VIRUS-L Digest Friday, 28 Feb 1992 Volume 5 : Issue 46
Today's Topics:
Re: Preventing virus infection by disabling the hard disk (PC)
Kamikaze virus? (PC)
3.5 Michaelangelo (PC)
Re: Quick way to check for Mich on PC's (PC)
Re: What does Ping Pong B virus do? (PC)
Automatic Virus Removal Question (PC)
re: A quick Michelangelo question (PC)
DOS PC Virus? Help? (PC)
Commercially-Available Michelangelo (PC)
False Rumor about Virus (PC)
Help me identify a virus? (PC)
Symantec AntiVirus (Michelangelo only) code? (PC)
V2P6 VIRUS (PC)
Re: A quick Michelangelo question (PC)
CIAC Bulletin C-17: MBDF A on Macintosh (Mac)
Re: WDEF infection at a school (Mac)
Cornell MBDF Press Release (Mac)
Mac MDBF and SAM 3.0 (Mac)
fixutil3 from A. Padgett Peterson (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to
[email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 26 Feb 92 09:46:14 -0600
>From:
[email protected]
Subject: Re: Preventing virus infection by disabling the hard disk (PC)
> Before testing new software on my 286/386 machines, I disable the hard
> disk by changing the CMOS hard disk type to 0 and reboot from a
First of all, I make this statement without ever having experimented
with a present generation system containing the CMOS hardware
configuration setup ability so my opinions are worth just what you
paid for them, but I would say, with some confidence that it is
possible for a sophisticated virus to bypass any CMOS settings. After
all, it is possible for any running program to determine the type of
system which is running it. If anything about this system can be set
by software, it can be a potential mark for attack. Basically, if you
set something from the keyboard or a disk file, somebody else can set
it also with their program. Remember, we aren't talking about
following all the rules or doing things according to the book. We are
talking about field expedience and getting the job done any way one
can. If this means doing something totally unorthodox, such as
loading "incorrect" values into a BIOS routine, somebody will do it if
it makes their sabotage program stealthier or more destructive.
I believe that the only sure defense against unwanted software
making its way onto a disk is physical hardware control over the
ability to write to that disk. If the drive in question is installed
and the only thing between it and normal operating conditions is the
setting of a few registers, you can be sure that it is vulnerable.
Lightening is the only thing I have seen that can bypass an open
switch without the operator's consent and lightening sort of renders
all other questions academic.
Martin McCormick
Amateur Radio WB5AGZ
Oklahoma State University
Computer Center
Data Communication sGroup
Stillwater, OK
------------------------------
Date: Wed, 26 Feb 92 16:54:26 +0000
>From:
[email protected] (Pug)
Subject: Kamikaze virus? (PC)
OK, I'm confused. I was running virus dectors on mine and a friends
computer last night because the school got infected with a couple this
semester. When I run scan, it comes up with nothing. When I run
f-prot, it comes up with TURBO.TPL possibly being infected with the
Kamikaze virus. I understand that it's possible that the signature for
a virus COULD randomly appear, but for some reason I doubt it. This
was in turbo pascal 6.0 and we checked it right off the installation
disks as well. Anyone have any ideas on this?
- --
Richard Bainter Mundanely | "Teachers are supposed to
Phelim Utred Gervas Society | teach you *HOW* to learn
Pug Generally | not *WHAT* to learn."
[email protected] |
[email protected] |
[email protected]
------------------------------
Date: Wed, 26 Feb 92 10:52:21 -0600
>From: THE GAR <
[email protected]>
Subject: 3.5 Michaelangelo (PC)
Vesselin -
I did indeed "swap" from a 5.25" A: drive to a 3.5" A: drive. I have
only seen the virus on 360K and 1.2MB disks. Because of this, I have
only been able to infect hard drives on machines that use a 5.25" A:
drive.
