Received: from fidoii.CC.Lehigh.EDU by abacus.hgs.se (5.65c/1.5)
id AA17739; Fri, 5 Mar 1993 18:34:46 +0100
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA07552 (5.67a/IDA-1.5 for <[email protected]>); Fri, 5 Mar 1993 12:10:21 -0500
Date: Fri, 5 Mar 1993 12:10:21 -0500
Message-Id: <[email protected]>
Comment: Virus Discussion List
Originator: [email protected]
Errors-To: [email protected]
Reply-To: <[email protected]>
Sender: [email protected]
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #40
Status: RO
VIRUS-L Digest Friday, 5 Mar 1993 Volume 6 : Issue 40
Today's Topics:
Scanners getting bigger and slower
Of guns, viruses, and geography (was re: your opinions...)
Viruses in other populations
Re: Sale of Viri
Central Point Antivirus and Stacker (PC)
EXE/COM switch (PC)
How can you recover a hard drive from joshi? (PC)
Re: PC Magazine reviews virus software (PC)
PC Magazine on Anti-Virus (PC)
Validate values for Vshield v102 (PC)
Re: Unloading TSRs (was: scanners) (PC)
Re: Why only PC's?
re: Laws and Viruses
re: standardization (PC)
Re: Virus Development Programs (PC)
Re: wordperfect virus? (PC)
Re: Virus Development Programs
Identification needed for a Virus Message (PC)
Re: Effect of Form (PC)
Removal of Michelangelo (PC)
Financial firms open meeting Thursday on Trade Center recovery
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to [email protected]. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk, [email protected]
----------------------------------------------------------------------
Date: Sun, 28 Feb 93 12:38:00 +0100
From: [email protected] (Inbar Raz)
Subject: Scanners getting bigger and slower
Vesselin Bontchev writes:
> Bigger - yes. Slower - not necessarily. First, not everybody's scanner
> has a different signature for any different virus. There are a lot of
> scanners around that report "Jerusalem variant" for a couple of
> hundreds of different viruses, the only common thing being that they
> are indeed derived from the old Jerusalem virus. In most cases, all
> those variants are detected with 1-2 signatures. But, as more and more
> viruses appear, scanners must necessarily get bigger and use more
> memory.
You know, Vesselin, I thought of a different approach to use when the day
comes that there are too many viruses.
Instead of having one big, huge, turtle-speed scanner, you would have, say, 4
scanners.
One for stealths, one for common viruses, one for encryptive and one for rare.
Thus, you would use them at different frequencies, and each would run faster
and better.
Comments?
Inbar Raz
- - --
Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
[email protected]
- ---
* Origin: Inbar's. (9:9721/210)
------------------------------
Date: Thu, 04 Mar 93 09:15:06 -0500
From: ROBERT HINTEN 617-565-3634 <[email protected]>
Subject: Of guns, viruses, and geography (was re: your opinions...)
[email protected] (Dudley Horque) writes:
>[email protected] (Vesselin Bontchev) writes:
>>
>>You see, there are BIG differences between the local laws in the
>>different countries. You shouldn't assume that something is legal or
>>illegal (and should remain so) just because it is so in your
>>particular country. On the other side, computer viruses do not
>>recognize country boundaries...
>That's USAns for you.
While I'm sure (hope) other USAns will respond, I hasten to point out that
the original poster was Canadian:
>Date: Tue, 23 Feb 93 19:00:00 -0500
>From: Luis Gamero <[email protected]>
>Subject: your opinions on virus legality
>
>No. If you keep it in your OWN possession how could it be illegal?
>You can own a gun and not use it. That's not illegal.
>- --
>Canada Remote Systems - Toronto, Ontario
>416-629-7000/629-7044
[email protected] (Dudley Horque):
>But everyone else gets the last laugh... many of their kids in secondary
>education cannot even point out where USA is on a map.
There are indeed USAns in secondary education that have trouble with
geography (as I'm sure do a proportionate number of Australians), but can't
find USA on a map? That stretches credibility. My soon-to-be-five-year-old
daughter can not only locate her country, state, county, city, and
street on a map, but can also find Australia on a globe, and does quite
well with most European and Mid-Eastern countries (was going to include
eastern Europe, but lately *I've* had trouble with that :-)).
The above notwithstanding, I fail to see the correlation between
proficiency in geography and the ability to create "dangerous" viruses.
>Still, this does cut down on the number of dangerous viruses that the
>USAns can write.
Can we infer that certain Bulgarians (i.e., Dark Avenger) can handle a map
blindfolded?
==========================================================================
Monty Hinten
[email protected]
Information Security Officer (617)565-3634
US EPA, Region I
Boston, MA *USA*
==========================================================================
------------------------------
Date: Thu, 04 Mar 93 11:07:39 -0500
From: [email protected]
Subject: Viruses in other populations
>I have a question. Why is it that all the virus discussions are about
>PC's and Mac's? There ARE other computers out there. What about NeXt,
>C-64, Amiga's. I never see hardly anything on those types of computers.
>Is it possible those types don't have as many virus problems as PC's?
There have been a number of answers to this question. I would like to
suggest two more.
The first is that one of the conditions for the success of a virus is
population size and density. Consider the case of a one-of-a-kind
computer. A virus makes no sense in that context. It does not make
much more sense in the case of two, or any small number of computers.
If you introduce Herpes Simplex ("Chicken Pox") into a sterile population
of 10K people, about 10 percent will die, most of the remainder will
become immune, and Herpes will die out. On the other hand, if you
introduce it into a population of 100K, it will prosper. The reason is
that the target population will replenish itself, from the bottom, at a
rate sufficient to ensure that the virus will always have a new place to
go. It is in part for this reason that we call chicken pox a
"childhood" disease. It is not that children are inherently more
vulnerable to the virus than adults, but that all of the adults are
either immune or dead.
So it is with computers. There is some minimum population size that is
required for the continued successful spread and persistence of the
virus. We do not know what that size is. We know clearly that the PC,
MAC, and Atari Amiga populations are large enough. We suspect, but do
not know for certain, that most of the other populations are too small.
Another reason has to do with the extra-host persistence of the virus. The
successful viruses spread via diskette. This is a very slow mechanism, but
the virus is very safe and persistent on the diskette. Contrast this to the
internet (RTM, "All Souls") worm. It spread very rapidly, doubling in
tens of minutes. In part because of this rapid spread it was noticed,
and identified very rapidly, within hours. Because it had no extra-host
place to hide, it was eradicated within tens of hours.
We see a similar phenomenon with the spread of viruses in LANs. They
spread very rapidly, are noticed early, and copies on servers and even
workstations can be eliminated fairly rapidly. However, here, during
the infection, many copies were created on diskette. These are
difficult to identify and eradicate. If we are both diligent and lucky,
we may find about half; the remainder are waiting to infect us again.
William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL
------------------------------
Date: Thu, 04 Mar 93 12:34:31 -0500
From: [email protected] (A. Padgett Peterson)
Subject: Re: Sale of Viri
>From: Doug <[email protected]>
This was addressed to Vesselin but since it appears to come from a source in
the USA & reflects a viewpoint I hoped had disappeared in this country, I have
some comments.
>You are simply mistaken, sir. Distributing virus code to those who want it
>is NOT a very wrong thing which should never be done. You are talking about
>censorship.
As far as I know, in the United States there are no laws against the sale
or sharing of viruses between two consenting parties (am sure to be corrected
if wrong), primarily since there is no consistent definition of what a virus
is, and secondly they are not all proven to be bad (I have an opinion but that
has nothing to do with the law).
Similarly, I have very strong views on a number of subjects (abortion is one)
BUT do not feel that I have any right to impose those views on anyone else.
One of those views is not to distribute viral code to anyone who I do not
personally know is capable of proper handling. This is my prerogative.
> You are telling ME, and the rest of us, that we are not as knowledgeable
>about virus code as you are, therefore we may not have it, but you can.
>I don't like that.
Tough.
What you are saying is that you think that you have a "right" to viral code.
By whose grace? You are saying I do not have a right to my ethical and moral
decision not to distribute it. What will you want next? The vulnerabilities
that some of us have discussed privately (and thank heaven we have not seen
yet). Sorry.
So you want to learn viruses. Viruses are just a special case of programming
and if you really understand the architecture then how they work is self-evident.
Probably you can find someone who will allow you to specialize
before you are a generalist (am told that before Picasso would take on
a student, he required the ability to paint a flower with photographic
quality), but it will not be me.
Warmly,
Padgett
------------------------------
Date: Sun, 28 Feb 93 12:34:00 +0100
From: [email protected] (Inbar Raz)
Subject: Central Point Antivirus and Stacker (PC)
[email protected] writes:
> I use stacker, and recently have begun Internet, etc. I have Central
> Point Antivirus, but haven't installed it yet. Stacker manual warns
> against using some antivirus packages, but doesn't cite which not to
> use.
> Are Central Point Antivirus and Stacker compatible?
I wouldn't use Central Point AntiVirus, REGARDLESS of its stacker
compatibility.
I haven't seen even ONE version or release that didn't have a stupid bug, or
nonsense written inside it.
Inbar Raz
- - --
Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
[email protected]
- ---
* Origin: Inbar's. (9:9721/210)
------------------------------
Date: Sun, 28 Feb 93 12:35:00 +0100
From: [email protected] (Inbar Raz)
Subject: EXE/COM switch (PC)
> From: [email protected] (Donald G Peters)
> I will also leave it to an enterprising individual to
> determine whether COMMAND.COM will run if it is renamed
> to COMMAND.EXE (with the appropriate change to the COMSPEC
> variable in CONFIG.SYS). Personally, I doubt it, but
> perhaps a simple modification to the boot sector may make
> this possible. I think a utility in this regard would be
> very nice!
One reason NOT to do it is that a lot of programs issue a shell to DOS by
calling COMMAND.COM. They don't even bother looking for COMSPEC.
Inbar Raz
- - --
Inbar Raz 5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210
[email protected]
- ---
* Origin: Inbar's. (9:9721/210)
------------------------------
Date: Sun, 28 Feb 93 13:20:00 +0100
From: [email protected] (Amir Netiv)
Subject: How can you recover a hard drive from joshi? (PC)
[email protected] (Murray Karstadt) asks:
> Can a hard drive once its been attacked by joshi be recovered?
It depends.
According to the description, it is not likely that the virus that infected
you was necessarily Joshi, since this is a boot sector virus and will infect
only if you boot from an infected floppy. This does not seem to be the case.
It looks like your "old Anti Virus" had a false detection that caused it to
CLEAN something that wasn't there. The result is that the Master Boot Record
of your Hard Disk was overwritten by rubbish.
If you absolutely know what you are doing (or have nothing to lose), here's
what you should try to do:
- - If your disk is an MS-DOS formatted disk, using DOS 3.XX or higher, and
with no DISK-MANAGER driver included, just reboot the PC from a clean MS-DOS
5.0 floppy and run
FDISK /MBR.
- - Reboot the PC. If it does not load, you will have to edit the partition
table and set the correct parameters of Beginning / End location of your
drive, rebooting after each attempt and checking if you have access to the
disk.
(Norton's DISKEDIT might come in handy in this case).
A good solution could be if you have another disk of the same configuration:
Read the Partition Table from it and Write it to the damaged disk's Partition
Table.
Regards
* Amir Netiv. V-CARE Anti Virus, head team *
- --- FastEcho 1.21
* Origin: <<< NSE Software >>> Israel (9:9721/120)
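The post above ends with editing the partition table by hand and checking after each reboot. As an added example (not from the original post or from V-CARE), the script below decodes the four partition entries of an MBR sector and reports the inconsistencies a disk-editor user would look for before deciding that the table is rubbish; both sample sectors are constructed, not taken from a real disk.

```python
"""Sanity-check a DOS master boot record (MBR) partition table.

Added example, not part of the original digest or of any product named in
it: it decodes the four 16-byte partition entries that the post says may
need repairing by hand (begin/end location) after a bogus "clean" overwrote
the MBR with rubbish, and reports the inconsistencies a disk-editor user
would look for. Both sample MBRs below are constructed, not from a real disk.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE        # four 16-byte entries live at 0x1BE..0x1FD
SIGNATURE_OFFSET = 0x1FE    # 0x55 0xAA boot signature ends the sector
BOOT_SIGNATURE = 0xAA55     # little-endian view of those two bytes
ENTRY_FORMAT = "<B3sB3sII"  # status, start CHS, type, end CHS, LBA start, LBA size


def decode_chs(packed):
    """Unpack a 3-byte CHS field into (cylinder, head, sector)."""
    head = packed[0]
    sector = packed[1] & 0x3F
    cylinder = ((packed[1] & 0xC0) << 2) | packed[2]
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; used only to build the constructed samples."""
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def parse_mbr(mbr):
    """Return the signature check and the four decoded partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature_ok = struct.unpack_from("<H", mbr, SIGNATURE_OFFSET)[0] == BOOT_SIGNATURE
    entries = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FORMAT, mbr, TABLE_OFFSET + 16 * i)
        status, start_chs, ptype, end_chs, lba_start, lba_size = fields
        entries.append({
            "index": i, "status": status, "type": ptype,
            "start_chs": decode_chs(start_chs), "end_chs": decode_chs(end_chs),
            "lba_start": lba_start, "lba_size": lba_size,
        })
    return {"signature_ok": signature_ok, "entries": entries}


def check_mbr(mbr):
    """List the problems found; an empty list means every check here passed."""
    table = parse_mbr(mbr)
    problems = []
    if not table["signature_ok"]:
        problems.append("boot signature 0x55AA missing at offset 0x1FE")
    used = [e for e in table["entries"] if e["type"] != 0x00]
    if not used:
        problems.append("partition table is empty")
    active = [e for e in used if e["status"] == 0x80]
    if len(active) != 1:
        problems.append(f"expected one active partition, found {len(active)}")
    for e in used:
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {e['index']}: status byte 0x{e['status']:02X} is not 0x00/0x80")
        if e["lba_size"] == 0:
            problems.append(f"entry {e['index']}: zero-length partition")
        if 0 in (e["start_chs"][2], e["end_chs"][2]):
            problems.append(f"entry {e['index']}: CHS sector number 0 is invalid")
    # Partitions must not overlap: sort by LBA start and compare neighbours.
    by_start = sorted(used, key=lambda e: e["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["lba_size"] > b["lba_start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return problems


def build_mbr(entries, with_signature=True):
    """Assemble a 512-byte sector from packed entries (sample construction only)."""
    mbr = bytearray(SECTOR_SIZE)
    for i, packed in enumerate(entries):
        mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)] = packed
    if with_signature:
        struct.pack_into("<H", mbr, SIGNATURE_OFFSET, BOOT_SIGNATURE)
    return bytes(mbr)


# Constructed healthy disk: 614 cylinders x 16 heads x 17 sectors, one active
# BIGDOS (type 0x06) partition from C0/H1/S1 (LBA 17) to C613/H15/S17.
GOOD_MBR = build_mbr([struct.pack(ENTRY_FORMAT, 0x80, encode_chs(0, 1, 1), 0x06,
                                  encode_chs(613, 15, 17), 17, 166991)])

# Constructed "rubbish" MBR: table filled with 0xFF bytes and no signature,
# the kind of result the post attributes to a false-positive clean.
BAD_MBR = bytes(TABLE_OFFSET) + b"\xff" * 64 + bytes(2)

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("rubbish", BAD_MBR)):
        print(name, check_mbr(sector) or "OK")
```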
------------------------------
Date: 01 Mar 93 21:32:00 +0000
From: bill.lambdin%[email protected] (Bill Lambdin)
Subject: Re: PC Magazine reviews virus software (PC)
Quoting from Christopher Yoong-meng Wo to All About Re: PC Magazine reviews v on 02-28-93
CY> I am embarassed. Some of you might jump on me for this, so I should
CY> clarify this before others do. I should have been more thorough with
CY> my reading before posting the above. The PC Magazine article does
CY> indeed review the Mc Afee products, under the name of "Pro-Scan", a
CY> commercial product. Also, F-prot's engine was present in 3 of the
McAfee's Pro Scan and Virus Scan (shareware) are two different products.
McAfee's Pro Scan is also sold under two other names: Virus Cure (from
I.M.S.I) and Virucide (from Parson's Technology).
The latest revision that I have seen is 2.37. There may be a later one by
now.
Bill
- ---
* WinQwk 2.0 a#383 * DATACRIME II activates Oct 13 - Dec 31
------------------------------
Date: 01 Mar 93 21:26:00 +0000
From: bill.lambdin%[email protected] (Bill Lambdin)
Subject: PC Magazine on Anti-Virus (PC)
Quoting from [email protected] to All About PC Magazine on Anti-Virus on 02-28-93
J > Do people in this group support Pc Mag's Editor's Choice Awards to
J > Central Point Anti-Virus and Norton's Anti-Virus? I thought the best
J > protection was McAfee's SCAN backed up by F-PROT or vice-versa.
I do NOT support PC-Magazine's Editors Choice.
They may be accurate, and the tests appear to be thorough.
If they had tested the 70 or 80 common viruses known to be in the wild,
their tests would have been more valid.
I find it very hard to believe that there are more than 2,000 specimens
known, and 70 or 80 common viruses known to be circulating in the wild,
and they feel that 11 viruses are enough to use for testing purposes.
Bill
- ---
* WinQwk 2.0 a#383 * VICTOR activates any Wednesday
------------------------------
Date: Thu, 04 Mar 93 09:14:54 -0500
From: RON MURRAY <[email protected]>
Subject: Validate values for Vshield v102 (PC)
In Virus-L Digest V6 #37, [email protected] (McAfee Associates) writes:
[...]
> VALIDATE VALUES
[...]
> VSHIELD 5.22V102 (VSHIELD.EXE) S:45,724 D:02-27-93 M1: 06BB M2: 066C
^^^^
The .doc file, and the results of running Validate on this file, both give
a value of 06EB here. I assume it's just a typo, but perhaps Aryeh can confirm
the correct value here, just in case I have a hacked copy?
.....Ron
***
Ron Murray
Internet: [email protected]
"Women are like elephants to me -- I like to look at 'em, but I wouldn't
want to own one." -- W. C. Fields
------------------------------
Date: Thu, 04 Mar 93 09:15:16 -0500
From: Y. Radai <[email protected]>
Subject: Re: Unloading TSRs (was: scanners) (PC)
Inbar Raz writes:
>The problem with TSRs is that, as simple as they are to INSTALL resident, they
>are also easy to remove from memory.
>
>The moment a virus writer acquires your module, he can write a relatively
>small piece of code that will unload your TSR, without it knowing about it.
>A friend of mine once wrote an 80-byte routine to unload Carmel's TSafe. I
>believe that after a little research, I could unload almost anything.
80 bytes? Your "friend" worked too hard. TSafe can be unloaded with
just 8 bytes of code. But that's because Carmel's programmers
supplied an interrupt handler for unloading TSafe. In general, you
have to work a bit harder ....
Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]
------------------------------
Date: Thu, 04 Mar 93 10:35:45 -0500
From: "David M. Chess" <[email protected]>
Subject: Re: Why only PC's?
>From: [email protected] (Scott A. McIntyre)
>I'm sure that there is also the technical side of how viruses work --
>on a Unix machine, unless a virus is executed as root, then the damage
>would be limited most likely to one user's files, and could quickly be
>found...processes without owners can be tracked down and so on.
I agree with most of the rest of this posting, but this paragraph
misses the mark. Because viruses can spread from user to user
whenever one user has write access to a program that another user
has execute access to, a virus can spread to many users even in
a system with access controls. If it then does some damage (on
a certain date, say), it can damage the files of lots of users,
even if none of them happen to be root. Viruses don't have to
do any odd tricks like creating ownerless processes; all they
have to do is read and write files. Fred Cohen did some early
experiments in which a very simple virus spread within a Unix
system without any trouble. PC viruses cause lots of distress,
even though damage is in the same sense "limited... to one
user's files"! *8)
I think the reasons that we've not seen viruses in Unix
environments are more cultural than technical: sharing patterns
are very different, there's lots less exchange, a lower
density of machines in homes, and so on, as you said
earlier in your posting.
- - -- -
David M. Chess | "And like the clouds that turn to every
High Integrity Computing Lab | passing wind, we turn to any signal
IBM Watson Research | that comes through..." -- Eno/Cale
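The spreading condition Chess describes, one user having write access to a program that another user executes, is something an administrator can look for directly. The audit below is an added example (not from the original post or from IBM); it scans directories for executables writable by group or others, or sitting in a writable directory without the sticky bit, and exercises itself on a constructed temporary tree.

```python
"""Audit for programs that one user can write and another can execute.

Added example, not from the original digest: the post above points out that
a virus spreads whenever one user has write access to a program that another
user has execute access to, root or not. This scan lists executables whose
file, or whose parent directory, is writable by group or others, which is
exactly that precondition. The directory tree it inspects is constructed in
a temporary directory so the example runs anywhere.
"""
import os
import shutil
import stat
import tempfile

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH
ANY_EXECUTE = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_executables(directories):
    """Return (path, reason) pairs for executables that non-owners could alter.

    A file is reported when its own mode grants group/world write, or when it
    sits in a group/world-writable directory without the sticky bit, since
    such a directory lets anyone replace the file by renaming over it."""
    findings = []
    for directory in directories:
        try:
            dir_mode = os.lstat(directory).st_mode
        except FileNotFoundError:
            continue
        dir_replaceable = bool(dir_mode & GROUP_OR_WORLD_WRITE) and not (dir_mode & stat.S_ISVTX)
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not (mode & ANY_EXECUTE):
                continue  # only regular, executable files matter here
            if mode & GROUP_OR_WORLD_WRITE:
                findings.append((path, "executable is group/world writable"))
            elif dir_replaceable:
                findings.append((path, "directory lets others replace the file"))
    return findings


def _make_file(path, mode):
    """Create an empty file and force its mode regardless of umask (sample only)."""
    with open(path, "wb"):
        pass
    os.chmod(path, mode)


def demo():
    """Build a constructed tree, audit it, and return (basename, reason) pairs."""
    root = tempfile.mkdtemp(prefix="virus-l-audit-")
    try:
        bindir = os.path.join(root, "bin")        # properly locked-down directory
        scratch = os.path.join(root, "scratch")   # world-writable, no sticky bit
        shared = os.path.join(root, "shared")     # world-writable WITH sticky bit
        for d, mode in ((bindir, 0o755), (scratch, 0o777), (shared, 0o1777)):
            os.mkdir(d)
            os.chmod(d, mode)
        _make_file(os.path.join(bindir, "safe"), 0o755)        # fine
        _make_file(os.path.join(bindir, "loose"), 0o777)       # writable by all
        _make_file(os.path.join(bindir, "notes.txt"), 0o666)   # not executable
        _make_file(os.path.join(scratch, "tool"), 0o755)       # replaceable via dir
        _make_file(os.path.join(shared, "tool"), 0o755)        # sticky bit protects it
        results = audit_executables([bindir, scratch, shared])
        return [(os.path.basename(p), reason) for p, reason in results]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Point `audit_executables` at the directories on users' PATH to run it against a real system.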
------------------------------
Date: Thu, 04 Mar 93 10:43:49 -0500
From: "David M. Chess" <[email protected]>
Subject: re: Laws and Viruses
>From: [email protected] (A. Padgett Peterson)
> From a legal standpoint it might be enough to define a virus
>as "a sequence of instructions that intentionally performs an unwanted
>and undocumented modification within a computing system for which it is
>intended."
> Possibly "malicious software" would be a better term but IMHO
>the word "computer virus" has passed beyond any hope of control.
Gak! I normally avoid terminology disputes like the plague,
but why would we want to *codify* a loose popular usage of
an otherwise-useful word? Do we *enjoy* confusion? What
word are you going to use to talk about viruses (you know,
those things that spread)?
I tend to think:
- We don't need laws against viruses at all, since the
bad thing about viruses isn't that they spread, but
that they spread to (and otherwise exploit) systems
belonging to people that don't want them. *That's*
what ought to be illegal.
- We don't really need new laws against Trojan horses
(including the Trojan horse aspects of viruses), because
we already have laws to cover things like this in
general. (We don't need specific laws against
assault-with-tuna, because we have general laws
against assault.)
- If someone does decide to write a law against Trojan
horse things, it shouldn't use the word "virus" to
mean Trojan horse. The reasons not to are obvious,
and I can't think of any reasons to...
These are of course my own opinions, and not my employer's.
DC
------------------------------
Date: Thu, 04 Mar 93 10:54:34 -0500
From: "David M. Chess" <[email protected]>
Subject: re: standardization (PC)
>From: [email protected] (Amir Netiv)
>I think there is already a naming scheme present.
>It goes like this:
>McAfee gets a virus, Releases the next VIRLIST.TXT, and
>everyone just uses it. If a new virus appears that is not
>there, a name is given to it according to its behaviour,
>and so on...
Oh, do I wish it were that simple! The main problems are:
- Say some authority says "we've found a new virus, its
name is Blivet, and our scanner detects it as such".
Now someone else finds a virus, and that scanner identifies
it as "Blivet". Is it the same virus that the authority
first reported? The only way to tell for sure is if
that person has access to the original Blivet sample
(and virus collections probably shouldn't be
generally-available), or if someone has written a
program that does precise identification of the virus.
Writing such a program (or adding a description to an
existing program) is quite a bit more work than just
extracting a signature for a scanner, and there are
some complex issues about avoiding spoofing.
Does the user care whether or not he really has
the same Blivet virus as was originally named?
Yes! The new Blivet might have different behavior,
requiring different clean-up, and the user *must*
know that. "Cleaning up" a virus without knowing
exactly what it does is a contradiction in terms.
- Naming viruses based on behavior isn't as easy as
it sounds. Here's a brand-new virus. It goes
resident, and infects any file that's executed. It
has no payload. What do you call it? There are
probably hundreds of viruses like that. Naming
continues to be a hard problem; a good name would
be easy to remember, different from other names,
and have something to do with what the virus does.
It's generally impossible to do all three, though...
DC
------------------------------
Date: Thu, 04 Mar 93 18:27:48 +0000
From: [email protected] (John H. Kahrs)
Subject: Re: Virus Development Programs (PC)
[email protected] (Sgt Rock) writes:
>I just picked up the March 16th 93 issue of PC Magazine and was quite
>interested in the article on antivirus software. It discussed some virus
>development programs: The Phalcon/Skism Mass-Produced Code Generator, the
>Virus Construction Set, and the Virus Construction Laboratory.
>These programs sound scary to me. Does anyone out there know anything
>about them? Where do they originate and are they available for general
>use or are they controlled as they should be?
The code created by these programs is shoddy at best. They weren't
designed to create innovative viruses; there are a fixed number of
possible viruses that can be created and ALL are based on existing
models. I doubt that these programs are a threat at all. The people
that know anything about coding viruses will never use them and the
hateful people that just want to make a virus for malicious reasons
aren't connected to the community that makes the virus construction
kits available. To be totally safe from these programs, all one has to
do is create EVERY type of virus possible, and include them in
scanning programs. I admit this is not a very practical solution, BUT
I can't think of another way off the top of my head.
- -----------------------------------------------------------------------------
JJ Kahrs "Virtual Reality is like electronic LSD!"
Computer Science -News Journalist
OleMiss "VR doesn't have as good a price/performance ratio."
[email protected] -VR Researcher
[email protected]
- -----------------------------------------------------------------------------
------------------------------
Date: Thu, 04 Mar 93 18:21:23 +0000
From: [email protected] (Rawlin Blake)
Subject: Re: wordperfect virus? (PC)
[email protected] (Gerry Santoro - CAC/PSU 814-863-7896) writes:
>After scanning the past year's worth of VIRUS-L offerings I've seen
>this question asked before, but with no reply. Since it has now hit
>at my institution I will ask it again in the hopes that someone knows
>what is happening.
>
>A number of our lab machines are exhibiting very strange WordPerfect
>behavior. For example, very small user documents are growing to
>extremely large size, until they fill up available disk space. Scans
>with F-PROT do not identify any known virus.
>
>Can anyone clue me into what is happening? In all cases the version
>of WP5.1 is being run from a read-only volume of a Banyan network
>server.
This one is easy, I see it all the time.
The users are doing one of two things: using Shift-F10 and continually
retrieving the file within itself, or doing the same thing in F5 List
Files by ignoring the prompt "retrieve into current document?"
This is another example of what I teach in my classes and seminars. 99% of
all virus reports are: 1. user error 2. software problems 3. hardware
problems.
- ---
Rawlin Blake
[email protected]
No .sig is a good .sig
------------------------------
Date: 04 Mar 93 19:04:58 +0000
From: [email protected] (Paul Kerchen)
Subject: Re: Virus Development Programs
[email protected] (Sgt Rock) writes:
>I just picked up the March 16th 93 issue of PC Magazine and was quite
>interested in the article on antivirus software. It discussed some virus
>development programs: The Phalcon/Skism Mass-Produced Code Generator, the
From the PC-MPC documentation:
The Phalcon/Skism Mass-Produced Code Generator is a tool which
generates viral code according to user-designated specifications. The
output is in Masm/Tasm-compatible Intel 8086 assembly and it is up to
the user to assemble the output into working executable form. The
features of the PS-MPC include the following:
- Over 150 encryption techniques, randomly generated during
each run of the PS-MPC
- Compact, commented code, much tighter than VCL
- COM/EXE infections
- Two types of traversals
- Optional infection of Command.Com
- Critical error handler support
>Virus Construction Set, and the Virus Construction Laboratory.
Don't know about VCS (isn't that an Atari thing?), but VCL came before
PC-MPC and is similar (but with fewer features) to PC-MPC.
>about them? Where do they originate and are they available for general
>use or are they controlled as they should be?
Depends on what you mean by 'controlled'. VCL comes encrypted in a
zip file that requires a password to unzip it. The 'bad guys' want to
keep this toy to themselves. Other than that, though, all of these
should be available at your local underground BBS (certainly VCL and
PS-MPC are). So, I guess you could say there are no controls in the
sense that you mean.
| "Disembodied guttural noise need not make sense" |
| Paul Kerchen |
| [email protected] |
------------------------------
Date: Thu, 04 Mar 93 19:44:57 +0000
From: [email protected] (Nutan Malde)
Subject: Identification needed for a Virus Message (PC)
Recently one of our 486 machines displayed the following message:
Infected!!
There is a passkey to this virus. Enter the correct
key word and the effects of the virus will cease.
When we issued the command to change directories it would append the
word "Infected" to the directory path. It would not let us use the A or B
drives. I ran the latest version of F-Prot and it reported no
infections. Can anyone shed some light on which virus this could be?
I deleted the command.com and copied a clean version of command.com and
that seemed to get rid of the Infected message and we were able to
use all our programs again which it wouldn't let us before. However, I
am curious as to whether it is a virus or is someone changing stuff on
our system?
Any help would be appreciated,
Thanks in advance
Nutan Malde
[email protected]
- --
**************************************************************************
Nutan Malde Kalamazoo College
Internet Address: [email protected]
**************************************************************************
------------------------------
Date: Thu, 04 Mar 93 10:39:12 +0200
From: [email protected] (Eugene V. Kaspersky)
Subject: Re: Effect of Form (PC)
> We have just discovered that we have been infected by a strain of
> FORM. We do, however, suffer from lack of information about the effects
> of the virus. The virus infects the boot sector and I just read that
> it activates on certain days of the month, but what is the actual
> action of the virus when it activates?
This is a very dangerous virus. It hits the boot sector of floppy disks during
an access to them and the boot sector of the hard disk on a reboot from an
infected floppy disk. The virus acts on the 24th of every month. It
runs a dummy cycle while keys are pressed. If you work with a hard
disk, the data can be lost. The virus hooks int 9 and int 13h. It contains
the text "The FORM-Virus sends greetings to everyone who's reading this
text.FORM doesn't destroy data! Don't panic! Fuckings go to Corinne."
> This brings me to my next question: Is it possible to obtain a file
> somewhere giving a brief description of the action of various vira. I
How about 300K of ZIP ? :-)
> Another last question: Is there any information around about the virus
> TP4 (TP44)?
It's Yankee Doodle virus.
Regards,
Eugene
- --
- -- Eugene Kaspersky, KAMI Group, Moscow, Russia
- -- [email protected] +7 (095)499-1500
------------------------------
Date: Thu, 04 Mar 93 18:06:15 -0500
From: "Roger Riordan" <[email protected]>
Subject: Removal of Michelangelo (PC)
[email protected] (LEPRICAN~~~) writes:
> time. We tried McAfee v100, which would recognise the virus, but
> would not remove it from hard drives. It appears to be [Mich] when
> it is on a drive, but when it loads itself into memory, McAfee says
> it's [STONED].
> It seems to be easily removed from floppies, but the virus infects
> the partition table of hard drives, where McAfee cannot remove it.
> Does anyone have any suggestions on how to combat this virus?
It amazes me that anyone could still be unable to remove this virus.
Our program VET will remove it (and all the other remotely common
viruses) completely safely and almost automatically.
The original version (released in early 1989) put back the whole of
the hidden boot sector and I occasionally got reports of cases where
it had left a PC unbootable after removing Stoned.
Eventually I was able to examine a case where this had happened, and
worked out that dealers were booting from an infected master disk
before partitioning the hard disk. This meant that the partition
information in sector seven was no longer correct, and if you put
it back you would be unable to access the hard disk.
I promptly modified the program so it only puts back the partition
info if it knows the virus overwrites it, and released a revised
version in July 1989. We discovered (and named) Michelangelo, and
released a version of VET which dealt with it in February 1991.
Since 1989 our support staff have listened to hundreds of users
remove Stoned, Michelangelo and sundry other boot sector viruses,
and innumerable file viruses, and we can't remember any user
reporting that VET had rendered a previously accessible hard disk
inaccessible.
Although the dangers of putting back the whole of sector seven have
been well known for at least two years (1.), Clean still does so,
and still does not bother to check that sector seven is not itself
infected. We have verified that both faults are still present in
Clean 9.1V100.
Roger Riordan Author of the VET Anti-Viral Software.
[email protected]
1. R.H.Riordan VET; a program to detect & remove computer viruses.
Proc 4th Annual Computer Virus & Security Conference. NY 1991
CYBEC Pty Ltd. Tel: +613 521 0655
PO Box 205, Hampton Vic 3188 AUSTRALIA Fax: +613 521 0727
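The two rules Riordan describes, restoring only the boot code from the hidden copy while keeping the live partition table unless the virus is known to overwrite it, and refusing to restore a saved sector that is itself infected, can be expressed as a small disinfection routine. The following is an added example, not code from VET, Clean or the original post. The virus marker, the sample sectors and the `virus_overwrites_ptable` flag are constructed for illustration; the layout constants (partition table at offset 0x1BE, 0x55AA boot signature at 0x1FE) are the standard PC master boot record layout.

```python
"""Safe MBR restoration for a Stoned-style boot-sector infection.

Added example (not VET, not Clean, not code from the original post).
The virus marker and sample sectors are constructed; only the MBR layout
constants reflect the real PC disk format.
"""

SECTOR_SIZE = 512
PTABLE_OFFSET = 0x1BE          # four 16-byte partition entries start here
PTABLE_LEN = 64
BOOT_SIG_OFFSET = 0x1FE        # bytes 55 AA mark a valid boot sector
BOOT_SIG = b"\x55\xAA"

# Constructed (hypothetical) detection pattern for the example virus.
VIRUS_MARKER = b"EXAMPLE-BOOT-VIRUS"


class RemovalError(Exception):
    """Raised when a safe disinfection cannot be performed."""


def is_infected(sector: bytes) -> bool:
    """Constructed signature check over the boot-code area only."""
    return VIRUS_MARKER in sector[:PTABLE_OFFSET]


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector is 512 bytes and ends in the 55 AA signature."""
    return len(sector) == SECTOR_SIZE and sector[BOOT_SIG_OFFSET:] == BOOT_SIG


def restore_mbr(current: bytes, saved: bytes, virus_overwrites_ptable: bool) -> bytes:
    """Build a clean MBR from the infected sector 0 and the saved copy.

    current -- the MBR as it sits on disk now (infected)
    saved   -- the copy the virus stashed in a hidden sector ("sector seven"
               in the post); its partition table may be stale if the disk
               was partitioned after booting from an infected floppy
    virus_overwrites_ptable -- True only for viruses known to clobber the
               partition table, in which case the saved table is the only copy
    """
    if not has_boot_signature(current) or not has_boot_signature(saved):
        raise RemovalError("sector lacks 55AA boot signature; refusing to write")
    if not is_infected(current):
        raise RemovalError("current MBR does not match the virus; nothing to do")
    # Rule 2: the saved copy must itself be clean before it is written back.
    if is_infected(saved):
        raise RemovalError("saved sector is itself infected; need a different repair")
    # Rule 1: take the original boot code from the saved copy, but keep the
    # live partition table unless this virus is known to overwrite it.
    boot_code = saved[:PTABLE_OFFSET]
    table_src = saved if virus_overwrites_ptable else current
    ptable = table_src[PTABLE_OFFSET:PTABLE_OFFSET + PTABLE_LEN]
    clean = boot_code + ptable + BOOT_SIG
    assert len(clean) == SECTOR_SIZE
    return clean


def _sector(boot_code: bytes, ptable: bytes) -> bytes:
    """Constructed helper: assemble a 512-byte sector from its parts."""
    code = boot_code.ljust(PTABLE_OFFSET, b"\x00")
    return code + ptable.ljust(PTABLE_LEN, b"\x00") + BOOT_SIG


# Constructed sample data (first partition entry only; rest zero-filled).
ORIGINAL_CODE = b"\xEB\x3C\x90ORIGINAL-BOOTSTRAP"
LIVE_PTABLE = b"\x80\x01\x01\x00\x06\xFE\x3F\x7F\x3F\x00\x00\x00\xC1\xFF\x01\x00"
STALE_PTABLE = b"\x00" * 16   # table as it was before the dealer partitioned

INFECTED_MBR = _sector(b"\xEB\x1C\x90" + VIRUS_MARKER, LIVE_PTABLE)
SAVED_SECTOR7 = _sector(ORIGINAL_CODE, STALE_PTABLE)


def demo() -> dict:
    """Run the safe repair and contrast it with a whole-sector put-back."""
    clean = restore_mbr(INFECTED_MBR, SAVED_SECTOR7, virus_overwrites_ptable=False)
    result = {
        "boot_code_restored": clean[:len(ORIGINAL_CODE)] == ORIGINAL_CODE,
        "ptable_kept_live": clean[PTABLE_OFFSET:PTABLE_OFFSET + 16] == LIVE_PTABLE,
        "still_infected": is_infected(clean),
        # Copying the whole saved sector back would carry the stale table.
        "naive_loses_partitions":
            SAVED_SECTOR7[PTABLE_OFFSET:PTABLE_OFFSET + 16] != LIVE_PTABLE,
    }
    try:
        restore_mbr(INFECTED_MBR, INFECTED_MBR, virus_overwrites_ptable=False)
        result["refuses_infected_saved"] = False
    except RemovalError:
        result["refuses_infected_saved"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive path shown in `demo` is the failure Riordan traced to dealers booting from an infected master disk: the hidden copy's boot code is good but its partition table predates partitioning, so writing the whole sector back leaves the drive unreadable.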
------------------------------
Date: Thu, 04 Mar 93 12:48:27 -0800
From: Richard W. Lefkon <[email protected]>
Subject: Financial firms open meeting Thursday on Trace Center recovery
SIXTH INTERNATIONAL COMPUTER SECURITY & VIRUS CONFERENCE and Exposition
sponsored by DPMA Fin.Ind.Chapter in cooperation with
ACM-SIGSAC, BCS, CMA, COS, EDPAAph, ISSAny, NUInyla, IEEE Computer Society
Box 894 Wall Street Station, NY NY 10268 (800) 835-2246 x190
FINANCIAL FIRMS OPEN MEETING THURSDAY ON TRADE CENTER RECOVERY
--------------------------------------------------------------
To address the technical side of network and computer terrorism recovery
while information systems personnel are interested, a special public forum
of industry leaders has been scheduled for next Thursday March 11, entitled,
"Trade Center Crisis Recovery." The in-depth panel will include eight
industry representatives - from four affected financial firms that successfully
resumed business after Friday's disaster, and four suppliers that helped them.
The panel will be housed in next week's Sixth International Computer Security
& Virus Conference at the Madison Square Garden Ramada, co-sponsored by the
eight computing and networking societies.
With damage estimates already in the multi-billions, Sally Meglathery,
Electronic Security Head for the New York Stock Exchange and a scheduled panelist,
warns financial data keepers: "Review [your] restart recovery procedures to
be sure that you have adequate backup to recover from an attack."
Other than state and federal offices, the main corporations inhabiting the
famed skyscraper are indeed banks (First Boston, Sumitomo, Dai-ichi), brokers
(Dean Witter, Shearson, Salomon, Mocatta and the Commodities Exchange) and
insurance companies (Hartford and Guy Carpenter). Each type will send a
representative, as will some service firms.
William Houston, Eastern Region Head for Comdisco Data Recovery, notes that
"This is the second time in three years an electrical disaster has completely
shut down" the famed twin skyscraper. His firm helped rescue the computer,
networking and "back office" operations of two dozen downtown firms in response
to the August 13, 1990, electrical substation fire.
"We have some major customers in the Towers," notes Houston, "and while
preserving their anonymity I intend to plainly tell the Thursday audience just
what worked this time and what didn't."
Michael Gomoll, an executive with competitor CHI/COR Information Management,
says the terrorist act will have three key results: "Direct loss of
revenues, effects on global markets and businesses, and concerns of the
business insurance profession." Ironically, CHI/COR, a firm specializing
in disaster recovery, was itself assaulted by the crippling Chicago flood
of April 13, 1992. As part of his presentation, Gomoll intends to explain
how cable conduits played an important role in both disasters.
Last fall, the conference now hosting this "Trade Center Crisis Recovery"
roundtable, received what now seem prophetic words in its greeting from Mayor
David Dinkins: "As the telecommunications capital of the world . . . we are
also extraordinarily susceptible to the various abuses of this technology."
Another irony has to do with the "Meet the Experts" reception at the
Empire State Building Observatory following the forum. In previous years,
the hosting conference has had its skyline reception at Top of The World,
located within the Trade Center. That spot will not open this month.
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 40]
*****************************************