VIRUS-L Digest Friday, 28 Feb 1992 Volume 5 : Issue 45 Today's Topics: Re: Houston Chronicle report on Michelangelo (PC) Silly Season is Early (PC) FProt a good bet for unexperienced user? (PC) Re: Boot Sector Virus Infections (In General) (PC) Re: Stoned, Michaelangelo, Boot Sector ReLocation (PC) Re: Jeff virus!!!!! (PC) Re: Will Write Protection Prevent Virus Infection? (PC) Scan False Alert (PC) Re: Possible virus? (PC) Re: Possible virus? (PC) Re: Quick way to check for Mich on PC's (PC) Re: viruses in general-=help Possible virus? (PC) Re: What does Ping Pong B virus do? (PC) Re: Will Write Protection Prevent Virus Infection? (PC) mutated FORM? (PC) Re: Question on Michelangelo Date-Trigger (PC) Re: Disinfectant 2.6 (Mac) Amiga Virus ? (Amiga) Re: Virus Calendar Re: Houston Chronicle, Edmonton Journal and the media in general VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 26 Feb 92 01:56:11 +0000 >From: rslade@sfu.ca (Robert Slade) Subject: Re: Houston Chronicle report on Michelangelo (PC) treeves@magnus.acs.ohio-state.edu (Terry N Reeves) writes: >>You just reformat the disk and >>re-install everything from your backups. You have spent at most one >>day doing this, and at most one day of your work is lost (if you have >>a good backup scheme). Nothing disastrous. Actually, it may be. We have seen that PCTOOLS (and how many others?) uses a non-standard disk format for speed and storage reasons. All well and good, except that Michelangelo (and Stoned) will infect the disk anyway. Which renders it unusable. Therefore, if you backup from an infected machine, and then play "Michelangelo roulette", you just might end up with a dead hard disk ... and a dead backup to boot. ============= Vancouver | "Remember, by the Institute for Robert_Slade@sfu.ca | rules of the game, I Research into rslade@cue.bc.ca | *must* lie. *Now* do User CyberStore Dpac 85301030 | you believe me?" Security Canada V7K 2G6 | Margaret Atwood ------------------------------ Date: Tue, 25 Feb 92 22:21:07 -0500 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Silly Season is Early (PC) Heard that MTV is now warning about a "Super bad heavy virus that's going down on March 6th...". What's next, the Mickey Mouse Club ? Warmly, Padgett ------------------------------ Date: 26 Feb 92 07:07:46 +0000 >From: gasser@eniac.seas.upenn.edu (Nathan Gasser ><> ) Subject: FProt a good bet for unexperienced user? (PC) Hi all, I'm pretty much a user, period, of a PS/2 and would like to enter the safe-computing era with a complete virus protection package. I'm considering installing FProt -- does this sound like a good bet? Will it ask me too many things I don't understand? Will it work without my constant attention? Also, does it snag Michaelangelo and the latest crop of baddies? I've got fprot201.zoo from the net. Any/all replies greatly appreciated (Email is fine, thanks) Nate. - -- Nathan Gasser ><> gasser@eniac.seas.upenn.edu ------------------------------ Date: 26 Feb 92 10:46:42 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Boot Sector Virus Infections (In General) (PC) martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) writes: > Yes, The hard drive would already be infected. The virus would not be > in memory if you reboot from a non-infected floppy disk, but it will > install itself in memory each time you boot from the (infected) hard disk, > or any other infected disk for that matter. > This is typical of any boot sector viruses I have found "in the wild": > stoned, michelangelo, the Empire family, bloody!, .... In fact, it is typical for most -master- boot sector infectors. The DOS boot sector infectors (e.g. Ping Pong) usually require a successful boot in order to infect the disk. This is not a rule of course, I think that Disk Killer infects even on unsuccessful boot attempts. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 26 Feb 92 11:02:18 +0000 >From: heli@eichow.tuwien.ac.at (Helmut Dier) Subject: Re: Stoned, Michaelangelo, Boot Sector ReLocation (PC) austin@tecnet1.jcte.jcs.mil writes: >karyn@cheetah.llnl.gov (Karyn Pichnarczyk) writes: [...] > >The question I have concerns what appears to me to be conflicting >information from the two sources above. One source states that the >Stoned virus and the Michaelangelo virus both copy the original boot >sector information to the same location. The second source states >that the two viruses copy the original boot sector information to two >different locations. Am I reading this wrong? Which one is correct? [...] Due to my results on a machine that stated it was stoned an had Michelangelo the two viruses use differnt locations. I was able to restore the