Hackers Underworld 2: Forbidden Knowledge

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Underworld 2: Forbidden Knowledge / Hackers Underworld 2: Forbidden Knowledge.iso / VIRUS / VI900906.TXT < prev next >

Wrap

Text File | 1990-11-23 | 188KB | 5,239 lines

Msg#: 2473 *Virus Info* 08-19-90 09:46:00 (Read 11 Times) From: PATRICIA HOFFMAN To: KEN DORSHIMER Subj: RE: CRC CHECKING <KD>the deal is that the invading program would have to know how the CRC <KD>your <KD>program uses works. otherwise it would have a (bytes changed!/bytes in <KD>file!) <KD>chance of succeeding, or somewhere in that neighborhood... <KD> Except in the case of Stealth Viruses....CRC checking doesn't work with them. Patti --- msged 1.99S ZTC * Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158) Msg#: 2474 *Virus Info* 08-19-90 09:50:00 (Read 9 Times) From: PATRICIA HOFFMAN To: SHEA TISDALE Subj: FILE ECHO? <ST>Hey, what happened to connecting my system to the file echo? <ST> <ST>I have sent numerous netmail messages to you since you sent the info <ST>on setting it up and have not had a reply yet. Recheck your netmail, I sent a reply after receiving the message "What is Tick?" indicating that you need to be running Tick in order to be able to participate in the file echo since that is how the files are processed and extra files go with the .zip files that carry the description. Tick is available from most SDS nodes. Patti --- msged 1.99S ZTC * Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158) Msg#: 2475 *Virus Info* 08-16-90 11:56:00 (Read 8 Times) From: MIKE DURKIN To: WARREN ANDERSON Subj: RE: INTERNET WORM > I am interested in obtaining the list of passwords used by the > Internet worm in the US. I am the administrator of several The list is in the McAfee/Haynes book ("computer viruses, worms...threats to your system") (pgs 89-91)... I'll type it in for you if you can't find the book locally... Mike --- RBBSMail 17.3A * Origin: The TeleSoft RBBS (RBBS 1:143/204) Msg#: 2476 *Virus Info* 08-19-90 14:51:00 (Read 9 Times) From: MIKE DURKIN To: JAMES DICK Subj: REPLY TO MSG# 2473 (RE: CRC CHECKING) > You might want to take a look at McAfee's FSHLD*.ZIP. This is a new > anti-virus program from the creator of SCAN that is designed > specifically for developers. It will build a 'shield' into an > application such that the application _cannot_ be infected and if it > does become infected, will remove that infection after execution but > prior to running. You will find it in the virus scanners area of many Jim... this is a little mis-leading... all programs will become infected but FSHLD will remove it for most viruses.. for viruses like 4096, FSHLD won't remove or even know/announce that the file is infected... When FSHLD can remove a virus, 'after execution but before running' really makes no difference since a resident virus will still go TSR and a direct action virus will still do it's infecting of other programs... But all things considered... I definately agree that FSHLD is a must have... Mike --- RBBSMail 17.3A * Origin: The TeleSoft RBBS (RBBS 1:143/204) Msg#: 2477 *Virus Info* 08-20-90 04:44:00 (Read 8 Times) From: KEN DORSHIMER To: PATRICIA HOFFMAN Subj: RE: SCANV66B RELEASED On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said: <KD>>does this mean i should erase the old scanv66 that i just d/l'd from <KD>>SDN? <KD>>:-( <KD>> PH> Yep, ScanV66 has a bug or two in it involving the validate codes it PH> can add to the end of files. The validate codes were not being PH> calculated correctly in PH> swell. think i'll wait for the next release. ps, you have net-mail waiting. :-) BTW why on earth would anyone take time off from a disneyland vacation to call a bbs? <grin> ...Your attorney is in the mail... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2478 *Virus Info* 08-20-90 04:46:00 (Read 9 Times) From: KEN DORSHIMER To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2476 (RE: CRC CHECKING) On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said: <KD>>the deal is that the invading program would have to know how the CRC <KD>>your <KD>>program uses works. otherwise it would have a (bytes changed!/bytes in <KD>>file!) <KD>>chance of succeeding, or somewhere in that neighborhood... <KD>> PH> Except in the case of Stealth Viruses....CRC checking doesn't work PH> with them. PH> i'd have to see that for myself. i think a complex enough algorithm would keep them at bay. the probability factor is just too low for such a stealth scheme to work. ...Your attorney is in the mail... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2479 *Virus Info* 08-20-90 04:50:00 (Read 9 Times) From: KEN DORSHIMER To: MIKE DURKIN Subj: REPLY TO MSG# 2478 (RE: CRC CHECKING) On 19-Aug-90 with bulging eyes and flailing arms Mike Durkin said: >> You might want to take a look at McAfee's FSHLD*.ZIP. This is a new >> anti-virus program from the creator of SCAN that is designed >> specifically for developers. It will build a 'shield' into an >> application such that the application _cannot_ be infected and if it >> does become infected, will remove that infection after execution but >> prior to running. You will find it in the virus scanners area of many MD> Jim... this is a little mis-leading... all programs will become MD> infected but FSHLD will remove it for most viruses.. for viruses like MD> 4096, FSHLD won't remove or even know/announce that the file is MD> infected... When FSHLD can remove a virus, 'after execution but before i have some misgivings about this particular protection scheme myself. i don't like embedding someone else's stuff into my executables, partly for licensing reasons. not to knock what is probably a good idea... ...Your attorney is in the mail... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2653 *Virus Info* 08-20-90 17:09:00 (Read 10 Times) From: TALLEY RAGAN To: MIKE MCCUNE Subj: RE: REMOVING JOSHI In a message to Philip Laird <08-16-90 14:09> Mike Mccune wrote: MM>> Just be sure to boot off a clean diskette to remove the MM>>virus from memory, otherwise the virus will not be removed. MM>> If RMJOSHI is used on an unifected hard drive, it will MM>>destroy the partition table. This next program, RETURN.COM MM>>will restore the partition table. MM>> I will post this program in my next listing...<MM>. Does this mean that RMJOSHI.COM, if run on an uninfected hard drive by it self is a virus? Talley --- ZAFFER v1.01 --- QuickBBS 2.64 [Reg] Qecho ver 2.62 * Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9) Msg#: 2654 *Virus Info* 08-21-90 09:32:00 (Read 10 Times) From: PATRICK TOULME To: MIKE MCCUNE Subj: RE: HAVE ANYONE TRIED SECURE ? MM> I have tried Secure and have found it to be the only interrupt moniter MM> that will stop all the known viruses. Mike perhaps you should add a caveat to that statement. Secure neither detects, nor does it stop, Virus-101. --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2655 *Virus Info* 08-21-90 12:11:00 (Read 8 Times) From: PAUL FERGUSON To: HERB BROWN Subj: KEYBOARD REMAPPING (AGAIN)... Herb, I stand corrected on that last bit of dialogue....You are correct, indeed.....But, you know what I mean along those lines of getting what you don't expect, whether damaging or not, NO ONE wants the unexpected on thier system.....Touche! -Paul ^@@^........ --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2656 *Virus Info* 08-21-90 22:29:00 (Read 10 Times) From: PATRICIA HOFFMAN To: YASHA KIDA Subj: AKA AND BBS HANDLES YK> What is the rule in this message echo concerning BBS HANDLES? YK> Would like some clarification, I have users expressing interest in YK> using bbs handles in this echo, since they are seeing them used . YK> As you can see I have not allowed this, feeling this echo to be YK> professial in nature. YK> YK> I understand the use of AKA names in this echo maybe needed. YK> YK> Example : YK> After my SITE Manager saw my interest in viruses, I was called in to YK> his office. After explaining my reseach, was to protect not to infect, YK> he relaxed. YK> [Note: the above quote is muchly editted....] Yasha, Aliases are ok in this echo, as long as the Sysop of the system where the messages originate knows who the user is and can contact him if the need arrises. I fully understand the sitation that you describe about your Site Manager...which is a fully valid reason to use an alias here. I used to use the alias of "Merry Hughes" for exactly that reason! Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2657 *Virus Info* 08-21-90 22:32:00 (Read 9 Times) From: PATRICIA HOFFMAN To: KEN DORSHIMER Subj: REPLY TO MSG# 2477 (RE: SCANV66B RELEASED) KD> swell. think i'll wait for the next release. KD> ps, you have net-mail waiting. :-) BTW why on earth would anyone take KD> time KD> off from a disneyland vacation to call a bbs? <grin> <laughing> I was eating dinner or lunch while entering those messages, then we went back to Dizzyland and Knott's. Besides, I had to see what you guys were up to while I was gone.....Mom instinct....what can I say? Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2658 *Virus Info* 08-22-90 18:21:00 (Read 8 Times) From: HERB BROWN To: PAUL FERGUSON Subj: REPLY TO MSG# 2655 (KEYBOARD REMAPPING (AGAIN)...) With a sharp eye <Aug 21 12:11>, Paul Ferguson (1:204/869) noted: PF>Herb, PF> I stand corrected on that last bit of dialogue....You are PF>correct, indeed.....But, you know what I mean along those lines of PF>getting what you don't expect, whether damaging or not, NO ONE wants PF>the unexpected on thier system.....Touche! PF>-Paul ^@@^........ I knew what you meant. Glad to know you do too. :-) ( No flame intended ) --- QM v1.00 * Origin: Delta Point (1:396/5.11) Msg#: 2659 *Virus Info* 08-22-90 05:37:00 (Read 8 Times) From: KEN DORSHIMER To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2657 (RE: SCANV66B RELEASED) On 21-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said: KD>> swell. think i'll wait for the next release. KD>> ps, you have net-mail waiting. :-) BTW why on earth would anyone take KD>> time KD>> off from a disneyland vacation to call a bbs? <grin> PH> <laughing> I was eating dinner or lunch while entering those PH> messages, then we went back to Dizzyland and Knott's. Besides, I had PH> to see what you guys were up to while I was gone.....Mom PH> instinct....what can I say? PH> did you go on the roller coaster at Knotts that looks like a corkscrew? my personal favorite after a big dinner. <erp!> in other news there was a report <<unconfirmed>> that there is a hack of lharc floating around called lharc190. might want to keep an eyeball open for it. what am i doing up at this hour? just got thru writting the docs for a program <yawn>. as usual, the program looks better than the docs. have fun, see ya. ...All of my dreams are in COBOL... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2660 *Virus Info* 08-20-90 15:40:00 (Read 9 Times) From: RON LAUZON To: PAUL FERGUSON Subj: RE: KEYBOARD REMAPPING.... yes, it is possible to re-map the keyboard from a remote system. However, most people are protected by this because the term program rather than ANSI.SYS is handling the ANSI escape sequences. If you are using a "dumb" terminal that has no terminal emulation and allowing ANSI.SYS to handle your screen formatting, you may be in trouble. --- Telegard v2.5i Standard * Origin: The Flight of the Raven (313)-232-7815 (1:2200/107.0) Msg#: 2661 *Virus Info* 08-21-90 20:29:00 (Read 8 Times) From: MARTIN NICHOL To: MICHAEL TUNN Subj: WHAT'S THE SOLUTION? mt said => It seems to me our Virus checking programs will just mt said => get bigger and bigger as more viruses and strains of mt said => the same viruses are discovered. If so (and if their mt said => development is excelerating) then we may find in the mt said => near future that it has become impossiable to deal mt said => with the outbreaks! mt said => Do we do develop new Operating Systems which are far mt said => more secure! Develope different virus scanning programs. Make them more generic where virus signatures/characteristics can be kept in a seperate file and the virus scanner just reads the file and interprets it accordingly. --- * Origin: JoJac BBS - (416) 841-3701. HST Kettleby, ON (1:250/910) Msg#: 2683 *Virus Info* 08-22-90 22:55:00 (Read 8 Times) From: FRED ENNIS To: ALL Subj: VIRUS-486COMP.* FORWARDED BY James Dick of 1:163/118 QUOTE ON I've been informed by "reliable sources" that there's a file floating around called 486COMP.* (select your favourite packing method) which claims to "show you the difference between your machine and a 486". . When run, the program flashes a "too big for memory" message, and aborts. . Then, the next time you boot, you're informed that you have the "Leprosy 1.00" virus which then hangs the machine. . After you manage to boot from a floppy, you find that COMMAND.COM has been altered, although the date, time, and size appear not to have been changed. Just thought you'd like to know. Cheers! Fred --- msged 1.99S ZTC * Origin: Page Six, POINT of order Mr. Speaker (1:163/115.5) Msg#: 2684 *Virus Info* 08-22-90 11:07:00 (Read 8 Times) From: SHEA TISDALE To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2474 (FILE ECHO?) Thanks Patricia... I am all ready to go now. Just poll your board? --- * Origin: >- c y n o s u r e -< 919-929-5153 <XRS> <HST> (1:151/501) Msg#: 2685 *Virus Info* 08-20-90 21:50:00 (Read 9 Times) From: TOM PREECE To: PAUL FERGUSON Subj: RE: KEYBOARD REMAPPING VIA COMMUNICA I can't help but wonder if Herb was experiencing something that suggested that kind of remapping. Lately I have been experiencing keyboard problems that seem to act like that. When I use my down or left arrow the \ and | symbols toggle. I can correct this when it happens by hitting the left hand shift key - but not the right. And tonight it seems as if I am occaissionaly transposing caps on and off. If either of you hears a virus like this I'd like to know. Q&A tested my memory and keyboard fine. Scanv66 detected nothing. --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#: 2738 *Virus Info* 08-23-90 23:49:00 (Read 7 Times) From: PHILLIP LAIRD To: PATRICIA HOFFMAN Subj: ONTARIO VIRUS Patty, have you heard of such a Virus? I was in the TAG Support Echo and saw a message about a TAG Sysop who contracted that virus. Any Info? Supposedly the Virus is scanned in version SCANV66.ZIP. ???? --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 2739 *Virus Info* 08-22-90 12:55:00 (Read 7 Times) From: PAUL FERGUSON To: EVERYONE Subj: MOM! Patti- Mom, huh?...What can you say?..It seems it has already been said! -Paul <wide grin on this one> --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2740 *Virus Info* 08-23-90 12:06:00 (Read 8 Times) From: PAUL FERGUSON To: TOM PREECE Subj: REMAPPING... Hello, Tom... . More than likely there was nothing like that at all. Keyboard remapping is an extremely complicated process and would take more than forethought on the part of the programmer. What you have seen us talking about here is figurative at best and personally, I would have to see it to believe it. (you know the old saying: "Believe none of what you hear and only half of of what you see."?) Although I do believe that is quite possible under the proper circumstances, it would indeed be a rare occurance. Sometimes when receiving odd characters during telecommunications or not getting the exact same keys that you typed could be attributed to disparity (parity differences), differing data bits, stop bits, or even simply ANSI interpretation problems between Comm Programs. I've seen the smallest, simplest things like that have people pulling their hair out by the roots! . .....Clarke's Third Law Any sufficiently advanced technology is indistinguishable from magic. . . -Paul ^@@^........ --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2741 *Virus Info* 08-17-90 01:51:00 (Read 8 Times) From: YEN-ZON CHAI To: DOUG BAGGETT Subj: ANTI VIRUS VIRUSES DB> well..here is a question..where exactly did viruses originate DB> anyway..was it in this country or others? Probably where hacker exists, virus exists. --- outGATE v2.10 # Origin: SIGnet International GateHost (8:7501/103) * Origin: Network Echogate (1:129/34) Msg#: 2742 *Virus Info* 08-22-90 17:49:00 (Read 8 Times) From: KEVIN HIGGINS To: MIKE MCCUNE Subj: REPLY TO MSG# 2654 (RE: HAVE ANYONE TRIED SECURE ?) I took a look at it, but to be realistic, when you run a BBS, or are continuously updating your files as new releases come out, you could easily get to the point where you spend more time reconfiguring the anti-virus program than you would getting any work done. I find it much more efficient to scan every file for viruses as soon as I get it on my system, then rezip it, if I'm not going to use it... a simple .bat file can be used such that if you want to check multiple files, you can just feed the file names on the command line and let the .bat file take care of unzipping, scanning and rezipping the file. Be best if someone would write a program that would do this, but I haven't found one yet. Kevin --- TAGMAIL v2.40.02 Beta * Origin: The Hornet's Nest BBS (1:128/74) Msg#: 2743 *Virus Info* 08-22-90 21:52:00 (Read 8 Times) From: CY WELCH To: PAUL FERGUSON Subj: REPLY TO MSG# 2660 (KEYBOARD REMAPPING....) In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote: PF> Isn't it possible to remap some (or any) keyboard functions via PF> communications with some funky ANSI control characters?....I seem to PF> remember mention of this somewhere.....I really can't remember if was PF> in the form of a question, though, or an answer.....It also made PF> mention of PKWares' Safe-ANSI program...Somebody help us out here... I think most of the "FAST" ansi replacements do not have the keyboard remapping so that danger is removed in those cases. --- XRS! 3.40+ * Origin: Former QuickBBS Beta Team Member (99:9402/1.1) (Quick 1:125/122.1) Msg#: 2744 *Virus Info* 08-24-90 15:14:00 (Read 8 Times) From: PATRICIA HOFFMAN To: ALL Subj: VIRUS RESCUE & F-PROT RELEASES The latest version of Fridrik Skulason's F-PROT anti-viral program is now available for download from my system as FPROT112.ZIP. The program can also be file requested as F-PROT, which will always return the latest copy I have available. This program is actually a "suite" of programs for use in preventing and detecting viruses and trojans. The program originates in Iceland, and so updates to it reaching my system for distribution have been rather sporatic. The other new anti-viral program available on my system is Virus Rescue. Virus Rescue is from Tacoma Software, and is a shell for invoking ViruScan, CleanUp, and VCopy from McAfee Associates. Unlike other shell programs I've seen, this one should not require updates every time a new release of Scan comes out. It picks up its virus information from the VIRLIST.TXT file which is packaged with Scan and CleanUp. It will be handy for those who have trouble with the Scan and CleanUp command line switches, or who want the VIRLIST.TXT information converted to english sentences. This is a first public release, so I expect we may see some changes in this product in the future. Virus Rescue can be downloaded from my system as RESQ01.ZIP. Both programs are also file requestable by other systems. File requests should ask for magic file names as follows: F-PROT for the latest copy of F-PROT (currently FPROT112.ZIP) RESCUE for the latest version of Virus Rescue Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2745 *Virus Info* 08-24-90 23:37:00 (Read 9 Times) From: KEN DORSHIMER To: KEVIN HIGGINS Subj: REPLY TO MSG# 2742 (RE: HAVE ANYONE TRIED SECURE ?) On 22-Aug-90 with bulging eyes and flailing arms Kevin Higgins said: KH> I took a look at it, but to be realistic, when you run a BBS, or are KH> continuously updating your files as new releases come out, you could KH> easily get to the point where you spend more time reconfiguring the KH> anti-virus program than you would getting any work done. I find it KH> much more efficient to scan every file for viruses as soon as I get it KH> on my system, then rezip it, if I'm not going to use it... a simple KH> .bat file can be used such that if KH> KH> you want to check multiple files, you can just feed the file names on KH> the command line and let the .bat file take care of unzipping, KH> scanning and rezipping the file. Be best if someone would write a KH> program that would do this, but I haven't found one yet. Kevin KH> sounds like a plan to me. it would actually be fairly simple to write a program to look at all the files in your upload directory, unpack them based on the extension, scan them, then re-compress them (if needed). of course you'd still have to manually put the now scanned files into the proper catagory directories yourself. when do you need it and what's it worth? :-) ...All of my dreams are in COBOL... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2746 *Virus Info* 08-23-90 15:23:00 (Read 8 Times) From: MIKE MCCUNE To: TALLEY RAGAN Subj: REPLY TO MSG# 2653 (RE: REMOVING JOSHI) No, it just modifies the partition record to remove the virus. If the virus isn't there, it still modifies the partition record. Return.com just reverses the modifications done to the partition table. I will post an improved version of RMJOSHI that scans the partition record for the virus before modifying it...