VIRUS-L Digest Tuesday, 25 Feb 1992 Volume 5 : Issue 40

VIRUS-L Digest Tuesday, 25 Feb 1992 Volume 5 : Issue 40

Today's Topics:

Possible virus? (PC)
Query about peculiar CHKDSK results (PC)
Jeff virus!!!!! (PC)
Basics (PC)
Re: Houston Chronicle report on Michelangelo (PC)
Re: Simple IBM PC virus (PC)
Re: Houston Chronicle report on Michelangelo (PC)
Re: Boot Sector Virus Infections (In General) (PC)
Re: CIAC Bulletin (PC)
On reformatting floppies to remove infections (PC)
Re: F-Prot 2.02D/DOS 2.11 (PC)
Quick way to check for Mich on PC's (PC)
Possible virus? (PC)
What does Ping Pong B virus do? (PC)
Re: WDEF infection at a school (Mac)
Re: WDEF infection at a school (Mac)
Distributing info and shareware
RE: "Executive Guide to Computer Viruses" from NCSA?
Re: General Virus information ?
Disinfectant 2.6 (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

Ken van Wyk

----------------------------------------------------------------------

Date: Thu, 20 Feb 92 10:25:09 -0700
>From: ZEM0%[email protected]
Subject: Possible virus? (PC)

In some programs I see this word 'MSDOS' and i do not if that is a
virus all the progrmas that has that , has 5 byte more I know that if
we immunize a program, is going to have 5 byte more, but when i run
scan say that in the memory i have 5 byte (the word (MSDOS)) i dont
understand that. i would like to know if is good to immunize programs
When i immunize a program with the tnt and after i run scan ,say that
i have the ohio in memory i would like to know aslo if SCAN immunize
porgram and if it is good and also when i immunize i have 5 byte more?

Person say that on march 6 is going to be a virus that no exist a anti
virus yet .I would like to know more about that.

THANK

------------------------------

Date: Fri, 21 Feb 92 14:46:51 +0000
>From: Ms Marilyn B Nash <[email protected]>
Subject: Query about peculiar CHKDSK results (PC)

To Subscribers of Virus-L;

I have a query which arose as a result of one of our technicians
running VISCAN (Bates Assoc.) on his departmental PC's.

On two machines he discovered several files which could not be read
and when exploring using XTREE Gold found 16 files in the directory
which contains our menuing software. These were identical and named
tttttttt.ttt (for 't' read the Greek tau). All had +RASH attributes
set which could not be changed using that version of XTREE -although
an earlier one worked but each file had to be deleted immediately
after the attributes were changed.

I ran CHKDSK /F afterwards to try and tidy up the disk and on one
machine got the message: Invalid directory entry... for our menu
directory and on the other: Probable non-DOS disk (although FDISK
insisted it was a DOS partition). I did not proceed with CHKDSK as a
bitter experience after having gotten the same message on a previous
occasion resulted in everything in that particular partition being
deleted irrecoverably.

If anyone has seen anything similar or has an explanation for the
above especially if a virus was involved, I would appreciate if they
would contact me (either E-mail or post).

My thanks in advance,

Marilyn Scott

[email protected]
Biology Dept.
University of Stirling
Stirling, Scotland FK9 4RP

------------------------------

Date: Fri, 21 Feb 92 16:10:51 +0000
>From: [email protected] (Dale Fraser)
Subject: Jeff virus!!!!! (PC)

I hope someone can help me. My PC just got infected by the Jeff virus.
How do I get rid of it? I know I am supposed to remove the infected
files, but I ran the latest version of SCAN (86B) and it never found
it.

