Date: Fri, 2 Apr 1993 10:43:23 -0500
Message-Id: <[email protected]>
From: "Kenneth R. van Wyk" <[email protected]>
Reply-To: <[email protected]>
To: Multiple recipients of list <[email protected]>
Subject: VIRUS-L Digest V6 #55
VIRUS-L Digest Friday, 2 Apr 1993 Volume 6 : Issue 55
Today's Topics:
Re: Should viral tricks be publicized?
Obtaining info on viruses?
Re: Latest list of viruses
Booting password (PC)
What is the Genb or Form Virus??? (PC)
Re: Boot virus or false positive? (PC)
New viruses warning (PC)
Re: Virus signature determination. (PC & Unix)
D2 virus (PC)
Re: Catch from DIR? (PC)
RE: PC-TOOLS 8.0 (PC)
Re: PC-Tools 8.0 (PC)
Cerfu (?) virus ... (PC)
Re: Windows Virus (PC)
Information Needed (PC)
Zenith Hard Disk Boot (PC)
Re: variants of Michelangelo (PC)
Re: Virstop 2.07 (PC)
Problems with DOS 6.0 Microsoft Anti-Virus (PC)
McAfee against f-prot virus programs (PC)
April Viruses? (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name. Send contributions to [email protected]. Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list. A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<[email protected]>.
Ken van Wyk, [email protected]
----------------------------------------------------------------------
Date: Thu, 01 Apr 93 02:13:24 +0000
From: [email protected] (ssg512k)
Subject: Re: Should viral tricks be publicized?
[email protected] (Donald G Peters) writes:
>YR pointed out that IR was "contributing" to forums (eg, Fidonet)
>which are used by "bad guys". (re: anti-debugging techniques).
>This is just one small fact, but I thought it was worth raising.
another 'small fact' worth raising:
virus exchange sites exist -everywhere-. academic sites, .mil sites,
gov sites, lots of places.
it is disturbing to see a good source of information (i.e. an
information resource) maligned in the manner fidonet is often maligned.
i personally have a fidonet bbs. sure, bad guys make use of the info
passed thru the fido network..but they make use of the information
passed thru the internet to a -much greater degree-. if someone is going
to call Fidonet a 'forum used by bad guys', then they should at least
be reminded of the virus exchange sites located on some of the same
networks as the CERT teams in some cases. (Ken, you know what i'm
talking about here, i think).
it takes work to keep that sort of pestilence in control. we don't need
to kill the good info resources to stop the 'bad guys'.
let's encourage people to make use of the many good information resources
that are available to help them learn about how to prevent viruses and
make 'compurity' ((c) 1992, 1993 sara gordon) a reality. we can't do that
if we are saying system x,y,z is bad because it has some loud-mouthed technopathic
idiots making fools of themselves from time to time, now can we? :)
------------------------------
Date: Thu, 01 Apr 93 14:15:19 +0000
From: [email protected] (Andrew Murdoch)
Subject: Obtaining info on viruses? (PC)
I would like to update my knowledge and understanding of how different types
of viruses (in general) are implemented. I can see why this type of
information might be restricted; is there any documentation I should read?
E-mail responses preferred.
Thanks, Andrew
------------------------------
Date: Thu, 01 Apr 93 20:22:08 +0000
From: [email protected] (UMR Usenet News Post)
Subject: Re: Latest list of viruses
The humorous viruses listed in the previous article first appeared
in PC Computing magazine. It started with Mike Edelhart's August 1992
column where he roasted politicians with viruses named after them and
encouraged his readers to send in virus descriptions. Many of the
responses were listed in the "Letters" section of PC Computing in
the November 1992 issue.
This leads to the question, is it legal to re-distribute these over
Usenet or would it be OK anyway since they were only letters and not
(as far as I know) copyrighted articles? Would it be illegal to
distribute Mike's original article over the Usenet but not the
subsequent letters?
[Moderator's note: I was not aware that the list was published in a
magazine; had I known, I would have contacted the magazine and asked
for permission to re-print, as I've done in the past.]
--
Scott Hayes
[email protected] [email protected] Standard Disclaimers Apply
"We have become too proud to pray to the God that made us!" --Abraham Lincoln
------------------------------
Date: 30 Mar 93 15:18:23 -0600
From: [email protected] (Teerawat Pawittranon)
Subject: Booting password (PC)
Hi All,
A DTK 386SX in our lab was messed around with (or virus infected). It would not
boot; actually, after the memory is checked, it asks for a booting password.
Normally we could activate the setup program (hold down the Esc key while
booting up) and change the password and we would be all set. This time it
would not go to the system setup utilities at all. The screen says that the
setup has been invoked but still asks for the booting password!
I have disconnected the system battery hoping the CMOS setup would be gone
and trigger the setup routine when I boot it the next day. The problem
still persists! I have tried adding memory, disconnecting drives (HD and FD)
and could not get it to run system setup at all!
Does anyone have any idea what is going on? Virus?
Thank you very much in advance for any help or info.
Tee
------------------------------
Date: Wed, 31 Mar 93 09:23:29 -0500
From: [email protected]
Subject: What is the Genb or Form Virus??? (PC)
Hi,
Yesterday one of our machines contracted the Genb virus at boot up. When I
cleaned it off it said that it was the Form virus. I suppose one is a
variant of the other. I have not been able to find any information on
either of these viruses and what they do, or how dangerous they are.
Thanks for your information.
Chris Kunselman
========================================================================
Chris Kunselman University of Pittsburgh
Systems Analyst 200 Scaife Hall
[email protected] Falk Library, MMC
(412)648-7335 Pittsburgh, PA 15261
========================================================================
------------------------------
Date: Wed, 31 Mar 93 11:30:19 -0500
From: Lomba <[email protected]>
Subject: Re: Boot virus or false positive? (PC)
Elizabeth writes about her problem.
All I can say is my experience: when I load bootsafe and vsafe or vwatch of
CPAV in memory at startup, then F-Prot finds a BSV (boot sector virus). This
is due to the code of the antivirus. I think it is a false positive (I hope).
You can ask [email protected] for two files, get_mbr.exe and
put_mbr.exe, so in the future you'll be able to replace what is no good.
Try not to load the TSR antivirus, THEN scan the disk with F-Prot.
Good luck. Let me know about the results.
BTW, I am going to change my address from [email protected]
to [email protected]. I asked something on Virus-L, so if the
mailer-daemon sends you back the message, try the 2nd address.
***************************************************************************
** Alessandro Lombardi, via P.Verri 12, 21100 VARESE (VA)-ITALY **
** Tel.: 0332/265777; e-mail: [email protected] **
***************************************************************************
soon new email:
[email protected]
(about 5th of April)
------------------------------
Date: Wed, 31 Mar 93 13:58:07 -0500
From: Mario Rodriguez Cardenas <[email protected]>
Subject: New viruses warning (PC)
Hi everybody, I'm writing from Mexico and I have just got some new viruses from
a friend in the USA. In Mexico those viruses are not known at all, but I don't know
if they are in the wild in the USA. Their names are Susan 1 and FoneSex.
The Susan 1 virus is a resident overwriting virus. When an infected file is
run it gets into memory and can be seen with the command 'MEM /P' as follows:
.
.
.
012280 chess 000340 Program
.
.
.
It's easily detected because all infected programs, when executed, present the
message "bad command or file name" and terminate.
This virus only infects the first .EXE in a subdirectory when a PLAIN DIR command
is given. If you give a DIR command with ANY parameter it will not activate
the virus. After 15 infections the virus will erase all files in the current
directory with the next plain DIR command.
You can check for this virus with the following signature:
"C91FCD21B43ECD21C3505256571E068C"
The FoneSex virus is also an overwriting virus and seems to be non-resident; its
effective length is 688 bytes and when you run an infected file it will infect all
.COM and .EXE files in the current directory and in the \dos directory. It infects
COMMAND.COM. All infected files will only present the message "Out of Memory"
and will terminate. If you have a modem the virus will dial sex numbers. I have
an Intel SatisFAXtion modem and the virus didn't work with it. I suppose
it will only work with more standard modems because it uses an OUT instruction
to dial.
You can check for the signature "EB079000B43BCD21C3E89B00E89F00".
If you have any questions please write me.
Regards
Mario Rodriguez Cardenas
Instituto Tecnologico de Estudios
Superiores de Monterrey.
Campus Estado de Mexico.
em436861 at itesmvf1.cem.itesm.mx
em436861 at vmtecmex.cem.itesm.mx
------------------------------
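An added example, not part of Mario's post above and not code from any product named in this digest: the two hex strings he gives are plain scan strings, and a scanner simply converts the hex to bytes and searches each file for them. The Python below does that, reading files in chunks and overlapping consecutive chunks by one byte less than the longest pattern, so a match that straddles a chunk boundary is neither missed nor reported twice. The three sample files it writes to a temporary directory are constructed filler bytes with the posted patterns spliced in at known offsets; they are not virus samples. The function names and the sample layout are this example's own. As Alessandro's post earlier in this issue illustrates, a 15- or 16-byte scan string is evidence rather than proof: the same bytes can occur in a legitimate program or in another anti-virus product's own code, so a hit should be confirmed before anything is deleted.

```python
"""Scan files for fixed hex scan strings (added example; constructed samples, not malware)."""
import os
import tempfile
from typing import Dict, List, Tuple

# The two scan strings exactly as Mario posted them (name -> hex).
SIGNATURES: Dict[str, str] = {
    "Susan 1": "C91FCD21B43ECD21C3505256571E068C",
    "FoneSex": "EB079000B43BCD21C3E89B00E89F00",
}

Hit = Tuple[str, int]  # (signature name, byte offset within the file)


def compile_signatures(sigs: Dict[str, str]) -> Dict[str, bytes]:
    """Turn hex scan strings into byte patterns, rejecting malformed entries early."""
    compiled: Dict[str, bytes] = {}
    for name, hexstr in sigs.items():
        cleaned = hexstr.replace(" ", "")
        if not cleaned or len(cleaned) % 2:
            raise ValueError(f"{name}: signature must be a non-empty even-length hex string")
        compiled[name] = bytes.fromhex(cleaned)  # raises ValueError on non-hex characters
    return compiled


def scan_bytes(data: bytes, patterns: Dict[str, bytes]) -> List[Hit]:
    """Return every (name, offset) at which a pattern occurs in data, sorted by offset."""
    hits: List[Hit] = []
    for name, pat in patterns.items():
        off = data.find(pat)
        while off != -1:
            hits.append((name, off))
            off = data.find(pat, off + 1)
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path: str, patterns: Dict[str, bytes], chunk: int = 1 << 20) -> List[Hit]:
    """Scan a file of any size in fixed-size chunks.

    Each chunk is prefixed with the last (longest pattern - 1) bytes of the previous one,
    so a pattern split across a chunk boundary is still seen; hits lying entirely inside
    that carried-over tail were already reported from the previous chunk and are skipped.
    """
    overlap = max(len(p) for p in patterns.values()) - 1
    hits: List[Hit] = []
    tail = b""   # bytes carried over from the previous chunk
    base = 0     # file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block
            for name, off in scan_bytes(buf, patterns):
                if off + len(patterns[name]) > len(tail):
                    hits.append((name, base + off))
            tail = buf[len(buf) - overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return hits


def scan_directory(directory: str, chunk: int = 1 << 20) -> Dict[str, List[Hit]]:
    """Scan every regular file in directory; the report maps file name -> hits ([] means clean)."""
    patterns = compile_signatures(SIGNATURES)
    report: Dict[str, List[Hit]] = {}
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        if os.path.isfile(full):
            report[entry] = scan_file(full, patterns, chunk)
    return report


def build_samples(directory: str) -> None:
    """Write three CONSTRUCTED files: filler bytes with a posted pattern spliced in (not real samples)."""
    patterns = compile_signatures(SIGNATURES)
    filler = bytes(range(256)) * 4  # 1024 bytes; contains neither scan string
    samples = {
        "clean.com": filler,
        "susan.exe": filler[:100] + patterns["Susan 1"] + filler[100:],       # pattern at offset 100
        "fonesex.com": filler[:1020] + patterns["FoneSex"] + filler,          # pattern at offset 1020
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)


def demo(chunk: int = 1 << 20) -> Dict[str, List[Hit]]:
    """Build the constructed samples in a temp dir and scan them with the given chunk size."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_directory(tmp, chunk)


if __name__ == "__main__":
    # A 1024-byte chunk makes the FoneSex pattern straddle a chunk boundary.
    for fname, hits in demo(chunk=1024).items():
        print(f"{fname}: {hits if hits else 'clean'}")
```

Running it with a small chunk size (as the usage line does) is the interesting case: the FoneSex pattern starts at offset 1020 of a file read 1024 bytes at a time, so without the overlap it would be split between two reads and never matched. Point the same scan_directory() at a real directory to check it against the posted strings.
------------------------------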
Date: Wed, 31 Mar 93 14:59:57 -0500
From: [email protected] (Pete Radatti)
Subject: Re: Virus signature determination. (PC & Unix)
In VIRUS-L Digest V6 #53 [email protected] (Mark Aitchison) writes
>For what its worth, I'm working on a public domain virus scanner for Unix
>(and other systems) to look for DOS (and other??) viruses where file systems
>are shared. In these situations it is reasonable to combine scanning for
>non-polymorphic viruses with change detection, because of the way that people
>tend to use networked drives.
What you are trying to create has been on the market for about 3 years. The
product is called VFind. VFind version 3R2 info sheet states the following:
Scans for Unix, MSDOS, Macintosh and Amiga viruses on your NFS network, servers,
clients or stand alone systems, in one pass.
Can prevent infection of your site by scanning tapes, diskettes and other media
for viruses prior to usage. Using the Unix "dd" command, VFind can read "tar",
"cpio", "dump" and all other tape or disk formats.
Does not require the virus to be active to be located. It can locate dormant
viruses by using known scan keys and generic models.
VFind includes the CVDL generic pattern matching language with programmable
case sensitivity, forward proximity scanning, boolean operations and large
model capacity.
It locates "migrating" company classified or sensitive information such as
payroll, R&D documents and databases while it scans for viruses. Forward
proximity scanning allows search of most compressed data formats with high
accuracy.
VFind can be run after business hours or any other time desired. VFind is
"cron" ready for automatic start-up. It can scan on-line disks prior,
during or after nightly backup.
---
It also has an X11 GUI interface. A single user copy sells for $300 US.
Contact [email protected] for more information (human, not mail server)
Pete
------------------------------
Date: Wed, 31 Mar 93 07:27:04 +0000
From: [email protected] (Hitesh Shah)
Subject: D2 virus (PC)
I seem to have the D2 virus on one of our machines and CLEAN says it cannot
safely recover COMMAND.COM, so I asked it to delete it. However, after I
copy a clean COMMAND.COM onto C: I still have D2 sitting there. Also
this strange
"Sector not found error reading drive C" has started showing up. If I just
press I for Ignore there, the EXE file seems to run fine.
Any help on how to clean this would be highly appreciated. I am using
version 100 of SCAN and CLEAN from McAfee Associates.
thanx in advance
Hitesh Shah
[email protected]
------------------------------
Date: Thu, 01 Apr 93 01:23:39 +0000
From: [email protected] (Eric J. Schwertfeger)
Subject: Re: Catch from DIR? (PC)
[email protected] writes:
) [email protected] (Terry Lundgren) writes:
)
) >I have received some excellent replies to my posting on catching
) >a virus. Basically the question is this: Assume my system is
) >clean and I have an infected disk. I put the disk in the drive
) >and do a DIR. Then I take the disk out. Can my system be
) >infected now?
)
) >The responses are running about 1/3 saying no way and 2/3 saying
) >it is possible. I would really like to get a definitive answer.
) >If a virus can be passed in this way, would someone please
) >describe how it might happen? Or not.
)
) (1) Not on a PC. Nothing from the disk is ever executed.
Agreed.
) (2) On a Mac, maybe. I can't give a definitive answer, but I believe that
) a disk driver or file system can be loaded from the disk, and THAT could be
) infected.
Definitely. In fact, some of my Mac-using friends think this type of virus
is nearly extinct because of the availability of anti-virus INITs, though
I have to disagree with that.
Other:
AmigaDOS: Possible under versions prior to 2.0, as the disk validator is
loaded from the corrupt disk if possible, under AmigaDOS versions up to 1.3x.
AmigaDOS 2.0 and later only uses the validator in ROM.
) --
) Arthur L. Rubin: [email protected] (work) Beckman Instruments/Brea
) [email protected] [email protected] [email protected] (personal)
) My opinions are my own, and do not represent those of my employer.
--
Eric J. Schwertfeger, [email protected]
------------------------------
Date: Thu, 01 Apr 93 03:54:49 -0500
From: Lomba <[email protected]>
Subject: RE: PC-TOOLS 8.0 (PC)
On Tue, 30 Mar 1993, Mikko Hypponen wrote:
>
> Was the message displayed something like this?
>
> +-------------------------------------+
> | |
> | ATTENTION: A serious disk error has |
> | occured while writing to drive D: |
> | Retry (r)? _ |
> | |
> +-------------------------------------+
Perfectly.
> If it was, this is a known problem. You're using the Italian
> version of Windows 3.1, right?
yes.
>
> Microsoft's disk caching program SmartDrive, version 4, will
> display this message when it decides that something has gone
> terribly wrong. The reason you got the message in Italian is
> simply because the localised version of Windows has also the
> included smartdrv.exe translated.
>
> Obviously, Microsoft thinks that EVERYONE automatically knows
> that when such error is displayed, SmartDrive is in question.
> Thus, they do not bother telling the users which program is
> giving the error message.
>
> I would suggest turning off SmartDrive during the installation,
> or, better yet, substitute SmartDrive with some other disk cache.
>
> I personally use HyperDisk, not just because it is faster,
> but also because it's safer and more configurable (an obvious
> plug for a great shareware product :).
>
Ok, in fact I load smartdrv.exe first, then hyper386.exe.
Are you sure Windows works with DR-DOS 6.0, SuperStor, and HyperDisk 4.32?
And should I re-format my HD? (I still have all backups)
-alexl
------------------------------
Date: Thu, 01 Apr 93 03:59:42 -0500
From: Lomba <[email protected]>
Subject: Re: PC-Tools 8.0 (PC)
On Tue, 30 Mar 1993, Nick Leverton wrote:
> >... at the top left of the screen appeared this
> >message(in Italian):"ATTENTION: big error of the drive while writing on
> >unit D: retry?" (I use DR-DOS 6.0 with sstordrv).
>
> This message sounds to me like one which Smartdrive generates when you
> load a second cache on top of it (or underneath it). Are you using
> Smartdrive, or a DR-DOS equivalent cache ? I seem to remember that PC
> Tools also includes a disk caching utility, and it's possible that it
> may have automatically installed it in addition to the existing cache.
> If I were you I'd check for double caching as a possible cause of the
> problem.
>
> Nick Leverton
Yes, you are right; in fact I use both smartdrv and hyperdisk. Yours is one
of the answers I received, thanks very much. I think I'll solve the problem
quite soon.
-alexl
------------------------------
Date: Thu, 01 Apr 93 10:14:14 +0000
From: [email protected] (Richard Wilton)
Subject: Cerfu (?) virus ... (PC)
Has anyone heard of a virus called Cerfu (or similar; I can't
quite remember the spelling!)?
What does it do?
What can I kill it with?
--
Richard Wilton
------------------------------
Date: 01 Apr 93 11:25:38 +0000
From: [email protected] (Roger Allen)
Subject: Re: Windows Virus (PC)
[email protected] writes:
: > From: [email protected] (Roger Allen)
: >
: > Has anyone else experienced a virus that fades the screen to
: > black after starting Windows 3.1.
:
: Well, someone has to ask - it's not a Windows screen saver program, is
: it? The screen saver supplied with Windows 3.1 doesn't provide a
: "fade-to-black" saver, only a "blank-the-screen" one. There is,
: however, a "fade-to-black" saver for the shareware program ScreenPeace,
: and I suspect the commercial program After Dark would have one also.
:
: Apologies if this is too obvious.
:
: Steve Richards.
No, it's definitely a virus; screen savers refresh the screen if a key
or mouse movement is detected. I had to either reset or guess the keys to
exit Windows. I may have found the culprit source file if anyone is
interested.
Roger
------------------------------
Date: 01 Apr 93 20:40:55 +0000
From: [email protected] (Bushido)
Subject: Information Needed (PC)
My company is planning on implementing a standard virus scanning procedure.
For this we need software. We are pretty sure that we would like to go
with McAfee's SCAN and CLEAN utilities. What I need is information
on where I can find some independent (of McAfee) studies of its effectiveness
versus other software with similar functions. Any information of this sort,
or directions to find it, will be greatly appreciated.
Thank you
Robert Wood
------------------------------
Date: Thu, 01 Apr 93 16:17:43 +0000
From: [email protected] (Terry Lundgren)
Subject: Zenith Hard Disk Boot (PC)
Our computer lab seems to be under constant virus attack,
especially from boot sector viruses. We have Zenith 386's and
they allow through the setup procedure accessible by Ctrl/Alt/Ins
to make the system boot from the hard disk. I tried it and it
made no difference what was in the A drive (empty,
unformatted, formatted with no system, etc.). The startup obviously
did check the drives, but I don't think the boot sector is being
used.
Will changing the setup to boot from the hard disk stop boot
sector infections? (Of course it could be changed, but it might
significantly slow down the spread if it works.)
--
Terry Lundgren, Administrative Information Systems, EIU
------------------------------
Date: Thu, 01 Apr 93 18:58:22 +0000
From: [email protected] (Kent Yates)
Subject: Re: variants of Michelangelo (PC)
GHGAOAT%[email protected] (Sjamayee) writes:
>Can anyone warn me if he has found a possible copy of Michelangelo, so that
>I can take note of it for my new book?
What is the name of your book? "Who's Who among Michaelangelo Victims"?
THAT should make interesting reading. 1500+ pages or so?
--
/ / , Kent Yates, Mgr., Computing and Net Resources
/ / /~~~~> /~~~\ ~~/~~~ Univ of IL Grad School of Library & Info Sci
/ < (~~~~~ / / / Urbana, IL (Voice: 217-244-6279)
/ \ \___ / / / (FAX: 217-244-3102) (email: [email protected])
------------------------------
Date: Thu, 01 Apr 93 20:30:54 +0000
From: [email protected] (Thorbjørn Tau Christensen)
Subject: Re: Virstop 2.07 (PC)
VIRSTOP is a memory resident program that prevents things like
editing interrupts, like Ctrl-Alt-Break.. which is what Windows
does!
The VIRSTOP program is exceptional at stopping viruses before they
do any harm, but it has a little problem! It does not only
prevent viruses from doing something spooky!!!
--------------------------------------------------------------
BY:
,
|| _
=||= < \, \\ \\
|| /-|| || ||
|| (( || || ||
\\, \/\\ \\/\\ <> May the Force Be With You (*)
Name: Thorbjoern Tau Christensen Email: [email protected]
--------------------------------------------------------------
--
-------------------------------------------------------------------
Venlig Hilsen
------------------------------
Date: 02 Apr 93 00:23:58 +0000
From: [email protected] (Albert Crosby)
Subject: Problems with DOS 6.0 Microsoft Anti-Virus (PC)
WARNING: MSAV CANNOT DETECT OR REMOVE SOME 1575/1591 VARIANTS.
This is the virus I have most recently (read - last 2 months) had infections
with and reported in this forum. I placed a file infected with this virus on
a machine with DOS 6.0 and scanned. NO VIRUS FOUND. Loaded VSAFE. Tried to
copy the infected file, and VSAFE identified the virus as the '1591 virus',
and instructed me to use MSAV to remove the infection. But MSAV doesn't know
about the virus! THE MSAV AND THE VSAFE PROGRAMS ARE OUT OF SYNCH. THIS
POINTS TO A POTENTIAL MAJOR FLAW WITH MSAV/VSAFE.
At least MS promises upgrades to the detection portion from their bulletin
board. They *DO NOT* explicitly promise these to be free. No charges are
mentioned, but you *MUST* acquire a userid on their bulletin board to obtain
the files. *NO PERMISSION* to share the signature files is explicitly
granted.
The *SPECIAL OFFER* price for MSAV *DISINFECTORS* is $9.95 each. No mention
is made of the 'regular' price after the special offer expires. IT STATES
!!!!!_EXPLICITLY_!!!!! THAT THE FIRST UPDATE WILL SHIP ---->NOW<---- and that
the next will follow in 3-4 months. Implication: Microsoft KNOWS that the
MSAV product included with DOS 6.0 is insufficient and wants an extra $9.95
*NOW* to make it right. IMHO, that is poor business practice, especially
where something as serious as anti-virus software is concerned.
Personally, I think Frisk and McAfee can rest assured. I, for one, CANNOT
take this offering from Microsoft seriously, and will recommend other
anti-virus solutions to my network users and clients.
----
Albert Crosby | Microcomputer & Network Support | WANTED: any good
[email protected] | University of Arkansas | "Intro To The Net
or AL.CROSBY on GENIE | College of Agriculture And | For Newbies" guides
1 501 575 4452 | Home Economics | (email for mine...)
------------------------------
Date: 02 Apr 93 01:28:04 +0000
From: [email protected] (Alan V. Pham)
Subject: McAfee against f-prot virus programs (PC)
Hi there,
Will you please give me your opinions/comparison between McAfee and f-prot
computer virus program? What are their advantages/disadvantages?
Any input would be greatly appreciated.
Thanks!
--alan
------------------------------
Date: Fri, 02 Apr 93 02:31:09 +0000
From: [email protected] (John Mechalas)
Subject: April Viruses? (PC)
Does anyone have, or know where I can find, a listing of viruses that
trigger in April? And the other months? I remember someone posting the
list of March viruses, and it would be nice to have the rest of the months
laid out as well....
Cheers,
John
--
John Mechalas \ If you think my opinions are Purdue's, then
[email protected] \ you vastly overestimate my importance.
Purdue University Computing Center \ Stamp out and abolish redundancy.
General Consulting \ Stop Barney before its too late.
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 55]
*****************************************
Downloaded From P-80 International Information Systems 304-744-2253