)
Re: Yankee Doodle ... What does it do? (PC)
Michaelangelo's ID bytes (PC)
Re: DAV/Sourcer/Rape (PC)
Re: Which anti-virus should I get? (PC)
Re: Polymorphic/Multipartite
SOFTWAR- 1985 book with TROJAN HORSE theme
Re: Iraqi Virus Question?
Houston Chronicle report on Michelangelo (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 14 Feb 92 15:40:55 +0000
>From:    [email protected] (Brian D. Howard)
Subject: Re: yet another commercial Michelangelo (PC)

[email protected] (Ron Baalke) writes:

>[email protected] (Tim Martin; FSO; Soil Sciences) writes...
>>The Michelangelo virus was found at the University of Alberta on a
>>diskette from "Meridian Data, Inc.", who seem to be involved in CD-ROM
>>extension software for MS-DOS systems.  The diskette was shipped
>>write-protected, and the infection was detected immediately.  Meridian
>>Data have been informed of the problem.
>>
>>Is that 5 confirmed commercial distributions of Michelangelo, now?

No. From alt.cd-rom:

>Message: #16125, S/1  General information
>~Date:    Tue, Feb 11, 1992 4:59:17 PM
>~Subject: #16092-Virus alert*
>~From:    Matt Seitz 75300,1721
>~To:      Nick Arnett/Chief Sysop 75300,1324 (deletable)
>
>My God, rumours do fly fast! DON'T PANIC!  Meridian customers have
>nothing to worry about.  The virus is not present on Meridian's
>standard release disks.
>
>The disk we sent to the University of Alberta was a custom disk we
>made here in the tech. support department.  It was not one of our
>standard software disks. Those are mastered on an isolated system
>that is regularly checked for viruses. Checks before and after the
>Alberta report show that the regular product disks are NOT INFECTED.
>We have gone through the company, and the virus has been stamped out.
_______________________________________________________________________________
"When open Internet access is outlawed, only Outlaws will have open
Internet access"...Is there something I am missing here...?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date:    Wed, 12 Feb 92 17:18:00 -0500
>From:    "[email protected]"@UALR.EDU
Subject: Request for virus information (PC)

I'm needing some virus information in particular for the stoned,
brain, and Jerusalem-B viruses.  Any sites of information and/or
program samples would be useful.

------------------------------

Date:    Thu, 13 Feb 92 00:02:42 +0000
>From:    [email protected] (Big Furry Pagan)
Subject: DSZBREAK.* Virus (PC)

Just thought I would post this to save some others some trouble. The
BBS that I am Co-Sysop on ran into a program being uploaded which is
carrying (or -is-) a virus. It is called dszbreak.exe (.com?) It is a
program supposedly meant to break the registration requirement on Omen
Software's DSZ (zmodem protocol)

The virus works on some kind of a timer, so that when you leave your
machine running without using the keyboard, it will then make anything
you attempt to enter from the keyboard a control character (CD DOS
would become ^C^D ^D^O^S )

The situation can be fixed by reloading your .sys files back to your
dos directory (Or you can go the hard way, and reformat C:, like I
did!)

- --
Scott Moir / Pentangle / Satyr     # "There's only one requirement for
[email protected] ____ #  a prophet, and you've got it."
B4 f t+ w g k+(+) s+ m r p    \/\/ # "What's that?"
These are my opinions, not SPDCC's # "A mouth."   --God, to J.R. 'Bob' Dobbs

------------------------------

Date:    10 Feb 92 21:21:43 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: McAfee pgms update (PC)

[email protected] writes:

Sorry Claude, this message is not directed to you, it just makes some
comments on parts of the documentation that you are quoting.

>      Three new options have been added to this release of VIRUSCAN to allow
> it to save and check information that can be used by CLEAN-UP to recover
> infected files, partition tables, or boot sectors infected with unknown
> viruses.  Using this option will add 52 bytes to COM and EXE files.

Several times I have stated that IT'S A BAD IDEA TO MESS WITH OTHER
PEOPLE'S FILES. I have also discussed this largely in private with the
programmers at McAfee Associates, and they don't seem inclined to
change their mind.

Adding the 52 bytes mentined above to the files has the following
drawbacks:

1) It will screw up any self-checking software, including most
anti-virus utitlities, and probably including McAfee's own scanners
(haven't check the latter, so don't take my word for it).

2) A LOT OF people will begin to ask questions about what is that
virus that adds 52 bytes to all my executable files.

