VIRUS-L Digest   Monday,  2 Mar 1992    Volume 5 : Issue 49

Today's Topics:

Just wondering re Jerusalem-B, Michelangelo? (PC)
Re: exact damage of Michelangelo on 3-06 (PC)
Request for information re Brain, Jerusalem B, Stoned (PC)
New Viruses ? Bloomington,FLOM (PC)
McAfee's CLEAN and F-Prot against FORM virus (PC)
Damage Tally Proposal - Michelangelo (PC)
Michelangelo virus (PC)
Who knew his Birthday? (PC)
Re: Which Package is Best? (PC)
What is the best way to protect against Michelangelo (PC)
ircop!Help! (PC)
Drug Rehab - Stoned (PC)
Print screen virus? (PC)
Re: F-prot and non-executable files (PC)
Re: New virus????? (PC)
Re: Surviving warm reboot (PC)
McAfee SCAN or VSHIELD pickup Michelangelo? (PC)
Disabling boot from floppy? (PC)
Re: bulk eraser
Virus-L on a CD-ROM?

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 28 Feb 92 02:46:31 -0500
From:    I'M NOT JUST A NUMBER!
Subject: Just wondering re Jerusalem-B, Michelangelo? (PC)

Maybe I just have bad luck.  But in the past 11 months, I've been
infected with Jerusalem-B virus....11 times!!!!
Since I have VSHIELD installed, I'm not so worried about any viruses
spreading, but quite frankly, I'm bored with Jerusalem-B...Where is
the infamous Michelangelo?

If anyone else has been infected more than 11 times, and you want to
take the time to let me know, please do!  I'd love to hear about it;
it might make me not feel so unfortunate.

Thanks in advance!

Andre Comeau in Maine!
IO10968@MAINE.maine.edu
===--->LIFE<---=== GOES ON  (So I'm outa here!)

------------------------------

Date:    Thu, 27 Feb 92 20:01:52 -0600
From:    steve@lawton.lonestar.org (Steven Tucker)
Subject: Re: exact damage of Michelangelo on 3-06 (PC)

Vesselin, have a quick question for ya.  Regarding virii in general
but perhaps the Michelangelo virus in particular (as it seems to be
the most popular right now), one always reads about "booting from a
clean floppy" and my question is this:  If one boots from an infected
floppy and then scans the disk (floppy or hard) will the
memory-resident virus disable the scan program rendering it unable to
detect the virus in question?  Or will the scanner still pick it up?
If it renders the scanner useless then how does one with only a single
computer get a "clean" copy of a scanner (shareware) to scan a system
since all diskettes must be considered "suspect until they are proven
otherwise".

I had an infection with Jerusalem B last year but it wasn't near as
nasty as this Michelangelo one seems to be and was very easy to detect
and remove.

I appreciate your help on this probably silly question but it is
something I have been wondering about.
Thanks,
Steve
--
DOMAIN: steve@lawton.lonestar.org (Steven Tucker)
UUCP:   ...!rwsys!lawton!steve (Steven Tucker)
Good News II BBS   Lawton, OK USA   +1 (405) 357-0478

------------------------------

Date:    Thu, 27 Feb 92 13:54:00 -0500
From:    racarlton@acs.harding.edu
Subject: Request for information re Brain, Jerusalem B, Stoned (PC)

Now that our name address has been published I'll try this again.

I am looking for a site with information about the Brain, Jerusalem-B,
and Stoned viruses which would be appropriate for a seminar.  Mainly
I'm looking for code samples of the aforementioned viruses.  I
appreciate any help I can get.

Rodney Carlton@acs.harding.edu

------------------------------

Date:    Fri, 28 Feb 92 13:21:36 +0000
From:    laski@hauk.hsr.no.\\ (Skj\
Subject: New Viruses ? Bloomington,FLOM (PC)

Hi all,

Does anyone have any information on the Bloomington and the FLOM
virus?  Which scanners can detect & kill them?

Any kind of information will be most welcome !!!

*--------------------------------------------------------------------------*
| Lars Kaare Skjoerstad      | E-Mail : laski@hauk.hsr.no                  |
| Rogaland University Center | Tlf. : +47-4-874220 ,Fax. : +47-4-874300    |
| P.B. 2557, ULLANDHAUG      | postmaster@hauk.hsr.no                      |
| 4040 STAVANGER , NORWAY    | NetWork Coordinator/Supervisor              |
*--------------------------------------------------------------------------*

------------------------------

Date:    28 Feb 92 14:08:10 +0000
From:    mmeijer@accucx.cc.ruu.nl (Maarten Meijer)
Subject: McAfee's CLEAN and F-Prot against FORM virus (PC)

We - at Academic Computing Centre of Utrecht University (ACCU), the
Netherlands - tried to remove the FORM virus from several hard disks
using McAfee's CLEAN version 8.3B86.  All disks were larger than 60 MB,
formatted with DOS 5.0, some with one large partition, others with
multiple partitions (C:, D:, etc.).
CLEAN always reports removal of the [FORM] virus, but completely
destroys the boot sector of partition C:, making it unreachable at the
next bootstrap.  Although FORM puts the original bootsector at the end
of the hard disk, CLEAN doesn't seem to be able to find it.  So does
F-PROT 2.02D of Fridrik Skulason, but at least this program correctly
reports that it can't find the original bootsector, instead of messing
up the system.

It seems quite simple to locate the original bootsector at the very
end of the hard disk.  Why then do both these programs not succeed?
Of course, the simple remedy against most boot sector viruses is the
DOS SYS command.  But CLEAN even makes things worse!  Maybe someone
from McAfee Associates could explain what's wrong?

--
Maarten Meijer, ACCU, Budapestlaan 8, De Uithof, 3584 CD Utrecht,
Postbus 80011, 3508 TA Utrecht.  Fax: 030-531633
E-mail: mmeijer@cc.ruu.nl

------------------------------

Date:    Fri, 28 Feb 92 08:30:02 -0600
From:    Mickey Waxman
Subject: Damage Tally Proposal - Michelangelo (PC)

March 6 is a Friday.  I expect someone will ask me on Monday, the 9th:
"So, heard of any disks ruined by Michelangelo, or was this just
another hysteria special-interest groups are so fond of whipping up?"
(No, our anti-virus campaign was a complete success ;-)

I'd like to have an answer that encompasses more than just my little
corner of the world so here's what I propose:  If you have (what you
feel are) believable reports of Michelangelo-trashed disks in your
vicinity, keep a tally of the numbers until about Thursday (12th) or
Friday and then send me the totals.  Include, if possible,

  A) Environment of affected computers, e.g., industrial, educational,
     home;
  B) Some indication of reliability of the info, e.g., Solid,
     Not-sure-but-I-believe-it;
  C) City, State/Province/Canton, Country;
  D) details of any particularly tragic losses.

Don't let my tone fool you.  I'm serious about this.
Write the following on a scrap of paper and tape it to your computer:

   Send tally to:  Mickey@UKANVM.CC.UKANS.EDU  or  Mickey@UKANVM.bitnet

I will compile the results, if any, and report here.  As a survey,
this will be almost worthless, but it may give some idea whether this
virus earned its rep, and the distribution might be interesting.  Do
not worry, I will not post names of institutions.

Mickey@Ukanvm
Mickey Waxman          Mickey@Ukanvm.cc.ukans.edu
University of Kansas   USA

------------------------------

Date:    Fri, 28 Feb 92 15:31:59 +0700
From:    Eric Lambermon
Subject: Michelangelo virus (PC)

Dear reader,

Perhaps this is a too simple question for the regular users of this
list (I am new here) but I would like to ask it anyway.

I recently bought Novell Netware and network hardware and now I hear
that there's a risk that this software is infected.

My question is this:  What do I need to scan our computer for viruses?
Is there a list of hex-sequences to import into anti-virus programs?
Is there some public domain wherefrom I can download anti-virus
programs?

Thanks in advance, greetings from Holland,

Eric Lambermon

------------------------------

Date:    Fri, 28 Feb 92 08:50:02 -0600
From:    Mickey Waxman
Subject: Who knew his Birthday? (PC)

Here we don't celebrate Michelangelo's birthday and I doubt anybody
here would have known the signif of 6 March.  Is it different in other
places (Italy?)?  For history's sake ... did the disassembler(s) who
named this virus just happen to know this was M's birthdate or was
there maybe some input from the virus' author as to its significance?

Mickey@ukanvm
Mickey Waxman      Mickey@Ukanvm.cc.ukans.edu
Univ. of Kansas    USA

------------------------------

Date:    Fri, 28 Feb 92 17:06:00 +0200
From:    Y. Radai
Subject: Re: Which Package is Best?
(PC)

Wolfgang Stiller writes (in reply to Vesselin Bontchev):

>     For the benefit of those who are not aware of my product,
>Integrity Master verifies the data integrity of your files and system
>sectors and also contains a very high speed virus scanner under the
>covers.  I do not personally have a copy of Untouchable, but I have
>customers who use both this product and Integrity Master.  They report
>that Integrity Master is more thorough and faster than Untouchable.

My tests do not bear out these claims, at least as regards speed.
Here are the times it took for Integrity Master and UnTouchable to
check all executable files on my hard disk (I threw in McAfee's SCAN
also):

  Known-virus scanner component:   SCAN 86b        3:49
                                   IM 1.02         2:13
                                   UTScan 21.00    1:02

  Generic checker:                 UT full check   2:27
                                   IM              1:59
                                   UT quick check  1:09

Note 1:  As opposed to most "quick checks" and "Turbo modes", UT's
quick check is performed in such a way that for all practical purposes
there is no loss of security, *regardless of how the virus infects*.
Note 2:  UTScan's speed is not decreased by addition of more viruses.

>It apparently detects more known viruses with its scanner component

I don't know how good the IM scanner rates, but according to the Feb.
issue of the Virus Bulletin (p. 23), Ver. 19.04 of the UTScan
component of UT detected 73% of the viruses in their "standard" set
and 81% in their "acid" test.  Now these percentages are relatively
low (although I think they would be considerably higher if only
commonly occurring viruses were used in the comparison).  But how
important is this factor in the case of Untouchable?

For a user who depends *only* on a KVS (Known-Virus Scanner), ability
to keep up with all the latest viruses is essential, and such a low
percentage could not be tolerated.  As for IM, it is generic with
respect to detection, hence a KVS is not needed to detect the fact
that infection has occurred.
However, IM can *restore* files only if they are infected by viruses
which it *specifically recognizes* (assuming backups are not
available), hence a KVS is just as necessary for IM as for those who
use a KVS alone.  In fact, IM is even *more* dependent on a KVS, for
(like all programs based on modification detection) IM must ensure
that the files and boot records are uninfected when checksums are
initially computed.  On the other hand, UT performs *generic
restoration* of files and boot records, hence it requires a KVS only
for the second purpose, not for the first.  With UT, a KVS need be
performed on a given file only once, namely before it is added to the
checksum database (or is replaced by a new version of the file).

Now suppose the worst happens and some files or boot records are
already infected at installation time by a rare virus which is not
recognized by the KVS.  What would be lost then?  In practice, not as
much as people think.  In almost all cases, one can be sure the boot
records are uninfected by using SYS and FDISK/MBR.  Moreover, if some
files happen to be infected by an unknown virus when their checksum is
first computed, that fact will be detected as soon as the virus
infects other files.  So the number of viruses recognized is less
important for Untouchable than for almost any other type of anti-viral
software.  (Nevertheless, because of criticisms of its low scanning
percentage, I am told that the next version of UTScan will detect many
more viruses than the present one; in fact, the version I have (21.00)
is already considerably improved.)

Summary:  UT performs generic disinfection of files; IM does not.
Untouchable is faster than IM, especially with respect to their
known-virus scanners.  IM's scanner probably detects more viruses than
UT's, though I don't think that's as significant as most people assume
it is.  (Btw, I'm not trying to "knock" IM; it seems to be one of the
best packages of its kind.
But then so was V-Analyst 2.3, the predecessor of UT.)

>and finds other discrepancies which Untouchable misses (I'll go into
>these via private mail if you wish).

I'd be glad to hear what you think UT misses.  I'm willing to bet that
there are a couple of types of potential viruses that IM misses.

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    Fri, 28 Feb 92 08:54:00 -0800
From:    OLD FOGIE
Subject: What is the best way to protect against Michelangelo (PC)

Hello.  This may be a completely stupid question, or one that has
already been answered, but...

What EXACTLY is the best way to protect against the Michelangelo
virus?  I have SCAN and CLEAN and I also use PCTOOLS Virus Protect but
I am still concerned.  What are the steps to be taken to prevent this
virus (and others)?

Thanks!

Chris Miller
Pacific Lutheran University
Bitnet: MILLER_C@PLU.bitnet

------------------------------

Date:    Fri, 28 Feb 92 19:44:04 +0200
From:    Segal Livian
Subject: ircop!Help! (PC)

Hello!

1. I had a diskette infected by the Aircop virus for a long time, and I
   didn't know about it (I don't have a HD so I don't care very much
   about viruses), and now every time the drive reads this diskette I
   get a message "Divide overflow" or "Divide error" (I don't remember
   exactly).  I can't do ANYTHING with that diskette, because the drive
   can't read the disk.  Maybe somebody knows what the problem is, and
   how I can save the disk (maybe with another PC?).
2. Can anybody recommend me a very, very good and powerful anti-virus
   which doesn't cost too much?
3. What can be done with a HD with virus/es on it?  To throw it away?

Thanx a lot, all
Livian

------------------------------

Date:    Fri, 28 Feb 92 13:13:25 -0500
From:    James_Williams%ESS%NIAID@nih3plus.BITNET
Subject: Drug Rehab - Stoned (PC)

An office which I do some computer support for has a batch of
computers infected with Stoned.  These are Northgate 286s.  Someone
found Stoned on the computers using McAfee.
They ran CLEAN, and now can only access select files on the computer.
They are going to reformat the HD and reload everything.

My question is this:  I'm probably going to be asked to get Stoned off
the remaining computers.  What is the best way to do this?  Any
thoughts would be appreciated.

--------------------------------------------
| James Williams                           |
| Bitnet:   JWW%ESS%NIAID@NIH3PLUS.BITNET  |
| Internet: JWW@ESS.NIAID.PC.NIAID.NIH.GOV |
| CompuServ: 70304,2462                    |
--------------------------------------------

------------------------------

Date:    Fri, 28 Feb 92 13:08:55 -0500
From:    JOHNSON@tarleton.edu
Subject: Print screen virus? (PC)

We have found a previously unknown virus in our computer lab called
"Print Screen 2".  We are using FPROT202.  Can anyone tell me about
this virus?

********************************************************************
DANNY JOHNSON, COMPUTER SYSTEMS MANAGER, TARLETON STATE UNIVERSITY,*
STEPHENVILLE, TEXAS.                                               *
********************************************************************

------------------------------

Date:    28 Feb 92 19:17:23 +0000
From:    jaapv@accucx.cc.ruu.nl (Jaap Verhage)
Subject: Re: F-prot and non-executable files (PC)

IQUILD92@IRLEARN.UCD.IE (Ivan Quill) writes:

>Hello,
>We were using F-prot here and we noticed that it doesn't scan non
>executable files.  This raises the question, can a virus hide in a
>text file, and then transfer itself elsewhere?  We have no reason to
>believe that this is happening, just curious.

You can instruct F-Prot to scan *all* files, if you want to.  Choose
Scan, hit , and see.

--
Regards, Jaap.
Jaap Verhage, Academic Computer Centre, State University at Utrecht, Holland.
jaapv@accucx.cc.ruu.nl   +<-*|*->+   I claim *every*thing and speak for myself

------------------------------

Date:    28 Feb 92 16:49:07 +0000
From:    jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD)
Subject: Re: New virus?????
(PC)

jaflrn!jaf@uunet.UU.NET (Jon Freivald) writes:

: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
:
: > diaz@leland.stanford.edu (Kathy Diaz) writes:
: >
: > > I have a question it seems that I have come across some sort of virus.
: > > My Dos Machine has in every directory a file called aux.  It seems also
: >
: > I don't know how exactly have you managed to "find" this "file".  On
: > the previous DOS versions it usually appeared when you execute
: > Norton's FileFind and look for aux*.*.  Unfortunately, I'm using MS-DOS
: > 5.0 right now, so I can't confirm this.
: >
: I'm also running MS-DOS 5.0 -- if I do a "dir aux" (or com1, com2, prn,
: lpt1, etc) I see a 112 byte file no matter what directory I'm in.  Yes,
: these are just the reserved names showing up, but you can see them
: indeed!

I find this thread a little confusing.  I also am running MS-DOS 5.00
and when I do "dir aux" or "dir aux*.*" I get told "File not found".

This whole thing indicates that some people have this bogus aux file
and others don't.  Now I'm really curious about it.  Why do Jon and
Kathy have a plethora of "aux" files, while Vesselin and I do not?
And at least three of us are running MS-DOS 5.0, so I doubt it is DOS
itself causing this.  Perhaps running different smartdrv.sys?  DOS
comes with one, but WINDOWS 3.0 replaces it with another one.  I am
using the WINDOWS one.

Jesse Chisholm           | Disclaimer: My opinions are rarely understood, let
jesse@altos86.altos.com  | tel: 1-408-432-6200 | alone held, by this company.
jesse@gumby.altos.com    | fax: 1-408-435-8517 |-----------------------------
======== This company has officially disavowed all knowledge of my opinions.
--
"I woke up one morning on the old Chisholm Trail;
 A rope in my hand and a cow by the tail.
 Come a ti-yi-yippy-yippy-ay yippy-ay.
 Come a ti-yi-yippy-yippy-ay."
                      -- from an old song, "The Chisholm Trail"

------------------------------

Date:    28 Feb 92 16:08:45 -0500
From:    "David.M.Chess"
Subject: Re: Surviving warm reboot (PC)

>From: paraska@oasys.dt.navy.mil (Peter Paraska)
>
>Won't a system reset which goes through the POST overwrite all the
>memory during the testing?  Wouldn't this eradicate the virus from
>memory.  I'm referring to hitting the "RESET" button.

That depends on just what your "RESET" button does; vanilla IBM PC's
and PS/2's don't have such a thing (last time I looked!).  If it
really causes a COLD boot (and I imagine many/most of them do), that
should indeed clear memory just like a power-cycle does (and with less
stress on the components!).  If you're incredibly paranoid (as I tend
to be, I admit), a cold boot is still somewhat nicer, as it forcibly
resets all the adapter cards and stuff on the bus as well; this
doesn't matter for any current virus that I can think of, but
someday...

--
David M. Chess                     mI' jIHbe' jay'!
High Integrity Computing Lab       loD tlhab jIH!
IBM Watson Research                -- qama''e'

------------------------------

Date:    28 Feb 92 23:06:26 +0000
From:    dfh@dwx3bs.att.com (D442-D. F. Haertig (Dave) x3040)
Subject: McAfee SCAN or VSHIELD pickup Michelangelo? (PC)

A quick question on the virus-du-jour "Michelangelo".  Will either of
the following McAfee products pick it up?

   SCAN 7.9V84   -or-   VSHIELD 3.9B80

These are the two products that our in-house PC support group uses.  I
think they install VSHIELD on all new PCs before delivering them to
the users (we must have a site license).  But other than knowing that
VSHIELD is on my PC and is invoked out of my autoexec.bat, I don't
know exactly what these products are supposed to do or what they're
supposed to protect against.  VSHIELD appears to be a TSR, but does it
detect currently infected disks, or just prevent future infections
*after* it is installed?
SCAN looks like it scans every file on my disk, but is the version I
have current enough to pick up the latest viruses?

As you can tell, I'm pretty "virus ignorant".  I've pretty much
ignored the various virus scares since I don't use BBS's or shareware.
The PC group says run these programs, so I run them like a good little
engineer.  However, my PC now accesses a PC network in our plant and I
heard that Michelangelo has been found on a few PCs at our work
location ...

Thanks,
Dave Haertig
dwx3bs.att.com

------------------------------

Date:    Fri, 28 Feb 92 22:55:02 +0000
From:    kondor@ee.ualberta.ca (Ran Kondor)
Subject: Disabling boot from floppy? (PC)

I have often wondered, is it possible to disable the drive capable of
booting from a floppy?  If this is done, much heartache can be spared
as most viruses, that I have seen, rely on a boot to load up to
memory.  This would be used to help those who, much to their dismay,
find out, only too late, that they have booted with a floppy in drive
A.  They would now be at the mercy of a possible virus.

My question is this:  Is it possible to disable a boot from a floppy
and then enable it upon demand?  Could it be done by just executing
some batch or .EXE file?  This should take care of the Michelangelo
virus!

Ran

------------------------------

Date:    Fri, 28 Feb 92 00:04:00 -0700
From:    Jeff Cox
Subject: Re: bulk eraser

"frank@evax2.engr.arizona.edu"@Arizona.edu writes:

>>bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>>
>>>washer@sequent.com (Jim Washer) writes:
>>>
>>> I am now the proud and happy owner of an infected 3.5" 1.44Mb floppy.
>>> Should I immediately burn it in a large bonfire, or will re-formatting
>>> exorcise it adequately.
>>
>>Formatting should be enough - if you don't have a virus in memory.
>>Otherwise you'll destroy everything... except the virus. :-)
>
> Does anybody know if a bulk tape eraser would be practical for erasing
> floppies?
> If so, it would be the ideal solution for quandaries like
> this one.

I have on occasion used a bulk eraser and then (re)formatted both 3.5
and 5.25 floppies.  Sometimes I even have noticed that "lost" or bad
data blocks are "found" and usable.

------------------------------

Date:    Fri, 28 Feb 92 13:40:06 +0000
From:    "Christopher J. Wells"
Subject: Virus-L on a CD-ROM?

Hi netlanders!

Just wondering, does there exist a CD-ROM with the Virus-L digests on,
and if not, are there any plans to do so?  Virus-L is an ideal source
to track the spread of virii, and it seems a pity to have to keep on
requesting the articles from ftp sites.

Many thanks,

Chris

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 49]
*****************************************
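Added example, placed after the digest so as not to interrupt any poster's message: a small file-integrity checker in Python that illustrates the modification-detection approach Y. Radai discusses in the "Which Package is Best?" thread above. It is not the code of Integrity Master, Untouchable or any other product named in the digest. It baselines SHA-256 digests of executable files under a directory, saves the baseline to a JSON file, and later reports files that were added, removed or changed. The demo scenario, its file names (CMD.COM, EDIT.EXE, NEW.COM, INTEGRITY.DB) and their contents are constructed; the set of tracked suffixes is an assumption. The demo also reproduces Radai's caveat: a file that was already infected when the baseline was taken is never flagged, but the same virus spreading to other files is.

```python
# Added example: a minimal file-integrity (modification-detection) checker
# in the style of the generic checkers discussed in the thread.  Not the
# code of Integrity Master or Untouchable; all names and sample data here
# are constructed for the demonstration.
import hashlib
import json
import os
import tempfile

# Assumption: which files count as "executable" and are therefore tracked.
EXECUTABLE_SUFFIXES = (".com", ".exe", ".sys", ".ovl")


def digest_file(path):
    """SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=EXECUTABLE_SUFFIXES):
    """Map of relative path -> digest for every tracked file under root."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                baseline[rel] = digest_file(path)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; keep this where the checked system cannot rewrite it."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check(root, baseline, suffixes=EXECUTABLE_SUFFIXES):
    """Compare the tree under root against a saved baseline.

    Returns sorted lists of tracked files that appeared, disappeared, or
    whose contents changed.  A changed executable that nobody legitimately
    updated is the footprint a file-infecting virus leaves behind.
    """
    current = build_baseline(root, suffixes)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario.  CMD.COM is taken to be *already* infected by an
    unknown virus when the baseline is made; the checker has no way to know.
    Later the virus appends itself to EDIT.EXE and drops NEW.COM.  The report
    flags the spread (EDIT.EXE, NEW.COM) while CMD.COM stays silent, which is
    the trade-off Radai describes."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "DOS"))
        samples = {  # constructed sample "programs"
            "CMD.COM": b"MZ\x90\x00 shell code <already infected, unknown virus>",
            "DOS/EDIT.EXE": b"MZ\x90\x00 editor code",
            "DOS/README.TXT": b"plain text, not tracked",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)

        # Baseline taken (ideally right after a clean boot) and stored.
        db = os.path.join(root, "INTEGRITY.DB")
        save_baseline(build_baseline(root), db)

        # Time passes: the virus infects EDIT.EXE by appending to it ...
        with open(os.path.join(root, "DOS", "EDIT.EXE"), "ab") as f:
            f.write(b" <viral appendage>")
        # ... and drops a new program.
        with open(os.path.join(root, "NEW.COM"), "wb") as f:
            f.write(b"dropped program")

        return check(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The checker only sees what the operating system hands it, which is the point behind the thread's repeated advice to boot from a clean floppy: take the baseline and run the checks from a clean boot, and keep the baseline file somewhere the checked system cannot rewrite it, otherwise a memory-resident virus or a tampered baseline can make an infected tree look unchanged.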