home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Handbook of Infosec Terms 2.0
/
Handbook_of_Infosec_Terms_Version_2.0_ISSO.iso
/
text
/
virusl
/
vl04_018.txt
< prev
next >
Wrap
Internet Message Format
|
1996-09-04
|
28KB
From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V4 #18
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Friday, 1 Feb 1991 Volume 4 : Issue 18
Today's Topics:
Re: Text in MLTI virus (PC)
Boot Sector/Partition Table Protection (PC)
Hardware damage?
Virex 3.0 init problems? (Mac)
Table of Contents for Virus-L Digest
Virus Proctection in Real Time
Re: Text in MLTI virus (PC)
STONED in files (PC)
RE: Anti-virus policies
Re: Word Perfect and change checkers (PC?)
New viruses (PC)
re: Antiviral product contact list (PC);
Re: Infected vendor software (Mac)
Weird Thing With F-Prot (PC)
Re: Problem with virus checker (PC)
Re: Stoned virus in partition table (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.
Ken van Wyk
---------------------------------------------------------------------------
Date: Wed, 30 Jan 91 17:28:00 +0200
From: Y. Radai <RADAI@HUJIVMS.BITNET>
Subject: Re: Text in MLTI virus (PC)
Fridrik Skulason asked about the meaning of the following text in
the MLTI virus:
> This programm was written in the city of Prostokwashino
> (C) 1990 RED DIAVOLYATA
The following info was supplied to me by a co-worker who recently
emigrated from the USSR:
"RED DIAVOLYATA" is a partial translation of "Krasnie Dyavolyata".
It and "Prostokvashino" are the names of well-known Soviet films.
"Dyavolyata" was apparently too hard for the virus-writer to
translate. It means something like "little devils", and "Krasnie
Dyavolyata" refers to the youth who fought against the White Army
during the Russian Revolution. The village "Prostokvashino" is a
fictitious one, which explains why Brian McMahon didn't find it in the
books he consulted.
Y. Radai
RADAI@HUJIVMS.BITNET
------------------------------
Date: 30 January, 1991
From: Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>
Subject: Boot Sector/Partition Table Protection (PC)
>>From: gt1546c@prism.gatech.edu (Gatliff, William A.)
>>To help combat this, what would be the possibility of 'delibrately'
>>infecting ones boot-sector with a piece of code that would display
>>some kind of 'ok' message if it hadn't been tampered with?
Exactly what I was talking about in issue 17 except the "partition
table" sector (absolute sector one) should be used, not the boot
sector. More, such code can be used to prevent any tampering with
itself, the real partition table, or the active boot sector. At one
extreme I have tried on a system with C: & D: drives was to put all
executables on the C: drive and prohibit ANY writes or formats to that
drive (except with a special maintenance program). The D: drive just
has its low area protected and contains mutable programs and data.
A university or corporate environment might allow writing only to
floppies or bernoullis, protecting the hard disk. While such software
techniques alone cannot prevent an infected boot from occurring from a
floppy - only hardware can do this - they do allow such intrusion to
be detected prior to the load of the OS and can block any such
infection thereafter.
I hope that this will stimulate some activity on the part of the
vendors to provide such protection - it is not difficult to write, but
for me, I would no longer consider any product complete unless some
such form of low level protection was included.
Padgett
ps: This is my hobby - you should see my job.
------------------------------
Date: Tue, 29 Jan 91 17:10:38 +0000
From: hagins@gamecock.rtp.dg.com (Jody Hagins)
Subject: Hardware damage?
Please forgive my ignorance on this subject...
Is it possible for a virus, etc to cripple physical hardware
components? I ask as I have recently experienced an abrupt halt of my
system, frying my power supply. This occurred after aquiring a piece
of software from a supposedly very reliable source. Just wondering if
this is related, or a coincidence.
Thanks for any help!
Jody Hagins
hagins@gamecock.rtp.dg.com
Data General Corp.
62 Alexander Dr.
RTP, N.C. 27709
(919) 248-6035
Nothing I ever say reflects the opinions of DGC.
------------------------------
Date: Wed, 30 Jan 91 13:10:47 -0600
From: "Stan Kerr" <stankerr@uiuc.edu>
Subject: Virex 3.0 init problems? (Mac)
I just received Virex 3.0 a few days ago, and as soon as I installed
it, Gatekeeper (1.1) started going crazy, complaining about things I
had specified to allow in its configuration menu. As an example, I got
NUMEROUS complaints that DA Handler was violating 'Res(other)'
privileges against various applications. As soon as I turned off the
Virex init, the complaints stopped.
