VIRUS-L Digest Tuesday, 5 Sep 1989 Volume 2 : Issue 185 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Anti-Virus/Virus Listing Re: Is this a virus? (PC) RE: capturing viruses (Mac) Columbus Day Virus and Lehigh (PC) Re: Is this a virus? (PC) Virus or no? Help please (PC) Re: is this a virus? (PC) Kim's question concerning FATs (PC) removing a floppy then Retry (PC) Columbus Day "virus" (PC) Re: Virus Naming Appleshare and viruses ? --------------------------------------------------------------------------- Date: Fri, 01 Sep 89 06:28:54 -0700 From: portal!cup.portal.com!Chuck_SirVAX_Staatse@apple.com Subject: Anti-Virus/Virus Listing I teach a class on hard disk management. Naturaly I cover virues, but do not have a list of virus names and what programs are currently available to combat these viruses. Coulde someone please post a list of this information. Could you also include some information about the CV group who are working to combat these viruses. Thanks, Chuck ------------------------------ Date: 01 Sep 89 00:00:00 +0000 From: David M. Chess Subject: Re: Is this a virus? (PC) > ...if I answer "r" to the > massage and puting a non-protected diskette, then the FAT and > DIRECTORY of the protected diskette is transfered to the second non > protected diskette(and the files that I copied to). DOS has always done this, I think. I believe some versions of the documentation Strongly Warn against switching diskettes during the "Abort, Retry..." message. I realize that may not be much consolation! But it's not a virus, at least... DC ------------------------------ Date: Fri, 01 Sep 89 10:19:00 -0400 From: "Alex Z." Subject: RE: capturing viruses (Mac) Well, with a virus (take scores for example), you could identify the infected files and then view them with a utility like Fedit+. I think that would be a better way to view the code than Resedit. Alex Z... . . . ------------------------------ Date: Fri, 01 Sep 89 08:11:05 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Columbus Day Virus and Lehigh (PC) Ken van Wyk asks about the Columbus day Virus. It's the same as the DataCrime virus versions one and two (not to be confused with the DataCRime II). Columbus day is October 12. The Datacrime versions 1 and 2 activate on October 12. I would discourage the use of "Columbus Day Virus" as a name, since DatCrime has been an accepted name for quite some time. Also, the Lehigh original virus has been sporadically reported at dozens of installations outside of the university for over a year. It is not a particulary successful replicator -- probably because of the extremely short activation fuse - and it is difficult to detect and report because there are few symptoms prior to activation. Buit there should certainly be no surprise that it's in the public domain. In John McAfee's report to the CVIA on epidemiology he writes - "The belief that viruses can be contained by early counter-action is belied by the Lehigh University experience. I have spoken to a number of individuals at the University who belived that the virus had somehow been contained because "no copies of the virus were distributed to outside organizations". This assumed, of course, that the original virus writer gave up after being foiled at Lehigh and did not insert the virus at any other location, and that all copies of the virus at Lehigh had indeed been accounted for. The first issue rests solely in the hands of the perpetrator and is beyond any containment controls. The second issue relies on an error-free containment process - allowing no possibility for overlooking, losing or mistaking an infected diskette. In any case, the Lehigh virus was by no means contained. I received a copy, as did virtually every virus researcher, in mid-1988, and infection reports issued throughout the year from universities, corporations and individual computer users." I think John said it better than I could, but my sentiments exactly. Alan ------------------------------ Date: Fri, 01 Sep 00 11:51:00 -0400 From: Bob Babcock Subject: Re: Is this a virus? (PC) >When I copy some >files to a floppy but I misput a write protected diskette, I find the >error massage "retry, ...". At this time, if I answer "r" to the >massage and puting a non-protected diskette, then the FAT and >DIRECTORY of the protected diskette is transfered to the second non >protected diskette(and the files that I copied to). Is this a DOS's >bug or a virus? This is a known behavior of MS-DOS. The directory and FAT have already been read before the write protect error is sensed, and when you say retry, DOS doesn't know that you have changed disks, so it doesn't reread the directory info. ------------------------------ Date: Fri, 01 Sep 89 12:31:00 -0400 From: Subject: Virus or no? Help please (PC) At our university a student came in and described a problem with his AT compatible and wondered if it was a virus. The symptoms follow: 1. lots of garbage on screen. 