original bootsector with CLEAN from McAfee first deleting stoned and after that delting Michelangelo. So it's obvious that the two viruses use different locations. Helmut - ---------------------------------------------------------------------- Helmut Dier, | E-Mail: sutdent of computer science, | Internet: HELI@EICHOW.UNA.AC.AT Technical Universitiy of Vienna | Bitnet: E13690B@AWITUW01 Austria, Europe | - ---------------------------------------------------------------------- ------------------------------ Date: 26 Feb 92 11:12:35 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Jeff virus!!!!! (PC) dale@garfield.cs.mun.ca (Dale Fraser) writes: > I hope someone can help me. My PC just got infected by the Jeff virus. > How do I get rid of it? I know I am supposed to remove the infected > files, but I ran the latest version of SCAN (86B) and it never found > it. Hmm, SCAN 86-B -does- detect the Jeff virus. BTW, this is a rather silly non-resident COM infector and I seriously doubt that it can spread very widely... My bet is that you are not really infected and have a false positive alarm. Why did you decide that you are infected (i.e., what program reported this virus)? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 26 Feb 92 11:58:32 +0100 >From: Martin_blas Perez Pinilla Subject: Re: Will Write Protection Prevent Virus Infection? (PC) gt1280b@prism.gatech.edu (ELGHARIB,HESHAM MOHIEDDIN ABOBAKR) writes: > If I set the attributes of all the executables, overlays, and COM > files in my hard drive to be read-only, will this reduce the chances > of getting virus infection? Change the attributes is _absolutely_ useless. Only some very old and very stupid viruses can be stopped with such trick, but all well-written (:-)) viruses (Jerusalem, Yankee Doodle...) can change the attributes, infect the programs and reset the attributes to its original state. Regards, - -mb M.B. Perez Pinilla | mtppepim@lg.ehu.es | Write 10^6 times: Departamento de Matematicas | "I'll never waste bandwidth" Universidad del Pais Vasco | SPAIN ------------------------------ Date: Wed, 26 Feb 92 11:41:45 +0000 >From: keith@comp.lancs.ac.uk (Mr K C Craig) Subject: Scan False Alert (PC) I have a problem with a false virus alert (15xx) to be exact from MacFee's Scan V8.3B86. The program claims the virus is in memory. When the /M option is used to check memory for all virii. I know that there is no virus present. (If anyone's interested I can explain how I know this but it's a bit superfluous to my question.) Problem History. The virus warning occured on two machines in a lab of 15 PS2 model 30s. Each machine is of standard configuration but with a Western Digitial 8 bit ethernet card in them. In the lab we use a technique called Rebuilding to keep a constant software set on the machines. This works by letting each machine, when reset, to logon to a server which contains a software backup set and copying any files which differ on the remote machine, from the file server to the remote machine. I have used Macfee's latest version of Netscan to check the network and it reports no virii. The two PS2s in question both report a 15xx virus in memory but not on any files. Clean 8.1v85 fails to spot or remove the virus and running scan without the /M option stops the error report. Findvirus from Solomon's does not find the virus. The only way that these two machines differ from the other fifteen is that they did have multiple partitions under Dos 3.3 and when I upgraded them to dos 5 I used fdisk on dos 5 to remove these partitions. Could this be the problem? Should I have used Dos 3.3 fdisk? I would low-level format these machines but no-one seems to know how to access the facility on a PS2 model thirty. Is there a problem with Scan. I am positive that the virus alert is a false alarm. Keith Craig. Lancaster University. Microcomputer Consultant. ------------------------------ Date: 26 Feb 92 11:21:24 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Possible virus? (PC) ZEM0%ARGCNEA2.BITNET@BITNET.CC.CMU.EDU writes: > In some programs I see this word 'MSDOS' and i do not if that is a > virus all the progrmas that has that , has 5 byte more I know that if > we immunize a program, is going to have 5 byte more, but when i run Let me guess - you are using TNTVIRUS in "immunize" mode and the actual string is "MsDos", right? > scan say that in the memory i have 5 byte (the word (MSDOS)) i dont Of course. How do you think that word got on the disk? It has been written there by a program (TNTVIRUS in this case), which first had it in memory. After you quit the program, it does not clean the memory it uses, so it is no wonder that you