- --------------------------------------------------------
Stan Kerr Internet: stankerr@uiuc.edu
University of Illinois BITNET: stankerr@uiucvmd
Computing Services Office Phone: (217) 333-5217
1304 W. Springfield
Urbana IL 61801
------------------------------
Date: Tue, 29 Jan 91 15:44:41 -0500
From: Colin Lay <CMLHD%UOTTAWA@acadvm1.uottawa.ca>
Subject: Table of Contents for Virus-L Digest
Being a dedicated listener, and occasional contributor, to VIRUS-L
Digest, I sometimes want to find out what was said, when, and by whom.
There is no index to the Digest topics I am aware of, and therefore I
decided to start the process, at least for myself, by creating a Table
of Contents on a month by month basis.
I routinely download and ZIP the Digest and store the results on
floppies (720K), in 1 month groups. The big problem is where to find
what I am looking for, a month or so later. My partial solution is to
use the following WordPerfect 5.1 macros to strip out all but the
topic list and individual submission Date, From and Subject entries.
So far in the month of January 1990, issues 1 to 16 are reduced to a
Table of Contents file of 35,161 bytes, while the ZIPped digests are
148,044 bytes long, and the originals take 335377 bytes.
Following the macros in this submission I am including a sample of the
output from Vol.4 Issue 1. If there is sufficient interest, I can
submit the Table of Contents on a regular basis to the Digest or some
other appropriate repository.
[Ed. You might want to also take a look at Anthony Appleyard's index
system.]
=============================================================
Macro: Action
File VIRUSL.WPM
Description cleanup Virus-L Digest for Tbl of Con.
--------------------------------------------------------
{DISPLAY OFF}{Block}{Search}{Enter}
virus{Home}-l {Search}{Home}{Left}{Backspace}y{Enter}
{Search}{Search}{Home}{Left}{Block}{Search}{Enter}
Date: {Search}{Home}{Left}{Backspace}y
{CHAIN}vira~
--------------------------------------------------------
Macro: Action
File VIRA.WPM
Description Clean indiv.submiss. to Date,From,Subj
--------------------------------------------------------
{DISPLAY OFF}
{ON NOT FOUND}{GO}end~~
{Search}{Enter}
Subject: {Search}{Home}{Left}{Down}{Enter}
{Block}{Search}{Enter}
Date: {Search}{Home}{Left}{Backspace}y
{CHAIN}vira~
{RETURN}
1 {LABEL}end~
{CHAIN}virb~
{RETURN}
--------------------------------------------------------
Macro: Action
File VIRB.WPM
Description Cleanup last submission to eof
--------------------------------------------------------
{DISPLAY OFF}{Home}{Home}{Down}
{Up}{Up}{Up}{Up}{Up}{Backspace}y{Down}
{Down}{Down}{Block}{Home}{Home}{Down}{Backspace}y{HPg}
--------------------------------------------------------
==============================================================
VIRUS-L Digest Wednesday, 2 Jan 1991 Volume 4 : Issue 1
Today's Topics:
EXE file compression with LZEXE and PKLITE (PC)
Macvirus index? (Mac)
Disk Utilities (PC)
Re: Virus Protection (PC)
more about the conference in Hamburg
ZeroHunt Virus (PC)
Re: Viruses for the holidays & admin note
please stop the requests
Re: (1) GAO Report on Computer Security
Zmodem infected with Violator (PC)
UK Computer Crime Unit
MIBSRV downtime
WP viri and bugs (PC)
Unix and Mainframe Viruses
New virus (PC)
Date: 20 Dec 90 14:22:50 +0000
From: Mark Scase <coa44@seq1.keele.ac.uk>
Subject: EXE file compression with LZEXE and PKLITE (PC)
Date: Thu, 20 Dec 90 11:58:36 -0800
From: rrk@planets.risc.com (Richard Killion)
Subject: Macvirus index? (Mac)
Date: Thu, 20 Dec 90 15:14:00 -0400
From: Bill Thater <THATERW@SNYSYRV1.BITNET>
Subject: Disk Utilities (PC)
Date: Thu, 20 Dec 90 22:06:33 -0800
From: sulistio@sutro.SFSU.EDU (Sulistio Muljadi)
Subject: Re: Virus Protection (PC)
etc.
etc.
etc.
Colin M. Lay,Assoc. Prof.