3) A file can be infected with a virus, and the 52 bytes added after
it. This can

       a) make the virus unrecognizable by several other existing
anti-virus programs, and will certainly make the file
non-disinfectable by any self-respecting anti-virus program, which at
least tries to perform exact virus identification, before attempting
to remove the virus.

       b) be transfered (the whole thing - file+virus+52 bytes) to a
new system. If the user of the new system is running VShield or
something similar, s/he may decide that since the file has it's
52-byte checksum record, it has been checksummed and scanned, and
therefore cannot be a source of infection.

       c) mask the existing virus out, so that it is not able to
recognize that the file is already infected and will re-infect it.

4) It is trivial to design a virus, which will look for such
52-byte records and will remove them. In fact, there is already a
virus, which removes the 10-byte record that the /AV option adds to
the file - this is the Tequila virus.

5) It is relatively easy to design a virus, which will infect a file
and add the appropriate 52-byte record to it, so that the file will
look as "checksummed and therefore not dangerous".

6) The mentioned method for "generic virus removal" DOES NOT WORK even
with all of the currently existing viruses. So, don't expect it to
provide you with security against the future ones. In fact, it
provides no security at all.

There are numerous other problems as well. I therefore advise all the
users: DO NOT USE THIS FEATURE! Do not permit to anything to change
your files - even to the McAfee's SCAN. I myself will promptly refuse
to analyze any file for possible viruses, if the latter has this
52-byte record appended to it, and will promptly refuse to provide any
virus-related consultation for a system, where this option has been
used.

>      An option allow VSHIELD to be loaded off of network drives has been
> added, plus the option to check to check for viruses any time an executable
> file is accessed for any reason.  This includes ZIPing executable files,
> moving files from one subdirectory to another, etcetera.

Wouldn't it a better idea to check the write operations only? This
would reduce the time overhead and after all, it is by copying an
infected file -to- your disk that you get infected; not by copying an
already existing file -from- the disk... The check on any file access
seems a bit unnecessary to me... Or do you know a method to become
infected by RENaming a file? (Note: EXEC calls are already checked
anyway.)

>      We've done a virus audit and have started re-writting the VIRLIST.TXT
> file, adding in viruses that were not listed or listed incorrectly and
> updating information when necessary.  Unfortunately, we did not have
> time to separately list the viruses that were added in this release.
> The number of viruses now detected is 480 with 719 strains, for a total
> of 1199.  This is compared with 373 viruses/977 strains in the last
> (V85) release.

Nope, this is the number of viruses -listed- in VIRLIST.TXT. (Well, in
fact, the exact number listed is 482 if you count them correctly.) The
total amount of variants detected is probably roughly correct (+/- 100
variants), but have in mind that SCAN detects much -more- viruses than
listed, and the viruses have much -less- variants than listed (13
different variants of the AIDS Information Trojan? C'mon, they are
kidding...) I am currently trying to fix up the errors in the
VIRLIST.TXT file and am sending reports to McAfee Associates. They
have been rather cooperative on this subject, so let's hope that we'll
be able to fis the thing up before the next release.

>      Of particular interest in this release is the Pogue, which is a
> polymorhphic virus.  This virus uses a new and difficult-to-detect self-
> mutating engine employing a very sophisticated variable encryption technique
> loosely based on one developed by the author of Dark Avenger virus and
> contains code similar to that found in other Bulgarian viruses.  The virus wa
s
> uploaded anonymously to our BBSso it is not clear as to whether it is from
> Eastern Europe or the USA.  It also unknown if it is widespread or not.

The only problem is that SCAN does not seem to detect all instances of
this virus... :-(

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    10 Feb 92 22:45:11 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Yankee Doodle ... What does it do? (PC)

[email protected] (Ken Ritchie) writes:

> I was just wondering if anyone knows what the Yankee Doodle virus does

Yes, a lot of people do. Including myself. :-) This virus has several
variants, the most recent ones will play the Yankee Doodle tune a few
seconds before 17:00. Some of the last variants will do this only with
probability of 1/8. Unfortunately, I cannot provide more information,
since I don't know which variant you are infected with. Try running
F-Prot - it reports the exact variants.

> ever since we have wondered what it does. Also, is there any info as
> to known viruses and what they do?