PLease respond ASAP!!!
Thanks.
Dale

|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|
| "Why sex is so popular | Dale Fraser [email protected] |
| Is easy to see: | Memorial University of Newfoundland |
| It contains no sodium | CS Undergrad - Class of '92 |
| And it's cholesterol free!" |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|
| Shelby Friedman | THIS SPACE FOR RENT-REASONABLE RATES! |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|
| *OPINIONS EXPRESSED ABOVE DO NOT BELONG TO ME OR THIS INSTITUTION!* |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|

------------------------------

Date: Fri, 21 Feb 92 12:00:13 -0500
>From: padgett%[email protected] (A. Padgett Peterson)
Subject: Basics (PC)

>From: [email protected]
(lengthy desription of multiple infection deleted)

>The question I have concerns what appears to me to be conflicting
>information from the two sources above. One source states that the
>Stoned virus and the Michaelangelo virus both copy the original boot
>sector information to the same location. The second source states
>that the two viruses copy the original boot sector information to two
>different locations.

Ok, what happens is that virus A (Stoned or Michelangelo) infects the
disk moving the Original Boot Record (OBR) to sector 7 and placing
itself in sector 1. Virus B (the other one) comes along and infects
moving virus A to sector 7 (losing the OBR) and putting itself in
secor 1 however, now the disk is unbootable since the OBR is lost.
Each virus contains a signature to avoid multiple infections by itself
but since Stoned and Michelangelo (or Joshi or...) use different
signatures, such multiple infections by different viruses are
possible. In the case of Stoned and Joshi or Mich & Joshi the disk may
remain bootable since different sectors are used and the OBR might not
be over-written
Enough ?
Padgett

------------------------------

Date: Fri, 21 Feb 92 17:18:00 +0000
>From: [email protected] (Terry N Reeves)
Subject: Re: Houston Chronicle report on Michelangelo (PC)

>You just reformat the disk and
>re-install everything from your backups. You have spent at most one
>day doing this, and at most one day of your work is lost (if you have
>a good backup scheme). Nothing disastrous.

I venture to say that only a tiny percentage of pc users make backups
once a day or even once a week. Yes they should. They don't and it
will be a disaster for them. Many have no backup at all and couldn't
reinstall it if they did. They would rely on company tech support for
this.

------------------------------

Date: 21 Feb 92 11:21:00 -0600
>From: "William Walker C60223 x4570" <[email protected]>
Subject: Re: Simple IBM PC virus (PC)

This sounds like the Jerusalem virus, which adds 1808 or so bytes to
program files (a little less than 2K), and contains the string
"sUMsDos" somewhere in the code. This virus is ancient (as far as
viri go), so just about any anti-virus package you happen across
should be able to clean things up.

Hope this helps.

Bill Walker ( [email protected] ) | "If 'pro-' is the opposite of
OAO Corporation | 'con-,' then is 'progress' the
Arnold Engineering Development Center | opposite of 'Congress?'"
M.S. 120 | - Gallagher
Arnold Air Force Base, TN 37389-9998 |

------------------------------

Date: Fri, 21 Feb 92 12:48:14 -0700
>From: [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: Houston Chronicle report on Michelangelo (PC)

[email protected] (Vesselin Bontchev) writes:

>There are much more devious viruses, like Phoenix and Nomenklatura.
>They spread every day, every hour, every minute. The corrupt
>information every day. But they corrupt it -slightly-. So, when you
>finally notice that something has gone wrong, you can no more rely on
>your backups - since you don't know when the infection occured, and
>which files are corrupted...

Apparently (I haven't seen it yet) the Edmonton Journal had an article
about Michelangelo yesterday, as well. Vesselin's concern is
particularly apt here in Edmonton. The Empire viruses are much more
common here, than is Michelangelo. And three of the Empire variants
never announce themselves: they just diddle away at data, byte by
byte. I wonder if I can get the Journal to write about that, though:
it isn't so dramatic, nor is it international news.

Tim.

-------------------------------------------------------------
Tim Martin *
Soil Science * These opinions are my own:
University of Alberta * My employer has none!
[email protected] *
-------------------------------------------------------------

------------------------------

Date: Fri, 21 Feb 92 13:06:14 -0700
>From: [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: Boot Sector Virus Infections (In General) (PC)

[email protected] writes:

>I have some curiosity questions about the way "boot sector" viruses
>infect the "hard drive" and "the system (memory)", (or is it "the
>system (memory)" and then the "hard drive"?), only because I have been
>reading the Digest for awhile and do not recall this being addressed.