After the hard drive is infected, and I confirm the infection by
scanning with McAfee SCAN 85, and by infecting a 360K in the A: drive,
I turn the machine off, open the case, swap the drive cables around,
so that the 3.5" disk is now the A: drive. Then I try everything I
can think of on the A: drive, which is now a 3.5", and it won't
infect. I format the disk, copy files to it, delete files on it, do
directories, all with the virus in memory, and it won't infect the A:
drive. I have now tried this on a Zenith 386 running Zenith DOS 4.0,
a Zenith 386 running MS-DOS 5.0, a Zenith 159 (8088) running Zenith
DOS 3.21, and an IBM PC running PC-DOS 3.2. Nothing will infect A:.
/++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\
! Later + Systems Programmer !
! Gary Warner + Samford University Computer Services !
! + II TIMOTHY 2:15 !
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/
------------------------------
Date: Wed, 26 Feb 92 20:03:48 +0200
>From: Tapio Keih{nen <
[email protected]>
Subject: Re: Quick way to check for Mich on PC's (PC)
>In either case, is there a quick way to determine if the PC's in my
>group have been infected with Michelangelo? Some memory location?
>SOmething I can check.
One quick way to check if your PC is infected with Michelangelo,
Stoned or some other viruses is run CHKDSK on it. If the 'total
memory' line tells that the computer got 2048 bytes less RAM than
usually, there might be Michelangelo or any other virus which reduces
2048 bytes from the memory. On machines with 640+ kb RAM this would be
653 312 bytes when it is normally 655360 bytes. There are some other
things which reduce the amount of total free RAM (for example some
device drivers), so you if you find an unexpected value, you should
check the suspecting computer with a good antivirus program (F-Prot
and Scan are both good av programs, IMHO) before yelling 'VIRUS!'.
- --
Tapio Keihanen / Mesiheinank 2B6 / 33340 Tampere / Finland
- -=-=-=-=-=-=-=-=-=-=-=-= /---\ /---/ / /\ -=-=-=-=-=-=
I WANT TO BUY YOUR RARE =|| | =|| | =| | RECORDINGS!
-
[email protected]=- /---/ /---\ \/_/ =-=-=-=-=-=-
------------------------------
Date: Wed, 26 Feb 92 20:14:58 +0200
>From: Tapio Keih{nen <
[email protected]>
Subject: Re: What does Ping Pong B virus do? (PC)
>We managed to eradicate the virus from her hard disk and the floppy
>(she said she hadn't tried to use any other floppy since the problem
>started, so we only needed to contend with the one floppy).
I would check every floppy... Ping Pong B infects every accessed
non-write protected floppy. That means, if you got an disk which is
not write protected and do a DIR on it, Ping Pong B will infect it at
the same time.
>Is there anything else that Ping Pong B does to a system?
Ping Pong B produces a bouncing ball on the screen after being
resident for some time (If my memory serves, the time is 30 minutes
but I'm not sure) and if the disk is accessed at the same time.
- --
Tapio Keihanen / Mesiheinank 2B6 / 33340 Tampere / Finland
- -=-=-=-=-=-=-=-=-=-=-=-= /---\ /---/ / /\ -=-=-=-=-=-=
I WANT TO BUY YOUR RARE =|| | =|| | =| | RECORDINGS!
-
[email protected]=- /---/ /---\ \/_/ =-=-=-=-=-=-
------------------------------
Date: Wed, 26 Feb 92 12:21:27 -0500
>From: Greg Monroe <
[email protected]>
Subject: Automatic Virus Removal Question (PC)
I am brand new to this list so if this has been a constant re-occuring
topic, please pardon me. First some background:
Here at Duke's Fuqua School of Business, we are getting ready to add
hard disks to our student network PCs. Of course, we are conserned
about Virus detection and removal on these. For a variety of reasons, we
had decided on using a scan and fix approach rather than TSR monitoring.
In other words, when a HD machine logs into the student network, it is
scanned for viri and if infected, automatic corrective action is taken.