<MM>. --- KramMail v3.15 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#: 2747 *Virus Info* 08-23-90 15:26:00 (Read 8 Times) From: MIKE MCCUNE To: PATRICK TOULME Subj: REPLY TO MSG# 2745 (RE: HAVE ANYONE TRIED SECURE ?) Maybe I should say all virus that are in the "public domain". Virus 101 is a research virus that only a few people have (and you wrote). Nothing is fool proof but Secure is better than any other interrupt moniter. --- KramMail v3.15 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#: 2748 *Virus Info* 08-23-90 07:01:00 (Read 8 Times) From: YASHA KIDA To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2656 (AKA AND BBS HANDLES) In a message of <21 Aug 90 22:29:34>, Patricia Hoffman (1:204/869) writes: PH> PH> Yasha, Aliases are ok in this echo, as long as the Sysop of the system PH> where the messages originate knows who the user is and can contact him PH> if the need arrises. I fully understand the sitation that you PH> describe about your Site Manager...which is a fully valid reason to PH> use an alias here. I used to use the alias of "Merry Hughes" for PH> exactly that reason! PH> PH> Patti I understand AKA names like "MERRY", but I speak of HACKER HANDLES. like "LINE RUNNER", "DATA BYTE" etc... I must have misunderstood FIDO ECHO POLICY either way I will drop the subject. Yasha Kida --- msged 1.99S ZTC * Origin: Bragg IDBS, (FT. Bragg, NC - we're gonna kick some booty) (1:151/305) Msg#: 2749 *Virus Info* 08-08-90 23:23:00 (Read 7 Times) From: ALAN DAWSON To: DAVID SMART Subj: RE: VIRUS SCANNERS.... DS> You can't win on this! I've been downloading for quite a while DS> - always running a virus checker on the information. So, where DS> did our virus come from? Off a shrink-wrapped anti-virus DS> diskette one of our guys picked up in the US! Nothing new about this, as people learn all the time. One MAJOR company (really big, really well known) has shipped shrink-wrapped viruses twice -- once on purpose! Shrink wrap doesn't keep the bugs out. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 2750 *Virus Info* 08-08-90 23:31:00 (Read 7 Times) From: ALAN DAWSON To: PATRICIA HOFFMAN Subj: SCAN WEIRDNESS (All answers gratefully received despite the TO: line) Anybody heard of this? I've got a floppy with some viruses on it, among them a SCAN-known Dark Avenger. I SCAN this floppy from the C drive, and the "hey, nothing to worry about there" report comes back. Strange. I SCAN it again. This time 'round, SCAN barfs after 64K of the memory check, telling me Dark Avenger is in memory, power down, load the .45, get the cyanide tablet ready and so on. But DA of course is NOT in memory or active in any way. It is, however, on the floppy, unrun. The above occurred with SCANV64. Out of curiosity, I cranked up SCAN-54 and -- EXACTLY the same result. AST Bravo 286, no TSRs, nothing else loaded, clean (normal) boot just performed. I have a bunch of viruses that I don't expect SCAN to find -- ever. But this kind of thing has never happened to me before. Can anyone match this story, or event? --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 2751 *Virus Info* 08-26-90 00:59:00 (Read 7 Times) From: STEVEN TREIBLE To: KEN DORSHIMER Subj: VOICE NUMBER Ken, I haven't mailed the disk yet as you can see. I'd like to have your voice # so I can talk to instead of sending Net Mail. Thanks, Steve. --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#: 2752 *Virus Info* 08-25-90 06:10:00 (Read 8 Times) From: SANDY LOCKE To: HERB BROWN Subj: RE: COMMUNICATION VIRALS PH> However, unless one of the above is occurring, just connecting via PH> telecom to a system won't directly transmit a virus.... PH> HB> Well, that is not exactly what I meant. Sorry for the miscommunicatio HB> should have used an example. I'll have to dig for some old documentat HB> about z-modem when it first came out. I seem to remember it stating t HB> locked the directory that a file was able to go to when being download HB> has something to do with the structure of a .EXE file, or something. HB> to also remember that it was possible to have the .exe "go were it wan HB> as defined by this structure. Thus, having some of the file go to a c HB> part of a drive or memory. It seems wild, but without the docs I read HB> can't give any details. Thought maybe you could shed some light on th Well considering that I am hosting chuck forsberg today ... hes down here for the sco developer forum I will put the question to him directly... but as one of the suggestors for feature addition to the protocol in another personna... ZMODEM will INDEED allow one to transmit a FULL path name... however this is mitigated by the ability on the receiving end to override the transmitted pathname spec... I dont really see a problem here... and when I put the question to chuck I dont see where he will see one either... btw READ the DSZ DOCS and register the product... that will turn on ALL the neat zmodem features... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2753 *Virus Info* 08-25-90 06:18:00 (Read 15 Times) From: SANDY LOCKE To: SKY RAIDER (Rcvd) Subj: RE: VIRUS ORIGINALS SR> Doug, SR> It is my belief that viruses originated in the early days of computing SR> effort to see what kind of stuff could be done with them, a group of SR> programmers (financed by the US government as I recall) institued a se SR> programs that would attempt to 'beat' others in taking over a computer SR> system. These programs led to a gaming system known as the CORE WARS. SR> today there is an International Core Wars Society. SR> I think it can be easily seen how a program to destroy/circumvent a st SR> operating system can develope into a virus. SR> I tried to double check this information for accuracy, names, dates, e SR> but it seems I have deleted this file. I will try to get further info SR> you, but beleive this info is shrouded in secrecy, and may be hard to SR> relocate. SR> So, the original viruses did come from the US (and even possibly with SR> government help). SR> Ivan Baird SR> * Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K> SR> (1:255/3) WHAT a LOAD of UNADULTERATED CRAP... redcode is simply a GAME created by bored programmers... ORIGINAL CORE WARS games were created as far back as 1969 back on the OLD IBM 360 architectures under both OS/MFT and OSMVT OS's... neither had anything to do with so-called secret financing by the US government...BTW I was AROUND and A Systems Programmer during that period... we created our own versions when we heard of the rumours... it was an old system programmers game designed to give Egotistal programmers some lighthearted fun... at this point ALL code ran in real Address space and redcode hadnt even been though of... the MUCH later article by Scientific American in 1979 gave this fun with out harm via the redcode interpreter implemented on early 6502 and 8080 systems... really... I am going to have to move to canada... sounds like there are some really potent and fun drugs in circulation up there... jeese... what a simp... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2754 *Virus Info* 08-25-90 06:19:00 (Read 14 Times) From: SANDY LOCKE To: STEVE HOKE Subj: REPLY TO MSG# 2752 (RE: COMMUNICATION VIRALS) SH> In a message to Herb Brown <15 Aug 90 17:44:00> Patricia Hoffman wrote PH> The only way a virus could be directly transmitted via a PH> telecommunications link ... PH> is if the particular "service" has a feature where they upgrade PH> their software on your system when you connect. SH> Is there any commercial system that does this? I don't know of one, bu SH> like to know what types of systems to be wary of. SH> Steve just one word for you... PRODIGY avoid it like the plague... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2755 *Virus Info* 08-25-90 06:25:00 (Read 9 Times) From: SANDY LOCKE To: MIKE MCCUNE Subj: REPLY TO MSG# 2747 (RE: HAVE ANYONE TRIED SECURE ?) MM> I have tried Secure and have found it to be the only interrupt moniter MM> that will stop all the known viruses. It won't stop the boot viruses, MM> obviously (because a boot virus loades before Secure does), but it wil MM> detect them as soon as Secure is loaded. Secure is hard to configure, MM> but once it is configured, it will give few false alarms. With string MM> scanners becoming increasingly easy to defeat, Secure may be the way t MM> go for virus protection...<MM>. well kiddies... a certain couple of anti-viral types on HOMEBASE BBS managed to sting SECURE with modified version of JER-B... one of them continues to find holes with the same tool... SECURE is simply NOT SECURE... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2756 *Virus Info* 08-25-90 06:31:00 (Read 9 Times) From: SANDY LOCKE To: KEN DORSHIMER Subj: REPLY TO MSG# 2479 (RE: CRC CHECKING) KD> On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman sai KD> <KD>>the deal is that the invading program would have to know how the KD> <KD>>your KD> <KD>>program uses works. otherwise it would have a (bytes changed!/by KD> <KD>>file!) KD> <KD>>chance of succeeding, or somewhere in that neighborhood... KD> <KD>> PH> Except in the case of Stealth Viruses....CRC checking doesn't work PH> with them. PH> KD> i'd have to see that for myself. i think a complex enough algorithm wo KD> keep them at bay. the probability factor is just too low for such a st KD> scheme to work. KD> ...Your attorney is in the mail... check out Gilmore Data Systems in LA authors of the OLD FICHECK and XFICHECK... the techniques is called CRC padding after the addition of the viral code the file is padded with a given number of bytes to make the CRC Polynomial come out with the same result... the FCB is then Patched to the original file length leaving nothing for standrad CRC checkers to detect... Childs play really... sandyp.s. in the case of most stealth viruses... the file read code is simply altered to disinfect the file as the CRC checking program reads it... agains simply childs play... --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2757 *Virus Info* 08-25-90 06:32:00 (Read 10 Times) From: SANDY LOCKE To: PATRICK TOULME Subj: REPLY TO MSG# 2755 (RE: HAVE ANYONE TRIED SECURE ?) MM> I have tried Secure and have found it to be the only interrupt moniter MM> that will stop all the known viruses. PT> Mike perhaps you should add a caveat to that statement. Secure PT> neither detects, nor does it stop, Virus-101. Right on Patrick... sandy p.s. Damn nice design on the code complex as HELL.... --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2758 *Virus Info* 08-25-90 06:36:00 (Read 9 Times) From: SANDY LOCKE To: PAUL FERGUSON Subj: REPLY TO MSG# 2740 (RE: REMAPPING...) PF> Hello, Tom... PF> . PF> More than likely there was nothing like that at all. Keyboard PF> remapping is an extremely complicated process and would take more than PF> forethought on the part of the programmer. What you have seen us PF> talking about here is figurative at best and personally, I would have PF> to see it to believe it. (you know the old saying: "Believe none of PF> what you hear and only half of of what you see."?) Although I do PF> believe that is quite possible under the proper circumstances, it woul PF> indeed be a rare occurance. Sometimes when receiving odd characters PF> during telecommunications or not getting the exact same keys that you PF> typed could be attributed to disparity (parity differences), differing PF> data bits, stop bits, or even simply ANSI interpretation problems PF> between Comm Programs. I've seen the smallest, simplest things like PF> that have people pulling their hair out by the roots! PF> . PF> .....Clarke's Third Law PF> Any sufficiently advanced technology is indistinguishable from PF> magic. PF> . PF> . PF> -Paul ^@@^........ well paul normally on hombase you are quite lucid... but as a long time programmer I can testify the keyboard mapping is really quite simple... no real problem and the business of using terminal control code is quite as simple... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2759 *Virus Info* 08-25-90 06:39:00 (Read 9 Times) From: SANDY LOCKE To: CY WELCH Subj: REPLY TO MSG# 2743 (RE: KEYBOARD REMAPPING....) CW> In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote: PF> Isn't it possible to remap some (or any) keyboard functions via PF> communications with some funky ANSI control characters?....I seem to PF> remember mention of this somewhere.....I really can't remember if was PF> in the form of a question, though, or an answer.....It also made PF> mention of PKWares' Safe-ANSI program...Somebody help us out here... CW> I think most of the "FAST" ansi replacements do not have the keyboard CW> remapping so that danger is removed in those cases. Well if you are referring to FANSI.SYS by hershey Microsystems it too is vunerable to remap effects... and since it implemnt FULL ANSI 3.64 terminal control codes plus some extensions it is even more vunerable to a whole class of tricks that go way beyond noremally keyboard remapping... but to there credit they ahve include a way to turn this "FEATURE" OFF... just most users get it off a BBS and never order or look at the 50.00 set of docs that come when you pay for the products... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2760 *Virus Info* 08-25-90 08:49:00 (Read 9 Times) From: PATRICIA HOFFMAN To: PHILLIP LAIRD Subj: REPLY TO MSG# 2738 (ONTARIO VIRUS) PL> Patty, have you heard of such a Virus? I was in the TAG Support Echo PL> and saw PL> a message about a TAG Sysop who contracted that virus. Any Info? PL> Supposedly the Virus is scanned in version SCANV66.ZIP. Yep, I've heard of this one....I was the one that named it after it was submitted by Mike Shields (Sysop of 1:244/114). Ontario is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. Infected .COM files will increase in length by 512 bytes. Infected .EXE files will increase in length between 512 bytes and 1023 bytes on disk drives with standard 512 byte sectors. When files are infected, the virus adds itself to the end of the program, and then places a jump at the beginning so that the virus's code will always execute before the program that was infected. Ontario is not a low-system memory TSR, it goes memory resident installing itself at the top of free memory, but below the 640K line. Available free memory will decrease by 2,048 bytes. Once the virus has installed itself in memory, any program which is executed will then become infected. It was reported with the sample I received from Mike that infected systems may experience hard disk errors, but I was unable to duplicate that here. This may only happen in severe infections, I try not to let them get that severe when I'm working with a virus :-). Scan V66 and above can detect the Ontario Virus on both .COM and .EXE files. Unfortunately, Ontario is one of the viruses that uses a "double-encryption" technique to prevent scanners from being able to use a search string to detect it, so there isn't a simple way to find it with a hex string and a utility such as Norton Utilities. As of right now, there aren't any disinfectors available for the Ontario virus, so if you happen to be infected with it you need to remove the infected programs and replace them with clean copies from your uninfected backups or original write-protected distribution diskettes. A more complete description of the Ontario virus is in VSUM9008, which was released on August 10. The above is just off of the top of my head, which happens to hurt right now. Hope it is understandable..... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2761 *Virus Info* 08-25-90 09:02:00 (Read 10 Times) From: PATRICIA HOFFMAN To: YEN-ZON CHAI Subj: REPLY TO MSG# 2741 (ANTI VIRUS VIRUSES) YC> DB> well..here is a question..where exactly did viruses originate YC> DB> anyway..was it in this country or others? YC> YC> Probably where hacker exists, virus exists. YC> Well, the two oldest known viruses for MS-DOS are the Pakistani Brain and VirDem. The Brain is from Pakistan, VirDem from West Germany. Both of these originated in 1986. Both have known authors. The viruses from 1987 include Jerusalem and the Suriv series from Israel, Alameda/Yale from the United States, and 405 from Austria or Germany. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2762 *Virus Info* 08-25-90 09:07:00 (Read 10 Times) From: PATRICIA HOFFMAN To: KEVIN HIGGINS Subj: REPLY TO MSG# 2757 (RE: HAVE ANYONE TRIED SECURE ?) KH> I took a look at it, but to be realistic, when you run a BBS, or KH> are continuously updating your files as new releases come out, you KH> could easily get to the point where you spend more time reconfiguring KH> the anti-virus program than you would getting any work done. I find it KH> much more efficient to scan every file for viruses as soon as I get it KH> on my system, then rezip it, if I'm not going to use it... a simple KH> .bat file can be used such that if you want to check multiple files, KH> you can just feed the file names on the command line and let the .bat KH> file take care of unzipping, scanning and rezipping the file. KH> Be best if someone would write a program that would do this, but I KH> haven't found one yet. You might want to take a look at CheckOut and Shez. CheckOut uses ViruScan to check .ARC, .PAK, .ZIP, .LZH, and other archive formats for viruses by automatically creating a temporary directory and unarchiving the file to it. It then invokes Scan to check the executable files. One of its nice features is that it will never invoke a program in that temporary directory, as well as you can have it either delete an infected file or move it to a badfiles directory. It will also find archives which are damaged for you. It can be invoked easily from a .BAT file, such as if you want to run it at midnight against all new uploads. Shez is another program which can be used to scan inside archives. It is interactive, so you need to manually invoke it. After you have selected the archive and listed the contents, hitting ctrl-Z will result in Scan checking the contents. There are other scanning shells which handle archived files, though these are the two that I've used regularly and are the most familiar with. I was also involved in the beta testing of CheckOut with some known to be infected files, and it does function properly in that instance. I've also tested Shez with infected files, and it works well.... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2763 *Virus Info* 08-24-90 16:53:00 (Read 8 Times) From: PRAKASH JANAKIRAMAN To: ALL Subj: LEPROSY Exactly what is the Leprosy virus supposed to do? I was informed that it had been included in McAfee's latest version of Scan, but, having never used Scan before in my life, and never having encountered a virus, are there "symptoms", shall we say, caused by the Leprosy virus, or for any virus? If there is a textfile explaining what each virus is capable of doing, and how it can be detected, I'd like to get a copy of it, if any of you know where I can get something of that sort. Also, does anyone have the number to McAfee's BBS? I'd like to become a user over there as well. (I remember it being in the 408 area code, but I can't recall the actual number). Anyways, thanks a bunch, all... Prakash --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#: 2896 *Virus Info* 08-26-90 20:55:00 (Read 9 Times) From: HERB BROWN To: SANDY LOCKE Subj: REPLY TO MSG# 2754 (RE: COMMUNICATION VIRALS) With a sharp eye <Aug 25 06:10>, Sandy Locke (1:204/869) noted: SL> Well considering that I am hosting chuck forsberg today ... hes down SL>here for the sco developer forum I will put the question to him SL>directly... but as one of the suggestors for feature addition to the SL>protocol in another personna... ZMODEM will INDEED allow one to SL>transmit a FULL path name... however this is mitigated by the ability I have the understanding that other protocols would do this, not by choice. Without the security on the recieving end, this could be disasterous, to say the least.. I would be happy to hear what you find.. Speaking of registering zmodem, is it still free to sysops? You can asnwer that in net-mail.. :-) --- QM v1.00 * Origin: Delta Point (1:396/5.11) Msg#: 2897 *Virus Info* 08-24-90 13:39:00 (Read 7 Times) From: MIKE MCCUNE To: VESSELIN BONTCHEV Subj: REPLY TO MSG# 2746 (REMOVING JOSHI) In your recent letter to me you wrote to me you suggested that I check for the virus before trying to remove it. Now that I've got a working copy of the Joshi (and don't have to let someone else test RMJOSHI), I rewrote the program to check for the virus first. mov dx,80h mov cx,1h mov bx,200h mov ax,201h int 13h or ah,ah jnz read_error es: cmp w[bx],1feb jnz no_virus mov cx,000ah mov ax,301h int 13h or ah,ah jnz write_error mov cx,9h mov ax,201h int 13h or ah,ah jnz read_error mov cx,1h mov ax,301h int 13h or ah,ah jnz write_error mov ah,9h lea dx,remove_message int 21h int 20h remove_message: db 'Joshi Removed$' no_virus: mov ah,9h lea dx,virus_message int 21h int 20h virus_message: db 'Joshi not found$' read_error: mov ah,9h lea dx,read_message int 21h int 20h read_message: db 'Read Error$' write_error: mov ah,9h lea dx,write_message int 21h int 20h write_message: db 'Write Error$' I wrote it for the shareware A86, but it should assemble under MASM, TASM or WASM with minor modifications. Next I will scan the memory for the virus because the remover won't work while the virus is active in memory....