home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.206
< prev
next >
Wrap
Text File
|
1995-01-03
|
31KB
|
689 lines
VIRUS-L Digest Thursday, 28 Sep 1989 Volume 2 : Issue 206
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Cookie (monster) virus (PC)
viruses in anti-virals
Tiger Teams
Re: Preventing virus attacks (PC)
Anti-virus viruses
Hyperspace virus ? (PC)
Final word on Centel Corp and Viruscan
Viruses in Commercial Software
Re: October 12/13 (PC)
Compiled list of viruses...
Anti-viral hard disk controllers
Review of NIST anti-virus paper...
Anti-virus Virus
Columbus Day Virus attacks the military?
Tiger Teams (Was Re: Good viruses?)
Virus signatures
---------------------------------------------------------------------------
Date: 27 Sep 89 12:56:00 +0200
From: Antonio-Paulo Ubieto Artur <hiscont@cc.unizar.es>
Subject: Cookie (monster) virus (PC)
I haven't yet got VIRUS-L Digests #197 to #199. It seems that my
contributions about the "Cookie virus" was included in one of these.
Just after receiving some kind postings about this item, I found on
the French magazine "Soft & Micro" (september 1989, p. 156) a
description and a photo of the "Sesame Street virus". The described
version seems to be old, the virus is said to have been one of the
first virus around in some American colleges. No harm is described:
the only requirement was to write "cookie" when the text "I want a
cookie !" appeared on the screen. Incidentally, on the photo, the
virus appears on a dBASEIII screen, not on a word-processing program.
I have to apologize. I described what seems to be a Spanish hack
- -or at least translation- of the "Sesame Street virus" or "Cookie
monster virus". This version seems to be more violent, as there were
lost files due to this virus.
I insist: I haven't yet seen this virus, neither has it caused any
damage -as far as I know- at my University. But if there is something
I awfully hate in computing is to loose data and having to rekey them
again. Therefore my contribution was more intended as a warning
message. If someone out there avoids only one of this loosings by
"giving a cookie", I thing it was worth the effort.
Of course, any preventive or removal method against this virus
would be appreciated. As it was said in one recent VIRUS-L Digest,
"the best virus is the dead one". And my colleagues here at the
University -some of them recently threathened by the "Friday-13 virus"
(sUMsDos variant)- would also have a little more peace of mind.
Thank you very much.
Antonio-P. Ubieto.
Department of Modern and Contemporary History.
Zaragoza University (Zaragoza, Spain - Europe).
hiscont@cc.unizar.es
------------------------------
Date: 27 Sep 89 12:38:00 +0700
From: "Okay S J" <okay@tafs.mitre.org>
Subject: viruses in anti-virals
In VIRUS-L.V2NO201 David Gursky(DMG@LID.MITRE.ORG)
>Let me take this one step further. Anti-virus applications (IMO) make
>a poor carrier for a virus. In order for a virus to succeed, it must
>go undetected. This means that prior to the activation of the virus'
>logic-bomb or time-bomb, it cannot interfere with the normal operation
>of the computer or the applications in use on the computer. To do so
>greatly improves the chances the virus will be discovered (to wit, the
>Jerusalem virus). If we work under the assumption that when a user
>acquires an anti-virus application, they actually use it (in fact we
>must work under this rule; otherwise the virus would not spread), the
>virus necessarily undergoes an increased chance of detection because
>an application is running that looks for viruses!
The only problem with this is that with a virus or other destructive
program masking itself as an anti-viral, you would think that the
person would have ripped the detection code out for the particular
virus he is trying to spread, or just chopped it out altogether.
It would be kind of funny to have a virus you are trying to spread
zapped by its own carrier! :). But then again, some criminals can be
pretty stupid....(which is all any of us can really hope for)
----Steve
Stephen Okay Technical Aide, The MITRE Corporation
x6737 OKAY@TAFS.MITRE.ORG/m20836@mwvm.mitre.org
------------------------------
Date: Wed, 27 Sep 89 09:05:57 -0400
From: Joe McMahon <XRJDM%SCFVM.BITNET@VMA.CC.CMU.EDU>
Subject: Tiger Teams
Dave Gursky asked about the tiger team approach. It depends on several
things:
- - Is the computer in question a computer which belongs to the installation,
or one which belongs to the person?
