From VIRUS-L@ibm1.cc.lehigh.edu Wed Mar 4 15:23:19 1992
Return-Path:
Received: from csrc.ncsl.nist.gov by brutus.ncsl.nist.gov (4.1/NIST) id AA01201; Wed, 4 Mar 92 15:23:17 EST
Received-Date: Wed, 4 Mar 92 15:23:17 EST
Received: from csmes.ncsl.nist.gov (MACBETH.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST) id AA29480; Wed, 4 Mar 92 15:22:08 EST
Organization: National Institute of Standards and Technology (NIST)
Sub-Organization: Computer Security Division
Posted-Date: Wed, 4 Mar 1992 14:52:52 EST
Received: from IBM1.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm)) id AA05727; Wed, 4 Mar 92 15:29:23 EST
Message-Id: <9203042029.AA05727@csmes.ncsl.nist.gov>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 6775; Wed, 04 Mar 92 15:14:41 EST
Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 8149; Wed, 04 Mar 92 15:13:37 EST
Date: Wed, 4 Mar 1992 14:52:52 EST
Reply-To: VIRUS-L@ibm1.cc.lehigh.edu
Sender: Virus Discussion List
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V5 #54
Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU
To: Multiple recipients of list VIRUS-L
Status: RO

VIRUS-L Digest   Wednesday, 4 Mar 1992    Volume 5 : Issue 54

Today's Topics:

Michelangelo down south (way down south!) (PC)
Re: F-prot and non-executable files (PC)
F-PROT shows - SBC virus? (PC)
Maltese Amoeba virus (PC)
Re: Will Write Protection Prevent Virus Infection? (PC)
List of Viruses and Effects??? (PC)
Re: exact damage of Michelangelo on 3-06 (PC)
Re: Michelangelo question (PC)
Michelangelo found - Symbol Technologies (PC)
Re: Possible virus? (PC)
DOS total memory check says we're infected but... (PC)
Re: Possible virus? (PC)
Re: mutated FORM? (PC)
another simple Michaelangelo question (PC)
Re: Kamikaze virus? (PC)
Re: Drug Rehad - Stoned (PC)
Will these find Mich?
(PC)
WARNING: MBDF-A can spread on Plus and SE using System 7 (Mac)
WARNING: Macintosh users of PC-emulators, beware of PC-viruses (Mac)
Bulk Erasers
Re: Manufacturing of software (GENERAL)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 03 Mar 92 12:08:42 -0500
From: garmenjm@arvx01.dnet.dupont.com (Jaime Garmendia)
Subject: Michelangelo down south (way down south!) (PC)

If anyone is keeping track of Michelangelo's geographical spread, it may be of interest to know that it has appeared in Argentina. I've found one of my group's computers infected, and apparently it has surfaced in several other sites in the country. I couldn't find the vector, but the machine in question is accessible to a large number of persons. Argentina is also a haven for pirates, so it is not surprising.

I used F-Prot 2.02D to detect it and clean it. Nice program!
Jaime Garmendia
DuPont Argentina

**Standard disclaimer: The above opinions are my own, etc, etc...**

------------------------------

Date: Tue, 03 Mar 92 12:17:32 -0500
From: David_Conrad@MTS.cc.Wayne.edu
Subject: Re: F-prot and non-executable files (PC)

In the VIRUS-L Tapio Keihänen writes:

(Note: Tapio quoted the following without any attribution:)

>We were using F-prot here and we noticed that it doesn't scan non
>executable files. This raises the question, can a virus hide in a
>text file, and then transfer itself elsewhere?

This is incorrect. In the "Scan" window select "Files:" and then select either "All files" or "". This is not normally necessary, however.

No, a virus cannot hide in a text file. The virus has to be in a file that will at some point be executed. There are some types of files, however, that are not normally checked by virus scanners, but can be infected. The .BGI graphics device driver files used by the various compilers from Borland Intl. contain executable code, and are, in fact, essentially overlays, but no virus scanner I've seen checks them by default. You can, however, tell all of the good ones additional extensions that you want checked. The good ones include F-Prot and McAfee's Scan.

Regards,
David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date: Tue, 03 Mar 92 16:44:17 +0000
From: next2.oit.unc.edu!akers@mcnc.org (Roger K. Akers)
Subject: F-PROT shows - SBC virus? (PC)

F-PROT 202D has indicated "SBC virus found" on a couple of machines. There is no info with F-PROT that describes an SBC virus. I noticed that there is information regarding an "SVC" virus. Is there an SBC virus? If so, where can I find a description of it? If not, why does F-PROT indicate that SBC is found?
Many thanks

Roger Akers
UNC - Chapel Hill

------------------------------

Date: Tue, 03 Mar 92 17:43:25 +0000
From: SYSTEM@engvax.picker.com (Dennis Leiterman)
Subject: Maltese Amoeba virus (PC)

In the March 2 issue of PC Week is an article about the Maltese Amoeba virus; its activation date is scheduled for March 15. Is there anyone that knows about this virus and what scanners are effective on it???

-----------------------------------------------------------------
| Dennis Leiterman                    | Picker International   |
| VAX System Manager                  | 595 Miner Road         |
| e-mail: leiterman@engvax.picker.com | Highland Heights, OH   |
-----------------------------------------------------------------

------------------------------

Date: Tue, 03 Mar 92 12:45:24 -0500
From: David_Conrad@MTS.cc.Wayne.edu
Subject: Re: Will Write Protection Prevent Virus Infection? (PC)

gt1280b@prism.gatech.edu (ELGHARIB,HESHAM MOHIEDDIN ABOBAKR) writes:

>If I set the attributes of all the executables, overlays, and COM
>files in my hard drive to be read-only, will this reduce the chances
>of getting virus infection?
>
>I understand that viruses usually get transmitted by modifying these
>files. And since these files are rarely required to be read-write,
>(maybe during the installation only) I do not think that the
>applications would mind setting the attributes to read-only.
>========================
>Hesham Elgharib

The subject should ask about "Marking Read-Only" instead of "Write Protection." Marking files as RO will stop only a very few very stupid viruses. Do not rely on it. However, it will stop those few viruses and will also stop the accidental deletion of any executables so marked. There's nothing wrong with doing it IN ADDITION to making frequent backups and scanning and checksumming your files.
The only program I've encountered which minds being marked RO is the Tempra paint program that came with my Paradise SVGA card, which forgets its configuration info, presumably because it can't open its executable to read it. Of course, any programs which WRITE to their executables will have to be marked Read-Write, at least while installing or configuring them.

As long as you remember that most viruses will just flag the file as writable, infect it, and then restore its attributes, there's no harm in obtaining this extra protection. But don't let it replace the other methods of protection. By itself, it does very, very little.

Regards,
David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date: Tue, 03 Mar 92 18:28:38 +0000
From: moore@iastate.edu (Brian J Moore)
Subject: List of Viruses and Effects??? (PC)

Is there a list of the known viruses and what they do anywhere? Not just "Michelangelo will destroy the disk" (like it says on TV), but when and what specifically does each virus do. I have one list like this, but it's pretty old.

Thanks,
Brian

--
 ________________________________________________________________________
/                                 /                                    /
/ Brian J. Moore                  / moore@iastate.edu                  /
/__________________________________/____________________________________/

------------------------------

Date: Tue, 03 Mar 92 09:41:00 -0800
From: "a_rubin@dsg4.dse.beckman.com"@BIIVAX.DP.BECKMAN.COM
Subject: Re: exact damage of Michelangelo on 3-06 (PC)

steve@lawton.lonestar.org (Steven Tucker) writes:

>Vesselin, have a quick question for ya. Regarding virii in general but
>perhaps the Michelangelo virus in particular (as it seems to be the
>most popular right now), one always reads about "booting from a clean
>floppy" and my question is this: If one boots from an infected floppy
>and then scans the disk (floppy or hard) will the memory-resident
>virus disable the scan program rendering it unable to detect the virus
>in question?
Michelangelo doesn't seem to make any attempt to hide itself on the disk (although it makes a primitive attempt to hide in memory). Many viruses, however, _do_ hide.

--
Arthur L. Rubin  216-5888@mcimail.com  70707.453@compuserve.com
arthur@pnet01.cts.com (personal)  a_rubin@dsg4.dse.beckman.com (work)
Beckman Instruments/Brea
My opinions are my own, and do not represent those of my employer.

------------------------------

Date: Tue, 03 Mar 92 18:15:21 +0000
From: mathews@kong.gsfc.nasa.gov (Jason Mathews - 514)
Subject: Re: Michelangelo question (PC)

VANCLEEF@MPS.OHIO-STATE.EDU writes:

>Does the Mich virus spread from executable files (such as the
>Jerusalem B virus)? In other words, can the virus be spread through
>distribution of executable files, or does it require a boot sector to
>be present to spread it?

In general, Michelangelo and the other boot sector viruses do not come from executable programs. Most boot sector viruses are spread by leaving an infected disk in the floppy drive, which activates the virus. However, some file-infecting viruses can contain a boot sector payload and copy it onto the boot sector (as does the actual boot sector virus). The trojan/virus copies the boot sector to where the boot sector virus will find it and copies the virus boot sector to sector 0. There has been no report of any program or virus doing this for Michelangelo.

Jason

-------------------------------------------------------------------------------
Jason Mathews                   | Mission Operations Division
NASA/Goddard Space Flight Center| Internet: mathews@kong.gsfc.nasa.gov
Greenbelt, MD 20771-0001        |           jason@phoenix.gsfc.nasa.gov
--------------------------------+ CPU time flies when you're having fun.

------------------------------

Date: 03 Mar 92 19:09:44 +0000
From: cbracy@lehi3b15.csee.lehigh.edu (Chris Bracy)
Subject: Michelangelo found - Symbol Technologies (PC)

Symbol Technologies Corp has confirmed that it has been distributing disks infected with the Michelangelo virus.
Chris.

------------------------------

Date: 03 Mar 92 19:52:01 +0000
From: bhollon@oucsace.cs.ohiou.edu (Brett Hollon)
Subject: Re: Possible virus? (PC)

rslade@sfu.ca (Robert Slade) writes:
> VM@CSPGIG11.BITNET (Vera Marvanova) writes:
>
> >caused by a virus? In two computers (386-SX AND 386 - 33) after some
> >time of operation suddenly all look like CAPS LOCK would be touched.
> >All letters change to upper case. After "SHIFT" all is O.K., but
>
> Actually, this is extremely common behaviour in MS-DOS machines in
> general. I have often had machines that would suddenly behave as if
> all the keys were "shift"ed, "ctrl"ed or "alt"ed. Some could be
> recovered, and some couldn't (at least I never found a way to do it.)
> None were virally infected.

I am no genius on the subject of viruses, but I feel you may have dismissed Ms. Marvanova's question too quickly. We here have also seen this problem popping up a lot lately (a great deal more than, say, a month ago). We have about 45 AT&T PC clones here (20 386s & 25 88s) and it seems to have hit the 88s first, then moved to the 386s. This makes sense as access to the 386s is more restricted.

Additionally, should we manage to isolate the thing, who should we send it to?

Thanks in advance.

""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
" bhollon@oucsace.cs.ohiou.edu " Purgamentum init, exit purgamentum "
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

------------------------------

Date: Tue, 03 Mar 92 20:21:26 +0000
From: jbs@rti.rti.org
Subject: DOS total memory check says we're infected but... (PC)

The local paper said CHKDSK without CONFIG.SYS or AUTOEXEC.BAT in place should show 653,312 bytes total memory if the machine has Michelangelo, and 655,360 if it does not. We have at least 2 machines at RTI which show 653,312 but are pronounced Michelangelo-free by the Norton and PCCSCAN programs we downloaded from CompuServe. What's the story?
Could something else cause the 2K to be missing, or could Norton or PCCSCAN be somehow missing Michelangelo?

-joe

------------------------------

Date: Tue, 03 Mar 92 20:51:57 +0000
From: st910856@pip.cc.brandeis.edu
Subject: Re: Possible virus? (PC)

This has happened to me on several occasions. Though it is possible that this is a virus, it is highly unlikely (also there are no known (at least by me) viruses that behave in this way). What will usually cause it is software that sets up weird things in the keyboard buffer. Some games will do it and I would assume that some other types of software would do that. So don't pull your hair out about it.

Mike Yalter

------------------------------

Date: Tue, 03 Mar 92 21:03:32 +0000
From: st910856@pip.cc.brandeis.edu
Subject: Re: mutated FORM? (PC)

It is very possible that you have come across an unknown variant of the "Form" virus. Though I don't know much about this particular virus, it would seem that the variant leaves the same signature in memory but not on disk. Suggestion: send it to McAfee or Vesselin. And I would also not trust any of those computers either.

Mike Yalter

------------------------------

Date: Wed, 04 Mar 92 10:08:00 +1300
From: PSYXSGP@otago.ac.nz
Subject: another simple Michaelangelo question (PC)

Having been unfortunate enough to tempt fate recently and reset the system date to March 6th .. and wipe out our hard disk with the Michelangelo virus .. I learnt my lesson, and now run regular checks. Today I discovered it (Mich) on the boot sector of our drive. Question is .. how does it get there? Was the file distributed originally as an infected boot sector .. or is there code which indirectly infects the boot sector?

--
Stephen Pearce, University of Otago, Dunedin, New Zealand.

------------------------------

Date: Tue, 03 Mar 92 21:13:25 +0000
From: st910856@pip.cc.brandeis.edu
Subject: Re: Kamikaze virus?
(PC)

I believe that F-Prot will also check for programs that SEEM to run like viruses, but that would not tell you you are infected but rather "This program is suspicious." Now, also, if you did not use Scan c: /A then Scan only checked EXE and COM files, and not all files including *.TPL. This might be the problem. Also the version of F-Prot you are using might have a bug in it. Many reasons.

Mike Yalter

------------------------------

Date: Tue, 03 Mar 92 15:30:25 -0500
From: James_Williams%ESS%NIAID@nih3plus.BITNET
Subject: Re: Drug Rehad - Stoned (PC)

Vesselin Bontchev writes:

>Two possibilities. Either get a better disinfector,

Which disinfector would you recommend? I thought that McAfee was one of the better.

>or (preferred) get a MS-DOS 5.0 system diskette (should be write
>protected). Go to every computer, boot from that diskette, and run
>FDISK /MBR. Should remove the virus without problems.

Most of the infected computers are running DOS 3.3; will using a MS-DOS 5.0 system disk and FDISK /MBR work on these computers?

--------------------------------------------
| James Williams                           |
| Bitnet: JWW%ESS%NIAID@NIH3PLUS.BITNET    |
| Internet: JWW@ESS.NIAID.PC.NIAID.NIH.GOV |
| CompuServ: 70304,2462                    |
--------------------------------------------

------------------------------

Date: Tue, 03 Mar 92 14:32:00 -0600
From: Bernadette Feyerharm
Subject: Will these find Mich? (PC)

Will F-prot 2.01 or vshield72 or scanv72 detect the Mich virus?

Bernadette

------------------------------

Date: Wed, 04 Mar 92 10:12:56 -0600
From: Werner Uhrig
Subject: WARNING: MBDF-A can spread on Plus and SE using System 7 (Mac)

Further investigation into the matter has revealed that the earlier posted information (that MBDF is inert on Plus and SE) applies only when using a System earlier than 7. On a Plus or SE running under an OS version 7.0 or later, the virus does indeed spread (I am told).
But there is no excuse for not having installed the latest version of some anti-viral by now even on a 512... ;-)

----
Internet: werner@rascal.ics.utexas.edu
BITnet: werner@UTXVM
UUCP: ...!uunet!cs.utexas.edu!werner
AppleLink: werner@rascal.ics.utexas.edu@Internet#
-----
He who will not reason, is a bigot; he who cannot is a fool; and he who dares not is a slave.  --- Sir William Drummond

------------------------------

Date: Wed, 04 Mar 92 10:32:43 -0600
From: Werner Uhrig
Subject: WARNING: Macintosh users of PC-emulators, beware of PC-viruses (Mac)

Macintosh users of PC-emulating hardware or software should be conscious and aware that they are threatened by PC-viruses (such as Michelangelo) and that as part of their emulation environment set-up it is HIGHLY RECOMMENDED to install some mix of PC-antiviral software.

Installation of anti-virals in your Macintosh System Folder may (MAY!!) protect your Macintosh partitions, but they are (probably) of little or no help when your PC disk partitions are attacked by PC critters.

If and when I have more specific information needed by the user community to protect from the threat of PC critters in an emulation environment running on a Macintosh, I will post such information here again.

----
Internet: werner@rascal.ics.utexas.edu
BITnet: werner@UTXVM
UUCP: ...!uunet!cs.utexas.edu!werner
AppleLink: werner@rascal.ics.utexas.edu@Internet#
-----
He who will not reason, is a bigot; he who cannot is a fool; and he who dares not is a slave.  --- Sir William Drummond

------------------------------

Date: Tue, 03 Mar 92 12:52:05 -0600
From: martin@datacomm.ucc.okstate.edu
Subject: Bulk Erasers

Using a permanent magnet to erase disks is not really a good idea. While the magnetic field definitely will destroy the data and formatting of the disk, it will not really erase the disk. The medium is left in a state of magnetization in which all the particles are either set to 1 or 0, so to speak.
Moving it around in a wiping motion will most likely result in a large portion of the media being magnetically oriented one way and another large portion oriented another way. When the disk spins, the effect on the head is like a very low frequency alternating current being introduced into the system.

The reason that an electromagnet is the best choice is that the field is in a constant state of flux, never staying the same magnetic orientation or intensity. As the disk is moved away from it, the fields become progressively weaker until they have no more effect. The end result is a magnetic medium with no magnetic orientation or bias on it, at all.

All the advantages of an electromagnet, however, are for nothing if you cut the power to it while the disk is within a few centimeters of the eraser. This will leave the disk magnetized just like a permanent magnet would have done. If you do accidentally turn off the eraser while using it on a disk, just re-erase that disk again properly to demagnetize it.

Martin McCormick  Amateur Radio WB5AGZ
Oklahoma State University Computer Center Data Communications Group
Stillwater, OK

------------------------------

Date: Tue, 03 Mar 92 20:53:20 +0000
From: s_fuller@iastate.edu (Steve Fuller)
Subject: Re: Manufacturing of software (GENERAL)

MOPURC01@ULKYVM.LOUISVILLE.EDU (Michael Purcell) writes:

> Can anyone respond to (a) How do software publishers tend to produce
>the physical disks -- in house or by contract to another business, (b)
>How is this software copied to the disks (xx thousands of copies), and
>(c) How often and what type of quality checks are being performed?

This is how software duplication was done at the small company I worked for this past summer. It is not an official policy or statement from that company.

a) We produced our own disks in house. Usually this was done by anywhere from one to three people in a duplication room.

b) The equipment used was made by a company called, I believe, Trace or Tracer.
It consisted of a dedicated UNIX box and a bunch of duplication units. When the programmers finished the program and were ready to duplicate it, they brought down a master disk for us to copy onto the UNIX box. One image for 720K disks and one for 360K disks. The machine was then programmed as to how many copies we wanted to make of each disk, and which tracing units each program was being duplicated on. If we had 10 duplication units hooked up to the system, we could use all of them to make one program, duplicate a different program on each unit, or any combination thereof. The disks were loaded into hoppers by hand after being labeled and counted. The run was then started and all we had to do was wait for it to finish and occasionally replenish the hoppers.

The majority of the disks are write protected straight from the disk maker itself. The copiers are able to copy the disk w/o worrying about the notches or tab positions.

The disks themselves were duplicated and then verified by the unit they were copied on. If a disk failed, it got chucked into a separate holding area from the good ones. The bad disks were sent back to the manufacturer for replacement.

As a side note, the particular machines we ran took 15 seconds to duplicate and verify a 360K disk and 30 seconds to do the same on a 720K disk.

c) As far as quality checks performed, there was the verification of the disk by the duplication unit itself. The company also made its own anti-viral software, so I am assuming that the masters were carefully checked, as were all of the machines that the programmers worked on, but I do not know this for sure. The company itself is small. Everyone knows everyone, so worrying about virii getting into the software is not an every day occurrence. There are also security badges that are required to be worn by everyone that works there.

> I'm sure that there are as many variations as there are companies,
>but I'm wondering what the normal practice is.
>Personally, I never
>trust any software with regards to viruses irregardless of the source.
>But it is frustrating to hear of these reports of Michelangelo being
>distributed via commercial software. Maybe it is time for the lawyers
>to test the laws concerning merchantability.

I hope that this sheds some light on what at least ONE company does in order to duplicate software...

---------------------=---------------------------------------------------
Steve Fuller          = Critics are like eunuchs in a harem. They know
Net.nerd              = how it's done, they've seen it done every day,
s_fuller@iastate.edu  = but they're unable to do it themselves.  B. Behan

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 54]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253
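The CHKDSK memory check raised in the RTI post above ("DOS total memory check says we're infected but...") is easy to automate and, as the poster suspected, easy to over-read. The following Python script is an added example, not part of the digest and not code from any of the tools it names: it parses the "bytes total memory" line from CHKDSK output and classifies the shortfall against the 2,048-byte gap the post gives (655,360 expected minus 653,312 reported). The CHKDSK outputs below are constructed, not captured from real machines, and the classification is a heuristic only: any resident code that lowers the BIOS top-of-memory figure produces a shortfall, so a 2K gap is a reason to boot from a known-clean, write-protected floppy and run a scanner, not a verdict on its own.

```python
import re

# Conventional memory a clean PC reports to CHKDSK: 640 KB.
FULL_CONVENTIONAL = 640 * 1024            # 655,360 bytes

# Shortfall the digest's RTI post attributes to Michelangelo:
# 655,360 expected minus 653,312 reported.
MICHELANGELO_SHORTFALL = 655360 - 653312  # 2,048 bytes

# CHKDSK prints the figure as e.g. "    655360 bytes total memory".
# An optional thousands separator is accepted because the post quotes
# the numbers that way.
_TOTAL_RE = re.compile(r"^\s*([\d,]+)\s+bytes total memory\s*$", re.IGNORECASE)


def parse_total_memory(chkdsk_output):
    """Return the 'bytes total memory' figure from CHKDSK output, or None if absent."""
    for line in chkdsk_output.splitlines():
        m = _TOTAL_RE.match(line)
        if m:
            return int(m.group(1).replace(",", ""))
    return None


def assess_memory(chkdsk_output):
    """Classify the conventional-memory figure CHKDSK reports.

    Verdicts:
      'unparsed'          no total-memory line found
      'full'              all 640 KB present
      'michelangelo-size' exactly the 2 KB gap the post describes
      'other-shortfall'   memory missing, but not that amount
    The check is only meaningful when CHKDSK is run with no CONFIG.SYS or
    AUTOEXEC.BAT loaded, as the post states; otherwise drivers and TSRs
    account for the gap.
    """
    total = parse_total_memory(chkdsk_output)
    if total is None:
        return {"total": None, "missing": None, "verdict": "unparsed"}
    missing = FULL_CONVENTIONAL - total
    if missing <= 0:
        verdict = "full"
    elif missing == MICHELANGELO_SHORTFALL:
        verdict = "michelangelo-size"
    else:
        verdict = "other-shortfall"
    return {"total": total, "missing": max(missing, 0), "verdict": verdict}


# Constructed sample outputs in the layout CHKDSK uses; not from real machines.
CLEAN_OUTPUT = """\
Volume SYSTEM      created Jan 01, 1992 10:00a

  21309440 bytes total disk space
     45056 bytes in 3 hidden files
    655360 bytes total memory
    594512 bytes free
"""

# The figure the post reports on the two RTI machines.
SUSPECT_OUTPUT = CLEAN_OUTPUT.replace("655360 bytes total memory",
                                      "653312 bytes total memory")

# A 4 KB gap: something resident, but not the size the post describes.
OTHER_OUTPUT = CLEAN_OUTPUT.replace("655360 bytes total memory",
                                    "651264 bytes total memory")


if __name__ == "__main__":
    for name, out in (("clean", CLEAN_OUTPUT), ("suspect", SUSPECT_OUTPUT),
                      ("other", OTHER_OUTPUT)):
        r = assess_memory(out)
        print(f"{name:8s} total={r['total']} missing={r['missing']} verdict={r['verdict']}")
```

Run it against the text of a real CHKDSK session by reading the file into `assess_memory`; the "michelangelo-size" verdict only narrows the search, and the scanners the post names (run after a clean-floppy boot) remain the way to confirm or clear the machine.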
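David Conrad's reply above ("Re: Will Write Protection Prevent Virus Infection?") makes two points worth seeing side by side: a read-only attribute is trivially cleared and restored, while a checksum baseline of the executables catches the change regardless. The following Python script is an added example, not code from the digest or from any tool named in it. It builds a SHA-256 baseline over executable-type files (including the .BGI overlays Conrad mentions), then alters one file the way his reply describes (clear the attribute, write, restore it) and shows that the attribute looks untouched afterwards while the baseline check flags the file. The directory, file names and file contents are constructed in a temporary folder; the extension list and the use of SHA-256 are this example's own choices.

```python
import hashlib
import os
import stat
import tempfile

# Extensions treated as executable for baselining; .BGI included per Conrad's note
# that Borland's graphics drivers hold executable code. This list is an assumption.
EXECUTABLE_EXTS = (".com", ".exe", ".ovl", ".sys", ".bgi")


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every executable-type file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_EXTS):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def verify_baseline(root, baseline):
    """Return (changed, missing, new) relative paths compared with a saved baseline."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return changed, missing, new


def mark_read_only(path):
    # On DOS/Windows this sets the read-only attribute; on POSIX it clears the write bit.
    os.chmod(path, stat.S_IREAD)


def is_read_only(path):
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def demo():
    """Show that the attribute survives a modification while the checksum does not."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for executables; contents are arbitrary bytes.
        samples = {
            "EDIT.COM": b"constructed COM body",
            "GAME.EXE": b"MZ" + b"constructed EXE body",
            "EGAVGA.BGI": b"constructed BGI overlay",
            "README.TXT": b"not an executable; never baselined",
        }
        for name, body in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(body)
            mark_read_only(path)

        baseline = build_baseline(root)

        # The sequence Conrad describes: make writable, modify, restore read-only.
        target = os.path.join(root, "EDIT.COM")
        os.chmod(target, stat.S_IREAD | stat.S_IWRITE)
        with open(target, "ab") as f:
            f.write(b"\x90")  # one appended byte stands in for any modification
        mark_read_only(target)

        changed, missing, new = verify_baseline(root, baseline)
        result = {
            "baselined": sorted(baseline),
            "target_still_read_only": is_read_only(target),
            "changed": changed,
            "missing": missing,
            "new": new,
        }
        # Make files writable again so the temporary directory can be removed anywhere.
        for name in samples:
            os.chmod(os.path.join(root, name), stat.S_IREAD | stat.S_IWRITE)
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In practice the baseline would be written to a write-protected floppy and the verify step run after a clean boot, which is the combination Conrad recommends: the attribute guards against accidents, the checksum guards against a program that simply resets it.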