VIRUS-L Digest Tuesday, 3 Mar 1992 Volume 5 : Issue 53 Today's Topics: Re: New virus????? (PC) New virus SLOVAKIA 3.00 (PC) Re: What does the Tequilla virus do? (PC) Re: What is the best way to protect against Michelangelo (PC) Re: Which Package is Best? (PC) Re: Who knew his Birthday? (PC) FDISK/MBR (PC) Viruses and Operating System Manufacturers (PC) Re: Problem with McAfee CLEAN against the FORM virus (PC) Michaelangelo and Stoned (PC) a question re PKLITE and LZEXE (PC) Michaelangelo (PC) Michelangelo on Nightline and thank you for information (PC) Question about TP44 (PC) Need info on No-Int (Stoned) virus (PC) Shipping Michaelangelo (PC) Vshield and OS/2 (PC) (OS/2) Antiviral features in operating systems? VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 03 Mar 92 11:51:46 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: New virus????? (PC) jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes: > jaflrn!jaf@uunet.UU.NET (Jon Freivald) writes: > : bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > : > : > diaz@leland.stanford.edu (Kathy Diaz) writes: > : > > : > > I have a question it seems that I have come across some sort of virus. > : > > My Dos Machine has in every directory a file called aux. It seems also > : > > : > I don't know how exactly have you managed to "find" this "file". On > : > the previous DOS versions it usually appeared when you execute > : > Norton's FileFind and look for aux*.*. Unfortunately, I'm using MS-DOS > : > 5.0 right now, so I can't confirm this. > : > > : I'm also running MS-DOS 5.0 -- if I do a "dir aux" (or com1, com2, prn, > : lpt1, etc) I see a 112 byte file no matter what directory I'm in. Yes, > : these are just the reserved names showing up, but you can see them > : indeed! > I find this thread a little confusing. I also am running MS-DOS 5.00 and > when I do "dir aux" or "dir aux*.*" I get told "File not found". Oops, I forgot to state something important. Mea culpa. I am using NDOS 6.01 (roughpy equivalent to 4DOS 3.30 with some bugs fixed and other brand new ones introduced) as command interpretter. So, to be clear: 1) You will NOT see the AUX file, if you do DIR AUX*.* 2) You will NOT see the AUX file, if you do DIR AUX and your command interpretter is COMMAND.COM. 3) You WILL see the AUX file, if you do DIR AUX and you command interpretter is 4DOS (or equivalent). You will also see the file, if you perform a directory search for a file named AUX (no wildcards!) with SOME file managers or file finders. 4) You WILL see the AUX file, if you scan for a file named AUX. (note the point) with Norton Comander or FileFind (from Norton Utilities 6.01). Is it clear enough? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Tue, 03 Mar 92 10:02:38 +0700 >From: Milan Mancel Subject: New virus SLOVAKIA 3.00 (PC) At our university (Slovak Technical University in Bratislava) we have discovered a new virus. Its name is SLOVAKIA version 3.00. This virus is non-resident infector of EXE files and its only activity is infecting files. Sometimes it will display a message. When a program infected with Slovakia is executed, it will infect one EXE file. First of all virus will search the current directory. If no suitable file is found or current directory is root (\), virus will search directories along the system path. Infected files will increase in lenght by 2000 to 2200 bytes and the last four bits of length are set to 1101bin. Virus remains inactive in infected program ten days or till the end of the month. Slovakia is encrypted. The decryption code has eight mutations and the only suitable string for identification is 'E8 B9 07' (you can try 'B? 03 00 5?' or 'B? B7 07' too). Suitable file for infection must meet some criteria: - length is between 4500 and 262143 incl. - name doesn't begin with letters SC, CP, NO, DC, AS, PK, TN, LH (for example SCAN, CPAV, ASTA, NOD, TNT ...) - last four bits of length different from 1101bin. Slovakia will not infect any file if exists directory C:\SLOVAKIA on your disk. Since March 1992, from time to time, but only on Monday, Wednesday or Friday virus will display the following message: "SLOVAKIA virus version 3.00 (c) 1991-1992 by??. All Rights Reserved. Greeting from Bratislava, SLOVAKIA. Type the word SLOVAKIA : ........" Now you must type SLOVAKIA. Next message is displayed if you are four times wrong: "Type word SLOVAKIA, not CZECH, YUGOSLAVIA or SLOVENIA !! Press Esc." If you want to remove Slovakia, you must delete infected files. If you don't want to delete files you must make directory