- - Is the virus completely self-limiting (i.e., if the date becomes anything
other that the date of infection, the virus removes itself?
- - Is the company willing to risk destroying this user's files and possibly
wasting large amounts of time and money to replace them?
Apple's statement on Mac viruses is that you should never trust a
once-infected file, even if it is "cleaned up". I tend to side with
that approach. I know that if I had been following procedures, and
some expletive-deleted from Security futzed around with my machine
behind my back, I'd be angry. Especially if it trashed my files.
--- Joe M.
------------------------------
Date: Wed, 27 Sep 89 13:40:46 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Preventing virus attacks (PC)
> Will changeing a file attribute to READ ONLY stop or slow down a virus?
> What about write locking a whole Directory?
> Does hiding a file or directory have any effect???
This is a very common question, but in general the answer is NO.
Boot sector viruses are of course not affected by the read-only
protection, since they do not infect files.
Some viruses can be stopped my making program files read-only, but
right now I can only think of two such viruses:
South African "Friday 13." (and the related VIRUS-B)
Lehigh
However, those two viruses are very rare. The rest of the PC viruses
remove the read-only attribute from files, before infecting them. Most
of them restore it later ("Icelandic" does not).
So - making files read-only will not provide any protection from
viruses like:
Jerusalem (Israeli Friday 13.) and relatives (Fu Manchu)
Vienna (DOS-62)
Traceback
DataCrime
Icelandic and relatives (MIX1 and Saratoga)
The main use of read-only protecting .EXE and .COM files is really to
protect the user from his own mistakes.
Hiding a file is equally ineffective.
--- frisk
------------------------------
Date: Wed, 27 Sep 89 14:25:25 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Anti-virus viruses
I have been following the anti-virus-virus discussion with some
interest, but I have not yet seen anybody mention the fact that one
such virus already exists.
The virus is the "Den Zuk" (Translation: The Search) virus, which was
written to fight the Brain virus.
When this virus finds a Brain-infected diskette, it removes Brain and
puts a copy of itself in place.
It also looks for old versions of itself and "upgrades" them if
necessary.
The virus resides on track 40 on diskettes (normally 360K diskettes
only have tracks numbered 0-39), and thus takes up no usable space.
So far, so good.
However - this virus also demonstrates what can (and will) go wrong
with anti-virus-viruses.
The programmer did not anticipate 1.2M or 3.5" diskettes. When the
virus infects a disk of that type, it will destroy data.
Also, several "hacked" versions of this virus have been reported,
including one that will disable the SYS command and destroy all data
on drive C: on September 13. 1991. (One more of those "Friday the 13th
viruses. Why can't virus writers have a little more imagination :-) )
So - the conclusion is simple: "The only good virus is a dead one."
---- frisk
------------------------------
Date: Wed, 27 Sep 89 14:39:45 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Hyperspace virus ? (PC)
Has anybody heard of a virus or trojan that will produce the following
effect ?
Suddenly the computer will switch to graphic mode, and dots
will appear, coming from the center of the screen, going
faster and faster. Then a flash of light will appear on
the screen, followed by the text "Welcome to HYPERSPACE"
Finnally the computer will svitch back to text mode, and everything
will be back to normal.
I have not seen this, only heard of it.
--- frisk
------------------------------
Date: Wed, 27 Sep 89 10:51:56 -0400
From: KARYN@NSSDCA.GSFC.NASA.GOV
Subject: Final word on Centel Corp and Viruscan
I decided to look into this Centel Corporation problem. As they are
situated just down the street, I called their office, and they sent me
the information alluded to in the Washington Post article. I received a
license agreement and a letter sent to various businesses addressed to
"Security Colleague".