Now for the question, do any of you viri-busters see major problems
with the following scheme for corrective action?
Once a Virus is found, via our scan program (VIREX from Microcom), the
PC's Master Boot record, the partition table, and CMOS are restored
from a Novell RO protected directory (Virex supplies such a utility).
The hard disk is reformatted (students are told repeated not to store
stuff here). The files are restored from the network. Finally, the PC
is forced to do a cold reboot. The prototype for this process only
takes about 3 minutes.
This should take care of most of the common viri that I know about.
However, you never know.... Also, the format process used is DOS
5.0's "Quick format". Is the danger of not clearing the data area
greater than the time savings it generates?
Thanks for any comments on this scheme.
Greg Monroe <
[email protected]>
Duke's Fuqua School of Business
Durham, NC 27706
------------------------------
Date: Wed, 26 Feb 92 14:36:36 -0500
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: re: A quick Michelangelo question (PC)
>From: LARRY MATEO <HSVLM%
[email protected]>
> A recent article in
>a local newspaper sta ted that the virus can be spread from a floppy
>diskette to a hard drive simply by doing a DOS dir of the floppy disk.
>I think this is an incorrect statement.
I could but it can't so you are right (hey folks, the Michelangelo is
just another nastily hacked STONED by an antisocial individual, it is
not the virus that ate Cleveland.)
Incidently it takes a whole 10 (decimal, not hex) generic bytes at
BIOS time to detect every MBR infector I have seen thusfar (including
Brain, Yale, Evil Empire, Stoned, Joshi, Michelangelo, and all their
cousins). "Stealth" just makes it easier. When are the O/S
manfacturers going to wake up ?
Warmly,
Padgett
padgett%
[email protected]
Opinions are all my own...
------------------------------
Date: Wed, 26 Feb 92 16:32:17 -0500
>From:
[email protected] (Marc D Sayre)
Subject: DOS PC Virus? Help? (PC)
Please Help!
I have a Zeos 386sx portable with a 3.5inch - 1.44MB floppy drive and
30MB hard disk. If I boot off of the hard drive I encounter sector
read errors when trying to access the floppy drive (A:). Further
investigation with a PC tool show that the machine thinks my drive A:
is a 360K 5 1/4" drive.
If I boot off of a DOS disk in the A: drive I have no read
errors on the floppy and the PC tool shows that the drive
is a 3.5" 1.44MB drive.
If I go into the CMOS setup it reports a 3.5" - 1.44 MB drive
for A:.
I have seen many of the postings regarding Michaelangelo and
other boot viruses so I ran the DOS CHKDSK command. The total
memory reported was 649,xxx instead of 655,360. This leads
me to believe that something is in memory that should not be.
I ran SCAN 8.1V85 and came up with no viruses found. I also
ran something called Vaccine III (Ahn Cheolsoo) and it reported
that the system probably has an unknown boot virus.
????????????????????????????????????????????????????????????????
Does this scenario sound familiar to any known viruses? Will
SCAN 8.1V85 pick up the 'Mike' virus and other 'Stoned' type
viruses. Is there something I can get 'freeware' or 'cheapware'
to find the latest viruses?
????????????????????????????????????????????????????????????????
Any help, hints, suggestions would be appreciated.
===========================================================================
| Marc Sayre | |
| AT&T Bell Labs | If you continue to do what you have |
| Naperville, IL | always done, you will continue to get |
| att!ihlpb!mds1 | what you always have! |
| (708) 224-7506 | |
===========================================================================
------------------------------
Date: 26 Feb 92 15:58:00 -0600
>From: "William Walker C60223 x4570" <
[email protected]>
Subject: Commercially-Available Michelangelo (PC)
Two more:
1. R.S. Means Company, Inc. has sent a notice to many of its customers,
including 5.25" and 3.5" diskettes with McAfee's ViruScan and CleanUp
and a 5-day license to use them. The company indicated that it had
found Michelangelo on some of the firm's computers, and was sending
the anti-virus software to its customers as a service to them. The
notice did not specifically name any software which may have been
distributed with the virus. It may be possible that no software
at all was distributed infected. If this is the case, then this is
truly "dedication to service to our customers" (their words). The
two versions of the R.S. Means estimating software which we use here
(FY91 and FY92) were both clean, as were the associated data disks
and the registration disk.