<MM>. --- Opus-CBCS 1.13 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#: 2898 *Virus Info* 08-25-90 23:46:00 (Read 6 Times) From: TALLEY RAGAN To: MIKE MCCUNE Subj: REPLY TO MSG# 2897 (RE: REMOVING JOSHI) In a message to Talley Ragan <08-23-90 15:23> Mike Mccune wrote: MM>>No, it just modifies the partition record to remove the virus. MM>>If the virus isn't there, it still modifies the partition MM>>record. Thanks for the information. That clears up the question just fine. Talley --- ZAFFER v1.01 --- QuickBBS 2.64 [Reg] Qecho ver 2.62 * Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9) Msg#: 2899 *Virus Info* 08-23-90 17:31:00 (Read 6 Times) From: DAVID BURGESS To: MARTIN NICHOL Subj: REPLY TO MSG# 2661 (WHAT'S THE SOLUTION?) In a message to michael tunn <21 Aug 90 20:29:00> Martin Nichol wrote: MN> mt said => It seems to me our Virus checking programs will just MN> mt said => get bigger and bigger as more viruses and strains of MN> mt said => the same viruses are discovered. If so (and if their MN> mt said => development is excelerating) then we may find in the MN> mt said => near future that it has become impossiable to deal MN> mt said => with the outbreaks! MN> mt said => Do we do develop new Operating Systems which are far MN> mt said => more secure! MN> Develope different virus scanning programs. Make them more generic MN> where virus signatures/characteristics can be kept in a seperate MN> file and the virus scanner just reads the MN> file and interprets it accordingly. That opens the door to having the virus scanner or part of the virus scanner to become contaminated. --- [Q] XRS 3.40 * Origin: Eurkea! I've found the secret elephant playground (RAX 1:124/3106.6) Msg#: 2900 *Virus Info* 08-17-90 21:06:00 (Read 6 Times) From: CHRIS BARRETT To: PATRICIA HOFFMAN Subj: RE: VIRUCIDE V1.2 Thanks for the info.. If ya remeber the name could ya tell us it.. I think i'll stick with the ScanV?? and CleanP?? for now then.. Chris.. --- TBBS v2.1/NM * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654) Msg#: 2901 *Virus Info* 08-17-90 06:26:00 (Read 6 Times) From: ZEBEE JOHNSTONE To: ALL Subj: MAC VIRUS Anyone know anything about a mac virus which: Sets the delete flag on any folder with a name which starts with the letter "o" or higher (eg system...) IT doesn't actually delete the folder, the machine will still boot, but the folder is missing from the desktop and the delete flag is set. Weird one hmm? --- * Origin: Lighten up! What man can make, man can break! (3:680/813) Msg#: 2902 *Virus Info* 08-19-90 22:31:00 (Read 6 Times) From: BRENDON THOMPSON To: PATRICIA HOFFMAN Subj: "STONED 2" Patti, I sent you a message the other day about a new variant of "Stoned" that I found in Christchurch, New Zealand. It had reference to some "S & S program for testing anti-virus software" and the phone number 0494 791900 in it. I have since had the time to pull it to bits, and it is only the original "Stoned" virus. The code at the start of the sector is still the same, but some clown has modified the message after location 65H. I'm still pleased to send you a specimen by airmail if you like, but it ain't "Stoned 2". Regards.. ... Doon. --- Via Silver Xpress V2.26 * Origin: TONY'S BBS - Gateway to New Zealand. (3:770/101) Msg#: 2903 *Virus Info* 08-19-90 09:25:00 (Read 6 Times) From: DONALD ANDERSON To: FRIAR NESTOR Subj: RE: LOOKIN' FOR FUN? I always looking for fun --- KramMail v3.15 * Origin: get real (3:621/221.0) Msg#: 2904 *Virus Info* 08-26-90 23:36:00 (Read 7 Times) From: GLENN JORDAN To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2761 (ANTI VIRUS VIRUSES) PH> The Vacsina Viruses were written in Bulgaria to seek out and destroy PH> certain other viruses, or at least that was their original purpose. In examples of the VACSINA virus I have investigated, I have found the following odd behavior, which I wonder if you have also noted : .COM files of over a certain size are infected at first bite, but .EXE files are different. It takes two Exposures to infect an .EXE file, each of which adds a bit to the file length, but only at the second exposure do you get a live virus, signaled by a short beep. A tiny .EXE will take the first exposure, but never complete on a subsequent exposure to become a live virus. I wonder if in some way this behavior, which I have not seen in any other viruses so far, is in some way related to the original "anti-virus" nature of this beast ? --- XRS 3.30-DV (286) * Origin: Jordan Computer Consulting (RAX 1:151/223.3) Msg#: 2905 *Virus Info* 08-26-90 07:54:00 (Read 6 Times) From: KEN DORSHIMER To: SANDY LOCKE Subj: REPLY TO MSG# 2756 (RE: CRC CHECKING) On 25-Aug-90 with bulging eyes and flailing arms Sandy Locke said: SL> check out Gilmore Data Systems in LA authors of the OLD FICHECK and SL> XFICHECK... the techniques is called CRC padding after the addition of SL> the viral code the file is padded with a given number of bytes to make SL> the CRC Polynomial come out with the same result... the FCB is then SL> Patched to the original file length leaving nothing for standrad CRC SL> checkers to detect... Childs play really... sandyp.s. in the case of SL> most stealth viruses... the file read code is simply altered to SL> disinfect the file as the CRC checking program reads it... agains SL> simply childs play... SL> could you send me this article? i still believe that the virus would have to know your crc algorithm in order to perform this magic. additionally if the file is padded, it's size would increase and would be detected that way. correct? sooo, the person writting the virus would require a copy of your file to disassemble, see how you performed your checks, then create a means to circumvent it. sounds like a lot of trouble to me for very little gain. catch ya on the rebound. ...All of my dreams are in COBOL... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2906 *Virus Info* 08-26-90 23:58:00 (Read 6 Times) From: KEN DORSHIMER To: STEVEN TREIBLE Subj: REPLY TO MSG# 2751 (RE: VOICE NUMBER) On 26-Aug-90 with bulging eyes and flailing arms Steven Treible said: ST> Ken, I haven't mailed the disk yet as you can see. I'd like to have ST> your voice # so I can talk to instead of sending Net Mail. Thanks, ST> Steve. you got it look for it in a net-mail-o-gram. i'd rather not leave it in the public msg area as everyone would try to call and shoot the breeze. :-) ...All of my dreams are in COBOL... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2907 *Virus Info* 08-26-90 13:09:00 (Read 6 Times) From: PAUL BENDER To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2744 (VIRUS RESCUE & F-PROT RELEASES) * Replying to a message originally to All PH> Both programs are also file requestable by other systems. PH> File requests should ask for magic file names as follows: PH> PH> F-PROT for the latest copy of F-PROT (currently PH> FPROT112.ZIP) PH> RESCUE for the latest version of Virus Rescue PH> Would it be possible for you to hatch these out into SDS or arrange for the authors to do so? Paul --- RemoteAccess 0.04a via QEcho 2. * Origin: -=* Rassi's Retreat *=- 10pm to 8am Only! (615) 831-1338 (1:116/37) Msg#: 2908 *Virus Info* 08-26-90 12:44:00 (Read 7 Times) From: PATRICIA HOFFMAN To: ALL Subj: VIRUS_INFO INTRODUCTION & RULES Welcome to the VIRUS_INFO echo. The purpose of this echo is to allow BBS users and sysops to ask questions about computer viruses and to be able to get back up-to-date information. Discussion topics may include, but is not necessarily limited to: - what are viruses - how to prevent getting infected - how to determine if your system is infected - how to clean up an infected system and salvage as much information as possible - reviews and announcements of new anti-viral products and product releases. There was a lot of hysteria in the press over the Columbus Day/ DataCrime/October 12 virus, for example, but little mentioned of how rare the virus is or how to determine if a system is infected with it and how to remove it. This type of information is an example of what this echo is intended to carry. Some messages appearing in this conference may be cross-postings from the Dirty_Dozen echo which is sysop only. Cross-postings may only be done by the originator of the message. For example, several of my messages posted in the Dirty_Dozen echo will be cross-posted here. Messages from the HomeBase/CVIA BBS run by Mr. John McAfee in Santa Clara, CA and/or CVIA bulletins may be posted here by Patricia Hoffman, these are being done with Mr. McAfee's permission. Replies to these messages, as well as netmail received at 1:204/869 for Mr. McAfee, is manually transferred to his system as it is received. Conference rules are very simple..... 1. Discussions of how to write a virus, specific technical discussions of how a virus works, or anything of an illegal nature, are not allowed. This rule is *not* open to debate. 2. Messages with a sexually suggestive nature are not allowed, please keep in mind that minors as well as adults participate in this conference. 3. Discussions of a ethical or retorical nature that lead into a debate are considered off-topic in that they will not ever be resolved and do not help anyone. An example in this category would be a discussion in the area of "Should live viruses or virus disassemblies be made available to the public?". These questions and topics will be allowed until such a point that they start to severely disrupt the echo, or start a flame war. At that point, the moderator will request that the discussion be discontinued. 4. Be courteous to your fellow echo participants, and remember there is no such thing as a dumb question, except for the question that some- one is afraid to ask. Everyone needs to help everyone else understand viruses and why they are a problem. 5. This conference is not to be distributed thru Group-mail or any other mail processor which will obscure the ability to track a message back to an originating system. All messages must have seen-bys and path statements if the BBSs participatings software can generate them. 6. If you have a question or problem of an extremely sensitive nature, consider sending it NetMail to 1:204/869 or 99:9403/2 instead of posting it here. If you are netmailing a file that you think is infected, be sure to send a message in NetMail with it so I know what it is, I'll be sure it gets to someone to get analysed for you. Do not under any circumstances host route a file that you think is infected. Suspect files may also be sent on diskette via US Mail to the following address: Patricia Hoffman 1556 Halford Avenue #127 Santa Clara, CA 95051 7. This conference is available to FidoNet and EggNet systems. The conference echomail tag in FidoNet is VIRUS_INFO, in EggNet the conference is available as E_VIRUS_INFO. 8. This conference is available on the FidoNet Backbone. While you are welcome to freely pass this echo along to other systems, out of region links must be approved by moderator of the echo. Gating the echo into another network or Zone must be approved by the conference moderator. 9. Opinions are welcome in the conference, however the ethics of the behavior of people that write viruses, or name calling, is frowned upon. Likewise, accusations of virus writing are strictly forbidden. Please keep opinions down to a single message, and do not repeatedly post them, as these messages tend to water down the purpose of the conference and degrade the level of information that is being presented. 10. Handling of off-topic messages or messages that violate the conference rules will be done by the moderator. First and second warnings on these messages will be in private Netmail. Please do not respond to the off-topic messages so that the conference doesn't get further off-track. Let the moderator do the moderating. 11. Handles are allowed in this conference, however sysops of boards carrying the conference are expected to be able to determine which of their users entered a message if a problem arises. This in effect means, for example, that Opus systems must not set this echo up to allow anonymous messages. 12. If a matter arises where the moderator needs to contact a participant in the echo, the moderator will contact the system where the message was entered and request that the sysop allow the user netmail access, or call the participant with a request for them to logon to the moderator's system or provide a phone number with the participant's permission. Sysops are not expected to provide their users' phone numbers to the moderator without the user's express permission, their privacy is important. There are times, however, when a phone call or chat can resolve a problem much faster than any other route. This is the only reason for this rule. 12. This echo is not a programming echo for answering questions on how to code programs in assembler. If you want to exchange assembler (or any other program language) techniques, please locate an appropriate programming echo or start your own echo. Patricia M. Hoffman is the moderator of the VIRUS_INFO echo conference. She has previously used the name "Merry Hughes" in moderating this conference, and is the originator of the conference and the original moderator. Patricia Hoffman is also the author of the Virus Information Summary List, and is an independent anti-viral researcher. Please contact the moderator, Patricia Hoffman, at 1:204/869 or 99:9403/2 if you need assistance on setting up an echofeed for this echo to your system. thanks... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2909 *Virus Info* 08-26-90 15:13:00 (Read 7 Times) From: PATRICIA HOFFMAN To: PRAKASH JANAKIRAMAN Subj: REPLY TO MSG# 2763 (LEPROSY) PJ> Exactly what is the Leprosy virus supposed to do? I was informed that PJ> it had been included in McAfee's latest version of Scan, but, having PJ> never used Scan before in my life, and never having encountered a PJ> virus, are there "symptoms", shall we say, caused by the Leprosy virus, PJ> or for any virus? If there is a textfile explaining what each virus is PJ> capable of doing, and how it can be detected, I'd like to get a copy of PJ> it, if any of you know where I can get something of that sort. The Leprosy virus is a non-resident overwriting virus. It infects .COM and .EXE files, overwriting the first 666 bytes of the file. Symptoms of it include that infected files will not execute properly...instead of what they are supposed to do, they will upon execution, infect other files then display a message and end. A complete description of this virus and all (with the exception of V2P2, V2P6, V2P6 and Stoned II) known MS-DOS viruses as of August 10, 1990 is available in the Virus Information Summary List. Its current version is VSUM9008.ZIP. It is available on my system at 408-244-0813, as well as many other systems, including McAfee's BBS. Check around your area before you make the long distance call, it could save you the phone call cost. PJ> PJ> Also, does anyone have the number to McAfee's BBS? I'd like to become a PJ> user over there as well. (I remember it being in the 408 area code, but PJ> I can't recall the actual number). Anyways, thanks a bunch, all... The number of the HomeBase BBS is 408-988-4004. The 9600 HST number is 408-988-5138. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2910 *Virus Info* 08-24-90 23:05:00 (Read 7 Times) From: CY WELCH To: TALLEY RAGAN Subj: REPLY TO MSG# 2898 (REMOVING JOSHI) In a message to Mike Mccune <20 Aug 90 17:09:00> Talley Ragan wrote: >MM>> Just be sure to boot off a clean diskette to remove the >MM>>virus from memory, otherwise the virus will not be removed. >MM>> If RMJOSHI is used on an unifected hard drive, it will >MM>>destroy the partition table. This next program, RETURN.COM >MM>>will restore the partition table. >MM>> I will post this program in my next listing...<MM>. TR> Does this mean that RMJOSHI.COM, if run on an uninfected hard TR> drive by it self is a virus? Actually I think it would fit the description of trojan rather than virus as it doesn't replicate. --- XRS! 3.40+ * Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1) Msg#: 2911 *Virus Info* 08-26-90 21:13:00 (Read 6 Times) From: TOM PREECE To: SANDY LOCKE Subj: REPLY TO MSG# 2758 (RE: REMAPPING...) As you may see by looking at my other entry's, I have been loading a cache program that is clearly implementing software to remap my keys to s certain extent. If this is possible as a glitch, its is obviously possible as an attack. Let's hope it never comes to that. --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#: 2993 *Virus Info* 08-27-90 07:54:00 (Read 7 Times) From: JAMES DICK To: KEN DORSHIMER Subj: REPLY TO MSG# 2762 (RE: HAVE ANYONE TRIED SECURE ?) On Fri, 24 Aug, 1990 at the ungodly hour of 23:37, while ducking Broccoli Jello and drinking jolt, Ken Dorshimer wrote to Kevin Higgins, TO WIT... KD > sounds like a plan to me. it would actually be fairly simple to write KD > a KD > program to look at all the files in your upload directory, unpack them KD > based KD > on the extension, scan them, then re-compress them (if needed). of Sounds like CHECKOUT....available here, homebase excaliber! and others as CKOT11.* -={ Jim }=- --- QM v1.00 * Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada (1:163/118.0) Msg#: 2994 *Virus Info* 08-27-90 19:34:00 (Read 6 Times) From: PHILLIP LAIRD To: ALAN DAWSON Subj: REPLY TO MSG# 2750 (RE: SCAN WEIRDNESS) ** Quoting Alan Dawson to Patricia Hoffman ** >among them a SCAN-known Dark Avenger. I SCAN this floppy from >the C >drive, and the "hey, nothing to worry about there" report comes >back. >Strange. I SCAN it again. This time 'round, SCAN barfs after > >--- Opus-CBCS 1.13 > * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand >(3:608/9.0) ** End of Quote ** Allan, I NEVER SCAN from the C Drive or any hard disk. I always scan from a write protected Floppy Diskette in Drive A. I also have a third system (Yep that's right a third system to do all my scanning from. However, I have never had happen to me what happened to you. I did one time find Scan.EXE infected at my place of employment when I didn't write protect the floppy and scanned the b drive, PLEASE write protect the floppy or SCAN.EXE on the hard drive... --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 2995 *Virus Info* 08-27-90 19:50:00 (Read 10 Times) From: PHILLIP LAIRD To: SANDY LOCKE Subj: REPLY TO MSG# 2753 (RE: VIRUS ORIGINALS) Sandy, maybe this might help. I have read an excellent book on the Subject of Origins of Viruses, but let me quote you guys first... ** Quoting Sandy Locke to Sky Raider ** >SR> effort to see what kind of stuff could be done with them, >a group of >SR> programmers (financed by the US government as I recall) >institued a se >SR> programs that would attempt to 'beat' others in taking >over a computer >SR> system. These programs led to a gaming system known as >the CORE WARS. >SR> today there is an International Core Wars Society. > >SR> I think it can be easily seen how a program to destroy/circumvent >a st >SR> operating system can develope into a virus. > >SR> I tried to double check this information for accuracy, >names, dates, e >SR> but it seems I have deleted this file. I will try to get >further info >SR> you, but beleive this info is shrouded in secrecy, and >may be hard to >SR> relocate. > >SR> So, the original viruses did come from the US (and even >possibly with >SR> government help). > >SR> Ivan Baird >SR> * Origin: Northern Connection, Fredericton, N.B. Canada ><HST 14.4K> >SR> (1:255/3) >WHAT a LOAD of UNADULTERATED CRAP... redcode is simply a GAME >created by >bored programmers... ORIGINAL CORE WARS games were created >as far back >as 1969 back on the OLD IBM 360 architectures under both OS/MFT >and >OSMVT OS's... neither had anything to do with so-called secret >financing by the US government...BTW I was AROUND and A Systems >Programmer during that period... we created our own versions >when we >heard of the rumours... it was an old system programmers game >designed >to give Egotistal programmers some lighthearted fun... at this >point >ALL code ran in real Address space and redcode hadnt even been >though >of... the MUCH later article by Scientific American in 1979 >gave this >fun with out harm via the redcode interpreter implemented on >early 6502 >and 8080 systems... really... I am going to have to move to >canada... >sounds like there are some really potent and fun drugs in circulation >up there... jeese... what a simp... > sandy > > >--- QM v1.00 > * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 >(1:204/869.0) ** End of Quote ** O.K. The above message is what I am quoting to you.... If you get a chance, you can pick this book up at Wladen Software at the following locations in California and maybe other bookstores near you can order the book, too: Viruses, A High Tech Disease By Ralph Burger Published by Abacus ISBN 1557550433 Retails at 18.95 US Can be picked up at the following Walden Software Stores: Doly City, Ca (415) 756-2430 San Leandro, Ca (415) 481-8884 It starts from way back when... Phillip Laird --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 2996 *Virus Info* 08-27-90 19:58:00 (Read 7 Times) From: PHILLIP LAIRD To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2760 (RE: ONTARIO VIRUS) ** Quoting Patricia Hoffman to Phillip Laird ** >after it was submitted by Mike Shields (Sysop of 1:244/114). > Ontario is a memory resident generic