2. repeat of dos prompt across the screen. 3. I view all my files with .sys and found word BUG . 4 I could't do any work at the time, but following day all seemed okay. Any of you IBM specialists have any ideas on this one? Alex Z... . . . Library Mac Software Chief SMU ------------------------------ Date: Fri, 01 Sep 89 16:55:59 -0500 From: Joe Simpson Subject: Re: is this a virus? (PC) In response to the question about the FAT from a locked disk being written to another disk this is a feature of MS-DOS, not a virus. Another chilling scenario conserns running an application such as a word processor, opening a document, exchangeing data diskettes, and saving a "backup" of the file. This often hoses the "backup" disk and sometines affects the origional file. ------------------------------ Date: 01 Sep 89 15:41:00 -0400 From: "Damon Kelley; (RJE)" Subject: Kim's question concerning FATs (PC) In response to Kim: I'm no expert at MS-DOS or software-stuff, but I've been poking around in my computer's memory long enough to believe that what you are describing may be normal with MS-DOS. Often I see that within memory, data stays in its assigned spot until something moves or writes over it. I notice this effect with a certain software word-processing/graphing/spreadsheet package I have. Sometimes when I am retreiving data with my package, I place a data disk first before putting in the main program disk. The program needs to do something with the disk with the main program first, so the package asks for the main program disk. Whe the directory pops up for the main program disk, it shows a conglomeration of the files on the curent disk PLUS the files that were on the removed data disk and some random garbage. Nothing grave has happened to my files with this package (It came with my computer. It wasn't PD/Shareware, either.), so I feel that this may be either a DOS bug (not writing over completely the FAT) or something normal. Of course, I've never really had an opportunity to look at the directory track on any disks, so I can't confirm that this is absolutely true. I can find out. Has anyone out there found mixed FATs affecting the performance of their disks? jnet%"damon@umbc" damon@umbc.bitnet damon@umbc2.umbc.edu "Would anyone dare let me represent their views? I think not!!!" ------------------------------ Date: Sat, 02 Sep 89 00:00:00 +0000 From: "Prof Arthur I. Larky" Subject: removing a floppy then Retry (PC) > I 'm a college student studying physics. Now I have discovered a > suspicious thing about MS-DOS's behavior in my sense. When I copy some > files to a floppy but I misput a write protected diskette, I find the > error massage "retry, ...". At this time, if I answer "r" to the > massage and puting a non-protected diskette, then the FAT and > DIRECTORY of the protected diskette is transfered to the second non > protected diskette(and the files that I copied to). Is this a DOS's > bug or a virus? It's a "feature" of MSDOS - when you attempt to write on a floppy, MSDOS reads the FAT and Directory and re-writes it when you are done. If you swap floppies, you get the old information on the new disk. The rule is: NEVER NEVER replace a floppy with another in the middle of a write or a write protect error. Pick the Abort option, not the Retry option; then start the process all over. Anyway, it's not a virus, it's just Bill Gates getting even with the world for making him a billionaire. Art Larky CSEE Dept Lehigh University ------------------------------ Date: Sat, 02 Sep 89 16:05:53 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Columbus Day "virus" (PC) Yes, I have heard of the "Columbus Day 'virus'". What I have heard is a pronouncement from a certain Dr. S. that this thing exists and on Friday, October 13th, this bugger is going to strike and start causing problems. IMO, this sounds suspiciously like the Jerusalem/Hebrew University virus, *at this point*. Emily Lonsford, a fellow MITRE-ite and contributor here, has meet Dr. S., and was less then impressed with him and his techniques. Of course, none of this means that this virus does not exist as a seperate strain from existing viruses. Barring independant confirmation of this virus, my opinion is that no extraordinary action is needed. [Ed. Thanks for the info - in fact, I received a number of replies about the Columbus Day virus. Most replies indicated that it was the DataCrime virus. Thanks to all those who replied!] ------------------------------ Date: 03 Sep 89 18:58:31 +0000 From: dav@eleazar.dartmouth.edu (William David Haas) Subject: Re: Virus Naming In article <0001.8909011255.AA07043@ge.sei.cmu.edu> ttidca.TTI.COM!hollombe%sdc svax@ucsd.edu (The Polymath) writes: