VIRUS-L Digest   Wednesday, 20 Sep 1989    Volume 2 : Issue 198

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Re: Macintosh Virus
datacrime question (PC)
Possible virus? (VAX/VMS)
RE: VirusDetective questions (Mac)
RE: Centel Corp. and ViruScan
Re: VirusDetective questions (Mac)
DataCrime antidote: NOCRM11.ARC availability (PC)

---------------------------------------------------------------------------

Date:    20 Sep 89 11:56:23 +0000
From:    shull@scrolls.wharton.upenn.edu (Christopher E. Shull)
Subject: Re: Macintosh Virus

In article <0001.8909191859.AA09184@ge.sei.cmu.edu> JOHN P. BRADLEY writes that he has found the Macintosh Scores virus, and asks about how to proceed with eradication and user education.

Since the Decision Sciences Department teaches the largest Mac-based course at the University of Pennsylvania, we have taken the lead in user education. Who else on campus has a captive audience of >600 students each year? :-)

Our instructors encourage students to drop Vaccine 1.1.1 into their system folders (explaining that it was like practicing safe sex, but less intrusive). We also taught them how to use Disinfectant 1.2. Although we resent having to take time from teaching to cover this, the peace of mind of the students is well worth the effort.
Furthermore, the hot-line and walk-in consulting staff have many fewer problems since students are encouraged to pass along the programs and the minimal knowledge required to use them.

If we didn't have a captive "seed" group, I would probably try to run some special noon-time seminars on Mac virus detection, removal, and prevention.

We are just now trying to get offices which have frequent contact with student diskettes to go further than just protecting themselves, and perform first tier advice to their "clients". (In some cases, we are still trying to get them to protect themselves -- one Mac II user I worked with yesterday had 44 nVIR A and B infections on his hard disk, and didn't have the foggiest idea!)

At the very least, the latest versions of the tools mentioned above, plus GateKeeper (for sophisticated users) should be readily available in a well publicized location. (My teaching lab remains the only one on campus. :-( )

Good luck,
-Chris

Christopher E. Shull                shull@scrolls.wharton.upenn.edu
Decision Sciences Department        shull@wharton.upenn.edu
The Wharton School
University of Pennsylvania
Philadelphia, PA 19104-6366
215/898-5930
---------------------------------------------------------------------------
"Damn the torpedoes! Full speed ahead!"  Admiral Farragut, USN, 1801-1870
---------------------------------------------------------------------------

------------------------------

Date:    Tue, 19 Sep 89 19:13:00 -0400
From:    IA96000
Subject: datacrime question (PC)

If you use fdisk to create a dummy partition of, let's say, 2 cylinders and then create a second normal active DOS partition, will this prevent the virus from destroying track zero? Seems like it might to me... how about some comments!

------------------------------

Date:    Wed, 20 Sep 89 08:59:00 -0400
From:    System Manager
Subject: Possible virus? (VAX/VMS)

I received this from Info-VAX today. I think it may be of interest.
Damian Hammontree
System Programmer, Johns Hopkins School of Medicine
MANAGER@JHUIGF.BITNET

Message follows:

Comments: From IVERS@CMR.MFENET on 19-SEP-1989 23:36:02.73 EDT
Comments: To: info-vax@kl.sri.com

On Monday morning, our users (including the system manager) were surprised to find that they could no longer log in to our VAX 11/750 (VMS V4.5). Coincidentally, one user reported the appearance of several files in his directory with names like WARNING., VIRUS., and ATTACK.. He thought it was a joke and said nothing at the time the files appeared.

The system was booted with UAFALTERNATE=1. It appeared that SYSUAF.DAT was intact, but the passwords were no longer valid. A SYSUAF.DAT file was restored from a backup set and new passwords were issued.

The problem is that now when more than 2 users attempt to use the system, a message of the type LICENSED NUMBER OF SYSTEM USERS EXCEEDED appears.

As for the "virus" files - all that remains are subdirectories of names similar to the files reportedly seen by the user (one of them is called [.DEADLY-VIRUS]).

Any ideas as to the cause or cure of the LICENSED NUMBER OF... problem, or insight into the nature of the "virus" would be appreciated.

Thanks in advance,

Tom Ivers (system manager)
Columbia U. Plasma Physics Lab
Internet: IVERS@CUPLVX.APNE.COLUMBIA.EDU
MFEnet:   IVERS@CMR

------------------------------

Date:    Wed, 20 Sep 89 09:22:55 -0400
From:    dmg@lid.mitre.org (David Gursky)
Subject: RE: VirusDetective questions (Mac)

What version are you using? The latest and greatest is 3.0.1. I've been using it with no problems. [On the other hand, the systems I am using it on are clean according to it and Disinfectant 1.2...]

------------------------------

Date:    Wed, 20 Sep 89 09:36:26 -0400
From:    dmg@lid.mitre.org (David Gursky)
Subject: RE: Centel Corp. and ViruScan

Why does McAfee's note about Centel and Viruscan bug me? Correct me if I'm wrong, but is not Viruscan shareware?
I certainly understand John's concern about the possible loss of revenue because people mistakenly believe they have "purchased" Viruscan, rather than paid Centel for the distribution cost (as an aside, I somehow find $25 to be awfully high for what Centel is purporting to be doing). In any event, it strikes me that the tone of John's message is to the effect of "I want you to get your information from me and no one else". If my interpretation is indeed correct (and I apologize in advance if it is not), is this the type of attitude VIRUS-L wishes to promote? It is not in anyone's interest to restrict the flow of information on countering viruses.

[Ed. VIRUS-L wishes to _facilitate_ the open discussion of virus issues and information, neither endorsing nor condemning the opinions of its contributors.]

Disclaimer: Dis is soup. Dis is Art. Soup. Art. [Apologies to L. Tomlin.]

David Gursky

------------------------------

Date:    Wed, 20 Sep 89 14:33:49 +0000
From:    yale!slb-sdr!sdr.slb!shulman@uunet.UU.NET (Jeff Shulman)
Subject: Re: VirusDetective questions (Mac)

awinterb@udenva.cair.du.edu (Richard Nixon) writes:

>Has anyone used VirusDetective for the Mac? We've
>used it, but it seems to detect viruses in files that
>we doubt are affected.

I have (but then again I wrote it!). VirusDetective (VD) is only as good as the search strings used. VD 3.0.1 (the latest) is distributed with search strings that detect all known *active* Mac viruses. With the latest search patterns I have seen NO cases of "false" alarms. Some earlier search strings (say CODE Size xxx) to test for a virus *could* match legitimate CODE resources. So, without knowing what version you are running nor the search strings you are using, you may very well be getting matches where no virus actually exists. Standard example of Garbage In, Garbage Out.

>How reliable is this bit of software?

I have not seen any known virus get past VD 3.0.1.
VD is the only program (to my knowledge) that can be user configured to search for any new virus (or *any* resource for that matter) as soon as a virus is discovered; thus you do not need to obtain a new version (costing $$ from commercial vendors) when a new virus is discovered. NOTE: I *do* send out notification of new search strings to my registered users but you are apt to see them in Usenet first.

                                        Jeff Shulman
                                        VirusDetective author
--
uucp:      ...rutgers!yale!slb-sdr!shulman
CSNet:     SHULMAN@SDR.SLB.COM
Delphi:    JEFFS
GEnie:     KILROY
CIS:       76136,667
AppleLink: KILROY

Disclaimer: VD has absolutely nothing to do with my "day" job at SDR and opinions, etc. herein should not be construed as coming from SDR.

------------------------------

Date:    Wed, 20 Sep 89 11:09:27 -0500
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: DataCrime antidote: NOCRM11.ARC availability (PC)

Version 1.1 of NoCrime has been sent to the IBMPC anti-viral archive sites. This program is meant to combat the DataCrime virus strains receiving so much publicity lately. This file, NOCRM11.ARC, replaces version 0.1 sent out previously under the name NOCRIME.ARC.

NOCRM11.ARC     Fights the DataCrime viruses.

Jim

------------------------------

End of VIRUS-L Digest
*********************
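An added illustration of Jeff Shulman's point above about search strings (not part of the original digest, and not VirusDetective's own code): a toy model of a Macintosh resource fork scanned with two kinds of search string. The "CODE Size xxx" style criterion matches every CODE resource of that size, so a legitimate resource that happens to share the size is reported as a hit; a criterion built on a byte pattern taken from the suspect code only matches the resource that actually contains it. The resource fork, the marker bytes, and the resource IDs are constructed for the example and are not real virus signatures or real infected resources.

```python
"""Toy model of VirusDetective-style resource search strings.

Added example: the resources and search strings below are constructed for
illustration and are not real Macintosh viruses or real VirusDetective
search strings.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Resource:
    """One entry of a (simplified) Macintosh resource fork."""
    rtype: str    # four-character resource type, e.g. "CODE"
    rid: int      # resource ID
    data: bytes   # resource contents

    @property
    def size(self) -> int:
        return len(self.data)


@dataclass(frozen=True)
class SearchString:
    """A search string: resource type plus an optional size and/or byte pattern."""
    name: str
    rtype: str
    size: Optional[int] = None       # size-only criteria are weak: many legitimate resources share a size
    pattern: Optional[bytes] = None  # a byte pattern from the suspect code is far more specific

    def matches(self, res: Resource) -> bool:
        if res.rtype != self.rtype:
            return False
        if self.size is not None and res.size != self.size:
            return False
        if self.pattern is not None and self.pattern not in res.data:
            return False
        return True


Hit = Tuple[str, str, int]  # (search string name, resource type, resource ID)


def scan(resources: List[Resource], search_strings: List[SearchString]) -> List[Hit]:
    """Report every (search string, resource) pair that matches, as a detector would."""
    return [(ss.name, res.rtype, res.rid)
            for res in resources
            for ss in search_strings
            if ss.matches(res)]


def false_alarms(hits: List[Hit], clean_ids: Set[Tuple[str, int]]) -> List[Hit]:
    """Hits that land on resources the tester knows to be clean (ground truth)."""
    return [h for h in hits if (h[1], h[2]) in clean_ids]


# Constructed sample fork: a legitimate CODE 1, a CODE 2 carrying the marker, and an icon.
MARKER = b"EXAMPLE-MARKER-NOT-A-REAL-SIGNATURE"            # constructed, 35 bytes
LEGIT_CODE = Resource("CODE", 1, bytes(1024))
PATCHED_CODE = Resource("CODE", 2, bytes(512) + MARKER + bytes(1024 - 512 - len(MARKER)))
ICON = Resource("ICN#", 128, bytes(256))
SAMPLE_FORK = [LEGIT_CODE, PATCHED_CODE, ICON]

CLEAN = {("CODE", 1), ("ICN#", 128)}   # ground truth for the constructed fork


def demo() -> dict:
    """Run the weak size-only search string and the specific byte-pattern one over the same fork."""
    size_only = [SearchString("CODE size 1024", "CODE", size=1024)]
    byte_pattern = [SearchString("marker pattern", "CODE", pattern=MARKER)]
    weak_hits = scan(SAMPLE_FORK, size_only)
    specific_hits = scan(SAMPLE_FORK, byte_pattern)
    return {
        "size_only": weak_hits,
        "size_only_false_alarms": false_alarms(weak_hits, CLEAN),
        "byte_pattern": specific_hits,
        "byte_pattern_false_alarms": false_alarms(specific_hits, CLEAN),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The size-only string reports both CODE resources and so produces one false alarm on the legitimate CODE 1; the byte-pattern string reports only CODE 2. This is the "Garbage In, Garbage Out" effect described above: the scanner is doing exactly what it is told, and the quality of the report is set by the specificity of the search strings it is given.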