keep finding parts of it there... Side note. Stop using TNTVIRUS. NOW! This is a very buggy program. Sometimes it can even damage your data (I have verified this personally for version 6.80A, so I know what I am speaking about). BTW, as far as I know, the program has been discontinued and its authors now produce Central Point Software's Anti-Virus. So it is an old scanner on the top of that. Forget it and obtain something more recent and more reliable. > understand that. i would like to know if is good to immunize programs No, it is a VERY BAD IDEA. First, you cannot immunize against all possible viruses. (In our particular case, TNTVIRUS "immunizes" only against some Jerusalem variants, Stoned, Brain, and Ping Pong, I think.) Second, some viruses use contradictory checks, so you cannot immunize against both of them. For instance, how you can immunize files against two viruses, the first of which looks for the string "MsDos" at the end of the files, while the second looks for " Terror" at the same place? Third, some viruses are just impossible to immunize against, since they simply check whether their whole body is present in the file, and if it receives control. The only way to "immunize" the files against such thing is to actually infect them. > When i immunize a program with the tnt and after i run scan ,say that > i have the ohio in memory This is another silly thing in TNTVIRUS (which is still present in CPAV) - it does not encrypt the scan strings it uses, and does not clean the memory after itself. Therefore, other signature scanning program can produce false positive alarms. > i would like to know aslo if SCAN immunize > porgram and if it is good and also when i immunize i have 5 byte more? No, it is NOT GOOD to add anything to your files. SCAN cannot "immunize", but it can either (1) add 10 bytes checksum to the files, or (2) add 52 bytes for "general virus removing". Both are bad ideas, DON'T USE THIS POSSIBILITY. > Person say that on march 6 is going to be a virus that no exist a anti > virus yet .I would like to know more about that. Nonsense. What everybody is talking about is the Michelangelo virus, which will activate its destructive payload on March 6. The recent versions of most well-known scanners/removers are able to detect and remove it. F-Prot 2.02d, CLEAN 86-B, Dr. Solomon's Anti-Virus ToolKit 5.54 all can remove it - I have tested this personally. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 26 Feb 92 12:40:53 +0100 >From: Martin_blas Perez Pinilla Subject: Re: Possible virus? (PC) ZEM0%ARGCNEA2.BITNET@BITNET.CC.CMU.EDU writes: > In some programs I see this word 'MSDOS' and i do not if that is a > virus all the progrmas that has that , has 5 byte more I know that if > we immunize a program, is going to have 5 byte more, but when i run Some "antivirus" programs add the 'MSDOS' signature as "vacunation" against the Jerusalem virus. This is absolutely useless (even for Jerusalem). Wipe the "antivirus". > understand that. i would like to know if is good to immunize programs NO. Change programs is a bad idea (see Vesselin's messages in previous issues of VIRUS-L). > When i immunize a program with the tnt and after i run scan ,say that > i have the ohio in memory i would like to know aslo if SCAN immunize > porgram and if it is good and also when i immunize i have 5 byte more? (a) Wipe TNT. (b) Possible false alarm, but don't trust. Boot from a clean floppy and SCAN with the /M option. (c) SCAN/AV adds a 10-byte CRC. No good (see above). > Person say that on march 6 is going to be a virus that no exist a anti > virus yet .I would like to know more about that. The Michelangelo. Can be detected and eliminated with SCAN 85. Regards, - -mb M.B. Perez Pinilla | mtppepim@lg.ehu.es | Write 10^6 times: Departamento de Matematicas | "I'll never waste bandwidth" Universidad del Pais Vasco | SPAIN ------------------------------ Date: 26 Feb 92 13:07:54 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Quick way to check for Mich on PC's (PC) russur@convex.com (Russ Urquhart) writes: > In either case, is there a quick way to determine if the PC's in my > group have been infected with Michelangelo? Some memory location? > SOmething I can check. It depends what you are able to check... Do you know how many users cannot make the difference between a boot sector and a master boot sector? Well, in general, look at your master boot sector, or at the boot sector of a non-write protected diskette. If you don't see any plain text messages, this is already suspicious... > I tried someone's suggestion of fdisk /mbr, but since we have Dos 3.3, > this didn't have any effect! Right, you need version 5.0 for that. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 26 Feb 92 13:17:05 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: viruses in general-=help an565@cleveland.Freenet.Edu (Gregory Grosshans) writes: > Is it not true that checking on weekly or bi-weekly intervals for a > virus infection is not dangerous? It depends whether you are practicing safe computing or not. If you do, then checking a already scanned machine is usually unnecessary. You should only: 1) Check -very- carefully any new software that you get, regardless of the way you have got it (commercial or not). What "very carefully" means, depends on what you are able to do. For me it is inspecting some vital places of the diskette (the boot sector, the last sector of the root directory, the first copy of the FAT, the last sector of the diskette) with a sector editor; inspecting some vital areas of the executable files (their beginning, their end, the beginning of thesion of their favourite scanner on it. 2) NEVER leave a diskette in drive A: while the machine is rebooting. It is easy to forget one there; but you just must get the habbit to remove all diskettes from the drives as soon as you have finished copying to or from them. Or at least to open the drive door. 3) Run a checksummer often enough - say once per week. Do this only after having booted from a non-infected write-protected system diskette. 4) Use some kind of simple virus prevention tool, like Padgett's utitlities or the ShrDog program (available from our ftp site). 5) Use a good backup scheme. This means keeping three sets of full backups and making a full backup once per week and an incremental backup every day. If you follow the above steps, you don't need to scan for viruses on every reboot and will probably catch a new virus, if one appears. > Does anyone know how long it takes for a "new" virus to enter the > market (public domain) after the latest anti-virus software package is It depends on the virus. If it is a bad infector (non-resident, overwriting, with a visible payload, etc.), it will probable never spread. Otherwise, it can get spread very quickly, since there exist several virus exchange BBSes around the world, which are used by the hackers to swap viruses. This way it is relatively easy for a malicious person to obtain a new virus and to infect your system... I have observed something like this myself - the DataLock virus, which originated somewhere in the States, was find in the wild in Bulgaria even before I got a copy for my virus collection from the other anti-virus researchers... :-( > released (i.e. do the virus-writers wait until the latest anti-virus > software is released before they come up with a new virus)? No, they usually don't do this, since (thank goodness), the different anti-virus software is updated on different dates. > Methods of virus infection, or types of virus infection, can include: > boot sector, .EXE and .COM files, device drivers. Are there any You forgot the master boot sector and the .BAT files. > others that I'm missing? Can non-executable (i.e. data files) be No. Non-executable files cannot spread a virus. The problem is that a lot of things that you usually don't consider as being executable, are executed or interpretted by the computer. This includes .OBJ files, libraries, sources of programs in any programming language, macro files for several packages (MS Word, Lotus 1-2-3, etc.), and so on. All those objects are potential virus carriers, although some of them are quite difficult to infect, and won't help a lot to spread the virus. > infected with escape character sequences, etc? Theoretically - yes. In practice, I have seen several trojan horses, implemented in this way, but no viruses. Anyway, there is a simple cure for that - just disable the ability of your ANSI driver to reprogram the keyboard. > Any information is greatly appreciated! Hope the above helps. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 26 Feb 92 14:58:17 +0000 >From: Vera Marvanova Subject: Possible virus? (PC) Please could someone tell me, if such a behavior of computers could be caused by a virus? In two computers (386-SX AND 386 - 33) after some time of operation suddently all look like CAPS LOCK would be touched. All letters changes to upper case. After "SHIFT" all is O.K., but after some time this appears again. Scan86b shows nothing. Any help is appreciated! Many thanks in advance. Vera Marvanova VM at CSPGIG11 Geophysical Institute Praha Czechoslovakia ------------------------------ Date: 26 Feb 92 13:49:28 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: What does Ping Pong B virus do? (PC) wales@CS.UCLA.EDU (Rich Wales) writes: > What does the "Ping Pong B" virus do to a system? > A friend of mine got "Ping Pong B" on her PC from another system via a > floppy. She asked me for help after she was no longer able to run > WordPerfect (4.2 or 5.0). (The following information should probably be mentioned in the FAQ.) Please, when reporting a virus infection, be as specific as possible and report as much information as you can. Especially: - The name of the virus; - The name of the program that detected it; - The version of the program that detected it; - Any other anti-virus software that you are running and wether it has been able to detect the virus or not, and if yes - how did it call it; - Your software and hardware configuration (computer type, kinds of disk(ette) drives, amount of memory and configuration (extended/expanded/conventional), TSR programs and device drivers used, DOS version, whether it has been loaded high, etc.) (End of the introductory FAQ info. Now let's go back to the virus.) There are about 7 different variants of the Ping Pong virus. I don't know what "Ping Pong B" means exactly in your case, but I suspect that it was SCAN who reported it. And SCAN is very unreliable when reporting virus names, so the only thing that is certain is that the disk is really infected, and probably by one of the Ping Pong variants. None of the known Ping Pong variants is intentionally destructive. One of them (sometimes called Typo) introduces spelling mistakes when you are printing a file. The others display a bouncing ball (ASCII 7, one of the variants uses ASCII 4) on the screen, when certain conditions are met (a tiny time window, which appears once in about 30 minutes, combined with disk access). The virus is a boot sector infector (-unlike- Michelangelo, which is a MASTER boot sector infector), allocates a cluster, marked as bad, where it stores its second part and the original boot sector. Most variants of the virus do not run on a 80286 or above, because they contain an illegal instruction, but at least one of the variants has this bug fixed. I have no ides why the virus causes WordPerfect to stop working. It can sometimes hang DOS 3.30, however. Ah, and it does not infect DOS 4.x and above volumes. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 26 Feb 92 14:06:56 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Will Write Protection Prevent Virus Infection? (PC) gt1280b@prism.gatech.edu (ELGHARIB,HESHAM MOHIEDDIN ABOBAKR) writes: > If I set the attributes of all the executables, overlays, and COM > files in my hard drive to be read-only, will this reduce the chances > of getting virus infection? This will stop only very few and very simple viruses. Most of the existing ones will easily get around this kind of "protection". > I understand that viruses usually get transmitted by modifying these > files. And since these files are rarely required to be read-write, > (maybe during the installation only) I do not think that the > applications would mind setting the attributes to read-only. A very reasonable assumption. Unfortunately, in Messy-DOS it is equally easy to switch the ReadOnly attribute on and off. If you can turn it on, a virus can turn it off, infect the file, then restore the previous state of the attribute. In fact, most viruses do exactly that. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 26 Feb 92 14:53:26 +0000 >From: jgunders@copper.denver.colorado.edu (James P. Gunderson) Subject: mutated FORM? (PC) At the University of Colorado Denver we have run across an interesting situation. On a routine scan of a users disk, we found FORM in memory with no detection on the disk it self. After making a disk copy of the disk (5 1/4 HD formatted at 360K) we again scanned. No image on the disk, but the machine was reinfected. I then took a machine and completely cleaned it, booted from a clean, write-protected floppy, and rescanned. The machine was clean. I scanned the 'suspect' disk; it was clean according to both f-prot202d and scan86b. After several accesses, (not booting, just dir, and running command.com) a scan of the machine showed FORM in memory. What gives? Needless to say, any help would be appreciated. No signature, just a name. JIM ------------------------------ Date: 26 Feb 92 15:04:06 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Question on Michelangelo Date-Trigger (PC) TENCATI@NSSDCA.GSFC.NASA.GOV (NSI Security Manager +1-202-434-4541) writes: > This question may have been asked/answered already, but does merely > setting the system date ahead on the 5th (to the 7th) cause the > trigger mechanism never to go off? No. The trigger mechanism