There are many sources, but none of them is complete, since there are
too many viruses (about 1150) and nobody is able to describe them all.
The largest source of information is Patricia Hoffman's hypertext
document, called VSUM. The lates version is 201 and is available on
most archive sites (but NOT on Simtel20). Unfortunately, it contains a
lot of errors.

A much more exact, but a much less complete, is Prof. Brunnstein's
Computer Virus Catalog, published by the Virus Test Center Hamburg
(plug). It also describes several of the currently known Macintosh,
Amiga, and Atari ST viruses, and with much more technical details. The
latest version is available for anonymous ftp at
ftp.informatik.uni-hamburg.de (IP=134.100.4.42); directory
pub/virus/texts/catalog. The MS-DOS section is waiting for an update:
it will be probably published at the end of this month.

At last, one of the most correct (error-free) sources of information,
is the manual of Dr. Solomon's Anti-Virus ToolKit. However, this is a
commercial product, and is not available in electronic form.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Wed, 12 Feb 92 18:00:13 -0500
>From:    William <[email protected]>
Subject: Michaelangelo's ID bytes (PC)

> Date:    07 Feb 92 13:58:56 -0500
> From:    "David.M.Chess" <[email protected]>
> Subject: re: Michaelangelo ID sigs comp/w Stoned (PC)

>checking for "stone" will *not* find this variant, and this variant
>*is* out there...

I have modified my program extensively to search for the command
sequence suggested by Tim Martin recently.  I also check the contents
of 0000:0413 using the INT 0x12 routine.  All of my PC's should have
one of 0x80, 0xC0, 0xE0, in this location.  I would not imagine that
even the Empire virus dare falsify this information since I expect
that it is necessary that it be true if the virus is to avoid having
DOS overwrite it when a program is executed or with the transient
portion of command.com.

>Is there some reason you don't want to use some commercial or
>shareware/freeware anti-virus program?

We have an extensive site license for McAffee's products.  However,
we have been hit so often with "stoned" that I want a routine which
can literally be run a 100 times per day entirely transparently
to the user.  VIRUSCAN is not suitable for that kind of application.
Additionally, I have more than 200 PC's to look after, and a user
community not highly computer literate.  I can't afford the extensive
customization that many products require in order to be effective.
You know what it is like upgrading software versions on 200 PC's
spread all over a 200 acre campus?

Ultimately, I have to balance many costs/probabilities in my work
otherwise I'd never survive!

*WmP*

*-----------------------------*
|    William M. Pipher        |
|    [email protected]     |
|    University of Toronto    |
|    Library Systems          |
*-----------------------------*

------------------------------

Date:    10 Feb 92 20:40:23 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: DAV/Sourcer/Rape (PC)

[email protected] writes:

> First, has anyone heard about Dark Avenger's latest?  I got a report
> secondhand last week that he'd come up with a new gem...I believe the
> report came from a researcher in the UK.  Fridrik/Vesselin/others, can
> you confirm/deny this report?

Yeah, I can confirm it... :-( And it is a first-hand information,
since I have it. The long-rumored Mutating Engine is real and is
circulated to several virus exchange BBSes... :-(( The bad news is
that the damn thing really mutates, no kidding! It comes as an OBJ
file, which is supposed to be linked to any virus, with a detailed
do-it-yourself guide, and with a demo virus. The demo virus is in
source, but the source of the Mutating Engine (called MtE) is not
provided. According to the docs, what we have is version 0.90-beta of
the MtE, but version 0.91 is also known to exist... I'm wondering what
will be implemented more in version 1.00... :-(((

The damn thing is really difficult to crack! I mean, it contains no
encryption or anti-debugging and anti-disassembling thechniques, but
it mutates too well... I have observed changing of encryption
algorithms, random bytes padding, usage of different ways to express
one and the same algorithm (yeah, that's right - different ways, not
just modifying the opcodes and inserting do-nothing instructions)...
The currently most mutating virus (V2P6Z) is a toy compared to it...

The worst of all is that just anybody can sit and use it to create a
virus. Well, some experience in assembly language programming is
needed, so the kids from RABID, NukE, and the other punk virus writing
groups that use to write overwriting viruses in high-level languages
will have a little bit of trouble to learn how to use it... But a very
little bit!

Currently there are only two viruses, which use the MtE. The first is
the demo virus in the package (a silly, non-resident, COM file
infector, infects only the files in the current directory), and a
virus, called Pogue, which has been available on some VX BBSes in the
USA. McAfee's SCAN 86-B claims to be able to detect the Pogue virus.
Unfortunately, I haven't had the time to verify this (I recieved the
virus just two days ago). There are reports that in fact not all
possible variants of the virus are detected. SCAN 86-B DOES NOT detect
the MtE for sure - I tested it on the demo virus supplied with the
package.

