Return-Path: Received: from csmes.ncsl.nist.gov (macbeth.ncsl.nist.gov) by csrc.ncsl.nist.gov (4.1/NIST) id AA19093; Sat, 30 May 92 13:13:35 EDT Posted-Date: Sat, 30 May 1992 12:57:31 EDT Received-Date: Sat, 30 May 92 13:13:35 EDT Received: from IBM1.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm)) id AA08879; Sat, 30 May 92 13:11:53 EDT Message-Id: <9205301711.AA08879@csmes.ncsl.nist.gov> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 8850; Sat, 30 May 92 13:05:34 EDT Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 1534; Sat, 30 May 92 13:05:20 EDT Date: Sat, 30 May 1992 12:57:31 EDT Reply-To: VIRUS-L@ibm1.cc.lehigh.edu Sender: Virus Discussion List Comments: Warning -- original Sender: tag was krvw@CERT.ORG From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V5 #111 Comments: To: VIRUS-L@ibm1.cc.lehigh.edu To: Multiple recipients of list VIRUS-L Status: R VIRUS-L Digest Saturday, 30 May 1992 Volume 5 : Issue 111 Today's Topics: Re: different viruses causing 2k loss in memory (PC) Re: Can a virus survive being pkzipped or otherwise compressed (PC) Re: Zipped Viruses (PC) Re: changed virus names in scan (PC) Re: Detecting the MtE (PC) Re: different viruses causing 2k loss in memory (PC) Re: Zipped Viruses (PC) Warning: Troi Two (PC) 2k memory loss (PC) Re: different viruses causing 2k loss in memory (PC) re: different viruses causing 2k loss in memory (PC) Re: Different viruses causing 2K loss in memory (PC) Re: changed virus names in scan (PC) Virus or hard disk problems ? (PC) VIRx version 2.3 released (PC) Re: PC\MS DOS based Viruses & OS\2 2.0 (PC) (OS/2) Looking for virus researchers in China VIRX23.zip (VIREX-PC update) (PC) McAfee VIRUSCAN V91 uploaded to SIMTEL20 (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 27 May 92 04:10:38 +0000 >From: anspjw@qdpii.comp.qdpi.oz.au (Peter Welsby) Subject: Re: different viruses causing 2k loss in memory (PC) ISKAR5@TRMARUNV.BITNET (Cem S. Sutcu) writes: >Here in our univ's computer labs, we have a virus (or more?) causing 2k loss >in conventional memory. >We have found out it by using chkdsk. It showed 653K instead of 655360 bytes. >Scanv89b has alerted no suspicious finding. Neither CPAV 1.1 did. Gidday Cem Are you sure that it IS a virus if it does not show up ??? For example, some recent Unisys's bought here showed the same symtom - 2 Kb lost (from the top of normal RAM) but no allerts. (btw, these were shipped this way). A bit of investigation showed that the 2 Kb was being grabbed by the SCSI drive controllers! Those without SCSI controllers were OK. It might be worth wile checking this out ... Pete - -- =*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*= Peter Welsby (Snr.Lab.Tech - PC.Dev) email: anspjw@qdpii.comp.qdpi.oz.au Ag.Chem, Dept.Primary.Ind, Meiers Rd, voice: + 61-7-877-9489 Indooroopilly, QLD, 4068, AUSTRALIA fax : + 61-7-371-6436 ------------------------------ Date: 27 May 92 08:16:32 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Can a virus survive being pkzipped or otherwise compressed? (PC) rslade@sfu.ca (Robert Slade) writes: > A virus can and will survive being ZIPped, ARCed, ARJed, LZHed, > UUENCODEd, Binhexed or otherwise encrypted, decoded or compressed. The virus - maybe, but the program (if infected by some viruses) might not... If the program is infected by viruses like Number of the Beast, 1963, Int13, or Dir II, and if the virus is not active in memory when you archive the infected files, these filess will not be able to run after you unarchive them. They will be still able to release the virus, though... Regards, Vesselin P.S. Just a thought - most companion viruses will probably not survive if you compress the "infected" files - at least if you specify the right extensions... :-) - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Wed, 27 May 92 10:26:26 +0200 >From: Magnus Olsson Subject: Re: Zipped Viruses (PC) David_Conrad@MTS.cc.Wayne.edu writes: [excellent description of stealth viruses deleted] Thanks for a very informative article! There's one point I think you're missing, though, when describing the dangers of using scanners on an infected system: >Here's what happens: Your virus scanner is infected with a stealth, >fast infecting virus. It isn't currently active. You run the scanner, >telling it to scan your entire hard drive. First the virus gets control: >It goes resident, takes over, then runs the scanner. Now the scanner >attempts to perform a self-check on its file. This detects nothing, >because