>I understand how the floppy does not need to be "bootable" because the
>virus can exist on the floppy in the area where the computer "looks"
>first when attempting to "boot" from any floppy in drive "A".

...

>Second example:

>We have the same "powered-off", non-infected, MS DOS based, PC computer
>system with one 5.25" floppy drive and one hard drive. Let's say I
>have an infected (Michaelangelo virus) 5.25", 360K, "NON-bootable"
>floppy. Let's put it into our "A" Drive and close the door. Now, turn
>on the power to the computer and let it attempt to "boot" up. Instead
>of a DOS Prompt, we now have "Non-system disk or disk error; replace
>and strike any key when ready" or something like that--you get the
>idea. NOW, instead of replacing and rebooting, let's turn the power
>off.

>1. Is the virus in memory? I believe no, since the power is off.

>2. Has the virus infected the hard drive? (I do not know. Can
> someone answer for me?)

Yes, the virus is on the hard drive. The typical sequence of events,
for many boot sector viruses (a sequence inherited from "stoned") is
as follows:

When you start the computer from any infected disk,

1. the virus "makes space" for itself in memory. (Sets the top-of-
memory indicator, sets up the required interrupt vectors)
2. the virus copies itself to upper memory, and the program control
jumps to the copy.
3. the virus checks if it booted from a floppy: if YES, it infects the
hard drive.
4. the virus loads the "clean" boot sector of the disk you are booting
from, from its hiding place on disk, into memory.
5. Processor control is given to that boot sector. Hereafter, bootup is
"normal", except that the virus is installed and watching whatever
BIOS interrupts it was designed to watch.

At this point, if the disk wasn't a boot disk, or if you turn the computer
off doesn't really matter: the virus is already installed on the hard
disk, waiting for you to reboot from the hard disk.

>If we were to turn the system power off, killing the virus in memory,
>and then reboot from a "non-infected" floppy disk, would the hard drive
>already be infected?

Yes, The hard drive would already be infected. The virus would not be
in memory if you reboot from a non-infected floppy disk, but it will
install itself in memory each time you boot from the (infected) hard disk,
or any other infected disk for that matter.

This is typical of any boot sector viruses I have found "in the wild":
stoned, michelangelo, the Empire family, bloody!, ....

Tim.

-------------------------------------------------------------
Tim Martin *
Soil Science * These opinions are my own:
University of Alberta * My employer has none!
[email protected] *
-------------------------------------------------------------

------------------------------

Date: Fri, 21 Feb 92 13:23:41 -0700
>From: [email protected] (Tim Martin; FSO; Soil Sciences)
Subject: Re: CIAC Bulletin (PC)

[email protected] (Karyn Pichnarczyk) writes:

>I wrote in my bulletin:

> > The infection mechanism of this virus may also cause read errors
> > to occur upon some high density (1.2 M) diskettes.

>I have seen a case where a 1.2M diskette was rendered unreadable by
>the virus on a specific older PC. I actually saw this happen. When I
>brought the unreadable diskette to a newer-model PC, the disk was read
>with no problem. I tried to read this diskette on a variety of PC's,
>and the older model PCs sometimes had trouble reading it, whereas the
>newer models didn't. The real strange thing was that >sometimes< the
>drive would read the disk, and >sometimes< it wouldn't. The disk
>was readable by that drive prior to infection, according to the
>user. The message received was a General Failure error.

>shrug?

At great risk of decapitation I'll "stick my neck out" and make a
comment. (I assume Karyn is responding to Vesselin's (?) challenge on
this point.)

What we observe here is a typical problem in virus
"analysis": there are two approaches that can be taken. One can
disassemble the virus and thereby "know" its every characteristic,
in principle, or one can rigorously test the virus, and "observe"
a set of behaviors.

