VIRUS-L Digest   Monday, 8 May 1989   Volume 2 : Issue 108

Today's Topics:

Comments on SYS from John McAfee (PC)
Comment on SYS command (PC)
Re: thoughts on comp.virus (and admin notes)

---------------------------------------------------------------------------

Date: Fri, 5-May-89 14:23:40 PDT
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Comments on SYS from John McAfee (PC)

I too often assume understanding which isn't there, and it always gets me in trouble. At the risk of boring nearly everyone, I'd like to expand briefly on the SYS command. It only works if the system is first powered down (soft re-boot will not work), then re-booted from a clean, preferably original, system master diskette. Otherwise, the virus will remain in control and you will accomplish nothing with most viruses.

The Search virus (Den Zuk) has been found with variations that specifically disable loading of the SYS program. When a SYS command is entered, a sector read is made to the home device (so that the access light will come on), then multiple sector reads are done to the target device so that it looks like something is happening, and then it displays the message - "System Transferred".

I know you all already knew this but better safe than sorry.

John McAfee
From the HomeBase BBS 408 988 4004

------------------------------

Date: Fri, 5-May-89 16:51:01 PDT
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Comment on SYS command (PC)
Original-From: Tim Sankary

The comment on Virus-L about the SYS command not removing boot infectors is disconcerting. Not because it's true, but because it is so misleading. Any competent programmer knows that the SYS command has to overwrite the boot sector. It's used to specifically upgrade versions of DOS. So if you have, say, version 3.0 running (which means a 3.0 boot sector as well - check it out with Norton if you're skeptical), and you're upgrading to 3.3, then you have to overwrite the boot sector, else you'll have a 3.0 boot with a 3.3 DOS - a meaningless situation. If anyone reading this still doubts it, then simply run the Norton Utilities and erase or overwrite part of the boot sector and then run SYS. The boot will be magically restored.

We have advised over 300 infected corporations involving over 20,000 infected computers and 100,000 infected floppies to use this technique to remove their boot infectors. I'm not aware of any instance where it did not work.

To publish a statement in a virus forum that is distributed to thousands of readers, when the statement is patently absurd and damaging to the efforts of the CVIA and other groups, is irresponsible. The virus situation is not a joke, a game or a playground. Many of us have dedicated full-time efforts for over a year to understand and deal with what's happening. In this area I recommend the advice of Mark Twain - It is better to remain silent and be thought a fool, than to speak up and remove all doubts.

------------------------------

Date: Sat, 6 May 89 00:19:14 EDT
From: msmith@topaz.rutgers.edu (Mark Robert Smith)
Subject: Re: thoughts on comp.virus (and admin notes)

Two thoughts on the comp.virus addition:

Would it be possible to have the comp.virus side of the list distributed as individual articles, rather than a digest? Granted, it's harder, but it reads much easier on UseNet, where vnews does not undigestify digests.

[Ed. I've gotten *lots* of requests for this, and it is something that I plan on doing shortly (as time permits). If anyone wants to write a VMS DCL script to receive a mail file, undigestify it (maintaining appropriate NNTP headers for each message), and then post it, I'd be eternally grateful, and the process will move much faster. Otherwise, it'll have to wait until I can get around to tackling it.]

Also, when those of us who get comp.virus unsubscribe from the LISTSERV list, should we remain on VALERT-L, or will those articles have some "get it to UseNet quick" mechanism?

[Ed. Readers who get Usenet news will probably want to unsubscribe from VIRUS-L and read comp.virus. VALERT-L is *not* currently sent to the newsgroup immediately, however. Any VALERT-L (other than a SUB John Doe, etc... (heavy sigh!)) posting will get included in the next outgoing comp.virus/VIRUS-L digest. So, if you want to read VALERT-L in as timely a manner as possible, don't unsubscribe from it.

To UNSUBSCRIBE from VIRUS-L and/or VALERT-L, send MAIL to LISTSERV@LEHIIBM1.BITNET (not to the list) stating: SIGNOFF listname. (Where listname is either VIRUS-L or VALERT-L.)

While on the subject of VALERT-L, I'd like to ask everyone to please *PLEASE* not reply to subscription requests, etc. there. A note to the author of the request would be fine, but please do not send anything to the list. The list is only to be used for urgent alerts when and if they arise.]

Mark
--
Mark Smith (alias Smitty)
RPO 1604; P.O. Box 5063
New Brunswick, NJ 08903-5063
rutgers!topaz.rutgers.edu!msmith
msmith@topaz.rutgers.edu
"Be careful when looking into the distance, that you do not miss what is right under your nose." (OK, Bob?)

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
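Tim Sankary's test in the second message (damage part of the boot sector with Norton, run SYS, watch it come back) and John McAfee's description in the first of a Den Zuk variant that prints "System Transferred" without writing anything both reduce to one check a practitioner can make mechanically: dump the target's boot sector before and after SYS, confirm the sector actually changed, and confirm the boot code now matches the clean master's. The Python below is an added example and is not part of the digest or of any poster's tools. It works on raw 512-byte sector dumps such as a sector editor produces, and the three sample sectors it builds are constructed here: the "code" bytes are opaque filler, not real DOS or virus code. It assumes the DOS 3.x boot-sector layout (jump, OEM name, BPB at offset 0x0B, boot code from 0x1E, 0x55AA at 0x1FE) and, as an assumption to check against your own DOS version, that a genuine SYS rewrites the boot code but leaves the target's BPB geometry in place; geometry_kept is reported separately so that assumption is visible rather than baked into the verdict.

```python
import hashlib
import struct

SECTOR_SIZE = 512
# Jump + OEM name + the DOS 3.x BIOS Parameter Block, little-endian, no padding.
BPB_FMT = "<3s8sHBHBHHBHHHH"
CODE_START = struct.calcsize(BPB_FMT)        # 0x1E: boot code starts right after the BPB
FIELD_NAMES = ("jump", "oem", "bytes_per_sector", "sectors_per_cluster",
               "reserved_sectors", "fat_count", "root_entries", "total_sectors",
               "media", "sectors_per_fat", "sectors_per_track", "heads",
               "hidden_sectors")
GEOMETRY = FIELD_NAMES[2:]

# Standard DOS geometry for 360K 5.25" and 720K 3.5" diskettes.
FLOPPY_360K = dict(bytes_per_sector=512, sectors_per_cluster=2, reserved_sectors=1,
                   fat_count=2, root_entries=112, total_sectors=720, media=0xFD,
                   sectors_per_fat=2, sectors_per_track=9, heads=2, hidden_sectors=0)
FLOPPY_720K = dict(FLOPPY_360K, total_sectors=1440, media=0xF9, sectors_per_fat=3)


def build_sector(oem: bytes, boot_code: bytes, geom: dict) -> bytes:
    """Assemble a boot sector: JMP SHORT to the code, OEM name, BPB, code, 0x55AA."""
    jump = b"\xEB" + bytes([CODE_START - 2]) + b"\x90"
    header = struct.pack(BPB_FMT, jump, oem.ljust(8), *(geom[n] for n in GEOMETRY))
    body = boot_code.ljust(SECTOR_SIZE - 2 - CODE_START, b"\x00")
    return header + body + b"\x55\xAA"


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the header fields and fingerprint the boot code that follows them."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector, got %d bytes" % len(sector))
    info = dict(zip(FIELD_NAMES, struct.unpack_from(BPB_FMT, sector, 0)))
    info["oem"] = info["oem"].decode("ascii", "replace").rstrip()
    info["signature_ok"] = sector[SECTOR_SIZE - 2:] == b"\x55\xAA"
    info["code_hash"] = hashlib.sha256(sector[CODE_START:SECTOR_SIZE - 2]).hexdigest()
    return info


def changed_ranges(before: bytes, after: bytes) -> list:
    """Byte ranges [start, end) that differ between two sector dumps."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(before, after)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(before)))
    return ranges


def sys_really_transferred(before: bytes, after: bytes, master: bytes) -> dict:
    """Judge a SYS run from the target's boot sector before and after it.

    before/after: the target's boot sector dumped before SYS and after it
                  reported "System transferred"
    master:       boot sector of the clean, write-protected system master
    Verdict: the sector must have changed, its boot code must now match the
    master's, and the 0x55AA signature must be intact.  geometry_kept reports
    whether the target's BPB survived, which this example assumes a genuine
    SYS leaves alone (assumption; check against your DOS version).
    """
    b, a, m = (parse_boot_sector(s) for s in (before, after, master))
    result = {
        "sector_changed": before != after,
        "changed_ranges": changed_ranges(before, after),
        "code_matches_master": a["code_hash"] == m["code_hash"],
        "geometry_kept": all(a[n] == b[n] for n in GEOMETRY),
        "signature_ok": a["signature_ok"],
    }
    result["verdict"] = (result["sector_changed"] and result["code_matches_master"]
                         and result["signature_ok"])
    return result


# Constructed sample sectors.  The "code" bytes are opaque filler standing in
# for a DOS loader and a virus loader; they are not real code.
DOS_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"DOS33-BOOT-" * 10
VIRUS_CODE = b"\xEA\x05\x00\xC0\x07" + b"BOOT-INFECTOR-" * 8

MASTER = build_sector(b"IBM  3.3", DOS_CODE, FLOPPY_720K)      # clean master, 720K
INFECTED = build_sector(b"IBM  3.3", VIRUS_CODE, FLOPPY_360K)  # target: BPB intact, virus loader
FAKED_SYS = INFECTED            # message printed, nothing written (the Den Zuk variant)
REAL_SYS = build_sector(b"IBM  3.3", DOS_CODE, FLOPPY_360K)    # boot code restored, BPB kept

if __name__ == "__main__":
    for label, after in (("faked SYS", FAKED_SYS), ("real SYS", REAL_SYS)):
        r = sys_really_transferred(INFECTED, after, MASTER)
        print(label, "->", "GENUINE" if r["verdict"] else "NOT TRANSFERRED",
              {k: v for k, v in r.items() if k != "changed_ranges"})
```

The before/after dumps have to be taken from a machine booted off the clean master, for the reason McAfee gives: a resident boot infector can serve up a clean-looking sector on every read, so a comparison made while it is in control proves nothing. The changed_ranges output is the programmatic form of the Norton check; on a genuine SYS the first changed range begins at the start of the boot code, not inside the BPB.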