the virus disinfects the file as it reads it. Now your scanner >goes through your entire hard drive, reading all programs. Not only >does it have no chance of catching the virus in any program, but every >program (even ones which weren't infected before) will get infected!!! At least McAfee's scanner doesn't only check files on the disk and make a self-check, but also scans memory for viruses before doing anything else. Doesn't this cure the above problem, as the memory-resident stealth virus would be detected in memory? Magnus Olsson | \e+ /_ Dept. of Theoretical Physics | \ Z / q University of Lund, Sweden | >----< Internet: magnus@thep.lu.se | / \===== g Bitnet: THEPMO@SELDC52 | /e- \q ------------------------------ Date: 27 May 92 08:22:12 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: changed virus names in scan (PC) 8326442@AWIWUW11.BITNET (Martin Zejma) writes: > Recently I got a floppy containing a sample of the Ghostball Virus, > named so by an austrian anti-virus program. When I SCANed it , Scan V > 89b told me it was contanimated with the Lisbon Virus. So I took it > home, compared it with other samples and voila it was exactly the same > as the old Vienna Dos 62 Virus. So I digged through my ancient Scan > versions, and ran each against the same sample : SCAN is -very- unreliable for virus identification. NEVER believe it anything it says about the virus name, number of viruses found, or the virus' properties (in VIRLIST.TXT). The only thing it does pretty good is to tell you whether the object (file or boot sector) is infected (with anything) or not. > So I tried other scanners , too ( only newest versions ) > Virex detects "Vienna 2 - 1", Htscan using the Virscan signatures detects > "Vienna Related" (fits always :), and Fprot says "Vienna (Reboot)". Your later description shows that F-Prot guessed it right. Dr. Solomon's Anti-Virus ToolKit has better identification, but still not good enough (it doesn't always make the difference between variants which differ only in some text or constant fields). > Only using one scanner, you can get up to 6 different versions of a virus > without changing a single bit. Yes, this shows very well the existing naming problem... We are working on a standard set of virus names; you can get the current results from our ftp site (directory pub/virus/texts/tests). > BTW, the sample was different in one point from all other different samples > of the Vienna Virus: > When destroying a program , the begin is being overwritten with > 'EA 0FFF00 F0' , resulting in a warmboot when the program gets started. > And in the new sample the 'EA' is replaced with '20' resulting in junk code > which hangs the computer. Fprot detects this as 'Vienna - D', all others > don't seem to care about that byte.So is this a 'official' variant or > has someone viewing the code just scrambled that piece ? Hmm, difficult to say... I didn't know about the existence of this variant. The "original" Vienna.648, as published in Ralf Burger's book, had five times '20' there (and a slight bug in the PATH environment searching routine). The Vienna.648.Reboot variant has 'EA 0FFF00 F0', as you mentioned. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 27 May 92 08:44:06 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Detecting the MtE (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: > MtE. Of those 9,471 infected examples 3 turned out to be duplicates, > which yelded to 9,468 different instances of the virus. It also means Correction: a fourth duplicate has been found later. Therefore the total number of generated different mutations used during the test is only 9,467. > Currently I am aware of the existence of at least three other scanners > which claim 100 % detection of the MtE. One comes with the new version > of V-Analyst III, the second has been designed by IBM, and the third > is Dutch scanner. As soon as we get them we'll re-run the tests. We tried out the Dutch scanner. Its authors were present during the test. When they saw the results, they decided that the program is not ready to be tested yet and promised to send us a fixed version soon... :-) We just received the V-Analyst III scanner; we haven't tested it yet. As soon as the test is performed, I'll post the results. Meanwhile we received and tested yet another scanner which claims "100 % detection of the MtE-based viruses". It is a German product, called AntiVir IV and produced by H+BEDV. The version tested was 4.03 of May 15, 1992, beta version. It missed 584 mutations (6.17 %). Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 27 May 92 08:52:08 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: different viruses causing 2k loss in memory (PC) ISKAR5@TRMARUNV.BITNET (Cem S. Sutcu) writes: > We have found out it by using chkdsk. It showed 653K instead of 655360 bytes. You mean that it showed 638 Kb, instead of 640. (653312 bytes instead of 655360.) > Some people say this virus is sigalit, and some say it is cocain > virus and fina lly some say it is cansu virus (a turkish name - > probably the first turkish virus|). As they say each of them causes > the same problem : 2k loss. I have NEVER heard about ANY of the three viruses mentioned. Can you supply more information? Are they file or boot sector infectors? How to the Western anti-virus programs call them? Do they detect them at all? > My questions : 1. might they be the same virus? I can answer this question only if I get a copy of all the three viruses. > 2. Is there an antivirus package that can clean either of them? > thanks I can't answer this question until I learn more about these viruses. If they are master boot sector viruses (like Stoned), then you don't need an anti-virus program - boot from a DOS 5.0 system diskette and run FDISK /MBR - this will disinfect your hard disk. If they are boot viruses, boot from the same DOS version as the one which is installed on your disk and run SYS C:. If they are stealth file infectors, I can show you a method to disinfect the files by using only an archiver (ARJ). But I need more information about the viruses... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: 27 May 92 09:22:45 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Zipped Viruses (PC) padgett@hobbes.dnet.mmc.com (A. Padgett Peterson) writes: > And then of course we have the new order: compressed disks e.g. > SuperStor & Stacker. These work just fine since what a scanner "sees" > is the uncompressed code so don't really count. (IMHO this is going to > put individual file compression out of use since you can only compress > once effectively - recently Individual file compression is still useful if you need to put as many program on as few floppies as possible... This is often a requirement for a travelling virus buster... :-) > saw an advt for "something" that purported to compress 2:1 on each > pass & 8 passes would give 16:1 compression. Not only is something > wrong with the math The way it was advertized was silly, of course. The truth is that the method is rather good for compressing some kind of visual information - - like aerophotos. It approcsimates the picture with fractals and then stores only the functions that generates the fractals. Of course, it does not work for ANY files, as it has been advertized... Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Wed, 27 May 92 09:56:44 +0000 >From: brian@probitas.cs.utas.edu.au (Brian Marriott) Subject: Warning: Troi Two (PC) I've just isolated what seems to be a new strain of PC virus, which isn't picked by the most recent readily available versions of SCANV (89) or F-PROT (203). It has been infecting our laboratory of public-access PC's. Briefly, the virus has been found infecting .EXE files, where it appends itself to the end, adding 512 bytes. I haven't found it in a .COM file yet, but neither have I had a chance to check this thoroughly nor to deliberately expose one to infection. It seems to infect programs as they are executed. It's sufficiently buggy that it renders most programs inoperable after infection. I haven't yet attempted to disassemble it to find out what it's supposed to do. The most obvious symptom of infection is that the PC hangs trying to write to a write-locked floppy disk, if an attempt is made to run a program from that disk. The 512 bytes includes the string 'Troi Two', so I presume that's what to call it. I've so far been able to get positive identification (with F-PROT) using the signature string: '1E06B42ACD2181F9C8077211770681FA' but I've no guarantee that this will pick up an infected .COM file, if one were to exist. Brian - ----------------------------------------------------------------------- Brian Marriott, Department of Computer Science, University of Tasmania Mail: GPO Box 252C, Hobart, Tasmania 7001, AUSTRALIA. Ph: +61-02-202929 Internet: B.W.Marriott@cs.utas.edu.au Fax: +61-02-202913 ------------------------------ Date: Wed, 27 May 92 08:13:42 -0400 >From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: 