VIRUS-L Digest   Tuesday, 26 Nov 1991    Volume 4 : Issue 227

Today's Topics:

Request for help on getting ".CVP" documents.
PC Week's Skatt Column of Nov 11th: Word Perf. & Virus? (PC)
"Tequila" virus (PC)
What the user wants (was Re: Disk Compression) (PC)
Latest version of McAfee Scan?? (PC)
What's special about LAN's? (PC)
Re: McAfee84 fails on Stone, Azusa and Joshi? (PC)
Telefonica (PC)
Michelangelo Virus (PC)
VIRUS: DIR-II (PC)
Lamer Exterminator (Amiga)
Re: Washburn
Possible Virus (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Sat, 23 Nov 91 22:19:59 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Request for help on getting ".CVP" documents.

cooper%apache.decnet@hsdp1.brooks.af.mil (APACHE::COOPER) writes:

> Dear Gentlemen of Virus-L.
>
> When I was subscribed to the list, someone (sorry I forgot
> your name) was posting instructional files with the extension of
> ".CVP". Is there somewhere that I can do a database search for that
> string? Or do I have to download all the archives via FTP then
> search? Or maybe the kind gentleman can send me all those files?

While the kind gentleman is glad that his writing is appreciated, no,
he is not going to send copies all over the net. He hasn't the time,
nor the bandwidth.
The .CVP files are archived on the bulletin boards of both Microcom and
McAfee Associates. They are also available on Cyberstore, the X.75
address of which is contained in my sigblock.

On the question of where to find the Bontchev article, I refer you to
the original posting by Ken. cert is cert.sei.cmu.edu. If you need more
help than that, wait for Jim Wright's excellent postings every month or
contact Ken.

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If a train station
Institute for  Robert_Slade@mtsg.sfu.ca | is where a train
Research into  CyberStore               | stops, what happens
User           (Datapac 3020 8530 1030) | at a workstation?"
Security       Canada V7K 2G6           | Frederick Wheeler

------------------------------

Date: Sat, 23 Nov 91 21:58:54 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: PC Week's Skatt Column of Nov 11th: Word Perf. & Virus? (PC)

RTRAVSKY@corral.uwyo.edu (Rich Travsky) writes:

> This certainly sounds goofy. Anyone have any idea what the Katt's
> talking about?

I think you hit it bang on the money. Spencer's rumours regarding viri
generally rank in accuracy with the Weekly World News.

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "If a train station
Institute for  Robert_Slade@mtsg.sfu.ca | is where a train
Research into  CyberStore               | stops, what happens
User           (Datapac 3020 8530 1030) | at a workstation?"
Security       Canada V7K 2G6           | Frederick Wheeler

------------------------------

Date: Sun, 24 Nov 91 23:11:13 +0700
From: Myron Seto
Subject: "Tequila" virus (PC)

I used software by the Ikarus Corp. and found a virus called "TEQUILA"
on my hard disk. Would anyone know what is available to get rid of this
virus and where I can get it? Any help is greatly appreciated!

(I would much prefer a private e-mail response due to the large number
of postings to this newsgroup.)
Myron

------------------------------

Date: Mon, 25 Nov 91 16:41:00 +1300
From: "Mark Aitchison, U of Canty; Physics"
Subject: What the user wants (was Re: Disk Compression) (PC)

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) writes:

> I take a more optimistic view: DOS is just a program and when properly
> understood can be both controlled and trusted. The hard part is
> designing a mechanism that is applicable to 60+ (or whatever) million
> existing platforms, installs automatically & seamlessly, is compatible
> with all known applications, and uses no memory.

I agree. Firstly that DOS can be made a lot more secure, and secondly
the problem with existing hardware & software being made safe enough.
Not that the problem is entirely the lack of special hardware on the
older machines, although a 386 or better is preferable; rather it is
hard to get existing users to bother with any virus protection at all,
whether it is 100% perfect or not.

I appreciate what Vesselin Bontchev is saying, but it is from the
perspective of total security, and what some future viruses (and a few
present ones) might be able to do. It is worthwhile spending some time
on such questions, but it is also reasonable to answer questions like:
"What use is a virus protection system that only offers partial
protection?". It shouldn't be a rhetorical question; this is what I
think the answer is...

As I see it, it is hard to get users to make the effort unless it is
either built into the operating system or provides some other advantage
that is worthwhile (like extra disk space), or preferably both. If it
is possible to knock the main viruses on the head, by (for once) having
the majority of PC's stopping/slowing the spread of the main viruses,
then this could have a major impact both on those individual viruses
that have reached epidemic proportions PLUS (I guess) a psychological
effect to discourage new virus production.
NOTES:

(1) The combination of read-protection (via DMDRVR.BIN or DISKSECURE or
DISKGARD) plus SuperStore (I had included Stacker as an option; I think
only SuperStore works with DMDRVR partitions - someone may like to
check that), that I mentioned, isn't enough in itself. You need virus
protection and something like F-PROT as well. However, the important
point is that it is a good starting point, not so much from the
anti-virus perspective - an unlikely combination, since the main
ingredients weren't designed as such - rather from the question of what
is attractive to the majority of users that have ignored anti-virus
products in the past.

