Date: Mon, 7 Jan 91 15:20:53 EST
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #5
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Monday, 7 Jan 1991    Volume 4 : Issue 5

Today's Topics:

Re: University Policy
Re: Virus Vaccine (PC)
re: Virus Vaccine (PC)
Re: Virus Protection (PC)
nVIR-like resources... (Mac)
Strange Problem Running Disinfectant 2.4! (Mac)
Apple //gs "Die!" Virus
Re: Apple //gs Virus (Followup - READ ME FIRST)
Grapes virus? (Mac)
PVALIDAT.ZIP - Portable VALIDATE using McAfee algorithms (PC)
QEMM Virus? (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: 03 Jan 91 19:14:55 +0000
From: goodwin@casbah.acns.nwu.edu (David C Goodwin)
Subject: Re: University Policy

For a while last year we were hit with a lot of IBM viruses, all at once. We have Novell networks that use individual boot disks, and that's how it spread from floppy to floppy. Every time a user asked for a boot disk, we grabbed any floppies they had and SCAN'ed them. The average user didn't carry more than two or three floppies at a time.

Good luck.
------------------------------

Date: Thu, 03 Jan 91 18:05:11
From: microsoft!c-rossgr@uunet.UU.NET
Subject: Re: Virus Vaccine (PC)

>From: Evelyn Duncan
>
>A friend of mine has an IBM-compatible computer and wants to dial into
>the VM system here, but he needs a program that will prevent viruses
>from infecting his system at home. He would like a program such as
>Virex. He called Virex's 1-800 number, but it was disconnected.
>
>If you know of any program, please contact me.

You might want to try calling the Virex people at 919-490-1277. I know there's a 1-800 number, but for me it's just a FastDial code on my phone. Try calling up 1-800 information and ask for either Microcom in Durham, N.C., or for HJC Software (former name until Microcom bought them out).

I can probably answer any questions you might have regarding Virex-PC.

Ross M. Greenberg
Author, Virex-PC & FLU_SHOT+
Views expressed herein are not representative of Microsoft.

------------------------------

Date: Thu, 03 Jan 91 22:05:34 -0400
From: pham@px3.stfx.ca (Hai Pham)
Subject: re: Virus Vaccine (PC)

In reply to Evelyn Duncan's question for a PC Virex equivalent.

I could be very wrong (if there's a way to do it, someone will find a way to), but as far as I know, your friend should not need a virus shield to protect himself from infection if all he's going to do is dial in and use your VM system interactively. This is because for a virus to enter a computer through a modem, it must enter via an infected program which was downloaded into his computer. If he does download programs into his system, then all he would have to do is to check it over with a virus scan program, such as McAfee's "scan". This is because before a virus can infect the system, the infected program would have to be run first, so if you scan for virus infection before you run the program, you will catch them before they can do any harm.
There is no way in which your friend could be infected by something like the Internet Worm if he is only using a terminal emulator. The reason the Internet Worm was able to infect all those Internet sites was because the computers involved all ran a common operating system (UNIX), and it took advantage of a bug in the UNIX mail program to get into the remote system.

If I am wrong on any of the above points, I would appreciate immediate feedback (so I can take steps to protect my computer).

*******************************************
Hai Pham
TPI, Physics Dept.
Box 383, Saint Francis Xavier University
Antigonish, Nova Scotia, Canada, B2G 1C0.
Email: pham@phoenix.stfx.ca (Internet)
*******************************************

------------------------------

Date: 04 Jan 91 14:53:35 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Re: Virus Protection (PC)

sulistio@sutro.SFSU.EDU (Sulistio Muljadi) writes:

>Michael_Kessler.Hum@mailgate.sfsu.edu wrote in VIRUS-L volume 205:
>> The one negative comment about F-Prot is that the updates appear to be less
>> frequent than one might wish.

Well, yes, I admit I send out updates less frequently than would be desirable, but I expect to send out a new version every 4 weeks or so in the future. The next version (1.14) should be ready any day now - I am busy adding routines to detect and remove all the viruses I received at the conference in Hamburg.

> One other negative comment about F-Prot is:
>
>F-driver.sys does not check drive A for any possible boot sector virus
>when we warm boot the machine. The V-Shield does check drive A for
>any possible boot sector virus and will deny the warm boot if there
>is any boot sector virus in the floppy drive A. Hopefully frisk will
>implement this for his next version of F-PROT. It is a great program.

Sounds like a good idea - I am not sure I will have time to add it in version 1.14, but if not then it will certainly appear in the next version after that.
- -frisk

------------------------------

Date: Fri, 04 Jan 91 16:03:12 -0500
From: Alan Pierce
Subject: nVIR-like resources... (Mac)

I'm somewhat new to the world of Macs, so I hope someone can shed some light for me. A user recently reported a virus on their Mac SE. Using SAM 2.0, I scanned the volume and received the following messages:

Examined file 'System' in folder 'System Folder'.
Warning! This file contains nVIR-like resources(nVIR).
It was last modified on 9/17/90 at 3:57 PM.

The most interesting thing is we never purchased the machine until November and I installed the system software that came with it. Thinking I may have an infected system disk, I scanned all 4 (v6.0.5) disks and came up empty. Next, I re-installed the system and scanned the volume again--same messages.

I hope someone here can help me. Either post to this list (as I am an avid reader) or respond directly.

Thank you.

Alan Pierce
Technical Consultant <-- Huh?
Division of Nutritional Sciences
Cornell University
Ithaca, NY
APP@CORNELLA -- Bitnet
APP@CORNELLA.CIT.CORNELL.EDU -- Internet

------------------------------

Date: Fri, 04 Jan 91 16:04:00 -0400
From: Michael Greve
Subject: Strange Problem Running Disinfectant 2.4! (Mac)

I'm having problems running Disinfectant 2.4. We have one Mac lab consisting of 16 SE/30's with 40 mg hard drives that are partitioned into two hard disks. During my normal maintenance of the lab I do a routine virus check using Disinfectant 2.4. The program works great on 15 of the machines. When I run it on the last machine, the program calls up fine, but in the upper right hand corner where it should normally tell you which drive/partition you are currently scanning, the program comes up with a blinking message saying insert a disk to be checked. This lab is networked using Appleshare and I do the virus check from the network. On the other 15 machines the name of the server comes up, I then switch to the 2 partitions and scan them.
On this last machine, the name of the server shows up for a quick second then it changes to the flashing message. I've tried running it from diskette and the hard drives and still get the same message. I can't get it to work at all. Could this be some kind of virus?? I've never seen this before and have no clue as to what could be causing this. I have had no problem with this particular machine, everything else runs fine on it. Does anybody have ideas about what may be causing this? I've run out of ideas.

Thanks for any assistance.

Michael Greve
University of Pa.
The Wharton School
greve@wharton.upenn.edu

------------------------------

Date: Sun, 06 Jan 91 17:17:05 -0500
From: davidbrierley@lynx.northeastern.edu
Subject: Apple //gs "Die!" Virus

This appeared on Info-Apple:

- --------------------------------------------------------------
Date: 6 Jan 91 21:06:19 GMT
From: pasteur!euler.Berkeley.EDU!benji@ucbvax.Berkeley.EDU (Benji Rudiak-Gould )
Organization: University of California, Berkeley
Subject: Computer virus!
Message-Id: <10039@pasteur.Berkeley.EDU>
References: <1991Jan5.014646.26135@ux1.cso.uiuc.edu>, <1991Jan6.201242.10199@watdragon.waterloo.edu>
Sender: info-apple-request@apple.com
To: info-apple@apple.com

I am posting this for a friend with an IIGS who recently fell victim to a virus attack. The symptoms (I think they were in this order):

1) A pop-up window appeared in the Finder with the message, "Die!"
2) When he tried to open his text viewer DA, it froze and the words "Ha! Ha! Ha!" appeared all over it.
3) Now, just about everything is bombing.

He has done a complete reformat of his hard drive and restored from backups, but the virus was still there. He has Lode Runner, and downloaded the L. R. virus killer (while he still could), but hasn't tried it yet. These symptoms may be slightly skewed, since they were told to me quickly by phone.

Can someone identify this virus? Thank you thank you thank you for your help.

- --
\\ I think, therefore I am.
|___|___|  Disclaimer:  Benji Rudiak-Gould         // I am, therefore I think.
|_|___|_|  Take with    benji@euler.berkeley.edu   \\ Therefore, I think I am.
|___|___|  a grain      ///////////////////////////   Therefore I am -- I think...
|_|___|_|  of :-)

------------------------------

Date: Sun, 06 Jan 91 19:15:44 -0500
From: davidbrierley@lynx.northeastern.edu
Subject: Re: Apple //gs Virus (Followup - READ ME FIRST)

This correction to a virus warning was posted to Info-Apple:

- -------------------------------------------------------------
Date: 6 Jan 91 17:05 -0600
From: "H. Grant Delaney"
To: info-apple@apple.com, benjl@euler.berkeley.edu
Message-Id: <53*delaneyg@wnre.aecl.ca>
Subject: RE Virus

Not a virus ( Writeit NDA )

What was described was a window appearing with DIE in it. Well, this sounds exactly how Write It! NDA crashes. This is usually due to insufficient memory and is part of the NDA. It is not the first time this has confused people. This may have been removed from the latest version.

------------------------------

Date: Mon, 07 Jan 91 16:47:01 +0000
From: NDG503@csc1.anu.edu.au (Nick Guoth)
Subject: Grapes virus? (Mac)

Hi, or should I say what is going on?

We are using MacFortran on some of our Macintoshes here and just over the last few days we seem to have contracted a strange virus or something. Now I'm never confident about viruses affecting us here in Australia as the protection software generally arrives before the virus.

What is happening is that the icons for the Fortran executable files have turned into bunches of grapes. Now it doesn't seem to harm the programs but it soon will become a nuisance. We have SAM with all the latest virus definitions installed on each of the Macs.

Can anyone tell me whether this is a virus or not, and if not what is causing the problem.
Ta,
nick
ndg503@csc.anu.edu.au
"Happiness is a piece of fudge caught on the first bounce" - Snoopy

------------------------------

Date: Sat, 05 Jan 91 17:27:42 -0400
From: bnrgate!bcars53.bnr.ca!mussar@UUNET.UU.NET (G. Mussar)
Subject: PVALIDAT.ZIP - Portable VALIDATE using McAfee algorithms (PC)

I have uploaded to SIMTEL20:

pd1: PVALIDAT.ZIP    Portable VALIDATE using McAfee algorithms

Portable VALIDATE is a file authentication program which can be used to check software for signs of tampering. The program calculates two check codes over the data in a file by using two different CRC algorithms. Portable VALIDATE uses the same CRC algorithms as McAfee Associates' VALIDATE. The McAfee VALIDATE module only runs on IBM (and compatible) machines. Portable VALIDATE is written in the C language and can be compiled and run on many non-IBM platforms.

- -------------------------------------------------------------------------------
Gary Mussar  | Bitnet: mussar@bnr.ca                 | Phone: (613) 763-4937
BNR Ltd.     | UUCP: ..uunet!bnrgate!bcars53!mussar  | FAX: (613) 763-2626

------------------------------

Date: Mon, 07 Jan 91 08:13:28 -0700
From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: QEMM Virus? (PC)

This appeared in a recent Info-Ibmpc digest. Figured I'd pass it on. I have not seen any mention of this in recent virus-l postings so hopefully I'm not passing on old news. Then again, I hope I'm not also spreading panic!

Date: Tue, 1 Jan 91 10:58:09 -0500
From: David Kirschbaum
Subject: Reported QEMM virus

Received from the Fido Dr. Debug Echo, 1 Jan 91.

David Kirschbaum
Toad Hall

FROM: Richard Crain
Area # 23 ( Dr. Debug )
TO: ALL
SUBJECT: Virus

I have found what appears to be a virus on the factory supplied disk from Quarterdeck on the QEMM386 V5.1 diskette in the Optimize.com and install.exe programs. These 2 programs contain a HEX signature of EAF0FF00F0 which indicates the possible presence of the 648 virus.
This virus is supposed to infect overlay programs, which I have had MAJOR problems with lately. In the last 18 hours, every program that I have used that uses overlays has had its CRC change, or worse yet, totally crash on invocation locking the system. Further, it has been only the EXE files that have changed. Also, in doing a byte by byte compare of a corrupted file with a good version on backup (tape) I find an absolute pattern of corruption in the files. These changes are the substitution of a HEX 00 00 at locations 68B8, 68BC, 78B8, 78BC, 88B8, 88BC, etc.....

This problem started yesterday (again) after running the Optimize program that comes with Qemm386 V5.1. This problem occurred before, causing me to panic and wipe out my hard disk, secure erase, reformat, and reload without doing serious research as to the cause; I ASSUMED that a new program that I had just added was the cause. This time, I have found what I believe to be the true cause with some advice from Chris Anderson. Further, Quarterdeck has been notified and the original disk is being returned to them for replacement and analysis. Also, the disk was never written onto by me at any time; the diskette was copied and the copy underwent the registration process.

The HEX string to look for is EAF0FF00F0

- --- msged 1.99S ZTC
* Origin: DinoPoint 2 (1:104/114.2)

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 5]
****************************************
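The PVALIDAT announcement and the QEMM report in this issue rest on the same two mechanisms: a file authentication program that records two independent check codes over a file so that later changes (such as the 00 00 substitutions the report describes) show up as a mismatch, and a scanner that looks for a fixed hex string. The block below is an added example written for this digest, not PVALIDAT's, McAfee Associates' or Quarterdeck's code. The CRC-16/CCITT and CRC-32/IEEE polynomials, the sample image bytes and the tamper offset are assumptions: the digest names neither the algorithms VALIDATE uses nor the contents of the files involved.

```c
/* Added example, not code from PVALIDAT, McAfee Associates or Quarterdeck:
 * two independent check codes over a file image (VALIDATE-style file
 * authentication) plus a search for a fixed byte signature (the kind of
 * match the QEMM report describes). CRC-16/CCITT and CRC-32/IEEE are
 * assumed here; the digest does not say which CRCs VALIDATE really uses. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* CRC-32/IEEE (zip, Ethernet): reflected polynomial 0xEDB88320. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1u) ? (crc >> 1) ^ 0xEDB88320u : crc >> 1;
    }
    return ~crc;
}

/* The pair of codes a VALIDATE-style tool records for a known-good file. */
typedef struct { uint16_t code1; uint32_t code2; } check_codes;

check_codes compute_codes(const uint8_t *data, size_t len)
{
    check_codes c = { crc16_ccitt(data, len), crc32_ieee(data, len) };
    return c;
}

/* 1 when both codes agree with the recorded reference pair, else 0. */
int codes_match(check_codes a, check_codes b)
{
    return a.code1 == b.code1 && a.code2 == b.code2;
}

/* Byte offset of the first occurrence of sig in data, or -1 if absent. */
long find_signature(const uint8_t *data, size_t len,
                    const uint8_t *sig, size_t siglen)
{
    if (siglen == 0 || siglen > len) return -1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(data + i, sig, siglen) == 0) return (long)i;
    return -1;
}

/* The five bytes named in the QEMM report. Decoded as 8086 code they are
 * EA = JMP FAR with operand F0FF 00F0 = F000:FFF0, the BIOS reset entry
 * point, i.e. an ordinary warm-reboot instruction. A match on a string
 * this short is a candidate to verify against recorded check codes or the
 * vendor's original, not a verdict on its own. */
const uint8_t RESET_JUMP_SIG[5] = { 0xEA, 0xF0, 0xFF, 0x00, 0xF0 };

/* Constructed sample of an executable image: an "MZ" stub followed by a
 * few instruction bytes including the far jump above. Not a real file. */
const uint8_t SAMPLE_IMAGE[] = {
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    0xEA, 0xF0, 0xFF, 0x00, 0xF0, 0xCB, 0x00, 0x00
};
#define SAMPLE_IMAGE_LEN (sizeof SAMPLE_IMAGE)

/* Records reference codes for SAMPLE_IMAGE, overwrites one byte the way the
 * report describes, and returns 1 if the codes no longer match (0 when the
 * substituted byte equals the original, since the file is then unchanged). */
int tamper_detected(size_t offset, uint8_t new_byte)
{
    uint8_t copy[SAMPLE_IMAGE_LEN];
    check_codes reference = compute_codes(SAMPLE_IMAGE, SAMPLE_IMAGE_LEN);
    memcpy(copy, SAMPLE_IMAGE, SAMPLE_IMAGE_LEN);
    copy[offset % SAMPLE_IMAGE_LEN] = new_byte;
    return !codes_match(reference, compute_codes(copy, SAMPLE_IMAGE_LEN));
}

int main(void)
{
    check_codes c = compute_codes(SAMPLE_IMAGE, SAMPLE_IMAGE_LEN);
    long hit = find_signature(SAMPLE_IMAGE, SAMPLE_IMAGE_LEN,
                              RESET_JUMP_SIG, sizeof RESET_JUMP_SIG);
    printf("check codes: %04X %08lX\n", c.code1, (unsigned long)c.code2);
    printf("signature EAF0FF00F0 at offset %ld\n", hit);
    printf("one-byte change detected: %s\n",
           tamper_detected(2, 0x00) ? "yes" : "no");
    return 0;
}
```

The two codes are kept deliberately independent (different polynomials, different widths) so that a change which happens to preserve one is still caught by the other; that is the property the PVALIDAT announcement relies on when it speaks of two different CRC algorithms. The comment on RESET_JUMP_SIG records what the report's five bytes decode to: a far jump to the BIOS reset entry, an instruction clean software can legitimately contain. The digest does not say whether that is what happened on the QEMM disk, only that Quarterdeck was sent the original for analysis, which is the right follow-up to a signature hit of this kind.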