2k memory loss (PC) >From: Cem S. Sutcu >Subject: different viruses causing 2k loss in memory (PC) >Here in our univ's computer labs, we have a virus (or more?) causing 2k loss >in conventional memory. >We have found out it by using chkdsk. It showed 653K instead of 655360 bytes. >2. Is there an antivirus package that can clean either of them? I have not seen a "cansu" virus (though suspect that I will shortly) however the 2k loss from the Top of Memory (TOM) (reduction in "655360 total bytes memory) is almost certainly an MBR or Boot Record virus. When dealing with something "unknown", manual tools work well e.g. DEBUG. My first action would be to use DEBUG to examine the "missing" memory with the D(ump) command: "D 9F80:0 L 800" (800h = 2k). If mostly nulls, then it may just be a ROM data area such as DOS 4.x uses (though that is only 1k). If full of code, I get suspicious. The only "code" use of this area I know of is 1) the transient portion of COMMAND.COM - but the memory won't be missing. or 2) some access control programs (e.g. my DISKSECURE but you should know if that is present). Note: some MBR infectors practice "stealth" with regard to disk access. "stealthing" absolute memory locations is much more difficult. Next, if the area was full of unknown code, I might just zero it out: "F 9F80:0 L 200 0" and see if the system crashes on the next disk access. (Won't crash if transient COMMAND.COM). More likely, I'll pull out a known clean bootable floppy with DEBUG and start looking at the MBR and DBR sectors for "suspicious" code. Once I've determined that what is in one or more sectors is not what is supposed to be there, I extract the "necessary" information (Partition table if MBR or BPB if Dos Boot Record, place it into known safe code, and replace the questionable sectors. The MBR process is automated with FixMBR (available for FTP as FixUtil3.ZIP on many archives) but I have not completed FixDBR yet so you have a choice of using the SYS.COM that came with DOS or rebuilding it by hand. If you have DOS 5.0, you can also use FDISK /MBR to replace the MBR code. The final case exists if you can boot with the hard disk but booting from floppy does not find the partitions. Luckily, there are only a few viruses that exhibit this behaviour but special virus-specific techniques are needed. Warmly (90+ today) Padgett ps Now that the virus is removed from the machine, it will most likely be necessary to examine mountains of floppy disks since sich viruses are usually (not always !) transmitted this way. -app ------------------------------ Date: Wed, 27 May 92 13:00:03 +0000 >From: awoodhull@hamp.hampshire.edu Subject: Re: different viruses causing 2k loss in memory (PC) ISKAR5@TRMARUNV.BITNET (Cem S. Sutcu) writes: >Here in our univ's computer labs, we have a virus (or more?) causing 2k loss >in conventional memory. >We have found out it by using chkdsk. It showed 653K instead of 655360 bytes. This *could* be a virus, one of the ways viruses go memory resident is by altering the apparent size of memory in order to guarantee a spot where the virus code will not be overwritten. ...*but*... before you panic, make sure that the cause isn't a benign one. Some systems reserve some space at the top of memory for system use. My own experience has been with an XT-clone in which CHKDSK shows 2K missing. I found by booting with several different DOS versions on virus-free floppy disks that the 2K was always reported missing; it was in fact the ROM BIOS that was setting the area aside. As a first step I would advise that you try booting from a known-good write-protected floppy disk (i.e., an original DOS system disk) and then execute a known-good copy of CHKDSK (it will be present on the original DOS system disk). If under these conditions you find that 2K is still missing you can assume that the space was reserved by the ROM BIOS or by your version of DOS. If the space is not reserved then maybe you should worry. Run a good copy of CHKDSK (from a write-protected floppy) after each of the programs you normally use. In this way you can find which of your programs is altering the system parameters. It was reassuring in the case of my own XT to examine the part of memory in question and verify there was no meaningful code hidden there. On a 640K system you can see the upper 2K of memory by running DEBUG and displaying the contents of this part of memory with the command: - -d9000:f800 ffff If I do this immediately