VIRUS-L Digest Tuesday, 3 Mar 1992 Volume 5 : Issue 52
Today's Topics:
New Virus TROI (PC)
Re: V2P6 Virus (PC)
Re: Possible virus? (PC)
disabling drive through CMOS (PC)
F-PROT and Tandon PAC (PC)
Re: about Michelangelo (PC)
Re: Disabling boot from floppy? (PC)
Re: Drug Rehab - Stoned (PC)
WARNING : Michelangelo on AI textbook disk (Kosko) (PC)
Re: Which Package is Best (PC)
Re: exact damage of Michelangelo on 3-06 (PC)
Re: False Positives with Virus Scanners (PC)
Re: ircop!Help! (PC)
Re: Just wondering re Jerusalem-B, Michelangelo? (PC)
Re: McAfee SCAN or VSHIELD pickup Michelangelo? (PC)
Re: McAfee's CLEAN and F-Prot against FORM virus (PC)
Re: Michelangelo question (PC)
Re: looking for... (PC)
Re: Disinfectant 2.6 (Mac)
MBDF A on an SE? (Mac)
Mac virus "ACNE"?? Any info? (Mac)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to
[email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 02 Mar 92 15:30:05 -0700
>From:
[email protected]
Subject: New Virus TROI (PC)
Upon further study of the TROI virus I have found the following:
It is a .com infector only. The Troi virus hinders execution of some programs.
Virus code is located at the end of the original .com file and is jmp'd to
as a FAR procedure. The virus adds 322 bytes to infected .com's.
If you are using a virus scanner that allows entry of new virus signatures
the following HEX string will detect TROI: 2ac0cf9c80fcfc75
I have not found a virus program that can detect this virus so that is
why I considered it "new".
See ya,
Stephen
P.S. Any new information or something I might have overlooked in my rush
to get this information out, would greatly be appreciated.
------------------------------
Date: 02 Mar 92 19:21:09 -0500
>From: "Ross M. Greenberg" <
[email protected]>
Subject: Re: V2P6 Virus (PC)
>From:
[email protected] (Vesselin Bontchev)
>> 2) Is it possible that virex-pc 2.0 is in error?
>It is almost certainly an error. Please report it to Microcomm (the
>producers of Virex-PC) or to Ross Greenberg (the author of the
>program).
Thanks, Vesselin, but we recently became aware of this false positive.
It's fixed for the next release. Real PITA, too! <grin>
Ross
- --------
>Date: Thu, 20 Feb 92 21:06:39 +0000
>From:
[email protected] (Marilyn Francis)
>Subject: False Positives with Virus Scanners (PC)
> Thought I would pass on an interesting experience for those of
>you who have to check out virus reports on other people's machines.
>I checked it out with F-Prot (which said he had the Brain) and
Scan (which said he had Invader) and VirX (which said he had
every virus! - I quit counting after 17).
Virex-PC and VIRx pop out after showing a single infection of a
file. The only multiple infections we show would be viruses we
find in memory.
> Further investigation showed he is using the Central Point
>Anti-Virus product and the above scanners were triggering on
>the VWATCH.SYS and VSAFE.SYS files. When we removed these files
>from the hard disk, all scanners reported the machine clean.
Dare I suggest you go with tools which were well designed instead of
well-advertised? I would think that the VWATCH and VSAFE drivers
either a)do not encrypt their viruses or b)leave all sorts of stuff
around in memory -- potentially in DOS or FILE buffers.
Ross M. Greenberg
Author, Virex-PC & VIRx
------------------------------
Date: 02 Mar 92 21:14:04 +0000
>From:
[email protected] (Jesse Chisholm AAC-RjesseD)
Subject: Re: Possible virus? (PC)
[email protected] (Vera Marvanova) writes:
: Please could someone tell me, if such a behavior of computers could be
: caused by a virus? In two computers (386-SX AND 386 - 33) after some
: time of operation suddently all look like CAPS LOCK would be touched.