SLOVAKIA in the root directory on disk C:. Then virus will be inactive. Slovakia has its own Critical Error Handler and will not display message "Critical Error" when trying to write on locked disk. If you try to debug Slovakia, you must run part of code with full speed, because virus has two time checks. Regards, Milan. ----------------------------------- Milan Mancel Slovak Technical University Bratislava, CSFR mancel@elf.stuba.cs EUNET mancel@cspuni12.bitnet BITNET/EARN mancel@aci.cvut.cs INTERNET ----------------------------------- ------------------------------ Date: 03 Mar 92 12:15:54 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: What does the Tequilla virus do? (PC) fredrick@acd.ucar.edu (Timothy Fredrick) writes: > Does anyone have any experiences or comments about the Tequilla virus? Yep... :-) > Does it have a trigger date? Not a date. It has a trigger time. Some time after it has been loaded in memory, it displays a rough fractal image, using text mode and pseudographic characters. I have to admit that I have never seen the image personally. The virus causes another damage. If it finds a file, to which a SCAN checksum is appended (using the /AV option), it will remove the checksum. This is done always and does not depend on any date or time. > How does it spread? When you execute an infected file, it will infect the master boot sector of your hard disk. When you boot from an infected hard disk, the virus will install itself in memory and infect EXE files as you execute them. > Are there any machines or operating systems that are "immune"? Yes. Those without a hard disk. > How long has the virus been around? About a year. > Is it a particular problem in Belgium or has it > been more prevalent here? It is a particular problem in Western Europe. It has been created by two kids in Switzerland. Their father was (is?) a shareware distributor, and they managed to (unvoluntary) infect his diskettes. That's how the virus got a large initial distribution. > Any information would be appreciated. Hope the above helps. > I guess the publicity over the Michelangelo virus is helping us to > ferret out the other ones. Yeah, the whole Michelangelo panic is, of course, silly, but at least it has some good implications. Like forcing the users to actually take some anti-virus measures. Or at least check their computers with a scanner... > Thanks in advance. You are welcome. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 03 Mar 92 12:31:08 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: What is the best way to protect against Michelangelo (PC) MILLER_C@PLU.BITNET (OLD FOGIE) writes: > already been answered, but... What EXACTLY is the best way to protect > against the Michaelengelo virus? I have SCAN and CLEAN and I also use The best way to protect against this particular virus (and any other boot/master boot sector infectors) is to never ever try to boot from a floppy. That is, be careful not to forget a diskette in drive A: when you are booting your computer. It doesn't matter whether the diskette contains DOS or any executable files. As to the other viruses, the best way to protect against all of them is to never use new software... Unfortunately, this is quite unrealistic, so you have to do a lot more inconvenient things, like practicing safe computing and using anti-virus tools (integrity checkers, scanners, etc.). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 03 Mar 92 12:43:15 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Which Package is Best? (PC) RADAI@HUJIVMS.BITNET (Y. Radai) writes: > Note 1: As opposed to most "quick checks" and "Turbo modes", UT's > quick check is performed in such a way that for all practical purposes > there is no loss of security, *regardless of how the virus infects*.) Regardless?! Hmm, it's a little bit hard for me to believe that... I'll discuss this with you in private. > Note 2: UTScan's speed is not decreased by addition of more viruses. You probably mean that the spead is not decreased proportionally to the number of viruses added. I hope you won't claim that if you add 100,000 new virus signatures, the program will run at -exactly- the same speed... :-) > I don't know how good the IM scanner rates, but according to the Feb. > issue of the Virus Bulletin (p. 23), Ver. 19.04 of the UTScan compo- > nent of UT detected 73% of the viruses in their "standard" set and 81% > in their "acid" test. According to my own tests, the program Unvirus 2.0, part of V-Analyst III (which, as far as I understand, is equivalent to the UT), detects