after boot-up (before running any programs that use large quantities of memory) I see mostly zeros, with a scattering of bytes of other values. The zeros are left from the power-on self-test. The other values are, I suppose, the result of whatever use the ROM BIOS makes of that memory area. I had no difficulty convincing myself that no executable code was present. Albert S. Woodhull School of Natural Science, Hampshire College, Amherst, MA 01002 413-549-4600 ext 581 (office), 413-549-4740 (home) awoodhull@hamp.hampshire.edu, woodhull@dawn.hampshire.edu ------------------------------ Date: 27 May 92 11:27:13 -0400 >From: "David.M.Chess" Subject: re: different viruses causing 2k loss in memory (PC) Cem S. Sutcu asks about the CANSU virus, and three signatures that have been given for it in Turkey. The virus is indeed a master boot infector that takes 2K and does a simple self-modification. Of the three signatures that you give, only the first will ever appear in the master boot record, and it will appear in only about one-third of infections. The other two signatures are in the non-boot-sector part of the virus, but they will be visible in memory if the virus is active in the system. Here are three better signatures for the virus; at least one will be found in every infected MBR, and in memory if the virus is active: 31C0 8ED0 8ED8 8EC0 48 89C4 30E4 CD13 72FA %s the Cansu virus. Boot records. No mutants. 31C0 8ED8 8EC0 8ED0 48 89C4 30E4 CD13 72FA %s the Cansu virus. Boot records. No mutants. 31C0 8EC0 8ED0 8ED8 48 89C4 30E4 CD13 72FA %s the Cansu virus. Boot records. No mutants. (This is the format that the IBM Virus Scanning Program uses, but it should be readily convertible.) If you have the IBM Virus Scanning Program version 2.2.1 or better, it will detect the virus. The Cansu doesn't seem to have any destructive effects; it will sometimes display a sort of "logo" when booting an infected machine, but this shouldn't be counted on for detection. As for disinfection, since it's a normal master-boot-record infector, you can use FDISK /MBR, or anything else that can fix the master boot record code without altering the partition table data (see previous talk in VIRUS-L about this). DC ------------------------------ Date: Wed, 27 May 92 21:27:35 +0700 >From: frisk@complex.is (Fridrik Skulason) Subject: Re: Different viruses causing 2K loss in memory (PC) I was unable to reply directly to a post by Cem S. Sutcu, as my mailer just gave the following reply: > ERROR: trmarunv not in EARN/BITNET routing tables > 554 ... Service unavailable So, I apologize for posting the following reply here... In comp.virus you write: >Some people say this virus is sigalit, and some say it is cocain virus and >finally some say it is cansu virus (a turkish name - probably the first >turkish vir I have not heard of any of those, but it is possible that my anti-virus package (F-PROT) detects the virus(es) under a different name. Have you tried that program ? Even if the scanner does not detect it, the heuristic analysis part should be able to detect it - it seems to detect around 88% of totally new viruses. > 2. Is there an antivirus package that can clean either of them? Well, not as far as I know, but if you send a sample (either on a floppy disk or as a xx/uuencoded E-Mail file) to any of the anti-virus software producers, a disinfector should be available soon thereafter. > -frisk ------------------------------ Date: 27 May 92 22:45:00 +0000 >From: frisk@complex.is (Fridrik Skulason) Subject: Re: changed virus names in scan (PC) 8326442@AWIWUW11.BITNET (Martin Zejma) writes: >Scan Vrs 0- 60 "Vienna (DOS 62) Version A " > 62- 72 "Vienna (DOS 62) Version B " ( very interesting...) > 75- 84 " Vienna / Violator Virus " > 85 " Lisbon Virus " & "VHP Related Virus" (twice found) > 86b " Lisbon Virus " > 89b " Lisbon Virus " & "Generic Virus" ( twice again) Not surprising, really - SCAN does not attempt any serious variant identification. It is pretty good at finding out if a file contains a virus signature, but don't rely on it for accurate identification. In that respect, the best program is Alan Solomon's FINDVIRU, simply because it calculates a checksum for the virus body in most cases. It is not foolproof - in a few cases he has included a variable byte in the checksumming range, so he occasionally (but VERY rarely) identifies the same virus as the a and b variant (or whatever). My own scanner performs a decent variant identification - just enough to make sure