Internet Message Format | 1992-09-27 | 21KB
From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #4
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Wednesday, 8 Jan 1992 Volume 5 : Issue 4
Today's Topics:
Norton Anty Virus (PC)
Stoned virus questions (PC)
Re: Michelangelo virus on Zyxel disk (PC)
New Virus (Ultimate Weapen)? (PC)
Joshi Virus and IDE Hard Drives (PC)
Looking for info on "Friday the 13th" virus (PC)
Avoid false alarms/ don't run SCAN when VWATCH is active(PC)
(forwarded) Is it a virus or is it memorex (Mac)
RE:Theoretical Literature on Viruses
Re: Geraldo Show: Claims Viruses can blow up Monitors
Virus Reserce
re: theoretical literature on viruses?
New data integrity anti-virus product (PC)
WSCANV85.ZIP (PC)
Write protection - hardware
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions
with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
----------------------------------------------------------------------
Date: Tue, 07 Jan 92 15:31:55 +0700
From: Cezar Cichocki <CEZAR@PLEARN.BITNET>
Subject: Norton Anty Virus (PC)
Hi folks,
I use Peter Norton's program and I am very interested in his antiviral
program. Somebody told me that there is a Shareware version of NAV
(about 1.5 or something like this). Is this true?
And if it's true, where can I get this program?
Cezar Cichocki
p.s. Best New Year's wishes to all folks on this list !
------------------------------
Date: Tue, 07 Jan 92 14:15:31 +0000
From: keshava@is.Morgan.COM (Sanjay Keshava)
Subject: Stoned virus questions (PC)
One secretary's PC has been infected with the STONED virus.
What effect does this virus have on the PC? How is it propagated?
Where does it reside?
We used McAfee's SCAN and CLEAN programs to neutralize it, but it
still recurs at unpredictable intervals. (We may have some floppies
that are infected and un-neutralized, so that could be the problem.)
Please reply via email.
Thanks.
- --
Later...
Sanjay Greetings to alumni: Anteater ('84), Trojan ('87), Longhorn ('91)
- ->|<- keshava@is.morgan.com
...uunet!is.morgan.com!keshava
Morgan Stanley & Co., Inc., Equities Analytical Research, NYC
------------------------------
Date: Tue, 07 Jan 92 18:22:20 +0200
From: Tapio Keihänen <tapio@nic.funet.fi>
Subject: Re: Michelangelo virus on Zyxel disk (PC)
>I've just become the proud owner of a Zyxel U-1924E modem (hurray!),
>but found the Michelangelo virus on the disk I got with it (boo!).
>The disk was not write-protected and the envelope it came in was open,
>so I can't say for sure whether it was Zyxel or the distributor.
It could have been Zyxel, because I've got reports of infected Zyxel
disks from Germany, USA and Finland.
Tapio Keihänen - tapio@nic.funet.fi
------------------------------
Date: Tue, 07 Jan 92 15:52:17 +0100
From: overdijk@ECN.NL
Subject: New Virus (Ultimate Weapen)? (PC)
Dear readers,
I've got a friend with a possible virus on his disks...
SCANV85 doesn't detect this beast. He has a HISCREEN 386sx
machine. I haven't seen the problem myself, but after discussion
I understood the following:
Symptoms:
- It appears that the 'virus' is activated after January 1st, 1992
- After boot, a message is displayed:
+-------------------------------------------+
! The Ultimate Weapon has arrived, !
! please contact the nearest police station !
! to tell about the illegal copying of you !
+-------------------------------------------+
(Yes, I had a 'printscreen' of the message)
(No, I don't know if he has an illegal copy of a program ;-))
- System hangs.
- After boot from floppy in A: he found ALL his files and directories
in the root and next directory-level renamed to CRIMINAL.001,
CRIMINAL.002, CRIMINAL.003 ..... etc.
After a format of the HD the virus was gone (of course). My
friend believes he still has the virus on one of his floppies, but
doesn't know on which one. He is going to try to reproduce the problem
to find out which floppy is guilty. Listening to his story, it appears
to me that it might be a boot-sector virus...
I couldn't find any hint in Patricia Hoffman's VSUM list...
Has anyone heard/seen this virus before?
Greetings,
Harrie Overdijk Internet : overdijk@ecn.nl
ECN - Petten BITNET : Not any more
The Netherlands Noisenet : ++31-2246-4597
Europe Fidonet : 2:500/43.1902 (At home!)
------------------------------
Date: Tue, 07 Jan 92 21:18:33 +0000
From: arg@netcom.netcom.com (Greg Argendelli)
Subject: Joshi Virus and IDE Hard Drives (PC)
How are people removing the Joshi virus from IDE hard drives? Based
on what I have read in Patricia's VSUM program, the only way to remove
the virus is via a low-level format. Since we can't do such a format
on an IDE, do we wind up trashing the drive? Inquiring minds need to
know. McAfee's scan/clean find it, and claim to clean it, but
don't....
- -arg
(arg@arghouse.uucp)
- --
"By this time my lungs were aching for air..." |The Listening Post BBS
MST3K |arg@arghouse.uucp
------------------------------
Date: Tue, 07 Jan 92 21:34:39 +0000
From: forbes@cbnewsf.cb.att.com (scott.forbes)
Subject: Looking for info on "Friday the 13th" virus (PC)
I'm a Macintosh owner and UNIX programmer with little experience
dealing in MS-DOS viruses, but I seem to remember hearing about a
virus which attacked hard drives on Friday the 13th.
I also have a PC which recently lost its hard drive, at approximately
the stroke of midnight on Friday, December 13. :-) I don't think this
is a coincidence, and would like to find out more about the virus in
question to prevent a recurrence.
The hard disk received a low-level format, but I still don't know the
source of infection and could re-infect the machine at any time.
E-mail pointers would be greatly appreciated.
====
=---====
Scott Forbes AT&T Network Wireless Systems =-----====
forbes@toolserv.att.com ==---=====
========
UNIX is a trademark of UNIX System Laboratories. ====
AT&T is a modem test command.
------------------------------
Date: Tue, 07 Jan 92 15:39:00 -0600
From: Ken De Cruyenaere 204-474-8340 <KDC@UOFMCC.BITNET>
Subject: Avoid false alarms/ don't run SCAN when VWATCH is active(PC)
I thought I would post this to help someone else avoid the virus
"scare" I had over Christmas. When I tried to scan (McAfee V85) a
diskette I had just recd in the mail from Australia, Scan told me I
had three viruses
BRAIN
LOZINSKY
INVADER
active in memory and to power down immediately and reboot from
a clean floppy.
To make a long story (Scan kept finding them but Clean and other
antivirals did not) short, I eventually phoned the McAfee number
and spoke to Aryeh Goretsky. He immediately diagnosed my problem:
I had (Central Point's) VWATCH running (on my IBM PS/1).
It seems VWATCH's search strings are not encrypted and SCAN finds
things it thinks are viruses.
When I subsequently tried the same thing on my PC at work
(UNISYS model 300), SCAN only "found" the BRAIN virus, so
I guess different platforms get different false alarms...
Ken
- ---------------------------------------------------------------------
Ken De Cruyenaere - Computer Services
University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: KDC@CCM.UManitoba.CA Voice:(204)474-8340 FAX:(204)275-5420
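The false alarm described in the message above, as an added example that is not part of the original post and not code from SCAN or VWATCH: a naive scanner flags a resident monitor whose search-string table sits in memory in plain form, and stops doing so once the table is masked, while the masked table still detects a real match. The byte patterns, the XOR key and all function names are constructed for illustration.

```python
# Constructed placeholder patterns; these are NOT real virus signatures.
SIGNATURES = {
    "BRAIN": b"\x10PLACEHOLDER-BRAIN\x01",
    "LOZINSKY": b"\x11PLACEHOLDER-LOZINSKY\x02",
    "INVADER": b"\x12PLACEHOLDER-INVADER\x03",
}
XOR_KEY = 0x5A  # assumption: a single-byte mask, enough to change every byte


def mask(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def scan_memory(memory: bytes, signatures: dict) -> list:
    """Naive scanner: report each signature whose bytes occur in memory."""
    return sorted(name for name, pat in signatures.items() if pat in memory)


def resident_monitor_image(signatures: dict, masked: bool) -> bytes:
    """Model a resident monitor in memory: filler code plus its string table."""
    table = b"".join(mask(p) if masked else p for p in signatures.values())
    return b"\x90" * 32 + table + b"\x90" * 32


class MaskedScanner:
    """Keeps its table masked and never builds a plaintext pattern in memory."""

    def __init__(self, signatures: dict):
        self.table = {name: mask(pat) for name, pat in signatures.items()}

    def scan(self, memory: bytes) -> list:
        # Mask the target instead of unmasking the table: a masked pattern
        # occurs in masked memory exactly where the plain one occurs in memory.
        masked_memory = mask(memory)
        return sorted(n for n, p in self.table.items() if p in masked_memory)


if __name__ == "__main__":
    plain = resident_monitor_image(SIGNATURES, masked=False)
    hidden = resident_monitor_image(SIGNATURES, masked=True)
    infected = b"\x00" * 16 + SIGNATURES["INVADER"] + b"\x00" * 16
    print("plain table  :", scan_memory(plain, SIGNATURES))
    print("masked table :", scan_memory(hidden, SIGNATURES))
    print("real match   :", MaskedScanner(SIGNATURES).scan(infected))
```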
------------------------------
Date: Wed, 08 Jan 92 08:06:37 -0500
From: Tom Coradeschi <tcora@PICA.ARMY.MIL>
Subject: (forwarded) Is it a virus or is it memorex (Mac)
Forwarded from Info-Mac Digest.
tom coradeschi <+> tcora@pica.army.mil
- ----- Forwarded message # 1:
Date: 7 Jan 92 14:06:38 EDT
From: "Eric Rick" <EFR@vetmed1.vetmed.ufl.edu>
Subject: Is it a virus or is it memorex
A challenge for all ye guru types and Apple virologists.
The following disturbing message has started showing up on my mac
lately:
_____________________________________________________________________
| _ * |
| ____/ |
| / \ |
| | | |
| \__/ |
| So sad, too bad, I just run pro |
| |
| |
| ID = 2 |
|___________________________________________________________________|
...it then locks up which kills anything you were doing, must reboot.
The ID number may be different but the message is exact. The thing in
the left corner that looks like an acorn is the typical Apple bomb.
It seems to happen mostly in Microsoft Excel, but has happened in
ZBASIC also.
Equipment: 512KE, YAH that's right 512KE, with a MacRescue board with
2megs, one external diskette drive, System 6.0.4 or 5, Imagewriter,
mouse, and a confused/angry user.
By the way, I have tried Disinfectant(I think version 1.5) on it and
it finds nothing.
Thanks for your help in advance.
EREric Rick
Univ of Florida
Coll of Vet Med
efr@vetmed1.vetmed.ufl.edu
------------------------------
Date: Tue, 07 Jan 92 19:10:00 -0500
From: <RUTSTEIN@HWS.BITNET>
Subject: RE:Theoretical Literature on Viruses
George:
The most likely place to start would be Fred Cohen's doctoral thesis
on the topic. One caveat, however: the price.
I had wanted to do some research on the topic, and had contacted Dr.
Cohen as a student. I asked where I might be able to get a copy of
his thesis (or other writings on the topic), and was told that he had
not permitted the issuing institution to keep a copy of it, nor had he
registered it with the media services center in Ann Arbor. He had
copyrighted it and told me that the only way I could take a look at it
(for research as a student, remember) was to buy it from him for some
absurd price. I've since gotten a copy, and it does contain some
interesting information...if you're at all interested in the theory.
There have been several experts who have argued against some of Cohen's
conclusions, and many of them appear to be correct. It is, however, a
good introduction to the theory.
Hope this helps...If I ever get around to doing my own research, I'll
pass it along to everyone...for free!
Charles
*****************************************************************************
Rutstein@HWS.BITNET
*****************************************************************************
------------------------------
Date: Wed, 08 Jan 92 00:49:27 +0000
From: rslade@cue.bc.ca (Rob Slade)
Subject: Re: Geraldo Show: Claims Viruses can blow up Monitors
gerry@dialogic.com (Gerry Lachac) writes:
>featured viruses. One so-called expert who has testified before
>Congress and has some book out claimed that there are viruses out now
>that can blow up monitors.
>
>Anyone know what the name of this one is? :-)
I believe that would be the
"No-that's-not-a-monitor-that's-a-TV-stupid" virus. Extremely
infective. Transmits from TV to brain causing instant mush.
Well, sorry for the flamelike response (certainly not directed at Gerry
:-), but I post my columns on Fidonet as well, and you should see the
nonsense I'm getting back from the recent one on hardware damage ...
=============
Vancouver p1@arkham.wimsey.bc.ca |
Institute for Robert_Slade@sfu.ca | The user interface
Research into rslade@cue.bc.ca | is the boundary of
User CyberStore Dpac 85301030 | trustworthiness.
Security Canada V7K 2G6 |
------------------------------
Date: Tue, 07 Jan 92 15:07:22
From: <2wsa115@gc.bitnet>
Subject: Virus Reserce
Well I've decided that viruses will be the topic for my English 102
course, so I need to get some questions answered. First of all, are
there any positive needs for Viruses and are any of the major software
developers researching and creating new Viruses? If anyone knows of
books that would provide good research material let me know please.
Thanx
Jeff Harris
------------------------------
Date: 07 Jan 92 17:11:55 -0500
From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
Subject: re: theoretical literature on viruses?
> From: ctika01@mailserv.zdv.uni-tuebingen.de (George Kampis)
>
> Is there any work out there on a *theoretical* treatment of
> computer viruses?
I'd recommend (to everyone) the book "Rogue Programs", edited by Lance
Hoffman*. It's a collection of papers by various reasonably
legitimate folks (well, including me), and includes a section on
theory that has the two basic Fred Cohen papers, which will address at
least some of what you want.
> I suspect the latter will lead to halting-problem-like questions -
> would be interested to see if anybody did work on that (pls don't mix
Yep, Fred Cohen proves that perfect detection (given a program, is it
a virus?) is about equivalent to the halting problem. Of course, this
doesn't say anything about 99.99% detection, or perfect detection on
any program smaller than 64 megabytes, or... *8)
> (pls don't mix it with self-reproducing automata a la von Neumann
> etc)
Why not? I would think that some of von N's results might be
directly relevant to computer virus theory?
DC
* ISBN 0-442-00454-0, Van Nostrand Reinhold, 1990
------------------------------
Date: 06 Jan 92 23:54:15 -0500
From: Wolfgang Stiller <72571.3352@CompuServe.COM>
Subject: New data integrity anti-virus product (PC)
I've just confirmed that Integrity Master(tm) my new data integrity
and anti-virus product is available on SIMTEL20 (I-M102B.ZIP).
Integrity Master(tm) is an easy to use, data integrity, change
management, security, and anti-virus program. It is a descendant of
PC Magazine's PCdata integrity toolkit which is still available as
free software. Unlike my PCdata toolkit, Integrity Master is
shareware ($35 US). Integrity Master detects known viruses
specifically using scanning techniques and generically by identifying
specific changes. Cluster (Dir-2) and companion type viruses are
specifically recognized.
Integrity Master is a high performance assembly language program,
providing function and performance far beyond any other data integrity
software, yet is easy enough for novice users.
Some distinguishing features:
1) Integrity Master recognizes known viruses by name and will describe
their characteristics and then guide you through their removal.
2) It can detect not only existing viruses, but will detect as yet unknown
viruses, by virtue of its ability to detect changes to any file or
system sector.
3) Integrity Master will detect any form of file or program corruption, not
just that caused by viruses. This makes Integrity Master a useful tool
to provide PC security, change management and hardware error detection.
4) Integrity Master understands which files and areas on your disk are
special and provides specific diagnosis and recovery if these areas
have changed.
5) Integrity Master can reload system sectors, even on disks which are
so badly damaged that DOS can no longer recognize them.
Integrity Master is also available through any ASP BBS, SDN BBS and
on CompuServe IBMSYS lib 3 file I-M102.EXE.
Wolfgang Stiller (Author of Integrity Master(tm) and PCdata)
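The generic change detection described in the announcement above, as an added example that is not Integrity Master's code or algorithm: a baseline of file hashes is compared with a later snapshot, and a new NAME.COM appearing beside an existing NAME.EXE is reported separately, since DOS runs the .COM first and that is how a companion virus gets control. SHA-256 is a stand-in for whatever checksum a 1992 product used; the function names and finding labels are assumptions.

```python
import hashlib
import os


def snapshot(root: str) -> dict:
    """Map each file path (relative to root, upper-cased as on DOS) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root).upper()] = digest
    return result


def compare(baseline: dict, current: dict) -> list:
    """Return sorted (kind, path) findings: modified, removed, added or companion."""
    findings = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append(("removed", path))
        elif current[path] != digest:
            findings.append(("modified", path))
    for path in current.keys() - baseline.keys():
        stem, ext = os.path.splitext(path)
        # A new .COM next to a same-named .EXE is the companion pattern:
        # the .EXE itself is untouched, so only the new file gives it away.
        if ext == ".COM" and stem + ".EXE" in current:
            findings.append(("companion", path))
        else:
            findings.append(("added", path))
    return sorted(findings)
```

Take the baseline while the system is known to be clean and keep it on write-protected media, since a baseline stored on the monitored disk can be altered along with the files.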
------------------------------
Date: Tue, 07 Jan 92 08:21:00 -0500
From: HAYES@urvax.urich.edu
Subject: WSCANV85.ZIP (PC)
The new version of McAfee Associates SCAN for Windows is now available for FTP
processing from our site as WSCANV85.ZIP. The file was fetched from McAfee's
BBS.
Site: University of Richmond
Address: urvax.urich.edu, IP# 141.166.1.6
Directory: [.msdos.antivirus]
Filename: WSCANV85.ZIP
User: anonymous
Password: your_email_address
Regards, Claude.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond hayes@urvax.urich.edu (Bitnet or Internet)
Richmond, VA 23173
------------------------------
Date: Mon, 06 Jan 92 12:38:30 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Write protection - hardware
DEFMTH4.CVP 920105
Write protection - hardware
Generally, in the microcomputer world, write protection is held
to mean write protection implemented by hardware. Although it
is a truism that "whatever the hardware people can do, the
software people can emulate, and whatever the software people
can do the hardware people can emulate", it is physically
impossible to overcome a "sufficient" hardware protection with
software. Note, however, that not all hardware protection
devices are as safe as they may seem at first glance.
First, the universal write protect "tab" on floppy disks. It
*is* possible to write to *some* write protected drives.
Certain systems (MS-DOS is not one) check for write protection
in software rather than hardware. Thus, even though the write
protect device is hardware, the software checking can be
circumvented by a virus. (In systems where the write protection
*is* effective, it is still the case that the notification of an
attempt to write to the drive is done through software, and so
the warning that something may be going on may be trapped by the
virus.)
However, even on some MS-DOS systems, write protection may not
be reliable. Some manufacturers use an optical, rather than
mechanical, sensor for the write protect tab or notch. Using
"translucent" floppy disks, the "silvered" write protect tabs or
even the shiny black ones on 5 1/4" diskettes, may allow
sufficient light to get through to the sensor as to leave the
disk unprotected. It is interesting to note that, because of
the two different protect tab designs, the hardware write
protection circuits for 5 1/4" diskettes generally "fail safe"
in a write disabled configuration, whereas 3 1/2" diskette
drives "fail" into a writable configuration.
(A pity. I prefer the ability to protect and enable repeatedly
without building up gobs of tape adhesive around the notch. And
when I did protect 5 1/4s, I used to use "magic" tape as it was
easier to remove. These days I'm using "Post-it" notes ...)
As in the past, so again I will deplore the failure of drive
manufacturers to provide write protect switches on "fixed media"
hard drives. Tape and cartridge media do have tabs or switches.
Those knowledgeable about hardware and drive cabling can
"retrofit" switches, but recent tests at various sites with
hardware write protect switches have indicated problems with
certain types of drives. No one procedure has been proposed
that works for all types of