infector of .COM and >.EXE files, including COMMAND.COM. Infected .COM files will >increase in length by 512 bytes. Infected .EXE files will >A more complete description of the Ontario virus is in VSUM9008, >which was released on August 10. The above is just off of >the top of my head, which happens to hurt right now. Hope >it is understandable..... > >Patti > > >--- QM v1.00 > * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 >(1:204/869.0) ** End of Quote ** Yea, I think Mike was the one the message came from I read about. He Was instrumental in helping us with another problem he found, too. I am sure that he is on the up and up about the hard disk problems. Nope, I don't have the Ontario Virus that I know of! I read about the Virus after I had posted to you, Thanx for the info. Nice to know where it loads in Mem, that would make a util easier to write once I had a fix on what you have already told me. I will see if I can locate that message from Mike about the Virus originally and let you read it... --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 3029 *Virus Info* 08-26-90 14:01:00 (Read 7 Times) From: RICK WILSON To: SANDY LOCKE Subj: RE: CORE WARS yep core wars was something that a bunch of people that had access to systems messed with after hours, there was a artical in DDJ a few years ago about a bunch of em out a Berkely of Stanford or something. really weired how these folks that have recently ( within the last 8 to 10 years ) become such experts on micros and mainframes and their history. later... Rick --- Telegard v2.5 Standard * Origin: Telegard BBS (000-000-0000) (1:161/88.0) Msg#: 3030 *Virus Info* 08-26-90 16:45:00 (Read 7 Times) From: JOE MORLAN To: CY WELCH Subj: KEYBOARD REMAPPING. In addition to PKWares's Safe-ANSI, ZANSI does not support keyboard remapping. However, NANSI.SYS does have keyboard remapping. --- Telegard v2.5 Standard * Origin: Telegard BBS (000-000-0000) (1:161/88.0) Msg#: 3070 *Virus Info* 08-30-90 23:11:45 (Read 9 Times) From: SKY RAIDER To: SANDY LOCKE Subj: REPLY TO MSG# 2753 (Re: VIRUS ORIGINALS) Firstly, I did not wish to anger you (although I seem to have done just this), but only sought to answer your question to the best of my abilities (which you seem to doubt). Secondly, I stand by my original assertions that viruses were developed through the original Core Wars gaming system. This has been corroborated by various 'virus gurus' here at the local university. In fact, without prompting, one mentioned Bell Labs. Since, as you state, you are a Systems Programmer - it should be obvious to yourself that a RedCode program could be easily adapted to the microcomputer world. It should also be equally as obvious that these RedCode experiments have laid the groundwork for many of the various virus types infecting micros today (ie. trojans, worms, etc.). Thirdly, I did not state, nor did I mean to imply (as you seem to believe), that these RedCode 'fighter programs' are in fact the viruses we see today - merely that they (RedCode fighters) provided the techniques for the micro viruses. Furthermore, since the RedCode experiments were "old system programmers games designed to give Egoistical programmers some lighthearted fun", and since it is generally accepted that virus writers are in this for the same reasons (the egotistical, not the fun), I find it hard to beleive that you cannot equate the two. If you will note in the extract below, I am not the only person who who beleives the RedCode experiments were the forerunners of the modern viruses (in fact, it may be noted they refer to these as viruses - which, of course, they were); From the Sept./89 issue of Popular Science; Despite all the recent publicity, viruses aren't new. In the 1950's researchers studied programs the called "self-altering automata," says Mike Holm... In the 1960s computer scientists at Bell Laboratories had viruses battling each other in a game called Core Wars. The object was to create a virus small enough to destroy other viruses without being caught.... Also, just for the record, allow me to mention that this is an American publication (apparently there are strange drugs down there too). Again, for the record, allow me to mention that it is fact that Robert Morris, Sr. was a participant in the Core Wars games. Is it a coincidence that his son wrote the Internet Virus, or did his father give him the building blocks to build upon? (With my apologies to the Morris family, but I felt this example might carry some weight with Know-it-all System Programmers). To answer your original question, in a form that you may deem acceptable (ie. no RedCode, no mainframe systems, the US is not the origin - all those naive things), the original micro virus was (at least in the IBM world, I can not be sure this applies to early Apple ][ systems, or even the Pets from Commodore) the "Pakistani Brain", released in Jan. '86. But it must be noted (although I feel you will reject this also (ie. mainframe, US, etc)), in Nov. '83, Fred Cohen, in 8 hours wrote a virus which attached itself to users programs, and proceeded to use this program to gain access to all system rights (in an average time of 30 mins). Also, although I don't have a date (the computer name itself may give some indication of age) - on a UNIVAC 1108, with a secure operating system using the Bell-Lapadula model for OS security, a virus was created that: infected the system in 26 hours, used only legitimate activity with the Bell-Lapadula rules, and the infection took only 250 (approx.) of code (From "Computer Security: Are Viruses the AIDS of the Computing Industry?", by Prof. Wayne Patterson, Chairman, Dept. of Computer Science, University of New Orleans.). I am not interested in a war of words, so I will suggest some reading before you go off half cocked to this reply - "Computer Security; A Global Challenge," J.W. Finch & E.G. Douglas, eds., Elsevier Science Publishers, North-Holland - especially the chapters by Fred Cohen. I have not read this, but will try to when it becomes available to me. Also see the message posted by Phillip Laird. --- TBBS v2.1/NM * Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K> (1:255/3) Msg#: 3154 *Virus Info* 08-28-90 06:33:00 (Read 7 Times) From: PATRICIA HOFFMAN To: ALAN DAWSON Subj: REPLY TO MSG# 2994 (SCAN WEIRDNESS) AD> Anybody heard of this? I've got a floppy with some viruses on it, AD> among them a SCAN-known Dark Avenger. I SCAN this floppy from the C AD> drive, and the "hey, nothing to worry about there" report comes back. AD> Strange. I SCAN it again. This time 'round, SCAN barfs after 64K of AD> the memory check, telling me Dark Avenger is in memory, power down, AD> load the .45, get the cyanide tablet ready and so on. AD> But DA of course is NOT in memory or active in any way. It is, AD> however, on the floppy, unrun. AD> The above occurred with SCANV64. Out of curiosity, I cranked up AD> SCAN-54 and -- EXACTLY the same result. AD> AST Bravo 286, no TSRs, nothing else loaded, clean (normal) boot AD> just performed. AD> I have a bunch of viruses that I don't expect SCAN to find -- AD> ever. But this kind of thing has never happened to me before. Can AD> anyone match this story, or event? There are a couple of possibilities here. First, if the virus is on a non-executable file, such as one with a .VOM or .VXE extension, Scan won't find it since it is not one of the file extensions it checks for Dark Avenger. In this case, a subsequent run of Scan may find it in memory anyways since the DOS buffers in memory are not cleaned out between program executions. If this is the case, running Scan with the /A option will find it on any file, regardless of extension. Likewise, if your copy of Dark Avenger has ever had a disinfector run against it, it may have some "dead" Dark Avenger code after the end of file mark, but within the last sector of the program as allocated on disk. In this case, Scan won't find it on disk, but may later find it in memory since the code after the end of file mark was read in with the rest of the last sector of the program to memory. This is what is sometimes referred to as a "ghost virus", it isn't really the virus, just dead remnant code remaining in the slack space in the sector. It can't be executed. Running a disk optimization utility such as Speed Disk from Norton Utilities will get rid of the "ghost virus". They are caused by the way DOS fills out the end of the buffer before it writes it out to disk, doesn't always occur when disinfecting programs, but it sometimes will occur. The other case is if your copy of Dark Avenger does not occur at the correct place in the file. Dark Avenger always adds its code to the End Of Programs. If your copy happens to have it at the beginning of the program, or perhaps imbedded in the middle where it shouldn't be, it may not get found. In this case, your copy doesn't match either of the Dark Avenger's that McAfee has. Hope that helps....those are the only three cases that I've heard of a similar problem to yours. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3155 *Virus Info* 08-28-90 15:16:00 (Read 5 Times) From: KEN DORSHIMER To: JAMES DICK Subj: REPLY TO MSG# 2993 (RE: HAVE ANYONE TRIED SECURE ?) On 27-Aug-90 with bulging eyes and flailing arms James Dick said: JD> On Fri, 24 Aug, 1990 at the ungodly hour of 23:37, while ducking JD> Broccoli Jello and drinking jolt, Ken Dorshimer wrote to Kevin JD> Higgins, TO WIT... KD >> sounds like a plan to me. it would actually be fairly simple to write KD >> a KD >> program to look at all the files in your upload directory, unpack them KD >> based KD >> on the extension, scan them, then re-compress them (if needed). of JD> Sounds like CHECKOUT....available here, homebase excaliber! and JD> others as CKOT11.* JD> thanks but you might want to tell kevin higgins about that. :-) as for me, hell i'll write the bloody thing myself. just wouldn't be a day without some programming in it. ...All of my dreams are in COBOL... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 3156 *Virus Info* 08-27-90 14:14:00 (Read 5 Times) From: MICHAEL CHOY To: ALL Subj: IN THE MAC WORLD Disinfectant 2.0 was released in July...it has the Disinfectant INIT, which is like SAM only it removes viruses as well as detecting them..it catches the Frankie virusa whoch in an old virus that ran on mac emulators for Atari..I guess nobody has to worry about that...it also has much more info on protecting yourself from virus and such.. --- Telegard v2.5 Standard * Origin: Telegard BBS (000-000-0000) (1:161/88.0) Msg#: 3157 *Virus Info* 08-27-90 20:25:00 (Read 5 Times) From: JOE MORLAN To: ALL Subj: LHARC114? I had heard that and infected version of LHARC was released last year under the name LHARC114. I also heard that because of that, the next release of LHARC was expected to be LHARC200 to avoid confustion with the virus. This week a file appeared on a local board called LHARC114. I left a message to the sysop to check it out and he says it's clean. The docs say that this is version 114b, the latest version. Does anybody know what the deal is or was here? Is LHARC114 safe to use? Is there a virus associated with this program? Thanks. --- Telegard v2.5 Standard * Origin: Telegard BBS (000-000-0000) (1:161/88.0) Msg#: 3158 *Virus Info* 08-28-90 15:01:00 (Read 6 Times) From: KEVIN HIGGINS To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 3155 (RE: HAVE ANYONE TRIED SECURE ?) Thanks for the info on CheckOut. I'd seen the file description usage included in a .bat for for TAG, but never implemented it, or d/l'd the checkout file because on my XT it sometimes takes awhile to dearc. a large .zip file--a real pain for L/D types... Probably be wise to start using something like that, though, since the BBS can do all the checking automatically following uploads.... Guess most users won't mind waiting a minute or so, if it makes their d/l's almost certifiably safe. Kevin --- TAGMAIL v2.40.02 Beta * Origin: The Hornet's Nest BBS (1:128/74) Msg#: 3177 *Virus Info* 08-28-90 18:10:00 (Read 6 Times) From: RICK PERCIVAL To: KEVIN HIGGINS Subj: REPLY TO MSG# 3158 (RE: HAVE ANYONE TRIED SECURE ?) > command line and let the .bat file take care of unzipping, scanning > and rezipping the file. Be best if someone would write a program > that would do this, but I haven't found one yet. > Kevin Hi there, you guys must be behind the times or something but there is a very good program which does exactly what you are looking for. Its called CHECKOUT. The version we are using over here is called CKOT11.ZIP and it is a little pearler!! What it does is, unzips a file, scans it and rezips it, menu driven or command line driven. Try it, you'll love it. --- FD 1.99c * Origin: The Cyclops BBS Auckland NEW ZEALAND (3:772/170) Msg#: 3178 *Virus Info* 08-14-90 09:39:00 (Read 7 Times) From: DAN BRIDGES To: KEN DORSHIMER Subj: RE: CRC? I've been reading, with interest, the messages about a program that provides a demo of circumventing a single CRC generating program. I thought that its name would be common knowledge, but apparently it isn't. You were told the name of the file was MCRCx. May I suggest that you look for it as FICHECKx. The one I got is v5 and has program called PROVECRC which demonstrates the problem. ********************** * FICHECK Ver 5.0 * * MFICHECK Ver 5.0 * ********************** (C)Copyright 1988,1989 Gilmore Systems P.O. Box 3831, Beverly Hills, CA 90212-0831 U.S.A. Voice: (213) 275-8006 Data: (213) 276-5263 Cheers, Dan (no connection with the above firm). --- Maximus-CBCS v1.02 * Origin: Marwick's MadHouse (3:640/820) Msg#: 3179 *Virus Info* 08-18-90 14:19:00 (Read 7 Times) From: YVETTE LIAN To: FRED GOLDFARB Subj: RE: VIRUS GROUPS.... FG> writing viruses". The idea I got was that there are actual FG> "virus groups" similar to the game cracking groups you hear FG> of occasionally, who's sole purposes are to write viruses, FG> not for research's sake, but to infect people. Has anyone FG> else heard of this before? Are there really such groups? FG> Imagine, when a new virus comes out three or four groups FG> claiming to be the writers.. Kinda like terrorist bombings FG> only different. Come to think of it, I remember reading a That'd be right... you would think that if these people were intelligent enough to program something such as a virus they'd probably be better off not wasting their time with it... --- QuickBBS 2.64 (Eval) * Origin: Virus Info .. how to do it and not get it ! (3:640/886) Msg#: 3180 *Virus Info* 08-18-90 14:42:00 (Read 7 Times) From: ROD FEWSTER To: KERRY ROBINSON Subj: RE: VIRUS CHECKERS > In a message of <12 Jun 90 7:31:31>, Patrick Curry (1:133/425) writes: > > Rarely does a MAC get a virus It is an IBM phonomonum ^^^^^^^^^^^^^^^^^^^^^^^ Tell it to an Amiga user !! B-) --- FD 1.99c * Origin: The Edge of Reality .. THE NIGHTMARE BEGINS ! (3:640/886) Msg#: 3181 *Virus Info* 08-30-90 13:01:00 (Read 7 Times) From: BRIAN WENDT To: ALL Subj: NEWSPAPER CLIPPING The following item appeared in a newspaper in Brisbane, Austsralia yesterday. Anyone care to comment? VIRUS ATTACKS STATE'S PERSONAL COMPUTERS A sophisticated computer virus is feared to have infected Queensland Government and home computers. The COMPUTER VIRUS INFORMATION GROUP at the QUEENSLAND UNIVERSITY OF TECHNOLOGY has issued it first major warning to personal computer users about the virus. The virus, initially detected by the Israeli defence force, freezes computers on September 22, the birthday of a character in Tolkien's book, 'Lord of the Rings'. A computer virus is a program designed to attach copies of itself to software and disable a computer system, or destroy files. Acting technologist, MR EMLYN CREEVY said the warning was issued after a State Government public servant gave the virus to the group for investigation. Mr Creevy said somputers infected with the virus - known as FRODO, 4096, or CENTURY - would freeze on September 22 or until the end of the year unless it was removed. He said the group expected to know if the virus had infected computers in Queensland next week after users report the results of searches they were requested to conduct. The group warned all personal computer operators that there was a bug in the FRODO virus which prevented it from displaying a message 'FRODO LIVES' on September 22 and instead caused the computer to 'hang' or freeze. "It is from the FRODO name that the significance of the 22nd September can be identified," they said. "This is the birthday of Frodo Baggins in Tolkien's story. Users are advised to theck for the virus as soon as possible. Mr Creevy said the virus had the ability to avoid detection and spread but was not 'seriously destructive'. He said it could become damaging if an expert could disassemble the virus and change the instructions to wipe the computer's disk. "I'd say there's people working on it somewhere although probably not in Australia," Mr Creevy said. An expert would have created the Frodo virus because it had only one bug while most viruses had more. Mr Creevy said more than 100 viruses were believed to exist worldwide. ENDS Brian Wendt Sysop SUNMAP BBS --- Maximus-CBCS v1.02 * Origin: Sunmap BBS Node 5 (HST/DS) - Brisbane - Australia (3:640/206) Msg#: 3182 *Virus Info* 08-28-90 19:33:00 (Read 7 Times) From: SANDY LOCKE To: PATRICK TOULME Subj: REPLY TO MSG# 3177 (RE: HAVE ANYONE TRIED SECURE ?) MM> Maybe I should say all virus that are in the "public domain". MM> Virus 101 is a research virus that only a few people have (and MM> you wrote). Nothing is fool proof but Secure is better than any MM> other interrupt moniter. PT> PT> I agree with you, Mike. and I have to concur with patrick, out of all the TSR type monitor programs out there , SECURE is indeed the best of the group... BUT PLEASE do NOT depend upon this as your ONLY protection... as on part of a multilayered protection scheme it would be fine... I guess my real problems with it stem from the NAME the Mark wasburn has chosen...it can mislead the neophyte too easily...into thinking that it really is the be-all and end-all of protection...I wouldnt hestitate to recommend it over the socalled commercial products in this class... BUT again NOT as a SOLE protection against viruses... sorry for any confusion my comments may have caused... cheers sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3183 *Virus Info* 08-28-90 19:35:00 (Read 6 Times) From: SANDY LOCKE To: ALAN DAWSON Subj: REPLY TO MSG# 2749 (RE: VIRUS SCANNERS....) DS> You can't win on this! I've been downloading for quite a while DS> - always running a virus checker on the information. So, where DS> did our virus come from? Off a shrink-wrapped anti-virus DS> diskette one of our guys picked up in the US! AD> Nothing new about this, as people learn all the time. One MAJOR AD> company (really big, really well known) has shipped shrink-wrapped AD> viruses twice -- once on purpose! Shrink wrap doesn't keep the bugs AD> out. UH ALAN... you mind sending the NAME of this vendor via private e-mail... accidentally I can understand BUT ON PURPOSE??? what end would this kind of action serve??? cheers sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3184 *Virus Info* 08-28-90 19:44:00 (Read 6 Times) From: SANDY LOCKE To: KEN DORSHIMER Subj: REPLY TO MSG# 2905 (RE: CRC CHECKING) well close... without discussing HOW its done... the file length is altered back to the original length... its not that hard and does point out one of the MAJOR problesm with crc scanners...that is that the critical information that tells the operating system how long the file is can be altered at will... as far as the comments of a virus author disassembling the CRC package its commonly done during product testing to find out ahead of time what algorithms are in use by the product... it really depends on the level of security one wants for ones PC... I really wouldnt put it past a good virus author to specifically target anti-viral programs in this fashion... as far as disassemblies being hard... well I do an average of 5-6 per day with files ranging in size from 2k to 90k(although I will admit that some of the trickier ones do cause head scratching occasionally...) note that i said programs and not specifically viruses... cheers sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3185 *Virus Info* 08-28-90 19:53:00 (Read 6 Times) From: SANDY LOCKE To: TOM PREECE Subj: REPLY TO MSG# 2911 (RE: REMAPPING...) TP> As you may see by looking at my other entry's, I have been loading a c TP> program that is clearly implementing software to remap my keys to s ce TP> extent. If this is possible as a glitch, its is obviously possible as TP> attack. Let's hope it never comes to that. Tom, without adding too much fuel to any fire... certain non-communication programs are susceptible to the ANSI programmable attack... on my end I run no program that implements ANSI3.64 terminal control language without having a way to turn thoses "FEATURES " off... certain programs without mentioning brand names do allow this. if the echo moderator allows I will post a list of good and bad programs in this regard... so that you can all protect yourselves better...