2. We have had one computer infected with Michelangelo here, which we
were fortunately able to catch before it spread. The APPARENT source
was a write-protected diskette which came with a Chicony keyboard
with built-in trackball. The diskette is labelled "Tracking-Ball
Utility Diskette Version 1.00." The documentation had no phone
number or address (not a Good Thing), but we did notify the
distributor and report our suspicions, who will notify Chicony in
turn if they uncover anything. Can anyone else confirm this?
How many does that make now?
Bill Walker (
[email protected] ) |
OAO Corporation | "Some days you just can't get
Arnold Engineering Development Center | rid of a bomb!"
M.S. 120 | -- Adam West, "Batman"
Arnold Air Force Base, TN 37389-9998 |
------------------------------
Date: 26 Feb 92 14:55:00 -0800
>From: "LUSTIG, ROB L." <
[email protected]>
Subject: False Rumor about Virus (PC)
Hi,
I read some disturbing news in a SIG on a BBS that said if you type
HAPPY BIRTHDAY MICHELANGELO at the DOS prompt, it would disable the
virus. I posted a reply stating that it was FALSE and if they have a
copy of the virus that responds to that then send it to me so I can
forward it on. The person reported that their company (based in Santa
barbara) told them this in prevention of the virus. If ANYONE can
give a confirmation about this, please let me know, or I will continue
to 'educate' the masses B*)
Regards,
Rob Lustig
------------------------------
Date: Wed, 26 Feb 92 19:30:42 -0500
>From: Sid <
[email protected]>
Subject: Help me identify a virus? (PC)
Sorry i don't read this newgroup... Why would anyone unless you like
answering frantic people's questions? Anyway...
My mother called me saying that here 200 Meg harddrive (yes I do hate her)
was dead. She took it to someone who I am sure charged her alot and said
"Umm it had a virus which replaced information is sectors 2-35 with "E5"."
She, wishing to know more contacted me, can anyone identify this virus and
will MacAffe find it?
Thanks for any info on the Virus.
+------------+---------------------------------------------------+
| Sid |
[email protected] |
+------------+---------------------------------------------------+
| Lyric of the Week: "...I've got a strong urge to fly, but I |
| got nowhere to fly to" -Roger Waters |
+----------------------------------------------------------------+
| Flying Leap NEW ADDRESS
[email protected] |
| Server commands SELLLIST, BOOTLIST, and BOOTHELP are working. |
+----------------------------------------------------------------+
------------------------------
Date: Thu, 27 Feb 92 00:02:09 +0000
>From:
[email protected] (Richard A. Johnson)
Subject: Symantec AntiVirus (Michelangelo only) code? (PC)
Symantec Corp. is giving out ("free" if you pay $9 for shipping and
handling) special copies of their program AntiVirus which detect and
remove only the Michelangelo virus. They also have it available from
their publicly accessible bulletin board, however I don't seem to have
access to a dialout line in such a way that I can run kermit on it (I
can do text, but no file transfers).
Does anyone have a copy of this antivirus program which would be publicly
FTPable on the Internet?
Just curious.
(I don't normally read this bboard so please respond to me directly. If
there's enough interest I'll post a summary...)