the program does not damage the original program by incorrectly disinfecting, but I don't necessarily notice insignificant minor modifications. > So I tried other scanners , too ( only newest versions ) > Virex detects "Vienna 2 - 1", Htscan using the Virscan signatures detects >"Vienna Related" (fits always :), and Fprot says "Vienna (Reboot)". >When destroying a program , the begin is being overwritten with >'EA 0FFF00 F0' , resulting in a warmboot when the program gets started. Yes, this is the standard "Reboot" variant. >And in the new sample the 'EA' is replaced with '20' resulting in junk code >which hangs the computer. Fprot detects this as 'Vienna - D', all others >don't seem to care about that byte. Well, that fits - this single byte is the only difference, and yes, it is an "official" variant - I have had it for a long time, but I think only I and Alan detect it as a special variant. - -frisk ------------------------------ Date: Thu, 28 May 92 14:03:08 +0000 >From: unx.sas.com!sasaer@mcnc.org (Andy Ravenna) Subject: Virus or hard disk problems ? (PC) Last night my whole system seemed to go on the fritz... I booted off of a clean floppy and started to investigate things. First I ran "Qaplus" which came with my Gateway, and the DMA testing on the Main Components menu seemed to freeze up. Does this mean the DMA chip has gone bad ? Secondly, I ran Norton Disk Doctor II and when Norton got to the last 55% of my 80 meg hard drive, it started marking every sector as "BAD". Is it possible to have a "partial" disk crash ? I did run a virus check on the system and nothing was found. HELP ! Does this sound like a virus problem or a hardware problem ? Thanks, Andy. - -- ############################################################################### ## ## Andy Ravenna ## "Some really clever or unusual ## SAS Institute Inc. SASAER@UNX.SAS.COM ## ## SAS Campus Drive X-6120 ## remark in quotations..." ## Cary, NC 27513 ## ## ############################################################################### ------------------------------ Date: Tue, 26 May 92 18:51:57 +0000 >From: trent@rock.concert.net (C. Glenn Jordan -- Virex-PC Development Team) Subject: VIRx version 2.3 released (PC) The Virex for the PC Development Team is proud to announce the release of our detection-only, mostly-free anti-virus utility VIRx, version 2.3. Copies uploaded from the source are available from the anti-viral FTP sites, CompuServe, GEnie, Fido-Net and our support BBS. What's New In VIRx Version 2.3 ============================== Date: 05/22/92 1. This release of VIRx detects 73 new viruses, bringing the total to 925 total strings. 2. VIRx now detects all files encrypted with the "Mutating Engine" attributed to the Dark Avenger that are not already destroyed by the Engine's attempts to encrypt them (and most of those, as well). If you find executable programs with MtE encryption that we miss, please advise us at Microcom. As always, the BBS number is: (919) 419-1602 v.32bis. We can be reached through the Internet at trent@rock.concert.net, and through FIDONet NetMail at "Glenn Jordan@1:3641/1.201". 3. Due to an intensive reworking of the code, we have sped up the scanner's raw speed by yet another 20%. 4. VIRx v2.3 will start to warn users it is getting dated in July. ------------------------------------------------------------------------- Searching ZIP: VIRX23.ZIP Length Method Size Ratio Date Time CRC-32 Attr Name ------ ------ ----- ----- ---- ---- ------ ---- ---- 911 Implode 554 40% 05-22-92 00:00 7c83bcb4 --w $TOC 7129 Implode 2615 64% 05-22-92 00:00 505730b1 --w VIREX.TXT 13184 Implode 5516 59% 05-22-92 00:00 f79005aa --w README.VRX 129432 Implode 72059 45% 05-22-92 00:00 0cb06241 --w VIRX.EXE 13184 Implode 5114 62% 05-22-92 00:00 bc4cc488 --w OLD_NEWS.TXT 4480 Implode 2032 55% 05-22-92 00:00 28f0f5f0 --w WHATSNEW.23 ------ ------ --- ------- 168320 87890 48% 6 ------------------------------ Date: Thu, 28 May 92 19:40:30 +0000 >From: dab6@po.CWRU.Edu (Douglas A. Bell) Subject: Re: PC\MS DOS based Viruses & OS\2 2.0 (PC) (OS/2) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) says: >MCHLG%CUNYVM.BITNET@mitvma.mit.edu writes: > >>I have a few questions for Ken, Vesselin, and the other GURU's as well as any >>one who is knowledgable enough about PC\MS-DOS, Viruses, & OS\2 2.0. > >Unfortunately, my knowledge about OS/2 2.0 is near to nothing, but >let's see... > >>1.Is it possible for a DOS based Virus to survive & thrive on a system >> running