VIRUS-L Digest   Thursday, 12 Dec 1991    Volume 4 : Issue 235

Today's Topics:

Re: Washburn and Ethics
Untouchable From Fifth Generation Systems (PC)
Re: password program (PC)
Not a virus / Generic Boot virus (PC)
Booting from clean floppy (PC)
re: VSHIELD testing boot drives during warm boot (PC)
"Bloomington" Virus (PC)
Scan for Win3 & Ver. 85 (PC)
TBSCAN does odd things on my computer (PC)
Name that VIRUS? (PC)
Re: M.Angelo Virus (PC)
A good low-cost Macintosh anti-virus... (Mac)
McAfee files on risc (PC)
Revision to Product Test--VirusDetective/VirusBlockade II (MAC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Tue, 10 Dec 91 12:17:02 -0800
>From:    Eric_Florack.Wbst311@xerox.com
Subject: Re: Washburn and Ethics

Y. Radai

>In the case of SECURE, I was faced with a similar dilemma. Ok, what
Washburn did was unethical. But boycotting Washburn would hardly act
as a deterrent in any similar case since it's highly unlikely that
other authors of anti-viral software would be naive enough to admit to
having written a virus.<<

Kinda depends how that information got out to the public, doesn't it?
Perhaps just the fear of being found out would prevent them from
writing more, assuming a strong reaction to a Washburn, for example.

>>Therefore the deterrent power of boycotting software of known virus
writers seems to be nil. I suspect that the main motive for the demand
to boycott Washburn is simply to get revenge on him, and such
considerations do not particularly interest me.<<

I'm not so sure that such actions were personal in motivation, as much
as an attempt to signal other writers that their actions would not be
tolerated. It stands to reason that anyone who knows enough about
computers to create a virus, does other 'above board' programming. If
word got to such people their paycheck would be affected if word got
out about their 'under board' activity, it stands to reason that less
virus programs would be created. In the case of Washburn, it would
appear to be a situation of him being the cure for the problem he
secretly created, if I read your statements correctly. Your position
seems, on the surface, to allow such, regardless of your specific
dilemma.

>>Suppose we are at war<<

I'd bet you couldn't think of any other examples under which virus
release would be ethical. I know I can't.

>> As I said a couple of times, this subject has little to do with the
facts,<<

To the contrary; half of the effort to combat against virus
programming is in the tech area, but only half. The other half, it
seems to me, is in the area of ethics, and how we respond to such
people as create such monsters.

To: Gene; You from Rochester? Your name is known to me...

------------------------------

Date:    Tue, 10 Dec 91 14:37:38 -0600
>From:    A-GROS@vm1.spcs.umn.edu
Subject: Untouchable From Fifth Generation Systems (PC)

I recently received an ad for an antivirus program called Untouchable
from Fifth Generation Systems which I have not heard of or seen
before. Does anyone have any positive or negative experiences with
this program? We use FPROT and SCAN here for the most part but I am
open to using other programs if they are decent for the $$. The price
of this one is $149 in the ad.

Thanks so much for any information anyone can provide.

==Audrey N. Grosch               Bitnet:   A-GROS@UMINN1            ==
==(612) 624-7038 voice           Internet: A-GROS@VM1.SPCS.UMN.EDU  ==
==(612) 624-4318 BBS             FidoNET:  1:282/32                 ==
==      Home of the University of Minnesota Libraries BBS          ==

------------------------------

Date:    Wed, 11 Dec 91 11:28:00 -0500
>From:    chuck@npdiss1.stpaul.NCR.COM
Subject: Re: password program (PC)

>We have recently found on our public pc's some sort of password
>program that I think has somehow been put into the cmos. It seems to
>be a "commercial type product" that has been put on for fun. Does
>anyone know of this and obviously more importantly, how do I get into
>the pc to get it off. Booting from floppy does not work as cmos is
>run before this.

The best way to get rid of something like this is to power down the PC
and then disconnect the CMOS battery for about ten minutes. After
that, hook the battery back up, reconfigure the CMOS, and you're on
your way.

Good luck.

- --
Chuck Rissmeyer - charles.rissmeyer@StPaul.NCR.COM
KE0VG - KE0VG @ WB0GDB.mn.usa.na.earth
NCR/CCS - NPG PM&S (Product Team)
(612) 638/I652/-7669

------------------------------

Date:    Wed, 11 Dec 91 12:41:00 -0500
>From:    Eric Carlson
Subject: Not a virus / Generic Boot virus (PC)

Thanks for the responses to what I thought might have been a virus.
My message in VIRUS-L issue 227 asked if the message "Slyder Says..."
in dBase III might be a virus. It was NOT a virus. I was finally able
to go to the other campus and determine that someone had merely added
it to the PROMPT command in the CONFIG.DB file. Now I will know where
to tell the lab supervisor to look in the future.