As a conclusion, don't panic. Currently there are only two viruses,
using the MtE and both are too silly to pose a serious threat. Copies
of the MtE have been provided to several anti-virus researchers (no,
don't write me to ask for a copy, you won't get one), including McAfee
Associates, Fridrik Skulason, Dr. Solomon, etc., so there are a lot of
people working right now on the problem. The good news is that once we
learn to recognize the MtE, we'll be able to detect -any- new viruses
that are using it.

Oh, yes, just out of interest. The whole package comes in a neat ZIP
archive, with -AV code for "CrazySoft, Inc.". The Bulgarian hackers
have demonstrated again that the -AV authenticity verification in
PKZIP is just crap, so PLEASE DO NOT RELY ON IT!

> Next, for those using the Sourcer disassembler...why does it sometimes
> produce machine code output, while other times it produces assembly
> output?  Is there something I'm missing in the manual (probable something
> obvious :)  )?

Sourcer does this when it thinks that the appropriate areas contain
data, not code. To force it to change its mind, use the FORCE, CODE
directive (look in your manual for it).

> Finally, have others had reports of increasing numbers of RAPE infections?
> I've noted quite a few in the last month or so...has anyone else had
> similar experience?

Sorry, have no information on this subject.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    10 Feb 92 22:35:17 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Which anti-virus should I get? (PC)

[email protected] writes:

> i would like to know which antivirus is the best to detect and clean
> virus. i have an AT 286 with MSDOS

This probably must go in the FAQ list. There's no "best" anti-virus
program. It depends what exactly you need. From your words, I
understand that you need disinfection. This is a Very Bad Idea, IMHO,
but if you desperately need it, I'll recomend you Dr. Solomon's
Anti-Virus ToolKit. It performs exact identification on the virus, so
you know that it won't try to disinfect the wrong variant... If it
says it is unable to remove a virus, there's usually a perfect reason
for this. Unfortunately, it cannot deal with viruses, which use
encryption. (That is, it can find them, but not remove them.) Cascade
(1701/1704) is an exception. The program is commercial and is
manifactured by S & S International, UK.

> i have the tntvirus (not original) and when i inmunize all the diskket
> the virus ohio appear in the memory that the tnt not detect,
>  i detected  by mean of scan84

I strongly advise you to stop using TNTVIRUS! This is a very bad
program and can actually damage your data (depends on the version you
have; I can confirm this for version 6.80A, but it is pretty old by
now). The program has several major drawbacks, and as far as I know is
discontinued by now; it authors are producing now Central Point
Software's Anti-Virus.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    12 Feb 92 14:42:40 -0600
>From:    [email protected] (Werner Uhrig)
Subject: Re: Polymorphic/Multipartite


       I had sent an email response to the original poster,
       but have not seen my suggestion mentioned in the public
       discussion (I thought he might summarize email reactions):

       anyway, I suggested the term "cloaked" or "cloaking"
       might be appropriate to use to best "classify" some
       critter behavior.

       from Webster's II (a dated 1984 copy)

cloak n. 1. a loose outer garment
        2. something that covers or conceals

cloak v. 1. to cover with or as if with a cloak
        2. to hide; conceal

       from Scribner-Bantam (even older)

... SYN: hide, secrete, disguise, mask (see conceal)


       on the other hand, as always, it behooves to be wary of
       using terms which already have acquired (loaded?) meanings
       in other taxonomies; sometimes it is preferable to use
       a classification system which is strictly numeric (as in
       Type 1, Type 2, Type 2.3.7) and associate rather verbose
       and precise attempts at definitions to those numbers.

       for conversational use, no doubt "polymorph" or "cloaking"
       is much preferable, and once a numeric classification is
       established it might be quite alright to refer to critters
       of class 2, subclass 3 as "polymorph" -- at least that
       way one has something concrete and verbose to refer to
       when someone is confused or confusingly uses the term...

       5 cents (adjusted for inflation)
- --
 --([email protected])--*OR*--(...!uunet!cs.utexas.edu!werner)--
..One, two, even three years of deficit budgets might be considered
...a couragous move by a government; however 10+ years of deficits
.............is theft from our children's generation.

