VIRUS-L Digest Monday, 6 May 1991 Volume 4 : Issue 74 Today's Topics: Found Tester Virus [TV] in LOG.COM (PC) Found Tester Virus [TV] in LOG.COM (PC) Virus lists for misc machines Re: Viruses and Database Systems F-prot v1.13 (PC) Trident Microsystems/Packard Bell (PC) F-PROT and FluShot problems Re: can we trust diskette write-protection? (PC) Listing of MIBSRV files. (PC) help with mac "virus"? (Mac) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 02 May 91 09:48:58 -0500 >From: Subject: Found Tester Virus [TV] in LOG.COM (PC) Interesting: We just obtained the new version of SCAN, NETSCAN, VSHIELD, & CLEAN. Thru FTP. Version numbers: CLEAN.EXE 6.9V75, SCAN.EXE 7.2C76, NETSCAN.EXE V76, VSHIELD.EXE 3.3C76, VSHIELD1.EXE VSCRC 0.2 When I try: SCAN c:\utils\log.com f:\utils\log.com no virus... However!! When I try: NETSCAN C:\utils\log.com f:\utils\log.com Virus is found!!: C:\UTILS\LOG.COM Found Tester Virus [TV] F:\UTILS\LOG.COM Found Tester Virus [TV] BUT! I try to clean: CLEAN C:\UTILS\LOG.COM [TV] We get: Sorry, I don't know any thing about the [TV] Virus. Question#1: Why does NETSCAN find the virus & SCAN not find the virus? ---- -------- Question#2: Why doesn't CLEAN get rid of the virus? Should I UUENCODE the file LOG.COM and send it to someone for testing? Question#3: What harmful stuff will the Tester Virus [TV] do to us? Question#4: Why is it only the LOG.COM file from PC-Magazine that I've had for several years that shows up and infected? Is it really not infected and just a bug in NETSCAN? - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - The note above contains my personal views and ideas. The above should not be considered in any way a view of Columbus College. - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - Brian Daniel @ Columbus College, Computer Center, Woodall Hall Rm 113 BDaniel@USCN Cougar Court, Columbus GA 31993-2399 (404)568-2063 ------------------------------ Date: Thu, 02 May 91 11:16:23 -0500 >From: BDANIEL@USCN.BITNET Subject: Found Tester Virus [TV] in LOG.COM (PC) More news on Tester Virus [TV] I downloaded CLEAN76.ZIP from 128.237.253.5 /pub/virus_scan & ran it: CLEAN C:\UTILS\LOG.COM (I ran norton wipefile f:\utils\log.com Cleaning [TV] earlier to fix the file server...) Scanning C:\utils\log.com Found Tester Virus [TV] Virus cannot be safely removed from this file. Do you want to overwrite and delete "LOG.COM" [Y/n] I had a backup of the file incase there is a fix for this in the future. I labeled the disk 'DANGER Found Tester Virus [TV]' I'll redownload scanv76.zip and see if that solves the problem of scan.exe not finding the virus. Vshield didn't find it either. hmmm... - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - The note above contains my personal views and ideas. The above should not be considered in any way a view of Columbus College. - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - _ - Brian Daniel @ Columbus College, Computer Center, Woodall Hall Rm 113 BDaniel@USCN Cougar Court, Columbus GA 31993-2399 (404)568-2063 ------------------------------ Date: 02 May 91 16:36:17 +0000 >From: scott@hsvaic.boeing.com (Scott Hinckley) Subject: Virus lists for misc machines If you know of/have a list of viruses affecting various machines (Mac, IBM, AMIGA, UNIX, etc). I would be interested in getting it. I am not looking for the code persay, merely a list of names and the machine(s) they can infect. A description of their effects would be appreciated, but by no means necessary for this compilation. (I will of course post a summary) Thank you, - -- <<<<<<<<<<>>>>>>>>>VW&Apple][Forever!!!>>>>>>>>>> Internet:scott@hsvaic.boeing.com|UUCP:...!uunet!uw-beaver!bcsaic!hsvaic!scott DISCLAIMER: All contained herein are my opinions, they do not|+1 205 461 2073 represent the opinions or feelings of Boeing or its management| BTN:461-2073 ------------------------------ Date: 02 May 91 22:10:27 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Viruses and Database Systems Ramzi A. Haraty writes: >Greetings, > Does anybody know how to handle viruses in a database system? Well, for now you can just ignore them - they don't exist. :-) Seriously though - a virus can only INFECT executable code, not data items in a database. The data items can be CORRUPTED by a virus, but not in a way that will spread the infection. For example, there exist two viruses targeted against dBASE, known as 'dBASE-virus' and 'DBF-blank virus'. Both are extremely rare, and it is doubtful if they exist "in the wild". They both corrupt database information, but they do not infect the database itself. - -frisk ------------------------------ Date: Thu, 02 May 91 21:16:02 -0700 >From: p1@arkham.wimsey.bc.ca (Rob Slade) Subject: F-prot v1.13 (PC) hemmo@machina.hut.fi (Juha Hemminki) writes: > I would like to know why the version of F-chk I have (1.13) wants to > write a temporary file called LZ__TEMP.TMP to DOS current directory. F-FCHK will check compressed LZEXE format files. In order to do so, it has to decompress it. ============= Vancouver p1@arkham.wimsey.bc.ca | "Don't buy a Institute for Robert_Slade@mtsg.sfu.ca | computer." Research into (SUZY) INtegrity | Richards' First User Canada V7K 2G6 | Law of Data Security | Security ------------------------------ Date: Fri, 03 May 91 10:39:46 -0400 >From: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) Subject: Trident Microsystems/Packard Bell (PC) If the reports I am getting can be believed, Packard-Bell computers are STILL being sent out and sold with virus(es) on the distribution disks. When first reported last December, it was bad enough and I have had the opportunity to receive some sealed distribution disks that, when opened, did contain the MusicBug virus. For the condition to continue nearly six months later would seem to me to be actionable. Since the MusicBug now seems to have been replaced (or possible augmented, they should be able to co-exist) by the Azusa on the SVGA disks is bordering on the ridiculous but is not unique: Recently I received a set of Video driver disks that a user brought in with his laptop labeled CAF. These were infected by the Aircop in such a way as to indicate to me that the disks were infected before the files were copied onto the disk. I am not sure what the remendy is for manufacturers who distribute viruses, but have felt for some time that our legal system needs to get involved. Warmly, Padgett (obviously, my employer may not share my opinion on this matter) ------------------------------ Date: Fri, 03 May 91 17:10:20 +0000 >From: umbc3!umbc3.umbc.edu!cs106132@uunet.UU.NET (cs106132) Subject: F-PROT and FluShot problems Hello, I was testing the new release of F-PROT 1.15a the other day, and came across an interesting problem. It happened when a variant of 4096 was active. Since F-PROT did not know this strain, it could not detect it. This is expected as the documentation hints. However, when I ran F-OSCHK, the virus infected the system files (IBMBIO....), the result was a non-bootable hard disk. This indicates that F-PROT can actually contribute to the spread of this kind of viruses. This is not a bug type of thing, it is a design flaw! I repeated the same test using FluShot+ (1.81), the same thing happened in a slightly different manner. But the system again became impossible to boot from the hard disk. I had to run SYS C: to restore the sanity of the system. Any comments? Regards, Tarkan ------------------------------ Date: Fri, 03 May 91 09:44:12 -0700 >From: jesse%altos86.Altos.COM@vicom.com (Acer - Jesse Chisholm) Subject: Re: can we trust diskette write-protection? (PC) PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) writes: | Possibly, the reason why it sometimes fails, other than obvious loose | wires, is because of light bouncing around the diskette drive. | ... | Someone may be able to answer the | question as to whether the circuitry uses synchronised pulsed light, | or plain light (the latter would mean daylight from outside the | computer could nullify the protection system). I don't know about the pulsed or steady light, but I do know that if I leave the cover off my machine, the flourescent lights totally confuse the drive as to whether there is or isn't a write protect tab on the floppy. I have had no trouble with silvered tabs, but then, the brand I buy usually comes with black ones. ------------------------------ Date: Sat, 04 May 91 14:09:33 -0500 >From: James Ford Subject: Listing of MIBSRV files. (PC) This is a listing of files available for downloading from 130.160.20.80 (MIBSRV). This list is current as of May 2, 1991. Sorry for not posting the IP address in the earlier announcment. James Ford - JFORD@UA1VM.UA.EDU - -------------------- uploads to 00uploads ----------------------------- 00uploads/ htscan12.zip unvir902.zip vc200ega.zip vshld77.zip 0REVIEWS/ innoc.zip uu-help.text vcheck11.zip vstop54.zip 0files.9104 m-disk.zip uudecode.pas vcopy74.zip vsum9104.txt INDEX.291 navupd01.zip uuencode.pas vdetect.zip vsum9104.zip MsDosVir.291 netscn77.zip uxencode.pas virpres.zip vtac48.zip MsDosVir.690 pkz110eu.exe vacbrain.zip virsimul.zip wp-hdisk.zip MsDosVir.790 scanv77.zip vaccine.zip virstop.zip xxdecode.bas avs_e224.zip secur222.zip vaccinea.zip virusck.zip xxdecode.c clean77.zip sentry02.zip validat3.zip virusgrd.zip xxencode.c fprot114.zip shez59.zip validate.crc vkill10.zip xxencode.cms fshld15.zip trapdisk.zip vc140cga.zip vshell10.zip zzap54a.zip ------------------------------ Date: 05 May 91 04:44:21 +0000 >From: billj@uop.uop.edu (Snugglupagus) Subject: help with mac "virus"? (Mac) recently, we've come across a problem with one of the macs in our lab. we really don't know if it's a virus or not, but it does act something like one. anyway, here are the symptoms: - - the mac has a 40 meg hard disk - - there is only about 16 meg of software installed - - both the finder and mactools report 38 meg used, 2 meg free - - disinfectant can't find anything, and neither can virus detective - - there are no hidden files anywhere on the disk (if there are, neither mactools nor resedit can find them) - - the "virus" hasn't spread to any of our other macs what we really want to know is: is this some sort of new virus, or is our mac just confused? thanks in advance, snugglupagus - -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= "Steppin' on toes is a common routine | Send email/flames to: Sneakin' up from behind | billj@uop.edu You won't get anywhere |----------------------------------- Dancin' out of time" - Deborah Gibson | Disclaimer: It's all mine! =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 74] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253