Fac. of Administration, Univ. of Ottawa
Tel. (613)564-7015 FAX (613) 564-6518
"Any opinions expressed are mine, not necessarily those of my employer."
Acknowledge-To: <CMLHD@UOTTAWA>
------------------------------
Date: Tue, 29 Jan 91 10:50:00 -0800
From: "David M. Ung x57408 <CSMIDMU%MVS.OAC.UCLA.EDU@BITNET.CC.CMU.EDU
Subject: Virus Proctection in Real Time
Does anyone know about existing software packages that watch for suspicious
viral activities in real time?
Ken, if you have any of these info, could you please send it to me. Thank you.
My address is CMSIDMU@UCLAMVS (this is a BITNET address).
------------------------------
Date: Wed, 30 Jan 91 16:32:36 +0000
From: morgan@ms.uky.edu (Wes Morgan)
Subject: Re: Text in MLTI virus (PC)
>>The MLTI virus contains this text - clearly a reference to the "Eddie"
>>virus, but what does "RED DIAVOLYATA" mean ? (I want to emphasize
>>that "Dark Avenger" is the name of the author of the "Eddie" virus -
>>not the name of the virus itself.)
>>
>> Eddie die somewhere in time!
>> This programm was written in the city of Prostokwashino
>> (C) 1990 RED DIAVOLYATA
>> Hello! MLTI!
Perhaps our virus author is a heavy-metal fan. "Eddie" is the mascot
of the group Iron Maiden. Eddie happens to be a {corpse, undead, zom-
bie}. (I'm not sure which word to use. That group's discography in-
cludes an album titled "Somewhere In Time".
Hmmmm.....a techno-metalhead conspiracy, perhaps? Subliminal messages
in rock albums inciting teenagers to digital terrorism? Hmmmmmmm.....
| Wes Morgan, not speaking for | {any major site}!ukma!ukecc!morgan |
| the University of Kentucky's | morgan@engr.uky.edu |
| Engineering Computing Center | morgan%engr.uky.edu@UKCC.BITNET |
Lint is the compiler's only means of dampening the programmer's ego.
------------------------------
Date: 30 January, 1990
From: Padgett Peterson
Subject: STONED in files (PC)
For those wanting to check for STONED in executables as
mentioned earlier using the McAfee /ext switch, I would suggest trying
the string "a1 4c 00 *(2) a3 ? ? a1 4e 00 a3" <name>
While this may generate some "false positives", I would like to
know about ANY files that try to do this since it may indicate a low level
(not through DOS) access of the INT 13 vectors.
Note: use your own <name> since duplication of one of Mr. McAfee's
names may result in SCAN not checking for the virus otherwise.
Padgett
------------------------------
Date: Thu, 31 Jan 91 10:57:00 +0100
From: "Nick FitzGerald" <CCTR132@csc.canterbury.ac.nz>
Subject: RE: Anti-virus policies
In V4 #17 (Mon, 28 Jan 91) rtravsky@CORRAL.UWyo.Edu (Richard W Travsky) wrote:
>[deletions]
> 1. Viral Software
> a. Viral scanning/cleaning software will not be used unless the
> accompanying documentation has been read by the support person
> doing the scan/cleanup.
> b. Viral scanning/cleaning software should be kept reasonably up to date.
>[As stated, we've had fairly low virus activity, so being up to date with
>the latest is not real important - yet.]
> c. More than software product should be used for cross checking purposes.
> d. After removal of a virus, the machine/disk should be re-scanned to
> verify removal.
I would disagree on point b. - you should keep as up to date as there is.
Whilst the virii you are most likely to experience are "old" and widely
distributed, the newest scanner might one day save you from a very recent
hard disk trasher. Unfortunately, it is difficult to convince most users
(and "the powers that be") to go to the little extra trouble of updating
their external virus file (or the software itself) as often as possible
(unless they have been caught already).
> 2. Maintenance
>[good practices deleted]
> c. All diagnostic disks will have write protect tabs.
NO!! All such disks should be UNNOTCHED. Get one of your tech's to
bypass the write-protect switch on drive B: on ONE machine that is in
a very secure place. Make copies of diagnostics disks, installation
disks (more below) etc onto disks that have not been notched. It may
take a bit of effort on your part to find a supply, but do so and use
them. (We found a ready supply in our safe - multiple copies of
obsolete software packages like PC (IBM) DOS, PC-SAS.) For 3.5" disks
pry the slide thingy out. (That's what I don't like about 3.5" disks
compared to notchless 5.25" disks - a user with malicious intent can
easily disable write-protection and then enable it without leaving any
obvious signs of it).