- -----------------------------------------------------------------------------
U.S. Postal Monopoly address: Other addresses:
Richard A. Johnson
[email protected] (Internet)
NCGIA Computing Resources Manager ucbvax!ucivax!raj (UUCP)
Geography Department raj@VOODOO (via BITNET)
U. C. Santa Barbara (805) 893-4677 (Phone)
------------------------------
Date: Thu, 27 Feb 92 03:20:53 +0000
>From:
[email protected] (S. E. Grove)
Subject: V2P6 VIRUS (PC)
One of my co-workers ran virex-pc 2.0 on his 486 and it declared that
powermenu was infected by the virus v2p6. He doesn't beleive he has
done anything to infect the pc, and he hasn't had it very long. The
same program on his old pc is clean and that is where he got powermenu
from.
Questions:
1) What does V2P6 do to a pc?
2) Is it possible that virex-pc 2.0 is in error?
Stephen Grove Comm. Tech. ESS Pacific Bell
[email protected]
PacBell.COM!{rtpkh0,rtpkh1,rtpkh3,rtpkh4}!segrove
------------------------------
Date: Thu, 27 Feb 92 10:49:10 +0100
>From: Martin_blas Perez Pinilla <
[email protected]>
Subject: Re: A quick Michelangelo question (PC)
LARRY MATEO <HSVLM%
[email protected]> writes:
> From information I've read about the Michelangelo virus, it seems that
> the virus can be spread from an infected floppy diskette to a hard
> drive only by attempting to boot from the floppy. A recent article in
> a local newspaper sta ted that the virus can be spread from a floppy
> diskette to a hard drive simply by doing a DOS dir of the floppy disk.
> I think this is an incorrect statement.
You are right. The viral code _must_ be executed to get infected,
that is, you must boot from a infected floppy to infect the HD. Then,
a DIR A: will infect any floppy. _Never_ trust the newspapers (or the
CNN :-)) as information source in virus affairs; they are absolutely
unreliable.
Regards,
- -mb
M.B. Perez Pinilla |
[email protected] | Write 10^6 times:
Departamento de Matematicas | "I'll never waste bandwidth"
Universidad del Pais Vasco |
SPAIN
------------------------------
Date: Wed, 26 Feb 92 11:08:45 -0800
>From:
[email protected] (Karyn Pichnarczyk)
Subject: CIAC Bulletin C-17: MBDF A on Macintosh (Mac)
NO RESTRICTIONS
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
INFORMATION BULLETIN
New Virus on Macintosh Computers: MBDF A
February 25, 1992, 1130 PST Number C-17
________________________________________________________________________
NAME: MBDF A virus
PLATFORM: Macintosh computers-except MacPlus and SE (see below)
DAMAGE: May cause program crashes
SYMPTOMS: Claris applications indicate they have been altered; some
shareware may not work, unexplained system crashes
DETECTION &
ERADICATION: Disinfectant 2.6,Gatekeeper 1.2.4, Virex 3.6,
VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0
________________________________________________________________________
Critical Facts about MBDF A
A new Macintosh virus, MBDF A, (named for the resource it exploits)
has been discovered. This virus does not appear to maliciously cause
damage, but simply copies itself from one application to another.
MBDF A was discovered at two archive sites in newly posted game
applications, and has a high potential to be very widespread.
Infection Mechanism
This virus is an "implied loader" virus, and it works in a similar
manner to other implied loader viruses such as CDEF and MDEF. Once
the virus is active, clean appliacation programs will become infected
as soon as they are executed. MBDF A infects only applications, and
does not affect data files. This virus replicates under both System 6
and System 7. While MBDF A may be present on ALL types of Macintosh
systems, it will not spread if the infected system is a MacPlus or a
Mac SE (although it does spread on an SE/30).
Potential Damage
The MBDF A virus has no malicious damaging characteristics, however,
it may cause programs to inexplicably crash when an item is selected
from the menu bar. Some programs, such as the shareware
"BeHierarchic" program, have been reported to not operate correctly
when infected. Applications written with self-checking code, such as
those written by the Claris corporation, will inform the user that
they have been altered.
When MBDF A infects the system file, it must re-write the entire
system file back to disk; this process may take two or three minutes.
