VIRUS-L Digest   Friday, 18 Aug 1989    Volume 2 : Issue 177

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

Today's Topics:

Re: Response to query from A.Berman, Yale,8-14-89 (PC)
1701/4 Disinfector
Need info on Datacrime virus (PC)
Correction to the Swap Virus report (PC)

---------------------------------------------------------------------------

Date:    16 Aug 89 21:43:49 +0000
From:    berman-andrew@CS.YALE.EDU (Andrew P. Berman)
Subject: Re: Response to query from A.Berman, Yale,8-14-89 (PC)

I want to thank everyone who mailed/posted responses to my posting about the virus which infected my friend's disks. She thinks she's cleaned it out by copying only the source codes to new disks, zapping the hard drives, and recompiling everything on the clean hard disks.

BTW, there is an article in this month's Popular Science on computer viruses.

Once again, Thanks

Andrew Berman

------------------------------

Date:    Wed, 16 Aug 89 08:36:09 -0700
From:    portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: 1701/4 Disinfector

Forward from John McAfee
=============================================================================

Hi folks. I've had a large number of panicky calls, and Ken van Wyk has had at least one 'emergency' message about a possible 1701 virus in the M-1704.EXE disinfector program. What's happening is VIRUSCAN is identifying the 1701 virus code within the disinfector product. The 1701/4 disinfector is the only one of our disinfectors that causes this problem, and because of the very small de-garbling code within the 1701/4 virus, there is no practical way around it. Our choices are:

1. Remove the 1701/4 disinfector from circulation and let people disinfect manually;
2. Change VIRUSCAN to ignore the program (it's the only non-virus program we know of that looks like a virus to VIRUSCAN); or
3. Continue as is.

I definitely do not want to change VIRUSCAN to start an 'exclusion' list. This defeats the purpose of the scan program and reduces its reliability. I also believe that the value of the disinfector outweighs the confusion factor. I have stated up front in the documentation for M-1704 that the user should contact us BEFORE trying to use the program so that we can verify over the phone whether there is a possibility that the program really is infected (a slim probability if downloaded from SIMTEL or other reputable source).

A second point I'd like to bring up is that people do not need to stockpile disinfector programs. Many of these programs are dangerous if used on uninfected systems, and even in infected systems certain disinfectors can have unpleasant side effects if used improperly. A disinfector should be used AFTER an infection has been verified. It appears that many people are collecting disinfectors and trying them out so that they are prepared for an infection if one occurs. I don't think this is a good idea.

My final recommendation is: Read the documentation and follow the instructions. If you're using the M-1704 program, then call before you do anything with it.

John McAfee

------------------------------

Date:    Thu, 17 Aug 89 10:20:54 -0600
From:
Subject: Need info on Datacrime virus (PC)

Sorry if you get this message twice, I'm not sure if the first attempt will get to you (it's been one of those days :^)

I'm sure this has been discussed, but I just got back from vacation and missed the info (we're low on disk and things get purged quickly). Can anyone tell me how to detect if a machine has been infected with the Datacrime virus, what it does (I've heard that it is supposed to erase files on a particular date), and how to get rid of it.

I'd appreciate a response to this. It will give me a good opportunity to demonstrate to our security gurus that Usenet can be beneficial to security (instead of the open door that is usually portrayed by the media).

Terry Ingoldsby                ctycal!ingoldsb@calgary.UUCP
Land Information Systems       or
The City of Calgary            ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb

------------------------------

Date:    Fri, 18 Aug 89 17:14:11 +0300
From:    "Yuval Tal (972)-8-474592"
Subject: Correction to the Swap Virus report (PC)

Hello all!

I don't know how many of you have noticed the few small mistakes in the report about the "Swap Virus", but anyway, I am correcting it now. The only mistake I found was in the INFECTION part, section C.

1) Instead of bytes 2B4-2E4, correct it to bytes 00B7-00E4 (a sector has only $200 bytes on it).

2) The correct message at the end of the virus is:

   "The Swapping-Virus. (C) June, 1989 by the CIA"

I hope there are no more mistakes!

- --Yuval

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
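The situation McAfee describes in the 1701/4 message above (a pattern scanner flagging a disinfector that legitimately carries the same bytes it looks for) is illustrated below as an added example; it is not VIRUSCAN's or McAfee Associates' code, and the signature and sample files are constructed stand-ins, not the real 1701/4 code. The hash comparison against a value published by a trusted source is an assumed modern counterpart to the phone verification he recommends, used instead of the exclusion list he rejects.

```python
import hashlib

# Constructed signature bytes: NOT the real 1701/4 de-garbling code.
SIG = b"\xfa\x8b\xec\xe8\x00\x00\x5e\x81\xee"
SIGNATURES = {"1701/4-like (constructed)": SIG}

# Constructed sample files. The "disinfector" carries the same byte
# pattern because it must recognise the infection in order to undo it.
CLEAN_COM = b"\xb4\x09\xba\x10\x01\xcd\x21\xcd\x20Hello"
INFECTED_COM = CLEAN_COM + SIG + b"\x00" * 16
DISINFECTOR_EXE = b"MZ" + b"\x00" * 30 + b"SIG:" + SIG + b"\x00" * 8

# A vendor would publish this beside the download; here it is computed
# from the constructed sample to stand in for that published value.
PUBLISHED_DISINFECTOR_SHA256 = hashlib.sha256(DISINFECTOR_EXE).hexdigest()


def scan(data, signatures=SIGNATURES):
    """Return the names of every signature found anywhere in data.

    A plain substring scan cannot tell a virus from a tool that embeds
    the virus's bytes, which is exactly the 1701/4 collision.
    """
    return [name for name, pattern in signatures.items() if pattern in data]


def matches_known_good(data, expected_sha256):
    """True if data hashes to the value a trusted source published."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def triage(data, signatures=SIGNATURES, known_good=None):
    """Classify a file without an exclusion list in the scanner.

    A hit on a file that matches its published hash is the tool itself;
    any other hit is treated as infected until verified.
    """
    if not scan(data, signatures):
        return "clean"
    if known_good and matches_known_good(data, known_good):
        return "flagged-but-verified"
    return "infected-or-unverified"


if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_COM), ("infected", INFECTED_COM),
                       ("disinfector", DISINFECTOR_EXE)]:
        print(name, triage(blob, known_good=PUBLISHED_DISINFECTOR_SHA256))
```

A disinfector that has itself been infected no longer matches the published hash, so the check fails closed rather than whitelisting the file name.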