> d. If software is being restored to someone's machine (like a backup,
> format, and then a restore) the disks should be checked for infection.
>
> 3. Installs
>[We install software - like PC SAS - on users' machines.
> a. When possible, install disks will have write protect tabs.
> b. When write protect tabs can not be used, the install disks will be
> checked for infection upon return.
>[Some software, like dBase 4 we found, writes to the install floppy during
>installation.]
> c. User's machine should be checked for infection.
>[This would take care of b .]
Similar comments as above re write-protect tabs. Installation
procedures that write to the installation disks are the pits. The
sooner that vendors take the virus threat seriously, and start
distributing their software on *unnotched* disks the better - McAfee
Associates, are you listening? Some software licences we have allow
us to install on many machines - we copy the original disks to
notchless ones and distribute these to the users who want to install
the programs. (We only do installation ourselves if specially asked -
we would spend all our time doing them otherwise.) This may seem
paranoid, but (before I started here) there was a case of the notched
but write-protected disks our working copy was on coming back
infected. The user had taken the tabs off the disks - because of past
experience with install programs that required write access to the
distribution disks - and dutifully stuck them back on when the
installation was complete. This was not an intentionally malicious
act.
>[further good practices deleted]
My recommendations above may seem a little strong for some, but I
would say you're kidding yourself if you think you don't have to go to
these lengths. Possible exception - *everyone* at your site who will
*ever* have access to your disks and/or machines *always* does
*everything* that *perfect* users *should* do. Get the point?
Can't remember where, but I read the following somewhere:
"Once is happenstance, twice is coincidence, three times is enemy action".
With virii, "Once is enemy action", and you have to be very careful if you
want to prevent that one event.
- ---------------------------------------------------------------------------
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
Internet: n.fitzgerald@csc.canterbury.ac.nz Phone: (64)(3) 642-337
------------------------------
Date: Thu, 31 Jan 91 03:53:55 +0000
From: hampster@wyatt.ksu.ksu.edu (Kip J Mussatt)
Subject: Re: Word Perfect and change checkers (PC?)
p1@arkham.wimsey.bc.ca (Rob Slade) writes:
>csw76@seq1.keele.ac.uk (J.C. Kohler) writes:
>
>> I'm using a Dutch version of WP 5.1, does anybody has an ideay why
>> F-XLOCK can't lock them, it displays an error message, which contains
>> something about a illegal header.
>
>All versions of Word Perfect (at least since 4.2) have had a self
>testing module on them. Neither F-XLOCK nor SCAN /AV nor any other
>slef checker that adds code to the program can be used on it, since
>the added code invalidates the internal self test.
If I am understanding you correctly, WP 4.2 and later versions should
be virus proof? If this is your assumption then why did we have an
epidemic of the Jeru II virus that infected almost every wp 4.2, 5.0,
and 5.1 at work? Again, if I am misunderstanding what you are saying
about WP product, then please clarify. If not, then could you please
shed some light on my question. Thanx
-KJM
------------------------------
Date: Thu, 31 Jan 91 09:29:14 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: New viruses (PC)
Well, folks - we now have around 400 PC viruses - currently we get on
the average one new virus per day, and the rate is increasing...maybe
we will have 1000 before the end of the year.
Anyhow - for users of F-PROT 1.14 - please add the following encrypted
signatures to the SIGN.TXT, to provide detection of the viruses I have
received since Jan 15th.