Each method has drawbacks. If we analyse the code,
we may fail to take into account how each byte of code might
cause the virus to behave with unusual hardware. (Viruses have
bugs, too, and they aren't always identified by reverse engineering.)
Another error is one I fell into early into the "Empire" virus
studies: I rather haughtily declared that the Empire virus does not
change bytes in data files, because I thought I had seen and studied
all (three) variants of the Empire virus. I was grossly mistaken: there
where at least 14 other variants I hadn't yet come across, three of
which DO "diddle" data. I'm sure Vesselin wouldn't make such a mistake,
though!

The problem with the second approach to virus analysis
is that the virus may have all manner of "latent" surprises,
the conditions of which haven't yet occured. Come to think of it, I
once got hit by this error, too! With the "Happy Halloween" virus,
I found out quite by accident that its "bomb" was set to go off not
only on Halloween, but also on Christmas Day! Fortunately I was testing
on a properly isolated system.

In the case under discussion, I think the observed 1.2Mb effect was
a hardware coincidence, probably. Though I suspect michelangelo might
mess up 720k floppies, the way the Empire does, but I haven't tested
this - by either analysis method!

Tim.

-------------------------------------------------------------
Tim Martin *
Soil Science * These opinions are my own:
University of Alberta * My employer has none!
[email protected] *
-------------------------------------------------------------

------------------------------

Date: Fri, 21 Feb 92 14:14:48 -0600
>From: [email protected]
Subject: On reformatting floppies to remove infections (PC)

Someone recently raised the question of reformatting infected
diskettes. Believe me, you can do it successfully and there is no
need to physically destroy any useable magnetic disks. While simply
reformatting from a __known__ clean system will, more than likely, be
adequate, another good trick is to zap the disk with a bulk tape
eraser. These devices are sold in electronics stores and from vendors
of audio and video equipment. The idea, here, is to expose the
diskette to the alternating field of a very powerful electromagnet.
The field is many times more powerful than the field emitted by the
read-write head on your disk drive and it totally obliterates any
vestiges of formatting or data. The end result is a diskette which is
probably magnetically cleaner than it was the day it was made. It
will, of course, need to be reformatted before use. There is
absolutely no way in the universe that any sabotage program can
survive this process, nor for that matter, any data so be sure you
want to do this.
Finally, there is a correct way to use a bulk eraser for maximum
effectiveness. Don't turn the magnet on or off while near the
diskette that you are erasing. This will leave the disk magnetized
when you are finished. After holding the eraser at arm's length, turn
it on and bring it and the doomed diskette together. Wipe the bulk
eraser in a circular motion over the diskette a few times and then
move the two objects apart before turning the eraser off.

Martin McCormick
Amateur Radio WB5AGZ
Oklahoma State University
Computer Center
Data Communication sGroup
Stillwater, OK

------------------------------

Date: Fri, 21 Feb 92 14:22:00 -0600
>From: [email protected]
Subject: Re: F-Prot 2.02D/DOS 2.11 (PC)

Lynne Meeks wrote...
>We're having some trouble getting F-Prot (2.02D) to run successfully
>with AT&T DOS 2.11 (Yes, I know this is very old but fiscal
>constraints what they are not everyone has upgraded to a modern
>version of DOS)
>
>What happens is we run F-Prot and get the message:
>'*.TX0 not found'
>then we get the DOS prompt
>
>The English.TX0 file IS there; the same F-prot disk works fine on
>the same machine with 3.2 or 3.3 DOS.
>
>BTW,yesterday, the same experiment with 2.02B yielded
> *
>and then the DOS prompt.
>
> Anyone else with old DOS experiencing this? I KNOW the correct answer
>is to upgrade DOS, but any insights on how to cope with what we've got
>would be much appreciated! Thanks.

