VIRUS-L Digest Tuesday, 25 Feb 1992 Volume 5 : Issue 40 Today's Topics: Possible virus? (PC) Query about peculiar CHKDSK results (PC) Jeff virus!!!!! (PC) Basics (PC) Re: Houston Chronicle report on Michelangelo (PC) Re: Simple IBM PC virus (PC) Re: Houston Chronicle report on Michelangelo (PC) Re: Boot Sector Virus Infections (In General) (PC) Re: CIAC Bulletin (PC) On reformatting floppies to remove infections (PC) Re: F-Prot 2.02D/DOS 2.11 (PC) Quick way to check for Mich on PC's (PC) Possible virus? (PC) What does Ping Pong B virus do? (PC) Re: WDEF infection at a school (Mac) Re: WDEF infection at a school (Mac) Distributing info and shareware RE: "Executive Guide to Computer Viruses" from NCSA? Re: General Virus information ? Disinfectant 2.6 (Mac) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Thu, 20 Feb 92 10:25:09 -0700 >From: ZEM0%ARGCNEA2.BITNET@BITNET.CC.CMU.EDU Subject: Possible virus? (PC) In some programs I see this word 'MSDOS' and i do not if that is a virus all the progrmas that has that , has 5 byte more I know that if we immunize a program, is going to have 5 byte more, but when i run scan say that in the memory i have 5 byte (the word (MSDOS)) i dont understand that. i would like to know if is good to immunize programs When i immunize a program with the tnt and after i run scan ,say that i have the ohio in memory i would like to know aslo if SCAN immunize porgram and if it is good and also when i immunize i have 5 byte more? Person say that on march 6 is going to be a virus that no exist a anti virus yet .I would like to know more about that. THANK ------------------------------ Date: Fri, 21 Feb 92 14:46:51 +0000 >From: Ms Marilyn B Nash Subject: Query about peculiar CHKDSK results (PC) To Subscribers of Virus-L; I have a query which arose as a result of one of our technicians running VISCAN (Bates Assoc.) on his departmental PC's. On two machines he discovered several files which could not be read and when exploring using XTREE Gold found 16 files in the directory which contains our menuing software. These were identical and named tttttttt.ttt (for 't' read the Greek tau). All had +RASH attributes set which could not be changed using that version of XTREE -although an earlier one worked but each file had to be deleted immediately after the attributes were changed. I ran CHKDSK /F afterwards to try and tidy up the disk and on one machine got the message: Invalid directory entry... for our menu directory and on the other: Probable non-DOS disk (although FDISK insisted it was a DOS partition). I did not proceed with CHKDSK as a bitter experience after having gotten the same message on a previous occasion resulted in everything in that particular partition being deleted irrecoverably. If anyone has seen anything similar or has an explanation for the above especially if a virus was involved, I would appreciate if they would contact me (either E-mail or post). My thanks in advance, Marilyn Scott MBN1@UK.AC.STIRLING.FORTH Biology Dept. University of Stirling Stirling, Scotland FK9 4RP ------------------------------ Date: Fri, 21 Feb 92 16:10:51 +0000 >From: dale@garfield.cs.mun.ca (Dale Fraser) Subject: Jeff virus!!!!! (PC) I hope someone can help me. My PC just got infected by the Jeff virus. How do I get rid of it? I know I am supposed to remove the infected files, but I ran the latest version of SCAN (86B) and it never found it. PLease respond ASAP!!! Thanks. Dale |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| | "Why sex is so popular | Dale Fraser dale@garfield.cs.mun.ca | | Is easy to see: | Memorial University of Newfoundland | | It contains no sodium | CS Undergrad - Class of '92 | | And it's cholesterol free!" |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| | Shelby Friedman | THIS SPACE FOR RENT-REASONABLE RATES! | |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| | *OPINIONS EXPRESSED ABOVE DO NOT BELONG TO ME OR THIS INSTITUTION!* | |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-| ------------------------------ Date: Fri, 21 Feb 92 12:00:13 -0500 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Basics (PC) >From: austin@tecnet1.jcte.jcs.mil (lengthy desription of multiple infection deleted) >The question I have concerns what appears to me to be conflicting >information from the two sources above. One source states that the >Stoned virus and the Michaelangelo virus both copy the original boot >sector information to the same location. The second source states >that the two viruses copy the original boot sector information to two >different locations. Ok, what happens is that virus A (Stoned or Michelangelo) infects the disk moving the Original Boot Record (OBR) to sector 7 and placing itself in sector 1. Virus B (the other one) comes along and infects moving virus A to sector 7 (losing the OBR) and putting itself in secor 1 however, now the disk is unbootable since the OBR is lost. Each virus contains a signature to avoid multiple infections by itself but since Stoned and