Date: Tue, 8 Jan 91 14:30:48 EST
From: "The Moderator Kenneth R. van Wyk"
Subject: VIRUS-L Digest V4 #6
To: Multiple recipients of list VIRUS-L

VIRUS-L Digest   Tuesday, 8 Jan 1991   Volume 4 : Issue 6

Today's Topics:

possible macintosh virus
Reported QEMM "virus" (PC)
MacVirusIndex (Mac)
Addition to monthly postings?
WordPerfect "virus"--summary of responses
Re: UK Computer Crime Unit
Strange Problem Running Disinfectant 2.4! (Mac)
Prevent hard disk infection? (PC)
Auto-scanning Virus Vaccine? (PC)
Fish Virus Activation (PC)
Grapes (Mac)
Re: Grapes virus? (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: 07 Jan 91 20:43:44 +0000
From:
Subject: possible macintosh virus

Does anyone know of a Macintosh virus that will make all floppy disks
appear to be locked to the computer? At first, we thought the problem
was with the disk drive, but when it started surfacing on other
computers, we've become a little suspicious. Any help would be
appreciated.

Matt Wu
mwu@teri.bio.uci.edu

------------------------------

Date: 07 Jan 91 16:01:10 -0500
From: "David.M.Chess"
Subject: Reported QEMM "virus" (PC)

That person has some serious misinformation, I'm afraid; the 648
virus, while it does contain those 5 bytes, doesn't infect EXE files
or overlays (unless they have the extension "COM"), and doesn't write
zeros into files as he describes. The five bytes he gives as the
"sign of the virus" are just five bytes that cause the machine to
reboot. The 648 sometimes inserts this into programs, but there are
many legitimate programs out there that contain those five bytes for
good non-viral reasons (they want to reboot the machine, for
instance). My guess would be (can't be anything like sure at this
distance, of course) that he's just got something mundane, like a
conflict between QEMM and his disk driver software...

DC

------------------------------

Date: Mon, 07 Jan 91 14:27:04 -1000
From: jwright@uwila.cfht.hawaii.edu (Jim Wright)
Subject: MacVirusIndex (Mac)

Andreas "Pandy" Holmberg (pandy@spiff.hut.fi) has pointed out to me
that there is a MacVirusIndex available from nic.funet.fi in the
directory /pub/mac/doc. Does anyone know if this is available from an
archive site in the U.S.? (Please don't everyone grab this file from
Finland. Wait until it shows up a bit closer to you.) I haven't seen
this, so I don't know how it compares to the Virus Encyclopedia Stack.

Jim

------------------------------

Date: Mon, 07 Jan 91 14:32:30 -1000
From: jwright@uwila.cfht.hawaii.edu (Jim Wright)
Subject: Addition to monthly postings?

It has been suggested that I add a section to the monthly postings of
archive sites that would explain what to do with ZIP, ZOO, ARC, HQX,
SIT, etc. files. Would you find this information useful? Would you
like to see it added to the monthly postings? I'm trying to see if
many people are interested in this.

Jim

------------------------------

Date: Tue, 08 Jan 91 07:11:27 +0000
From: jkelly@violet.berkeley.edu (John Kelly)
Subject: WordPerfect "virus"--summary of responses

Report on WordPerfect "Virus"

Over the last month or two over a dozen people (thank you all) have
posted articles responding to queries about a possible "WordPerfect
virus" which was to blame for certain problems with WordPerfect--
specifically:

    Trashed floppy disks,
    Documents duplicated many times within a single file,
    Screwy pagination,
    Slow repositioning, and
    Control codes mysteriously appearing in files, often in
      conjunction with the other problems.

Here's the summarized wisdom of the group:

(1) There's no virus involved. It's just bugs and design flaws in WP.

(2) The trashed-floppy problem is extremely common and most likely
results from users switching floppies too fast for WordPerfect to keep
track of them. The remedy is (a) don't switch floppies; (b) if you
do, save first, exit from the document, switch floppies, and
_immediately_ List Files () so WP will know that it's dealing with a
new disk. WordPerfect's autosave feature can be part of the problem
or part of a solution; one writer recommended disabling it and saving
yourself. I would recommend hanging on to it _if_ you can make it
save to a different drive from the one your documents are on (i.e.,
if you have hard disk space on your machine or on a network). If you
and autosave write to the same disk, you're likely to interfere with
each other; if you and autosave write to different disks, you're
backing each other up.

(3) The other problems are less common and not readily explained.

It's worth pointing out that no one wrote in to say WP was a crappy
program; indeed, one writer took pains to say it was still his
word-processor of choice, warts and all. I just hope the next version
is a bit more careful about writing to removable media.
(I'm not a sophisticated programmer, so will some hotshot tell me: is
WP taking a shortcut there around the DOS file-writing functions, and
is that what's trashing all those floppies?)

------------------------------

Date: Tue, 08 Jan 91 09:26:17 +0000
From: ccx020@cck.cov.ac.uk (James Nash)
Subject: Re: UK Computer Crime Unit

XPUM04@prime-a.central-services.umist.ac.uk (Anthony Appleyard) writes:
>>"The UK Computer Crime Unit hasn't got an email-address, nor do they
>>read these UUCP-news. Pandy
>>pandy@spiff.hut.fi"
>
>If they aren't in contact with the computing world, how can they operate
>effectively? If they can't email, and have to rely on GPO mail and the
>phone and personal visits, and can't get email circulars, they are going to
>be way behind developments. Can't they afford a microcomputer and a modem?