(2) You could argue that making it tougher for a virus to survive makes
it more of a game for virus writers. Well, it is tougher still for
viruses on Unix and VMS systems, but you don't see a lot of viruses
there. Unix systems are a special case perhaps, due to hardware
differences, but I suspect the main reasons there aren't plagues of VMS
viruses are: (a) Virus writers don't give the idea of tackling VMS a
second thought, and (b) Users of the system are more security
conscious, because they know the operating system is "serious" about
security. PC's are considered "easy meat" by virus writers.

It seems to me that discussing relatively simple, cheap, POPULAR
antivirus techniques would be rewarding for the PC user community as a
whole. Sure, we have to avoid people thinking they have a totally
secure system, so long as a lot of people adopt at least a reasonable
amount of security. Possibly a new "secure DOS" is it. Possibly a
hardware add-on that gives security plus something else that is
attractive. Overall, the problem is selling the idea to users... not
only the idea of any security at all, but the concept that it is not
(can never be) 100% effective (as anyone determined enough, with a big
enough sledgehammer, can always beat any security system) - yet is
worth having.

Mark Aitchison.
------------------------------

Date: Mon, 25 Nov 91 04:58:54 +0000
From: simone@trace.eng.wayne.edu (Simone Douglas 577-0108)
Subject: Latest version of McAfee Scan?? (PC)

What is the latest version of McAfee Scan? Also, is there a program
that can check floppies for viruses using McAfee Scan immediately upon
placing the floppy in the drive?

thank you

------------------------------

Date: Sun, 24 Nov 91 21:55:00 -0700
From: TED SHAPIN
Subject: What's special about LAN's? (PC)

What, if anything, is special about a virus on a LAN? Is it simply a
matter of needing to scan all the network drives when looking for a
possible virus?

------------------------------

Date: 25 Nov 91 13:36:05 +0000
From: Robert.Turner@brunel.ac.uk (Robert Turner)
Subject: Re: McAfee84 fails on Stone, Azusa and Joshi? (PC)

mcafee@netcom.com (McAfee Associates) writes:

>If you want to prevent your PC's from being booted from a floppy disk,
>you may want to consider a new BIOS that will allow you to "lock out"
>boots from the floppy drives, or a card that will do something similar.

The simplest form of protection from booting from floppies that we have
found is hard-wiring the floppy disc to be the 'b' drive, then
assigning it back as part of boot-up. Combining this with a partitioned
disc, and a write-protect on the 'C' drive, means that our classroom
machines are (almost) impervious to viruses. However, we have had to
write a new front end to FORMAT; this procedure will only work on
single-drive machines, and the command 'COPY A: B:' will no longer
work. Small cost for an uninfected environment.
Rob
--
________________________________________________________________________
/                            |                                          \
| Rob Turner                 | email : Robert.Turner@brunel.ac.uk       |
| Brunel University          |                                          |
| London, England            | Tuppence of trivia                       |
\____________________________|__________________________________________/

------------------------------

Date: 25 Nov 91 13:57:38 +0000
From: Robert.Turner@brunel.ac.uk (Robert Turner)
Subject: Telefonica (PC)

hi

We have recently been inundated with a new (to us) virus, called
Telefonica (AKA Spanish Telecom, Anti-Tel). Before new software was
acquired, this virus managed to run its course on a few machines, and
we have been left with some dead PCs. Does anyone have experience of
this virus, and if so, can they tell me how to recover a totally
corrupted hard disc?

Also, is there any way of removing this virus safely from a floppy
disc? Norton is erratic, and seems to wipe the contents of the disc two
or three times more than saving the data. Scan (McAfee) recognises the
virus but cannot remove it. We have been removing all files,
re-formatting the disc, then replacing files, but there must be a more
elegant method than this.

Thanks in advance,

Robert Turner
--
________________________________________________________________________
/                            |                                          \
| Rob Turner                 | email : Robert.Turner@brunel.ac.uk       |
| Brunel University          |                                          |
| London, England            | Tuppence of trivia                       |
\____________________________|__________________________________________/

------------------------------

Date: Mon, 25 Nov 91 17:14:07 -0500
From: Scott Bringen
Subject: Michelangelo Virus (PC)

I recently discovered that my 386 compatible was infected with the
Michelangelo virus. I had downloaded the Windows version of McAfee's
VSCAN84.ZIP and ran a quick test after installing it into Windows. I
had been running a previous version of VSCAN and had not detected
viruses. But version 84 picked up the Michelangelo virus on the boot
sectors of my C: HD and about half of the floppies used on my A: drive.
I quickly downloaded CLEAN84.ZIP and cleaned my hard drive and
floppies. After doing a cold reboot VSCAN reported 'no viruses found'.
Later, I ran the validation program included in the ZIP file. The HEX
patterns matched.