If the user assumes the system has hung, and reboots the Macintosh
while this is occuring, the entire system file will be corrupted and
an entire reload of system software must then be performed.
This virus can be safely eradicated from most infected programs,
although CIAC recommends that you restore all infected files from an
uninfected backup.
Detection and Eradication
Because MBDF A has been recently discovered, only anti-viral packages
updated since February 20, 1992 will locate and eradicate this virus.
All the major Macintosh anti-viral product vendors are aware of this
virus and have scheduled updates for their products. These updates
have all been available since February 24, 1992. The updated versions
of some products are Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6,
SAM 3.0, VirusDetective 5.0.2, and Rival 1.1.10. Some Macintosh
applications (such as the Claris software mentioned above) may contain
self-verification procedures to ensure the program is valid before
each execution; these programs will note unexpected alterations to
their code and will inform the user.
MBDF A has been positively identified as present in two shareware
games distributed by reliable archive sites: "Obnoxious Tetris" and
"Ten Tile Puzzle". The program "Tetricycle" (sometimes named
"Tetris-rotating") is a Trojan Horse program which installs the virus.
If you have downloaded these or any other software since February 14,
1992 (the day these programs were loaded to the archive sites), CIAC
recommends that you acquire an updated version of an anti-viral
product and scan your system for the existence of MBDF A.
For additional information or assistance, please contact CIAC:
Karyn Pichnarczyk
(510) 422-1779 or (FTS) 532-1779
[email protected]
Call CIAC at (510)422-8193/(FTS)532-8193.
Send e-mail to
[email protected]
PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.
CIAC would like to thank Gene Spafford and John Norstad, who provided
some of the information used in this bulletin. This document was
prepared as an account of work sponsored by an agency of the United
States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.
------------------------------
Date: Wed, 26 Feb 92 19:26:39 +0000
>From:
[email protected]
Subject: Re: WDEF infection at a school (Mac)
Since WDEF rides the Desktop file (the basic directory file), to get
rid of a WDEF infection on a disk, all you have to do is rebuild the
Desktop of the suspected disk. For a floppy, hold the Option and
Command keys down as you insert the disk, or for a hard drive as the
machine starts or the Finder restarts.
Also, System 7.x is immune to WDEF, because the Desktop for the new
system behaves differently than for 6.0.x. (Info courtesy Disinfectant
help files)
Since rebuilding the Desktop is recommended by Apple every month
or so anyway, it's an easy way to make sure that WDEF doesn't sneak in
on you anyway.
------------------------------
Date: Wed, 26 Feb 92 15:32:02 -0500
>From:
[email protected] (Mark Anbinder)
Subject: Cornell MBDF Press Release (Mac)
_____________________________________________________
PRESS RELEASE ISSUED BY CORNELL NEWS SERVICE 2/25/91
Students charged
with releasing
computer virus
By Linda Grace-Kobas
Following a university investigation that tracked a computer virus and
its originators, two Cornell students were arrested and charged with
computer tampering for allegedly launching a computer virus embedded in
three games into national computer archives. Arraigned Feb. 24 in
Ithaca City Court were David S. Blumenthal, 19, a sophomore in the
College of Engineering, and Mark Andrew Pilgrim, 19, a sophomore in the
College of Arts and Sciences. They were charged with computer tampering
in the second degree, a Class A misdemeanor. The pair is being held in
Tompkins County Jail with bail set at $2,000 cash bond or $10,000
property bond. At a hearing Tuesday afternoon, Judge Sherman returned
the two to jail with the same bond and recommended that they remain in
jail until at least Friday pending the federal investigation. A
preliminary hearing is set for April 10.
Both students were employed by Cornell Information Technologies, which
runs the university's computer facilities. Pilgrim worked as a student
operator in an Apple Macintosh facility from which the virus is believed
to have been launched. The university's Department of Public Safety is
working with the Tompkins County district attorney's office, and
additional charges are expected to be filed. The Federal Bureau of
Investigation has contacted the university to look at possible violations
of federal laws, officials said. The Ithaca Police Department is also
assisting in the investigation.
