VIRUS-L Digest Friday, 28 Feb 1992 Volume 5 : Issue 46 Today's Topics: Re: Preventing virus infection by disabling the hard disk (PC) Kamikaze virus? (PC) 3.5 Michaelangelo (PC) Re: Quick way to check for Mich on PC's (PC) Re: What does Ping Pong B virus do? (PC) Automatic Virus Removal Question (PC) re: A quick Michelangelo question (PC) DOS PC Virus? Help? (PC) Commercially-Available Michelangelo (PC) False Rumor about Virus (PC) Help me identify a virus? (PC) Symantec AntiVirus (Michelangelo only) code? (PC) V2P6 VIRUS (PC) Re: A quick Michelangelo question (PC) CIAC Bulletin C-17: MBDF A on Macintosh (Mac) Re: WDEF infection at a school (Mac) Cornell MBDF Press Release (Mac) Mac MDBF and SAM 3.0 (Mac) fixutil3 from A. Padgett Peterson (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 26 Feb 92 09:46:14 -0600 >From: martin@datacomm.ucc.okstate.edu Subject: Re: Preventing virus infection by disabling the hard disk (PC) > Before testing new software on my 286/386 machines, I disable the hard > disk by changing the CMOS hard disk type to 0 and reboot from a First of all, I make this statement without ever having experimented with a present generation system containing the CMOS hardware configuration setup ability so my opinions are worth just what you paid for them, but I would say, with some confidence that it is possible for a sophisticated virus to bypass any CMOS settings. After all, it is possible for any running program to determine the type of system which is running it. If anything about this system can be set by software, it can be a potential mark for attack. Basically, if you set something from the keyboard or a disk file, somebody else can set it also with their program. Remember, we aren't talking about following all the rules or doing things according to the book. We are talking about field expedience and getting the job done any way one can. If this means doing something totally unorthodox, such as loading "incorrect" values into a BIOS routine, somebody will do it if it makes their sabotage program stealthier or more destructive. I believe that the only sure defense against unwanted software making its way onto a disk is physical hardware control over the ability to write to that disk. If the drive in question is installed and the only thing between it and normal operating conditions is the setting of a few registers, you can be sure that it is vulnerable. Lightening is the only thing I have seen that can bypass an open switch without the operator's consent and lightening sort of renders all other questions academic. Martin McCormick Amateur Radio WB5AGZ Oklahoma State University Computer Center Data Communication sGroup Stillwater, OK ------------------------------ Date: Wed, 26 Feb 92 16:54:26 +0000 >From: miss059@uxa.ecn.bgu.edu (Pug) Subject: Kamikaze virus? (PC) OK, I'm confused. I was running virus dectors on mine and a friends computer last night because the school got infected with a couple this semester. When I run scan, it comes up with nothing. When I run f-prot, it comes up with TURBO.TPL possibly being infected with the Kamikaze virus. I understand that it's possible that the signature for a virus COULD randomly appear, but for some reason I doubt it. This was in turbo pascal 6.0 and we checked it right off the installation disks as well. Anyone have any ideas on this? - -- Richard Bainter Mundanely | "Teachers are supposed to Phelim Utred Gervas Society | teach you *HOW* to learn Pug Generally | not *WHAT* to learn." miss059@uxa.ecn.bgu.edu | pug@ccwf.cc.utexas.edu | pug@wixer.UUCP ------------------------------ Date: Wed, 26 Feb 92 10:52:21 -0600 >From: THE GAR Subject: 3.5 Michaelangelo (PC) Vesselin - I did indeed "swap" from a 5.25" A: drive to a 3.5" A: drive. I have only seen the virus on 360K and 1.2MB disks. Because of this, I have only been able to infect hard drives on machines that use a 5.25" A: drive. After the hard drive is infected, and I confirm the infection by scanning with McAfee SCAN 85, and by infecting a 360K in the A: drive, I turn the machine off, open the case, swap the drive cables around, so that the 3.5" disk is now the A: drive. Then I try everything I can think of on the A: drive, which is now a 3.5", and it won't infect. I format the disk, copy files to it, delete files on it, do directories, all with the virus in memory, and it won't infect the A: drive. I have now tried this on a Zenith 386 running Zenith DOS 4.0, a Zenith 386 running MS-DOS 5.0, a Zenith 159 (8088) running Zenith DOS 3.21, and an IBM PC running PC-DOS 3.2. Nothing will infect A:. /++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\ ! Later + Systems Programmer ! ! Gary Warner + Samford University Computer Services ! ! + II TIMOTHY 2:15 ! \+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/ ------------------------------ Date: Wed, 26 Feb 92 20:03:48 +0200 >From: Tapio Keih{nen Subject: Re: Quick way to check for Mich on PC's (PC) >In either case, is there a quick way to determine if the PC's in my >group have been infected with Michelangelo? Some memory location? >SOmething I can check. One quick way to check if your PC is infected with Michelangelo, Stoned or some other viruses is run CHKDSK on it. If the 'total memory' line tells that the computer got 2048 bytes less RAM than usually, there might be Michelangelo or any other virus which reduces 2048 bytes from the memory. On machines with 640+ kb RAM this would be 653 312 bytes when it is normally 655360 bytes. There are some other things which reduce the amount of total free RAM (for example some device drivers), so you if you find an unexpected value, you should check the suspecting computer with a good antivirus program (F-Prot and Scan are both good av programs, IMHO) before yelling 'VIRUS!'. - -- Tapio Keihanen / Mesiheinank 2B6 / 33340 Tampere / Finland - -=-=-=-=-=-=-=-=-=-=-=-= /---\ /---/ / /\ -=-=-=-=-=-= I WANT TO BUY YOUR RARE =|| | =|| | =| | RECORDINGS! - -=-tapio@nic.funet.fi-=- /---/ /---\ \/_/ =-=-=-=-=-=- ------------------------------ Date: Wed, 26 Feb 92 20:14:58 +0200 >From: Tapio Keih{nen Subject: Re: What does Ping Pong B virus do? (PC) >We managed to eradicate the virus from her hard disk and the floppy >(she said she hadn't tried to use any other floppy since the problem >started, so we only needed to contend with the one floppy). I would check every floppy... Ping Pong B infects every accessed non-write protected floppy. That means, if you got an disk which is not write protected and do a DIR on it, Ping Pong B will infect it at the same time. >Is there anything else that Ping Pong B does to a system? Ping Pong B produces a bouncing ball on the screen after being resident for some time (If my memory serves, the time is 30 minutes but I'm not sure) and if the disk is accessed at the same time. - -- Tapio Keihanen / Mesiheinank 2B6 / 33340 Tampere / Finland - -=-=-=-=-=-=-=-=-=-=-=-= /---\ /---/ / /\ -=-=-=-=-=-= I WANT TO BUY YOUR RARE =|| | =|| | =| | RECORDINGS! - -=-tapio@nic.funet.fi-=- /---/ /---\ \/_/ =-=-=-=-=-=- ------------------------------ Date: Wed, 26 Feb 92 12:21:27 -0500 >From: Greg Monroe Subject: Automatic Virus Removal Question (PC) I am brand new to this list so if this has been a constant re-occuring topic, please pardon me. First some background: Here at Duke's Fuqua School of Business, we are getting ready to add hard disks to our student network PCs. Of course, we are conserned about Virus detection and removal on these. For a variety of reasons, we had decided on using a scan and fix approach rather than TSR monitoring. In other words, when a HD machine logs into the student network, it is scanned for viri and if infected, automatic corrective action is taken. Now for the question, do any of you viri-busters see major problems with the following scheme for corrective action? Once a Virus is found, via our scan program (VIREX from Microcom), the PC's Master Boot record, the partition table, and CMOS are restored from a Novell RO protected directory (Virex supplies such a utility). The hard disk is reformatted (students are told repeated not to store stuff here). The files are restored from the network. Finally, the PC is forced to do a cold reboot. The prototype for this process only takes about 3 minutes. This should take care of most of the common viri that I know about. However, you never know.... Also, the format process used is DOS 5.0's "Quick format". Is the danger of not clearing the data area greater than the time savings it generates? Thanks for any comments on this scheme. Greg Monroe Duke's Fuqua School of Business Durham, NC 27706 ------------------------------ Date: Wed, 26 Feb 92 14:36:36 -0500 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: re: A quick Michelangelo question (PC) >From: LARRY MATEO > A recent article in >a local newspaper sta ted that the virus can be spread from a floppy >diskette to a hard drive simply by doing a DOS dir of the floppy disk. >I think this is an incorrect statement. I could but it can't so you are right (hey folks, the Michelangelo is just another nastily hacked STONED by an antisocial individual, it is not the virus that ate Cleveland.) Incidently it takes a whole 10 (decimal, not hex) generic bytes at BIOS time to detect every MBR infector I have seen thusfar (including Brain, Yale, Evil Empire, Stoned, Joshi, Michelangelo, and all their cousins). "Stealth" just makes it easier. When are the O/S manfacturers going to wake up ? Warmly, Padgett padgett%tccslr.dnet@mmc.com Opinions are all my own... ------------------------------ Date: Wed, 26 Feb 92 16:32:17 -0500 >From: mds1@ihlpb.att.com (Marc D Sayre) Subject: DOS PC Virus? Help? (PC) Please Help! I have a Zeos 386sx portable with a 3.5inch - 1.44MB floppy drive and 30MB hard disk. If I boot off of the hard drive I encounter sector read errors when trying to access the floppy drive (A:). Further investigation with a PC tool show that the machine thinks my drive A: is a 360K 5 1/4" drive. If I boot off of a DOS disk in the A: drive I have no read errors on the floppy and the PC tool shows that the drive is a 3.5" 1.44MB drive. If I go into the CMOS setup it reports a 3.5" - 1.44 MB drive for A:. I have seen many of the postings regarding Michaelangelo and other boot viruses so I ran the DOS CHKDSK command. The total memory reported was 649,xxx instead of 655,360. This leads me to believe that something is in memory that should not be. I ran SCAN 8.1V85 and came up with no viruses found. I also ran something called Vaccine III (Ahn Cheolsoo) and it reported that the system probably has an unknown boot virus. ???????????????????????????????????????????????????????????????? Does this scenario sound familiar to any known viruses? Will SCAN 8.1V85 pick up the 'Mike' virus and other 'Stoned' type viruses. Is there something I can get 'freeware' or 'cheapware' to find the latest viruses? ???????????????????????????????????????????????????????????????? Any help, hints, suggestions would be appreciated. =========================================================================== | Marc Sayre | | | AT&T Bell Labs | If you continue to do what you have | | Naperville, IL | always done, you will continue to get | | att!ihlpb!mds1 | what you always have! | | (708) 224-7506 | | =========================================================================== ------------------------------ Date: 26 Feb 92 15:58:00 -0600 >From: "William Walker C60223 x4570" Subject: Commercially-Available Michelangelo (PC) Two more: 1. R.S. Means Company, Inc. has sent a notice to many of its customers, including 5.25" and 3.5" diskettes with McAfee's ViruScan and CleanUp and a 5-day license to use them. The company indicated that it had found Michelangelo on some of the firm's computers, and was sending the anti-virus software to its customers as a service to them. The notice did not specifically name any software which may have been distributed with the virus. It may be possible that no software at all was distributed infected. If this is the case, then this is truly "dedication to service to our customers" (their words). The two versions of the R.S. Means estimating software which we use here (FY91 and FY92) were both clean, as were the associated data disks and the registration disk. 2. We have had one computer infected with Michelangelo here, which we were fortunately able to catch before it spread. The APPARENT source was a write-protected diskette which came with a Chicony keyboard with built-in trackball. The diskette is labelled "Tracking-Ball Utility Diskette Version 1.00." The documentation had no phone number or address (not a Good Thing), but we did notify the distributor and report our suspicions, who will notify Chicony in turn if they uncover anything. Can anyone else confirm this? How many does that make now? Bill Walker ( WALKER@AEDC-VAX.AF.MIL ) | OAO Corporation | "Some days you just can't get Arnold Engineering Development Center | rid of a bomb!" M.S. 120 | -- Adam West, "Batman" Arnold Air Force Base, TN 37389-9998 | ------------------------------ Date: 26 Feb 92 14:55:00 -0800 >From: "LUSTIG, ROB L." Subject: False Rumor about Virus (PC) Hi, I read some disturbing news in a SIG on a BBS that said if you type HAPPY BIRTHDAY MICHELANGELO at the DOS prompt, it would disable the virus. I posted a reply stating that it was FALSE and if they have a copy of the virus that responds to that then send it to me so I can forward it on. The person reported that their company (based in Santa barbara) told them this in prevention of the virus. If ANYONE can give a confirmation about this, please let me know, or I will continue to 'educate' the masses B*) Regards, Rob Lustig ------------------------------ Date: Wed, 26 Feb 92 19:30:42 -0500 >From: Sid Subject: Help me identify a virus? (PC) Sorry i don't read this newgroup... Why would anyone unless you like answering frantic people's questions? Anyway... My mother called me saying that here 200 Meg harddrive (yes I do hate her) was dead. She took it to someone who I am sure charged her alot and said "Umm it had a virus which replaced information is sectors 2-35 with "E5"." She, wishing to know more contacted me, can anyone identify this virus and will MacAffe find it? Thanks for any info on the Virus. +------------+---------------------------------------------------+ | Sid | SSowder@kiwi.ucs.indiana.edu | +------------+---------------------------------------------------+ | Lyric of the Week: "...I've got a strong urge to fly, but I | | got nowhere to fly to" -Roger Waters | +----------------------------------------------------------------+ | Flying Leap NEW ADDRESS sl291003@silver.ucs.indiana.edu | | Server commands SELLLIST, BOOTLIST, and BOOTHELP are working. | +----------------------------------------------------------------+ ------------------------------ Date: Thu, 27 Feb 92 00:02:09 +0000 >From: raj@ics.uci.edu (Richard A. Johnson) Subject: Symantec AntiVirus (Michelangelo only) code? (PC) Symantec Corp. is giving out ("free" if you pay $9 for shipping and handling) special copies of their program AntiVirus which detect and remove only the Michelangelo virus. They also have it available from their publicly accessible bulletin board, however I don't seem to have access to a dialout line in such a way that I can run kermit on it (I can do text, but no file transfers). Does anyone have a copy of this antivirus program which would be publicly FTPable on the Internet? Just curious. (I don't normally read this bboard so please respond to me directly. If there's enough interest I'll post a summary...) - ----------------------------------------------------------------------------- U.S. Postal Monopoly address: Other addresses: Richard A. Johnson raj@ncgia.ucsb.edu (Internet) NCGIA Computing Resources Manager ucbvax!ucivax!raj (UUCP) Geography Department raj@VOODOO (via BITNET) U. C. Santa Barbara (805) 893-4677 (Phone) ------------------------------ Date: Thu, 27 Feb 92 03:20:53 +0000 >From: segrove@pbhya.PacBell.COM (S. E. Grove) Subject: V2P6 VIRUS (PC) One of my co-workers ran virex-pc 2.0 on his 486 and it declared that powermenu was infected by the virus v2p6. He doesn't beleive he has done anything to infect the pc, and he hasn't had it very long. The same program on his old pc is clean and that is where he got powermenu from. Questions: 1) What does V2P6 do to a pc? 2) Is it possible that virex-pc 2.0 is in error? Stephen Grove Comm. Tech. ESS Pacific Bell segrove@pbhya.PacBell.COM PacBell.COM!{rtpkh0,rtpkh1,rtpkh3,rtpkh4}!segrove ------------------------------ Date: Thu, 27 Feb 92 10:49:10 +0100 >From: Martin_blas Perez Pinilla Subject: Re: A quick Michelangelo question (PC) LARRY MATEO writes: > From information I've read about the Michelangelo virus, it seems that > the virus can be spread from an infected floppy diskette to a hard > drive only by attempting to boot from the floppy. A recent article in > a local newspaper sta ted that the virus can be spread from a floppy > diskette to a hard drive simply by doing a DOS dir of the floppy disk. > I think this is an incorrect statement. You are right. The viral code _must_ be executed to get infected, that is, you must boot from a infected floppy to infect the HD. Then, a DIR A: will infect any floppy. _Never_ trust the newspapers (or the CNN :-)) as information source in virus affairs; they are absolutely unreliable. Regards, - -mb M.B. Perez Pinilla | mtppepim@lg.ehu.es | Write 10^6 times: Departamento de Matematicas | "I'll never waste bandwidth" Universidad del Pais Vasco | SPAIN ------------------------------ Date: Wed, 26 Feb 92 11:08:45 -0800 >From: karyn@cheetah.llnl.gov (Karyn Pichnarczyk) Subject: CIAC Bulletin C-17: MBDF A on Macintosh (Mac) NO RESTRICTIONS _____________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ INFORMATION BULLETIN New Virus on Macintosh Computers: MBDF A February 25, 1992, 1130 PST Number C-17 ________________________________________________________________________ NAME: MBDF A virus PLATFORM: Macintosh computers-except MacPlus and SE (see below) DAMAGE: May cause program crashes SYMPTOMS: Claris applications indicate they have been altered; some shareware may not work, unexplained system crashes DETECTION & ERADICATION: Disinfectant 2.6,Gatekeeper 1.2.4, Virex 3.6, VirusDetective 5.0.2, Rival 1.1.10, SAM 3.0 ________________________________________________________________________ Critical Facts about MBDF A A new Macintosh virus, MBDF A, (named for the resource it exploits) has been discovered. This virus does not appear to maliciously cause damage, but simply copies itself from one application to another. MBDF A was discovered at two archive sites in newly posted game applications, and has a high potential to be very widespread. Infection Mechanism This virus is an "implied loader" virus, and it works in a similar manner to other implied loader viruses such as CDEF and MDEF. Once the virus is active, clean appliacation programs will become infected as soon as they are executed. MBDF A infects only applications, and does not affect data files. This virus replicates under both System 6 and System 7. While MBDF A may be present on ALL types of Macintosh systems, it will not spread if the infected system is a MacPlus or a Mac SE (although it does