I have had the same problem on a Northgate 286 running MS-DOS 3.3.
F-Prot runs fine off the floppy drive, but will not run from the hard
disk. We successfully installed the same version of F-Prot 2.02 on
several other PCs.

Sharon Strauss
University of St. Thomas
Computing Center

------------------------------

Date: Fri, 21 Feb 92 23:05:52 +0000
>From: [email protected] (Russ Urquhart)
Subject: Quick way to check for Mich on PC's (PC)

This is my first time on this groups, so if this has been asked
before, please forgive me!

In either case, is there a quick way to determine if the PC's in my
group have been infected with Michelangelo? Some memory location?
SOmething I can check.

I tried someone's suggestion of fdisk /mbr, but since we have Dos 3.3,
this didn't have any effect!

Any help is appreciated!

Thanks again

Russ

------------------------------

Date: Sat, 22 Feb 92 01:25:07 +0000
>From: [email protected] (Beastor the Mad)
Subject: Possible virus? (PC)

Ok... here is the problem. I have just put up a BBS, and have
just started downloading files from other BBS's. I bought myself
Central Point Anti Virus, and just recently got an update, since I
knew that BBSing was dangerous.
I have recently (yesterday) had this problem with my system...
it states COMMAND.COM is invalid, cannot load COMMAND system halted.
Then I have to reboot. Now, I've been playing around with the system,
and when I copy the command.com file from my disk to my HD, it
sometimes is alright for a while (until I run about half a dozen
programs). The times it doesn't work is when I have the following
statement in my config.sys file:
DEVICE=C:\ra\bnu.sys (fossil driver for my BBS) When this
statement is in there, it doesn't work at all. I keep getting that
message appearing when I boot.
Now, I've done lots a crap to try to figure out what is going
on... VSAFE is installed, BOOTSAFE is installed, I've done a slow
detection on all files with the CPAV, I've recopied all my dos files
from my originals, I've copied all my friends DOS files from their
originals, I've deleted my BNU.SYS file and downloaded another copy,
i've done a hard disk analysis, etc...
I've noticed that something might be wrong with my command.com
and autoexec files, cause when I copy them to my System disks the
system goes down again. There is nothing wrong with the files though,
as I haven't changed them for 6 months, until my bbs, then only
moderately. When I change back to my old Auto and Config files, the
system still doesn't work. I've deleted all my auto and config files,
and made new ones up... still to no avail.
ANYONE OUT THERE HAVE AN IDEA WHAT IS WRONG... IF THERE IS A
VIRUS WITH THESE SYSTEMS?
Another question here... I know that this one guy is
producing viruses and uploading these files to other systems. I've
found that these viruses have come out of his computer:
1. Michelangelo's
2. Yankee Doodle 41, 39, 24, 25
3. Aids 2
4. Stoned
5. Joshi
6. Ghost Balls
7. April 1st D

Thing is, all his programs work fine for him, I've asked him
if his system is alright (while he was on my BBS). He said yeah. Now
unless he scans every time he downloads something, and forgets to
clean them before he uploads, then something funny is going on...
WHAT SHOULD I DO? CALL THE COPS?

-BEASTOR THE MAD
(virus killer)

------------------------------

Date: Sat, 22 Feb 92 07:56:01 +0000
>From: [email protected] (Rich Wales)
Subject: What does Ping Pong B virus do? (PC)

What does the "Ping Pong B" virus do to a system?

A friend of mine got "Ping Pong B" on her PC from another system via a
floppy. She asked me for help after she was no longer able to run
WordPerfect (4.2 or 5.0).

We managed to eradicate the virus from her hard disk and the floppy
(she said she hadn't tried to use any other floppy since the problem
started, so we only needed to contend with the one floppy). After
doing this, she could once again use WordPerfect.

All I've been able to find out about Ping Pong B is that it's a boot
sector virus, reduces available system memory by 2K bytes (just like
Michelangelo), and keeps WordPerfect from running.