Centel does not seem to be distributing Viruscan. The second paragraph
of the Preamble of the License agreement is:
In response to this threat [referring to DATACRIME viruses] Centel
Federal Systems, in conjunction with American Computer Security
Industries, Inc. ("ACSI"), has developed certain scanning software
("VCHECKER") that is capable of detecting certain forms of the virus,
and is offering that software to computer users for a nominal handling
fee of $25.00. It is presently believed that VCHECKER is capable of
detecting two of the unknown number of strains of the virus that are
in existence. However, because of the unpredictability of the virus
and its various strains, and because of the many uncertainties
surrounding its propagation and detection, neither Centel Federal nor
ACSI is able to warrant that VCHECKER software will succeed in
detecting the virus as it may exist in any particular computer
system. Users of VCHECKER should also understand that VCHECKER is
designed only to detect the possible existence of the virus, and that
removal of the virus from a particular computer system, or repair of
any damage that the virus may cause, is the responsibility of the
user.
An excerpted paragraph of the distribution letter follows:
...One company, ASCI, has developed a program called VCHECKER that
looks for the known signatures of what they call the Columbus Day
Virus...
It seems to me that ASCI got its hands on the DATACRIME signatures that
John McAfee distributed and wrote a program to check computers for it,
and decided to sell it.
Hopefully this will stop all the hoopla about this subject and clean up
Centel Corp's reputation. I hate to see reputations ruined over
misunderstandings.
Standard Disclaimer: I am in no way affilliated with Centel Corp, or
ASCI, and all the ideas presented are my own and in no way reflect
attitudes of anyone I work for.
*-- *-- *-- *-- *-- *-- *-- *-- *-- *-- *-- *--
Karen Pichnarczyk
KARYN@nssdca.gsfc.nasa.gov
703-648-0770
------------------------------
Date: Wed, 27 Sep 89 11:53:00 -0400
From: TMPLee@DOCKMASTER.ARPA
Subject: Viruses in Commercial Software
In commenting on viruses being distributed (accidentally, of course)
through commercial software someone recently mentioned that someone
near him had been hit by a virus that was in a shrink-wrapped copy of
WordPerfect. I'm skeptical -- WordPerfect is such a widely-sold
program that had there been one copy infected there would have been
thousands and the din would have been deafening. Could someone who
follows this closely summarize exactly which commercial packages have
definitely been identified as having been shipped infected? (i.e.,
the virus was found on them before there was any chance whatsoever
they could have been written to by the user's machine.) (I'm not
doubting that commercial software is a good vector for distributing
viruses or that it has happened before, I just want to make sure that
a company with good anti-virus practices doesn't get falsely accused;
in the case in point I have no idea what WP Corp's practices are.)
------------------------------
Date: 26 Sep 89 19:07:49 +0000
From: ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath)
Subject: Re: October 12/13 (PC)
In article <0006.8909251230.AA29228@ge.sei.cmu.edu> ttidca.TTI.COM!hollombe%sdc
svax@ucsd.edu (The Polymath) writes:
}}I'm the editor of our university's computing newletter. I need to
}}know how users can detect the October 12/13 virus ahead of time. Is
}}there a way at all? ...
}
}How about backing up the hard disk, then setting the system date ahead to
}October 13 and re-booting?
Since posting this, I've been advised that some viruses are designed
to detect and avoid this test. They do so by keeping track of date
increments to make sure they occur one day at a time. Typically, they
store a week's worth of dates, possibly more.
Assuming a one week buffer, you'd have to implement the sequence
"increment date, re-boot, run infected program" at least 8 times to
bypass such a check.
It's getting nasty out there.
}[Ed. Sounds (to me) kind of like testing to see if the mines in an
}inert minefield are "ert" by having someone walk through it. :-)]
I did say to back up the hard drive first. That way you can resurrect
your mine tester if it happens to step on an "ert" mine. (-:
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimis non
Citicorp(+)TTI Carborundum
3100 Ocean Park Blvd. (213) 452-9191, x2483
Santa Monica, CA 90405 {csun|philabs|psivax}!ttidca!hollombe
------------------------------
Date: Wed, 27 Sep 89 14:44:01 -0500
From: Dave Boddie <DB06103%UAFSYSB.BITNET@VMA.CC.CMU.EDU>
Subject: Compiled list of viruses...
I may be asking quite a big question, but I want to know:
Is there a compiled list of viruses, symptoms, cures, source,
whathaveyou that I can somehow obtain? I am mostly looking for PC
viruses, cures and symptoms to most know viruses. If there is one,
could someone PLEASE send it or any like it to me?
Thanks much in advance.