about 60 % (maybe slightly less) of our virus collection. But, this includes every virus we have been able to get a copy of (even the one that arrived yesterday), not a standard set, or a set of the most common ones. Unfortunately, I didn't have the time to test the IM's known virus scanner. > Now these percentages are relatively low (although I think they > would be considerably higher if only commonly occurring viruses were > used in the comparison). I agree with both statements. > But how important is this factor in the case of Untouchable? Quite important, IMHO, although not as much as for a user, who depends entirely on KVS. > and such a low percentage could not be tolerated. As for IM, it is > generic with respect to detection, hence a KVS is not needed to detect > the fact that infection has occurred. Correct, but you have to ensure that you are installing the integrity checker on a clean (non-infected) system. Do you know a better way to ensure this than to scan for known viruses? (I -know- that this is not a good solution, but do you know a better one?) > However, IM can *restore* files > only if they are infected by viruses which it *specifically recogni- > zes* (assuming backups are not available), hence a KVS is just as > necessary for IM as for those who use a KVS alone. No. In fact, IM (and any integrity checker) does not need to restore the infected files at all. I don't know why it does it; it is not necessary. There are plenty of good backup/restore programs on the market. One (a rather bad one) even comes with DOS. Everything an integrity checker has to do is to detect changes, and to do this fast, secure, and conveniently. UT is more secure than IM and that is all. > In fact, IM is > even *more* dependent on a KVS, for (like all programs based on modi- > fication detection) IM must ensure that the files and boot records are > uninfected when checksums are initially computed. I fail to see why UT does not need this. > On the other hand, UT performs *generic restoration* of files and > boot records, hence it requires a KVS only for the second purpose, not > for the first. Unfortunately, the generic restoration is a bad idea, which does not always work. IMHO, it is even worse than virus-specific disinfection. OK, I agree that at least UT will not try to disinfect a file incorrectly, but still the best solution is to use a backup/restore program. > With UT, a KVS need be performed on a given file only > once, namely before it is added to the checksum database (or is re- > placed by a new version of the file). The same goes for IM. > records are uninfected by using SYS and FDISK/MBR. Moreover, if some > files happen to be infected by an unknown virus when their checksum is > first computed, that fact will be detected as soon as the virus in- > fects other files. Not necessarily. Consider a Lehigh-type virus. Or a virus, which infects only -one- object on the hard disk and then every executable file being created or modified. Some of the existing viruses already do that, we won't wait long until we see viruses, which attack checksum-based defences. And don't forget that the generic disinfection will simply not work, if the file has been previously infected. > So the number of viruses recognized is less impor- > tant for Untouchable than for almost any other type of anti-viral > software. More exactly: the number of viruses recognized is less important of integrity checkers than for the virus-specific software. Both UT and IM are integrity checkers. What really matters for the integrity checkers is their security, and UT is more secure than IM. I hope that the author of IM will soon fix the small loopholes in this product. > (Nevertheless, because of criticisms of its low scanning > percentage, I am told that the next version of UTScan will detect many > more viruses than the present one; in fact, the version I have (21.00) > is already considerably improved.) I'll try to help you about that, as far as I can. > Summary: UT performs generic disinfection of files; IM does not. But this is not so important. To put it in another way: BACKUP/RESTORE can restore an infected file in 100 % of the cases, when it has been applied before infection. UT can't. > Untouchable is faster than IM, especially with respect to their known- > virus scanners. But this is not important! The important is to compare the checksum checking speed. I understand that UT is fater than IM in this case. Am I right? > IM's scanner probably detects more viruses than UT's, > though I don't think that's as significant as most people assume it > is. Right. > I'd be glad to hear what you think UT misses. I'm willing to bet that > there are a couple of types of potential viruses that IM misses. You are right... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 03 Mar 92 13:15:42 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Who knew his Birthday? (PC) MICKEY@UKANVM.BITNET (Mickey Waxman) writes: > Here we don't celebrate Michelangelo's birthday and I doubt > anybody here would have known the signif of 6 March. Is it different > in other places (Italy?)? > For history's sake ... did the disassembler(s) who named this virus > just happen to know this was M's birthdate or was there maybe some > input from the virus' author as to its significance? He just happened to know the date. BTW, does anybody know who exactly named the virus like that? My own theory is that March 6 was the date of the creation of the virus (recall that it has been detected in April 1991). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Tue, 03 Mar 92 08:23:49 -0500 >From: James_Williams%ESS%NIAID@nih3plus.BITNET Subject: FDISK/MBR (PC) I have seen the command FDISK/MBR mentioned in various messages recently. I have scanned all of my DOS 5.0 documention and find no mention of it. Hence, I have three questions. 1. Is this simply the DOS FDISK command with a /MBR option, or is this some special program? 2. Where is it documented? 3. When it builds a new MBR, does it have any affect on the information on the rest of the hard disk? - -------------------------------------------- | James Williams | | Bitnet: JWW%ESS%NIAID@NIH3PLUS.BITNET | | Internet: JWW@ESS.NIAID.PC.NIAID.NIH.GOV | | CompuServ: 70304,2462 | - -------------------------------------------- ------------------------------ Date: Tue, 03 Mar 92 09:19:46 -0500 >From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Viruses and Operating System Manufacturers (PC) >From: "Mark W. Schumann" >padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes: >> Incidently it takes a whole 10 (decimal, not hex) generic bytes at >> BIOS time to detect every MBR infector I have seen thusfar (including >> Brain, Yale, Evil Empire, Stoned, Joshi, Michelangelo, and all their >> cousins). "Stealth" just makes it easier. When are the O/S >> manfacturers going to wake up ? >Is it practical to include virus protection in an operating system? Boy am I glad you asked: not only is it possible, given the viruses we have seen thusfar, it is downright easy ! - maybe not to get 100% protection, but certainly to eliminated at least 1000 viruses including ALL the common ones right off the mark. Ted Coppel asked this question on Nightline last night and it did not get answered by the experts surveyed (they did not ask me though). For example, it is MORE difficult to detect viruses from outside the operating system than from inside & I have found it bl**dy easy to find all that I have seen from the outside. Generically. Item: every .EXE header contains a field for CHKSUM information yet the only known use has been for some viruses to store their this-program-is- already-infected flag. Item: my SafeMBR code (Freeware) detects every MBR infector known - Brain, Yale, Stoned, Azusa, Merrit, Aircop, Empire, etc, etc, etc, and including Michelangelo, and takes fewer butes than Michelangelo to do it (had to be compatable with overwriting controllers). Item: my SafeFBR (Freeware) code does the same thing for every known Floppy Boot Record Infector known (am working on a bootable version and a fixed disk boot record now but are not Ready for Prime Time - remember, this is not what I get paid for). Of course, the real place for this kind of checking is in IO.SYS (IBMIO.COM) - can use the same code there but I have to work with what I have. (BTW all of these programs seem to weork with every DOS from 2.0 - 5.x - have deliberately avoided the "undocumented" interrupts though they would have made life easier. Item: my NoFBoot (Freeware) would eliminate 99+% of all accidental floppy reboots that spread most MBR and BSI viruses. - only one of this series of my programs mentioned that "goes resident" (TSR) and takes up a whole 512 bytes (max.) Item: my CHKMEM can catch nearly every virus that goes resident at the TOM (just below the 640k boundary) - based on the "flawed" Six Bytes but handles nearly all of the "stealth" viruses (do not have the 1963 so haven't tested that one). (Am I starting to sound like a fanatic ? - move over Mr. Janney) Point is that not a single one of these programs has