Is there anything else that Ping Pong B does to a system? If my
friend's brother (whose system was probably where she got the virus
from) doesn't act quickly to eliminate it on his machine, what kind
of risk is he facing?

- --
Rich Wales <[email protected]> // UCLA Computer Science Department
3531 Boelter Hall // Los Angeles, CA 90024-1596 // +1 (310) 825-5683

------------------------------

Date: Fri, 21 Feb 92 15:59:13 +0000
>From: [email protected] (Jesse Taylor)
Subject: Re: WDEF infection at a school (Mac)

I would say talk to the computer lab person at your child's school and
see if you can find a way to find out te person who put it there in
the first place... Run a virus-checker init off the startup disk and
have it check all the disks people bring in...

------------------------------

Date: Fri, 21 Feb 92 17:25:37 +0000
>From: [email protected]
Subject: Re: WDEF infection at a school (Mac)

sure, the method we use here at Bradeis to keep our startups clean is
a program called Disinfectant by John Nortstad. The detector/stopper
is free distribution but the disinfectant might not be. Works fairly
well.
Mike Yalter

------------------------------

Date: Sun, 09 Feb 92 22:31:36 -0500
>From: [email protected] (Michael Fry)
Subject: Distributing info and shareware

We would like to distribute information and make shareware available
to PC users in the area, to help reduce the possibility of March 16
carnage to hard disks around here. Maybe not all whom we'd like to
reach are familiar with the shareware concept. We want to include a
disclaimer and a short explanation (and plea). (In addition to
materials included with each package, which we are distributing
intact.) Stole from one shareware package to get this:

XXXXX College does not guarantee reliablilty or offer
support for use of these packages, nor does the College
endorse them. These are being made available only as
a service.

Each of these packages is copyrighted, and is
distributed under the Shareware concept. This allows
users to evaluate software for a short time to
determine if it is useful to them. If you decide the
software is of value to you and decide to keep and use,
you are required to register it with the owner of the
copyright (not XXXXX College). Information can be found
in the accompanying .DOC files.

If Association of Shareware Professionals members have a canned
version of this for an institution to use to help with shareware
cooperation, we'd be glad to use it.

Mike Fry Math Sci Dept. Lebanon Valley College Annville PA 17003
[email protected]

------------------------------

Date: Thu, 20 Feb 92 19:32:00 -0500
>From: <[email protected]>
Subject: RE: "Executive Guide to Computer Viruses" from NCSA?

In Virus-L (137) Rich Travsky writes:
>In an article on the Michelangelo virus, the February 12th Network World
>mentions an "Executive Guide to Computer Viruses" ($24.95 from the NCSA).
>Anyone seen this guide? Is it a worthwhile thing to pursue?

Actually, I'm the author of this book. It is targeted toward
the corporate or government microcomputer manager (as well as
individual users and aims to educate them to the problem and provide
ways to combat it. It's written in a straight-forward manner, which
should be easily comprehensible to users of all levels. It seemed (a
year or two ago when the book was conceived) that there was a void in
the available literature: most was written for either highly technical
users or complete neophytes. The Executive Guide fits somewhere in
between.
I've reproduced the table of contents here:

Table of Definitions and Abbreviations
Virus Overview
Computers and Biology
The Viruses
Virus Prevalence
Viruses and Computer Networks
Detection and Removal
A Peek into the Other Side
Virus Research
Virus Legislation
Practical Suggestions
Policy Recommendations
The Future of Viruses
Appendix A: Cures for Common Viruses
Appendix B: The Boot Process
Appendix C: Creating and Anti-Viral Diskette

The second edition has just entered publication this week.
Call the National Computer Security Association (NCSA) at
1-800-488-4595 to order. Hope this helps...

Charles

*********************************************
*[email protected] (Charles B. Rutstein) *
* "Fourty-Two" -- Ford Prefect *
*********************************************

------------------------------

Date: Fri, 21 Feb 92 20:09:00 +0700
>From: MARK <[email protected]>
Subject: Re: General Virus information ?

