VIRUS-L Digest              Monday, 17 Jul 1989         Volume 2 : Issue 153

Today's Topics:

Re: NEW VIRUS?? (PC?)
Forward Message from J. McAfee Re: VIRUSCAN
FAT recover
Corporate culture shift resulting from virus mis(?)information
Re: 2 remarks
Re: Virus Identification Software
FluShot+ and 1701 virus (PC)
Re: 2 remarks
Request for boot sector information

---------------------------------------------------------------------------

Date: Sat, 15 Jul 89 14:34:04 -0500
From: dnewton@carroll1.cc.edu (Dave Newton)
Subject: Re: NEW VIRUS?? (PC?)

That's not a virus, someone broke in or did it as a joke.

--
"If I cannot create it, I do not understand it" -Richard Feynman
David L. Newton            (414) 524-7253  dnewton@carroll1.cc.edu
=8-) (smiley w/ a mohawk)  (414) 524-7343  uunet!marque!carroll1!dnewton

------------------------------

Date: Sat, 15 Jul 89 19:28:34 -0700
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Forward Message from J. McAfee Re: VIRUSCAN

The following message is forwarded from John McAfee:
=============================================================================

I would like to thank the Virus-L subscribers for their response to
the VIRUSCAN program. I have just released the production version
which fixed a few bugs found in the earlier versions and includes all
the viruses I know about. I would hope that those of you with large
virus collections would check it against the virus versions that you
have collected. We have received no reports of false positive
identifications as yet, but it is certainly possible that new
variations of existing viruses will slip by. I have collected only
one version each of the 3066 (Traceback) and the FuManchu for example,
and I don't have a good feel for the types of variations that might
appear with these viruses. The tests for these viruses may therefore
be weak. Also, the test for the Icelandic virus was developed and
implemented by Frank Nalls, who reports that it works fine.
Since I do not yet have a copy of the Icelandic, I can only take his
report on faith. I would be interested in anyone else's experience
with VIRUSCAN's ability to identify the Icelandic.

Again, thank you all for your support and voluminous feedback.

John McAfee
Data  - 408 988 4004
Voice - 408 988 3832
4423 Cheeney Street
Santa Clara, CA 95054
USA

------------------------------

Date: Mon, 17 Jul 89 13:10:04 +0300
From: "Yuval Tal (972)-8-474592"
Subject: FAT recover

I am using UNVIRUS to exterminate viruses. UNVIRUS also exterminates
the Bouncing Ball Virus. This program deletes the virus from the boot
sector but it *DOES NOT* fix the FAT so that the sector which was
marked as bad would be un-marked.

Is there a program to un-mark the bad sector???

- -Yuval Tal (NYYUVAL@WEIZMANN)

+-----------------------------------------------------------------------+
| BitNet:   NYYUVL@WEIZMANN        CSNet: NYYUVAL@WEIZMANN.BITNET       |
| InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU                     |
|                                                                       |
| Yuval Tal                         "Mjolnir, My fateful hammer,        |
| The Weizmann Institute Of Science  return to me at once!" - Thor      |
| Rehovot, Israel                   "Aiwa, Manafee" - Udi Schlessinger  |
+-----------------------------------------------------------------------+

------------------------------

Date: Sat, 15 Jul 89 15:36:00 -0500
From:
Subject: Corporate culture shift resulting from virus mis(?)information

I am actively involved with a large microcomputer BBS for Mechanical
Engineers (CIME-ISE, 608-233-5378). I will be giving a talk on the BBS
at the International Computers in Engineering Conference this August
in Anaheim, and am preparing a piece that will appear in the magazine
Mechanical Engineering, the main organ (as they say) of the American
Society of Mechanical Engineers (circ. approx. 130,000).

I understand that the messages here are in general somewhat academic
and technical, but perhaps the following line of discussion may spark
some interest.
I am intrigued by what can only be called the return of MIS: we all
know the corporate Kulturkampf that took place not so many years ago
when microcomputers became readily available--the MIS people (in large
corporations) kicked and screamed, but eventually their power was
diluted.

Now, I am seeing reports that their day has returned. Relatively
techno-illiterate upper management sees reports on viruses in Time,
etc., and puts a call in that all decisions on software must be
blessed from a newly powerful management structure.

Consider the following case, which I consider emblematic: a project
engineer at a large chemical installation plant can

1) sign off on $50,000 daily, but if he wants a $200 copy of
   wordstar, e.g., he must ask his piping supplier to buy it and bury
   it in an invoice;
2) he must use some cock-a-mamie line editor on his central computer;
   he, and many other engineers, circumvent this by burying their
   favorite programs on some hidden directory (of course against
   company policy)
3) he is being hassled about using the engineering BBS, and all BBS's
   in general. A valuable resource is being maligned and his
   productivity will suffer.

I have no doubt that such corporate shenanigans are taking place all
the time, and would be interested in any comments.

Thanks for your time in reading this,

Robert Braham
E-mail: DCD@CUNYVMS1.BITNET
Home: 1315 Third Ave., 4D
      New York, NY 10021
      (212) 879-1026

------------------------------

Date: Sat, 15 Jul 00 19:89:11 +0000
From: biar!trebor@uunet.uu.net (Robert J Woodhead)
Subject: Re: 2 remarks

DLV@CUNYVMS1.BITNET (Dimitri Vulis) writes:
>1. The English language has certain traditional ways of naming groups
>of animals, e.g., a goggle of goblins, a school of fish, a pack of
>wolves, etc. Since both `virus' and `Trojan horse' have some kind of
>animal overtones, I wonder what other people (preferably English
>majors) think is a good way to name a group of those beasts.

1) A Plague of Viruses.
2) A Herd of Trojan Horses.

[Ed. name for "group" of Trojans deleted...]

(^;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-;^)
Robert J Woodhead, Biar Games, Inc. !uunet!biar!trebor | trebor@biar.UUCP
``I can read your mind - right now, you're thinking I'm full of it...''

------------------------------

Date: Mon, 17 Jul 89 09:24:33 -0700
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: Re: Virus Identification Software

Last Thursday I spoke with the author of the VIRUSCAN software, Mr.
McAfee. Based on that conversation I would like to present the
following info concerning the scan program:

1. There is indeed a slight problem when running scan.exe with a DOS
version of 2.11 and perhaps any version under 3.0. The scan results
apparently are not correct when scanning/searching "multiple"
diskettes in Drive A. So the apparent fix for the problem is to either
a) type the "dir" command before inserting and scanning succeeding
diskettes or b) hit the Ctrl C keys before running scan on the next
disk.

If the user does not do this they will probably NOT get an accurate
scan and report of the files on the disks following the first diskette
searched. And you could possibly have infected files on a diskette
that would not be identified.

This problem is easy to duplicate if you run scan.exe on multiple
disks using DOS V2.11. I was able to duplicate the problem on my NCR
PC-6 machine. One other user also reported in a previous VIRUS-L
posting that he had experienced the same thing.

2. Also according to Mr. McAfee V019 was a beta test version and
Version020 is now available on the HOMEBASE BBS for downloading.

Maybe someone could grab V020 and check it out. If OK then send it to
SIMTEL20 for people on the Internet to obtain.
REgards, RollO~~

------------------------------

Date: Mon, 17 Jul 89 13:43:40 -0400
From: HAUPTMAN@DMRHRZ11.BITNET
Subject: FluShot+ and 1701 virus (PC)

Things I've learned since my first message on our virus:

There is a 'Virus Epidemic Center' at University Hamburg (Prof.
Brunnstein) and their VIRUS-KATALOG lists something called Herbstvirus
or Blackjack. Its description sounds similar to our symptoms although
it increases *.COM files by 1704 bytes while our virus needs 1701.

On one mailing list I found an announcement:
'DVIR1701.EXE -- detects and removes 1701 from COM files'

After installing Flushot+ and executing one of the infected files FSP
brought up the message:
'An attempt is being made to infect your system by:
 Cascade Virus (aka 1704 Virus) '

Beside that experiment no further problems were revealed by FSP and
our system is still up and running.

Things I still would like to know:

Did someone unassemble this virus? What was it supposed to do?
Can infection be caused by other programs than those identified by
01 FA 8B EC?
Can other files be already corrupted by this virus?

---
Klaus Hauptmann (msommer on BIX, HAUPTMAN@DMRHRZ11 on Earn/Bitnet)

------------------------------

Date: Mon, 17 Jul 89 11:01:20 -0700
From: arc!steve@apple.com (Steve Savitzk{)
Subject: Re: 2 remarks

an infection of viruses
    (plague is another possibility, perhaps reserved for widespread
    infections)
an ambush of Trojan horses
and, of course,
a can of worms

- --
Steve Savitzky             | steve@arc.uucp | apple.com!arc!steve
ADVANsoft Research Corp.   | (408) 727-3357(w) / 294-6492(h)
4301 Great America Parkway | #include
Santa Clara, CA 95054      | May the Source be with you!

------------------------------

Date: 13 Jul 89 19:18:08 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Request for boot sector information

I need an answer to the following question:

In the boot sector of every diskette and hard disk there is a short
string starting at the fourth byte.
This string contains information about the version of DOS used to
format the disk/diskette. Typically it is something like "IBM 3.0" or
"MSDOS2.0".

What I need to know is: What other possibilities are there?

The reason I'm asking this question is as follows:

I'm working on a package of programs for fighting computer viruses on
the PC. One program in this package tries to determine if the boot
sector has been infected by some virus. Since some viruses modify the
label described above, it is one of the things I check on each
diskette. For example, one well-known virus will write 1234 in this
place, and another (the Pentagon virus) will write "HAL" there.

Now - my problem is that one person who was using a beta-test version
of the program told me that the program would flag diskettes formatted
on a Cordata machine as "Possibly infected by an unknown virus".
Examination revealed that the reason was the string "CDS" instead of
"IBM" or "MSDOS".

Therefore I am asking for a bit of assistance. If you have a machine
from somebody other than IBM, please take a look at this portion of
the boot sector, using NORTON or some similar program. If it contains
a string different from "IBM", "MSDOS" or "CDS", please send me
information on the string and the machine type.

Of course - the package will be distributed freely when finished -
Expect it to appear on comp.binaries.ibm.pc or in some accessible
place. I just need to obtain a few more viruses to test it against
first. Currently I have only tested it (and found it 100% effective)
against Brain, Ping-Pong, 1704 and a new Icelandic (I think) virus.

This message would have been posted to comp.virus, but since it is not
operating right now, I am posting it here.

Fridrik Skulason
University of Iceland
frisk@rhi.hi.is

Guvf yvar vagragvbanyyl yrsg oynax .................

------------------------------

End of VIRUS-L Digest
*********************
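
Added example (not part of the original digest, and not code from Fridrik Skulason's package): a Python sketch of the boot-sector label check his message describes, separating labels it names as legitimate, labels it attributes to viruses, and labels that are merely unlisted. It assumes the label is the 8-byte field at offset 3 and that "1234" means ASCII digits; the verdict names, make_sector() and the "ACME 1.0" label are constructed for the illustration.

```python
# Added illustration; the verdict names and make_sector() are hypothetical.
OEM_OFFSET, OEM_LEN = 3, 8          # label starts at the fourth byte, 8 bytes long
KNOWN_OEM_PREFIXES = ("IBM", "MSDOS", "CDS")   # legitimate strings named in the post
VIRUS_MARKERS = ("1234", "HAL")     # strings the post says viruses write here
                                    # (assumes "1234" means ASCII digits)


def oem_label(sector: bytes) -> bytes:
    """Return the raw label with trailing space/NUL padding removed."""
    if len(sector) < OEM_OFFSET + OEM_LEN:
        raise ValueError("sector too short to contain an OEM label")
    return sector[OEM_OFFSET:OEM_OFFSET + OEM_LEN].rstrip(b" \x00")


def classify(sector: bytes):
    """Return (verdict, label) for one boot sector."""
    raw = oem_label(sector)
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return ("non-text", raw.hex())      # empty or binary label
    label = raw.decode("ascii")
    if label.startswith(VIRUS_MARKERS):
        return ("virus-marker", label)
    if label.startswith(KNOWN_OEM_PREFIXES):
        return ("known-oem", label)
    # An unlisted but printable label is reported for review, not called an
    # infection: this avoids the Cordata "CDS" false positive from the post.
    return ("unknown-oem", label)


def make_sector(label: bytes) -> bytes:
    """Build a constructed 512-byte sector carrying the given label."""
    body = b"\xEB\x3C\x90" + label.ljust(OEM_LEN, b" ")[:OEM_LEN]
    return body + bytes(512 - len(body) - 2) + b"\x55\xAA"


if __name__ == "__main__":
    # Constructed sample labels, not taken from real disks.
    for sample in (b"IBM  3.0", b"MSDOS2.0", b"CDS", b"HAL", b"1234",
                   b"ACME 1.0", b"\x00\x01\xfe"):
        print(sample, "->", classify(make_sector(sample)))
```
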