"We absolutely abhor this type of behavior, which appears to violate the
university's computer abuse policy as well as applicable state and
federal law," commented M. Stuart Lynn, vice president for information
technologies, who headed the investigation to track the originators of
the virus. "Cornell will pursue all applicable remedies under our own
policies and will cooperate with law enforcement authorities."
Lynn said Cornell was alerted Feb. 21 that a Macintosh computer virus
embedded in versions of three computer games, Obnoxious Tetris,
Tetricycle and Ten Tile Puzzle, had possibly been launched through a
Cornell computer. A virus is normally embedded in a program and only
propagates to other programs on the host system, he explained.
Typically, when an infected application is run, the virus will attack the
system software and then other applications will become infected as they
are run.
The virus, MBDF-A, had been deposited on Feb. 14 directly and indirectly
into several computer archives in the U.S. and abroad, including
SUMEX-AIM at Stanford University and archives at the University of Texas,
the University of Michigan and another in Osaka, Japan. These archives
store thousands of computer programs available to users of Internet, the
worldwide computer network.
Macintosh users who downloaded the games to their computers were subject
to a variety of problems, notably the modification of system software and
application programs, resulting in unusual behavior and possible system
crashes. Apparently, there was no intent to destroy data, Lynn said, but
data could be destroyed in system crashes.
Reports of the virus have been received from across the United States and
around the world, including Wales, Britain, Lynn said, adding that he has
no estimate for the number of individuals who might have obtained the
games.
As soon as the virus was identified, individuals and groups across the
country involved with tracking viruses sent messages across computer
networks to alert users who might have been affected by the virus, Lynn
added. The virus has since been removed from all archives and
"disinfectant" software available to the Internet community has been
modified so that individual Macintosh users can purge their computers of
it.
"Our sense is that the virus was controlled very rapidly," he said. In
1988, Cornell received national attention when graduate student Robert T.
Morris Jr. launched a computer virus into important government and
university research networks. That virus, actually considered a "worm"
since it was self-perpetuating, caused major damage in high-level
systems. Morris was convicted under the 1986 Computer Fraud and Abuse
Act and fined $10,000, given three years probation and ordered to do 400
hours of community service by a federal judge in Syracuse, N.Y.
The new virus differs greatly from the Morris worm, Lynn said. "This
virus is not to be compared with the Morris worm, which independently
moved from machine to machine across the network," he explained. All
Macintosh users should take appropriate measures to be certain their
systems are not infected with the virus.
News Service science writer William Holder also contributed to
this report.
- --
Mark H. Anbinder 607-257-2070 - FAX 607-257-2657
BAKA Computers, Inc. QuickMail QM-QM 607-257-2614
200 Pleasant Grove Road
[email protected]
Ithaca, NY 14850
------------------------------
Date: Wed, 26 Feb 92 14:58:03 -0800
>From:
[email protected] (Dan Revel)
Subject: Mac MDBF and SAM 3.0 (Mac)
Will SAM 3.0 detect the MDBF virus?
Thanks.
- --
Dan Revel (
[email protected])
Network Manager Me transmittem sursum, Caledoni!
Lewis & Clark College
------------------------------
Date: Wed, 26 Feb 92 22:28:00 -0500
>From:
[email protected]
Subject: fixutil3 from A. Padgett Peterson (PC)
Hi.
Just received and will make available an update for A. Padgett
Peterson's FIXUTIL series. The program is now named FIXUTIL3.ZIP
Site: urvax.urich.edu, IP# 141.166.1.6
Directory: msdos.antivirus
Login: anonymous
Password: your_email_address
At login, the user is in the anonymous directory. typing:
cd msdos.antivirus<ret>
will place the user in the proper directory for this file.
Best, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond
[email protected] (Bitnet or Internet)
Richmond, VA 23173
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 46]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