OS\2 2.0 using the (HPFS file system) instead of the (FAT system)? > >To infect files - certainly not. Even some of the existing scanners >cannot access the HPFS partitions. This is not true. Some dos viruses can infect files on an hpfs partition when running in an os/2 dos window. A good rule of thumb is that if the virus can infect files on a network drive, it should be able to infect files on an hpfs partition. - -- Ren and Stimpy for President in '92 !!!! ------------------------------ Date: 27 May 92 09:38:14 +0000 >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Looking for virus researchers in China Hello, everybody! One of the VTC members is going to visit China in August. He would like to contact some computer virus-experienced people from there. If anybody from China is reading this and if you happen to know any virus researcher, especially in the Peking area, please contact me by e-mail. Thanks. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN ** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany ------------------------------ Date: Wed, 27 May 92 15:15:00 -0400 >From: HAYES@urvax.urich.edu Subject: VIRX23.zip (VIREX-PC update) (PC) Hi. This short note to signal the availability of VIRX23.ZIP, the update for VIREX-PC. The file was sent to me directly by C. Glenn Jordan, a member of the Virex-PC Development Team. Thanks Glenn! ===== Site: urvax.urich.edu, [141.166.1.6] (VAX/VMS using Multinet) Directory: [anonymous.msdos.antivirus] FTP to urvax.urich.edu with username anonymous and your email address as password. You are in the [anonymous] directory when you connect. cd msdos.antivirus, and remember to use binary mode for the zip files. ===== Best, Claude - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Thu, 28 May 92 19:21:22 -0400 >From: mcafee@netcom.com (McAfee Associates) Subject: McAfee VIRUSCAN V91 uploaded to SIMTEL20 (PC) I have uploaded to WSMR-SIMTEL20.Army.Mil: pd1:: SCANV91.ZIP SCAN V91 virus scanner CLEAN91.ZIP CLEAN-UP V91 virus remover VSHLD91.ZIP VSHIELD V91 infection prevention TSR NETSCN91.ZIP NETSCAN V91 network server virus scanner VIRUSCAN VERSION 91 RELEASED Version 91 of the VIRUSCAN series has been released. This release replaces Version 90 which had several minor bugs. GENERAL This release adds detection of 52 new viruses, bringing the total number of known viruses to 586, or counting variants, 1,302. VIRUSCAN Two new DOS ERRORLEVEL's have been added for creating enhanced batch files. An ERRORLEVEL of 3 is returned if an uncertified file is found when SCAN is run with the /CERTIFY switch. An ERRORLEVEL of 4 is returned if a user aborts the scan with a Ctrl-C or Ctrl-Brk. A /HISTORY option has been added. This option functions similarly to the /REPORT option except that if a report file exists it will not be overwritten, instead, the new report will be appended to the end of the existing report file. Three new options have been added to the validation (checksum) suite of commands: /AF, /CF, and /RF. These options allow SCAN to Add, Check, and Remove validation (checksum) data from a user-specified file. The file can then be stored offline to create a secure database and act as a recovery disk in case of infection. CLEAN-UP The 696, 1339 and Troi viruses have been added to the list of viruses that can be disinfected by CLEAN. One new option has been added, the /GRF option. When CLEAN is run with this switch it removes nonspecific (new or unknown) viruses using recovery information stored by VIRUSCAN program in a separate file. VSHIELD Version 91 adds a /NOREMOVE option to prevent VSHIELD from being unloaded from memory (a frequently requested option from network administrators). NETSCAN NETSCAN has been updated to detect the new viruses. VALIDATE VALUES FOR VERSION 91: CLEAN-UP V91 (CLEAN.EXE) S:96,570 D:05-27-92 M1: D0F7 M2: 1AA1 NETSCAN V91 (NETSCAN.EXE) S:75,050 D:05-27-92 M1: 33DA M2: 1AD1 VIRUSCAN SCANV91 (SCAN.EXE) S:75,801 D:05-27-92 M1: 18FA M2: 127D VSHIELD VSHLD91 (VSHIELD.EXE) S:41,005 D:05-27-92 M1: 194F M2: 11CF Aryeh Goretsky McAfee Associates Technical Support - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 3350 Scott Blvd, Bldg 14 | FAX (408) 970-9727 | ObQuote: "Log... from Blammo" Santa Clara, California | | 95054-3107 USA | BBS (408) 988-4004 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | USR Courier DS 14.4Kb| or GO VIRUSFORUM ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 111] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253