: All letters changes to upper case. After "SHIFT" all is O.K., but
: after some time this appears again. Scan86b shows nothing.
This is more likely a timing problem between the keyboard controller
chip and the BIOS. I have seen this many times on ACER machines.
What happens is the KEY-RELEASE code for the shift gets lost, so the
BIOS thinks you are still holding the SHIFT key down.
Jesse Chisholm | Disclaimer: My opinions are rarely understood, let
[email protected] | tel: 1-408-432-6200 | alone held, by this company.
[email protected] | fax: 1-408-435-8517 |-----------------------------
======== This company has officially disavowed all knowledge of my opinions.
- --
"I woke up one morning on the old Chisholm Trail;
A rope in my hand and a cow by the tail.
Come a ti-yi-yippy-yippy-ay yippy-ay.
Come a ti-yi-yippy-yippy-ay." -- from an old song, "The Chisholm Trail"
------------------------------
Date: Tue, 03 Mar 92 04:24:00 +0000
>From: Joshua Proschan <
[email protected]>
Subject: disabling drive through CMOS (PC)
There have been several questions raised regarding the safety of running
a suspect program on a PC whose CMOS drive table has been changed to show
no hard disk installed.
I may be wrong--all my assembly language work was on mainframes--but changing
the CMOS does nothing to protect the hard disk. All you do is remove a
table entry that legitimate programs, working through DOS, need. A virus
can get to the drive directly so long as the controller and drive are
installed and have power.
The virus will not even need to try all possible CMOS combinations to hit
on the right one. This information was essential for the original MFM
drives, but current drive types keep that information on the controller. I
recently had to recover the CMOS settings for a PC with no documentation,
and found that whatever I put into the drive table worked perfectly. I do
not know definitely which controllers work this way, but suspect that IDE
and SCSI both do.
The only really safe approach is to run the tests on a system with no hard
drive, or with an external hard drive that has been disconnected physically.
Joshua H. Proschan Internet:
[email protected]
[email protected]
------------------------------
Date: Tue, 03 Mar 92 10:27:49 +0100
>From:
[email protected] (Peter Schill)
Subject: F-PROT and Tandon PAC (PC)
Trying F-PROT 2.02 on a Tandon 286 PAC, (the PACs are some kind of
removable Harddisks, 30 or 40 MB), I cannot check these PACs, instead
I'm geting the error message "error on harddisk", no matter when
"search = harddisk" or "search = user-defined (c:\ resp. d:\)" is
selected.
Does anyone know how this problem can be circumvented?
Peter Schill
Zentrum fuer Datenverarbeitung
Universitaet Tuebingen
Brunnenstr. 27
D 7400 Tuebingen
(0049)-07071-29-3450
Internet:
[email protected]
or
[email protected]
------------------------------
Date: 03 Mar 92 09:49:10 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: about Michelangelo (PC)
[email protected] writes:
> o The virus works in march 6th only or it is activated this day
> and works every day after march 6th of 1992 ?
The virus -spreads- on any day in any year. Its destructive routine
activates only on March 6 of any year.
> o I haven't got the Scan V.85, Can I remove the Mich virus with the
> 84 version ?
Hm, the McAfee people have to answer this... I don't keep the old
versions, so I cannot check, but I think that version 85 was the first
to detect the virus... The latest one is 86-B, so you should
definitively upgrade... And one last thing - SCAN cannot remove the
virus at all, since it is just a scanner; you must use CLEAN for virus
disinfections...
> o My BIOS ask me what to do when somebody is trying to change the hard
> disk partition table or the boot. Can Mich get into mi hard disk
> without I note this ?
Are you sure that it is you -BIOS- (the one that is in the EPROM chips
of your computer), which asks you this? And not some kind of resident
program? If so, then it will warn you about the infection attempt.
Could you please tell us the exact brand of your computer? I have not
heard yet of any computer, the BIOS of which performs this... It is
really a nice thing to have around...
> o Sorry for my english, and, PLEASE send me the answer before march 4th.