- -----------------------------

I also ran into a floppy that SCANv84 said had a GENERIC BOOT SECTOR
VIRUS. I also tried CPAV 1.0, NAV, and F-Prot 2.01. The only thing
that said anything (other than SCAN) was the ANALYZE function in
F-PROT 2.01 and it agreed with scan.

I didn't do anything to the disk after that, but I saved a copy of the
BOOT sector to a file using NORTON 6.01 DISKEDIT. I have that file if
anyone wants it. Just tell me how to transfer it (if that is
possible).

What should I have done to the disk? It was some sort of spreadsheet
file disk used in some courses.

------------------------------

Date:    Wed, 11 Dec 91 20:06:12 +0100
>From:    Mikael Larsson
Subject: Booting from clean floppy (PC)

=====================================================================
= This letter is a forward from the echo "VIR_DIGEST.INT" in VirNet =
= Since we don't have any functional gateway yet, I am manually     =
= forwarding all replies from VirNet back to Virus-L. Please note   =
= that the messages I forward has nothing to do with neither me or  =
= Virus Help Centre.                Mikael Larsson, ZoneHost VirNet =
=====================================================================

In Message Mon, 09 Dec 91 10:43:58 +0000 Fridrik Skulason writes:

> The first ability is the reason it is recommended to boot from a "clean"
> floppy before you run a virus scanner.

Hello

Let me disagree with You. I think if "virus scanner" can really
disinfect virus in memory it does not matter from where You booted
computer, for example it is very easy to stop activity of 4096 just
replace 3rd call to jmp in virus and it will stop activity, and "virus
scanner" can try to scan any file. Of course if "virus scanner" can
not cure virus in memory it is very dangerous to scan files...

BTW should do users who has no floppy drives ? :-)

> - -frisk

\/ictor Smith

------------------------------

Date:    Wed, 11 Dec 91 20:09:00 +0100
>From:    Mikael Larsson
Subject: re: VSHIELD testing boot drives during warm boot (PC)

=====================================================================
= This letter is a forward from the echo "VIR_DIGEST.INT" in VirNet =
= Since we don't have any functional gateway yet, I am manually     =
= forwarding all replies from VirNet back to Virus-L. Please note   =
= that the messages I forward has nothing to do with neither me or  =
= Virus Help Centre.                Mikael Larsson, ZoneHost VirNet =
=====================================================================

In Message Wed, 20 Nov 91 23:29:12 +0000 from mcafee@netcom.com
(McAfee Associates) Aryeh Goretsky writes:

> VSHIELD is designed to intercept "warm boots" (Ctrl Alt Del's) and
> then check the boot drives (A: and C:) for a boot sector or partition
> table virus before allowing the reboot to continue. VSHIELD then does

Hello Aryeh,

Only one thing You forgot, for example my computer has very
interesting key - "Reset" :-). I mean that usually people reboot
computer by pressing this key or switching power on, of course I agree
that it is very useful feature, but sometimes it does not work.

Greetings

\/ictor Smith

------------------------------

Date:    Wed, 11 Dec 91 19:22:59 +0000
>From:    david.lannigan@dsp.analog.com (David K. Lannigan)
Subject: "Bloomington" Virus (PC)

Having just purchased Norton Anti-Virus, we discovered a strain of the
"Bloomington" virus on a floppy we have. The strange thing is that we
can't find it on any hard drives we have, just a floppy that we copied
some files onto.

Can anyone tell me more about this "Bloomington" virus? Any and all
info will be much appreciated, via email preferably.

Thanks in advance.

/******************************************************************
 Analog Devices Inc.                  David K. Lannigan
 Digital Signal Processing Division   david.lannigan@analog.com
 1 Technology Way                     (617)461-3128
 Norwood, MA 02062-9106 USA
******************************************************************/

------------------------------

Date:    Wed, 11 Dec 91 15:51:52 -0600
>From:    Andy Berkvam
Subject: Scan for Win3 & Ver. 85 (PC)

Does the new version of VIRUSCAN (85) work with Scan for Windows? I
replaced VIRLIST.TXT and SCAN.EXE with the new versions and it seemed
to work. Is a new version coming out that supports the new switches?

What does the B mean in WSCAN84B.ZIP? Beta? Just out of curiosity...

===============================================================================
Andy Berkvam                              aberkvam@helios.uwsp.edu
University of Wisconsin                   be215645@uwspmail.uwsp.edu
Stevens Point, WI  54481                  \\//_
===============================================================================

------------------------------

Date:    10 Dec 91 19:47:45 +0000
>From:    rstanton%garnet.Berkeley.EDU@ucbvax.Berkeley.EDU (Richard Stanton)
Subject: TBSCAN does odd things on my computer (PC)

I have just tried to use the new TBSCAN virus scanner, v. 3.0 (though
this used to happen with older versions, too).