David Boddie
Remote Lab Operator
University of Arkansas.
------------------------------
Date: 27 Sep 89 20:37:15 +0000
From: ginosko!cg-atla!mallett@uunet.UU.NET (Bruce Mallett)
Subject: Anti-viral hard disk controllers
Seems to me that virus infestation in companies could be controlled
through a little bit of dicipline and with the help of a modified hard
disk controller. The scheme is to partition the hard disk into an
executable partition and into a data partition. All executables are
kept on the bootable, outer partition. The modified disk controller
has:
switches which indicate the last track number of this outer
partition
a switch out the back to enable/disable writes to this outer
partition. Probably a rotary requiring a screw-driver or other
tool to change.
In a corporate environment where systems are controlled I would think
that this would work quite well. Virus software must be able to write
to executables to spread, and they would not be able to since the
partition containing them is hardware protected. Without hardware
assist, software is always defeatable so no software solution is going
to guarantee protection against all infestations.
Dicipline is needed in several areas: administration to ensure that
systems get properly setup, environments defined correctly, etc.;
software packages must not maintain/modify data out of their
executable directories; users must not fiddle with the switch nor
import foreign, unknown software (by write-enabling the partition),
etc.
Note that programs run from the floppy can still wreak havoc to the
un- protected partition, but they cannot spread via the HD.
Is this workable?
[Ed. There is at least one commercial product that does exactly that,
but it's name escapes me.]
------------------------------
Date: Wed, 27 Sep 89 15:43:11 -0400
From: dmg@lid.mitre.org (David Gursky)
Subject: Review of NIST anti-virus paper...
Recently, the National Institute of Standards and Technology (NIST,
the successor to the National Bureau of Standards) published a short
paper entitled: _Computer Viruses and Related Threats: A Management
Guide_. I have had a chance to read through it, and here are my
comments:
NIST Virus study comments
First and formost, the NIST paper is an excellent, broad summary of
knowledge of prevention measures for "electronic threats". It does
not deal with the specifics of protecting this system, or that system,
but rather looks at two classes of systems (multi-user and
single-user) in two different environments (stand-alone or networked)
and discusses six aspects of the security issue: General Policies,
Software Management, Technical Controls, Monitoring, Contingency
Planning, and Network Concerns.
As much as I want to say this is an excellent paper, I find two flaws
that hold it back:
1 -- The paper is not always consistent in its tone and advice
2 -- Some advice presented in the paper is based on false assumptions
Inconsistency --
The authors of the paper appear to have a problem accepting that any
successful policy to deal with electronic threats must rely on the
cooperation of the user community. At certain points, it explictly
states system managers must *prevent* users from performing actions of
questionable risk altogether, and later on it states that users can do
the same thing under controlled circumstances.
The problem of electronic threats is *everyone's* problem, and
*everyone* must be part of the solution. The underlying attitude of
the authors seems to be "users cannot be counted on". For better or
for worse, users *must* be counted on, and when that is not possible,
made accountable.
Other examples of where the authors make one statement, and then back
down from it elsewhere in the paper exist; this is the one that I
happen to have picked up. By the same token, there are only a few
instances of this type of hemming and hawing.
False Assumptions --
The paper forwards the myth that programs obtained from public sources
(bulletin boards; public network libraries) are inheritely tainted,
and that shareware/freeware/etc. should really be avoided. Certainly
applications obtained from these sources are riskier, but these risks
can be minimized through careful selection of sources, (i.e. public
sources with a large pool of experienced users feeding from it), by
judicious testing of software obtained from these sources, and by
maintaining an internal library of these applications. This last step
(completely overlooked by Wack and Carnahan) of providing users access
to shareware from a corporate-sanctioned libraray can go far in
ensuring that applications from riskier, public sources are not
brought into the corporate computing environment.
By the same token, the paper forwards the myth that commercially
obtained applications are inheritly untainted. The Aldus Freehand
infection (among others) demonstrates that this is clearly not true.
Summary --
Summarizing, I would say this paper is a very good source for
technical users looking to gain information about how to go about
addressing the virus problem, and a good source for corporate managers
looking at the same question. The paper's inconsistency on the role
users must play in a successful anti-virus strategy, and it's partial
reliance on a false assumption hold it back from being excellent on
both counts.