------------------------------

Date:    Wed, 12 Feb 92 23:42:18 +0000
>From:    [email protected] (Nicholas Hoffmann)
Subject: SOFTWAR- 1985 book with TROJAN HORSE theme

I would like to buy or borrow a book that is out of print and is not
available at NY libraries or from the publisher.

The book is- SOFTWAR by Thierry Breton and Denis Beneich, c 1985,
trnaslated from the French by Mark Howson, published by Holt,
Rinehart, and Winston ISBN 0030049989. It is a novel about the sale of
super- computers to the then Soviet Union that contain Trojan Horses
that can be activated at a future date by the United States.  Nicholas
Hoffmann

------------------------------

Date:    10 Feb 92 21:13:55 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Iraqi Virus Question?

[email protected] (Bald Oldie) writes:

> I had a chat with an engineer friend who seems knowledgeable about
> these things, and he suggested that IF the printer connection was
> RS232 rather than Centronics and IF the cable was configured
> appropriately and IF the printer had been engineered to behave briefly
> as an RS232 terminal (rather than simply having a PROM replaced) THEN
> it was just conceivable that control of the host processor could be
> siezed long enough to transfer one or more viruses without the change
> in behaviour being noticed.

Wrong. Tell your engineer friend that I challenge him to connect
ANYTHING (not just a printer) to my serial port and to do whatever he
wishes on this anything. As soon as I do not permit him to execute a
program on my PC, he has NO WAY to send me something, neither to force
me to execute it. NO WAY. Period.

Now, if the printer needed a special device driver, and your friend
tells me "You need to install this in your CONFIG.SYS, if you want to
be able to print on this wonderful printer", this is another story. Or
if his printer was a networked device and I had to run some kind of
network software, this is also another story. But what you said above
is IMPOSSIBLE.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Wed, 12 Feb 92 18:56:19 -0600
>From:    [email protected] (Joe Abernathy)
Subject: Houston Chronicle report on Michelangelo (PC)

This story appeared on Saturday, Feb. 8 in the Houston Chronicle, Page
1A.

It may be redistributed as individuals/moderators see fit in order to
serve the online community. Thanks to all who helped.

Comments to [email protected]

- -- edtjda

Michelangelo: Master of disaster
Insidious computer virus, timed for artist's birthday, infects PCs worldwide

By JOE ABERNATHY
Copyright 1992, Houston Chronicle

A fast-moving, highly destructive computer virus called Michelangelo is
spreading among IBM-compatible personal computers in Houston and around
the world.

Michelangelo is set to strike on March 6 -- the birthday of the Renaissance
master -- erasing vast amounts of information, according to computer
scientists specializing in viruses.

"This destructive virus is spreading worldwide very rapidly," wrote virus
specialist A. Padgett Peterson in a bulletin recently circulated on computer
networks. "Unlike the DataCrime 'fizzle' of 1989, which contained similar
destructive capability but never spread, the Michelangelo appears to have
become 'common' in just 10 months following detection.

"I have never seen so many reports of a virus in so short a time before."

A virus is a computer program designed to spread itself without the
knowledge of users, usually causing harm to infected systems. Although
viruses have become common, Michelangelo's exceptional rate of reproduction
and potential for harm are causing special concern.

DataCrime was the last virus that prompted such concern when, in 1989, a
number of news reports warned of its destructive potential. Most experts said
later that these fears had been overblown, although they did boost awareness
and prevention efforts.

While scientists said that Michelangelo could represent another such 'fizzle,'
the prospects for that are decreasing with word of widespread infections.

"It is a virus that we get calls on, multiple reports every day," said Aryeh
Goretsky, manager of technical support at McAfee Associates, a publisher
of antiviral software. "Maybe 25 percent of our calls are related to that
virus -- people that have it as opposed to people requesting information --
so it is something that's out there, that's a real threat."

The manager of one Houston retail computer center acknowledged that
Michelangelo infections have been frequent of late. He requested anonymity,
saying, "It's not good to let people know that you've had Michelangelo."

Store employees run a program to disinfect each computer before it is sold,
but Michelangelo's surprising presence in a number of software products when
shipped from the factory has made it difficult to guard against every avenue
of spread.

"The virus got a head start through major distributions," said Christoph
Fischer, who as director of the Micro-BIT Virus Center at the University
of Karlsruhe, Germany, first analyzed Michelangelo. "The many reports clearly
indicate the wide and manifest infection."