(n.b. after being chewed out by the moderator I am constraining my comments carefully...) cheers sandyp.s. these attacks have been common since programmable terminals came into being during the middle 1970's the problem is that when these features were implemented in comm programs the possibility arose that it was possible for malicious individuals to finally do some real damage...the way to protect yourself is to STOP using programs that implement such features and switch to others that are more secure in their usage of such features... --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3186 *Virus Info* 08-29-90 05:44:00 (Read 6 Times) From: PATRICIA HOFFMAN To: SANDY LOCKE Subj: REPLY TO MSG# 3185 (RE: REMAPPING...) SL> attack... on my end I run no program that implements ANSI3.64 SL> terminal control language without having a way to turn thoses "FEATURES SL> " off... certain programs without mentioning brand names do allow SL> this. if the echo moderator allows I will post a list of good and bad SL> programs in this regard... so that you can all protect yourselves SL> better...(n.b. after being chewed out by the moderator I am SL> constraining my comments carefully...) Please feel free to go ahead and post the list. Was just trying to keep you out of trouble, you do sometimes get over excited in messages...didn't mean for it to be "chewing out". Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3187 *Virus Info* 08-29-90 06:27:00 (Read 7 Times) From: PATRICIA HOFFMAN To: PHILLIP LAIRD Subj: REPLY TO MSG# 2996 (RE: ONTARIO VIRUS) PL> Nope, I don't have the Ontario Virus that I know of! I read about the PL> Virus after I had posted to you, Thanx for the info. Nice to know PL> where it loads in Mem, that would make a util easier to write once I PL> had a fix on what you have already told me. PL> Ontario loads into the top of free memory, right below the 640K boundary. It takes up 2,048 bytes. If you run chkdsk after it is in memory, both total system memory and free available memory will have decreased by 2,048 bytes. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3326 *Virus Info* 08-30-90 15:05:00 (Read 6 Times) From: KEN DORSHIMER To: SANDY LOCKE Subj: REPLY TO MSG# 3184 (RE: CRC CHECKING) ...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Sandy Locke was saying: SL> well close... without discussing HOW its done... the file length is SL> altered back to the original length... its not that hard and does SL> point out one of the MAJOR problesm with crc scanners...that is that interesting why don't you drop me some net-mail on this (see origin line) SL> the critical information that tells the operating system how long the SL> file is can be altered at will... as far as the comments of a virus SL> author disassembling the CRC package its commonly done during product SL> testing to find out ahead of time what algorithms are in use by the i think that's one of the things i mentioned; that they would have to have pre-existing knowledge of the crc scheme in order to make that work. SL> product... it really depends on the level of security one wants for SL> ones PC... I really wouldnt put it past a good virus author to SL> specifically target anti-viral programs in this fashion... as far as one of the reasons i am interesting in developing my own anti-viral utils for my software business. i figure if they stay primarily in house, the chance that some bozo will screw around with them and try to break them is reduced. SL> disassemblies being hard... well I do an average of 5-6 per day with SL> files ranging in size from 2k to 90k(although I will admit that some SL> of the trickier ones do cause head scratching occasionally...) note SL> that i said programs and not specifically viruses... cheers sandy heh, yup source to assembled is always easier than the reverse process, of course there's head scratching that goes on at that end too. :-) the client said he wanted it to do what?! ...just part of the food chain... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 3327 *Virus Info* 08-29-90 11:37:00 (Read 6 Times) From: PAUL FERGUSON To: EVERYONE Subj: FLOPPY MBR BACKUP I had originally posted this question to the moderator, but after a little thought decided that I would be sure to receive a myriad of answers from the ECHO participants if asking the question here, also..... It is simply this: Does anyone have any decent (and simple) suggestions for extraction of the floppy MBR???.....There are several very good utilities in the public domain for strictly Hard Drive Boot Sector (ie. ST0) and other utilities contained within, say for instance, PCTools, that can back-up the HARD Drive Partition Table (I forgot to mention several PD programs to back-up the FAT).....But, almost all of these that I have seen pertain to the HDU! I realize that there are ways to write it to a file using certain SPY-type programs, but what I am really interested in is a simplified program that is easy to use at the lowest end of the USER pyramid -Thanks in advance for your suggestions and assistance..... -Paul ^@@^......... --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3328 *Virus Info* 08-29-90 18:46:00 (Read 6 Times) From: PAUL FERGUSON To: EVERYONE Subj: STEALTH FAMILY I have read with great interest the July editions of VIRUS-L digest (along with about the first week or so of August) and cannot, for the life of me, figure the almighty hype with The (noticed that I capitolized that!) Stealth Family of Virus....Only a Trojan should deserve such attentention.....If one takes appropriate precautionary measures, then the virus will (theoretically) be caught in memory.. ...that is, it will make (and reside) a noticeable difference in vectoring.....I truly believe WAY too much hype (Ok, maybe that is a little strong!) has been given to this.....Yes, it can be a true menace if one does not expect such a rogue, but come on.......I downloaded some code today....Yes, I must say it IS quite ingenius, but at the same time, I must also say, I enjoy the work I do, etc.... PS.....Patrick Toulme, Check your E-Mail.... ........"The Delicate Sound of Thunder"....... --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3329 *Virus Info* 08-29-90 22:07:00 (Read 6 Times) From: PAUL FERGUSON To: EVERYONE Subj: LATENITE Ok, so we're up again in the pale moonlite (unquote)... Next question (in paticular, to you, Sandy) is: What diverse opinions do you have concerning those that, also, fight the battle on the front lines (I'm noy alluding to who has any more experience, to wit)...I feel that many of us (Tech Support/Slash/Gov't Contractors)(No, We're not scum, nor unknowledgable) have done much to benefit the Anti-Viral Research Community.....I would like a little input on this topic..... .......We're not all BAD guys!........ --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3330 *Virus Info* 08-31-90 13:05:00 (Read 6 Times) From: HERB BROWN To: ALL Subj: PKZ120.ZIP I was informed that there is a bad version of PKZIP floating around by the name of PKZ120.ZIP.. I am not sure if it is viral or not, but delete it if you find it.. --- QM v1.00 * Origin: Delta Point (1:396/5.11) Msg#: 3331 *Virus Info* 09-01-90 11:34:00 (Read 7 Times) From: DEREK BILLINGSLEY To: ALL Subj: POSSIBLE VIRUS? This just hit me today - I am not sure if it is some kind of system error or a potential virus. Last night (September first) and before gave me no indication of any virus being present on my system. It is now september 1st and now, whenever a file is written to disk (I noticed the text files first, but a downloaded zip'd file was also garbled...) it took out about 10 bytes from the beginning of each line... When I realized this may be set to occur on this date, I set my DATE back a night and everything worked fine... I made a sample text file with a known pattern of characters -- any date past september 1st 1990 leaves the file altered as mentioned above. Any date previous is written unharmed... SCANV56 reports only that the SCAN program is damaged - no disk presence of the source is evident. Has anyone heard of something like this happening? Derek Billingsley --- SLMAIL v1.36M (#0198) * Origin: Atlantic Access SJ/NB 1-506-635-1964 HST You can Run With Us ! (1:255/1) Msg#: 3354 *Virus Info* 08-29-90 09:02:00 (Read 6 Times) From: CY WELCH To: SANDY LOCKE Subj: REPLY TO MSG# 2759 (KEYBOARD REMAPPING....) In a message to Cy Welch <25 Aug 90 6:39:00> Sandy Locke wrote: >CW> In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote: > PF> Isn't it possible to remap some (or any) keyboard functions via > PF> communications with some funky ANSI control characters?....I seem to > PF> remember mention of this somewhere.....I really can't remember if was > PF> in the form of a question, though, or an answer.....It also made > PF> mention of PKWares' Safe-ANSI program...Somebody help us out here... >CW> I think most of the "FAST" ansi replacements do not have the keyboard >CW> remapping so that danger is removed in those cases. SL> Well if you are referring to FANSI.SYS by hershey Microsystems it too SL> is vunerable to remap effects... and since it implemnt FULL ANSI 3.64 SL> terminal control codes plus some extensions it is even more vunerable SL> to a whole class of tricks that go way beyond noremally keyboard SL> remapping... but to there credit they ahve include a way to turn this SL> "FEATURE" OFF... just most users get it off a BBS and never order or SL> look at the 50.00 set of docs that come when you pay for the SL> products... Actually I was refering to zansi.sys which is a high speed replacement which part of what they did to do it was to remove the keyboard remapping functions. --- XRS! 3.40+ * Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1) Msg#: 3355 *Virus Info* 08-26-90 15:45:00 (Read 6 Times) From: MIKE MCCUNE To: SANDY LOCKE Subj: SECURE Sandy, Thanks for the information. I suspected that Secure probably had some holes in its protection scheme and that someone knew about it. I am curious about how the modified Jerusalem-B got around it. I'm pretty sure how Virus 101 does it (the Air Force uses it) but I would like to know if there are any other hole in secure...<MM> --- Opus-CBCS 1.13 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#: 3477 *Virus Info* 09-01-90 15:56:00 (Read 6 Times) From: KEN DORSHIMER To: HERB BROWN Subj: REPLY TO MSG# 3330 (RE: PKZ120.ZIP) > > I was informed that there is a bad version of PKZIP floating > around by the name of PKZ120.ZIP.. I am not sure if it > is viral or not, but delete it if you find it.. seem to remember seeing something about this a couple of months ago. mostly, i wanted to drop a line and say "hey". got your net-mail, hopefully if the routing is working right, you got a response. :-) how's new orleans this time of year? later. --- Opus-CBCS 1.12 & NoOrigin 3.7a --- QM v1.00 * Origin: Ion Induced Insomnia (1:203/42.753) Msg#: 3478 *Virus Info* 09-02-90 10:45:00 (Read 6 Times) From: JAMES KLASSEN To: PRAKASH JANAKIRAMAN Subj: REPLY TO MSG# 2909 (LEPROSY) I have a copy of the Leprosy virus along with its source and "documentation". What it does is copies itself to 4 exe or com files each time it is run and produces a memory error code so the user thinks there is a problem with memory and runs it again. After all the com and exe files have been infected, it displays a message that they have a virus and "Good luck!"... It increases file sizes by 666 but when I tested it on a floppy, the bytes didn't increase... --- W2Q v1.4 * Origin: The C.F.I BBS * Norfolk, Va. * (804)423-1338 * (1:275/328) Msg#: 3479 *Virus Info* 09-01-90 07:18:00 (Read 6 Times) From: YASHA KIDA To: PAUL FERGUSON Subj: REPLY TO MSG# 3329 (LATENITE) In a message of <29 Aug 90 22:07:29>, Paul Ferguson (1:204/869) writes: PF> EID:6368 151db0ee PF> Support/Slash/Gov't Contractors)(No, We're not scum, nor PF> unknowledgable) have done much to benefit the Anti-Viral Research PF> Community.....I would like a little input on this topic..... PF> I am a Private contractor for a Large Network installation an support company. I work for the good of the Customer and the population (users). I hear the phrase " SLIMY CONTRACTOR" " M.F.C." everyday. I also heard "Can this be done", "Would you look into this...", "What are your suggestions so I can put them in my report" when things get deep. We are the WHIPPING BOYS and EMERGENCY 911 all in one. I am sure there are Software contractors who have planted or released a virus at contract renewal time. To show how much they are needed. There are also those of us the that want to see their job sites safe from such problems. We are the ones who own our time (Non-Paid) Compile information on ways to safe guard our data from compermise or viral attacks. The Anti-Viral reseach done by Mrs. Hoffman (PAT) and John McAfees group is carefully read and evaluated on my end. I am sure it has saved many a rear from a bear trap. --- msged 1.99S ZTC * Origin: Bragg IDBS, (FT. Bragg, NC - we're gonna kick some booty) (1:151/305) Msg#: 3480 *Virus Info* 09-02-90 19:19:00 (Read 6 Times) From: HERB BROWN To: KEN DORSHIMER Subj: REPLY TO MSG# 3477 (RE: PKZ120.ZIP) With a sharp eye <Sep 01 15:56>, Ken Dorshimer (1:203/42.753) noted: > > I was informed that there is a bad version of PKZIP floating > around by the name of PKZ120.ZIP.. I am not sure if it > is viral or not, but delete it if you find it.. KD> KD>seem to remember seeing something about this a couple of months ago. KD>mostly, i wanted to drop a line and say "hey". got your net-mail, KD>hopefully if the routing is working right, you got a response. :-) KD>how's new orleans this time of year? later. KD> Hmmmm, first time I heard of this file. How long ago did it appear? Rained Sunday and had to BBQ inside. Made watching TV a little hard, but we managed. --- QM v1.00 * Origin: Delta Point (1:396/5.11) Msg#: 3630 *Virus Info* 09-01-90 20:49:00 (Read 6 Times) From: PAUL FERGUSON To: KEN DORSHIMER Subj: REPLY TO MSG# 3326 (RE: CRC CHECKING) Ken... I've GOT to agree with you on this one....only preconceived CRC defeaters are just that...preconceived....no such luck... --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 3813 *Virus Info* 09-01-90 13:11:00 (Read 6 Times) From: KEVIN HIGGINS To: JAMES DICK Subj: SECURING YOUR UPLOADS I've got checkout, and while its a pretty neat program, there are a few things I don't like about it, the main one being the initial memory scan. I also don't like the auto-pause that seems to be at the beginning of it. That means running gateway, which means the user may be able to get into DOS and party. (have heard of Key-fake, but never seen it around to play with it..). TAG calls a file named postul.bat after every upload (if the .bat file is present), so I hacked up this .bat file to auto-check for virii. But I'm not smart enough to know how to use the %%f in a batch file to have it run through for all the files in the active directory (for batch uploads)... Maybe there's a genius out there who can help. FYI the parameters passed to the .bat file are: [Baud] [ComPort] [User#] [U/L Dir] [Filename]. Here it is. Chuckle, then help make it better <grin>. echo off cd\bbs\uploads echo Verifying latest Pkzip version...... > com2 REM This program checks file integrity. ozf -v %5 > com2 echo : > com2 REM These are the directories I don't want checked. if %4 == D:\ZIPSTUFF\WRITERS\ goto end if %4 == D:\ZIPSTUFF\AMIGA goto end echo Testing file integrity, and checking for virii. > com2 echo Please wait..... (this is the scary part, eh?) > com2 echo : > com2 echo Moving the suspect file to a sterile cell for interogation.... > com2 REM This moves the file to an empty directory for the examination. move %4%5 d:\bbs\bads echo File is now undergoing interrogation... > com2 cd\bbs\bads pkunzip -x D:\bbs\bads\%5 *.exe *.com > com2 scan d:\bbs\bads\*.exe /NOMEM > com2 scan d:\bbs\bads\*.com /NOMEM > com2 if errorlevel 1 goto Oops echo Alright! (whew) File passed. > com2 del *.exe del *.com echo Almost finished. Releasing innocent file back into public. > com2 move %5 d:\bbs\uploads echo : > com2 echo Now adding (Nested) zip comment to file... > com2 cd\ REM This adds the Hornet's Nest comment to the .Zip file. call d:\commentr.bat cd\bbs echo Thanks for waiting!.. goto end :Oops echo Arrrrgghhhhh! File had a virus! File deleted! > com2 erase *.* echo Logging your name to Scumbag.lst! > com2 echo Hey, Kato! User number %3 tried to upload a virus infected file! >> d:\fd\scumbag.lst echo Maybe you need to leave a message to Kato, eh? > com2 cd\bbs :end (Note: the fourth line from the end is a continuation of the line above it.) Also, I have a program that will make a .com fil out of a .bat file, for faster processing. Any reason why this couldn't be done with the above .bat file? How about after the %%f is added? Kevin --- TAGMAIL v2.40.02 Beta * Origin: The Hornet's Nest BBS (1:128/74) Msg#: 3814 *Virus Info* 09-03-90 23:40:00 (Read 5 Times) From: RICK THOMA To: HERB BROWN Subj: REPLY TO MSG# 3480 (RE: PKZ120.ZIP) > Hmmmm, first time I heard of this file. How long ago did it > appear? I have a copy, and think it came out around March, or so. At the time, SCANV detected no virus, but I thought better of running it. Sorry, folks. Whatever it is, it isn't available for downloading, so please don't ask. I'm just waiting for the time to pick it apart, to see just what kind of hack it is. --- FD 2.00 * Origin: Village BBS, Mahopac, NY 914-621-2719 *HST* (1:272/1) Msg#: 3815 *Virus Info* 09-03-90 03:38:00 (Read 5 Times) From: KEN DORSHIMER To: PAUL FERGUSON Subj: REPLY TO MSG# 3630 (RE: CRC CHECKING) ...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Paul Ferguson was saying: PF> Ken... I've GOT to agree with you on this one....only preconceived CRC PF> defeaters are just that...preconceived....no such luck... PF> that's what i figured. that is if you're responding to the msg i think you're responding to. what the hell does that mean? ...space is merely a device to keep everything from being in the same spot... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 3816 *Virus Info* 09-03-90 18:03:00 (Read 5 Times) From: KEN DORSHIMER To: HERB BROWN Subj: REPLY TO MSG# 3814 (RE: PKZ120.ZIP) ...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Herb Brown was saying: HB> Hmmmm, first time I heard of this file. How long ago did it appear? HB> Rained Sunday and had to BBQ inside. Made watching TV a little hard, HB> but we managed. i think it was a couple of months ago. which means any mention of it has long since been renumbered off my system. yup BBQing indoors does have a certain mystique. i know dinner is ready when the smoke alarm goes off. ...space is merely a device to keep everything from being in the same spot... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 3817 *Virus Info* 09-03-90 18:08:00 (Read 7 Times) From: KEN DORSHIMER To: DEREK BILLINGSLEY Subj: REPLY TO MSG# 3331 (RE: POSSIBLE VIRUS?) ...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting DEREK BILLINGSLEY was saying: DB> This just hit me today - I am not sure if it is some kind of system DB> error or a potential virus. DB> DB> Last night (September first) and before gave me no indication of any DB> virus being present on my system. It is now september 1st and now, DB> whenever a file is written to disk (I noticed the text files first, DB> but a downloaded zip'd file was also garbled...) it took out about 10 DB> bytes from the beginning of each line... DB> could you send a copy of what you believe is infected to me? i'd like to analyse this myself, thanks. my address is: Dorshimer Software Systems P.O. Box 191126 Sacramento, Ca. 95819-1126 USA ...space is merely a device to keep everything from being in the same spot... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 3818 *Virus Info* 09-03-90 20:57:00 (Read 4 Times) From: JOHN HERRBACH To: ALL Subj: PUBLIC KEY ENCRYPTION Does anyone know the status or progress in regards to public key encryption? Thanks. John {|-) --- ME2 * Origin: The Lighthouse BBS/HST; Lansing, MI; 517-321-0788 (1:159/950) Msg#: 3819 *Virus Info* 09-01-90 20:26:00 (Read 5 Times) From: SEAN SOMERS To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 3186 (RE: REMAPPING...) Off topic here, anybody out there encounter the French Revoloution virus? I was the first out here to discover it. What it does is nuke your HD while displaying an anti Western/English speaking Canadians. --- outGATE v2.10 # Origin: SIGnet International GateHost (8:7501/103) * Origin: Network Echogate (1:129/34) Msg#: 3938 *Virus Info* 09-06-90 11:51:00 (Read 13 Times) From: YASHA KIDA To: SKY RAIDER (Rcvd) Subj: REPLY TO MSG# 2995 (RE: VIRUS ORIGINALS) GLAD TO SEE SOMEONE does their homework... Well written.. If you don't mind I wish to post it as a bulletin on my System (BBS).. Re written to as a document instead of a msg reply... ' Yasha sysop 151/305 "What do you do when all of your users are in the sand lands, without a phone." --- Maximus-CBCS v1.00 * Origin: Bragg IDBS, We hunt bugs for the 82nd Airborne (1:151/305) Msg#: 3974 *Virus Info* 09-08-90 13:42:35 (Read 5 Times) From: SKY RAIDER To: YASHA KIDA Subj: VIRUS POST ON BBS Yasha, You write: GLAD TO SEE SOMEONE does their homework... Well written.. If you don't mind I wish to post it as a bulletin on my System (BBS).. Re written to as a document instead of a msg reply... Sure, no problems in rewritting and posting on your system. I try not to enter into this type of a conversation without at least a bit of a footing in fact. I wish I could find the original document I had quoting these things (it had names, dates, etc.). How about giving me your system number so I can call and see the finished form (never been quoted in this manner before). A questor of knowledge, Sky Raider Ivan Baird, CET --- TBBS v2.1/NM * Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K> (1:255/3) Msg#: 4025 *Virus Info* 09-06-90 13:32:00 (Read 6 Times) From: JONO MOORE To: JOE MORLAN Subj: REPLY TO MSG# 3157 (LHARC114?) JM >I had heard that and infected version of LHARC was released JM >last year under the name LHARC114. I also heard that JM >because of that, the next release of LHARC was expected to JM >be LHARC200 to avoid confustion with the virus. This week a JM >file appeared on a local board called LHARC114. I left a JM >message to the sysop to check it out and he says it's clean. JM >The docs say that this is version 114b, the latest version. LHARC v1.14b is a real release. The author brought it out after the controversy on the fake 1.14 release. --- outGATE v2.10 # Origin: SIGnet International GateHost (8:7501/103) * Origin: Network Echogate (1:129/34) Msg#: 4026 *Virus Info* 09-05-90 19:47:00 (Read 5 Times) From: PATRICIA HOFFMAN To: PAUL FERGUSON Subj: LET ME REPHRASE THAT..... PF> Actually, I really should have said "virtually preconceived". PF> From what I can gather on the topic (I don't yet have a copy of 4096), PF> they actually redirect CRC/Checksum interrogators to a "snapshot" of PF> the original file as it appeared before infection.