> so it can reach me before march 6th.
Hope that this reaches you in time.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 10:05:32 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Disabling boot from floppy? (PC)
[email protected] (Ran Kondor) writes:
> Is is possible to disable a boot from a floppy and then enable upon
> demand?
With only a one-byte change in the BIOS, it is possible to disable the
floppy boots forever, but I guess that this is not what you want. Some
laptop and notebook computers can be configured (by a CMOS RAM
setting) from which drive to try to boot first - first A: then C:, or
first C: and then A: (only if the boot from C: has been unsuccessful).
I would like to see more such computers in the future...
> Could it be done by just executing some batch or .EXE file?
Padgett Peterson has a .COM file (<grin>), which does this. However,
this solves only the Alt-Ctrl-Del reboot problem. In fact, most users
get infected because the forget a floppy in drive A: when they turn
their machine on. And this can be solved only at the BIOS level; not
add-on program will do the job...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 10:13:23 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Drug Rehab - Stoned (PC)
James_Williams%ESS%
[email protected] writes:
> Someone found stoned on the computers using McAfee. They ran clean,
> and now can only access select files on the computer. They are going
> to reformat the HD and reload everything.
> My question is this, I'm probably going to be asked to get stoned off
> the remaining computers. What is the best way to do this?
Two possibilities. Either get a better disinfector, or (preferred) get
a MS-DOS 5.0 system diskette (should be write protected). Go to every
computer, boot from that diskette, and run FDISK /MBR. Should remove
the virus without problems.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 08:07:07 +0000
>From:
[email protected] (Roy Lurie)
Subject: WARNING : Michelangelo on AI textbook disk (Kosko) (PC)
WARNING : We have found that the disks distributed with our copy of the book :
NEURAL NETWORKS AND FUZZY SYSTEMS - by Bart Kosko
Publisher : Prentice-Hall International
ISBN : 0-13-612334-1
are INFECTED with the MICHELANGELO VIRUS !!!!!!!! :-(
NB: This virus attacks all data on the infected machine on
6 MARCH.
------------------------------
Date: Tue, 03 Mar 92 12:31:27 +0700
>From: "Donny Gilor" <
[email protected]>
Subject: Re: Which Package is Best (PC)
Y. Radai <
[email protected]> writes:
> Generic checker:
> UT full check 2:27
> IM 1:59
> UT quick check 1:09
>Note 1: As opposed to most "quick checks" and "Turbo modes", UT's
>quick check is performed in such a way that for all practical purposes
>there is no loss of security, *regardless of how the virus infects*.)
If there is no loss of security, why is there a "full check" option?
>Note 2: UTScan's speed is not decreased by addition of more viruses.
That doesn't seem mathematically possible. Could you please clarify?
No matter what method is used (hash or such) at some point the speed
will decrease (even if it is in the billions). Perhaps
"will not be decreased in the near future" is more appropriate?
> In almost all cases, one can be sure the boot
> records are uninfected by using SYS and FDISK/MBR.
Assuming the user knows how to get an uninfected system in order to
activate the SYS/FDISK commands.
> Moreover, if some
> files happen to be infected by an unknown virus when their checksum is
> first computed, that fact will be detected as soon as the virus in-
> fects other files.
Assuming the user knows that those changes are not "normal" (i.e.
a virus that infects during writes, etc).
Donny.
------------------------------
Date: 03 Mar 92 10:19:37 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: exact damage of Michelangelo on 3-06 (PC)
[email protected] (Steven Tucker) writes:
> floppy" and my question is this: If one boots from an infected floppy
> and then scans the disk (floppy or hard) will the memory-resident
> virus disable the scan program rendering it unable to detect the virus
> in question?
It depends on the particular virus. The so-called stealth viruses,
when active in memory, will subvert any read request to the infected
objects (files, boot sectors, or directories), so that the latter will
seem to be non-infected. The so called fast infectors, when active in
memory, will infect any object being accessed (e.g., for scanning).
