VIRUS-L Digest   Friday, 28 Feb 1992    Volume 5 : Issue 45

Today's Topics:

Re: Houston Chronicle report on Michelangelo (PC)
Silly Season is Early (PC)
FProt a good bet for unexperienced user? (PC)
Re: Boot Sector Virus Infections (In General) (PC)
Re: Stoned, Michaelangelo, Boot Sector ReLocation (PC)
Re: Jeff virus!!!!! (PC)
Re: Will Write Protection Prevent Virus Infection? (PC)
Scan False Alert (PC)
Re: Possible virus? (PC)
Re: Possible virus? (PC)
Re: Quick way to check for Mich on PC's (PC)
Re: viruses in general-=help
Possible virus? (PC)
Re: What does Ping Pong B virus do? (PC)
Re: Will Write Protection Prevent Virus Infection? (PC)
mutated FORM? (PC)
Re: Question on Michelangelo Date-Trigger (PC)
Re: Disinfectant 2.6 (Mac)
Amiga Virus ? (Amiga)
Re: Virus Calendar
Re: Houston Chronicle, Edmonton Journal and the media in general

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 26 Feb 92 01:56:11 +0000
>From:    [email protected] (Robert Slade)
Subject: Re: Houston Chronicle report on Michelangelo (PC)

[email protected] (Terry N Reeves) writes:
>>You just reformat the disk and
>>re-install everything from your backups. You have spent at most one
>>day doing this, and at most one day of your work is lost (if you have
>>a good backup scheme). Nothing disastrous.

Actually, it may be.

We have seen that PCTOOLS (and how many others?) uses a non-standard
disk format for speed and storage reasons.  All well and good, except
that Michelangelo (and Stoned) will infect the disk anyway.  Which
renders it unusable.

Therefore, if you backup from an infected machine, and then play
"Michelangelo roulette", you just might end up with a dead hard disk
... and a dead backup to boot.

=============
Vancouver                               | "Remember, by the
Institute for  [email protected]      |  rules of the game, I
Research into  [email protected]         |  *must* lie.  *Now* do
User           CyberStore Dpac 85301030 |  you believe me?"
Security       Canada V7K 2G6           |    Margaret Atwood

------------------------------

Date:    Tue, 25 Feb 92 22:21:07 -0500
>From:    padgett%[email protected] (A. Padgett Peterson)
Subject: Silly Season is Early (PC)

Heard that MTV is now warning about a "Super bad heavy virus that's going
down on March 6th...". What's next, the Mickey Mouse Club ?
                                       Warmly,
                                               Padgett

------------------------------

Date:    26 Feb 92 07:07:46 +0000
>From:    [email protected] (Nathan Gasser ><> )
Subject: FProt a good bet for unexperienced user? (PC)

Hi all,

       I'm pretty much a user, period, of a PS/2 and would like
to enter the safe-computing era with a complete virus protection
package.

       I'm considering installing FProt -- does this sound like
a good bet?  Will it ask me too many things I don't understand?
Will it work without my constant attention?

       Also, does it snag Michaelangelo and the latest crop
of baddies?  I've got fprot201.zoo from the net.

Any/all replies greatly appreciated (Email is fine, thanks)
Nate.
- --
Nathan Gasser       ><>
[email protected]

------------------------------

Date:    26 Feb 92 10:46:42 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Boot Sector Virus Infections (In General) (PC)

[email protected] (Tim Martin; FSO; Soil Sciences) writes:

> Yes, The hard drive would already be infected.  The virus would not be
> in memory if you reboot from a non-infected floppy disk, but it will
> install itself in memory each time you boot from the (infected) hard disk,
> or any other infected disk for that matter.

> This is typical of any boot sector viruses I have found "in the wild":
> stoned, michelangelo, the Empire family, bloody!, ....

In fact, it is typical for most -master- boot sector infectors. The
DOS boot sector infectors (e.g. Ping Pong) usually require a
successful boot in order to infect the disk. This is not a rule of
course, I think that Disk Killer infects even on unsuccessful boot
attempts.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Wed, 26 Feb 92 11:02:18 +0000
>From:    [email protected] (Helmut Dier)
Subject: Re: Stoned, Michaelangelo, Boot Sector ReLocation (PC)

[email protected] writes:
>[email protected] (Karyn Pichnarczyk) writes:
[...]
>
>The question I have concerns what appears to me to be conflicting
>information from the two sources above.  One source states that the
>Stoned virus and the Michaelangelo virus both copy the original boot
>sector information to the same location.  The second source states
>that the two viruses copy the original boot sector information to two
>different locations.  Am I reading this wrong?  Which one is correct?
[...]

Due to my results on a machine that stated it was stoned and had Michelangelo
the two viruses use different locations. I was able to restore the original
bootsector with CLEAN from McAfee first deleting stoned and after that
deleting Michelangelo. So it's obvious that the two viruses use different
locations.

Helmut
- ----------------------------------------------------------------------
Helmut Dier,                     | E-Mail:
student of computer science,     | Internet: [email protected]
Technical University of Vienna   | Bitnet: E13690B@AWITUW01
Austria, Europe                  |
- ----------------------------------------------------------------------

------------------------------

Date:    26 Feb 92 11:12:35 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Jeff virus!!!!! (PC)

[email protected] (Dale Fraser) writes:

> I hope someone can help me. My PC just got infected by the Jeff virus.
> How do I get rid of it? I know I am supposed to remove the infected
> files, but I ran the latest version of SCAN (86B) and it never found
> it.

Hmm, SCAN 86-B -does- detect the Jeff virus. BTW, this is a rather
silly non-resident COM infector and I seriously doubt that it can
spread very widely... My bet is that you are not really infected and
have a false positive alarm. Why did you decide that you are infected
(i.e., what program reported this virus)?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Wed, 26 Feb 92 11:58:32 +0100
>From:    Martin_blas Perez Pinilla <[email protected]>
Subject: Re: Will Write Protection Prevent Virus Infection? (PC)

[email protected] (ELGHARIB,HESHAM MOHIEDDIN ABOBAKR) writes:

> If I set the attributes of all the executables, overlays, and COM
> files in my hard drive to be read-only, will this reduce the chances
> of getting virus infection?

Changing the attributes is _absolutely_ useless. Only some very old and
very stupid viruses can be stopped with such a trick, but all
well-written (:-)) viruses (Jerusalem, Yankee Doodle...) can change
the attributes, infect the programs and reset the attributes to their
original state.

Regards,
- -mb

M.B. Perez Pinilla               |
[email protected]               |       Write 10^6 times:
Departamento de Matematicas      |  "I'll never waste bandwidth"
Universidad del Pais Vasco       |
SPAIN

------------------------------

Date:    Wed, 26 Feb 92 11:41:45 +0000
>From:    [email protected] (Mr K C Craig)
Subject: Scan False Alert (PC)

I have a problem with a false virus alert (15xx) to be exact from
McAfee's Scan V8.3B86.  The program claims the virus is in memory when
the /M option is used to check memory for all virii.  I know that there
is no virus present.  (If anyone's interested I can explain how I know
this but it's a bit superfluous to my question.)

Problem History.

The virus warning occurred on two machines in a lab of 15 PS2 model 30s.
Each machine is of standard configuration but with a Western Digital 8
bit ethernet card in them.  In the lab we use a technique called
Rebuilding to keep a constant software set on the machines.  This works
by letting each machine, when reset, log on to a server which contains
a software backup set and copying any files which differ on the remote
machine, from the file server to the remote machine.

I have used McAfee's latest version of Netscan to check the network and
it reports no virii.

The two PS2s in question both report a 15xx virus in memory but not on
any files.  Clean 8.1v85 fails to spot or remove the virus and running
scan without the /M option stops the error report.  Findvirus from
Solomon's does not find the virus.

The only way that these two machines differ from the other fifteen is
that they did have multiple partitions under Dos 3.3 and when I upgraded
them to dos 5 I used fdisk on dos 5 to remove these partitions.  Could
this be the problem? Should I have used Dos 3.3 fdisk? I would low-level
format these machines but no-one seems to know how to access the
facility on a PS2 model thirty.

Is there a problem with Scan?  I am positive that the virus alert is a
false alarm.


                                       Keith Craig.
                                       Lancaster University.
                                       Microcomputer Consultant.

------------------------------

Date:    26 Feb 92 11:21:24 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Possible virus? (PC)

ZEM0%[email protected] writes:

> In some programs I see this word 'MSDOS' and i do not if that is a
> virus all the programs that has that , has 5 byte more I know that if
> we immunize a program, is going to have 5 byte more, but when i run

Let me guess - you are using TNTVIRUS in "immunize" mode and the
actual string is "MsDos", right?

> scan say that in the memory i have 5 byte (the word (MSDOS)) i dont

Of course. How do you think that word got on the disk? It has been
written there by a program (TNTVIRUS in this case), which first had it
in memory. After you quit the program, it does not clean the memory it
uses, so it is no wonder that you keep finding parts of it there...

Side note. Stop using TNTVIRUS. NOW! This is a very buggy program.
Sometimes it can even damage your data (I have verified this
personally for version 6.80A, so I know what I am speaking about).
BTW, as far as I know, the program has been discontinued and its
authors now produce Central Point Software's Anti-Virus. So it is an
old scanner on the top of that. Forget it and obtain something more
recent and more reliable.

> understand that.  i would like to know if is good to immunize programs

No, it is a VERY BAD IDEA. First, you cannot immunize against all
possible viruses. (In our particular case, TNTVIRUS "immunizes" only
against some Jerusalem variants, Stoned, Brain, and Ping Pong, I
think.) Second, some viruses use contradictory checks, so you cannot
immunize against both of them. For instance, how can you immunize
files against two viruses, the first of which looks for the string
"MsDos" at the end of the files, while the second looks for " Terror"
at the same place? Third, some viruses are just impossible to immunize
against, since they simply check whether their whole body is present
in the file, and if it receives control. The only way to "immunize"
the files against such thing is to actually infect them.

> When i immunize a program with the tnt and after i run scan ,say that
> i have the ohio in memory

This is another silly thing in TNTVIRUS (which is still present in
CPAV) - it does not encrypt the scan strings it uses, and does not
clean the memory after itself. Therefore, other signature scanning
programs can produce false positive alarms.

> i would like to know also if SCAN immunize
> program and if it is good and also when i immunize i have 5 byte more?

No, it is NOT GOOD to add anything to your files. SCAN cannot
"immunize", but it can either (1) add 10 bytes checksum to the files,
or (2) add 52 bytes for "general virus removing". Both are bad ideas,
DON'T USE THIS POSSIBILITY.

> Person say that on march 6 is going to be a virus that no exist a anti
> virus yet .I would like to know more about that.

Nonsense. What everybody is talking about is the Michelangelo virus,
which will activate its destructive payload on March 6. The recent
versions of most well-known scanners/removers are able to detect and
remove it. F-Prot 2.02d, CLEAN 86-B, Dr. Solomon's Anti-Virus ToolKit
5.54 all can remove it - I have tested this personally.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Wed, 26 Feb 92 12:40:53 +0100
>From:    Martin_blas Perez Pinilla <[email protected]>
Subject: Re: Possible virus? (PC)

ZEM0%[email protected] writes:

> In some programs I see this word 'MSDOS' and i do not if that is a
> virus all the programs that has that , has 5 byte more I know that if
> we immunize a program, is going to have 5 byte more, but when i run

Some "antivirus" programs add the 'MSDOS' signature as "vaccination"
against the Jerusalem virus.  This is absolutely useless (even for
Jerusalem). Wipe the "antivirus".

> understand that.  i would like to know if is good to immunize programs

NO. Changing programs is a bad idea (see Vesselin's messages in previous
issues of VIRUS-L).

> When i immunize a program with the tnt and after i run scan ,say that
> i have the ohio in memory i would like to know also if SCAN immunize
> program and if it is good and also when i immunize i have 5 byte more?

(a) Wipe TNT.
(b) Possible false alarm, but don't trust. Boot from a clean floppy and
SCAN with the /M option.
(c) SCAN/AV adds a 10-byte CRC. No good (see above).

> Person say that on march 6 is going to be a virus that no exist a anti
> virus yet .I would like to know more about that.

The Michelangelo. Can be detected and eliminated with SCAN 85.

Regards,
- -mb

M.B. Perez Pinilla               |
[email protected]               |       Write 10^6 times:
Departamento de Matematicas      |  "I'll never waste bandwidth"
Universidad del Pais Vasco       |
SPAIN

------------------------------

Date:    26 Feb 92 13:07:54 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Quick way to check for Mich on PC's (PC)

[email protected] (Russ Urquhart) writes:

> In either case, is there a quick way to determine if the PC's in my
> group have been infected with Michelangelo? Some memory location?
> Something I can check.

It depends what you are able to check... Do you know how many users
cannot make the difference between a boot sector and a master boot
sector? Well, in general, look at your master boot sector, or at the
boot sector of a non-write protected diskette. If you don't see any
plain text messages, this is already suspicious...

> I tried someone's suggestion of fdisk /mbr, but since we have Dos 3.3,
> this didn't have any effect!

Right, you need version 5.0 for that.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
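
[Added example, not part of the original digest or written by any poster: one way to automate the check described in the message above, flagging a boot sector that carries no plain-text messages. The sample sectors are constructed filler bytes, not real boot code, and the function names and thresholds are assumptions; as in the post, a missing message is only a reason to look closer, not a verdict.]

```python
"""Boot-sector text check run on constructed sample sectors (no disk is read)."""

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid PC boot sector


def text_runs(sector, min_len=8):
    """Return runs of printable ASCII that are at least min_len bytes long."""
    runs, current = [], bytearray()
    for byte in sector:
        if 0x20 <= byte <= 0x7E:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def looks_like_message(run):
    """Human-readable text: more than one word, almost all letters and spaces."""
    text = run.strip()
    if " " not in text:
        return False
    wordy = sum(ch.isalpha() or ch == " " for ch in text)
    return wordy / len(text) >= 0.8   # assumed threshold


def inspect_boot_sector(sector):
    """Summarise one sector: signature present, messages found, suspicious flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one %d-byte sector" % SECTOR_SIZE)
    messages = [r.strip() for r in text_runs(sector) if looks_like_message(r)]
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "messages": messages,
        "suspicious": not messages,   # the post's heuristic: no text, look closer
    }


def make_sector(filler, messages=()):
    """Build a constructed 512-byte sample: filler, NUL-separated text, signature."""
    body = bytearray(filler)
    for message in messages:
        body += b"\x00" + message.encode("ascii") + b"\x00"
    return bytes(body.ljust(510, b"\x00")[:510]) + BOOT_SIGNATURE


# Constructed samples. The messages are of the kind a standard DOS master
# boot record carries; the filler bytes are arbitrary and are not boot code.
STANDARD_MESSAGES = (
    "Invalid partition table",
    "Error loading operating system",
    "Missing operating system",
)
SECTOR_WITH_TEXT = make_sector(
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4" * 12, STANDARD_MESSAGES
)
SECTOR_WITHOUT_TEXT = make_sector(bytes((i * 37 + 11) % 256 for i in range(446)))


if __name__ == "__main__":
    for name, sector in (("with text", SECTOR_WITH_TEXT),
                         ("without text", SECTOR_WITHOUT_TEXT)):
        print(name, inspect_boot_sector(sector))
```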

------------------------------

Date:    26 Feb 92 13:17:05 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: viruses in general-=help

[email protected] (Gregory Grosshans) writes:

> Is it not true that checking on weekly or bi-weekly intervals for a
> virus infection is not dangerous?

It depends whether you are practicing safe computing or not. If you
do, then checking an already scanned machine is usually unnecessary.
You should only:

1) Check -very- carefully any new software that you get, regardless of
the way you have got it (commercial or not). What "very carefully"
means, depends on what you are able to do. For me it is inspecting
some vital places of the diskette (the boot sector, the last sector of
the root directory, the first copy of the FAT, the last sector of the
diskette) with a sector editor; inspecting some vital areas of the
executable files (their beginning, their end, the beginning of thesion of their
favourite scanner on it.

2) NEVER leave a diskette in drive A: while the machine is rebooting.
It is easy to forget one there; but you just must get the habit to
remove all diskettes from the drives as soon as you have finished
copying to or from them. Or at least to open the drive door.

3) Run a checksummer often enough - say once per week. Do this only
after having booted from a non-infected write-protected system
diskette.

4) Use some kind of simple virus prevention tool, like Padgett's
utilities or the ShrDog program (available from our ftp site).

5) Use a good backup scheme. This means keeping three sets of full
backups and making a full backup once per week and an incremental
backup every day.

If you follow the above steps, you don't need to scan for viruses on
every reboot and will probably catch a new virus, if one appears.

> Does anyone know how long it takes for a "new" virus to enter the
> market (public domain) after the latest anti-virus software package is

It depends on the virus. If it is a bad infector (non-resident,
overwriting, with a visible payload, etc.), it will probably never
spread. Otherwise, it can get spread very quickly, since there exist
several virus exchange BBSes around the world, which are used by the
hackers to swap viruses. This way it is relatively easy for a
malicious person to obtain a new virus and to infect your system...

I have observed something like this myself - the DataLock virus, which
originated somewhere in the States, was found in the wild in Bulgaria
even before I got a copy for my virus collection from the other
anti-virus researchers... :-(

> released (i.e. do the virus-writers wait until the latest anti-virus
> software is released before they come up with a new virus)?

No, they usually don't do this, since (thank goodness), the different
anti-virus software is updated on different dates.

> Methods of virus infection, or types of virus infection, can include:
> boot sector, .EXE and .COM files, device drivers.  Are there any

You forgot the master boot sector and the .BAT files.

> others that I'm missing?  Can non-executable (i.e. data files) be

No. Non-executable files cannot spread a virus. The problem is that a
lot of things that you usually don't consider as being executable, are
executed or interpreted by the computer. This includes .OBJ files,
libraries, sources of programs in any programming language, macro
files for several packages (MS Word, Lotus 1-2-3, etc.), and so on.
All those objects are potential virus carriers, although some of them
are quite difficult to infect, and won't help a lot to spread the
virus.

> infected with escape character sequences, etc?

Theoretically - yes. In practice, I have seen several trojan horses,
implemented in this way, but no viruses. Anyway, there is a simple
cure for that - just disable the ability of your ANSI driver to
reprogram the keyboard.

> Any information is greatly appreciated!

Hope the above helps.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Wed, 26 Feb 92 14:58:17 +0000
>From:    Vera Marvanova <[email protected]>
Subject: Possible virus? (PC)

Please could someone tell me, if such a behavior of computers could be
caused by a virus?  In two computers (386-SX AND 386 - 33) after some
time of operation suddenly all look like CAPS LOCK would be touched.
All letters change to upper case. After "SHIFT" all is O.K., but
after some time this appears again. Scan86b shows nothing.

Any help is appreciated!
Many thanks in advance.
                             Vera Marvanova
                             VM at CSPGIG11

                             Geophysical Institute
                             Praha
                             Czechoslovakia

------------------------------

Date:    26 Feb 92 13:49:28 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: What does Ping Pong B virus do? (PC)

[email protected] (Rich Wales) writes:

> What does the "Ping Pong B" virus do to a system?

> A friend of mine got "Ping Pong B" on her PC from another system via a
> floppy.  She asked me for help after she was no longer able to run
> WordPerfect (4.2 or 5.0).

(The following information should probably be mentioned in the FAQ.)

Please, when reporting a virus infection, be as specific as possible
and report as much information as you can. Especially:

       - The name of the virus;
       - The name of the program that detected it;
       - The version of the program that detected it;
       - Any other anti-virus software that you are running and
whether it has been able to detect the virus or not, and if yes - how
did it call it;
       - Your software and hardware configuration (computer type,
kinds of disk(ette) drives, amount of memory and configuration
(extended/expanded/conventional), TSR programs and device drivers
used, DOS version, whether it has been loaded high, etc.)

(End of the introductory FAQ info. Now let's go back to the virus.)

There are about 7 different variants of the Ping Pong virus. I don't
know what "Ping Pong B" means exactly in your case, but I suspect that
it was SCAN who reported it. And SCAN is very unreliable when
reporting virus names, so the only thing that is certain is that the
disk is really infected, and probably by one of the Ping Pong
variants.

None of the known Ping Pong variants is intentionally destructive. One
of them (sometimes called Typo) introduces spelling mistakes when you
are printing a file. The others display a bouncing ball (ASCII 7, one
of the variants uses ASCII 4) on the screen, when certain conditions
are met (a tiny time window, which appears once in about 30 minutes,
combined with disk access).

The virus is a boot sector infector (-unlike- Michelangelo, which is a
MASTER boot sector infector), allocates a cluster, marked as bad,
where it stores its second part and the original boot sector.

Most variants of the virus do not run on an 80286 or above, because
they contain an illegal instruction, but at least one of the variants
has this bug fixed.

I have no idea why the virus causes WordPerfect to stop working. It
can sometimes hang DOS 3.30, however. Ah, and it does not infect DOS
4.x and above volumes.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    26 Feb 92 14:06:56 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Will Write Protection Prevent Virus Infection? (PC)

[email protected] (ELGHARIB,HESHAM MOHIEDDIN ABOBAKR) writes:

> If I set the attributes of all the executables, overlays, and COM
> files in my hard drive to be read-only, will this reduce the chances
> of getting virus infection?

This will stop only very few and very simple viruses. Most of the
existing ones will easily get around this kind of "protection".

> I understand that viruses usually get transmitted by modifying these
> files.  And since these files are rarely required to be read-write,
> (maybe during the installation only) I do not think that the
> applications would mind setting the attributes to read-only.

A very reasonable assumption. Unfortunately, in Messy-DOS it is
equally easy to switch the ReadOnly attribute on and off. If you can
turn it on, a virus can turn it off, infect the file, then restore the
previous state of the attribute. In fact, most viruses do exactly
that.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
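
[Added example, not part of the original digest or written by any poster: it illustrates the point made above, and the "run a checksummer" step in the earlier "viruses in general" reply, by showing that a file changed by a program which clears the read-only attribute and then restores it looks untouched to an attribute check but not to a content checksum. The file name, the inert marker bytes and the use of SHA-256 are assumptions of this sketch; it works on a temporary file only.]

```python
"""Read-only attribute versus content checksum, on a constructed temp file."""
import hashlib
import os
import stat
import tempfile


def snapshot(path):
    """Record what an attribute check sees (mode, mtime) and a content hash."""
    st = os.stat(path)
    with open(path, "rb") as handle:
        digest = hashlib.sha256(handle.read()).hexdigest()
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "mtime_ns": st.st_mtime_ns,
        "sha256": digest,
    }


def modify_and_restore(path, marker):
    """Stand-in for any program that changes a read-only file and covers up:
    clear read-only, append inert bytes, put the mode and timestamps back."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    os.chmod(path, mode | stat.S_IWUSR)
    with open(path, "ab") as handle:
        handle.write(marker)
    os.chmod(path, mode)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def compare(before, after):
    """Report separately what the attributes say and what the checksum says."""
    return {
        "attributes_changed": (before["mode"], before["mtime_ns"])
        != (after["mode"], after["mtime_ns"]),
        "content_changed": before["sha256"] != after["sha256"],
    }


def run_demo():
    """Baseline a read-only file, modify it behind the attribute, compare."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "PROGRAM.COM")   # hypothetical name
        with open(target, "wb") as handle:
            handle.write(b"constructed stand-in for an executable\n")
        os.chmod(target, 0o444)                          # mark read-only
        baseline = snapshot(target)
        modify_and_restore(target, b"INERT-MARKER")      # constructed bytes
        return compare(baseline, snapshot(target))


if __name__ == "__main__":
    print(run_demo())
```

The baseline is only as trustworthy as the moment it was taken and the system that later verifies it, which is why the earlier reply says to run the checksummer after booting from a clean write-protected diskette.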

------------------------------

Date:    26 Feb 92 14:53:26 +0000
>From:    [email protected] (James P. Gunderson)
Subject: mutated FORM? (PC)

At the University of Colorado Denver we have run across an interesting
situation.  On a routine scan of a user's disk, we found FORM in memory
with no detection on the disk itself.  After making a disk copy of
the disk (5 1/4 HD formatted at 360K) we again scanned.  No image on
the disk, but the machine was reinfected.

I then took a machine and completely cleaned it, booted from a clean,
write-protected floppy, and rescanned.  The machine was clean.  I
scanned the 'suspect' disk; it was clean according to both f-prot202d
and scan86b.  After several accesses, (not booting, just dir, and
running command.com) a scan of the machine showed FORM in memory.
What gives?

Needless to say, any help would be appreciated.


No signature, just a name.      JIM

------------------------------

Date:    26 Feb 92 15:04:06 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Question on Michelangelo Date-Trigger (PC)

[email protected] (NSI Security Manager +1-202-434-4541) writes:

> This question may have been asked/answered already, but does merely
> setting the system date ahead on the 5th (to the 7th) cause the
> trigger mechanism never to go off?

No. The trigger mechanism will go off the next March 6 (after one
year) too. "Never say never"... :-)

> It would seem that if true, as an interim measure until all systems
> could be scanned, that the systems just be set so that Friday, the 6th
> of March never comes....

Yeah... And on March 13 (Friday) the Jerusalem virus (a quite
widespread one, maybe more than Michelangelo) will delete files. And
on March 15 the Maltese Amoeba virus (quite widespread in the UK, but
also in other places in the world) will destroy your hard disk... Are
you going to change the date in these cases as well? Not to forget
the few hundreds other viruses, which cause destruction every day,
every hour... Some of them are -very- widespread (Dark Avenger). Are
you going to turn your computer on at all?

No, you must take proper anti-virus measures. Not because one silly
virus happens to activate in a few days, but because computer viruses
do exist and because they -are- widespread. You -must- take those
measures -now- and not wait till the next panic, or rely on changing
the system date.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Wed, 26 Feb 92 05:53:01 +0000
>From:    Norman Paterson <[email protected]>
Subject: Re: Disinfectant 2.6 (Mac)

I've been having trouble running Disinfectant 2.6 on an Apple Quadra.
There are several other applications that might be involved, including
TELNET 2.4 and CAP/AUFS.  Symptoms include crashing during hard disc
scan with "unimplemented trap" error and sporadic unmounting of file
server volumes.

Has anyone else come across this?  The Quadra seems to have a number of
peculiarities.

Norman Paterson

------------------------------

Date:    Wed, 26 Feb 92 13:00:43
>From:    "" <[email protected]>
Subject: Amiga Virus ? (Amiga)

I have an A500 with 1.2 Kickstart, 512 Kb memory extension and I have
the following problem : When a normal bootable and readable disk is
inserted during a CLI/WB session *sometimes* the bootblock is filled
with zeroes. I suspect that for this to happen some command/command
sequence must be executed.  Also if I try to repair the Bootbl. with
SECTORAMA for example, the write is trapped and the bootblock gets
filled with zeroes again.  This doesn't happen when I boot from a
'Clear' disk.  I frequently use ARPDos1.3 with CONMAN 1.1 together
with MESSYDOS for MSDOS file transfers.  It never tried to kill any
MSDOS disks.

------------------------------

Date:    26 Feb 92 15:11:57 +0000
>From:    [email protected] (Vesselin Bontchev)
Subject: Re: Virus Calendar

[email protected] (Roy Coates) writes:

> I am compiling a 'calendar' of significant dates with respect to PC
> viruses.  I figured that this could be a handy tool in helping to
> prepare for possible outbreaks.  The response so far from the UK has
> been good with people sending both dates, and requests for the
> finished list.

First, the idea is not new. One of our students, Morton Swimmer, has
already compiled such a calendar. It is published by perComp Verlag,
Hamburg, and costs about 20 DM. For more information, ask Guenter
Musstopf, perComp Verlag GmbH, High-Tech-Center, Holzmuehlerstrasse
84, 2000 Hamburg 70, tel. +49-40-6932033, fax +49-40-6959991, e-mail
[email protected].

The calendar contains three different kinds of red spots on some dates,
indicating different levels of damage, caused by some viruses. A very
limited virus subset is used (limited, compared to the number of
existing variants), but there are more days with red spots, than days
without...

Second, a cross reference by activation date exists in Patricia
Hoffman's VSUM document, but it is by no means exhaustive.

Hope the above helps.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev        Virus Test Center, University of Hamburg
[email protected]  Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226    Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Wed, 26 Feb 92 02:05:11 +0000
>From:    [email protected] (Robert Slade)
Subject: Re: Houston Chronicle, Edmonton Journal and the media in general

At the recent DECUS Symposium in Calgary, Ray Kaplan made an
interesting point in this regard.

He suggested that the media, particularly the "news" media, works on
"spikes" in the signal: the unusual and out of the ordinary.  The rise
of the computer virus problem has been rapid, but consistent (as
opposed to the "cracker" problem, where a new "team" or a big break-in
makes the news).  The "signal" has therefore been on a steady and
steep rise, but hasn't had many "spikes" to trigger the media.

I was on the local CBC morning show yesterday, and tried the theory
out on them.  They figured it was about right.

=============
Vancouver                               | Lotteries are a tax
Institute for  [email protected]      | on the arithmetically
Research into  [email protected]         | impaired.
User           CyberStore Dpac 85301030 |
Security       Canada V7K 2G6           |

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 45]
*****************************************