Hybryd iglMWj8jKMNAUHcZbj2AgYSdg9nmFsp7Ueys-pc3-ha7Iv
Akuku 3Ux5pMu5858HMj5MgXdA19n8x4ybN5YtMmkm6PpykupSZ6
SVC3.1 3Hxnv5u5uM749Lydm-SnY4PoYnOwIt7V5fUuMFxBWfZa9j
Paris iH15v5umAmruKeV504HK8eHKjrG8wEEjT5m2M5DsdwO+UO
Doom2 zU1MCmKMA5m8UVPmT5Xpp3cMgB7jUE0MTmURMVc5zv5nOk
Wolfman ZUo5pjKmujwA5fwOvjMMxl08fifY55pip5JWdwxhDU1eA7
MIX2 zw1NW58mAjwH4AuFV51rm6AtQlj5j62fXXjXFujf8gQelB
403 zHTkvju5AmvVgbS8Jl75nmwlrKxNc5N5gbED3mk5GKlYYn
ACAD-2576 3g6jpmKMAMa62XAcz5hkFSwRqqUNd0m5HNimvOSWGrAHYb
Ontario ZHJnWM-MimyuCuAwkj-28UnjxYjLwlMEWm1vRgKqE47UYK
Leprosy iHNjpjKmumoXO8rHxotuxiWmtHW5mK4bD51CMK4Em5tnCG
Perfume-731 Zwbjvju585fhqt5jjm7YpyNufwmMWj1jhOFtM53cOrmNYW
Spyer ZgJnC58Mu5O8JVTjTmEmih4YV+vPmo74O810TMkjYd3tFW
Ussr-1594 iUCTpmSMzmUkiMt26N5MURjKz7jaVpT8thP0bjfZcqbLHQ
Sentinel zHJkpM8mum4YIPgBEPjMNMfPgBRsB5NmauFwe6At5j+8ol
Monxla-B zHbmvjujKMSKWaQTjjWdfBe4Nb5uQg35XiMNWtMvSdIsbE
Xmas Viol 3HRmvjuMAjnN4saOj5m8BhgDStp5MMFPUD6i9UBHDhTVHV
------------------------------
Date: 31 Jan 91 09:32:51 -0500
From: "Otto.Stolz" <RZOTTO@DKNKURZ1.BITNET>
Subject: re: Antiviral product contact list (PC);
You wrote:
> The following is a list of antiviral product vendors, mostly for the
> PC line. [...]
> I would appreciate feedback on any errors or ommissions
I did not see one of my favourite products on your list:
Vendor: S&S International Ltd.
Berkley Court, Mill Street
Berkhamsted, Herts. HP4 2HB
England
Phone: +44 442 877 877
Fax: +44 442 877 882
(Note that address & phone have been changed around New Year
1991, so anybody having the old address in Chesham Bucks.,
please update your files!)
BBS: +44 494 724 946 (used to be -- still valid??)
E-Mail: Dr. Alan Solomon <DRSOLLY@IBMPCUG.CO.UK>
Product: Dr. Solomon's Anti-Virus Toolkit
A German variant of this product is also available:
Vendor: perComp Verlag GmbH
Holzm&LU17.hlenstra&LS61.e 84
2000 Hamburg 70
Germany
Phone: +49 40 693 2033
Fax: +49 40 695 9991
E-Mail: G&LU17.nter Mu&LS61.topf <percomp@infohh.rmi.de>
Product: Dr. Solomons Anti-Viren-Werkzeuge
where "&LU17." is u-Umlaut (looking like a small letter u with diaeresis)
and "&LS61." is German sharp-s (resembling a greek small beta)
I know, Ken's system will trash genuine Umlauts and sharp-s, so I had to
resort to this device ... :-(
The toolkit is regularly updated & comes with a detailed documentation.
It comprises tools for preventing, finding and removing viruses.
The virus-scanner provided with this toolkit is the fastest I've ever
seen; it's search-patterns are derived from the vendor's own research.
Please do not regard the above as advertising: I'm not affiliated or
otherwise economically connected to S&S, nor to perComp; I'm just a
satisfied user.
Btw, as it has been asked in VIRUS-L befor for information of this kind:
We also use F-PROT, and I'm pleased with it. I try to convince as many
users as possible to install F-DRIVER and F-OSCHK on their own computers
(so far I've not been successful enough), and I use Dr. Solomon's
FINDVIRU to cope with heavy virus incidents. I also use ancillary tools
from both packages.
A general remark:
For virus-specific tools, particularly virus-scanners, your final product
list should state
1. how often the tools will be updated;
2. where the virus-specific information is derived from.
ad 1: These days, we are experiencing an ever increasing flood of new
virus strains and variants. To cope with these new viruses, a
virus-specific tool has to be updated regurlarly -- actually more
often than any other product in the EDP market. I'd guess that we
will have to arrive at monthly updating in the near future.
ad 2: Many vendors take their search string from public sources. Now, two
virus-specific tools from two different vendors are essentialy the
very same thing when they exploit search patterns from the same
external source. Only a vendor who does his own research into
viruses and derives his own search patterns can offer a genuinely
particular product. And the more different scanners a user
applies, the more unknown variants of known viruses he is likely
to spot.