Therefore the scanning may just spread the infection to all your
files. Some viruses are both stealth and fast infectors (in fact, all
fully stealth viruses -must- be fast infectors, otherwise you could
disinfect the files by just copying them), so the net result of trying
to scan for such virus while it is active in memory is that you won't
be able to spot it and it will infect everything that is infectable.
Even worse, some viruses may trigger their destructive payload
routine, when a particular number of infections is reached. Therefore,
you must -always- boot from a non-infected write-protected system
diskette, any time you suspect a virus, and before any attempts to
detect or remove it.
> Or will the scanner still pick it up?
If the scanner is good enough, it should be able to detect the virus
in -memory-. If the -virus- is good enough (<grin>), then the scanner
won't be able to find it on the -disk-. However, not that the scanners
are able to detect only -known- viruses. If there is a new, stealth
fast infector active in your computer's memory, then the scanner won't
report anything at all and will just infect all your files (and maybe
even cause the destruction of some).
> If it renders the
> scanner useless then how does one with only a single computer get a
> "clean" copy of a scanner (shareware) to scan a system since all
> diskettes must be considered "suspect until they are proven
> otherwise".
Ah, that's a tough question... The best answer is: you should obtain
your scanner from a reliable source. Actually, there is no way to
- -prove- that you don't have a virus. Are you certain that the original
DOS diskettes that come from IBM do not contain an unknown virus, put
intentionally there? :-) Or, are you certain that the compiler that
they used to produce the DOS wasn't infected? Or that the compiler
that was used to produce this compiler wasn't infected? All this with
the only purpose to infect your PC? :-) Well, while you can be almost
100 % certain that this is not the case, you can never actually
- -prove- it, unless you disassemble any single instruction yourself
(and do you trust your disassembler? Do you trust the microcode in
your CPU?). There is an excellent paper on this topic by Ken Tompson
(one of the guys who created Unix), called "Reflections ot Trusting
Trust" or something like that.
> I had an infection with Jerusalem B last year but it
> wasn't near as nasty as this Michelangelo one seems to be and was very
> easy to detect and remove.
In fact, Jerusalem is much nastier than Michelangelo... Believe it
or not. It is more widespread, and it sometimes destroys the files
that you infect, although you have no way to determine that the files
has been destroyed, unless you run it and it crashes. This is much
worse, IMHO, than just overwriting your hard disk on one day of the
year...
> I appreciate your help on this probably
> silly question but it is something I have been wondering about.
The only silly question is the one that hasn't been asked... :-) Hope
the above helps.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 10:41:01 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: False Positives with Virus Scanners (PC)
[email protected] (Marilyn Francis) writes:
> I recently got a call from a staff member who said when he
> booted from his hard disk the scanners reported it infected with
> the Pakistani Brain virus and said to immediately
> turn off the machine until it was disinfected.
This is enough to conclude that you had a false positive. Brain does
not infect hard disks.
> I checked it out with F-Prot (which said he had the Brain) and
> Scan (which said he had Invader) and VirX (which said he had
> every virus! - I quit counting after 17).
Didn't need to read any further, in order to conclude that he used Central
Point Software's Anti-Virus. :-) Tell him to stop doing so, until CPS
comes with a better product...
> Further investigation showed he is using the Central Point
> Anti-Virus product and the above scanners were triggering on
> the VWATCH.SYS and VSAFE.SYS files. When we removed these files
> from the hard disk, all scanners reported the machine clean.
Yep. Just don't put them back... :-)
> I'm not sure why these files triggered the message unless they
> pick up the signatures that Central Point is using and think
> it is the actual virus.
The reason is that all those products are using one and the same
signatures for all those viruses... However, CPAV is silly enough to
keep the signatures in memory unencrypted.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 10:50:04 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: ircop!Help! (PC)
[email protected] (Segal Livian) writes:
> 1.I had a diskette infected by Aircop Virus for a long time,and i
> didn't knew about it(i dont have HD so i dont care very much about
Well, you should, since as you have seen even computers without hard
disks can be infected and be sources of infection. Particularly AirCop
does not even infect hard disks, if I recall correctly...
> viruses) and now every time the drive read this diskette i get a
> message "Divide overflow" or "Divide error"(i don't remember
Let me guess, did you recently upgrade to a higher DOS version? Or are
you using a different hardware configuration?
> 2.Can anybody recommend me a Very very good and powerfull Anti-Virus
> which don't costs too much?
F-Prot is very very good and poverful, is free for individual usage,
and costs only $1 per machine per year for corporate use ($0.75 for
educational institutions). If you need something even better, you'll
have to pay more... :-)
> 3.What can be done with a HD with virus/es on it?To throw it away?
Of course not! That would be silly, wouldn't it? First, you have to
determine which particular virus it is. If it is a master boot sctor
infector, just booting from a MS-DOS 5.0 system diskette and executing
FDISK /MBR will remove the infection. If it is a boot sector infector,
booting from a non-infected system DOS disk (the same version that you
have on the hard disk) and performing SYS C: will get rid of the
virus. If it is a file infector, then removing the infected files and
replacing them with clean ones from your backups (you -do- have
backups, don't you?) will remove the virus. Sometimes it is even
possible to safely remove the virus from the infected objects. In the
worst case, you could low-level format your hard disk (almost always
unnecessary).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 11:01:06 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Just wondering re Jerusalem-B, Michelangelo? (PC)
IO10968%
[email protected] (I'M NOT JUST A NUMBER!) writes:
> Maybe I just have bad luck. But in the past 11 months, I've been
> infected with Jerusalem-B virus....11 times!!!!
> Since I have VSHIELD installed, I'm not so worried about any viruses
> spreading, but quite frankly, I'm bored with Jerusalem-B...Where is
Correction. Since you are using VShield, you should not be worried
about any viruses that VShield IS ABLE TO DETECT PROPERLY. Not that it
will not stop a new (unknown to it) virus.
But wait, being infected (11 times!) by Jerusalem seems pretty strange
for me, especially for a person, who uses VShield... Wasn't VShield
able to detect that a file has been infected and refuse to execute it?
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 11:06:44 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: McAfee SCAN or VSHIELD pickup Michelangelo? (PC)
[email protected] (D442-D. F. Haertig (Dave) x3040) writes:
> A quick question on the virus-du-jour "Michelangelo". Will either
> of the following McAfee products pick it up?
> SCAN 7.9V84
> -or-
> VSHIELD 3.9B80
This is to McAfee to answer, but I suspect (don't believe me when I do
not -know- something for sure) that version 85 was the first to detect
Michelangelo.
> autoexec.bat, I don't know exactly what these products are supposed
> to do or what they're supposed to protect against. VSHIELD appears
> to be a TSR, but does it detect currently infected disks, or just
> prevent future infections *after* it is installed? SCAN looks
VShield is a TSR, which scans files on-the-fly when you try to execute
them and refuses to run them if it considers them infected. It also
intercepts the Alt-Ctrl-Del and will refuse to reboot, if there is a
diskette, infected with a boot sector virus in drive A:.
> like it scans every file on my disk, but is the version I have
Every file -and- the boot sectors, -and- memory.
> current enough to pick up the latest viruses?
The latest - no. One of them is since yesterday... :-) But hopefully
"the latest viruses" have not had enough time to reach you... :-)
> like a good little engineer. However, my PC now accesses
> a PC network in our plant and I heard that Michelangelo has been
> found on a few PCs at our work location ...
Michelangelo cannot spread over a network. It is a boot/master boot
sector virus.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 11:15:57 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: McAfee's CLEAN and F-Prot against FORM virus (PC)
[email protected] (Maarten Meijer) writes:
> CLEAN always reports removal of the [FORM] virus, but completely
> destroys the boot sector of partition C:, making it unreachable at the
> next bootstrap. Although FORM puts the original bootsector at the
> end of the hard disk, CLEAN doesn't seem to be able to find it.