When I try to run it, using

TBSCAN C:\

it runs through all the files OK, but there are two problems:

1) It tells me it is "SKIPPING" every executable - not too useful

2) My 3 1/2" floppy drive light comes on and the drive makes a noise
   during the entire scan.

When I remove all device drivers and TSRs, 2) is cured but 1) is still
a problem. My machine is a PS/2 model 90 (486).

Has anyone else noticed this, or alternatively, how do I send mail to
the fidonet addresses listed in the DOC file?

Richard Stanton

------------------------------

Date:    Thu, 12 Dec 91 10:53:25 -0600
>From:    rollins@cajun@bb1t.monsanto.com
Subject: Name that VIRUS? (PC)

HALP!

Any idea what virus, if any, displays semi-random multi-colored
reverse-video cells on the pc screen and then locks up the pc?
(semi-random = distribution tends toward the left.)

And if you recognize it, any idea what software might be able to
"heal" the system?

thanks muchly!

matt rollinson
ROLLINS@LLG013.MONSANTO.COM

------------------------------

Date:    12 Dec 91 19:21:00 +0000
>From:    "ANGIOLELLA, NICOLA"
Subject: Re: M.Angelo Virus (PC)

JOHNSON@tarleton.edu writes...

>We have been infected with the M.Angelo virus in our student computer
>lab. I would like to know what this virus does and how to remove and
>inoculate against it.

The M.Angelo virus infects the Disc Partition Table, the fixed Disc
Boot Sector and it installs itself into memory. This virus also
corrupts the program or overlay files, it affects the system run-time
operation and it directly or indirectly corrupts file linkage. On
March 6, M.Angelo's birthday, it FORMATS the hard disc of the infected
PC.

If you can get your hands on McAfee SCAN, they have the antidote to
remove such a virus.

Nick (The DVS1)
n_angio@pavo.concordia.ca

------------------------------

Date:    Wed, 11 Dec 91 20:40:29 +0000
>From:    csfed@ux1.cts.eiu.edu (Frank Doss)
Subject: A good low-cost Macintosh anti-virus... (Mac)

On my campus, we have started getting Macintoshes. My experience with
the anti-viral effort has been primarily on the PCs. Can anyone tell
me what a GOOD low-cost Macintosh anti-virus package would be?

Thanks in advance.

Frank E. Doss
Academic Computing              csfed@eiu.edu
Eastern Illinois University

Please respond by E-mail. If anyone wishes, I'll summarize.

------------------------------

Date:    Thu, 12 Dec 91 09:08:49 -0600
>From:    James Ford
Subject: McAfee files on risc (PC)

The following files have been placed on risc.ua.edu (130.160.4.7) for
anonymous FTP in the directory pub/ibm-antivirus:

        scanv85.zip  (update)
        vshld85.zip  (update)
        netscn85.zip (update)
        vshld85.zip  (update)

Question: The latest version of vcopy on risc.ua.edu is v82. Is there
a later version around?

- ----------
Poise is the act of raising the eyebrows instead of the roof.
- ----------
James Ford - Consultant II, Seebeck Computer Center
             The University of Alabama (in Tuscaloosa, Alabama)
             jford@ua1vm.ua.edu, jford@risc.ua.edu

------------------------------

Date:    Wed, 27 Nov 91 08:05:17 -0700
>From:    Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test--VirusDetective/VirusBlockade II (MAC)

******************************************************************************
                                                                         PT-30
                                                                      May 1991
                                                         Revised November 1991
******************************************************************************

1. Product Description: VirusDetective and VirusBlockade II are
shareware programs to detect and to delete known viruses and trojan
horses for the Macintosh. This product test addresses VirusDetective
5.0 and VirusBlockade II 2.0.

2. Product Acquisition: Both programs are available from their author
Jeffrey S. Shulman through Shulman Software CO., 364 1/2 Patteson
Drive, Suite 300, Morgantown, WV 26505-3202. The cost for registering
VirusDetective is $40.00 for U.S. customers and $45.00 for others. If
one registers VirusDetective and VirusBlockade II at the same time the
cost is $70.00 for U.S. customers and $75.00 for others. A registered
user receives a program diskette, an overview guide, a user license,
and automatic notification of future malicious code search strings.
Registered users also receive a discount on any future upgrade to
either program. Site licenses are available.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst,
Information Systems Command, White Sands Missile Range, NM 88002-5506,
DSN 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or
cmcdonald@wsmr-simtel20.army.mil.

[Ed. The remainder of this review is available by anonymous FTP from
cert.sei.cmu.edu in the pub/virus-l/docs/reviews/mac directory, under
the filename mcdonald.virusdetective.]

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 235]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253