Michelangelo (or Joshi or...) use different signatures, such multiple infections by different viruses are possible. In the case of Stoned and Joshi or Mich & Joshi the disk may remain bootable since different sectors are used and the OBR might not be over-written Enough ? Padgett ------------------------------ Date: Fri, 21 Feb 92 17:18:00 +0000 >From: treeves@magnus.acs.ohio-state.edu (Terry N Reeves) Subject: Re: Houston Chronicle report on Michelangelo (PC) >You just reformat the disk and >re-install everything from your backups. You have spent at most one >day doing this, and at most one day of your work is lost (if you have >a good backup scheme). Nothing disastrous. I venture to say that only a tiny percentage of pc users make backups once a day or even once a week. Yes they should. They don't and it will be a disaster for them. Many have no backup at all and couldn't reinstall it if they did. They would rely on company tech support for this. ------------------------------ Date: 21 Feb 92 11:21:00 -0600 >From: "William Walker C60223 x4570" Subject: Re: Simple IBM PC virus (PC) This sounds like the Jerusalem virus, which adds 1808 or so bytes to program files (a little less than 2K), and contains the string "sUMsDos" somewhere in the code. This virus is ancient (as far as viri go), so just about any anti-virus package you happen across should be able to clean things up. Hope this helps. Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | "If 'pro-' is the opposite of OAO Corporation | 'con-,' then is 'progress' the Arnold Engineering Development Center | opposite of 'Congress?'" M.S. 120 | - Gallagher Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: Fri, 21 Feb 92 12:48:14 -0700 >From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: Re: Houston Chronicle report on Michelangelo (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >There are much more devious viruses, like Phoenix and Nomenklatura. >They spread every day, every hour, every minute. The corrupt >information every day. But they corrupt it -slightly-. So, when you >finally notice that something has gone wrong, you can no more rely on >your backups - since you don't know when the infection occured, and >which files are corrupted... Apparently (I haven't seen it yet) the Edmonton Journal had an article about Michelangelo yesterday, as well. Vesselin's concern is particularly apt here in Edmonton. The Empire viruses are much more common here, than is Michelangelo. And three of the Empire variants never announce themselves: they just diddle away at data, byte by byte. I wonder if I can get the Journal to write about that, though: it isn't so dramatic, nor is it international news. Tim. ------------------------------------------------------------- Tim Martin * Soil Science * These opinions are my own: University of Alberta * My employer has none! martin@cs.ualberta.ca * ------------------------------------------------------------- ------------------------------ Date: Fri, 21 Feb 92 13:06:14 -0700 >From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: Re: Boot Sector Virus Infections (In General) (PC) austin@tecnet1.jcte.jcs.mil writes: >I have some curiosity questions about the way "boot sector" viruses >infect the "hard drive" and "the system (memory)", (or is it "the >system (memory)" and then the "hard drive"?), only because I have been >reading the Digest for awhile and do not recall this being addressed. >I understand how the floppy does not need to be "bootable" because the >virus can exist on the floppy in the area where the computer "looks" >first when attempting to "boot" from any floppy in drive "A". .... >Second example: >We have the same "powered-off", non-infected, MS DOS based, PC computer >system with one 5.25" floppy drive and one hard drive. Let's say I >have an infected (Michaelangelo virus) 5.25", 360K, "NON-bootable" >floppy. Let's put it into our "A" Drive and close the door. Now, turn >on the power to the computer and let it attempt to "boot" up. Instead >of a DOS Prompt, we now have "Non-system disk or disk error; replace >and strike any key when ready" or something like that--you get the >idea. NOW, instead of replacing and rebooting, let's turn the power >off. >1. Is the virus in memory? I believe no, since the power is off. >2. Has the virus infected the hard drive? (I do not know. Can > someone answer for me?) Yes, the virus is on the hard drive. The typical sequence of events, for many boot sector viruses (a sequence inherited from "stoned") is as follows: When you start the computer from any infected disk, 1. the virus "makes space" for itself in memory. (Sets the top-of- memory indicator, sets up the required interrupt vectors) 2. the virus copies itself to upper memory, and the program control jumps to the copy. 3. the virus checks if it booted from a floppy: if YES, it infects the hard drive. 4. the virus loads the "clean" boot sector of the disk you are booting from, from its hiding place on disk, into memory. 