Among the notable infections:

* DaVinci Systems Corp. announced last week that it had shipped a large
number of infected copies of its electronic mail software eMAIL 2.0. The
copies were sent to more than 900 customers, more than 600 of whom are
DaVinci resellers.

"We are now using multiple virus-detection products and insisting that
our duplicating contractors also check for viruses," Bill Nussey, president
of DaVinci Systems, said in a statement.

* Between Dec. 10 and Dec. 27, Leading Edge PRoducts shipped up to 6,000
computers whose hard drives were infected at the factory with Michelangelo.

* All of the PCs at Southeastern Louisiana University recently were infected.

* At the University of Florida, half of the PCs recently tested positive
for the virus.

* In New Zealand, Victoria University of Wellington received 400 requests
for an antivirus disk within three days.

* A magazine spread 10,000 to 12,000 copies of the virus in a diskette
included with the magazine.

* Verbatim, a diskette manufacturer, has become an unwitting victim because of
an untrue rumor that some of the company's blank diskettes were infected.

Fischer named the virus based on its trigger date. Viral detection and
analysis is a difficult process even for experts; a formal method Fischer
has designed will in fact be the topic of a research paper to be presented
at the Fifth International Conference on Viruses and Computer Security,
in March in New York.

Interviewed online via the Internet computer network, Fischer warned that
Michelangelo is especially dangerous because it permanently erases the entire
hard drive, rather than just deleting some information, as most viruses do.

Michelangelo was first found in April 1991, in Sweden and the Netherlands.
Beyond that, nothing is known of its author or his motives.

Rob Slade, an expert at the Vancouver Institute for Research into User
Security, in British Columbia, recently pointed to the infection of supposedly
"safe" commercial products as one of the biggest challenges facing the
computing community.

"If I had to choose one viral myth which most contributed to the unchecked
spread of viral programs that exists today, it would be that of the 'safety'
of commercial software," Slade said, writing in a copyrighted contribution
to Virus-L, an electronic journal serving the computer science community.

Viral infection commonly occurs when contaminated programs or disks are
traded among computers. It does not matter if a program comes from the
store, a friend or over the telephone lines.

"I'm trying very hard not to draw too close a parallel between computer use and
sexual activity," said Ray Trent, a scientist at SRI International, the Menlo
Park, Calif., research and consulting firm. "But the fact is that people who
use computers promiscuously are most at risk."

The number of viruses has multiplied rapidly since 1986, when Pakistani
Brain introduced the breed to the world of IBM-compatible computers. The forms
of spread and attack also have grown steadily more sophisticated.

In November, the national Computer Security Association commissioned a virus
survey of 600,000 North American businesses by Dataquest, the San Jose, Calif.,
market research firm.

The results show that 63 percent of the firms have experienced a virus
encounter, and 9 percent have experienceda virus disaster, which the survey
defines as an incident affecting 25 or more PCs or diskettes.

Of those struck by a virus, 62 percent reported lost productivity; 4 percent
reported screen messages, interference or lockup; and 38 percent reported
that files were corrupted.

In 1991, among companies with more than 1,000 PCs, 16 percent experienced
a virus disaster.

Trent said that good computing practices, including regular, incremental
backups, are the best response to any system threat, whether from a virus or
other problems.



With graphic:/

Diagnosis: Michelangelo virus

* Symptoms: Disk directory damage; hard drive reformating, resulting in
destruction of data and programs; decrease in total system and available
memory.

* Trigger: System date of March 6 of any year, birthda6y of the Renaissance
artist.

* Computer type: All IBM PCs, all MS-DOS-compatible file systems.

* First detected: April 1991.

* Origin: Sweden or the Netherlands.

* Detection: Virus-detection software including ViruScan Version 80 or
later; F-Prot version 1.16 or later; IBM Scan version 2.1 or later.

* Cure: CleanUp Version 80 or later; F-Prot Version 12.16 or later. If you do
not own one of these virus protection products, you can gain some protection
against Michelangelo by leaving your computer turned off on March 6 and by
backing up data.

* Comments: The Michelangelo virus becomes memory resident the first time
an attempt is made to boot the system from an infect disk. It will then infect
the hard drive and any diskettes that are inserted.

Source: Christoph Fishcer; Micro-BIT Virus Center; University of Karlsruhe,
Germany.

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 31]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253

You are viewing proxied material from infinitelyremote.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.