spread on an SE/30). Potential Damage The MBDF A virus has no malicious damaging characteristics, however, it may cause programs to inexplicably crash when an item is selected from the menu bar. Some programs, such as the shareware "BeHierarchic" program, have been reported to not operate correctly when infected. Applications written with self-checking code, such as those written by the Claris corporation, will inform the user that they have been altered. When MBDF A infects the system file, it must re-write the entire system file back to disk; this process may take two or three minutes. If the user assumes the system has hung, and reboots the Macintosh while this is occuring, the entire system file will be corrupted and an entire reload of system software must then be performed. This virus can be safely eradicated from most infected programs, although CIAC recommends that you restore all infected files from an uninfected backup. Detection and Eradication Because MBDF A has been recently discovered, only anti-viral packages updated since February 20, 1992 will locate and eradicate this virus. All the major Macintosh anti-viral product vendors are aware of this virus and have scheduled updates for their products. These updates have all been available since February 24, 1992. The updated versions of some products are Disinfectant 2.6, Gatekeeper 1.2.4, Virex 3.6, SAM 3.0, VirusDetective 5.0.2, and Rival 1.1.10. Some Macintosh applications (such as the Claris software mentioned above) may contain self-verification procedures to ensure the program is valid before each execution; these programs will note unexpected alterations to their code and will inform the user. MBDF A has been positively identified as present in two shareware games distributed by reliable archive sites: "Obnoxious Tetris" and "Ten Tile Puzzle". The program "Tetricycle" (sometimes named "Tetris-rotating") is a Trojan Horse program which installs the virus. If you have downloaded these or any other software since February 14, 1992 (the day these programs were loaded to the archive sites), CIAC recommends that you acquire an updated version of an anti-viral product and scan your system for the existence of MBDF A. For additional information or assistance, please contact CIAC: Karyn Pichnarczyk (510) 422-1779 or (FTS) 532-1779 karyn@cheetah.llnl.gov Call CIAC at (510)422-8193/(FTS)532-8193. Send e-mail to ciac@llnl.gov PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Some of the other teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your agency's team will coordinate with CIAC. CIAC would like to thank Gene Spafford and John Norstad, who provided some of the information used in this bulletin. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. ------------------------------ Date: Wed, 26 Feb 92 19:26:39 +0000 >From: djrank00@mik.uky.edu Subject: Re: WDEF infection at a school (Mac) Since WDEF rides the Desktop file (the basic directory file), to get rid of a WDEF infection on a disk, all you have to do is rebuild the Desktop of the suspected disk. For a floppy, hold the Option and Command keys down as you insert the disk, or for a hard drive as the machine starts or the Finder restarts. Also, System 7.x is immune to WDEF, because the Desktop for the new system behaves differently than for 6.0.x. (Info courtesy Disinfectant help files) Since rebuilding the Desktop is recommended by Apple every month or so anyway, it's an easy way to make sure that WDEF doesn't sneak in on you anyway. ------------------------------ Date: Wed, 26 Feb 92 15:32:02 -0500 >From: mha@baka.ithaca.ny.us (Mark Anbinder) Subject: Cornell MBDF Press Release (Mac) _____________________________________________________ PRESS RELEASE ISSUED BY CORNELL NEWS SERVICE 2/25/91 Students charged with releasing computer virus By Linda Grace-Kobas Following a university investigation that tracked a computer virus and its originators, two Cornell students were arrested and charged with computer tampering for allegedly launching a computer virus embedded in three games into national computer archives. Arraigned Feb. 24 in Ithaca City Court were David S. Blumenthal, 19, a sophomore in the College of Engineering, and Mark Andrew Pilgrim, 19, a sophomore in the College of Arts and Sciences. They were charged with computer tampering in the second degree, a Class A misdemeanor. The pair is being held in Tompkins County Jail with bail set at $2,000 cash bond or $10,000 property bond. At a hearing Tuesday afternoon, Judge Sherman returned the two to jail with the same bond and recommended that they remain in jail until at least Friday pending the federal investigation. A preliminary hearing is set for April 10. Both students were employed by Cornell Information Technologies, which runs the university's computer facilities. Pilgrim