VIRUS-L Digest Monday, 2 Mar 1992 Volume 5 : Issue 49
Today's Topics:
Just wondering re Jerusalem-B, Michelangelo? (PC)
Re: exact damage of Michelangelo on 3-06 (PC)
Request for information re Brain, Jerusalem B, Stoned (PC)
New Viruses ? Bloomington,FLOM (PC)
McAfee's CLEAN and F-Prot against FORM virus (PC)
Damage Tally Proposal - Michelangelo (PC)
Michelangelo virus (PC)
Who knew his Birthday? (PC)
Re: Which Package is Best? (PC)
What is the best way to protect against Michelangelo (PC)
ircop!Help! (PC)
Drug Rehab - Stoned (PC)
Print screen virus? (PC)
Re: F-prot and non-executable files (PC)
Re: New virus????? (PC)
Re: Surviving warm reboot (PC)
McAfee SCAN or VSHIELD pickup Michelangelo? (PC)
Disabling boot from floppy? (PC)
Re: bulk eraser
Virus-L on a CD-ROM?
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to
[email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Fri, 28 Feb 92 02:46:31 -0500
From: I'M NOT JUST A NUMBER! <IO10968%[email protected]>
Subject: Just wondering re Jerusalem-B, Michelangelo? (PC)
Maybe I just have bad luck. But in the past 11 months, I've been
infected with Jerusalem-B virus....11 times!!!!
Since I have VSHIELD installed, I'm not so worried about any viruses
spreading, but quite frankly, I'm bored with Jerusalem-B...Where is
the infamous Michelangelo?
If anyone else has been infected more than 11 times, and you want to
take the time to let me know, please do! I'd love to hear about it,
It might make me not feel so unfortunate. O O
Thanks in advance! o
>-----------------------< __o
Andre Comeau in Maine! | __|__|__
[email protected] | ______/
| ^^^^^^ ^^^^^^
>-----------------------< ===--->LIFE<---===
GOES
ON
(So I'm outa here!)
------------------------------
Date: Thu, 27 Feb 92 20:01:52 -0600
From: [email protected] (Steven Tucker)
Subject: Re: exact damage of Michelangelo on 3-06 (PC)
Vesselin, have a quick question for ya. Regarding virii in general but
perhaps the Michelangelo virus in particular (as it seems to be the
most popular right now), one always reads about "booting from a clean
floppy" and my question is this: If one boots from an infected floppy
and then scans the disk (floppy or hard) will the memory-resident
virus disable the scan program rendering it unable to detect the virus
in question? Or will the scanner still pick it up? If it renders the
scanner useless then how does one with only a single computer get a
"clean" copy of a scanner (shareware) to scan a system since all
diskettes must be considered "suspect until they are proven
otherwise". I had an infection with Jerusalem B last year but it
wasn't near as nasty as this Michelangelo one seems to be and was very
easy to detect and remove. I appreciate your help on this probably
silly question but it is something I have been wondering about.
Thanks,
Steve
---
DOMAIN: [email protected] (Steven Tucker)
UUCP: ...!rwsys!lawton!steve (Steven Tucker)
Good News II BBS Lawton, OK USA +1 (405) 357-0478
------------------------------
Date: Thu, 27 Feb 92 13:54:00 -0500
From: [email protected]
Subject: Request for information re Brain, Jerusalem B, Stoned (PC)
Now that our name address has been published I'll try this again. I
am looking for a site with information about the Brain, Jerusalem-B,
and Stoned viruses which would be appropriate for a seminar. Mainly
I'm looking for code samples of the aforementioned viruses. I
appreciate any help I can get
Rodney
[email protected]
------------------------------
Date: Fri, 28 Feb 92 13:21:36 +0000
>From:
[email protected].\\ (Skj\
Subject: New Viruses ? Bloomington,FLOM (PC)
Hi all,
Does anyone have any information on the Bloomington and the FLOM virus ?
Which scanners can detect & kill them ?
Any kind of information will be most welcome !!!
*--------------------------------------------------------------------------*
| Lars Kaare Skjoerstad      | E-Mail : [email protected]                |
| Rogaland University Center | Tlf. : +47-4-874220 ,Fax. : +47-4-874300 |
| P.B. 2557, ULLANDHAUG      |          [email protected]                |
| 4040 STAVANGER , NORWAY    | NetWork Coordinator/Supervisor           |
*--------------------------------------------------------------------------*
------------------------------
Date: 28 Feb 92 14:08:10 +0000
From: [email protected] (Maarten Meijer)
Subject: McAfee's CLEAN and F-Prot against FORM virus (PC)
We - at Academic Computing Centre of Utrecht University (ACCU), the
Netherlands - tried to remove the FORM virus from several hard disks
using McAfee's CLEAN version 8.3B86. All disks were larger than 60 MB,
formatted with DOS 5.0, some with one large partition, others with
multiple partitions (C:, D:, etc.).
CLEAN always reports removal of the [FORM] virus, but completely
destroys the boot sector of partition C:, making it unreachable at the
next bootstrap. Although FORM puts the original bootsector at the
end of the hard disk, CLEAN doesn't seem to be able to find it.
So does F-PROT 2.02D of Fridrik Skulason, but at least this program
correctly reports that it can't find the original bootsector, instead of
messing up the system.
It seems quite simple to locate the original bootsector at the very end of
the hard disk. Why then do both these programs not succeed?
Of course, the simple remedy against most boot sector viruses is the DOS
SYS command. But CLEAN even makes things worse! Maybe someone from
McAfee Associates could explain what's wrong?
--
Maarten Meijer,
ACCU, Budapestlaan 8, De Uithof, 3584 CD Utrecht,
Postbus 80011, 3508 TA Utrecht.
Fax: 030-531633
E-mail: [email protected]
------------------------------
Date: Fri, 28 Feb 92 08:30:02 -0600
From: Mickey Waxman <[email protected]>
Subject: Damage Tally Proposal - Michelangelo (PC)
March 6 is a Friday. I expect someone will ask me on
Monday, the 9th: "So, heard of any disks ruined by Michelangelo,
or was this just another hysteria special-interest groups are so
fond of whipping up?" (No, our anti-virus campaign was a complete
success ;-)
I'd like to have an answer that encompasses more than just
my little corner of the world so here's what I propose:
If you have (what you feel are) believable reports of
Michelangelo-trashed disks in your vicinity, keep a tally of the
numbers until about Thursday (12th) or Friday and then send me
the totals. Include, if possible, A) Environment of affected
computers, e.g., industrial, educational, home; B) Some indication
of reliability of the info, e.g., Solid, Not-sure,-but-I-believe-
it; C) City, State/Province/Canton, Country; D) details of any
particularly tragic losses.
Don't let my tone fool you. I'm serious about this.
Write following on a scrap of paper and tape to your computer:
Send tally to: [email protected] or [email protected]
I will compile the results, if any, and report here. As a survey,
this will be almost worthless, but it may give some idea whether
this virus earned its rep, and the distribution might be
interesting. Do not worry, I will not post names of institutions.
Mickey@Ukanvm Mickey Waxman
[email protected] University of Kansas USA
------------------------------
Date: Fri, 28 Feb 92 15:31:59 +0700
From: Eric Lambermon <[email protected]>
Subject: Michelangelo virus (PC)
Dear reader,
Perhaps this is a too simple question for the regular users of this
list (I am new here) but I would like to ask it anyway.
I recently bought Novell Netware and network hardware and
now I hear that there's a risk that this software is infected.
My question is this: What do I need to scan our computer for
viruses?
Is there a list of hex-sequences to import into anti-virus programs?
Is there some public domain wherefrom I can download anti-virus programs?
Thanks in advance, greetings from Holland,
Eric Lambermon <[email protected]>
------------------------------
Date: Fri, 28 Feb 92 08:50:02 -0600
From: Mickey Waxman <[email protected]>
Subject: Who knew his Birthday? (PC)
Here we don't celebrate Michelangelo's birthday and I doubt
anybody here would have known the signif of 6 March. Is it different
in other places (Italy?)?
For history's sake ... did the disassembler(s) who named this virus
just happen to know this was M's birthdate or was there maybe some
input from the virus' author as to its significance?
Mickey@ukanvm Mickey Waxman
[email protected] Univ. of Kansas USA
------------------------------
Date: Fri, 28 Feb 92 17:06:00 +0200
From: Y. Radai <[email protected]>
Subject: Re: Which Package is Best? (PC)
Wolfgang Stiller writes (in reply to Vesselin Bontchev):
> For the benefit of those who are not aware of my product,
>Integrity Master verifies the data integrity of your files and system
>sectors and also contains a very high speed virus scanner under the
>covers. I do not personally have a copy of Untouchable, but I have
>customers who use both this product and Integrity Master. They report
>that Integrity Master is more thorough and faster than Untouchable.
My tests do not bear out these claims, at least as regards speed.
Here are the times it took for Integrity Master and UnTouchable to
check all executable files on my hard disk (I threw in McAfee's SCAN
also):
Known-virus scanner component:
    SCAN 86b          3:49
    IM 1.02           2:13
    UTScan 21.00      1:02
Generic checker:
    UT full check     2:27
    IM                1:59
    UT quick check    1:09
Note 1: As opposed to most "quick checks" and "Turbo modes", UT's
quick check is performed in such a way that for all practical purposes
there is no loss of security, *regardless of how the virus infects*.
Note 2: UTScan's speed is not decreased by addition of more viruses.
>It apparently detects more known viruses with its scanner component
I don't know how good the IM scanner rates, but according to the Feb.
issue of the Virus Bulletin (p. 23), Ver. 19.04 of the UTScan component
of UT detected 73% of the viruses in their "standard" set and 81%
in their "acid" test.
Now these percentages are relatively low (although I think they
would be considerably higher if only commonly occurring viruses were
used in the comparison). But how important is this factor in the case
of Untouchable? For a user who depends *only* on a KVS (Known-Virus
Scanner), ability to keep up with all the latest viruses is essential,
and such a low percentage could not be tolerated. As for IM, it is
generic with respect to detection, hence a KVS is not needed to detect
the fact that infection has occurred. However, IM can *restore* files
only if they are infected by viruses which it *specifically recognizes*
(assuming backups are not available), hence a KVS is just as
necessary for IM as for those who use a KVS alone. In fact, IM is
even *more* dependent on a KVS, for (like all programs based on
modification detection) IM must ensure that the files and boot records are
uninfected when checksums are initially computed.
On the other hand, UT performs *generic restoration* of files and
boot records, hence it requires a KVS only for the second purpose, not
for the first. With UT, a KVS need be performed on a given file only
once, namely before it is added to the checksum database (or is
replaced by a new version of the file).
Now suppose the worst happens and some files or boot records are
already infected at installation time by a rare virus which is not
recognized by the KVS. What would be lost then? In practice, not as
much as people think. In almost all cases, one can be sure the boot
records are uninfected by using SYS and FDISK/MBR. Moreover, if some
files happen to be infected by an unknown virus when their checksum is
first computed, that fact will be detected as soon as the virus
infects other files. So the number of viruses recognized is less
important for Untouchable than for almost any other type of anti-viral
software. (Nevertheless, because of criticisms of its low scanning
percentage, I am told that the next version of UTScan will detect many
more viruses than the present one; in fact, the version I have (21.00)
is already considerably improved.)
Summary: UT performs generic disinfection of files; IM does not.
Untouchable is faster than IM, especially with respect to their known-
virus scanners. IM's scanner probably detects more viruses than UT's,
though I don't think that's as significant as most people assume it
is. (Btw, I'm not trying to "knock" IM; it seems to be one of the
best packages of its kind. But then so was V-Analyst 2.3, the
predecessor of UT.)
>and finds other discrepancies which Untouchable misses (I'll go into
>these via private mail if you wish).
I'd be glad to hear what you think UT misses. I'm willing to bet that
there are a couple of types of potential viruses that IM misses.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
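
[Added example, not part of the digest and not code from Untouchable, Integrity Master or any other product named above.] The message above argues that a checksum baseline only needs a known-virus scan once, at enrollment, and that a file already altered by an unrecognized virus at that moment goes unnoticed until the same change reaches other files. The sketch below shows that behaviour; the file names, byte patterns and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def enroll(files: dict, known_patterns: list) -> tuple:
    """Scan each file once for known patterns, then checksum the ones that pass.

    Returns (baseline, rejected). A file carrying a pattern the scanner does
    not know is enrolled as if it were clean: the baseline simply trusts it.
    """
    baseline, rejected = {}, []
    for name, data in sorted(files.items()):
        if any(p in data for p in known_patterns):
            rejected.append(name)
        else:
            baseline[name] = digest(data)
    return baseline, rejected

def check(files: dict, baseline: dict) -> dict:
    """Compare the current files against the enrolled checksums."""
    report = {"modified": [], "added": [], "missing": []}
    for name, data in sorted(files.items()):
        if name not in baseline:
            report["added"].append(name)
        elif digest(data) != baseline[name]:
            report["modified"].append(name)
    report["missing"] = sorted(n for n in baseline if n not in files)
    return report

def demo() -> dict:
    # Constructed stand-ins for "bytes a file infector adds"; not real signatures.
    known = b"PATTERN-A(constructed)"
    unknown = b"PATTERN-B(constructed)"
    files = {
        "CHKDSK.EXE": b"chkdsk program bytes",
        "EDIT.COM": b"edit program bytes" + unknown,   # altered before install
        "FORMAT.COM": b"format program bytes",
        "GAME.EXE": b"game program bytes" + known,     # caught by the scan
    }
    baseline, rejected = enroll(files, [known])
    for name in rejected:          # rejected files are set aside, not enrolled
        del files[name]
    at_install = check(files, baseline)   # EDIT.COM passes: the blind spot

    # Later, the same unrecognized change shows up in two more files.
    files["CHKDSK.EXE"] += unknown
    files["FORMAT.COM"] += unknown
    after_spread = check(files, baseline)
    return {"rejected": rejected, "at_install": at_install,
            "after_spread": after_spread}

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The check after the spread reports CHKDSK.EXE and FORMAT.COM but never EDIT.COM, so the original carrier still has to be found by other means once the alarm is raised.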
------------------------------
Date: Fri, 28 Feb 92 08:54:00 -0800
From: OLD FOGIE <[email protected]>
Subject: What is the best way to protect against Michelangelo (PC)
Hello. This may be a completely stupid question, or one that has
already been answered, but... What EXACTLY is the best way to protect
against the Michelangelo virus? I have SCAN and CLEAN and I also use
PCTOOLS Virus Protect but I am still concerned. What are the steps to
be taken to prevent this virus (and others)?
Thanks!
Chris Miller
Pacific Lutheran University
Bitnet: [email protected]
------------------------------
Date: Fri, 28 Feb 92 19:44:04 +0200
From: Segal Livian <[email protected]>
Subject: ircop!Help! (PC)
Hello!
1. I had a diskette infected by the Aircop virus for a long time, and I
didn't know about it (I don't have a HD so I don't care very much about
viruses), and now every time the drive reads this diskette I get a
message "Divide overflow" or "Divide error" (I don't remember
exactly). I can't do ANYTHING with that diskette, because the drive can't
read the disk. Maybe somebody knows what the problem is, and how I can
save the disk (maybe with another PC?).
2. Can anybody recommend a very, very good and powerful anti-virus
which doesn't cost too much?
3. What can be done with a HD with virus/es on it? Throw it away?
Thanx a lot, all
Livian
------------------------------
Date: Fri, 28 Feb 92 13:13:25 -0500
From: James_Williams%ESS%[email protected]
Subject: Drug Rehab - Stoned (PC)
An office which I do some computer support for has a batch of
computers infected with Stoned. These are Northgate 286s.
Someone found stoned on the computers using McAfee. They ran clean,
and now can only access select files on the computer. They are going
to reformat the HD and reload everything.
My question is this, I'm probably going to be asked to get stoned off
the remaining computers. What is the best way to do this?
Any thoughts would be appreciated.
--------------------------------------------
| James Williams                           |
| Bitnet:    JWW%ESS%[email protected]       |
| Internet:  [email protected]              |
| CompuServ: 70304,2462                    |
--------------------------------------------
------------------------------
Date: Fri, 28 Feb 92 13:08:55 -0500
From: [email protected]
Subject: Print screen virus? (PC)
We have found a previously unknown virus in our computer lab called
"Print Screen 2". We are using FPROT202. Can anyone tell me about
this virus?
********************************************************************
DANNY JOHNSON, COMPUTER SYSTEMS MANAGER, TARLETON STATE UNIVERSITY,*
STEPHENVILLE, TEXAS. *
********************************************************************
------------------------------
Date: 28 Feb 92 19:17:23 +0000
From: [email protected] (Jaap Verhage)
Subject: Re: F-prot and non-executable files (PC)
[email protected] (Ivan Quill) writes:
>Hello,
>We were using F-prot here and we noticed that it doesn't scan non
>executable files. This raises the question, can a virus hide in a
>text file, and then transfer itself elsewhere? We have no reason to
>believe that this is happening, just curious.
You can instruct F-Prot to scan *all* files, if you want to. Choose
Scan, hit <Return>, and see.
--
Regards, Jaap.
Jaap Verhage, Academic Computer Centre, State University at Utrecht, Holland.
[email protected] +<-*|*->+ I claim *every*thing and speak for myself
------------------------------
Date: 28 Feb 92 16:49:07 +0000
From: [email protected] (Jesse Chisholm AAC-RjesseD)
Subject: Re: New virus????? (PC)
[email protected] (Jon Freivald) writes:
: [email protected] (Vesselin Bontchev) writes:
:
: > [email protected] (Kathy Diaz) writes:
: >
: > > I have a question it seems that I have come across some sort of virus.
: > > My Dos Machine has in every directory a file called aux. It seems also
: >
: > I don't know how exactly have you managed to "find" this "file". On
: > the previous DOS versions it usually appeared when you execute
: > Norton's FileFind and look for aux*.*. Unfortunately, I'm using MS-DOS
: > 5.0 right now, so I can't confirm this.
: >
: I'm also running MS-DOS 5.0 -- if I do a "dir aux" (or com1, com2, prn,
: lpt1, etc) I see a 112 byte file no matter what directory I'm in. Yes,
: these are just the reserved names showing up, but you can see them
: indeed!
I find this thread a little confusing. I also am running MS-DOS 5.00 and
when I do "dir aux" or "dir aux*.*" I get told "File not found".
This whole thing indicates that some people have this bogus aux file and
others don't. Now I'm really curious about it. Why do Jon and Kathy
have a plethora of "aux" files, while Vesselin and I do not? And at least
three of us are running MS-DOS 5.0, so I doubt it is DOS itself causing
this. Perhaps running different smartdrv.sys? DOS comes with one, but
WINDOWS 3.0 replaces it with another one. I am using the WINDOWS one.
Jesse Chisholm | Disclaimer: My opinions are rarely understood, let
[email protected] | tel: 1-408-432-6200 | alone held, by this company.
[email protected] | fax: 1-408-435-8517 |-----------------------------
======== This company has officially disavowed all knowledge of my opinions.
--
"I woke up one morning on the old Chisholm Trail;
A rope in my hand and a cow by the tail.
Come a ti-yi-yippy-yippy-ay yippy-ay.
Come a ti-yi-yippy-yippy-ay." -- from an old song, "The Chisholm Trail"
------------------------------
Date: 28 Feb 92 16:08:45 -0500
From: "David.M.Chess" <[email protected]>
Subject: Re: Surviving warm reboot (PC)
>From: [email protected] (Peter Paraska)
>
>Won't a system reset which goes through the POST overwrite all the
>memory during the testing? Wouldn't this eradicate the virus from
>memory. I'm referring to hitting the "RESET" button.
That depends on just what your "RESET" button does; vanilla IBM PC's
and PS/2's don't have such a thing (last time I looked!). If it
really causes a COLD boot (and I imagine many/most of them do), that
should indeed clear memory just like a power-cycle does (and with less
stress on the components!). If you're incredibly paranoid (as I tend
to be, I admit), a cold boot is still somewhat nicer, as it forcibly
resets all the adapter cards and stuff on the bus as well; this
doesn't matter for any current virus that I can think of, but
someday...
--
David M. Chess mI' jIHbe' jay'!
High Integrity Computing Lab loD tlhab jIH!
IBM Watson Research -- qama''e'
------------------------------
Date: 28 Feb 92 23:06:26 +0000
From: [email protected] (D442-D. F. Haertig (Dave) x3040)
Subject: McAfee SCAN or VSHIELD pickup Michelangelo? (PC)
A quick question on the virus-du-jour "Michelangelo". Will either
of the following McAfee products pick it up?
SCAN 7.9V84
-or-
VSHIELD 3.9B80
These are the two products that our in-house PC support group
uses. I think they install VSHIELD on all new PCs before delivering
them to the users (we must have a site license). But other than
knowing that VSHIELD is on my PC and is invoked out of my
autoexec.bat, I don't know exactly what these products are supposed
to do or what they're supposed to protect against. VSHIELD appears
to be a TSR, but does it detect currently infected disks, or just
prevent future infections *after* it is installed? SCAN looks
like it scans every file on my disk, but is the version I have
current enough to pick up the latest viruses?
As you can tell, I'm pretty "virus ignorant". I've pretty much
ignored the various virus scares since I don't use BBS's or
shareware. The PC group says run these programs, so I run them
like a good little engineer. However, my PC now accesses
a PC network in our plant and I heard that Michelangelo has been
found on a few PCs at our work location ...
Thanks,
Dave Haertig
dwx3bs.att.com
------------------------------
Date: Fri, 28 Feb 92 22:55:02 +0000
From: [email protected] (Ran Kondor)
Subject: Disabling boot from floppy? (PC)
I have often wondered, is it possible to disable the drive
capable of booting from a floppy?
If this is done, much heartache can be spared as most viruses,
that I have seen, rely on a boot to load up to memory. This would
be used to help those who, much to their dismay, find out, only too
late, that they have booted with a floppy in drive A. They would
now be at the mercy of a possible virus.
My question is this:
Is it possible to disable a boot from a floppy and then enable upon
demand? Could it be done by just executing some batch or .EXE file?
This should take care of the Michelangelo virus!
Ran
------------------------------
Date: Fri, 28 Feb 92 00:04:00 -0700
From: Jeff Cox <[email protected]>
Subject: Re: bulk eraser
"[email protected]"@Arizona.edu writes:
>> [email protected] (Vesselin Bontchev) writes:
>>
>>> [email protected] (Jim Washer) writes:
>>>
>>> I am now the proud and happy owner of an infected 3.5" 1.44Mb floppy.
>>> Should I immediately burn it in a large bonfire, or will re-formatting
>>> exorcise it adequately.
>>
>>Formatting should be enough - if you don't have a virus in memory.
>>Otherwise you'll destroy everything... except the virus. :-)
>
> Does anybody know if a bulk tape eraser would be practical for erasing
> floppies? If so, it would be the ideal solution for quandaries like
> this one.
I have on occasion used a bulk eraser and then (re)formatted both 3.5
and 5.25 floppies. Sometimes I even have noticed that "lost" or bad
data blocks are "found" and useable.
------------------------------
Date: Fri, 28 Feb 92 13:40:06 +0000
From: "Christopher J. Wells" <[email protected]>
Subject: Virus-L on a CD-ROM?
Hi netlanders!
Just wondering, does there exist a CD-ROM with the Virus-L digests on, and if
not, are there any plans to do so? Virus-L is an ideal source to track the
spread of virii, and it seems a pity to have to keep on requesting the
articles from ftp sites.
Many thanks,
Chris
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 49]
*****************************************