Copies of the NIST paper can be obtained for $2.50 from the U.S.
Government Printing Office, 202.783.3238. The document is NIST
Special Publication 500-166, GPO #003-003-02955-6.
The opinion expressed in this review is mine, and does not in any way
reflect the official policy of the MITRE Corporation, or any of
MITRE's clients.
Please do not redistribute this review without my consent first.
Thank you.
Submitted 27 September 1989
David M. Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation
------------------------------
Date: Wed, 27 Sep 89 20:13:00 -0400
From: WHMurray@DOCKMASTER.ARPA
Subject: Anti-virus Virus
Chris Poet invites comment on the idea of an anti-virus virus.
Chris you are correct. The idea is not original and has been
discussed here ad nauseum. The consensus appears to be that it is not
a good idea.
Certain behavior is reprehensible regardless of its motive or
intention. One such class of behavior is misrepresentation. Nice
people do not resort to lies, regardless of motive. A subset of
misrepresentation is stealth. Nice people do not intrude unannounced
and univited. Good intentions in such cases rarely excuse the
behavior.
Finally, some behavior is so potentially dangerous that it cannot be
justified by good intentions. Spreading any kind of computer code by
automatic replication is dangerous and not justified by the intent or
value of the code so distributed. Nor is it justified by any
superiority of this method of distribution over any other. The
decision to employ protection is a personal one. Open distribution by
overt channels is preferred.
I am glad that you sought advice before embarking on this ill-advised
scheme. Having sought it and received it, I hope that you will heed
it.
[Ed. I agree with Dr. Murray in that this topic has been discussed
here ad nauseum - the general concensus of which is that it is not a
good idea. Unless anyone has anything significant to add to the
conversation, let's please consider this topic closed. Ok? Please?
:-)]
____________________________________________________________________
William Hugh Murray 216-861-5000 Fellow, 203-966-4769 Information
System Security 203-964-7348 (CELLULAR)
ARPA: WHMurray@DOCKMASTER
Ernst & Young MCI-Mail: 315-8580
2000 National City Center TELEX: 6503158580
Cleveland, Ohio 44114 FAX: 203-966-8612
Compu-Serve: 75126,1722
INET: WH.MURRAY/EWINET.USA
21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY
New Canaan, Connecticut 06840 PRODIGY: DXBM57A
---------------------------------------------------------------------
------------------------------
Date: Thu, 28 Sep 89 02:59:00 -0400
From: CZMUREK%DREW.BITNET@VMA.CC.CMU.EDU
Subject: Columbus Day Virus attacks the military?
Once again there is some frightening news about the Columbus DAy
Virus!!! As I was watching the Monday edition of computer chronicles
there was a segment on the problem that exists for the military. It
seems that all branches have been put on the watch for this one
because of the recent HUGE number of finds in the Air Force and Navy.
The implications of this are wuite scary indeed. Did anyone else hear
abou this or does anyone else have any light to shed on the severity
of the infection?
One last question- do the armed forces have any plan of action
for such an occurance as the downing of a large number of their
systems at one time or for the vaccination of military hardware?
------------------------------
Date: 27 Sep 89 19:34:37 +0000
From: chinet!ignatz@att.att.com
Subject: Tiger Teams (Was Re: Good viruses?)
In article <0002.8909261721.AA06193@ge.sei.cmu.edu> dmg@retina.mitre.org (David
Gursky) writes:
...
>Suppose a company has stringent rules about protecting desktop
>computers from viruses. How do you go about ensuring the rules are
>being followed? One thought I had was the user of "Tiger Teams".
And goes on to describe a "Tiger Team" which would prowl the halls
after-hours, looking for unsecured desktop machines which it could
then infect with an "approved" virus, preparatory to an upleasant
visit by the PC Police the next day.