5. Processor control is given to that boot sector. Hereafter, bootup is "normal", except that the virus is installed and watching whatever BIOS interrupts it was designed to watch. At this point, if the disk wasn't a boot disk, or if you turn the computer off doesn't really matter: the virus is already installed on the hard disk, waiting for you to reboot from the hard disk. >If we were to turn the system power off, killing the virus in memory, >and then reboot from a "non-infected" floppy disk, would the hard drive >already be infected? Yes, The hard drive would already be infected. The virus would not be in memory if you reboot from a non-infected floppy disk, but it will install itself in memory each time you boot from the (infected) hard disk, or any other infected disk for that matter. This is typical of any boot sector viruses I have found "in the wild": stoned, michelangelo, the Empire family, bloody!, .... Tim. ------------------------------------------------------------- Tim Martin * Soil Science * These opinions are my own: University of Alberta * My employer has none! martin@cs.ualberta.ca * ------------------------------------------------------------- ------------------------------ Date: Fri, 21 Feb 92 13:23:41 -0700 >From: martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) Subject: Re: CIAC Bulletin (PC) karyn@cheetah.llnl.gov (Karyn Pichnarczyk) writes: >I wrote in my bulletin: > > The infection mechanism of this virus may also cause read errors > > to occur upon some high density (1.2 M) diskettes. >I have seen a case where a 1.2M diskette was rendered unreadable by >the virus on a specific older PC. I actually saw this happen. When I >brought the unreadable diskette to a newer-model PC, the disk was read >with no problem. I tried to read this diskette on a variety of PC's, >and the older model PCs sometimes had trouble reading it, whereas the >newer models didn't. The real strange thing was that >sometimes< the >drive would read the disk, and >sometimes< it wouldn't. The disk >was readable by that drive prior to infection, according to the >user. The message received was a General Failure error. >shrug? At great risk of decapitation I'll "stick my neck out" and make a comment. (I assume Karyn is responding to Vesselin's (?) challenge on this point.) What we observe here is a typical problem in virus "analysis": there are two approaches that can be taken. One can disassemble the virus and thereby "know" its every characteristic, in principle, or one can rigorously test the virus, and "observe" a set of behaviors. Each method has drawbacks. If we analyse the code, we may fail to take into account how each byte of code might cause the virus to behave with unusual hardware. (Viruses have bugs, too, and they aren't always identified by reverse engineering.) Another error is one I fell into early into the "Empire" virus studies: I rather haughtily declared that the Empire virus does not change bytes in data files, because I thought I had seen and studied all (three) variants of the Empire virus. I was grossly mistaken: there where at least 14 other variants I hadn't yet come across, three of which DO "diddle" data. I'm sure Vesselin wouldn't make such a mistake, though! The problem with the second approach to virus analysis is that the virus may have all manner of "latent" surprises, the conditions of which haven't yet occured. Come to think of it, I once got hit by this error, too! With the "Happy Halloween" virus, I found out quite by accident that its "bomb" was set to go off not only on Halloween, but also on Christmas Day! Fortunately I was testing on a properly isolated system. In the case under discussion, I think the observed 1.2Mb effect was a hardware coincidence, probably. Though I suspect michelangelo might mess up 720k floppies, the way the Empire does, but I haven't tested this - by either analysis method! Tim. ------------------------------------------------------------- Tim Martin * Soil Science * These opinions are my own: University of Alberta * My employer has none! martin@cs.ualberta.ca * ------------------------------------------------------------- ------------------------------ Date: Fri, 21 Feb 92 14:14:48 -0600 >From: martin@datacomm.ucc.okstate.edu Subject: On reformatting floppies to remove infections (PC) Someone recently raised the question of reformatting infected diskettes. Believe me, you can do it successfully and there is no need to physically destroy any useable magnetic disks. While simply reformatting from a __known__ clean system will, more than likely, be adequate, another good trick is to zap the disk with a bulk tape eraser. These devices are sold in electronics stores and from vendors of audio and video equipment. The idea, here, is to expose the diskette to the alternating field of a very powerful electromagnet. The field is many times more powerful than the field emitted by the read-write head on your disk drive and it totally obliterates any vestiges of formatting or data. The end result