any idea what a virus is. What they do know is what the "envelope" of the IBM-PC architecture is and check for & prevent deviations. Now these will not remove the necessity for anti-virus technicians armed with professional grade tools. However, they will provide warning and their installation utilities will remove those viruses causing over 50% of all reported infections. What they will do is to detect such infection immediately so that you know that *something* has happened. Since viruses rely on invisibility to multiply and become widespread, this IMHO should stop them. It will not wipe out viruses, but it will take care of the current crop and make future ones considerably harder to write. It may not be the *one true answer* but it will take care of the Michelangelo today. Hotly, Padgett padgett%tccslr.dnet@mmc.com Obviously my own opinions ------------------------------ Date: 03 Mar 92 15:05:59 +0000 >From: acd!fredrick@ncar.ucar.edu (Timothy Fredrick) Subject: Re: Problem with McAfee CLEAN against the FORM virus (PC) mmeijer@accucx.cc.ruu.nl (Maarten Meijer) writes: . We - at the Academic Computing Centre of Utrecht University (ACCU), . the Netherlands - have tried to remove the FORM virus from several . hard disks using McAfee's CLEAN version 8.3B86. All disks were larger . than 60 MB, formatted with DOS 5.0, some with one large partition, . others with multiple partitions (C:, D:, etc.). CLEAN always reports . removal of the [FORM] virus, but in the meanwhile it often destroys . the boot sector of partition C:, making the partition unreachable at . the next bootstrap. Although the FORM virus puts the original . bootsector at the end of the hard disk, CLEAN isn't able to find it. . It seems quite simple to locate the original bootsector at the very end of . the hard disk. Why then do both these programs not succeed? We had the same experience with the Tequila virus [Teq]. I had to use Norton Utilities' Disk Doctor (from v6.01) to rebuild the bootsector and partition table. What do people without Norton Utilities do? Is there a way to find out if clean is going to destroy the boot sector before it actually does the damage? (we simply executed the command "clean c:"). Thanks. --Tim Fredrick (fredrick@ncar.ucar.edu) Ntl Center for Atmospheric Research, Boulder, CO 80307-3000 ------------------------------ Date: Tue, 03 Mar 92 10:23:02 -0500 >From: Brian Seborg Subject: Michaelangelo and Stoned (PC) There is an interesting problem with certain virus packages which take advantage of knowing the characteristics of specific viruses to perform their clean up. For example, a collegue of mine recently called me and told me that he had just used McAfee to rid a machine of the Michaelangelo virus. Upon re-scanning the machine, Scan reported that the machine was infected with the Stoned virus. When my collegue tried to clean the Stoned virus with McAfee he couldn't. Why is this, he asked me. I felt that the answer may be of interest to some of you and so here it is: as most of you know, the Stoned and Michaelangelo viruses both use essentially the same spreading technique, that is they move the old MBR to sector 7 and place their own code in the 0 sector. Now imagine the following scenario, the Stoned virus infects a hard drive placing a copy of the clean MBR in sector 7 and its own code in sector 0. Next, this same machine becomes infected with the Michaelangelo, it places what it believes to be the clean MBR in sector 7, and its own code in sector 0. What has now happened is that Michaelangelo has taken the Stoned virus code and placed it in sector 7, effectively overwriting the clean MBR code which Stoned had previously stored there. Now, if I clean this machine with McAfee or any other virus cleaning program which strictly takes advantage of the characteristics of viruses this is what happens: First, since I know the virus is the Michaelangelo, I know that it (like the Stoned) has stored the old MBR in sector 7, so, instead of rebuilding the MBR I simply copy whatever is in sector 7 to sector 0. In this case this copies the Stoned virus code back into sector 0. I then rescan and find I now have removed the Michaelangelo virus, but now have the Stoned virus. So I repeat the procedure. I know that the Stoned virus stores the clean MBR in sector 7, so I copy whatever is in sector 7 back to sector 0. But, Stoned is in sector 7 so the computer will be re-infected with Stoned etc. etc. So you can see, virus software packages which use this technique have some real problems when it comes to