will go off the next March 6 (after one year) too. "Never say never"... :-) > It would seem that if true, as an interim measure until all systems > could be scanned, that the systems just be set so that Friday, the 6th > of March never comes.... Yeah... And on March 13 (Friday) the Jerusalem virus (a quite widespread one, maybe more than Michelangelo) will delete files. And on March 15 the Maltese Amoeba virus (quite widespread in the UK, but also in other places in the world) will destroy your hard disk... Are you going to change the date in these cases as well? Not to forget the few hundreds other viruses, which cause destruction every day, every hour... Some of them are -very- widespread (Dark Avenger). Are you going to turn your computer on at all? No, you must take proper anti-virus measures. Not because one silly virus happens to activate in a few days, but because computer viruses do exist and because the -are- widespread. You -must- take those measures -now- and not wait till the next panic, or rely on changing the system date. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 26 Feb 92 05:53:01 +0000 >From: Norman Paterson Subject: Re: Disinfectant 2.6 (Mac) I've been having trouble running Disinfectant 2.6 on an Apple Quadra. There are several other applications that might be involved, including TELNET 2.4 and CAP/AUFS. Symptoms include crashing during hard disc scan with "unimplemented trap" error and sporadic unmounting of file server volumes. Has anyone else come across this? The Quadra seems to have a number of peculiarities. Norman Paterson ------------------------------ Date: Wed, 26 Feb 92 13:00:43 >From: "" Subject: Amiga Virus ? (Amiga) I have a A500 with 1.2 Kickstart, 512 Kb memory extension and i have the following problem : When a normal bootable and readable disk is inserted during a CLI/WB session *sometimes* the bootblock is filled with zeroes. I suspect that for this to happen some command/command sequence must be executed. Also if I try to repair the Bootbl. with SECTORAMA for example, the write is trapped and the bootblock gets filled with zeroes again. this does'nt happen when I boot from a 'Clear' disk. I frequently use ARPDos1.3 with CONMAN 1.1 together with MESSYDOS for MSDOS file transfers. It never tried to kill any MSDOS disks. ------------------------------ Date: 26 Feb 92 15:11:57 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Virus Calendar ROY@mvax1.me.liverpool.ac.uk (Roy Coates) writes: > I am compiling a 'calendar' of signifcant dates with respect to PC > viruses. I figured that this could be a handy tool in helping to > prepare for possible outbreaks. the response so far from the UK has > been good with people sending both dates, and requests for the > finished list. First, the idea is not new. One of our students, Morton Swimmer, has already compiled such a callendar. It is published by perComp Verlag, Hamburg, and costs about 20 DM. For more information, ask Guenter Musstopf, perComp Verlag GmbH, High-Tech-Center, Holzmuehlerstrasse 84, 2000 Hamburg 70, tel. +49-40-6932033, fax +49-40-6959991, e-mail percomp@infohh.rmi.de. The calendar contain three different kind of red spots on some dates, indicating different level of damage, caused by some viruses. A very limited virus subset is used (limited, compared to the number of existing variants), but there are more days with red spots, than days without... Second, a cross reference by activation date exists in Patricia Hoffman's VSUM document, but it is by no means exchaustive. Hope the above helps. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 26 Feb 92 02:05:11 +0000 >From: rslade@sfu.ca (Robert Slade) Subject: Re: Houston Chronicle, Edmonton Journal and the media in general At the recent DECUS Symposium in Calgary, Ray Kaplan made an interesting point in this regard. He suggested that the media, particularly the "news" media, works on "spikes" in the signal: the unusual and out of the ordinary. The rise of the computer virus problem has been rapid, but consistent (as opposed to the "cracker" problem, where a new "team" or a big break-in makes the news). The "signal" has therefore been on a steady and steep rise, but hasn't had many "spikes" to trigger the media. I was on the local CBC morning show yesterday, and tried the theory out on them. They figured it was about right. ============= Vancouver | Lotteries are a tax Institute for Robert_Slade@sfu.ca | on the arithmetically Research into rslade@cue.bc.ca | impaired. User CyberStore Dpac 85301030 | Security Canada V7K 2G6 | ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 45] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253