is a diskette which is probably magnetically cleaner than it was the day it was made. It will, of course, need to be reformatted before use. There is absolutely no way in the universe that any sabotage program can survive this process, nor for that matter, any data so be sure you want to do this. Finally, there is a correct way to use a bulk eraser for maximum effectiveness. Don't turn the magnet on or off while near the diskette that you are erasing. This will leave the disk magnetized when you are finished. After holding the eraser at arm's length, turn it on and bring it and the doomed diskette together. Wipe the bulk eraser in a circular motion over the diskette a few times and then move the two objects apart before turning the eraser off. Martin McCormick Amateur Radio WB5AGZ Oklahoma State University Computer Center Data Communication sGroup Stillwater, OK ------------------------------ Date: Fri, 21 Feb 92 14:22:00 -0600 >From: SESTRAUSS@stthomas.edu Subject: Re: F-Prot 2.02D/DOS 2.11 (PC) Lynne Meeks wrote... >We're having some trouble getting F-Prot (2.02D) to run successfully >with AT&T DOS 2.11 (Yes, I know this is very old but fiscal >constraints what they are not everyone has upgraded to a modern >version of DOS) > >What happens is we run F-Prot and get the message: >'*.TX0 not found' >then we get the DOS prompt > >The English.TX0 file IS there; the same F-prot disk works fine on >the same machine with 3.2 or 3.3 DOS. > >BTW,yesterday, the same experiment with 2.02B yielded > * >and then the DOS prompt. > > Anyone else with old DOS experiencing this? I KNOW the correct answer >is to upgrade DOS, but any insights on how to cope with what we've got >would be much appreciated! Thanks. I have had the same problem on a Northgate 286 running MS-DOS 3.3. F-Prot runs fine off the floppy drive, but will not run from the hard disk. We successfully installed the same version of F-Prot 2.02 on several other PCs. Sharon Strauss University of St. Thomas Computing Center ------------------------------ Date: Fri, 21 Feb 92 23:05:52 +0000 >From: russur@convex.com (Russ Urquhart) Subject: Quick way to check for Mich on PC's (PC) This is my first time on this groups, so if this has been asked before, please forgive me! In either case, is there a quick way to determine if the PC's in my group have been infected with Michelangelo? Some memory location? SOmething I can check. I tried someone's suggestion of fdisk /mbr, but since we have Dos 3.3, this didn't have any effect! Any help is appreciated! Thanks again Russ ------------------------------ Date: Sat, 22 Feb 92 01:25:07 +0000 >From: bjpocock@descartes.waterloo.edu (Beastor the Mad) Subject: Possible virus? (PC) Ok... here is the problem. I have just put up a BBS, and have just started downloading files from other BBS's. I bought myself Central Point Anti Virus, and just recently got an update, since I knew that BBSing was dangerous. I have recently (yesterday) had this problem with my system... it states COMMAND.COM is invalid, cannot load COMMAND system halted. Then I have to reboot. Now, I've been playing around with the system, and when I copy the command.com file from my disk to my HD, it sometimes is alright for a while (until I run about half a dozen programs). The times it doesn't work is when I have the following statement in my config.sys file: DEVICE=C:\ra\bnu.sys (fossil driver for my BBS) When this statement is in there, it doesn't work at all. I keep getting that message appearing when I boot. Now, I've done lots a crap to try to figure out what is going on... VSAFE is installed, BOOTSAFE is installed, I've done a slow detection on all files with the CPAV, I've recopied all my dos files from my originals, I've copied all my friends DOS files from their originals, I've deleted my BNU.SYS file and downloaded another copy, i've done a hard disk analysis, etc... I've noticed that something might be wrong with my command.com and autoexec files, cause when I copy them to my System disks the system goes down again. There is nothing wrong with the files though, as I haven't changed them for 6 months, until my bbs, then only moderately. When I change back to my old Auto and Config files, the system still doesn't work. I've deleted all my auto and config files, and made new ones up... still to no avail. ANYONE OUT THERE HAVE AN IDEA WHAT IS WRONG... IF THERE IS A VIRUS WITH THESE SYSTEMS? Another question here... I know that this one guy is producing viruses and uploading these files to other systems. I've found that these viruses have come out of his computer: 1. Michelangelo's 2. Yankee Doodle 41, 39, 24, 25 3. Aids 2 4. Stoned 5. Joshi 6. Ghost Balls 7. April 1st D Thing is, all his programs work fine for him, I've asked him if his system is alright (while he was on my BBS). He said yeah. Now unless he scans every time he downloads something, and forgets to clean them before he uploads, then something funny is going on... WHAT SHOULD I DO? CALL THE COPS? -BEASTOR THE MAD (virus