Since this is my first run-in with computer viruses, will someone
please explain what Michelangelo (a boot sector virus) does to PCs. And
can I be confident that CLEAN84 did *really* remove it from the
disinfected disks?

Thanks for any replies,

Scott Bringen (ZMSKB@SCFVM.BITNET)

------------------------------

Date: Tue, 26 Nov 91 09:14:03 +0700
From: avi enbal
Subject: VIRUS: DIR-II (PC)

HELLO THERE !!!

I heard & read about the viruses above (DIGEST-4). We tried all kinds
of anti-viral software (CLEAN 84, F-PROT, etc). All of them informed me
about "my" viruses; NO ONE of them CLEANS this virus. Your concept is
requested as QUICKLY as possible.

Avi Enbal
University of Haifa
Computer Center
972-4-240777

------------------------------

Date: Tue, 26 Nov 91 11:30:39 +0000
From: d90mb@efd.lth.se (Maarten Berggren)
Subject: Lamer Exterminator (Amiga)

(Posting this both to comp.virus and to comp.sys.amiga.misc, because it
seems like just a few Amiga owners read comp.virus)

Yesterday, my Amiga locked up when I booted it. (After some loading
from the disc, the AmigaDos window just froze.) I found out that the
cause of this was the ARP 'mount ff0: ff1:'. Further investigations
revealed that it was the 'Lamer Exterminator' virus that caused the
lock-up. My Amiga has the 1.2 kickstart; I don't know if the virus will
lock up later versions as well.

So, if you have an Amiga with kickstart 1.2 and you use ARP and the
cli/shell windows freeze when you mount FastFileSystem, it might be the
'Lamer Exterminator' virus...

Mårten Berggren (d90mb@efd.lth.se)

------------------------------

Date: Tue, 26 Nov 91 16:46:00 +0200
From: Y. Radai
Subject: Re: Washburn

Bill Murray challenges my posting opposing Frisk's recommendation to
ignore the software of Mark Washburn or any other virus author. Well
well, Bill, I felt pretty sure that my posting would bring you out of
the woodwork, and I see I wasn't wrong.

>>And Mark's viruses are not destructive.
>
>Patently false.

When making a statement like this, it is customary to produce
*evidence*, not merely to rely on words like "patently" as if that
settled everything. My statement that they are *not* destructive can
be checked in any of the usual virus catalogs. (Of course, they and I
are using the term "destructive" in its usual sense of deleting or
overwriting files, destroying the FAT, formatting disks, etc.)

> we must, in our own collective interest, punish the
>behavior, without regard to its perpetrator, his intent, or subsequent to
>his meaning. ....
> We should ignore, indeed we should
>ostracise, any and all who intentionally or knowingly release a virus.

These statements are not truths, but merely opinions. My opinion is
that we should weigh the benefit of such punishment against the benefit
of providing knowledge of (what I believe to be) a good product.

>The author of this posting clearly believes that the intent of the author
>is important; it is not.

Again, that's just opinion, and I disagree. And so does the law;
otherwise there would be no difference between murder and manslaughter.
The end result is the same, but the punishment is different, and that's
what we're talking about here: punishment.

>While the author of a virus can be expected to know a little bit about
>the machine in which some copies of his creation will execute, he cannot
>know about all of them. While he may be able to predict how it will
>behave in a particular machine, he can only speculate as to how it will
>behave in a population, all the salient characteristics of which he
>cannot possibly know.

Agreed. Therefore (1) Washburn's release of the virus was a mistake,
and (2) I would never *encourage* releasing of a virus. But *given the
fact that it HAS ALREADY BEEN RELEASED*, I question the value of
boycotting a good product.

>To assert otherwise is hubris.

Funny, I would have sworn that to assert otherwise was arrogance. And
here it turns out to be hubris! Just goes to show that you learn
something new every day ....

Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL

------------------------------

Date: Tue, 26 Nov 91 10:32:13 -0500
From: Eric Carlson
Subject: Possible Virus (PC)

Microcomputer software support
Northern Virginia Community College, Annandale Virginia

In one of our computer labs some students have been getting a message
while using dBase. The message says "slyder says ..." with quotes. It
is at another campus, so I won't be able to check it out this week for
specifics. Scanv84 says the PC is clean. I haven't had a chance to run
F-PROT analyze on the machine yet to look for suspicious code. It may
just be something that one of the students did, or it could be a virus.
The message seems to be on the ASSIST line at the bottom. Did someone
just add a message to dBase III+?

- Thanks - Eric

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 227]
******************************************