VIRUS-L Digest Tuesday, 3 Mar 1992 Volume 5 : Issue 53
Today's Topics:
Re: New virus????? (PC)
New virus SLOVAKIA 3.00 (PC)
Re: What does the Tequilla virus do? (PC)
Re: What is the best way to protect against Michelangelo (PC)
Re: Which Package is Best? (PC)
Re: Who knew his Birthday? (PC)
FDISK/MBR (PC)
Viruses and Operating System Manufacturers (PC)
Re: Problem with McAfee CLEAN against the FORM virus (PC)
Michaelangelo and Stoned (PC)
a question re PKLITE and LZEXE (PC)
Michaelangelo (PC)
Michelangelo on Nightline and thank you for information (PC)
Question about TP44 (PC)
Need info on No-Int (Stoned) virus (PC)
Shipping Michaelangelo (PC)
Vshield and OS/2 (PC) (OS/2)
Antiviral features in operating systems?
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to
[email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 03 Mar 92 11:51:46 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: New virus????? (PC)
[email protected] (Jesse Chisholm AAC-RjesseD) writes:
> [email protected] (Jon Freivald) writes:
> : [email protected] (Vesselin Bontchev) writes:
> :
> : > [email protected] (Kathy Diaz) writes:
> : >
> : > > I have a question it seems that I have come across some sort of virus.
> : > > My Dos Machine has in every directory a file called aux. It seems also
> : >
> : > I don't know how exactly have you managed to "find" this "file". On
> : > the previous DOS versions it usually appeared when you execute
> : > Norton's FileFind and look for aux*.*. Unfortunately, I'm using MS-DOS
> : > 5.0 right now, so I can't confirm this.
> : >
> : I'm also running MS-DOS 5.0 -- if I do a "dir aux" (or com1, com2, prn,
> : lpt1, etc) I see a 112 byte file no matter what directory I'm in. Yes,
> : these are just the reserved names showing up, but you can see them
> : indeed!
> I find this thread a little confusing. I also am running MS-DOS 5.00 and
> when I do "dir aux" or "dir aux*.*" I get told "File not found".
Oops, I forgot to state something important. Mea culpa. I am using
NDOS 6.01 (roughly equivalent to 4DOS 3.30 with some bugs fixed and
other brand new ones introduced) as command interpreter.
So, to be clear:
1) You will NOT see the AUX file, if you do DIR AUX*.*
2) You will NOT see the AUX file, if you do DIR AUX and your command
interpreter is COMMAND.COM.
3) You WILL see the AUX file, if you do DIR AUX and your command
interpreter is 4DOS (or equivalent). You will also see the file, if
you perform a directory search for a file named AUX (no wildcards!)
with SOME file managers or file finders.
4) You WILL see the AUX file, if you scan for a file named AUX. (note
the point) with Norton Commander or FileFind (from Norton Utilities
6.01).
Is it clear enough?
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Tue, 03 Mar 92 10:02:38 +0700
From: Milan Mancel <[email protected]>
Subject: New virus SLOVAKIA 3.00 (PC)
At our university (Slovak Technical University in Bratislava) we
have discovered a new virus. Its name is SLOVAKIA version 3.00.
This virus is a non-resident infector of EXE files and its only
activity is infecting files. Sometimes it will display a message.
When a program infected with Slovakia is executed, it will infect
one EXE file. First of all, the virus will search the current directory.
If no suitable file is found or the current directory is the root (\),
the virus will search directories along the system path. Infected
files will increase in length by 2000 to 2200 bytes and the last
four bits of the length are set to 1101bin. The virus remains inactive in
the infected program for ten days or till the end of the month.
Slovakia is encrypted. The decryption code has eight mutations and
the only suitable string for identification is 'E8 B9 07' (you can
try 'B? 03 00 5?' or 'B? B7 07' too).
A suitable file for infection must meet some criteria:
- length is between 4500 and 262143 incl.
- name doesn't begin with letters SC, CP, NO, DC, AS, PK, TN,
LH (for example SCAN, CPAV, ASTA, NOD, TNT ...)
- last four bits of length different from 1101bin.
Slovakia will not infect any file if the directory C:\SLOVAKIA
exists on your disk.
Since March 1992, from time to time, but only on Monday, Wednesday
or Friday, the virus will display the following message:
"SLOVAKIA virus version 3.00 (c) 1991-1992 by??. All Rights Reserved.
Greeting from Bratislava, SLOVAKIA.
Type the word SLOVAKIA : ........"
Now you must type SLOVAKIA. The next message is displayed if you are
wrong four times:
"Type word SLOVAKIA, not CZECH, YUGOSLAVIA or SLOVENIA !! Press Esc."
If you want to remove Slovakia, you must delete infected files.
If you don't want to delete files, you must make the directory SLOVAKIA
in the root directory on disk C:. Then the virus will be inactive.
Slovakia has its own Critical Error Handler and will not display the
message "Critical Error" when trying to write on a locked disk.
If you try to debug Slovakia, you must run part of the code at full
speed, because the virus has two time checks.
Regards,
Milan.
-----------------------------------
Milan Mancel
Slovak Technical University
Bratislava, CSFR
[email protected] EUNET
[email protected] BITNET/EARN
[email protected] INTERNET
-----------------------------------
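As an added example (not part of Milan Mancel's post), the following Python script applies the characteristics listed above to EXE images held in memory: the length-nibble marker, the excluded name prefixes, and the three hex strings; the sample files, the file names and the verdict labels are constructed here.

```python
# Added example, not from the VIRUS-L post: a triage helper that applies the
# Slovakia 3.00 characteristics described in the post to EXE images in memory.
# Sample files built here are constructed filler, NOT real virus code.
import os
import re

# Hex strings quoted in the post. A '?' wildcard stands for one hex nibble.
SIGNATURES = {
    "E8 B9 07": re.compile(rb"\xE8\xB9\x07"),
    "B? 03 00 5?": re.compile(rb"[\xB0-\xBF]\x03\x00[\x50-\x5F]"),
    "B? B7 07": re.compile(rb"[\xB0-\xBF]\xB7\x07"),
}

# Name prefixes the virus avoids (anti-virus tools and archivers).
SKIPPED_PREFIXES = ("SC", "CP", "NO", "DC", "AS", "PK", "TN", "LH")

MIN_LEN, MAX_LEN = 4500, 262143
INFECTED_NIBBLE = 0b1101  # last four bits of an infected file's length


def is_candidate_target(name: str, length: int) -> bool:
    """True if the virus, as described, would consider this file for infection."""
    base = os.path.basename(name).upper()
    if base.startswith(SKIPPED_PREFIXES):
        return False
    if not MIN_LEN <= length <= MAX_LEN:
        return False
    # Files already carrying the 1101 length marker are skipped by the virus.
    return (length & 0xF) != INFECTED_NIBBLE


def triage(name: str, data: bytes) -> dict:
    """Collect the evidence a responder would weigh for one EXE image."""
    length = len(data)
    marker = (length & 0xF) == INFECTED_NIBBLE
    hits = [label for label, pat in SIGNATURES.items() if pat.search(data)]
    # Only 'E8 B9 07' is called reliable in the post; the wildcard strings are
    # weaker, so they are reported but do not decide the verdict on their own.
    strong = "E8 B9 07" in hits
    return {
        "name": name,
        "length": length,
        "infection_marker": marker,
        "signature_hits": hits,
        "verdict": ("likely infected" if (marker and strong)
                    else "suspicious" if (marker or hits)
                    else "clean"),
    }


def build_sample(length: int, payload: bytes = b"") -> bytes:
    """Constructed EXE-like image: 'MZ' header, NOP filler, optional payload."""
    body = b"MZ" + b"\x90" * (length - 2 - len(payload)) + payload
    assert len(body) == length
    return body


if __name__ == "__main__":
    # 6157 ends in nibble 0xD, 6160 in nibble 0x0 (constructed sizes).
    print(triage("GAME.EXE", build_sample(6157, b"\xE8\xB9\x07")))
    print(triage("CLEAN.EXE", build_sample(6160)))
```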
------------------------------
Date: 03 Mar 92 12:15:54 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: What does the Tequilla virus do? (PC)
[email protected] (Timothy Fredrick) writes:
> Does anyone have any experiences or comments about the Tequilla virus?
Yep... :-)
> Does it have a trigger date?
Not a date. It has a trigger time. Some time after it has been loaded
in memory, it displays a rough fractal image, using text mode and
pseudographic characters. I have to admit that I have never seen the
image personally.
The virus causes another kind of damage. If it finds a file to which a SCAN
checksum is appended (using the /AV option), it will remove the
checksum. This is done always and does not depend on any date or
time.
> How does it spread?
When you execute an infected file, it will infect the master boot
sector of your hard disk. When you boot from an infected hard disk,
the virus will install itself in memory and infect EXE files as you
execute them.
> Are there any machines or operating systems that are "immune"?
Yes. Those without a hard disk.
> How long has the virus been around?
About a year.
> Is it a particular problem in Belgium or has it
> been more prevalent here?
It is a particular problem in Western Europe. It has been created by
two kids in Switzerland. Their father was (is?) a shareware
distributor, and they managed to (involuntarily) infect his diskettes.
That's how the virus got a large initial distribution.
> Any information would be appreciated.
Hope the above helps.
> I guess the publicity over the Michelangelo virus is helping us to
> ferret out the other ones.
Yeah, the whole Michelangelo panic is, of course, silly, but at least
it has some good implications. Like forcing the users to actually take
some anti-virus measures. Or at least check their computers with a
scanner...
> Thanks in advance.
You are welcome.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 12:31:08 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: What is the best way to protect against Michelangelo (PC)
[email protected] (OLD FOGIE) writes:
> already been answered, but... What EXACTLY is the best way to protect
> against the Michaelengelo virus? I have SCAN and CLEAN and I also use
The best way to protect against this particular virus (and any other
boot/master boot sector infectors) is to never ever try to boot from a
floppy. That is, be careful not to forget a diskette in drive A: when
you are booting your computer. It doesn't matter whether the diskette
contains DOS or any executable files.
As to the other viruses, the best way to protect against all of them
is to never use new software... Unfortunately, this is quite
unrealistic, so you have to do a lot more inconvenient things, like
practicing safe computing and using anti-virus tools (integrity
checkers, scanners, etc.).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 12:43:15 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Which Package is Best? (PC)
[email protected] (Y. Radai) writes:
> Note 1: As opposed to most "quick checks" and "Turbo modes", UT's
> quick check is performed in such a way that for all practical purposes
> there is no loss of security, *regardless of how the virus infects*.)
Regardless?! Hmm, it's a little bit hard for me to believe that...
I'll discuss this with you in private.
> Note 2: UTScan's speed is not decreased by addition of more viruses.
You probably mean that the speed is not decreased proportionally to
the number of viruses added. I hope you won't claim that if you add
100,000 new virus signatures, the program will run at -exactly- the
same speed... :-)
> I don't know how good the IM scanner rates, but according to the Feb.
> issue of the Virus Bulletin (p. 23), Ver. 19.04 of the UTScan compo-
> nent of UT detected 73% of the viruses in their "standard" set and 81%
> in their "acid" test.
According to my own tests, the program Unvirus 2.0, part of V-Analyst
III (which, as far as I understand, is equivalent to the UT), detects
about 60 % (maybe slightly less) of our virus collection. But, this
includes every virus we have been able to get a copy of (even the one
that arrived yesterday), not a standard set, or a set of the most
common ones. Unfortunately, I didn't have the time to test the IM's
known virus scanner.
> Now these percentages are relatively low (although I think they
> would be considerably higher if only commonly occurring viruses were
> used in the comparison).
I agree with both statements.
> But how important is this factor in the case of Untouchable?
Quite important, IMHO, although not as much as for a user, who depends
entirely on KVS.
> and such a low percentage could not be tolerated. As for IM, it is
> generic with respect to detection, hence a KVS is not needed to detect
> the fact that infection has occurred.
Correct, but you have to ensure that you are installing the integrity
checker on a clean (non-infected) system. Do you know a better way to
ensure this than to scan for known viruses? (I -know- that this is not
a good solution, but do you know a better one?)
> However, IM can *restore* files
> only if they are infected by viruses which it *specifically recogni-
> zes* (assuming backups are not available), hence a KVS is just as
> necessary for IM as for those who use a KVS alone.
No. In fact, IM (and any integrity checker) does not need to restore
the infected files at all. I don't know why it does it; it is not
necessary. There are plenty of good backup/restore programs on the
market. One (a rather bad one) even comes with DOS.
Everything an integrity checker has to do is to detect changes, and to
do this fast, secure, and conveniently. UT is more secure than IM and
that is all.
> In fact, IM is
> even *more* dependent on a KVS, for (like all programs based on modi-
> fication detection) IM must ensure that the files and boot records are
> uninfected when checksums are initially computed.
I fail to see why UT does not need this.
> On the other hand, UT performs *generic restoration* of files and
> boot records, hence it requires a KVS only for the second purpose, not
> for the first.
Unfortunately, the generic restoration is a bad idea, which does not
always work. IMHO, it is even worse than virus-specific disinfection.
OK, I agree that at least UT will not try to disinfect a file
incorrectly, but still the best solution is to use a backup/restore
program.
> With UT, a KVS need be performed on a given file only
> once, namely before it is added to the checksum database (or is re-
> placed by a new version of the file).
The same goes for IM.
> records are uninfected by using SYS and FDISK/MBR. Moreover, if some
> files happen to be infected by an unknown virus when their checksum is
> first computed, that fact will be detected as soon as the virus in-
> fects other files.
Not necessarily. Consider a Lehigh-type virus. Or a virus, which
infects only -one- object on the hard disk and then every executable
file being created or modified. Some of the existing viruses already
do that, we won't wait long until we see viruses, which attack
checksum-based defences.
And don't forget that the generic disinfection will simply not work,
if the file has been previously infected.
> So the number of viruses recognized is less impor-
> tant for Untouchable than for almost any other type of anti-viral
> software.
More exactly: the number of viruses recognized is less important for
integrity checkers than for the virus-specific software.
Both UT and IM are integrity checkers. What really matters for the
integrity checkers is their security, and UT is more secure than IM. I
hope that the author of IM will soon fix the small loopholes in this
product.
> (Nevertheless, because of criticisms of its low scanning
> percentage, I am told that the next version of UTScan will detect many
> more viruses than the present one; in fact, the version I have (21.00)
> is already considerably improved.)
I'll try to help you about that, as far as I can.
> Summary: UT performs generic disinfection of files; IM does not.
But this is not so important. To put it in another way: BACKUP/RESTORE
can restore an infected file in 100 % of the cases, when it has been
applied before infection. UT can't.
> Untouchable is faster than IM, especially with respect to their known-
> virus scanners.
But this is not important! The important thing is to compare the checksum
checking speed. I understand that UT is faster than IM in this case. Am
I right?
> IM's scanner probably detects more viruses than UT's,
> though I don't think that's as significant as most people assume it
> is.
Right.
> I'd be glad to hear what you think UT misses. I'm willing to bet that
> there are a couple of types of potential viruses that IM misses.
You are right... :-)
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: 03 Mar 92 13:15:42 +0000
From: [email protected] (Vesselin Bontchev)
Subject: Re: Who knew his Birthday? (PC)
[email protected] (Mickey Waxman) writes:
> Here we don't celebrate Michelangelo's birthday and I doubt
> anybody here would have known the signif of 6 March. Is it different
> in other places (Italy?)?
> For history's sake ... did the disassembler(s) who named this virus
> just happen to know this was M's birthdate or was there maybe some
> input from the virus' author as to its significance?
He just happened to know the date. BTW, does anybody know who exactly
named the virus like that?
My own theory is that March 6 was the date of the creation of the
virus (recall that it has been detected in April 1991).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
[email protected] Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54
------------------------------
Date: Tue, 03 Mar 92 08:23:49 -0500
From: James_Williams%ESS%[email protected]
Subject: FDISK/MBR (PC)
I have seen the command FDISK/MBR mentioned in various messages
recently. I have scanned all of my DOS 5.0 documentation and find no
mention of it. Hence, I have three questions.
1. Is this simply the DOS FDISK command with a /MBR option, or is
this some special program?
2. Where is it documented?
3. When it builds a new MBR, does it have any effect on the
information on the rest of the hard disk?
- --------------------------------------------
| James Williams |
| Bitnet: JWW%ESS%[email protected] |
| Internet: [email protected] |
| CompuServ: 70304,2462 |
- --------------------------------------------
------------------------------
Date: Tue, 03 Mar 92 09:19:46 -0500
From: [email protected] (A. Padgett Peterson)
Subject: Viruses and Operating System Manufacturers (PC)
>From: "Mark W. Schumann" <[email protected]>
>padgett%[email protected] (A. Padgett Peterson) writes:
>> Incidently it takes a whole 10 (decimal, not hex) generic bytes at
>> BIOS time to detect every MBR infector I have seen thusfar (including
>> Brain, Yale, Evil Empire, Stoned, Joshi, Michelangelo, and all their
>> cousins). "Stealth" just makes it easier. When are the O/S
>> manufacturers going to wake up ?
>Is it practical to include virus protection in an operating system?
Boy am I glad you asked: not only is it possible, given the viruses we
have seen thus far, it is downright easy! - maybe not to get 100%
protection, but certainly to eliminate at least 1000 viruses
including ALL the common ones right off the mark.
Ted Koppel asked this question on Nightline last night and it did not
get answered by the experts surveyed (they did not ask me though).
For example, it is MORE difficult to detect viruses from outside the
operating system than from inside & I have found it bl**dy easy to find
all that I have seen from the outside. Generically.
Item: every .EXE header contains a field for CHKSUM information yet the
only known use has been for some viruses to store their this-program-is-
already-infected flag.
Item: my SafeMBR code (Freeware) detects every MBR infector known - Brain,
Yale, Stoned, Azusa, Merrit, Aircop, Empire, etc, etc, etc, and including
Michelangelo, and takes fewer bytes than Michelangelo to do it (had to be
compatible with overwriting controllers).
Item: my SafeFBR (Freeware) code does the same thing for every known
Floppy Boot Record Infector known (am working on a bootable version
and a fixed disk boot record now but are not Ready for Prime Time -
remember, this is not what I get paid for).
Of course, the real place for this kind of checking is in IO.SYS
(IBMIO.COM) - can use the same code there but I have to work with what
I have. (BTW all of these programs seem to work with every DOS from
2.0 - 5.x - have deliberately avoided the "undocumented" interrupts
though they would have made life easier.)
Item: my NoFBoot (Freeware) would eliminate 99+% of all accidental
floppy reboots that spread most MBR and BSI viruses. - only one of
this series of my programs mentioned that "goes resident" (TSR) and
takes up a whole 512 bytes (max.)
Item: my CHKMEM can catch nearly every virus that goes resident at the
TOM (just below the 640k boundary) - based on the "flawed" Six Bytes
but handles nearly all of the "stealth" viruses (do not have the 1963
so haven't tested that one).
(Am I starting to sound like a fanatic ? - move over Mr. Janney)
Point is that not a single one of these programs has any idea what a
virus is. What they do know is what the "envelope" of the IBM-PC
architecture is and check for & prevent deviations.
Now these will not remove the necessity for anti-virus technicians
armed with professional grade tools. However, they will provide
warning and their installation utilities will remove those viruses
causing over 50% of all reported infections. What they will do is to
detect such infection immediately so that you know that *something*
has happened.
Since viruses rely on invisibility to multiply and become widespread,
this IMHO should stop them. It will not wipe out viruses, but it will
take care of the current crop and make future ones considerably harder
to write.
It may not be the *one true answer* but it will take care of the
Michelangelo today.
Hotly,
Padgett
padgett%[email protected]
Obviously my own opinions
------------------------------
Date: 03 Mar 92 15:05:59 +0000
From: [email protected] (Timothy Fredrick)
Subject: Re: Problem with McAfee CLEAN against the FORM virus (PC)
[email protected] (Maarten Meijer) writes:
We - at the Academic Computing Centre of Utrecht University (ACCU),
the Netherlands - have tried to remove the FORM virus from several
hard disks using McAfee's CLEAN version 8.3B86. All disks were larger
than 60 MB, formatted with DOS 5.0, some with one large partition,
others with multiple partitions (C:, D:, etc.). CLEAN always reports
removal of the [FORM] virus, but in the meanwhile it often destroys
the boot sector of partition C:, making the partition unreachable at
the next bootstrap. Although the FORM virus puts the original
bootsector at the end of the hard disk, CLEAN isn't able to find it.
It seems quite simple to locate the original bootsector at the very end of
the hard disk. Why then do both these programs not succeed?
We had the same experience with the Tequila virus [Teq]. I had to use
Norton Utilities' Disk Doctor (from v6.01) to rebuild the bootsector
and partition table. What do people without Norton Utilities do? Is
there a way to find out if clean is going to destroy the boot sector
before it actually does the damage? (we simply executed the command
"clean c:").
Thanks. --Tim Fredrick ([email protected])
Ntl Center for Atmospheric Research, Boulder, CO 80307-3000
------------------------------
Date: Tue, 03 Mar 92 10:23:02 -0500
From: Brian Seborg <[email protected]>
Subject: Michaelangelo and Stoned (PC)
There is an interesting problem with certain virus packages which take
advantage of knowing the characteristics of specific viruses to
perform their clean up. For example, a colleague of mine recently
called me and told me that he had just used McAfee to rid a machine of
the Michaelangelo virus. Upon re-scanning the machine, Scan reported
that the machine was infected with the Stoned virus. When my colleague
tried to clean the Stoned virus with McAfee he couldn't. Why is this,
he asked me. I felt that the answer may be of interest to some of you
and so here it is: as most of you know, the Stoned and Michaelangelo
viruses both use essentially the same spreading technique, that is
they move the old MBR to sector 7 and place their own code in the 0
sector. Now imagine the following scenario, the Stoned virus infects
a hard drive placing a copy of the clean MBR in sector 7 and its own
code in sector 0. Next, this same machine becomes infected with the
Michaelangelo, it places what it believes to be the clean MBR in
sector 7, and its own code in sector 0. What has now happened is that
Michaelangelo has taken the Stoned virus code and placed it in sector
7, effectively overwriting the clean MBR code which Stoned had
previously stored there. Now, if I clean this machine with McAfee or
any other virus cleaning program which strictly takes advantage of the
characteristics of viruses this is what happens: First, since I know
the virus is the Michaelangelo, I know that it (like the Stoned) has
stored the old MBR in sector 7, so, instead of rebuilding the MBR I
simply copy whatever is in sector 7 to sector 0. In this case this
copies the Stoned virus code back into sector 0. I then rescan and
find I now have removed the Michaelangelo virus, but now have the
Stoned virus. So I repeat the procedure. I know that the Stoned
virus stores the clean MBR in sector 7, so I copy whatever is in
sector 7 back to sector 0. But, Stoned is in sector 7 so the computer
will be re-infected with Stoned etc. etc. So you can see, virus
software packages which use this technique have some real problems
when it comes to multiple infections of boot sector viruses using the
same tricks. Perhaps this provides an answer to the previous issue's
question about the FORM virus as well.
Regards,
Brian Seborg
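The sector 0 / sector 7 scenario above, modelled as an added Python example (not from Brian Seborg's post): the "virus" images and the marker strings used to identify them are constructed placeholders, and the two cleaners are illustrative, not McAfee's actual logic. It shows why a cleaner that blindly copies sector 7 back over sector 0 loops on a Stoned-then-Michelangelo double infection, and what a cleaner should check first.

```python
# Added example, not from the VIRUS-L post. Models a hard disk as a dict of
# 512-byte sectors and the "save old sector 0 in sector 7" infection trick
# both viruses share, per the post. All virus images are placeholders.

SECTOR = 512
BOOT_SIG = b"\x55\xAA"

# Constructed stand-ins for the three 512-byte images involved.
CLEAN_MBR = b"\xFA\x33\xC0" + b"\x00" * (SECTOR - 5) + BOOT_SIG
STONED = b"STONED-PLACEHOLDER".ljust(SECTOR - 2, b"\x00") + BOOT_SIG
MICHELANGELO = b"MICH-PLACEHOLDER".ljust(SECTOR - 2, b"\x00") + BOOT_SIG

# What a scanner keys on (placeholders standing in for real signatures).
KNOWN_VIRUS_MARKERS = {
    "Stoned": b"STONED-PLACEHOLDER",
    "Michelangelo": b"MICH-PLACEHOLDER",
}


def identify(sector: bytes):
    """Name of the known virus found in a sector, or None."""
    for name, marker in KNOWN_VIRUS_MARKERS.items():
        if marker in sector:
            return name
    return None


def infect(disk: dict, virus: bytes) -> None:
    """Both viruses: move whatever is in sector 0 to sector 7, take sector 0."""
    disk[7] = disk[0]
    disk[0] = virus


def naive_clean(disk: dict, max_rounds: int = 5) -> list:
    """The virus-specific cleaner from the post: sector 7 goes back to 0.

    Returns the identification seen at each round. After Stoned followed by
    Michelangelo, sector 7 holds Stoned, so the disk never becomes clean."""
    seen = []
    for _ in range(max_rounds):
        found = identify(disk[0])
        seen.append(found)
        if found is None:
            break
        disk[0] = disk[7]
    return seen


def careful_clean(disk: dict) -> str:
    """Restore from sector 7 only if that sector itself looks like a clean
    MBR; otherwise tell the operator to rebuild it (from a backup or a
    partition-table repair tool) instead of re-seeding the infection."""
    if identify(disk[0]) is None:
        return "already clean"
    backup = disk[7]
    if backup[-2:] != BOOT_SIG or identify(backup) is not None:
        return "rebuild MBR: saved copy is itself infected or not a boot sector"
    disk[0] = backup
    return "restored from sector 7"


if __name__ == "__main__":
    disk = {0: CLEAN_MBR, 7: b"\x00" * SECTOR}
    infect(disk, STONED)
    infect(disk, MICHELANGELO)
    print("naive cleaner sees:", naive_clean(dict(disk)))
    print("careful cleaner says:", careful_clean(dict(disk)))
```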
------------------------------
Date: Tue, 03 Mar 92 17:24:16 +0700
From: [email protected] (yair rajwan (IBM lover))
Subject: a question re PKLITE and LZEXE (PC)
I have a question:
Does PKLITE or LZEXE change a file, including an infected file?
If yes: is there any program that cleans the virus from the compressed
file?
- -- Yair Rajwan
------------------------------
Date: Tue, 03 Mar 92 10:32:58 -0500
From: Brian Seborg <[email protected]>
Subject: Michaelangelo (PC)
I know that some people have recommended setting your computer dates
ahead so that one can avoid March the 6th altogether. Other than the
good points not to do this brought up by Vesselin and others, there is
one other reason not to expect this to work if your PC is connected to
a network. Many networks, specifically Banyan, and I believe Novell
as well, make sure that there is a consistent "network time" among all
machines on the network. This is for logging purposes as well as
other administrative reasons. On Banyan, I can set my PC date and
time to anything, but when I logon to the network, the date and time
in my PC automatically gets set to that of the network. I believe the
same is true for Novell networks, but since I am not a Novell expert,
someone else might want to confirm this. The date and time change
affects the CMOS values so that the time change on the PC is
"permanent" until I change it again. Therefore, if I set my date and
time to avoid March the 6th and this is the only protection I use,
then when I logon to the network on March 6th I could be in for a rude
awakening! So, use virus scanning software, and use common sense, and
don't set the time and date forward!!! It won't work well for
networks.
Regards,
Brian Seborg
------------------------------
Date: Tue, 03 Mar 92 11:19:00 -0500
From: Dan Sline <[email protected]>
Subject: Michelangelo on Nightline and thank you for information (PC)
In case any of ya'll were not watching Nightline last night
(Monday night) they did a special report on Michelangelo. It was a
good special report. If any of ya'll want a description I will post
one to you as soon as I can.
Also, thanks to all of you who gave me information for my
article, and it was a big success. Unfortunately, I could not get a
copy on disk to post to the list.
Thanks again,
Dan Sline
------------------------------
Date: Tue, 03 Mar 92 10:58:00 -0600
From: "Tim T. Preston" <[email protected]>
Subject: Question about TP44 (PC)
Could anyone tell me anything about the TP44 virus? I had never
encountered it before I found seven copies of the same virus on one
machine. It seems to have infected all of the major executables on
the hard drive and had made itself resident in memory. I used NAV to
get rid of it, but I am still curious as to what TP44 does.
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
*To Be is To Do. * Tim T. Preston *
* - I. Kant * Box 654 Buena Vista College *
*To Do is To Be. * 610 West 4th Street *
* - A. Sartre * Storm Lake, IA 50588 *
*Yabbadabbadoo! * *
* - F. Flinstone * INTERNET : [email protected] *
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
------------------------------
Date: Tue, 03 Mar 92 17:14:11 +0000
From: [email protected] (Robert Evans)
Subject: Need info on No-Int (Stoned) virus (PC)
I apologize if this question is a FAQ, but I am posting for an anxious
friend.
With the Michelangelo scare, he has used SCANv86b, which has reported
a virus found "No Int [Stoned]" and is wondering if this is the strain to
which Michelangelo belongs, or is it a different one? Also, if it is
not Michelangelo...
1) What damage does it do?
2) How does it get activated?
Again I apologize if this is a FAQ, but he is unfortunately a bit
panicky :-)
- --
- -----------------------------------------------------------------------
| Robert B. Evans | My opinions are MINE, MINE, MINE! |
| | I'm a greedy little monster! |
| ([email protected]) | ~ D. Duck |
------------------------------
Date: Tue, 03 Mar 92 14:00:03 -0500
From: Charlie MOORE (703)425-5122 <[email protected]>
Subject: Shipping Michaelangelo (PC)
For those of you keeping score on how many and what vendors have
shipped the Michaelangelo Virus, add Intel.
Below is a message (edited by me) that appeared on a technically
oriented BBS in the Washington DC area--it triggered my queries.
________________________________________________________________
SUBJECT: Michaelangelo is Here!/? DATE: 03/02/92
Today I received a Fed Ex package from Intel. Here's part of
what the enclosed letter said:
"Dear LANSpool user,
Like a number of commercial hardware and software vendors, we
have been struck by the Michelangelo virus. We have discovered
the Michelangelo virus on the 5 1/4 inch diskettes shipped with
LANSpool 286 version 3.01 and LANSpool 386 version 3.01"....
They included a disk with a custom written utility to check for
the virus, and a fact sheet about it. They also set up a toll
free hotline 800-228-4561 to provide assistance with fighting
it. They are also offering affected LANSpool customers a free
copy of LANProtect, their server based network virus protection
(lists at $999)!
The fact sheet provided with the letter said they estimated
about 800+ disks were shipped. So, Intel, has sold a number of
production, shrink wrapped software packages with the virus.
________________________________________________________________
Before posting this message, I called Intel for verification.
Intel asked me to contact their public relations (PR) firm for further
info. Their PR firm was remarkably straight forward with me--in
essence they said this: We slipped up; we (Intel) and our disk
duplicating contractor failed to keep our commercial anti-virus
software [not Intel's own product] up to date and it failed to detect
Michaelangelo (the master disk sent for duplication was infected and
the disk-duplication contractor also failed to detect Michaelangelo).
When I suggested that it might be especially embarrassing for Intel,
since they also have an anti-virus product, I was told that Intel's
anti-virus product was still in testing during this period and hence,
not installed on their own systems.
------------------------------
Date: Tue, 03 Mar 92 07:54:59 -0500
From: "Christine M. Bouchard" <[email protected]>
Subject: Vshield and OS/2 (PC) (OS/2)
Hello
I have a server running OS/2 connected to 25 work stations running DOS
4.0. I am running vshield on the work stations. Will Vshield run on
my OS/2 server? Is there another virus protection program out for
OS/2? Any help you could give will be greatly appreciated.
Thanks in advance
Christine
- --
[ Christine M. Bouchard ]
[ [email protected] ]
------------------------------
Date: Tue, 03 Mar 92 09:18:28 -0500
From: [email protected]
Subject: Antiviral features in operating systems?
Mark W. Schumann asks the question "Is it practical to include virus
protection in an operating system?" The answer is yes, not only is it
practical but I think it is a gross dereliction of duty of operating
system manufacturers not to have included even the basic antiviral
features yet. DOS 5.0 doesn't contain any integrity checking or
antiviral features--neither will OS/2 2.0 nor (probably) the
workstation version of Windows NT. When DOS or OS/2 is booted, it
could perform a simple check to ensure the integrity of its essential
components, including the partition table and boot sector, employing a
secure cryptographic algorithm. Some DOS application programs do this
now and it is even more important for an operating system to have this
capability. Of course, someone would eventually write a virus to
subvert such protection, but 95% of virus damage is caused by the 10
most common viruses today, e.g., Stoned, Jerusalem, Joshi. Protection
against 95% of viruses is better than protection against 0%.
I think the main reason operating system manufacturers haven't yet
included security features in PC operating systems is that their
customers (i.e., you and me) have not clamored for it loud enough,
which I hope will change. If I were a corporate PC manager in charge
of implementing a mission-critical application on PCs, and IBM or
Microsoft came to me and tried to get me to base it on DOS or OS/2, I
would refuse because of the total lack of built-in security features.
And telling me that I could use an add-in security package wouldn't
satisfy me because while that may work for me, only when a large
percentage of the general PC computing population uses such features,
as would happen if they were built into the base operating system,
will the spread of viruses begin to be curtailed. Organizations and PC
users who entrust mission-critical applications to supposedly
"advanced" operating systems have a right to expect built-in security
and antiviral features. I hope PC users will begin to stick up for
their rights.
Kevin Haney, Computer Specialist
Internet: khv%[email protected]
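Serving both Padgett Peterson's "envelope" argument above and Kevin Haney's call for a cryptographic boot-time check, an added Python example (not from either post, and not Padgett's SafeMBR code): structural checks on a 512-byte MBR that need no knowledge of any virus, plus an HMAC-SHA256 tag sealed while the system is known clean and verified at every boot; the key, the sample boot code and the partition entry are constructed.

```python
# Added example, not from the VIRUS-L posts. Two layers of MBR checking:
#  1. envelope_check(): does the sector still look like an IBM-PC MBR?
#  2. seal()/verify_at_boot(): has it changed since the clean reference tag
#     was taken?  Any MBR infector, stealth or not, fails layer 2 because the
#     tag is taken from the bytes on disk, not from what a resident virus
#     reports.
import hmac
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"


def envelope_check(mbr: bytes) -> list:
    """Generic structural checks; returns a list of problems (empty if OK)."""
    problems = []
    if len(mbr) != SECTOR:
        return ["wrong sector size"]
    if mbr[-2:] != BOOT_SIG:
        problems.append("missing 55AA boot signature")
    active = 0
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        flag = entry[0]
        if flag not in (0x00, 0x80):
            problems.append(f"partition {i}: bad boot indicator {flag:#04x}")
        active += flag == 0x80
    if active > 1:
        problems.append("more than one active partition")
    return problems


def seal(mbr: bytes, key: bytes) -> bytes:
    """Reference tag, computed once while the system is known to be clean.
    Assumption: key and tag live somewhere ordinary DOS code cannot rewrite;
    if a virus can read and replace them, it can re-seal its own MBR."""
    return hmac.new(key, mbr, hashlib.sha256).digest()


def verify_at_boot(mbr: bytes, key: bytes, reference: bytes) -> str:
    """What an IO.SYS-level check would do before handing control onward."""
    problems = envelope_check(mbr)
    if problems:
        return "STOP: " + "; ".join(problems)
    if not hmac.compare_digest(seal(mbr, key), reference):
        return "STOP: MBR changed since it was sealed"
    return "OK"


def make_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: boot code, one active FAT16 primary partition, 55AA."""
    # boot flag, CHS start, type 0x06, CHS end, LBA start, sector count
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                         b"\xFE\xFF\xFF", 63, 200000)
    table = entry0 + b"\x00" * 48
    code = boot_code.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
    return code + table + BOOT_SIG


if __name__ == "__main__":
    key = b"constructed-demo-key"
    clean = make_mbr(b"\xFA\x33\xC0")
    ref = seal(clean, key)
    # A typical MBR infector keeps the partition table and 55AA intact, so
    # only the keyed tag catches it.
    infected = b"\xEB\x00" + b"\x90" * 438 + clean[440:]
    print(verify_at_boot(clean, key, ref))
    print(verify_at_boot(infected, key, ref))
```

Where the key and reference tag are stored is the whole game: Haney's remark that someone would eventually write a virus to subvert such protection applies exactly when they sit where the virus can read and rewrite them.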
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 53]
*****************************************