killer) ------------------------------ Date: Sat, 22 Feb 92 07:56:01 +0000 >From: wales@CS.UCLA.EDU (Rich Wales) Subject: What does Ping Pong B virus do? (PC) What does the "Ping Pong B" virus do to a system? A friend of mine got "Ping Pong B" on her PC from another system via a floppy. She asked me for help after she was no longer able to run WordPerfect (4.2 or 5.0). We managed to eradicate the virus from her hard disk and the floppy (she said she hadn't tried to use any other floppy since the problem started, so we only needed to contend with the one floppy). After doing this, she could once again use WordPerfect. All I've been able to find out about Ping Pong B is that it's a boot sector virus, reduces available system memory by 2K bytes (just like Michelangelo), and keeps WordPerfect from running. Is there anything else that Ping Pong B does to a system? If my friend's brother (whose system was probably where she got the virus from) doesn't act quickly to eliminate it on his machine, what kind of risk is he facing? - -- Rich Wales // UCLA Computer Science Department 3531 Boelter Hall // Los Angeles, CA 90024-1596 // +1 (310) 825-5683 ------------------------------ Date: Fri, 21 Feb 92 15:59:13 +0000 >From: samba.acs.unc.edu!Jesse.Taylor@mcnc.org (Jesse Taylor) Subject: Re: WDEF infection at a school (Mac) I would say talk to the computer lab person at your child's school and see if you can find a way to find out te person who put it there in the first place... Run a virus-checker init off the startup disk and have it check all the disks people bring in... ------------------------------ Date: Fri, 21 Feb 92 17:25:37 +0000 >From: st910856@pip.cc.brandeis.edu Subject: Re: WDEF infection at a school (Mac) sure, the method we use here at Bradeis to keep our startups clean is a program called Disinfectant by John Nortstad. The detector/stopper is free distribution but the disinfectant might not be. Works fairly well. Mike Yalter ------------------------------ Date: Sun, 09 Feb 92 22:31:36 -0500 >From: FRYSTD@ACAD.LVC.EDU (Michael Fry) Subject: Distributing info and shareware We would like to distribute information and make shareware available to PC users in the area, to help reduce the possibility of March 16 carnage to hard disks around here. Maybe not all whom we'd like to reach are familiar with the shareware concept. We want to include a disclaimer and a short explanation (and plea). (In addition to materials included with each package, which we are distributing intact.) Stole from one shareware package to get this: XXXXX College does not guarantee reliablilty or offer support for use of these packages, nor does the College endorse them. These are being made available only as a service. Each of these packages is copyrighted, and is distributed under the Shareware concept. This allows users to evaluate software for a short time to determine if it is useful to them. If you decide the software is of value to you and decide to keep and use, you are required to register it with the owner of the copyright (not XXXXX College). Information can be found in the accompanying .DOC files. If Association of Shareware Professionals members have a canned version of this for an institution to use to help with shareware cooperation, we'd be glad to use it. Mike Fry Math Sci Dept. Lebanon Valley College Annville PA 17003 frystd@acad.lvc.edu ------------------------------ Date: Thu, 20 Feb 92 19:32:00 -0500 >From: Subject: RE: "Executive Guide to Computer Viruses" from NCSA? In Virus-L (137) Rich Travsky writes: >In an article on the Michelangelo virus, the February 12th Network World >mentions an "Executive Guide to Computer Viruses" ($24.95 from the NCSA). >Anyone seen this guide? Is it a worthwhile thing to pursue? Actually, I'm the author of this book. It is targeted toward the corporate or government microcomputer manager (as well as individual users and aims to educate them to the problem and provide ways to combat it. It's written in a straight-forward manner, which should be easily comprehensible to users of all levels. It seemed (a year or two ago when the book was conceived) that there was a void in the available literature: most was written for either highly technical users or complete neophytes. The Executive Guide fits somewhere in between. I've reproduced the table of contents here: Table of Definitions and Abbreviations Virus Overview Computers and Biology The Viruses Virus Prevalence Viruses and Computer Networks Detection and Removal A Peek into the Other Side Virus Research Virus Legislation Practical Suggestions Policy Recommendations The Future of Viruses Appendix A: Cures for Common Viruses Appendix B: The Boot Process Appendix C: Creating and Anti-Viral Diskette The second edition has just entered publication this week. Call the National Computer Security Association (NCSA) at 1-800-488-4595 to order. Hope this helps... Charles ********************************************* *RUTSTEIN@HWS.BITNET (Charles B. Rutstein) * * "Fourty-Two" -- Ford