(Someone, I'm sure, PF> will correct me if I'm wrong or at least add enlightenment.) You are correct.....What the CRC/Checksum interrogator sees, if 4096 is in memory, is the disinfected version of the program in memory, not what is actually out on disk. Fish 6 also does this, as do a couple of other viruses using Stealth techniques. PF> The infected file, in the case of 4096, has in reality grown by 4096 PF> bytes and would more than likely hang the system, therefore, which PF> would lead me to believe that running the CRC check without the virus PF> TSR would allow you to identify the actual infected files. Also, it PF> seems like the only way to catch it TSR is to trace the interrupt PF> vectors (although everyone seems to have a little bit of differing PF> ideas on this '->) Lots of 4096 infected files will run without hanging the system....the virus disinfects the program when it is read into memory so that anti-viral packages can't find the virus as easily. CRC checkers and scanners won't be able to find it in the infected file if the virus is in memory, in fact, these viruses usually infect on file open as well as execute. Run a CRC checker or Scanner that doesn't check memory for the virus with it present and you'll infect everything that is openned that meets its infection criteria. If the virus isn't in memory, the CRC checker technique will work to identify the infected files in 99% of the cases. I'm not going to say 100% because I believe some of the 512 virus variants can get around it due to the way it attaches to the files in some cases, but not all. Some CRC checkers don't actually CRC the entire file either....and as soon as I state it is a fool proof way of doing it, someone will write a virus that gets around it perfectly in all cases. Patti PF> Until I can get my hands on this little fellow, I guess that I'll PF> just follow the more logical explanations from the sources with PF> credibilty and make a judgement from that! Sounds credible. But, as I'v PF> said before- I sure would like to see it. PF> PF> I've been following several different message base threads on PF> this particular virus, with input from users at the basic levels to BBS PF> SysOps to the AntiViral research community.......I must say, it gets PF> overwhelming at times to keep objective. *:) PF> PF> -Paul PF> PF> PF> --- QM v1.00 PF> * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 PF> (1:204/869.0) PF> --- W2Q v1.4 * Origin: The C.F.I BBS * Norfolk, Va. * (804)423-1338 * (1:275/328) Msg#: 4027 *Virus Info* 09-07-90 12:48:00 (Read 4 Times) From: MICHAEL ADAMS To: RICHARD HUFFMAN Subj: RE: ARC.EXE Thank you for the warning .... Kill keep an eye out for it. --- Maximus-CBCS v1.00 * Origin: The Southern Star - SDS/SDN/PDN - 504-885-5928 - (1:396/1) Msg#: 4028 *Virus Info* 09-07-90 20:21:00 (Read 5 Times) From: HERB BROWN To: JONO MOORE Subj: REPLY TO MSG# 4025 (LHARC114?) JM >I had heard that and infected version of LHARC was released JM >last year under the name LHARC114. I also heard that JM >because of that, the next release of LHARC was expected to JM >be LHARC200 to avoid confustion with the virus. This week a JM >file appeared on a local board called LHARC114. I left a JM >message to the sysop to check it out and he says it's clean. JM >The docs say that this is version 114b, the latest version. JM>LHARC v1.14b is a real release. The author brought it out after the JM>controversy on the fake 1.14 release. JM> Now, how is someone going to know the difference? That is about as dumb as BBQ'ing indoors and forgetting to open the windows... Sheesh.. --- QM v1.00 * Origin: Delta Point (1:396/5.11) Msg#: 4029 *Virus Info* 09-07-90 20:25:00 (Read 4 Times) From: HERB BROWN To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 4026 (LET ME REPHRASE THAT.....) PH>can't find the virus as easily. CRC checkers and scanners won't be PH>able to PH>find it in the infected file if the virus is in memory, in fact, these PH>viruses PH>usually infect on file open as well as execute. Run a CRC checker or PH>Scanner PH>that doesn't check memory for the virus with it present and you'll PH>infect PH>everything that is openned that meets its infection criteria. I seem to be missing something here. As I understand it, to check for virii with a scanner, such as SCAN, or whatever, you boot from a uninfected floppy that has scan residing on it. Ok, now, how would a virus that works as a TSR, that probably is loaded from the boot sector from the hard disk be loaded, if you are booting from the floppy? Which, the floppy being write protected, of course, would not have this viral infection. I was under the assumption that the BIOS first checked drive A: at bootup for a disk, etc. It seems that it would be impossible to find a virii in memory with this type of scheme.. Please enlighten me.. --- QM v1.00 * Origin: Delta Point (1:396/5.11) Msg#: 4030 *Virus Info* 09-07-90 17:03:00 (Read 5 Times) From: TALLEY RAGAN To: MIKE MCCUNE Subj: REPLY TO MSG# 2910 (RE: REMOVING JOSHI) In a message to Talley Ragan <09-04-90 16:04> Mike Mccune wrote: MM>>I have posted a new version that checks for the virus MM>>before MM>>trying to remove it (now that I have a working copy of the MM>>virus). It will not damage the partition table on MM>>uninfected MM>>hard disks...<MM>. Thanks for the information. This was very educational, as I have had one case of a virus. I don't know how it workedbut the screen would show all garbage and then the computer would hang. I low level formatted the hard disk and restored from good backups. I sure would like to know how it got to me and where it came from!!... Thanks again. Talley --- ZAFFER v1.01 --- QuickBBS 2.64 [Reg] Qecho ver 2.62 * Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9) Msg#: 4031 *Virus Info* 09-05-90 21:23:00 (Read 5 Times) From: TOM PREECE To: HERB BROWN Subj: REPLY TO MSG# 3816 (RE: PKZ120.ZIP) I seem to remember running into this file several months ago. I don't remember concluding that it had a virus - just that it didn't work properly. The sysop on the sytem that had it apparently reached the same conclusion or something similar because it disappeared here (SF Bay Area.) --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#: 4032 *Virus Info* 09-06-90 19:15:00 (Read 5 Times) From: KEN DORSHIMER To: PAUL FERGUSON Subj: REPLY TO MSG# 4029 (RE: LET ME REPHRASE THAT.....) ...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Paul Ferguson was saying: PF> Ken- This is a continuation of msg.# 156 (I dropped the just FYI the msg numbers don't have much bearing here. on my system is was #75 or something. :-) PF> don't yet have a copy of 4096), they actually redirect CRC/Checksum PF> interrogators to a "snapshot" of the original file as it appeared PF> before infection.(Someone, I'm sure, will correct me if I'm wrong or interesting. seems there would be some simple method of circumventing what the virus does. (i don't have a copy of that one yet either) PF> system, therefore, which would lead me to believe that running the CRC PF> check without the virus TSR would allow you to identify the actual PF> infected files. Also, it seems like the only way to catch it TSR is to PF> trace the interrupt vectors (although everyone seems to have a little i've always thought that by having your own tsr grab the interupts first might be a good way to stop unwanted tsr's from grabbing them. (i'm sure someone will argue the point tho) ...space is merely a device to keep everything from being in the same spot... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 4278 *Virus Info* 09-08-90 13:51:00 (Read 5 Times) From: DUANE BROWN To: PHILLIP LAIRD Subj: REPLY TO MSG# 3813 (SECURING YOUR UPLOADS) PL>present. I have the Key fake program if it will help you! PL>That file will enter the "Y or N" Question when the batch PL>file comes to Are you sure? Y or N. Meaning you had the PL>batch file to delete all programs in the temp check That's easy to fix the problem about del *.* -- just do echo y | del *.* then the Y gets placed in there automatically...no keyfake, nothing! --- * Origin: End of the Line. Stafford, Va. (703)720-1624. (1:274/16) Msg#: 4279 *Virus Info* 09-07-90 12:45:00 (Read 5 Times) From: CHARLES HANNUM To: PHILLIP LAIRD Subj: REPLY TO MSG# 4031 (RE: PKZ120.ZIP) >Didn't someone say that because someone had already hacked an earlier >version of PKZIP that 120 would be the next scheduled release? >Anybody have any info? Yes. Phil Katz said it. --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#: 4280 *Virus Info* 09-08-90 10:49:00 (Read 4 Times) From: JAMES BARRETT To: ALL Subj: SEPTEMBER 18-20, 1990 I have heard somebody mention that there will be a major virus in the next couple of weeks. What's the scoop? I'm involved in a college campus computer lab and need to know what's coming and how to prepare for it. Will ScanV66 catch it???? Thanks in advance... --JCB --- XRS 3.40+ * Origin: >- c y n o s u r e -< 919-929-5153 <HST><XRS> (RAX 1:151/501.14) Msg#: 4281 *Virus Info* 09-08-90 17:39:00 (Read 4 Times) From: HERB BROWN To: KEN DORSHIMER Subj: REPLY TO MSG# 4032 (RE: LET ME REPHRASE THAT.....) With a sharp eye <Sep 06 19:15>, Ken Dorshimer (1:203/42.753) noted: KD>i've always thought that by having your own tsr grab the interupts KD>first KD>might be a good way to stop unwanted tsr's from grabbing them. (i'm KD>sure KD>someone will argue the point tho) Depends on who got there first, I would presume.. Also, multiple TSR's would be a nightmare, colliding and such. --- QM v1.00 * Origin: Delta Point (1:396/5.11) Msg#: 4535 *Virus Info* 09-07-90 08:04:00 (Read 4 Times) From: PAUL FERGUSON To: DOUG EMMETT Subj: SCAN FROM C: Hello, Doug.... Doug, I must tell you that it is not advisable to run ViruScan from your hard disc....It really should ALWAYS be run from a WRITE PROTECTED FLOPPY....Scan can become easily infected when ran in an infected environment on a HD. BTW....Software that "Write Protects" you r hard disc may work in some cases, but can be circunvented. Be safe..... -Paul --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 4536 *Virus Info* 09-07-90 08:06:00 (Read 4 Times) From: PAUL FERGUSON To: LONNIE DENNISON Subj: WELCOME... Glad to have you........ Welcome aboard.... -Paul ^@@^........ --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 4537 *Virus Info* 09-07-90 08:09:00 (Read 4 Times) From: PAUL FERGUSON To: RICHARD HUFFMAN Subj: REPLY TO MSG# 4027 (ARC.EXE) Richard, Please E- me out of the conference....I would like to discuss this a little further......Better yet, contact me at the NCSA BBS in DC (202) 364-1304 at 1200/2400, 8,N,1.....I can be reached in the VIRUS Conference.....Thanks, -Paul --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 4538 *Virus Info* 08-16-90 08:30:00 (Read 5 Times) From: ALAN DAWSON To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 3183 (RE: VIRUS SCANNERS....) PH> I just wish the people writing this viruses would find more PH> useful things to do with their talents....such as trying to PH> help people instead of harm their systems. Hear, hear! The frustrating, rug-chewing, desk-beating, monitor-smashing, stomp-down crying SHAME is that some of these viruses, on a technical level, are tremendously slick, wonderous programs. The people writing them are wonderful programmers. Just think what these people could be doing to help our PCs work better by writing a different kind of program -- and, potentially, how much money they might be able to make. They obviously have inventive minds, many of them. Such inventiveness could be put to such great use. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 4539 *Virus Info* 08-16-90 08:36:00 (Read 5 Times) From: ALAN DAWSON To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 4538 (RE: VIRUS SCANNERS....) PH> I'd agree with that. The anti-viral program should be able to PH> detect that it is infected and produce a warning, though it may PH> still execute. By the time the anti-viral program has PH> determined its been infected, you've already infected system PH> memory or spread the virus. Sure. Something ELSE has infected it. No reason not to let it run so long as it still works. One of our local youngsters wrote a wonderful remover of the Dark Avenger -- about 1400 bytes and worked like a charm. Only one teensy-weensy trouble -- the remover got infected and didn't warn you. That's not really one of the more useful programs to have around. Since it seems to be the constant topic of conversation here, SCANV's routine of warning of infection and continuing its duties is great. A common cause of re-infection is forgetting to remove the tools you used in the disinfection process -- stuff like LIST, just for example, that you might have used to examine the virus. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 4540 *Virus Info* 08-16-90 08:52:00 (Read 5 Times) From: ALAN DAWSON To: MICHAEL TUNN Subj: REPLY TO MSG# 2899 (RE: WHAT'S THE SOLUTION?) MT> It seems to me our Virus checking programs will just get bigger MT> and bigger as more viruses and strains of the same viruses are MT> discovered. If so (and if their development is excelerating) Right. Question of the Year (1991??): What can you call it after you've hit the SCANV999 wall? MT> Do we do develop new Operating Systems which are far more MT> secure! Well, at least a new DOS which allows 9-character names? Then we could do SCANV9999. [joke]. MT> Do we crawl in a hole and hope it wont happen to us? No, in a metaphor placed in 1970 terms, we get to the airport two hours before flight time for the security checks. And for the same reason, too -- the unwillingness of the many to take the resolve to remove the few. We have, most of us, helped the virus writers build up their existing sick belief that we are willing participants in some kind of game here. They win if they manage to steal our time, programs, disk space and data. They only do it because they had an unhappy childhood, right? One tangible result of allowing them to feed on this warped view is this echo, where we're all trying to get to the airport two hours early for the security check -- AND WE'RE ALL WASTING TWO HOURS because somebody we don't know might try to hurt us. We should have sympathy for Robert Morris, of course, because after all, he was just experimenting and not REALLY trying to hurt anyone, right? I have a one-word, two-syllable response to that but FidoNet policy frowns down upon me for thinking of using it. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 4541 *Virus Info* 08-16-90 09:25:00 (Read 4 Times) From: ALAN DAWSON To: KEN DORSHIMER Subj: RE: VIRUSES, WHAT ELSE... KD> not sure on that one, who knows what menagerie of thoughts KD> wander through clients minds.. :-) actually, i was unaware of KD> Corporate Vaccine (maybe I should get out more). I'm a little KD> concerned that the commercial programs may not be aware of some KD> of the newer viruses which crop up from time to time. This is just a thought, too. But why not take your clients into your confidence, and point out to them that it is virtually impossible for anyone to match the up-to-dateness of a BBS distribution system? You're a BBSer. You know, just for example, that without BBSes McAfee couldn't have a program-of-the-week. Distribution of what your clients think of as commercial software simply isn't up to this standard -- isn't meant to be; never was; probably never will be. Seems to me if your clients like the SCANV concept, you should explain to them why they should be using SCANV. Why reinvent the wheel? If it wasn't that commercial messages which mention something other than SCANV often seem to get flamed here, I'd tell you about my commercial, non-BBS, wholly generic virus detector that doesn't need upgrading, which is available in North America and which soon will be launched there. But I don't want to get flamed, so I won't. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 4542 *Virus Info* 08-29-90 12:26:00 (Read 5 Times) From: ALAN DAWSON To: KEN DORSHIMER Subj: REPLY TO MSG# 3815 (RE: CRC CHECKING) PH>> Except in the case of Stealth Viruses....CRC checking doesn't work PH>> with them. PH>> KD> i'd have to see that for myself. i think a complex enough KD> algorithm would keep them at bay. the probability factor is KD> just too low for such a stealth scheme to work. Roger that. A program (such as a virus) can possibly figure out a checksum or CRC and "fool" your checker. But complex and random checksumming or CRCing is beyond the real-world possibility of defeat by a PC virus -- it would have to be too big and complex itself. Our strategy on our anti-virus program is to have eight different algorithms, and to use two of them on each checksum pass. Which two, even we do not know. Your virus then would have to take into account 64 reasonably complex algorithmic possibilities to defeat it. Patti is technically correct that this can be done -- but not in the real world. I'd tend to be slightly suspicious if my word processor suddenly grew by the size of THIS virus. Most programs would, in fact, be incapable of loading it. As you say -- make it complex (which isn't so difficult) and keep churning out hundreds of different algorithms. Then you can forget about "stealth" viruses succeeding. - From Thailand, a warm country in more ways than one. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 4543 *Virus Info* 09-01-90 21:26:00 (Read 5 Times) From: ALAN DAWSON To: PHILLIP LAIRD Subj: REPLY TO MSG# 3154 (RE: SCAN WEIRDNESS) PL> Allan, I NEVER SCAN from the C Drive or any hard disk. I PL> always scan from a write protected Floppy Diskette in Drive A. This is absolutely correct, of course, and EXACTLY what's recommended in the doc. I was just curious whether others had had the experience. I do do some experimenting with viruses and anti-virus stuff, because Bangkok's a "virus capital" (dumb dealers plus a whole raft of pirates) and because I'm involved in a commercial anti-virus project. This was just a weird thing that happened to me when I was "playing" with Dark Avenger. I do wonder how many people follow that "write-protected floppy" recommendation (order???) in the SCAN docs, though. One note on your comment: it might be hard for some people to follow the recommendation, i.e. those with one floppy. The total beauty of SCAN, really, is to look over that new stuff. A lot of machines go to new people with one floppy drive. A lot also go with two different floppy drives (my own setup) although this of course is combatted simply by having TWO write-protected diskettes with SCAN aboard. - From Thailand, a warm country in more ways than one. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 4544 *Virus Info* 09-01-90 23:00:00 (Read 5 Times) From: ALAN DAWSON To: SANDY LOCKE Subj: REPLY TO MSG# 3819 (RE: REMAPPING...) SL> long time programmer I can testify the keyboard mapping is SL> really quite simple... no real problem and the business of SL> using terminal control code is quite as simple... SL> sandy Finally, some sanity, sandy. [grin] (no pun intended until after I read that). The letter bomb, as a friend calls it, is alive, well and could certainly flourish. I wouldn't lay a huge amount of money on the ability to write a *virus* with remapping, but a bomb's a piece of cake. I THINK this thread started with the ability to put one directly over a terminal BBS-to-user connection, and in general there seem by my own experiments to be two chances of this: slim and fat. But, like a virus, a letter bomb can be transmitted via a BBS to a user, and then set off by that user in a number of pernicious ways that occur to me right off the top of my head. None of which you will see writ here, you understand -- but after watching this thread for a few weeks, I'm glad you leapt in with both feet. - From Thailand, a warm country in more ways than one. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 4545 *Virus Info* 09-06-90 18:59:00 (Read 5 Times) From: ALAN DAWSON To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 4543 (RE: SCAN WEIRDNESS) PH> There are a couple of possibilities here. First, if the virus PH> is on a non-executable file, such as one with a .VOM or .VXE Nope, wasn't either of these Patti. I tried to put in everything, and then forgot to say it was a regular file called AVENGER.COM -- a small utility I infected to harbor the virus when I ran it for tests. The utility originally was a small screen shell for looking at files a la LIST. It USED to be 3K, but now it's a little bigger [grin] PH> The other case is if your copy of Dark Avenger does not occur PH> at the correct place in the file. Dark Avenger always adds its PH> code to the End Of Programs. If your copy happens to have it at Roger. This is right up against the end of the file. PH> Hope that helps....those are the only three cases that I've PH> heard of a similar problem to yours. OK, no biggie. It was just that it was so weird I thought maybe you'd heard of it. I'll try it again when we get SCAN66B just for fun. It's not the kind of "bug" that's detrimental -- it's just one of those hey-it's-not-supposed-to-do-that things. Stupid machines. - From Thailand, a warm country in more ways than one. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 4546 *Virus Info* 09-06-90 19:00:00 (Read 5 Times) From: ALAN DAWSON To: SANDY LOCKE Subj: REPLY TO MSG# 4539 (RE: VIRUS SCANNERS....) SL> UH ALAN... you mind sending the NAME of this vendor via private SL> e-mail... accidentally I can understand BUT ON PURPOSE??? what SL> end would this kind of action serve??? SL> cheers SL> sandy This was before the Great Virus Scare of 1989 of course -- it was, if my tremendously failing memory isn't failing me, in 1986. A Toronto magazine put the virus in as a joke -- every time you started an infected program, a brief ad for the mag jumped up. Ald. . . whoops, the company name almost slipped out there, thought this was hilarious, left it in and shipped the thing. I'll send full details your way. This same company, the next time it shipped viruses, claimed that a guy in the shipping department was playing a game and accidentally infected the shipment (exclaimer!!!!). Is this a company with a weird sense of security, or what? - From Thailand, a warm country in more ways than one. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 4746 *Virus Info* 09-09-90 14:33:00 (Read 4 Times) From: CHARLES HANNUM To: PHILLIP LAIRD Subj: RE: MAKING SCAN READ ONLY. > Patti, is it feasible to make Scan.Exe Read only? Doug Emmett was > wondering about doing that. Couldn't you change the archive bits to > read only? Also, doesn't scan have an internal routine to determine > if it is damaged? Setting the "Read-only" attribute wouldn't even *phase* a decent virus, and SCAN's internal checksum is VERY weak. (It quite literally is a checksum. It simply checks to see if all the words in the files add up to 0.) --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#: 4747 *Virus Info* 09-09-90 07:35:00 (Read 5 Times) From: JERRY MASEFIELD To: CHARLES HANNUM Subj: REPLY TO MSG# 4279 (RE: PKZ120.ZIP) > >Didn't someone say that because someone had already hacked an earlier > >version of PKZIP that 120 would be the next scheduled release? > >Anybody have any info? > > Yes. Phil Katz said it. No, Phil Katz said there WOULDN'T be a 120 release because of the same reason. This would eliminate any confusions between the real and phony versions. Also, Katz is offering a reward for any info leading to the arrest of the perpetrator of this hacking. --- TosScan 1.00 * Origin: On A Clear Disk You Can Seek Forever! (1:260/212) Msg#: 4748 *Virus Info* 09-09-90 23:16:00 (Read 5 Times) From: PHILLIP LAIRD To: CHARLES HANNUM Subj: REPLY TO MSG# 4747 (RE: PKZ120.ZIP) ** Quoting Charles Hannum to Phillip Laird ** >Yes. Phil Katz said it. > >--- ZMailQ 1.12 (QuickBBS) > * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) ** End of Quote ** That is what I thought. As soon as he went and said it, somebody appearently decided to hack it, huh? --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 4749 *Virus Info* 09-08-90 17:42:00 (Read 4 Times) From: PAUL FERGUSON To: KEN DORSHIMER Subj: YEAH, BUT... You're on the right track, Ken....But TSR's have a nasty habit of fighting for control amongst each other. Some do not behave very well. -Paul --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 4750 *Virus Info* 09-09-90 08:43:00 (Read 6 Times) From: PATRICIA HOFFMAN To: PHILLIP LAIRD Subj: JERUSALEM B AND CLEANP64.ZIP PL> I cleaned 17 infected files today with clean version 64. I have a good PL> question. While the program removes the file, some where removed the PL> first time around, others were scanned several times before the virus PL> was actually removed. Can you tell me why? The programs that were scanned several times probably were infected multiple times with Jerusalem virus. A lot of the variants of Jerusalem B will infect .EXE files repeatedly, eventually the program will get too large to fit into memory. On files that are infected multiple times with Jerusalem, you'll see a message come up for each infection as it is removed. That is my guess as to what you observed... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 4751 *Virus Info* 09-09-90 11:01:00 (Read 5 Times) From: PATRICIA HOFFMAN To: HERB BROWN Subj: REPLY TO MSG# 4281 (LET ME REPHRASE THAT.....) HB> I seem to be missing something here. As I understand it, to check for HB> virii with a scanner, such as SCAN, or whatever, you boot from a HB> uninfected floppy that has scan residing on it. Ok, now, how would a HB> virus that works as a TSR, that probably is loaded from the boot sector HB> from the hard disk be loaded, if you are booting from the floppy? HB> Which, the floppy being write protected, of course, would not have this HB> viral infection. I was under the assumption that the BIOS first HB> checked drive A: at bootup for a disk, etc. It seems that it would be HB> impossible to find a virii in memory with this type of scheme.. Please HB> enlighten me.. The memory resident viruses that are a real problem when they are in memory and any antiviral, whether a scanner or CRC checker, is run are not boot sector infectors....4096, Fish-6, Dark Avenger, and many others which infect on file open are file infectors. There are three that are file infectors but can also infect and replicate from the partition table and/or boot sector: V2100, Anthrax, and Plastique 5.21. (These last three are extremely rare, fairly new, and not known in the United States.) All of the viruses mentioned about use "Stealth" techniques to avoid detection or infect on file open. If you are booting from an uninfected diskette when powering on the computer, you wouldn't ever find a virus in memory. However, if you are performing a warm reboot from a floppy, you could have a virus in memory still. The real point here was that most people do not run scan or other anti-viral utilities after powering on and booting from a floppy, so it is always possible for the virus to be in memory. In that particular case, for a CRC checker which is what was being discussed, there are definite cases (the "Stealth" viruses) where the virus can get around the CRC checker simply because if the virus is in memory it disinfects the infected programs as they are read into memory. The CRC checker, since it is performing file reads, reads the DOS buffers to check the program, so the program it sees isn't infected and isn't the same as what is actually on the disk. In the case of viruses that infect on file open, running an anti-viral product against all the programs on a system with the virus active in memory can very well result in all the programs becoming infected. I'm not against CRC checkers, I use one all the time on several of my systems. These systems all have master boot diskettes with clean system files, the CRC checker, and the log of all the expected crc values to be returned. Most people simply do not have that type of diskette setup for their systems since they feel they'll never be infected with a virus. In fact, the probability that a person will be infected with a virus is fairly low, though it does change depending on the person's computing habits and how often they exchange diskettes and/or programs with others. I was trying to point out that NONE of the current anti-virals will absolutely protect a user from getting a virus....all the techniques currently used by anti-viral products can be circumvented by some of the newer, more technologically advanced viruses. Not to point that out would be like burying one's head in the sand, especially when the discussion has to do with someone thinkin of writing a new anti-viral who needs to know what can currently be circumvented. It is easier to fix the design before the program is written then to fix it later after the hole is found.... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 4967 *Virus Info* 09-10-90 16:55:00 (Read 5 Times) From: CHARLES HANNUM To: JERRY MASEFIELD Subj: REPLY TO MSG# 4748 (RE: PKZ120.ZIP) >> >Didn't someone say that because someone had already hacked an earlier >> >version of PKZIP that 120 would be the next scheduled release? >> >Anybody have any info? >> >> Yes. Phil Katz said it. > No, Phil Katz said there WOULDN'T be a 120 release because of the > same reason. This would eliminate any confusions between the real > and phony versions. Also, Katz is offering a reward for any info > leading to the arrest of the perpetrator of this hacking. Err, <retracting foot from mouth> I must have misread the original note... --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#: 4968 *Virus Info* 09-10-90 17:54:00 (Read 5 Times) From: CHARLES HANNUM To: WHOM IT MAY CONCERN Subj: LHARC 1.14B(ETA) The 'b' is actually a beta, which makes me think he released it for testing and it got loose, but is not yet an "official" release. At any rate, I NEED AN ANSWER!! I have "LHarc 1.14b(eta)", and I really need a definitive answer. IS IT REAL OR NOT? --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#: 4969 *Virus Info* 09-10-90 23:13:00 (Read 4 Times) From: PHILLIP LAIRD To: DUANE BROWN Subj: REPLY TO MSG# 4278 (RE: SECURING YOUR UPLOADS) ** Quoting Duane Brown to Phillip Laird ** > >That's easy to fix the problem about del *.* -- just do > >echo y | del *.* > >then the Y gets placed in there automatically...no keyfake, >nothing! > >--- > * Origin: End of the Line. Stafford, Va. (703)720-1624. (1:274/16) ** End of Quote ** Thanx.... Using the pipe redirection will do just that like you say. I use the KEYFAKE Program for a reason with KEY.DAT in the program I just finished that will check for bugs in uploads. It calls the routine externally from the Execute file. --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 4970 *Virus Info* 09-10-90 23:21:00 (Read 6 Times) From: PHILLIP LAIRD To: ALAN DAWSON Subj: REPLY TO MSG# 4545 (RE: SCAN WEIRDNESS) ** Quoting Alan Dawson to Phillip Laird ** > >This is absolutely correct, of course, and EXACTLY what's recommended > >in the doc. I was just curious whether others had had the experience. > >I do do some experimenting with viruses and anti-virus stuff, >because >Bangkok's a "virus capital" (dumb dealers plus a whole raft >of >pirates) and because I'm involved in a commercial anti-virus >project. >--- Opus-CBCS 1.13 > * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand >(3:608/9.0) ** End of Quote ** I totally agree that most people do not read the docs. I work for a University in South East Texas. Some of the Micros have been plagued with viruses. I have setup a routine for the Labs to Scan the Floppies coming in with SCAN. This has just taken Place. Next thing I know, the clerk decides to run SCAN From her hard drive on her desktop! Then Alameda hit her! The SCAN Program has gone over good at the University. We are getting an order ready for a Site License Agreement with MCafee and Associates. I do a little research on some of the strains. However this BBS keeps me busy after work! Weird thing about CLEAN.EXE the program to remove the Viruses. I am using Clean Version 66 and sometimes the program will scan the file numerous times before the virus is eventually removed. I guess the Marker is trying to move around in the file? Anybody know? --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 4971 *Virus Info* 09-09-90 10:59:00 (Read 5 Times) From: MIKE BADER To: MARC SHEWRING Subj: INFORMATION Several anti-virus programs use signature files. IBM (yech) for one, but VirHUNT by DDI alos uses a file for signatures and goes into quite a bit of detail in their manual. I'll look up a better address and phone. Mike --- FD 1.99c * Origin: P-1 BBS ][ (313) 542-9615 Ferndale, MI (HST) (1:120/45) Msg#: 4972 *Virus Info* 09-06-90 20:56:00 (Read 8 Times) From: CY WELCH To: DEREK BILLINGSLEY Subj: REPLY TO MSG# 3817 (POSSIBLE VIRUS?) In a message to All <01 Sep 90 11:34:00> Derek Billingsley wrote: DB> This just hit me today - I am not sure if it is some kind of system DB> error or a potential virus. DB> Last night (September first) and before gave me no indication of any DB> virus being present on my system. It is now september 1st and now, DB> whenever a file is written to disk (I noticed the text files first, DB> but a downloaded zip'd file was also garbled...) it took out about DB> 10 bytes from the beginning of each line... DB> When I realized this may be set to occur on this date, I set my DATE DB> back a night and everything worked fine... I made a sample text file DB> with a known pattern of characters -- any date past september 1st DB> 1990 leaves the file altered as mentioned above. Any date previous DB> is written unharmed... DB> SCANV56 reports only that the SCAN program is damaged - no disk DB> presence of the source is evident. DB> Has anyone heard of something like this happening? Can't say I have heard of that but it sure sounds like a virus. I would recommend getting a copy of scan v64 and see what it says. It might even be something new. --- XRS! 3.41+ * Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1) Msg#: 4973 *Virus Info* 08-14-90 18:15:00 (Read 5 Times) From: JAMES BLEACHER To: DOUG BAGGETT Subj: REPLY TO MSG# 2904 (ANTI VIRUS VIRUSES) * Replying to a message originally to Patricia Hoffman DB>well..here is a question..where exactly did viruses DB>originate anyway..was it in this country or others? DB>Doug According to want I've read Dr. Fred Cohen at MIT developed the first virus back in 1964 or so. This was to prove that code could actually replicate and spread throughout a mainframe. My question is why on earth would he want to do that in the first place? --- * Origin: "Hey! Why's my COMMAND.COM larger than normal?" (1:151/801) Msg#: 4974 *Virus Info* 08-14-90 18:23:00 (Read 5 Times) From: JAMES BLEACHER To: PAUL FERGUSON Subj: REPLY AND ADDENDUM TO MSG 145 * Replying to a message originally to Alan Dawson PF>You can always be sure of an uninfected SCAN IF you download PF>from the PF>authors' BBS....The program itself will terminate upon PF>detection and PF>has safeguards written into it to protect against such PF>occurances....Of PF>course, there are ways for an unsuspecting user (You know PF>who) to PF>infect the programs themselves and then re-archive PF>unwittingly a PF>viral Scan that will never know (depending upon the WRONG! Scan checks itself upon startup and will give you a message to the effect of: FILE DAMAGED! "C:\SCAN.EXE" But will continue to operate. If you see that message then you're in big trouble. Viruses like the Dark Avenger will use scan's file checking (since it opens all the files it's checking) to spread itself all over your floppy/hard drive. Unless you've got a totally new virus that scan can't detect you don't have anything to worry about if it's already infected when you get it. (Except that it's probably detecting the virus all over your drive because it just helped put it there!) --- * Origin: "Hey! Why's my COMMAND.COM larger than normal?" (1:151/801) Msg#: 4975 *Virus Info* 09-10-90 18:02:00 (Read 6 Times) From: JAMES BLEACHER To: DEREK BILLINGSLEY Subj: REPLY TO MSG# 4972 (POSSIBLE VIRUS?) DB>SCANV56 reports only that the SCAN program is damaged - no DB>disk presence of the source is evident. DB> DB>Has anyone heard of something like this happening? Well, first of all you've got an old version of scan. Try downloading scanv66b from someone. I have it if you can't locate it elsewhere. Second if scan ever reports being damaged there's a 99% chance that you've got a virus! Better check into it quick! Hope you don't find that you have one but it sure sounds like you do! --- * Origin: "Hey! Why's my COMMAND.COM larger than normal?" (1:151/801) Msg#: 5238 *Virus Info* 09-10-90 15:11:00 (Read 6 Times) From: JOE MORLAN To: JONO MOORE Subj: REPLY TO MSG# 4028 (RE: LHARC114?) I have learned from other sources that the latest official release of LHARC is LH113D. The 'new' LHARC114 is said to be another unauthorized hack. It evidently is NOT a virus. Yoshi has been quoted as stating on GENIE that the next official release will be ver. 2.0. I hope this helps. --- Telegard v2.5i Standard * Origin: Telegard BBS (000-000-0000) (1:161/88.0) Msg#: 5239 *Virus Info* 09-10-90 15:12:00 (Read 6 Times) From: JOE MORLAN To: HERB BROWN Subj: REPLY TO MSG# 5238 (RE: LHARC114?) Exactly. LHARC v1.14b is not a real release. Just another unauthorized hack. --- Telegard v2.5i Standard * Origin: Telegard BBS (000-000-0000) (1:161/88.0) Msg#: 5240 *Virus Info* 09-07-90 20:35:00 (Read 6 Times) From: CHRIS BARRETT To: SIMON FOSTER Subj: RE: MYSTERY VIRUS?? Could I ask wy the buffers would be causing the Boot Block to be altered. I have since removed the val checks using ScanV66B and put some new ones on using ScanV66B. Could it be possible that someone has altered a bit of the code and as ScanV66 uses a string (or is it hex search) it doesn't find it? eg In the Virus it originaly said "Your disk is stoned' and the person converted it to say 'Your disk is now stoned'. If ScanV66 happens to look for the original string to my knowlegde the virus would not be recognized. Chris. --- TBBS v2.1/NM * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654) Msg#: 5241 *Virus Info* 09-12-90 22:11:00 (Read 6 Times) From: PHILLIP LAIRD To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 4751 (RE: LET ME REPHRASE THAT.....) ** Quoting Patricia Hoffman to Herb Brown ** >If you are booting from an uninfected diskette when powering >on the computer, you wouldn't ever find a virus in memory. > However, if you are performing a warm reboot from a floppy, >you could have a virus in memory still. The real point here >was that most people do not run scan or other anti-viral utilities >after powering on and booting from a floppy, so it is always >possible for the virus to be in memory. ** End of Quote ** THat is exactly the way I have found some of the Virii I researched as being. If the virus is present in memory, then it is possible the the file will infect, however, if the Scan Diskette is write protected and the diskette is bootable, Like oyu say. It is BEST to cut the power to the system and then re-boot the system. However, if you wanted to go a step further, it is possible to clear all volatile RAM if you want to do a warm boot. The Warm Boot can result in infection, since the ram is not cleared. The various hardware interrupts are still performed and cotrol passed to Command.com, but the System files are still present in memory, along with a virus possibly. Too many people are now taking the virus issue too lightly. It can effect you, take precaution and use the Floppy to boot up on with a Write Protect on the Diskette. Then scan the drive from there. --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 5242 *Virus Info* 09-12-90 22:16:00 (Read 6 Times) From: PHILLIP LAIRD To: PATRICIA HOFFMAN Subj: RE: JERUSALEM B AND CLEANP64.Z ** Quoting Patricia Hoffman to Phillip Laird ** > PL> I cleaned 17 infected files today with clean version 64. > I have a good > PL> question. While the program removes the file, some where >removed the > PL> first time around, others were scanned several times before >the virus > PL> was actually removed. Can you tell me why? > >The programs that were scanned several times probably were >infected multiple times with Jerusalem virus. A lot of the >variants of Jerusalem B will infect .EXE files repeatedly, >eventually the program will get too large to fit into memory. > On files that are infected multiple times with Jerusalem, >you'll see a message come up for each infection as it is removed. > > >That is my guess as to what you observed... > >Patti > ** End of Quote ** That is exactly what I had suspected. I assumed the file was re-infected several times as the size of the Original WP.EXE files that were infected once was for example 112K, and the ones that were infected several times was around 173K. Some of the programs were non functional after clean ws performed on the file. We just delte the file and re-copy it when that happens. The only safe way to do it I have found is to go ahead anuse scans' /D option and delete the file and re-copy it. --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 5887 *Virus Info* 09-14-90 14:05:00 (Read 5 Times) From: MIKE MCCUNE To: PATRICK TOULME Subj: MOTHER FISH Everybody was talking about the Mother Fish a few weeks ago. Now that it has been out for mor than a