From:      Kenneth R. van Wyk (The Moderator) <[email protected]>
Errors-To: [email protected]
To:        [email protected]
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V5 #21
Reply-To:  [email protected]
--------
VIRUS-L Digest   Tuesday,  4 Feb 1992    Volume 5 : Issue 21

Today's Topics:

VIRUS WARNING - DaVinci Discovers Michelangelo (PC)
More infected floppies from vendors (PC)
Campana virus: how to cure it (PC)
Re: AUX files (PC)
virus -> reset (PC)
Re: Possible Virus, Help!! (PC)
OHIO virus (PC)
Will re-formatting a floppy remove ALL viruses (PC)
IBM PS/2 and CHKDSK ... (PC)
Re: Pentagon and Keypress virus found (PC)
Re: Stoned (PC)
Re: very strange Mac behavior (Mac)
Re: Reviews and request (PC + Amiga)
New files on BEACH (PC)
Revised Product Test for VIRx, version 1.9 (PC)
Revision to Product Test on Virex-PC (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to [email protected]
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
[email protected].

  Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 04 Feb 92 08:22:01 -0500
From:    "Kenneth R. van Wyk" <[email protected]>
Subject: VIRUS WARNING - DaVinci Discovers Michelangelo (PC)

[Moderator's note: I received the following press release by FAX.  Any
typos are no doubt mine, not DaVinci's.]

News Release

DaVinci Systems Corporation
P.O. Box 17449
Raleigh, North Carolina 27619
Tel: (919) 881-4320
Fax: (919) 787-3550

Contact:        Chris Evans
               Vice President of Marketing
               DaVinci Systems Corporation
               (919) 881-4320

                DaVinci Discovers Michelangelo Virus
                 Warns users of possible infection

RALEIGH, North Carolina, February 1, 1992 - DaVinci Systems announced
today that a recent shipment of eMAIL 2.0 demonstration disks and
30-day kits may be infected with a computer virus known as
Michelangelo.  Approximately 900 customers and potential customers
were sent the infected disks.  Of these, over 600 were DaVinci
resellers.

DaVinci Systems immediately notified its resellers of the problem via
electronic mail and will mail a new set of disks to all recipients of
the infected disks by February 6th.  DaVinci Systems also advises
anyone who has received a DaVinci eMAIL 2.0 demo disk or 30-day kit
between January 20, 1992 and January 31st, 1992 not to use the disks
they received.

According to Bill Nussey, President of DaVinci Systems, "While there
is only a slim chance of one of our customers contracting the
Michelangelo virus from these disks, we wanted to take every possible
precaution."

The Michelangelo virus sits passively on infected machines until March
6th (Michelangelo's Birthday) when it corrupts data on a user's hard
disk.  FORTUNATELY, THE VIRUS CAN ONLY BE CONTRACTED BY BOOTING UP AN
INFECTED FLOPPY.  Because the infected disks are not bootable, most
users who have received these diskettes will not contract the virus on
their machine even if they run the demo or install the software on
their hard disks.  The only way users could catch the virus from an
infected disk is if they inadvertently boot up their computers with
the infected floppy in drive A while the drive door is closed.

DaVinci officials are still investigating the source of the virus.
Although DaVinci's master disks are routinely checked for viruses, the
virus software used apparently did not detect Michelangelo.  "We are
now using multiple virus-detection products and insisting that our
duplicating contractors also check for viruses", said Nussey.

The Michelangelo virus can be detected by Microcom's Virex version 2.11
or later or by McAfee Associates shareware program VIRUSCAN version
7.9v84 or later.  DaVinci users and resellers can download VIRUSCAN
from DaVinci's BBS at (919) 881-4342.

Based in Raleigh, North Carolina, DaVinci Systems Corporation is the
leading independent supplier of LAN-based electronic mail
applications.  The company's products run under acknowledged personal
computer network and operating system standards such as MS-DOS,
Microsoft Windows, and Novell Netware.  DaVinci Systems is at P.O. Box
17449, Raleigh NC 27619.  Telephone (919) 881-4320, (800) DAVINCI.
FAX: (919) 787-3550.

The product names and trademarks referenced are the trademarks or
registered trademarks of their respective companies.

------------------------------

Date:    Tue, 04 Feb 92 09:04:11 -0500
From:    padgett%[email protected] (A. Padgett Peterson)
Subject: More infected floppies from vendors (PC)

This is getting silly. Then again it indicates that a real understanding
of the architecture is not a prerequisite for success in vending software.

What has happened is that the vendors do not know what the disks they are
sending out are supposed to look like. This is understandable since there
is an incredible number of disk formats since every formatter puts in
Boot Record (and MBR for that matter) code that is different from
everyone else's.

This was part of the reason I developed the FREEWARE SafeMBR and SafeFBR
code, so that I could take a quick look at the code from a clean machine
and determine that it has not changed. Since the boot records of all my
floppies are the same (other than the four different BPBs), it makes for
an easy check whenever a floppy is put in the drive.

Notwithstanding the anti-viral aspect, when a vendor prepares a distribution
disk, statistical sampling should permit a quick scan and comparison with
a "gold copy" cryptographic checksum. For some time, it has been my belief
that Scanners are best used for identifying a problem, not in the first
notice that there is a problem.

Since we have now reached the point at which floppies are not expected to
have bad sectors (I do not use any that do), the FATs and Programs on a
disk and their locations should be stable in a duplication process. Given
a stable Boot Record, then all distributed disks should be mirror images of
each other. At this point normal statistical sampling should be sufficient
for integrity management.

What I do not understand is why the vendors refuse to acknowledge this - I
would think that it would be a selling point. Not only would this make it
very difficult for viruses to spread, the incidence of corrupt files on
distribution disks (I have been receiving quite a few lately) would be
sharply reduced. It would also provide a defense against claims of
"shrink-wrapped" viruses, though more vendors seem to be picking up on
"notchless" floppies.

Maybe that's why I am not a vendor.

                                       Warmly,
                                               Padgett

             padgett%[email protected]

     Disclaimer: Obviously not my employer's opinions
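A worked version of the gold-copy check described above, added here as an example; it is not SafeFBR or any other code from the post. It treats a floppy boot record as fixed boot code plus a variable BIOS Parameter Block, fingerprints the code with the BPB masked out so that disks of different capacity duplicated from the same master compare equal, and flags a disk whose code bytes changed while its BPB stayed intact, which is how a boot-sector infector that wants the disk to remain readable has to behave. The masked byte range (offsets 11..35, the DOS 3.x BPB), the 400-byte stand-in boot code and the three sample sectors are constructed assumptions for this example, not real disk images.

```python
"""Gold-copy comparison of floppy boot records (added example, constructed data)."""
import hashlib
import struct

SECTOR = 512
# Byte ranges allowed to differ between disks of one family: the DOS 3.x BPB
# at offsets 11..35.  Assumption for this example; DOS 4+ media also carry a
# per-disk volume serial at 39..42 that would need masking as well.
VARIABLE_RANGES = [(11, 36)]

# Total-sector count in the BPB identifies the classic floppy formats.
FORMATS = {720: "360K", 1440: "720K", 2400: "1.2M", 2880: "1.44M"}


def parse_bpb(sector):
    """Decode the DOS 3.x BPB fields at offsets 11..27."""
    (bps, spc, reserved, nfats, root_entries, total_sectors,
     media, spf, spt, heads) = struct.unpack_from("<HBHBHHBHHH", sector, 11)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved": reserved, "fats": nfats, "root_entries": root_entries,
            "total_sectors": total_sectors, "media": media,
            "sectors_per_fat": spf, "sectors_per_track": spt, "heads": heads}


def format_name(sector):
    return FORMATS.get(parse_bpb(sector)["total_sectors"], "unknown")


def code_fingerprint(sector):
    """SHA-256 of the boot record with the variable ranges zeroed, so that a
    360K and a 1.44M disk written by the same formatter share one fingerprint."""
    masked = bytearray(sector)
    for start, end in VARIABLE_RANGES:
        masked[start:end] = bytes(end - start)
    return hashlib.sha256(masked).hexdigest()


def check_sector(sector, gold_fingerprint):
    """Return (status, format) for one boot record against the gold fingerprint."""
    fmt = format_name(sector) if len(sector) >= 36 else "unknown"
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return "BAD_SIGNATURE", fmt          # not a valid boot record at all
    if code_fingerprint(sector) != gold_fingerprint:
        return "CODE_MISMATCH", fmt          # BPB may be fine, but the code changed
    return "OK", fmt


def image_fingerprint(image):
    """Whole-image SHA-256 for the 'mirror image' comparison of a sampled
    batch: every disk duplicated from a stable master should hash identically."""
    return hashlib.sha256(image).hexdigest()


# ---- constructed sample boot sectors (not taken from any real disk) ----
def build_sector(total_sectors, sectors_per_fat, sectors_per_track, media, code):
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"                # short jump over the parameter block
    sec[3:11] = b"EXAMPLE "                   # OEM name, constructed
    struct.pack_into("<HBHBHHBHHH", sec, 11, 512, 1, 1, 2, 224, total_sectors,
                     media, sectors_per_fat, sectors_per_track, 2)
    sec[62:62 + len(code)] = code             # boot code region
    sec[510:512] = b"\x55\xaa"                # boot signature
    return bytes(sec)


GOLD_CODE = bytes((i * 37 + 11) & 0xFF for i in range(400))  # stand-in boot code


def sample_disks():
    gold_1440 = build_sector(2880, 9, 18, 0xF0, GOLD_CODE)
    clean_720 = build_sector(1440, 3, 9, 0xF9, GOLD_CODE)    # same code, other BPB
    tampered = bytearray(gold_1440)
    tampered[100:104] = b"\xfa\x33\xc0\x8e"  # code overwritten, BPB left alone
    return {"gold_1440": gold_1440, "clean_720": clean_720, "tampered": bytes(tampered)}


if __name__ == "__main__":
    disks = sample_disks()
    gold = code_fingerprint(disks["gold_1440"])
    for name, sector in disks.items():
        print(name, *check_sector(sector, gold))
```

Against a real diskette the 512-byte sector read from the drive replaces the constructed samples, and image_fingerprint gives the whole-disk comparison for the statistically sampled duplicates. The fingerprint is only as good as the gold copy it was taken from, so take it on a machine booted clean, as the post says.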

------------------------------

Date:    Fri, 31 Jan 92 15:48:11 -0300
From:    Jean-Pierre Gattuso <[email protected]>
Subject: Campana virus: how to cure it (PC)

My PC is apparently infected by a virus. The symptom: most of the
time floppy disk formatting fails, and when it succeeds, a dir
command shows very odd characters.

I was told that this virus might be Campana. Norton Anti-Virus, which
I purchased last October, does not detect it. It is not in the virus
list anyway.

Does anyone have an idea how I could get rid of it? Maybe there is
some freeware virus checker which could do the job. I'm not familiar
at all with the PC stuff, especially downloading software. If
anyone recommends a program, can I download it on my Mac and then save
it in DOS format via Apple File Exchange?

Thanks in advance for your help.

Jean-Pierre Gattuso, Bitnet: JPG@FRPERP51

------------------------------

Date:    Fri, 31 Jan 92 12:37:12 -0400
From:    Doc Cottle <[email protected]>
Subject: Re: AUX files (PC)

- ----->   Leonard Erickson <[email protected]> writes:

- -In VIRUS-L V5#15, [email protected] (Kathy Diaz) writes:

- ->I have a question it seems that I have come across some sort of virus.
- ->My Dos Machine has in every directory a file called aux. It seems also
- ->that you can't find it by normal means. I guess the best way to find
- ->it is to use any editor(edlin, edit, vi, etc..) to look at it, but
- ->what you actually get is a computer freeze.

- ->You could also try to rename a file to aux and you will some sort of
- ->duplicate file error.

- ->Each aux file is about 112 bytes long.

- ->It doesn't seem to be malicious aside from taking up space but I can't
- ->even look in the file and try to dump the contents onto a file or
- ->something. And scanv85 doesn't find it.  Same thing with CPAV. If
- ->anybody knows something about this all your help will be greatly
- ->appreciated.

>AUX is one of the default *devices* in MS-DOS. It is usually mapped to
>COM1:. Like all devices it can be *addressed* as if it were a file. (ie
>COPY XYZ AUX)

>The 112 bytes (how'd you get that?) is probably the buffer size for AUX.

>The list of standard MS-DOS devices follows:
>device  Input     Output
>CON     yes  yes  input=keyboard/output=screen
>PRN     no   yes  mapped to LPT1
>AUX     yes  yes  mapped to COM1
>NUL     yes  yes
                --- rest deleted.

I've also noted one other response to Kathy's question that was of a
similar nature.  It seems to me that BOTH respondents missed the thrust
of what she was asking.

While  it is true that AUX is another  name for COM1 what  we are  dealing
with  is a logical HANDLE.  What she  is  ASKING  about is  the  existence
of  numerous FILES which carry the  name AUX - and I believe  that that is
            ^^^^^
an  entirely  different matter.  I don't know the answer to  her  question
(sorry  Kathy)  but  it  seems that answers are  occurring to people based
on a faulty reading of same.

 What meager knowledge I've obtained to this point tells me that all of
 these device drivers are memory resident!   I see NO REASON AT ALL for
 numerous 112 byte FILES to've been created residing in EVERY directory
 (including all sub, sub sub, and sub sub ... etc ones?  Ohmygawd!!) of
 (what I presume is) Kathy's hard drive!

Pardon any misunderstandings on my part, but I feel that those of you who
are trying to help those of us with lesser knowledge (and we DO appreciate
it, believe me!) should try to be sure that you are answering the question
we ASKED, not the question that you've ASSUMED we asked (due to
a too quick read?).  I'm very interested in knowing what WOULD cause a
proliferation of 112 byte files that would appear to be redundant.

                                        Thanks for reading,
                                           Darryl O. (Doc) Cottle
                                             [email protected]*

*That's the account I monitor daily.  I only look at this one about
once (maybe twice) a week.
     .........................................................
     :                                                       :
     : "That was NOT manual override, Captain."   Mr. Data.  :
     :.......................................................:
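A check for the collision Leonard describes in the quoted reply, added here as an example and not code from either poster. MS-DOS resolves the device names before it consults the file system, so an open, copy or rename that targets AUX reaches COM1 rather than a file, and AUX.TXT behaves the same way because only the base name is matched; Windows keeps this behaviour for the same names, so the check still matters wherever user-supplied file names land on a FAT or NTFS volume. The name set is the standard DOS devices from the quoted table plus COM1..COM9 and LPT1..LPT9; CLOCK$ is a DOS-only device driver name and is included with that caveat. The normalisation rules (directory part, extension, trailing spaces, a trailing colon, case) are my reading of the DOS and Windows behaviour, not something the thread states.

```python
"""Detect file names that MS-DOS (and Windows) treat as devices (added example)."""

# Standard DOS devices from the thread, plus the serial/parallel ports.
# CLOCK$ is DOS-only; drop it if only Windows behaviour matters.
DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL", "CLOCK$"}
                | {f"COM{i}" for i in range(1, 10)}
                | {f"LPT{i}" for i in range(1, 10)})


def base_name(name):
    """Reduce a path to the part the device lookup compares against:
    last path component, extension removed, trailing spaces/colon dropped,
    upper-cased.  'C:\\DATA\\Aux.txt' -> 'AUX', 'aux:' -> 'AUX'."""
    leaf = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem = leaf.split(".", 1)[0]
    return stem.rstrip(" ").rstrip(":").upper()


def is_device_name(name):
    """True when creating or renaming to this name would hit a device, not a file."""
    return base_name(name) in DEVICE_NAMES


def safe_filename(name):
    """Return a name guaranteed not to collide with a device.  Prefixing an
    underscore keeps the original visible; rejecting the name outright is the
    stricter alternative for upload handlers."""
    return "_" + name if is_device_name(name) else name


def scan_names(names):
    """Report which of a batch of proposed names are device collisions."""
    return {n: is_device_name(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names; 'rename x AUX' is the case from the thread.
    for name, hit in scan_names(["AUX", "aux.txt", "report.txt",
                                 "C:\\DATA\\Com1.log", "COM10",
                                 "AUXILIARY.TXT"]).items():
        print(f"{name:20} {'DEVICE' if hit else 'ok'}")
```

The extension case is the one that catches most filters: a blocklist that compares the whole string to "AUX" lets "aux.txt" through, and on both DOS and Windows that name still reaches the serial port.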

------------------------------

Date:    Thu, 30 Jan 92 13:13:52 +0000
From:    [email protected] (K W Chan)
Subject: virus -> reset (PC)

Hi,     Does anyone know of a virus on the PC that reboots the
       computer every-so-often. :-)     Kai.

------------------------------

Date:    Fri, 31 Jan 92 18:57:32 +0000
From:    [email protected] (Ron Coleman)
Subject: Re: Possible Virus, Help!! (PC)

[email protected] (RICKY GATES) writes:
>I was working on a friend's Gateway 2000 386SX-20 MHz computer this
>weekend, when every time I hit the space bar on the keyboard, it stops
>taking input from the keyboard, but the computer types out TUMARC FROM
>CHINA on the screen and beeps for about 3 to 4 minutes. It then stops
>and leaves the text on the screen. I can backspace it off the screen,
>but as soon as I hit the spacebar again it does it again. I asked my

Gateway 2000s come with an AnyKey keyboard that allows you to redefine
the keyboard with macros.  Your description sounds like someone
redefined the space bar to enter the above characters instead of a
blank space.  The fact that you can then backspace over them may
support this.  Has anyone had the opportunity to mess around with his
computer?  I've accidentally redefined a key on my keyboard, though it
doesn't sound like the above would be accidental.

Thomas Coleman
- --
[email protected]  ...!{tektronix!nosun,uunet}techbook!cetek
Public Access UNIX at (503) 644-8135 (1200/2400) Voice: +1 503 646-8257
Public Access User --- Not affiliated with TECHbooks

------------------------------

Date:    Fri, 31 Jan 92 23:28:04 +0000
From:    [email protected] (Joe Rosenfeld)
Subject: OHIO virus (PC)

Greetings to you all:

Can anyone tell me what the OHIO virus is?  How does it infect?  How
can I clean it (and with what product)?  I saw it today, and McAfee's
Clean does not seem to handle it (it is not listed by name).

All help is appreciated.  Thanks!

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joe Rosenfeld
Automation Librarian
CSU Law Library

[email protected]
[email protected]

"Now my name is on the line ... how could people get
so unkind?"

------------------------------

Date:    Sat, 01 Feb 92 01:02:43 +0000
From:    [email protected] (Jim Washer)
Subject: Will re-formatting a floppy remove ALL viruses (PC)

I am now the proud and happy owner of an infected 3.5" 1.44Mb floppy.
Should I immediately burn it in a large bonfire, or will re-formatting
exorcise it adequately?

just want to be safe...
- jim [email protected]

------------------------------

Date:    Sat, 01 Feb 92 00:00:46 -0400
From:    Andrew Brennan <[email protected]>
Subject: IBM PS/2 and CHKDSK ... (PC)

     When you run CHKDSK under Dos 3.3 on a PS/2, shouldn't the
  numbers for total memory still come up to 655360?  I have four
  machines here (at least) all pulling 1k short of that.  The
  only explanation I have is that it might be linked to the
  Microchannel, etc.  I booted from (what I think to be a) clean
  Dos and still have the same results.

     I'm about to start looking through VSUM for Stealth virii
  as nothing shows up in a clean scanning with NAV 1.5 (I know,
  I know ... get the update!  :^)  Time to dig out McAfee and
  F-Prot to see what they say.

     Andrew.

------------------------------

Date:    Sat, 01 Feb 92 11:03:59 +0000
From:    Fridrik Skulason <[email protected]>
Subject: Re: Pentagon and Keypress virus found (PC)

In Message 24 Jan 92 16:51:55 GMT,
 [email protected] (Eric Carlson) writes:

>Pentagon and Keypress viruses were found on floppys in one of our labs.
>
>Pentagon virus was NOT FOUND by SCANv84, but it was found with SCANv69.

The Pentagon "virus" is not a real virus - for a simple reason - it
simply doesn't work...never has, and never will.

However, if it was found on a diskette, I see two possible explanations

   False alarm - (very likely) A problem in v69 that was corrected later

   New and updated version of the virus - (highly unlikely)

Frankly, I wouldn't worry too much about this...

- -frisk

------------------------------

Date:    Sat, 01 Feb 92 16:14:51 +0000
From:    [email protected] (Jerry Greenwood)
Subject: Re: Stoned (PC)

...yes, and I also found stoned on my hard drive.  It was also in the
boot sector of eight of my disks.  It never went off ( no screen
message) and what puzzles me is that I've had some of these disks
lying around here for quite a long time (a year?).  Why didn't it go
off?  What sets it off?

- --
Jerry Greenwood  N9NRG
[email protected]

"Logic is the beginning of wisdom, Lieutenant, not the end"

------------------------------

Date:    Fri, 31 Jan 92 23:57:46 +0000
From:    [email protected] (Jesse Taylor)
Subject: Re: very strange Mac behavior (Mac)

If your computer isn't that important, and/or you have all your stuff
backed up, try setting the file privs for those programs in Gatekeeper.
If your computer goes crazy, at least you're not in the dark anymore.
You may simply have an error in your Gatekeeper INIT; it may be
incompatible with a new program or INIT/cdev, if you have just
installed one. Or it could simply be a hardware problem... I have not
heard of any viruses that would do something like that... It may be a
new strain? (shrug)

L8R///

------------------------------

Date:    Thu, 30 Jan 92 13:23:30 +0000
From:    [email protected] (Jacco de Leeuw)
Subject: Re: Reviews and request (PC + Amiga)

[email protected] (Maarten Berggren) writes:

>>Now, a request.  We haven't heard much from the Amiga people lately.  Can
>>I get some feedback on the top Amiga antiviral shareware of recent date?

>I more or less write this to prove that Amiga-owners read this channel,
>although there isn't much amiga-related stuff here.

>I haven't had many problems with viruses recently. The only virus I got last
>year was a Lamer Exterminator, and I think I used BootX to remove it.

>I think that more Amiga owners ought to write to this channel, to share
>the latest info about viruses.

One Amiga virus which caused many problems here in Holland was/is the Saddam
virus, which can infect memory as soon as you insert an infected disk (are
Amiga viruses more advanced than PC viruses? ;-). I use VirusChecker
by John Veldthuis to protect, and in conjunction with FixDisk to wipe it off.

Personally, I had no real problems with it, but many beginners in my
computerclub still have...

Jacco

- --
Jacco de Leeuw           | Dpt. of Computer Science |
J.C. van Wessemstr. 54   | University of Amsterdam. | Fidonet: 2:512/128.347
1501 VM Zaandam, Holland | Email: [email protected]  | Phone: +31-75-352068
This signature was infected by several viruses!(What an asshole, eh?) [SProt3.1]

------------------------------

Date:    Tue, 04 Feb 92 08:19:31 -0600
From:    [email protected] (John Perry KG5RG)
Subject: New files on BEACH (PC)

Hello Everyone!

       The 86B version of the McAfee anti-viral software suite is now
available on beach.gal.utexas.edu (129.109.1.207). Please contact
[email protected] if you have any questions or problems.

John Perry KG5RG                    | [email protected] - Internet
University of Texas Medical Branch  | PERRY@UTMBEACH             - BITnet
Galveston, Texas  77550-2772

------------------------------

Date:    Sun, 19 Jan 92 13:00:05 -0700
From:    Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revised Product Test for VIRx, version 1.9 (PC)

*******************************************************************************
                                                                         PT-41
                                                                     July 1991
                                                          Revised January 1992
*******************************************************************************

1.  Product Description:  VIRx is a copyrighted program written by Ross M.
Greenberg to detect computer viruses and malicious programs.  VIRx is the
detection portion (VPCScan) of the commercial protection program Virex-PC
(reference PT-23, revised January 1992).  This product test addresses version
1.9, 17 December 1991.

2.  Product Acquisition:  The program is freely distributed by Microcom
Systems, Inc., with special instructions for business and corporate users.
These users have only a 30 day license for product evaluation, after which they
must contact Microcom for site license authorization.  THIS CONSTITUTES A
MAJOR LICENSING CHANGE FROM PREVIOUS VERSIONS.  Microcom has made VIRx
available on many bulletin boards and software repositories, to include the MS-
DOS repository on simtel20 [192.88.110.20].  The current path on simtel20 is
pd1:<msdos.trojan-pro>virx19.zip.

3.  Product Tester:  Chris Mc Donald, Computer Systems Analyst, Information
Systems Command, White Sands Missile Range, NM 88002-5506, DSN:  258-4176, DDN:
[email protected] or [email protected].

[Moderator's note: The remainder of this product test is available by
anonymous FTP on cert.sei.cmu.edu (IP=192.88.209.5) in the
pub/virus-l/docs/reviews/pc directory under the filename
mcdonald.virx.]

------------------------------

Date:    Tue, 21 Jan 92 09:17:38 -0700
From:    Chris McDonald ASQNC-TWS-R-SO <[email protected]>
Subject: Revision to Product Test on Virex-PC (PC)

*******************************************************************************
                                                                         PT-23
                                                                    March 1991
                                                          Revised January 1992
*******************************************************************************


1.  Product Description:  Virex-PC is a software package to detect, disinfect
and prevent computer viruses and malicious programs for the MS-DOS environment.
This product test addresses version 2.0.

2.  Product Acquisition:  Virex-PC is available from Microcom Software
Division, P.O. Box 51489, Durham, NC 27717.  The telephone number is 919-490-
1277.  The price is $99.00.  There are several third party vendors who sell
single copies at a significantly reduced cost.  Registered users receive
discounts on product upgrades.

3.  Pr