worked as a student operator in an Apple Macintosh facility from which the virus is believed to have been launched. The university's Department of Public Safety is working with the Tompkins County district attorney's office, and additional charges are expected to be filed. The Federal Bureau of Investigation has contacted the university to look at possible violations of federal laws, officials said. The Ithaca Police Department is also assisting in the investigation. "We absolutely abhor this type of behavior, which appears to violate the university's computer abuse policy as well as applicable state and federal law," commented M. Stuart Lynn, vice president for information technologies, who headed the investigation to track the originators of the virus. "Cornell will pursue all applicable remedies under our own policies and will cooperate with law enforcement authorities." Lynn said Cornell was alerted Feb. 21 that a Macintosh computer virus embedded in versions of three computer games, Obnoxious Tetris, Tetricycle and Ten Tile Puzzle, had possibly been launched through a Cornell computer. A virus is normally embedded in a program and only propagates to other programs on the host system, he explained. Typically, when an infected application is run, the virus will attack the system software and then other applications will become infected as they are run. The virus, MBDF-A, had been deposited on Feb. 14 directly and indirectly into several computer archives in the U.S. and abroad, including SUMEX-AIM at Stanford University and archives at the University of Texas, the University of Michigan and another in Osaka, Japan. These archives store thousands of computer programs available to users of Internet, the worldwide computer network. Macintosh users who downloaded the games to their computers were subject to a variety of problems, notably the modification of system software and application programs, resulting in unusual behavior and possible system crashes. Apparently, there was no intent to destroy data, Lynn said, but data could be destroyed in system crashes. Reports of the virus have been received from across the United States and around the world, including Wales, Britain, Lynn said, adding that he has no estimate for the number of individuals who might have obtained the games. As soon as the virus was identified, individuals and groups across the country involved with tracking viruses sent messages across computer networks to alert users who might have been affected by the virus, Lynn added. The virus has since been removed from all archives and "disinfectant" software available to the Internet community has been modified so that individual Macintosh users can purge their computers of it. "Our sense is that the virus was controlled very rapidly," he said. In 1988, Cornell received national attention when graduate student Robert T. Morris Jr. launched a computer virus into important government and university research networks. That virus, actually considered a "worm" since it was self-perpetuating, caused major damage in high-level systems. Morris was convicted under the 1986 Computer Fraud and Abuse Act and fined $10,000, given three years probation and ordered to do 400 hours of community service by a federal judge in Syracuse, N.Y. The new virus differs greatly from the Morris worm, Lynn said. "This virus is not to be compared with the Morris worm, which independently moved from machine to machine across the network," he explained. All Macintosh users should take appropriate measures to be certain their systems are not infected with the virus. News Service science writer William Holder also contributed to this report. - -- Mark H. Anbinder 607-257-2070 - FAX 607-257-2657 BAKA Computers, Inc. QuickMail QM-QM 607-257-2614 200 Pleasant Grove Road mha@baka.ithaca.ny.us Ithaca, NY 14850 ------------------------------ Date: Wed, 26 Feb 92 14:58:03 -0800 >From: dan@lclark.edu (Dan Revel) Subject: Mac MDBF and SAM 3.0 (Mac) Will SAM 3.0 detect the MDBF virus? Thanks. - -- Dan Revel (dan@lclark.edu) Network Manager Me transmittem sursum, Caledoni! Lewis & Clark College ------------------------------ Date: Wed, 26 Feb 92 22:28:00 -0500 >From: HAYES@urvax.urich.edu Subject: fixutil3 from A. Padgett Peterson (PC) Hi. Just received and will make available an update for A. Padgett Peterson's FIXUTIL series. The program is now named FIXUTIL3.ZIP Site: urvax.urich.edu, IP# 141.166.1.6 Directory: msdos.antivirus Login: anonymous Password: your_email_address At login, the user is in the anonymous directory. typing: cd msdos.antivirus will place the user in the proper directory for this file. Best, Claude. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 46] ***************************************** Downloaded From P-80 International Information Systems 304-744-2253