Presumably, the purpose of actually infecting the machine is to
provide an object lesson to the unhappy employee careless enough to
not lock the system. This, however, is Not A Good Idea, for many
reasons. First, you've disrupted the productivity of a probably
useful employee for at least half a day, or more, while his/her
machine is zoned out. Next, you're tying up one or more people
comprising the "Tiger Team"; as proposed, worse, they're having to put
in non-prime hours performing what is essentially an overhead (read
"costs money, makes none") task; you're setting up the kind of
confrontational situation that can cause stressful relations between
employees; and it's not necessary. Not to mention that there are
other security holes that are unaddressed, such as terminals left
logged into multi-user systems which nevertheless can be used to
corrupt or destroy company data and programs. Also, how about desktop
or cubicle multi-user and/or multi-tasking systems, such as small
Unix/Xenix boxes, VAX/VMS workstations, etc.? Look at finding access
to these, and then corrupting them, and you'll start to see that this
is a form of sanctioned cracking which is beneficial to none, and
detrimental to all.
More useful, and actually used in many client sites I've been assigned
to, is to simply have the guard--who must make rounds anyway--also
made responsible for checking certain criteria for computer equipment.
Such things as locked access when applicable, no media left lying
about unattended, login-protected terminals (whether remote
timesharing, desktop multi-task/user, etc.) logged off whenever
unattended, etc. would be grounds for a report by the guard. At the
same time, the unsafe condition would be corrected as well as possible
by the guard--media collected and secured, accounts either logged off
or reported to system operators for deactivation, unlocked single-user
desktop machines either locked in the office, if possible, or the
power supply secured, etc. The same desired benefits are obtained:
the employee is made amply aware of his/her faux pas, and security is
maintained. Anyone who's ever worked in a security environment is
aware of these and other methods; they're actually used, as I
mentioned before.
The military does make use of "Tiger Teams" that attempt to penetrate
security and leave proof of their success. Usually, however, they are
employed in an environment where they're attempting to subvert or
circumvent active security measures, such as the deck guard on a nuke
sub that's docked, or access to a presumably secured and monitored
area.
------------------------------
Date: Wed, 27 Sep 89 16:26:48 +0300
From: Luiz Felipe Perrone <COS99284%UFRJ.BITNET@VMA.CC.CMU.EDU>
Subject: Virus signatures
A few weeks ago I received one VIRUS-L digest (unfortunately I do not
remember which one) which had the signatures of two versions of the
Datacrime virus. I happened to loose the listings and to make matters worse
I found out I also had discarded the digest from my mailbox. I wonder if
someone could send me this signatures as soon as possible and also show me
an effective way to look for them in my hard disk.
As a matter of fact it would be of great help to receive all the known
virus signatures, although I guess I might be asking too much.
I study at COPPE/UFRJ in Rio de Janeiro and a couple of months agoall
this fuss about computer viruses was like Science Fiction for me. I had never
seen any kind of it, and thought that it would take a long time before I had
any trouble with them. In Brazil there are no networks like CompuServe, The
Source, PCMagnet, etc. so I thought that the "problems" that affect Europe or
North America couldn't reach us so fast for they would not be downloaded.
But I was quite wrong. About two moths ago I have seen Bouncing-ball and JV
infect the whole Lab in which I work. And worse than that : they have got to
my hard disk. After running a program that kill BB and JV I have run Norton
Utilities to look for the string "sUMsDos" and it found four instances of it.
I still do not know if they belong to sectors in use by .EXE or .COM filesbut
I must say I'm worried. There is a strong possibily that other evil creatures
lurk in my system just waiting for the day to come up and make a big mess.
I would be very grateful if someone could help me to make a list of methods to
take this orcs out from our hard disks and develop anti-virus programs.
I have appreciated the help contained in the VIRUS-L disgests but sometimes
I feel I have missed a lot of the basic information.
[Ed. From an earlier editorial comment (v2i195):
In VIRUS-L volume 2 issue 192, Charles M. Preston
<portal!cup.portal.com!cpreston@sun.com> states that a) Viruscan V36
can detect Datacrime and that b) Datacrime can be identified by the
hex string EB00B40ECD21B4 (1168 version) or 00568DB43005CD21 (1280
version). Note that a hex string search can be done via the DEBUG 'S'
command (e.g., "S CS:100 FFFF hex_string" at the DEBUG prompt), if my
memory of MS-DOS is correct.
]
Thanks a lot and greetings from Brazil
Luiz Felipe Perrone
COS99284@UFRJ - Bitnet
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253