The reason why the UK CCU has such a small budget is because their
superiors do not believe there is a problem. If more people in the UK
actually reported viral infections as crimes then the police might be
interested in solving those crimes. We are years behind America and
other nations in this respect.

Also, if (and hopefully when) the "worms" are caught who write
viruses, they can be prosecuted for the damage they have caused. If
no-one has reported a crime, no action can be taken.

- --
James Nash, Coventry Polytechnic, England

------------------------------

Date: Mon, 07 Jan 91 04:26:51 -1200
From: Mark Anbinder
Subject: Strange Problem Running Disinfectant 2.4! (Mac)

(Original poster described problem with Disinfectant launching and
immediately showing a flashing message asking the user to insert a
disk.)

I have a suggestion on how to handle the problem you've been having.
It sounds like someone has turned on the setting that makes that copy
of Disinfectant an auto-starting scanning station.
This is designed to allow a facility manager such as yourself to set
up a single Mac with no mouse and no keyboard (tamper-proof, in other
words) that can be started up with a disk containing a Disinfectant
that will automatically go into this mode.

The solution I'd suggest is that you throw away the Disinfectant Prefs
file in the System Folder of the hard drive in question. Then,
Disinfectant will use its default settings, and you should be fine.

Another solution is to do your checks by shutting down each computer,
and then starting up from a locked startup floppy containing only a
stripped-down System, a Finder, and Disinfectant. This will ensure
that the settings remain the same from one session to the next.

- --
Mark H. Anbinder              mha@baka.uucp
BAKA Computers, Inc.          607-257-2070 - FAX 257-2657
200 Pleasant Grove Road       QuickMail QM-QM 257-2614
Ithaca, NY 14850              Memory Alpha BBS * 607-257-5822

------------------------------

Date: Mon, 07 Jan 91 16:44:29 -0500
From: MONAT%UOTTAWA@acadvm1.uottawa.ca
Subject: Prevent hard disk infection? (PC)

Is there any way to prevent a virus from infecting a hard disk when
you cold boot with an infected diskette in drive a: ? (I should have
written "when you unfortunately have left a diskette in drive a:" or
"when you leave your computer unattended and someone boots from a
diskette").

Paul M. Monat
Lab Manager                   Phone: 613-564-6895/6500
Faculty of Administration     Fax: 613-564-6518
Canada K1N 6N5                Bitnet: Monat @ Uottawa

------------------------------

Date: Tue, 08 Jan 91 13:52:32 +0000
From: Mr Gordon S Byron
Subject: Auto-scanning Virus Vaccine? (PC)

I am interested in finding a DOS antivirus program which would
automatically scan disks as they are inserted. Ideally, something
like SAM II on the Mac. I noticed a reference to a program called
McAfee's scan. Is that an auto-scan antivirus program?

------------------------------

Date: Tue, 08 Jan 91 15:19:19 +0100
From: swimmer@rzsun4.informatik.uni-hamburg.de (Morton Swimmer)
Subject: Fish Virus Activation (PC)

I'm not sure whether this is generally known, but the Fish virus's
damage is activated starting from this year (1991). The virus will
(or should) display the message:

    FISH VIRUS #6 - EACH DIFF - BONN 2/90 '~knzyvo}'
                                         ( ^^^^^^^^ VB claims this
                                           translates to TADPOLES )

and the virus halts the machine. This is I believe similar to what
Frodo is supposed to do.

One question remains: is there perhaps another virus (perhaps Whale)
that will continue from that point, via the timer interrupt perhaps, I
haven't looked at Whale that closely yet. Far fetched? Well I fail to
be surprised by anything these viruses do nowadays.

Cheers, Morton
(and thanks to Stefan Tode for the information.)

PS: In light of this: Happy New Year!

------------------------------

Date: Tue, 08 Jan 91 09:32:08 -0500
From: Joe McMahon
Subject: Grapes (Mac)

Try rebuilding your desktop file. Someone may have been playing with
ResEdit and changed the icon for Fortran files to that. If one of them
was changed, the first one copied onto a new disk will make the rest
of them look that way, too.

--- Joe M.

------------------------------

Date: 08 Jan 91 20:23:13
From: pandy@niksula.hut.fi (Pandy Holmberg)
Subject: Re: Grapes virus? (Mac)

NDG503@csc1.anu.edu.au (Nick Guoth) writes:

- -> We are using MacFortran on some of our Macintoshs here and just over
- -> the last few days, we seem to have contracted a strange virus or
- -> something. Now I'm never confident about viruses affecting us here in
- -> Australia as the protection software generally arrives before the
- -> virus. What is happening is that the icons for the Fortran executable
- -> files have turned into bunches of grapes.

As I can't examine your machine from here all I can do is come with
guesses. I haven't heard of this behaviour before so what I suggest
is.

Use ResEdit or some other Resource editor to determine from which
program the grape icon originates. Then study that program closely.

Another explanation would be that another application has the same
creator name i.e. if you make a program of your own and make the
creator name WILD all hypercard stacks will have the same icon as your
program and vice versa. (OK. It's not THAT simple, but close enough.)

Third guess: Check that the original icons still are in the MacFortran
application. Some wise guy might have redesigned them.

I would be interested in hearing what you discover.

Tsaukki says Pandy

- --
"Don't worry, ski happy" - Skischule Arlberg
******************************************************************************
 /I  I  Andreas "Pandy" Holmberg              pandy@spiff.hut.fi
/-I-I   Helsinki University of Technology     pandy@otax.hut.fi
/ I I   Faculty of Electrical Engineering     s37775d@taltta.hut.fi
******************************************************************************

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 6]
****************************************