week, nobody is saying anything about it. What's the deal with this virus? --- Opus-CBCS 1.13 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#: 6048 *Virus Info* 09-14-90 07:05:00 (Read 4 Times) From: JOE MORLAN To: CHARLES HANNUM Subj: REPLY TO MSG# 4968 (RE: LHARC 1.14B(ETA)) According to folks posting on the technical echo, Yoshi has stated on Genie that the next official release after LHarc 1.13c will be LHarc 2.xx. Beta versions of LHarc 2.0 are said to have been released in Japan. It is illogical that 114b would be a valid release. The main change is the same as the known unauthorized hack, ICE. There are a few people on that echo that seem to believe that the release is "real" based mostly on the source where the file had been posted. It seems clear to me that it is just another unauthorized hack. --- Telegard v2.5i Standard * Origin: The Twilight Zone (415)-352-0433 (1:161/88.0) Msg#: 6659 *Virus Info* 09-15-90 08:13:00 (Read 4 Times) From: RICHARD HECK To: ALL Subj: CLEAN UP I think that the newest version of cleanup was alot better then the version before it. Oh and watch out for that Sunday Virus. --- outGATE v2.10 # Origin: SIGnet International GateHost (8:7501/103) * Origin: Network Echogate (1:129/34) Msg#: 6660 *Virus Info* 09-16-90 11:28:00 (Read 5 Times) From: SATYR DAZE To: CHRIS BARRETT Subj: REPLY TO MSG# 5240 (RE: MYSTERY VIRUS??) Sorry to butt in ..... you aparently have been infected by the Stoner-Marijauna Virus , quite a few people here in florida myself included have seen this little beauty. After disinfecting yourself the damaged caused by the virus is unaltered. Backup your harddrive and reformat it, after restoring it. Delete and redo Autoexec.bat and Config.sys they have both also been altered. Your Hardrive should now be back to snuff .... but before i forget run a utility to mark and lock out bad sectors the Virus may have caused. These unfortunaly are not always recoverable. G'Day ....................... The Satyr Daze --- TBBS v2.1/NM * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2) Msg#: 6661 *Virus Info* 09-16-90 11:39:00 (Read 4 Times) From: SATYR DAZE To: GARY MOYER Subj: REPLY TO MSG# 4546 (RE: VIRUS SCANNERS....) Well you can Download a Virus scanner from a reputable BBS -- one that actually checks all of it's files for viruses --- or go out and purchase a Virus Scanner. Most of the downloadable stuffis by Mcaffe Associates, You can purchase Virucide (commercial version) which checks and disinfects your files, also by Mcaffe Associates for about $30.00. Not a bad buy when you consider the consequences of not having a good scanner. Just make sure that after Downloading a file, unarc-unzip-unwhatever it, But under no circumstance activate it --- run it --. Run the scanner, if the file checks clean go ahead and run it then. If it dosn't the program will warn you and disinfect it. The reason you must open the file (unzip) is because scanners can't look into an archived file. The Satyr Daze --- TBBS v2.1/NM * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2) Msg#: 6662 *Virus Info* 09-16-90 13:40:00 (Read 4 Times) From: SATYR DAZE To: CHARLES HANNUM Subj: REPLY TO MSG# 4973 (RE: ANTI VIRUS VIRUSES) Actually the Honor of creating Viruses Belongs to John Conway, he was trying to develop software that emulated living organisms. He developed the first "Game of Life". As he created these new programs they became more and more complex having intricate enviroments that the elements would have to over come in order to survive. But these were never allowed to get beyond that scope, Virus programs where never destructive untill the "Core Wars". Opposing Programmers would create self-replicating programms that when they encountered other self-replicaters would try to devour them. Incidently it was called "Core Wars" because the game itself took place in Core Memory . These young Programmers were actually quite small in number and never publicly discussed what they were doing. If any blame is to be attached it should be to Ken THompson who went public with the process in 1983..... at that point it was "Discovered" by university students who began creatingthe real nasties ..... Today many strains are just variation of their original work. Just a little History............... The Satyr Daze --- TBBS v2.1/NM * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2) Msg#: 6663 *Virus Info* 09-14-90 19:31:00 (Read 5 Times) From: RAJU DARYANANI To: ALL Subj: NETWARE BYPASSING JERUSALEM VIRUS Does anyone have any details on the CERT announcement that it has isolated a version of the Jerusalem virus that can bypass Novell Netware's file protection settings and infect files ? Anyone know of actual infections, how common it is and whether McAfee's SCAN detect this virus ? Raju --- via Silver Xpress V2.24 [NR] --- QM v1.00 * Origin: TAIC Maximus - DVNet Asia, PEP/V.32 High Speed PathFinder (3:700/1.0) Msg#: 6664 *Virus Info* 09-16-90 00:41:00 (Read 4 Times) From: ALAN DAWSON To: PHILLIP LAIRD Subj: REPLY TO MSG# 4970 (RE: SCAN WEIRDNESS) PL> been plagued with viruses. I have setup a routine for the Labs PL> to Scan the Floppies coming in with SCAN. This has just taken PL> Place. Next thing I know, the clerk decides to run SCAN From PL> her hard drive on her desktop! Then Alameda hit her! The SCAN The next "killer-ap" should be the anti-stupidity program. If ever it needed to be proved that "a little knowledge is a dangerous thing," computer users prove it to their techies daily! PL> Weird thing about CLEAN.EXE the program to remove the Viruses. PL> I am using Clean Version 66 and sometimes the program will scan PL> the file numerous times before the virus is eventually removed. I really don't like the whole idea of a "popular" virus remover. (A specific cure for a specific virus on one site is different.) Any yo-yo with PC-Tools or Norton can make a "new" virus and this makes the possible results from a removal program very iffy. I really believe in brute-force removal i.e. DEL VIRUS.COM, and re-install. It's safer that way, and certain (after you check the floppies, of course). - From Thailand, a warm country in more ways than one. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 7165 *Virus Info* 08-31-90 20:15:00 (Read 4 Times) From: CHRIS BARRETT To: ALL Subj: BOOKS ON VIRUSES Could someone tell me somenames of books on Viruses and their authors. As I am in Australia getting hold of them may be a problem though. Hope you can help... Chris.. --- TBBS v2.1/NM * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654) Msg#: 7166 *Virus Info* 08-31-90 20:21:00 (Read 5 Times) From: CHRIS BARRETT To: ALL Subj: REPLY TO MSG# 6660 (MYSTERY VIRUS??) At my school we have some XT's with 2 360K FDD each. Lately we have noticed that some of the students disks are being over written by the program disk they were using. Eg some people have found the Turbo pascal files on their data disks. I brought in a copy of ScanV66 and placed a validation check on the program disks (Not the data disks). Scanning showed no viruses (well known ones anyway). But when we scanned them a week later we found some had had their Boot Blocks altered. In some cases the files on the data disk are just renamed to one on the program disk. Eg we listed "TURBO.EXE" and found it to contain a students pascal source code. Could someone shed some light please.. I have told the teacher it is most likely home grown and he is sh*tting himself. Chris. --- TBBS v2.1/NM * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654) Msg#: 7167 *Virus Info* 09-01-90 18:28:00 (Read 4 Times) From: DOUG EMMETT To: PHILLIP LAIRD Subj: REPLY TO MSG# 6664 (RE: SCAN WEIRDNESS) For the new boy would you mind explaining how to write protect Scan.Exe on the C: drive-Thanks --- Opus-CBCS 1.13 * Origin: The U.S.A. Connection-*HN-NZ*-(+64-71-566851) (3:772/260.0) Msg#: 7168 *Virus Info* 09-02-90 14:18:00 (Read 4 Times) From: WARREN ANDERSON To: MIKE DURKIN Subj: REPLY TO MSG# 2475 (INTERNET WORM) Hi, No I have never come across the book. I would appreciate it if you could provide a copy of the password list (just in case I can't get hold of a copy of the book). Thanks again. Regards \/\/ /\/\ Anderson --- Telegard v2.5 Standard * Origin: InfoBoard BBS - Auckland - New Zealand (3:772/140.0) Msg#: 7169 *Virus Info* 09-04-90 06:12:00 (Read 4 Times) From: PAUL FERGUSON To: YASHA KIDA Subj: REPLY TO MSG. 134 Right on, Yasha......I couldn't have said it better myself.....This town (DC) seems to have a real problem concerning this. That's OK, though, as you have said, we shall see who they come running to when the going gets rough..... -Paul --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 7170 *Virus Info* 09-05-90 12:50:00 (Read 4 Times) From: MICHAEL ADAMS To: RICK THOMA Subj: RE: PKZ120.EXE Rick .. I had one uploaded to my Board called "PKZ120.exe". The File looks Authentic. Even went to the point of -AV and the Pkware registeration number on the last line after self extraction. If it were not for the file "Warning.txt" put out by "Pkware" I'd still be using it. Really went through alot of trouble authenticating it! Michael Adams Baud Horizons (504) 436-9590 --- Maximus-CBCS v1.00 * Origin: The Southern Star - SDS/SDN/PDN - 504-885-5928 - (1:396/1) Msg#: 7171 *Virus Info* 09-05-90 16:06:00 (Read 4 Times) From: LONNIE DENISON To: ALL Subj: HEY Just letting you know that I have joined my board (The Maze) to this echo.. hope we can contribute some info here! Lonnie Denison --- Telegard v2.5i Standard * Origin: => The Maze <= 916-391-6118 "Would ya Believe" (1:203/60.0) Msg#: 7172 *Virus Info* 09-05-90 18:28:00 (Read 4 Times) From: PHILLIP LAIRD To: KEVIN HIGGINS Subj: REPLY TO MSG# 4969 (RE: SECURING YOUR UPLOADS) Kevin, nice batch file for testing files for virrii. I am now Alpha testing my new program that will work with TAG at present. I have the Key fake program if it will help you! That file will enter the "Y or N" Question when the batch file comes to Are you sure? Y or N. Meaning you had the batch file to delete all programs in the temp check directory. I plan on a new realease of the program to several BBSES that will work to help all Sysops keep out the Virii. If you want Keyfake Program, just Tell me, and I will netmail it to you... I had a run in with Jerusalem B [jeru] today at Lamar University. Seems the Chemistry Department stockroom manager had already infected 17 files on his hard drive. Clean removed the virus. --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 7173 *Virus Info* 09-05-90 18:30:00 (Read 5 Times) From: PHILLIP LAIRD To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 4750 (JERUSALEM B AND CLEANP64.ZIP) Patti: I cleaned 17 infected files today with clean version 64. I have a good question. While the program removes the file, some where removed the first time around, others were scanned several times before the virus was actually removed. Can you tell me why? --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 7174 *Virus Info* 09-05-90 18:32:00 (Read 4 Times) From: PHILLIP LAIRD To: RICK THOMA Subj: REPLY TO MSG# 4967 (RE: PKZ120.ZIP) Didn't someone say that because someone had already hacked an earlier version of PKZIP that 120 would be the next scheduled release? Anybody have any info? --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 7175 *Virus Info* 09-05-90 18:37:00 (Read 4 Times) From: PHILLIP LAIRD To: ALL Subj: PROCOMM 3.10 Beware, there is a version of Procomm.zip going around in our area here in Texas which boasts Procomm 3.10. After consulting with my friend at Datastorn Technologies, he called my BBS and downloaded the file. I had a user complain that the file hung and said "NUKE" at the lower left of his terminal. Datastorm Technologies stated that this version doesn't exist, I.E.... the latest was 2.4.3. The same user told me that the file one night then put a message on his screen that stated "Does this IBM PC or Compatible have more than one drive? Y or N " He immediately turned off the computer and didn't answer the question. Althought we scanned this program and found no virus, we disassembled it and also didn't find anything suspicious either. Be careful, it might be a time bomb. If you know of this program, let me know at 1:19/49. I would like to keep tabs on it. --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 7176 *Virus Info* 09-04-90 16:04:00 (Read 4 Times) From: MIKE MCCUNE To: TALLEY RAGAN Subj: REPLY TO MSG# 4030 (RE: REMOVING JOSHI) I have posted a new version that checks for the virus before trying to remove it (now that I have a working copy of the virus). It will not damage the partition table on uninfected hard disks...<MM>. --- KramMail v3.15 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#: 7177 *Virus Info* 09-04-90 13:31:00 (Read 4 Times) From: PAUL FERGUSON To: KEN DORSHIMER Subj: REPLY TO MSG# 5241 (LET ME REPHRASE THAT.....) Ken- This is a continuation of msg.# 156 (I dropped the keyboard....Looong day, you know)..... Actually, I really should have said "virtually preconceived". From what I can gather on the topic (I don't yet have a copy of 4096), they actually redirect CRC/Checksum interrogators to a "snapshot" of the original file as it appeared before infection.(Someone, I'm sure, will correct me if I'm wrong or at least add enlightenment.) The infected file, in the case of 4096, has in reality grown by 4096 bytes and would more than likely hang the system, therefore, which would lead me to believe that running the CRC check without the virus TSR would allow you to identify the actual infected files. Also, it seems like the only way to catch it TSR is to trace the interrupt vectors (although everyone seems to have a little bit of differing ideas on this '->) Until I can get my hands on this little fellow, I guess that I'll just follow the more logical explanations from the sources with credibilty and make a judgement from that! Sounds credible. But, as I'v said before- I sure would like to see it. I've been following several different message base threads on this particular virus, with input from users at the basic levels to BBS SysOps to the AntiViral research community.......I must say, it gets overwhelming at times to keep objective. *:) -Paul --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 7178 *Virus Info* 09-05-90 09:20:00 (Read 4 Times) From: PAUL FERGUSON To: EVERYONE Subj: DETAILED INFO ON 4096... The description in VSUM (August 15 release) of the 4096 virus has gotten my usual curiousity arouser, along with a plethora of discussion on this particular virus within many message conferences and viral echos......Since I have not had the opportunity, yet, to obtain a sample to personally examine, I must post a few questions to the field: 1.) Would someone like to elaborateon the structure of "Phases" that the CVIA uses to catorgorize viruses? Please? ;-) 2.) I seem to remember mention (No, I don't have my copy of VSUM in front of my now) of the virus (4096) containing it's own boot sector. Could someone enlighten me on this , also? 3.) And, under what ? circumstances does the 'FRODO LIVES' msg. appear and when does it not? No offense, Patti, but I did think that on a couple of these points that the VSUM doc was kinda sketchy (I know that is ALOT of work to compile that baby and continually update, etc.!). Perhaps with a little more detail, I will have settled my curiousity and returned to other problems at hand... -Paul Patti- Any luck with last U/L? ,-) --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 7179 *Virus Info* 09-05-90 20:34:00 (Read 5 Times) From: PATRICIA HOFFMAN To: SEAN SOMERS Subj: REPLY TO MSG# 4544 (RE: REMAPPING...) SS> Off topic here, anybody out there encounter the French Revoloution SS> virus? I was the first out here to discover it. What it does is nuke SS> your HD while displaying an anti Western/English speaking Canadians. Haven't seen or heard of that one before.... What does it infect? .COM, .EXE, overlays, boot sectors, only floppies? If you want to send me a copy of it, I'd be happy to take a look at it as well as pass it along to John McAfee's group. Snail mail address is: Patricia M. Hoffman 1556 Halford Avenue #127 Santa Clara, CA 95051 It can also be sent in a .ZIP file to my system, though be sure you don't route it thru anyone, or directly uploaded here to a suspect area that is secured. Not off-topic at all, that is what this conference is for.... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 7180 *Virus Info* 09-05-90 20:01:00 (Read 5 Times) From: PATRICIA HOFFMAN To: PAUL FERGUSON Subj: REPLY TO MSG# 7178 (DETAILED INFO ON 4096...) PF> 1.) Would someone like to elaborateon the structure of "Phases" that PF> the CVIA uses to catorgorize viruses? Please? ;-) PF> VSUM doesn't necessarily use the McAfee or CVIA categorization techniques to classify viruses. VSUM's categorization is a bit finer than McAfee's since in many cases he can group things together for detection/removal purposes. However, in describing them they don't make much sense that way. I haven't seen a copy of the CVIA categorization in some time, but I believe they classified by: boot sector infector parasitic file infector overwriting file infector Partition table infectors were (I think) thrown in with boot sector infectors since at the time the only partition table infector was Stoned, which also infected floppy boot sectors. They also classified by memory resident or non-resident. Generally, VSUM classified by memory resident/non-resident, what it infects, file length change, symptoms, and other characteristics, as well as what virus the new entry is based on if applicable. In the case of memory resident viruses, there is a code to indicate how or where it is memory resident. McAfee and I had a loooonnnnnggggg discussion on classification and naming awhile back, and "agreed we could disagree" since how he uses the names in Scan isn't workable for VSUM, and using the VSUM naming in Scan would not serve his purposes since he needs to group variants in many cases. If possible, though, we try to use the same names. If VSUM differs, the name that will be indicated by Scan is indicated as an alias. McAfee's current classification methods as indicated in VIRLIST.TXT which comes out with Scan also differs from the CVIA classifications, and is fairly close to VSUM. PF> 2.) I seem to remember mention (No, I don't have my copy of VSUM in PF> front of my now) of the virus (4096) containing it's own boot sector. PF> Could someone enlighten me on this , also? PF> Yes, it includes a boot sector, though do to an error in the virus, the included boot sector isn't ever written to the hard disk or floppy boot sector. This boot sector is where the "FRODO LIVES" message is.... PF> 3.) And, under what ? circumstances does the 'FRODO LIVES' msg. PF> appear and when does it not? PF> Normally, due to a bug in the virus, the message is never displayed. If one copies the boot sector from within the 4096 virus to a floppy diskette as sector 0, and boots from it, the message will appear. Of course, the above bugs may be fixed in a later version of the virus....but the versions I've seen hang on September 22 when they were meant to activate the Frodo Lives message. PF> PF> No offense, Patti, but I did think that on a couple of these points PF> that the VSUM doc was kinda sketchy (I know that is ALOT of work to PF> compile that baby and continually update, etc.!). PF> Perhaps with a little more detail, I will have settled my PF> curiousity and returned to other problems at hand... PF> No problem....A lot of time what makes perfect sense to me doesn't make sense to others :-). There is always this question with VSUM on where to draw the line on the descriptions. PF> Patti- Any luck with last U/L? ,-) PF> Not yet....I'm busy working on analysing a new virus right now, and it is going to take awhile....will probably be a Whale of a tale when I get done....and I don't want to say anything prematurely on it. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 7181 *Virus Info* 09-06-90 11:33:00 (Read 4 Times) From: TONY JOHNSON To: ALL Subj: REPLY TO MSG# 3029 (CORE WARS) Core Wars was a simulation system, it was not per se' a breeding ground for the type of viri that you see today attacking systems and PCs. The programs tested were called viri in the way they attacked and behaved while operating within the Core Wars environment. I believe the "arena" used for the "viruses" was an 8K memory grid, and that the programs/"viri" were limited to that area. While those programs were not the same thing as what we see today chewing up our beloved computers, I can say that Core Wars was an extremely enlightening experience that had the programmers thinking about how a similiar type of situation could apply to the actual computing world. --- QM v1.00 * Origin: The 286 Express (504-282-5817) (1:396/30.0) Msg#: 7182 *Virus Info* 09-06-90 13:09:00 (Read 5 Times) From: CHARLES HANNUM To: CHRIS BARRETT Subj: REPLY TO MSG# 7166 (RE: MYSTERY VIRUS??) >At my school we have some XT's with 2 360K FDD each. Lately we have >noticed that some of the students disks are being over written by the >program disk they were using. Eg some people have found the Turbo >pascal files on their data disks. This could happen (and has) if you are using disk caching software. That would be a good place to look first. --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)