multiple infections of boot sector viruses using the same tricks. Perhaps this provides an answer to the previous issues question about the FORM virus as well. Regards, Brian Seborg ------------------------------ Date: Tue, 03 Mar 92 17:24:16 +0700 >From: rajwan@brachot.jct.ac.il (yair rajwan (IBM lover)) Subject: a question re PKLITE and LZEXE (PC) i have a qustion: is pklite or lzexe change file and infected file? if yes: is there any program that clean the virus from the compressed file? - -- Yair Rajwan ------------------------------ Date: Tue, 03 Mar 92 10:32:58 -0500 >From: Brian Seborg Subject: Michaelangelo (PC) I know that some people have recommended setting your computer dates ahead so that one can avoid March the 6th altogether. Other than the good points not to do this brought up by Vesslin and others, there is one other reason not to expect this to work if your PC is connected to a network. Many networks specifically, Banyan, and I believe Novell as well, make sure that there is a consistent "network time" among all machines on the network. This is for logging purposes as well as other administrative reasons. On Banyan, I can set my PC date and time to anything, but when I logon to the network, the date and time in my PC automatically gets set to that of the network. I believe the same is true for Novell networks, but since I am not a Novell expert, someone else might want to confirm this. The date and time change affects the CMOS values so that the time change on the PC is "permanent" until I change it again. Therefore, if I set my date and time to avoid March the 6th and this is the only protection I use, then when I logon to the network on March 6th I could be in for a rude awakening! So, use virus scanning software, and use common sense, and don't set the time and date forward!!! It won't work well for networks. Regards, Brian Seborg ------------------------------ Date: Tue, 03 Mar 92 11:19:00 -0500 >From: Dan Sline Subject: Michelangelo on Nightline and thank you for information (PC) In case any of ya'll were not watching Nightline last night (Monday night) they did a special report on Michelangelo. It was a good special report. If any of ya'll want a description I will post one to you as soon as I can. Also, thanks to all of you who gave me information for my article, and it was a big success. Unfortunately, I could not get an copy on disk to post to the list. Thanks again, Dan Sline ------------------------------ Date: Tue, 03 Mar 92 10:58:00 -0600 >From: "Tim T. Preston" Subject: Question about TP44 (PC) Could anyone tell me anything about the TP44 virus? I had never encountered it before I found seven copies of the same virus on one machine. It seems to have infected all of the major executables on the hard drive and had made itself resident in memory. I used NAV to get rid of it, but I am still curious as to what TP44 does. /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ *To Be is To Do. * Tim T. Preston * * - I. Kant * Box 654 Buena Vista College * *To Do is To Be. * 610 West 4th Street * * - A. Sartre * Storm Lake, IA 50588 * *Yabbadabbadoo! * * * - F. Flinstone * INTERNET : PRESTONTIM@BVC.EDU * /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ ------------------------------ Date: Tue, 03 Mar 92 17:14:11 +0000 >From: evans@aplcen.apl.jhu.edu (Robert Evans) Subject: Need info on No-Int (Stoned) virus (PC) I apologize if this question is a FAQ, but I am posting for an anxious friend. With the Michelangelo scare, he has used SCANv86b, which has reported a virus found "No Int [Stoned]" and is wondering is the the strain to which Michelangelo belongs, or is it a different one? Also, if it is not Michelangelo... 1) What damage does it do? 2) How does it get activated? Again I apologize if this is a FAQ, but he is unfortunately a bit panicky :-) - -- - ----------------------------------------------------------------------- | Robert B. Evans | My opinions are MINE, MINE, MINE! | | | I'm a greedy little monster! | | (evans@aplcen.apl.jhu.edu) | ~ D. Duck | ------------------------------ Date: Tue, 03 Mar 92 14:00:03 -0500 >From: Charlie MOORE (703)425-5122 Subject: Shipping Michaelangelo (PC) For those of you keeping score on how many and what vendors have shipped the Michaelangelo Virus, add Intel. Below is a message (edited by me) that appeared on a technically oriented BBS in the Washington DC area--it triggered my queries. ________________________________________________________________ SUBJECT: Michaelangelo is Here!