VIRUS-L Digest   Friday, 19 Apr 1991    Volume 4 : Issue 66

Today's Topics:

F-Prot (PC)
Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)
Trying find a good anti-viral software (PC)
3Com Attack? (PC)
F-PROT 1.15 - Can't find Stoned (PC)
Manual CASCADE-removal? (PC)
Re: Do any viruses affect Novell? (PC)
Re: HyperCard anti-virus script bad (Mac)
FORM virus (PC)
Re: AF/91 and April Foolism in general
Re: Viraphobia (Re: AF/91 and April Foolism in general)
Error in F-PROT 1.15 (PC)
LANs vs. viruses

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 18 Apr 91 11:57:25
From:    (Steven W. Smith)
Subject: F-Prot (PC)

I just received FPROT115.ZIP and installed it.  I found a very minor
glitch: I ran the f-test program, and it reports "F-DRIVER is not
installed or not working!".  I tested it against Cascade, and it is in
fact working.  I am using DR DOS 5.0 on a Rycom "3060" 80386 with 4 meg
RAM; F-driver is installed with:

    device=c:\qemm\loadhi.sys /h/s c:\f-prot\f-driver.sys

 _,_/|
 \o.O;   Steven W. Smith, Programmer/Analyst
=(___)=  Glendale Community College, Glendale Az. USA
   U     SMITH_S@GC.BITNET

*poof* My opinions are now your opinions, so you'd better get used to it!

------------------------------

Date:    Thu, 18 Apr 91 11:56:18 -0700
From:    ntg!slandrum@apple.com (Stephen Landrum)
Subject: Re: Is virus infection by inserting floppy disk possible? (PC) (Mac)

CAH0@gte.com (Chuck Hoffman) writes:
> [ ... ]  WDEF is
>benign, and is easily deleted, [ ... ]

The Hitchhiker's Guide to Computer Virii entry for the WDEF virus is
"Benign".  Ford Prefect and I would like to change the entry to "Mostly
Benign". :-)

We have a lot of Mac IIci's at work, and there is a bug in WDEF (yea, a
bug in a virus :-) ) that causes it to crash the IIci when a disk with
WDEF on it is inserted in the floppy drive.  Fortunately, this flaw
means it never gets installed on the IIci, but it can be frustrating if
you don't have some INIT installed that catches WDEF and removes it
before it crashes the machine.

--
Stephen H. Landrum  VOICE: (415) 813-8909  UUCP: ...apple!ntg!slandrum
USNAIL: New Technologies Group Inc.  2468 Embarcadero Way, Palo Alto CA 94303

------------------------------

Date:    Thu, 18 Apr 91 15:45:00 -0500
From:    "Sant."
Subject: Trying find a good anti-viral software (PC)

Can someone please help with the following problem?  I would like to
know which of the following virus protection programs are the most
reliable:

    McAfee's SCAN/VSHIELD/CLEAN
    Norton's Anti-Viral program
    Virex-PC

Since I do download quite a bit from ftp sites, I need to protect my
system from viruses.  Currently, I have been using McAfee's VSHIELD &
SCAN programs.  Before I register the programs, I want to know if
Norton's programs are just as good or better?  Registering for the
three McAfee's programs would be more expensive than buying Norton's
program.  I recently missed a sale pricing Norton at $50.  If Norton is
not as good, then I'd rather pay more for the better protection.  So,
can someone tell me what is the most reliable software to get?  I
should state that I do use Windows over half the time.

Is there something similar to MAC's SAM?
I like how the program automatically checks any removable disks which
have been inserted into the drive.  Is there a PC version of this
software which does the same thing?

+------------------------------------------------------------------------------+
| Santanu Sircar                        BITNET: ssircar@umaecs.bitnet          |
| University of Massachusetts/Amherst   INTERNET: ssircar@ecs.umass.edu        |
+------------------------------------------------------------------------------+

------------------------------

Date:    Thu, 18 Apr 91 15:58:33 -0600
From:    rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
Subject: 3Com Attack? (PC)

The current issue of Network World (April 15th) has a front page item
on 3Com's campus net being hit by a virus (a 5,000 node network).
Interesting article, but nowhere can I find what virus was involved.
Anyone have any 'inside' information?

Richard Travsky
Division of Information Technology   Internet: RTRAVSKY @ CORRAL.UWYO.EDU
University of Wyoming                (307) 766 - 3663 / 3668

------------------------------

Date:    Thu, 18 Apr 91 16:35:00 +0000
From:    Jim Schenk
Subject: F-PROT 1.15 - Can't find Stoned (PC)

Hello,

I just downloaded the latest version of F-PROT, version 1.15, from
beach.gal.utexas.edu.  Before upgrading my old 1.14, I decided to test
the new version.  It was able to detect and disinfect
Israeli/Jerusalem, as well as Yankee (TP-44); however, when I ran
F-DISINF on a known "Stoned"-infected floppy, I got the message:

    "This boot sector is infected with a new virus."

I then ran F-DISINF from version 1.14, which gave me the expected

    "This boot sector is infected with the Stoned virus. Disinfect?"

message.  Scratching my head, I took a peek at the sign.txt files for
both versions.
F-PROT 1.14's sign.txt had an entry:

Stoned yMAoWM85aMkPEkvm8p8WVs7NW5H5hk70JqdKUh4YVYCslmfA

While version 1.15's sign.txt had the entries:

Stoned-379 PmAcC5wma5utNjB5R7QqEV2ew8ErtdMmF3wRDKb5o3umMKyY7jVz0mKUakrP
Stoned-fam PM8oCju535LdT555sd5Km5I40NVsjajLns0Np58WedJu

I added the 1.14 signature into 1.15's sign.txt file, ran F-DISINF
again, and sure enough, it was able to find and disinfect Stoned.

Has anyone had any similar experiences with 1.15?  By the way, I've
been using F-PROT on campus here since version 1.10, and it is by far
the best anti-virus program I've tested.

Jim Schenk
University Computer Services
Florida International University
Bitnet: jims@servax
Internet: jims@servax.fiu.edu

------------------------------

Date:    Thu, 18 Apr 91 18:31:03 +0200
From:    SI0_AB90038@DEBET.NHH.NO
Subject: Manual CASCADE-removal? (PC)

I had for some time a few programmes that were not backed up.  During
this period, my PC was infected by the CASCADE-1701 *COM-virus.  I have
planned just destroying the files; they are not worth as much as the
price of a disinfector; but hope that someone here can assist me in
manually removing this virus.  If this implies a lot of work, I'd
rather destroy the files, but if anybody can help me, I'd be grateful.
If you find out that the workload will be too heavy, please mail me
anyway so I can start deleting...

TNX in advance from

Audun Bringsvor
Norwegian School of Economics
si0_ab90038@debet.nhh.no

------------------------------

Date:    Thu, 18 Apr 91 17:32:17 -0700
From:    jesse%altos86.Altos.COM@vicom.com (Acer - Jesse Chisholm)
Subject: Re: Do any viruses affect Novell? (PC)

|dweissman@amarna.gsfc.nasa.gov (WiseGuy) writes:
|> What viruses (if any) affect Novell local area networks?  Any DOS
|> virus?  Over a broadband/ethernet LAN?

About 1.5 years ago, our NOVELL network was infected with Jerusalem-B.
What happened was MicroSoft-Word needs to be writable because it can
reconfigure itself for some user options.
What we think happened is the supervisor ran MSW from a workstation
that was infected.  From MSW the whole company was soon infected.
Since MSW remained writable to itself, it infected itself 70 some-odd
times.

The infection was not detected until a TSR that was being developed in
the R&D department started showing erratic behavior.  It worked fine
the first time it was compiled and run, but never again.

Because of this, and the three weeks it took to clean house, our MIS
department purchased a battery of protection programs and scanning
programs.  We have had no network infections since.

We have been infected by Stoned, Jerusalem-B, Disk-Killer at various
times since then, but only on a limited number of workstations before
it was detected and cleaned.

We have a problem trying to keep suspect floppies out of our system,
since the Taiwan office is always sending floppies to us and not
everyone knows about viral protection.  It's an uphill battle, but so
far we are winning.

--
Jesse Chisholm          | "I've UNDERSTOOD IT!  Well, that is, ...,
jesse@Altos86.Altos.COM | I'm not exactly sure WHAT I've understood,
Tel 1-408-432-6200x4810 | but I have the impression I've understood
Fax 1-408-434-0273      | SOMETHING."  -- Anselm Lanturlu

------------------------------

Date:    Fri, 19 Apr 91 00:02:59 +0000
From:    mike@pyrite.SOM.CWRU.Edu (Michael Kerner)
Subject: Re: HyperCard anti-virus script bad (Mac)

You know, I've been doubting my own infallibility for the past few days
since Bruce posted the "sorry, but it won't work", so I tried to send
set and the params directly to HC, only it isn't happening, guys.  Now
I really would like to put this whole thing to rest, so try it: Try to
send the set command directly to HC and change the script of a stack.
I have yet to be able to do it.
In other words, the theory is, of course, correct, but it ain't working
in practice, and I'm out of ideas, so please, all ye doubters, try it
and then send me your scripts because all I'm getting are error
messages with no results.  Don't send me your ideas, I want working,
syntactically correct scripts.  If they work for me I'll withdraw my
previous comments.  Until then, please prove me wrong.

Mikey.
Mac Admin
WSOM CSG
CWRU
mike@pyrite.som.cwru.edu

------------------------------

Date:    Fri, 19 Apr 91 03:10:41 +0000
From:    woodd@spot.Colorado.EDU (WOOD DEREK H)
Subject: FORM virus (PC)

A local Community College I work at was just dropped dead by the FORM
virus (as detected by Norton Anti-virus).  Any help you can throw at me
as soon as possible would be appreciated.  We are entering the Finals
week next week, and students need the units in order to finish
projects.  Either here or e-mail would be greatly appreciated.  We have
identified about 150 machines that are infected, and hope to find a
fix.  We are fairly much novices when it comes to dealing with viruses,
so any info from the simple to the technical will be appreciated.

THX!
Derek Wood

------------------------------

Date:    Wed, 17 Apr 91 22:29:27 +0000
From:    jkp@cs.HUT.FI (Jyrki Kuoppala)
Subject: Re: AF/91 and April Foolism in general

[ someone writes lots of babbling about lawsuits and such for an april
fools joke ]

If people lack knowledge about the things they're reading and in
general take everything they read from newspapers as the Truth without
checking it first with someone competent enough to know what's it all
about, in my opinion they deserve all what they get.  You're in much
more trouble than some lost time if you blindly believe anything you
happen to read in a publication.

It seems to me that especially in the computer virus field the lack of
knowledge about computer security in general is often exploited by
various venturers.
Sure, there's nothing inherently wrong with wasting your money spending
it on various virus detection programs, populist books and such.

Computer viruses in themselves are not a big problem.  The big problem
is persons with no knowledge of the risks involved and no proper
training and/or usage policies using computer systems with nil (or
worse, security-by-obscurity ones) operating system and application
program access controls, with the programs often written by persons
with equal lack of knowledge.  Add to that the lack of source code and
then even if the users were competent enough they couldn't find or fix
the holes and lacks of controls.

//Jyrki

------------------------------

Date:    Fri, 19 Apr 91 10:08:00 +0000
From:    "A.M.MAIR"
Subject: Re: Viraphobia (Re: AF/91 and April Foolism in general)

epan@jarthur.Claremont.edu (Eric C. Pan) writes:

> I am getting tired of all the people whose hair stand on ends
> at the mentioning of viruses.  I think April Fool's Day is a nice way
> to relax....
> I believe some people are too easily panicked by any mentioning
> of virus.  I am beginning to wonder if you will believe me if I claim
> that the human acquired immune deficiency syndrome, i.e. the HIV virus
> is spreading to computer.  Gosh, I am tired of all the people who ask
> me to check their disks for viruses every time they get a system error,
> or their drive makes a funny sound.
> Track Record so far?  Out of 20 some people I helped, none of
> them have ANY VIRAL INFECTION.  NONE!  And yet everyday, someone would
> scream "Computer Virus" because they crashed their system, sometimes
> because they pushed their reset button.
> Is there someway we can stop this PARANOIA?  I think suing
> anyone who bring up virus as a joke is definitely not a solution.

Consider yourself lucky not to be dealing with virus.  We now *have* to
scan publicly used machines daily at this university.
Personally, I find "ping" or "stoned" (now being reported as
"stoned/swedish") being brought in on students' floppies.

Ann

------------------------------

Date:    Fri, 19 Apr 91 10:13:39 +0000
From:    frisk@rhi.hi.is (Fridrik Skulason)
Subject: Error in F-PROT 1.15 (PC)

An error was discovered in version 1.15 of F-PROT.

Symptoms: F-TEST would report that F-DRIVER was not installed or not
          working, when in fact it was.

Reason:   F-TEST was locked by F-XLOCK, but it should not have been.

Fix:      Either just give the command

              F-UNLOCK F-TEST.COM

          or replace the F-TEST.COM with the following program.

begin 755 f-test.com
hY70u1U4o0QoVi+-AnG349IFGGJN3IW-dQm-iPrEUOKtnR43gP4JY64xm64tj
BR0-rPr7fOKtb6Eo87034
+
end

-frisk

------------------------------

Date:    Fri, 19 Apr 91 09:58:26 -0400
From:    Kenneth R. van Wyk
Subject: LANs vs. viruses

There has been some renewed talk recently about viruses infecting LANs.
I would just like to toss in the following observation.

LANs (specifically LAN file servers) are, in essence, multi-user
systems.  As with other multi-user systems (e.g., UNIX), there are many
administrative issues involved with virus protection in addition to the
basic integrity of the LAN operating system.  Most importantly, file
and directory protections become critical.  A single world-writable and
publicly available file can quickly become a vector for a virus without
the virus having ANY knowledge that it is indeed infecting a LAN; most
LAN interfaces are, after all, designed to look just like DOS to the
average application program and to the user.  Also, privileged users
can bypass file protections.  If a privileged user executes an infected
file, the LAN may become infected - again without the virus having any
knowledge that it is infecting a LAN.

These issues are CRITICAL!  Before we jump to conclusions about any LAN
being susceptible to a virus, we must very carefully examine all of the
possibilities.
Cheers,

Ken van Wyk

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 66]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253
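
Added example (not part of the digest and not code from any poster): the "LANs vs. viruses" message names world-writable program files on a file server as an infection vector, which is also the condition in the Jerusalem-B account of the writable word-processor executable. This Python audit lists such files on a shared tree. It assumes the share is mounted on a POSIX system so that mode bits stand in for the server's file and directory protections; the extension list and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Extensions treated as DOS program files (an assumption for this example).
PROGRAM_EXTS = {".com", ".exe", ".ovl", ".sys"}

def audit_share(root):
    """Return sorted (relative_path, reason) pairs for programs any user can alter."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        dmode = os.stat(dirpath).st_mode
        # World-writable directory without the sticky bit: anyone may replace files.
        dir_open = bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            ext = os.path.splitext(name)[1].lower()
            if not stat.S_ISREG(mode) or ext not in PROGRAM_EXTS:
                continue
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            elif dir_open:
                findings.append((rel, "replaceable: directory is world-writable"))
    return sorted(findings)

def build_sample_share(root):
    """Create a constructed sample tree; modes are chosen to show each case."""
    layout = {
        "apps/WORD.EXE": 0o666,    # left writable so it can reconfigure itself
        "apps/EDIT.COM": 0o444,    # read-only program: not reported
        "apps/README.TXT": 0o666,  # writable, but not a program: not reported
        "public/TOOL.EXE": 0o644,  # file is protected, its directory is not
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(b"MZ")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "apps"), 0o755)
    os.chmod(os.path.join(root, "public"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        for rel, reason in audit_share(tmp):
            print(f"{rel}: {reason}")
```

The second finding is the easy one to miss: a read-only program in a directory anyone can write to can still be swapped for an altered copy.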