From [email protected] Wed Mar 4 15:23:19 1992
Return-Path: <[email protected]>
Received: from csrc.ncsl.nist.gov by brutus.ncsl.nist.gov (4.1/NIST)
        id AA01201; Wed, 4 Mar 92 15:23:17 EST
Received-Date: Wed, 4 Mar 92 15:23:17 EST
Received: from csmes.ncsl.nist.gov (MACBETH.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST)
        id AA29480; Wed, 4 Mar 92 15:22:08 EST
Organization: National Institute of Standards and Technology (NIST)
Sub-Organization: Computer Security Division
Posted-Date: Wed, 4 Mar 1992 14:52:52 EST
Received: from IBM1.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm))
        id AA05727; Wed, 4 Mar 92 15:29:23 EST
Message-Id: <[email protected]>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 6775; Wed, 04 Mar 92 15:14:41 EST
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 8149; Wed, 04 Mar 92 15:13:37 EST
Date: Wed, 4 Mar 1992 14:52:52 EST
Reply-To: [email protected]
Sender: Virus Discussion List <[email protected]>
From: "The Moderator Kenneth R. van Wyk" <[email protected]>
Subject: VIRUS-L Digest V5 #54
Comments: To: [email protected]
To: Multiple recipients of list VIRUS-L <[email protected]>
Status: RO
VIRUS-L Digest Wednesday, 4 Mar 1992 Volume 5 : Issue 54
Today's Topics:
Michelangelo down south (way down south!) (PC)
Re: F-prot and non-executable files (PC)
F-PROT shows - SBC virus? (PC)
Maltese Amoeba virus (PC)
Re: Will Write Protection Prevent Virus Infection? (PC)
List of Viruses and Effects??? (PC)
Re: exact damage of Michelangelo on 3-06 (PC)
Re: Michelangelo question (PC)
Michelangelo found - Symbol Technologies (PC)
Re: Possible virus? (PC)
DOS total memory check says we're infected but... (PC)
Re: Possible virus? (PC)
Re: mutated FORM? (PC)
another simple Michaelangelo question (PC)
Re: Kamikaze virus? (PC)
Re: Drug Rehad - Stoned (PC)
Will these find Mich? (PC)
WARNING: MBDF-A can spread on Plus and SE using System 7 (Mac)
WARNING: Macintosh users of PC-emulators, beware of PC-viruses (Mac)
Bulk Erasers
Re: Manufacturing of software (GENERAL)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 03 Mar 92 12:08:42 -0500
>From: [email protected] (Jaime Garmendia)
Subject: Michelangelo down south (way down south!) (PC)
If anyone is keeping track of Michelangelo's geographical spread, it
may be of interest to know that it has appeared in Argentina. I've
found one of my group's computers infected, and apparently it has
surfaced in several other sites in the country.
I couldn't find the vector, but the machine in question is accessible to
a large number of persons. Argentina is also a haven for pirates, so it
is not surprising.
I used F-Prot 2.02D to detect it and clean it. Nice program!
Jaime Garmendia
DuPont Argentina
**Standard disclaimer: The above opinions are my own, etc, etc...**
------------------------------
Date: Tue, 03 Mar 92 12:17:32 -0500
>From: [email protected]
Subject: Re: F-prot and non-executable files (PC)
In the VIRUS-L Tapio Keihänen <[email protected]> writes:
(Note: Tapio quoted the following without any attribution:)
>We were using F-prot here and we noticed that it doesn't scan non
>executable files. This raises the question, can a virus hide in a
>text file, and then transfer itself elsewhere?
This is incorrect. In the "Scan" window select "Files:" and then
select either "All files" or "<User-specified>". This is not normally
necessary, however. No, a virus cannot hide in a text file. The
virus has to be in a file that will at some point be executed. There
are some types of files, however, that are not normally checked by
virus scanners, but can be infected. The .BGI graphics device driver
files used by the various compilers from Borland Intl. contain
executable code, and are, in fact, essentially overlays, but no virus
scanner I've seen checks them by default. You can, however, tell all
of the good ones additional extensions that you want checked. The
good ones include F-Prot and McAfee's Scan.
Regards,
David R. Conrad
[email protected]
------------------------------
Date: Tue, 03 Mar 92 16:44:17 +0000
>From: [email protected] (Roger K. Akers)
Subject: F-PROT shows - SBC virus? (PC)
F-PROT 202D has indicated "SBC virus found" on a couple of machines.
There is no info with F-PROT that describes an SBC virus. I noticed
that there is information regarding an "SVC" virus.
Is there an SBC virus? If so, where can I find a description of it?
If not, why does F-PROT indicate that SBC is found?
Many thanks
Roger Akers
UNC - Chapel Hill
------------------------------
Date: Tue, 03 Mar 92 17:43:25 +0000
>From: [email protected] (Dennis Leiterman)
Subject: Maltese Amoeba virus (PC)
In the March 2 issue of PC Week is an article about the Maltese Amoeba
virus; its activation date is scheduled for March 15. Is there anyone
that knows about this virus and what scanners are effective on it???
- -----------------------------------------------------------------
| Dennis Leiterman            | Picker International              |
| VAX System Manager          | 595 Miner Road                    |
| e-mail: [email protected]   | Highland Heights, OH              |
- -----------------------------------------------------------------
------------------------------
Date: Tue, 03 Mar 92 12:45:24 -0500
>From: [email protected]
Subject: Re: Will Write Protection Prevent Virus Infection? (PC)
[email protected] (ELGHARIB,HESHAM MOHIEDDIN ABOBAKR) writes:
>If I set the attributes of all the executables, overlays, and COM
>files in my hard drive to be read-only, will this reduce the chances
>of getting virus infection?
>
>I understand that viruses usually get transmitted by modifying these
>files. And since these files are rarely required to be read-write,
>(maybe during the installation only) I do not think that the
>applications would mind setting the attributes to read-only.
>========================
>Hesham Elgharib
The subject should ask about "Marking Read-Only" instead of "Write
Protection." Marking files as RO will stop only a very few very
stupid viruses. Do not rely on it. However, it will stop those few
viruses and will also stop the accidental deletion of any executables
so marked. There's nothing wrong with doing it IN ADDITION to making
frequent backups and scanning and checksumming your files. The only
program I've encountered which minds being marked RO is the Tempra
paint program that came with my Paradise SVGA card, which forgets its
configuration info, presumably because it can't open its executable to
read it. Of course, any programs which WRITE to their executables
will have to be marked Read-Write, at least while installing or
configuring them.
As long as you remember that most viruses will just flag the file
as writable, infect it, and then restore its attributes, there's no
harm in obtaining this extra protection. But don't let it replace the
other methods of protection. By itself, it does very, very little.
Regards,
David R. Conrad
[email protected]
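
The reply above says that a file can be flagged writable, changed, and have its attributes restored, which is why it recommends checksumming alongside the read-only flag. As an added example (not part of the original post), the Python sketch below takes a baseline of content hashes and compares against it; the extension list, file names and sample contents are constructed assumptions.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumption: which extensions count as "executable" is a local policy choice.
# .BGI is included because the digest notes these driver files contain code.
EXEC_EXTS = {".com", ".exe", ".ovl", ".sys", ".bgi"}


def snapshot(root):
    """Record hash, read-only flag and mtime for every executable-type file."""
    records = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXEC_EXTS:
            st = path.stat()
            records[str(path.relative_to(root))] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "readonly": not (st.st_mode & stat.S_IWUSR),
                "mtime_ns": st.st_mtime_ns,
            }
    return records


def compare(baseline, current):
    """Return {path: [reasons]} for files that are new, missing or changed."""
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings[name] = ["new file"]
        elif new is None:
            findings[name] = ["missing"]
        else:
            reasons = [k for k in ("sha256", "readonly", "mtime_ns")
                       if old[k] != new[k]]
            if reasons:
                findings[name] = reasons
    return findings


def rewrite_and_restore_metadata(path):
    """Constructed stand-in for the behaviour the post describes: clear the
    read-only flag, change the file, then put flag and timestamps back."""
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    os.chmod(path, mode | stat.S_IWUSR)
    with open(path, "ab") as fh:
        fh.write(b" constructed change")
    os.chmod(path, mode)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Build constructed sample files, alter one, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("EDIT.COM", "PAINT.EXE", "EGAVGA.BGI", "README.TXT"):
            (root / name).write_bytes(b"constructed sample: " + name.encode())
            os.chmod(root / name, stat.S_IRUSR)        # mark read-only
        baseline = snapshot(root)
        rewrite_and_restore_metadata(root / "EGAVGA.BGI")
        findings = compare(baseline, snapshot(root))
        for path in root.iterdir():                    # let cleanup delete them
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        return baseline, findings


if __name__ == "__main__":
    print(demo()[1])
```

The only reason reported for the altered file is the hash: its read-only flag and timestamp look untouched, so a check based on attributes alone would pass it.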
------------------------------
Date: Tue, 03 Mar 92 18:28:38 +0000
>From: [email protected] (Brian J Moore)
Subject: List of Viruses and Effects??? (PC)
Is there a list of the known viruses and what they do anywhere?
Not just Michelangelo will destroy the disk (like it says on TV), but
when and what specifically does each virus do. I have one list like
this, but it's pretty old.
Thanks, Brian
- --
 ________________________________________________________________________
/                                  /                                    /
/  Brian J. Moore                  /  [email protected]                  /
/__________________________________/____________________________________/
------------------------------
Date: Tue, 03 Mar 92 09:41:00 -0800
>From: "[email protected]"@BIIVAX.DP.BECKMAN.COM
Subject: Re: exact damage of Michelangelo on 3-06 (PC)
[email protected] (Steven Tucker) writes:
>Vesselin, have a quick question for ya. Regarding virii in general but
>perhaps the Michelangelo virus in particular (as it seems to be the
>most popular right now), one always reads about "booting from a clean
>floppy" and my question is this: If one boots from an infected floppy
>and then scans the disk (floppy or hard) will the memory-resident
>virus disable the scan program rendering it unable to detect the virus
>in question?
Michelangelo doesn't seem to make any attempt to hide itself on the
disk (although it makes a primitive attempt to hide in memory). Many
viruses, however, _do_ hide.
- --
Arthur L. Rubin
[email protected] [email protected] [email protected] (personal)
[email protected] (work) Beckman Instruments/Brea
My opinions are my own, and do not represent those of my employer.
------------------------------
Date: Tue, 03 Mar 92 18:15:21 +0000
>From: [email protected] (Jason Mathews - 514)
Subject: Re: Michelangelo question (PC)
[email protected] writes:
>Does the Mich virus spread from executable files (such as the
>Jerusalem B virus)? In other words, can the virus be spread through
>distribution of executable files, or does it require a boot sector to
>be present to spread it?
In general, Michelangelo and the other boot sector viruses do not come
from executable programs. Most boot sector viruses are spread by
leaving an infected disk in the floppy drive, which activates the
virus.
However, some file infecting viruses can contain a boot sector
payload and copy it onto the boot sector (as does the actual boot
sector virus). The trojan/virus copies the boot sector to where the
boot sector virus will find it and copies the virus boot sector to
sector 0.
There has been no report of any program or virus doing this for
Michelangelo.
Jason
- -------------------------------------------------------------------------------
Jason Mathews                   | Mission Operations Division
NASA/Goddard Space Flight Center| Internet: [email protected]
Greenbelt, MD 20771-0001        |           [email protected]
- --------------------------------+ CPU time flies when you're having fun.
------------------------------
Date: 03 Mar 92 19:09:44 +0000
>From: [email protected] (Chris Bracy)
Subject: Michelangelo found - Symbol Technologies (PC)
Symbol Technologies Corp has confirmed that it has been distributing
disks infected with the Michelangelo virus.
Chris.
------------------------------
Date: 03 Mar 92 19:52:01 +0000
>From: [email protected] (Brett Hollon)
Subject: Re: Possible virus? (PC)
[email protected] (Robert Slade) writes:
>[email protected] (Vera Marvanova) writes:
>
> >caused by a virus? In two computers (386-SX AND 386 - 33) after some
> >time of operation suddenly all look like CAPS LOCK would be touched.
> >All letters change to upper case. After "SHIFT" all is O.K., but
>
> Actually, this is extremely common behaviour in MS-DOS machines in
> general. I have often had machines that would suddenly behave as if
> all the keys were "shift"ed, "ctrl"ed or "alt"ed. Some could be
> recovered, and some couldn't (at least I never found a way to do it.)
> None were virally infected.
I am no genius on the subject of viruses, but I feel you may have
dismissed Ms. Marvanova's question too quickly. We here have also
seen this problem popping up a lot lately (a great deal more than say
a month ago). We have about 45 AT&T PC clones here (20 386s & 25 88s)
and it seems to have hit the 88s first, then moved to the 386s. This
makes sense as access to the 386s is more restricted. Additionally,
should we manage to isolate the thing, who should we send it to?
Thanks in advance.
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
" [email protected] " Purgamentum init, exit purgamentum "
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
------------------------------
Date: Tue, 03 Mar 92 20:21:26 +0000
>From: [email protected]
Subject: DOS total memory check says we're infected but... (PC)
The local paper said CHKDSK without CONFIG.SYS or AUTOEXEC.BAT in
place should show 653,312 bytes total memory if the machine has
Michelangelo, and 655,360 if it does not.
We have at least 2 machines at RTI which show 653,312 but are
pronounced Michelangelo-free by the Norton and PCCSCAN programs we
downloaded from CompuServe.
What's the story? Could something else cause the 2K to be missing, or
could Norton or PCCSCAN be somehow missing Michelangelo?
-joe
------------------------------
Date: Tue, 03 Mar 92 20:51:57 +0000
>From: [email protected]
Subject: Re: Possible virus? (PC)
This has happened to me on several occasions. Though it is possible
that this is a virus, it is highly unlikely (also there are no known
(at least by me) viruses that behave in this way). What will usually
cause it is software that sets up weird things in the keyboard buffer.
Some games will do it and I would assume that some other types of
software would do that. So don't pull your hair out about it.
Mike Yalter
------------------------------
Date: Tue, 03 Mar 92 21:03:32 +0000
>From: [email protected]
Subject: Re: mutated FORM? (PC)
It is very possible that you have come across an unknown variant of
the "form" virus. Though I don't know much about this particular
virus, it would seem that the variant leaves the same signature in
memory but not on disk. Suggestion: send it to McAfee or Vesselin,
and I would also not trust any of those computers either.
Mike Yalter
------------------------------
Date: Wed, 04 Mar 92 10:08:00 +1300
>From: [email protected]
Subject: another simple Michaelangelo question (PC)
Having been unfortunate enough to tempt fate recently and
reset system date to March 6th .. and wipe out our hard disk with the
Michelangelo virus .. I learnt my lesson, and now run regular checks.
Today I discovered it (Mich) on the boot sector of our drive.
Question is .. how does it get there?
Was the file distributed originally as an infected boot sector
.. or is there code which indirectly infects the boot sector?
- --
Stephen Pearce, University of Otago, Dunedin, New Zealand.
------------------------------
Date: Tue, 03 Mar 92 21:13:25 +0000
>From: [email protected]
Subject: Re: Kamikaze virus? (PC)
I believe that Fprot will also check for programs that SEEM to run
like viruses, but that would not tell you you are infected but rather
that this program is suspicious. Now, also if you did not use Scan c: /A
then scan only checked exe and com files, and not all files including
*.TPL. This might be the problem. Also the version of Fprot you are
using might have a bug in it. Many reasons.
Mike Yalter
------------------------------
Date: Tue, 03 Mar 92 15:30:25 -0500
>From: James_Williams%ESS%[email protected]
Subject: Re: Drug Rehad - Stoned (PC)
Vesselin Bontchev writes:
>Two possibilities. Either get a better disinfector,
Which disinfector would you recommend? I thought that McAfee was one
of the better.
>or (preferred) get a MS-DOS 5.0 system diskette (should be write
>protected). Go to every computer, boot from that diskette, and run
>FDISK /MBR. Should remove the virus without problems.
Most of the infected computers are running DOS 3.3. Will using a
MS-DOS 5.0 system disk and FDISK /MBR work on these computers?
- --------------------------------------------
| James Williams                             |
| Bitnet:    JWW%ESS%[email protected]         |
| Internet:  [email protected]                |
| CompuServ: 70304,2462                      |
- --------------------------------------------
------------------------------
Date: Tue, 03 Mar 92 14:32:00 -0600
>From: Bernadette Feyerharm <[email protected]>
Subject: Will these find Mich? (PC)
Will F-prot 2.01 or vshield72 or scanv72 detect the Mich virus?
Bernadette
------------------------------
Date: Wed, 04 Mar 92 10:12:56 -0600
>From: Werner Uhrig <[email protected]>
Subject: WARNING: MBDF-A can spread on Plus and SE using System 7 (Mac)
further investigation into the matter has revealed, that
the earlier posted information (that MBDF is inert on Plus
and SE) applies only when using a System earlier than 7.
on a Plus or SE running under an os version 7.0 or later,
the virus does indeed spread (I am told). But there is no
excuse for not having installed the latest version of some
anti-viral by now even on a 512... ;-)
- ----
Internet:  [email protected]
BITnet:    werner@UTXVM
UUCP:      ...!uunet!cs.utexas.edu!werner
AppleLink: [email protected]@Internet#
- -----
He who will not reason, is a bigot; he who cannot is a fool;
and he who dares not is a slave. --- Sir William Drummond
------------------------------
Date: Wed, 04 Mar 92 10:32:43 -0600
>From: Werner Uhrig <[email protected]>
Subject: WARNING: Macintosh users of PC-emulators, beware of PC-viruses (Mac)
Macintosh users of PC-emulating hardware or software should be
conscious and aware that they are threatened by PC-viruses
(such as Michelangelo) and that as part of their emulation
environment set-up it is HIGHLY RECOMMENDED to install some
mix of PC-antiviral software. Installation of anti-virals
in your Macintosh System Folder may (MAY!!) protect your
Macintosh partitions, but they are (probably) of little or
no help when your PC disk partition is attacked by PC critters.
If and when I have more specific information needed by the user
community to protect from the threat of PC critters in an
emulation environment running on a Macintosh, I will post
such information here again.
- ----
Internet:  [email protected]
BITnet:    werner@UTXVM
UUCP:      ...!uunet!cs.utexas.edu!werner
AppleLink: [email protected]@Internet#
- -----
He who will not reason, is a bigot; he who cannot is a fool;
and he who dares not is a slave. --- Sir William Drummond
------------------------------
Date: Tue, 03 Mar 92 12:52:05 -0600
>From: [email protected]
Subject: Bulk Erasers
Using a permanent magnet to erase disks is not really a good idea.
While the magnetic field definitely will destroy the data and
formatting of the disk, it will not really erase the disk. The medium
is left in a state of magnetization in which all the particles are
either set to 1 or 0, so to speak. Moving it around in a wiping motion
will most likely result in a large portion of the media being
magnetically oriented one way and another large portion oriented
another way. When the disk spins, the effect on the head is like a
very low frequency alternating current being introduced into the
system.
The reason that an electromagnet is the best choice is that the field
is in a constant state of flux, never staying the same magnetic
orientation or intensity. As the disk is moved away from it, the
fields become progressively weaker until they have no more effect.
The end result is a magnetic medium with no magnetic orientation or
bias on it, at all. All the advantages of an electromagnet, however,
are for nothing if you cut the power to it while the disk is within a
few centimeters of the eraser. This will leave the disk magnetized
just like a permanent magnet would have done. If you do accidentally
turn off the eraser while using it on a disk, just re-erase that disk
again properly to demagnetize it.
Martin McCormick
Amateur Radio WB5AGZ
Oklahoma State University
Computer Center
Data Communications Group
Stillwater, OK
------------------------------
Date: Tue, 03 Mar 92 20:53:20 +0000
>From: [email protected] (Steve Fuller)
Subject: Re: Manufacturing of software (GENERAL)
[email protected] (Michael Purcell) writes:
> Can anyone respond to (a) How do software publishers tend to produce
>the physical disks -- in house or by contract to another business, (b)
>How is this software copied to the disks (xx thousands of copies), and
>(c) How often and what type of quality checks are being performed?
This is how software duplication was done at the small company I worked
for this past summer. It is not an official policy or statement from
that company.
a) We produced our own disks in house. Usually this was done by
anywhere from one to three people in a duplication room.
b) The equipment used was made by a company called, I believe, Trace
or Tracer. It consisted of a dedicated UNIX box and a bunch of
duplication units. When the programmers finished the program and were
ready to duplicate it, they brought down a master disk for us to copy
onto the UNIX box. One image for 720K disks and one for 360k disks.
The machine was then programmed as to how many copies we wanted to
make of each disk, and what tracing units each program was being
duplicated on. If we had 10 duplication units hooked up to the system,
we could use all of them to make one program, duplicate a different
program on each unit, or any combination thereof. The disks were
loaded into hoppers by hand after being labeled and counted. The run
was then started and all we had to do was wait for it to finish and
occasionally replenish the hoppers. The majority of the disks are
write protected straight from the disk maker itself. The copiers are
able to copy the disk w/o worrying about the notches or tab positions.
The disks themselves were duplicated and then verified by the
unit it was copied on. If it failed, it got chucked into a
separate holding area from the good ones. The bad disks were sent
back to the manufacturer for replacement. As a side note, the
particular machines we ran took 15 seconds to duplicate and
verify a 360K disk and 30 seconds to do the same on a 720K disk.
c) As far as quality checks performed, there was the verification
of the disk by the duplication unit itself. The company also made
its own anti-viral software, so I am assuming that the masters
were carefully checked, as were all of the machines that the
programmers worked on, but I do not know this for sure.
The company itself is small. Everyone knows everyone so worrying
about virii getting into the software is not an every day
occurrence. There are also security badges that are required to be
worn by everyone that works there.
> I'm sure that there are as many variations as there are companies,
>but I'm wondering what the normal practice is. Personally, I never
>trust any software with regards to viruses irregardless of the source.
>But it is frustrating to hear of these reports of Michelangelo being
>distributed via commercial software. Maybe it is time for the lawyers
>to test the laws concerning merchantability.
I hope that this sheds some light on what at least ONE company
does in order to duplicate software...
- ---------------------=---------------------------------------------------
Steve Fuller = Critics are like eunuchs in a harem. They know
Net.nerd = how it's done, they've seen it done every day,
[email protected] = but they're unable to do it themselves. B. Behan
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 54]
*****************************************