Prefect * ********************************************* ------------------------------ Date: Fri, 21 Feb 92 20:09:00 +0700 >From: MARK Subject: Re: General Virus information ? Hello, I would appreciate if anyone could send some general information regarding behavioural characteristics of viruses. In particular,characterisation of those properties that would be detectable by an experienced programmer if they were given a virus-infected source code program. Also characteristics of viruses and characterisation of clues to virus-like behaviour. Mark Tierney University College Dublin Ireland. ------------------------------ Date: Sat, 22 Feb 92 05:37:41 -0600 >From: j-norstad@nwu.edu (John Norstad) Subject: Disinfectant 2.6 (Mac) Disinfectant 2.6 February 22, 1991 Disinfectant 2.6 is a new release of our free Macintosh anti-viral utility. Version 2.6 detects the new MBDF virus and Trojan horse. The MBDF virus was discovered in Wales. Several popular Internet archive sites contained some infected games for a short period of time, so a number of people around the world were affected. The games were named "10 Tile Puzzle" and "Obnoxious Tetris." In addition to these two games, a third game named "Tetricycle" or "tetris-rotating" was a Trojan horse which installed the virus. Disinfectant identifies both infected files and the Trojan horse as being infected by the MBDF virus. Repairing an infected file removes the virus and returns the file to the state it was in before being infected. Repairing the Trojan horse renders it ineffective and inoperable. The MBDF virus is similar to the MDEF virus. It infects both applications and the System file. It also usually infects the Finder and several other system files. The System file is infected as soon as an infected application is run. Other applications become infected as soon as they are run on an infected system. The MBDF virus is non-malicious, but it can cause damage. In particular, the virus takes quite a long time to infect the System file when it first attacks a system. The delay is so long that people often think that their Mac is hung, so they do a restart. Restarting the Mac while the virus is in the process of writing the System file very often results in a damaged System file which cannot be repaired. The only solution in this situation is to reinstall a new System file from scratch. We also have reports that the MBDF virus causes problems with the "BeHierarchic" shareware program, and reports of other menu-related problems on infected systems. The MBDF virus is named after the type of resource it uses to infect files. MBDF resources are a normal part of the Macintosh system, so you should not become alarmed if you see them with ResEdit or some other tool. Special thanks to the people at Claris who included self-check code in their Macintosh software products. Their foresight resulted in an early detection of the virus, and has thus helped the entire Mac community. We strongly encourage other vendors to consider doing the same with their products. There are a few other minor changes in version 2.6: We improved the "busy file" error message. In particular, we no longer advise System 7 users to "try again without MultiFinder." The document was revised. In particular, we now mention more System 7 issues in the main body of the document, not just in the special "System 7 Notes" section. In previous versions of Disinfectant, we recommending creating a special "virus tools" startup disk. With newer versions of the Mac system, and with System 7 in particular, this is no longer possible. The document has been revised appropriately. Disinfectant 2.6 is available now via anonymous FTP from site ftp.acns.nwu.edu [129.105.113.52]. It will also be available soon on sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac, America Online, CompuServe, GEnie, Delphi, BIX, MacNet, Calvacom, AppleLink, and other popular sources of free and shareware software. Macintosh users who do not have access to electronic sources of free and shareware software may obtain a copy of Disinfectant by sending a self-addressed stamped envelope and an 800K floppy disk to the author at the address given below. People outside the US may send an international postal reply coupon instead of US stamps (available from any post office). Please use sturdy envelopes, preferably cardboard disk mailers. People in Western Europe may obtain a copy of the latest version of Disinfectant by sending a self-addressed disk mailer and an 800K floppy disk to macclub benelux. Stamps are not required. The address is: macclub benelux Disinfectant Update Wirtzfeld Valley 140 B-4761 Bullingen Belgium John Norstad Academic Computing and Network Services Northwestern University 2129 Sheridan Road Evanston, IL 60208 USA Internet: j-norstad@nwu.edu John Norstad Academic Computing and Network Services Northwestern University j-norstad@nwu.edu ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 40] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253