Hello,

I would appreciate if anyone could send some general information
regarding behavioural characteristics of viruses.

In particular,characterisation of those properties that would be
detectable by an experienced programmer if they were given a
virus-infected source code program.

Also characteristics of viruses and characterisation of clues to
virus-like behaviour.

Mark Tierney
University College Dublin
Ireland.

------------------------------

Date: Sat, 22 Feb 92 05:37:41 -0600
>From: [email protected] (John Norstad)
Subject: Disinfectant 2.6 (Mac)

Disinfectant 2.6

February 22, 1991

Disinfectant 2.6 is a new release of our free Macintosh anti-viral
utility.

Version 2.6 detects the new MBDF virus and Trojan horse.

The MBDF virus was discovered in Wales. Several popular Internet
archive sites contained some infected games for a short period of
time, so a number of people around the world were affected. The games
were named "10 Tile Puzzle" and "Obnoxious Tetris."

In addition to these two games, a third game named "Tetricycle" or
"tetris-rotating" was a Trojan horse which installed the virus.

Disinfectant identifies both infected files and the Trojan horse as
being infected by the MBDF virus. Repairing an infected file removes
the virus and returns the file to the state it was in before being
infected. Repairing the Trojan horse renders it ineffective and
inoperable.

The MBDF virus is similar to the MDEF virus. It infects both
applications and the System file. It also usually infects the Finder
and several other system files. The System file is infected as soon as
an infected application is run. Other applications become infected as
soon as they are run on an infected system.

The MBDF virus is non-malicious, but it can cause damage. In
particular, the virus takes quite a long time to infect the System
file when it first attacks a system. The delay is so long that people
often think that their Mac is hung, so they do a restart. Restarting
the Mac while the virus is in the process of writing the System file
very often results in a damaged System file which cannot be repaired.
The only solution in this situation is to reinstall a new System file
from scratch.

We also have reports that the MBDF virus causes problems with the
"BeHierarchic" shareware program, and reports of other menu-related
problems on infected systems.

The MBDF virus is named after the type of resource it uses to infect
files.

MBDF resources are a normal part of the Macintosh system, so you should
not become alarmed if you see them with ResEdit or some other tool.

Special thanks to the people at Claris who included self-check code in
their Macintosh software products. Their foresight resulted in an
early detection of the virus, and has thus helped the entire Mac
community. We strongly encourage other vendors to consider doing the
same with their products.

There are a few other minor changes in version 2.6:

We improved the "busy file" error message. In particular, we no longer
advise System 7 users to "try again without MultiFinder."

The document was revised. In particular, we now mention more System 7
issues in the main body of the document, not just in the special
"System 7 Notes" section.

In previous versions of Disinfectant, we recommending creating a
special "virus tools" startup disk. With newer versions of the Mac
system, and with System 7 in particular, this is no longer possible.
The document has been revised appropriately.

Disinfectant 2.6 is available now via anonymous FTP from site
ftp.acns.nwu.edu [129.105.113.52]. It will also be available soon on
sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac,
America Online, CompuServe, GEnie, Delphi, BIX, MacNet, Calvacom,
AppleLink, and other popular sources of free and shareware software.

Macintosh users who do not have access to electronic sources of free
and shareware software may obtain a copy of Disinfectant by sending a
self-addressed stamped envelope and an 800K floppy disk to the author
at the address given below. People outside the US may send an
international postal

reply coupon instead of US stamps (available from any post office).
Please use sturdy envelopes, preferably cardboard disk mailers.

People in Western Europe may obtain a copy of the latest version of
Disinfectant by sending a self-addressed disk mailer and an 800K
floppy disk to macclub benelux. Stamps are not required. The address
is:

macclub benelux
Disinfectant Update
Wirtzfeld Valley 140
B-4761 Bullingen Belgium

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208 USA

Internet: [email protected]

John Norstad
Academic Computing and Network Services
Northwestern University
[email protected]

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 40]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253