> So does F-PROT 2.02D of Fridrik Skulason, but at least this program
> correctly reports that it can't find the original bootsector, instead of
> messing up the system.
> It seems quite simple to locate the original bootsector at the very end of
> the hard disk. Why then do both these programs not succeed?
I don't know why exactly CLEAN fails (it seems to me that it does this
quite often with boot sector infectors), but F-Prot -must- be able to
correctly remove the virus. If it doesn't, then maybe you have a
modified variant.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 11:35:25 +0000
>From:
[email protected] (Vesselin Bontchev)
Subject: Re: Michelangelo question (PC)
[email protected] writes:
> Does the Mich virus spread from executable files (such as the
> Jerusalem B virus)? In other words, can the virus be spread through
> distribution of executable files,
No.
> or does it require a boot sector to be present to spread it?
Yes. It requires an attempt to boot from an infected diskette.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 12:00:10 +0000
>From:
[email protected] (Nadav Har'El)
Subject: Re: looking for... (PC)
[email protected] (Vesselin Bontchev) writes:
>
[email protected] (Lloyd E Vancil) writes:
>
> > I'm trying to locate a program called PROTEC.COM. This program
> > prohibits writes to the C: drive.
>
> > Any thoughts?
>
> Forget it. It does its "protection" by simply intercepting INT 13h and
> therefore is just crap, since it can be easily bypassed by most modern
> viruses.
does any one know if the f-dlock that came with the old fprot is any
good?
- --
Nadav Har'El | ###### ######## # | <-- Sorry if
Email:
[email protected] | # # # | you can't
Department of Mathematics, Technion | # # # | read Hebrew.
Israel Institute of Technology | ######## # ###### | Nadav. ;)
------------------------------
Date: Mon, 02 Mar 92 21:57:11 +0000
>From:
[email protected] (Rob Schaeffer)
Subject: Re: Disinfectant 2.6 (Mac)
[email protected] (Norman Paterson) writes:
>I've been having trouble running Disinfectant 2.6 on an Apple Quadra.
>There are several other applications that might be involved, including
>TELNET 2.4 and CAP/AUFS. Symptoms include crashing during hard disc
>scan with "unimplemented trap" error and sporadic unmounting of file
>server volumes.
>Has anyone else come across this? The Quadra seems to have a number of
>peculiarities.
>Norman Paterson
I have seen, once, this error from Disinfectant 2.6. (System 7.0.0, on
a cx, 8MB RAM, virtual memory, 32-bits addressing ON, very few
extensions, Disk Doubler)
I ran the scan once and it bombed, ran it a second time (after
restarting) and it worked fine. No probrlems since. There were other
apps open the first time, and files were open that had been disk
doubled.
But I can forgive one crash, especially since it has never happend
again.
The only reason I mention it is because it was the same error.
(Unimplemented trap)
Rob
----------------------------robs@ux1.cso.uiuc.edu---------------------------
| The only thing worse than a bored legal department |
| is a bored marketing department. |
----------------------------------------------------------------------------
------------------------------
Date: Mon, 02 Mar 92 16:09:32 -0800
>From:
[email protected] (Karyn Pichnarczyk)
Subject: MBDF A on an SE? (Mac)
I have received a note from a user who said that MBDF A ran perfectly
happily on his vanilla SE running System 7. Can someone with a copy
of the virus please check this out? From all the documentation I have
seen about this virus, this should *not* occur. If it occurs on an
SE, can it not occur on a Mac Plus as well?
karyn
------------------------------
Date: Tue, 03 Mar 92 03:50:23 -0500
>From: <XKWNY%
[email protected]>
Subject: Mac virus "ACNE"?? Any info? (Mac)
A while back, some data was damaged on my Mac Plus, when I retrived
the damaged macwrite files, the word ACNE was splattered throughout
the document and it was no longer openable. Is there such a virus? or
is this just a coincidence?? Thanks (holding our breath until the
16th!) -Elan
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 52]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253