Best regards
Otto Stolz
------------------------------
Date: Thu, 31 Jan 91 10:30:43 -0500
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: Re: Infected vendor software (Mac)
THE GAR <GLWARNER@SAMFORD.BITNET> writes:
>BUT . . . SIMWARE's "SimMac 3.1 Application Disk" (Master Program),
>which I received on or about Jan 11 was infected! SAM reports that it
>was last altered on 12/21/90 at 12:55 PM. This INFURIATES me, as I
>had up until today always trusted the programs that come straight from
>the manufacturer sealed in the "Read Carefully BEFORE Opening" license
>envelope!
We have, many times, emphasized that manufacturers are human, too.
Always scan *everything* you get, no matter what the source!
--- Joe M.
------------------------------
Date: Thu, 31 Jan 91 10:05:43 -0700
From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: Weird Thing With F-Prot (PC)
This Wednesday I visited our Law school to check on problem with the
pong virus in their computer lab (three machines, not a big lab).
Each machine had a 5.25" drive and a 20 meg hard disk. I scanned the
machines, booting off a tabbed write-protected floppy in the A: drive.
I ran McAfee's Scan (version 4.5V6-B), said everything was ok. Out of
curiousity, I also ran F-FCHK and F-BOOT from the F-PROT package
(version 1.13). A funny thing happened: when F-FCHK came across the
file INSTALL.EXE from the PCPANEL package (something to do with
redirecting printer output) I got an error message saying it couldn't
write to the A: drive (the familiar "abort, retry, fail"). I ran it
again, same result. I ran it on another machine, same result when it
came across that file.
This is a bit weird. Didn't happen using Scan. Why should scanning a
file provoke a write attempt? I realize these are not the latest
versions of the packages, but I feel that to be irrelevant. Anyone
have any ideas?
+-----------------+ Richard Travsky
| | Division of Information Technology
| | University of Wyoming
| | Bitnet: RTRAVSKY @ UWYO
| | Internet: RTRAVSKY @ CORRAL.UWYO.EDU
| U W | (307) 766 - 3663 / 3668
| * | "Wyoming is the capital of Denver." - a tourist
+-----------------+ "One of those square states." - another tourist
Home state of Dick Cheney, Secretary of Defense of these here UNITED STATES!
------------------------------
Date: 31 Jan 91 17:31:37 +0000
From: jesse@altos86.Altos.COM ( Jesse Chisholm)
Subject: Re: Problem with virus checker (PC)
PERETTI%auvm.auvm.edu@VM1.gatech.edu (Brian J. Peretti) writes:
>A friend of mine is using the McAfee virus scan program on his computer. When
>he attempts to run the program, however, the program does not run. As soon as
>the line with the phone number comes up, some funny characters come onto the
>screen and then the c: prompt reappears. Whenever he puts a clean disk into
> the computer, the disk, when scanned on another machine, the stoned virus is
>on the disk. Does anyone have an answer to this problem?
>
>Thanks,
>Brian J. Peretti
Sounds to me like two things have happened.
(1) his machined has the STONED virus in its partition table
(2) the copy of SCAN that he has is damaged. He should call the
McAfee BBS and down load the current version as soon as
possible.
Since the STONED virus is there, he could go ahead and run the
CLEAN program to remove it. Then see if SCAN could detect any
more.
========================================================================
Jesse Chisholm | "Belief without understanding is superstition;
jesse@Altos86.Altos.COM | Understanding without belief is theology;
Tel 1-408-432-6200x4810 | It takes both for a living faith."
Fax 1-408-434-0273 | -- Dr. Wolfgang Gross
------------------------------
Date: 31 Jan 91 17:36:51 +0000
From: jesse@altos86.Altos.COM ( Jesse Chisholm)
Subject: Re: Stoned virus in partition table (PC)
The STONED (and other partition table) virus is tricky to get
rid of. I recommend getting the CLEAN program from McAfee
Associates.
McAfee Associates
4423 Cheeney Street
Santa Clara, CA 95054
408 988 3832 (voice)
408 988 4004 (BBS)
The current versions of SCAN and CLEAN may be downloaded. With
these the STONED virus can be removed without the hassle of
removing/losing data on the hard disk.
========================================================================
Jesse Chisholm | "Belief without understanding is superstition;
jesse@Altos86.Altos.COM | Understanding without belief is theology;
Tel 1-408-432-6200x4810 | It takes both for a living faith."
Fax 1-408-434-0273 | -- Dr. Wolfgang Gross
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 18]
*****************************************