/? DATE: 03/02/92 Today I received a Fed Ex package from Intel. Here's part of what the enclosed letter said: "Dear LANSpool user, Like a number of commercial hardware and software vendors, we have been struck by the Michelangelo virus. We have discovered the Michelangelo virus on the 5 1/4 inch diskettes shipped with LANSpool 286 version 3.01 and LASNSpool 386 version 3.01".... They included a disk with a custom written utility to check for the virus, and a fact sheet about it. They also set up a toll free hotline 800-228-4561 to provide assistance with fighting it. They are also offering affected LANSpool customer's a free copy of LANProtect, their server based network virus protection (lists at $999)! The fact sheet provided with the letter said they estimated about 800+ disks were shipped. So, Intel, has sold a number of production, shrink wrapped software packages with the virus. ________________________________________________________________ Before posting this message, I called Intel for verification. Intel asked me to contact their public relations (PR) firm for further info. Their PR firm was remarkably straight forward with me--in essence they said this: We slipped up; we (Intel) and our disk duplicating contractor failed to keep our commercial anti-virus software [not Intel's own product] up to date and it failed to detect Michaelangelo (the master disk sent for duplication was infected and the disk-duplication contractor also failed to detect Michaelangelo). When I suggested that it might be especially embarrassing for Intel, since they also have an anti-virus product, I was told that Intel's anti-virus product was still in testing during this period and hence, not installed on their own systems. ------------------------------ Date: Tue, 03 Mar 92 07:54:59 -0500 >From: "Christine M. Bouchard" Subject: Vshield and OS/2 (PC) (OS/2) Hello I have a server running OS/2 connected to 25 work stations running DOS 4.0. I am running vshield on the work stations. Will Vshield run on my OS/2 server? Is there another virus protection program out for OS/2? Any help you could give will be greatly appreciated. Thanks in advance Christine - -- [ Christine M. Bouchard ] [ Christine@Merrimack.edu ] ------------------------------ Date: Tue, 03 Mar 92 09:18:28 -0500 >From: Kevin_Haney@NIHCR31.BITNET Subject: Antiviral features in operating systems? Mark W. Schumann asks the question "Is it practical to include virus protection in an operating system?" The answer is yes, not only is it practical but I think it is a gross deriliction of duty of operating system manufacturers not to have included even the basic antiviral features yet. DOS 5.0 doesn't contain any integrity checking or antiviral features--neither will OS/2 2.0 nor (probably) the workstation version of Windows NT. When DOS or OS/2 is booted, it could perform a simple check to insure the integrity of its essential components, including the partition table and boot sector, employing a secure cryptographic algorithm. Some DOS application programs do this now and it is even more important for an operating system to have this capability. Of course, someone would eventually write a virus to subvert such protection, but 95% of virus damage is caused by the 10 most common viruses today, e.g., Stoned, Jerusalem, Joshi. Protection against 95% of viruses is better than protection against 0%. I think the main reason operating system manufacturers haven't yet included security features in PC operating systems is that their customers (i.e., you and me) have not clamored for it loud enough, which I hope will change. If I was a corporate PC manager in charge of implementing a mission-critical application on PCs, and IBM or Microsoft came to me and tried to get me to base it on DOS or OS/2, I would refuse because of the total lack of built-in security features. And telling me that I could use an add-in security package wouldn't satisfy me because while that may work for me, only when a large percentage of the general PC computing population uses such features, as would happen if they were built into the base operating system, will the spread of virues begin to be curtailed. Organizations and PC users who entrust mission-critical applications to supposedly "advanced" operating systems have a right to expect built-in security and antiviral features. I hope PC users will begin to stick up for their rights. Kevin Haney, Computer Specialist Internet: khv%nihcr31.bitnet@cu.nih.gov ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 53] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253