From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V3 #173 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Friday, 19 Oct 1990 Volume 3 : Issue 173 Today's Topics: Cascade virus? (PC) "Common" viruses (PC) Regular McAfee posts.... Checking during Desktop Rebuild (Mac) Probably not a virus (Mac) Pascal Virus? Help!!! (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 18 Oct 90 12:00:08 -0700 From: warren@mdcbbs.com Subject: Cascade virus? (PC) All of the files in my comm directory deleted themselves in one fell swoop. I was able to unerase them and run the comm program again. This time beautiful graphics began scrolling by. It was geometric, scrolled upward, contained many different patterns, some of them looked like rockets. It continued for several minutes. I tried a soft reboot without success. A hard reboot worked. Everything seems OK. I ran Norton Utilities Sysinfo on the disk. I noticed one of the hardware interrupts is named [Cascade]. I seem to remember reading about a virus of this name. FYI, the interrupt looks like this: IRQ 02 0c28:0219 [Cascade] DOS System Area Do I have a bug? (I sure had something out of the ordinary!) Is there anything I can do to get rid of it without buying software? Thanks for your help, Connie ------------------------------ Date: 18 October,1990 From: Padgett Peterson Subject: "Common" viruses (PC) The following is a list of those viruses considered "common" as of September 1990 as extracted from Pamela Hoffman's VSUM9010. As may be seen, the list has now increased to 21 with the Stoned accounting for most of the sightings (subjective judgement) at present. In each case, the primary name is given first, followed by other names that the virus is known as (e.g. Jerusalem - 1813). I am surprised that the Brain & Ashar still make the "common" list. I would suggest that newcomers to Virus-L review available literature on these contageons prior to asking for a "dump" or reporting a "new" virus. 4096 aka Century Virus, FroDo, IDF Virus, Stealth Virus, 100 Years Virus AirCop Ashar aka Shoe_Virus, UIUC Virus Brain aka Pakistani, Pakistani Brain Cascade aka Fall, Falling Letters, 1701, 1704 Cascade-B aka Blackjack, 1704-B Dark Avenger aka Black Avenger, Eddie, Diana Den Zuk aka Search, Venezuelan Disk Killer aka Computer Ogre, Disk Ogre, Ogre Jerusalem aka PLO, Israeli, Friday 13th, Russian, 1813(COM), 1808(EXE) Jerusalem B aka Arab Star, Black Box, Black Window, Hebrew University Joshi aka Happy Birthday Joshi, Stealth Virus Korea aka LBC Boot Microbes Murphy aka Murphy-1, V1277, Stealth Virus Ohio Ping Pong-B aka Bouncing Ball Boot Stoned aka Hawaii, Marijuana, New Zealand, San Diego, Smithsonian, Stoned II aka Donald Duck Sunday Yankee Doodle aka TP44VIR, Five O'clock Virus ------------------------------ Date: Thu, 18 Oct 90 15:45:39 -0400 From: kenm@maccs.DCSS.McMaster.CA (...Jose) Subject: Regular McAfee posts.... Would some kind soul please post/e-mail the address of a reputable anonymous-ftp archive site which carries the latest releases of the McAfee virus software? I've heard that simtel20 (and mirrors, too then?) carry it, but, for the life of me, I couldn't find anything. Any info will be greatly appreciated.... ....Ken [Ed. Take a look in the VIRUS-L/comp.virus archives.] - ----------------------------------------------------------------------------- ".sig quotes are dippy"|Kenneth C. Moyle kenm@maccs.dcss.mcmaster.ca - Kenneth C. Moyle |Department of Biochemistry MOYLEK@MCMASTER.BITNET |McMaster University ...!uunet!mnetor!maccs!kenm ------------------------------ Date: Thu, 18 Oct 90 17:58:36 -0400 From: Joe McMahon Subject: Checking during Desktop Rebuild (Mac) John Costello asks about Virex's automatic checking when Norton Utilities is rebuilding the Desktop. Virex (and SAM, and other anti-WDEF programs) hook the OpenResFile trap and look for the Desktop file being opened (which, obviously, it is when it is being created). These programs can then look for "implied loader" viruses before the application has a chance to make a call that might wake them up - opening the Desktop adds the Desktop to the top of the current resource search order, where bogus, viral executable resources could override the desired ones. --- Joe M. ------------------------------ Date: Thu, 18 Oct 90 18:18:20 -0400 From: Joe McMahon Subject: Probably not a virus (Mac) Hi. Your problem sounds like a DA which does not clean up properly when closed, leaving a bad handle to a "menu" (now garbage) in the menu list. It may be bad, incompatible with the current system, or damaged. I have also seen applications do this. If you can, try to get together with your user and see if you can duplicate the error. You may also want to check the level of system she is running (some very old programs will fail spectacularly under new systems/ROMs, and some new programs will do likewise under old systems). Reinstalling the System and the DA's might also be useful. Getting a first-hand look at the problem should be your first priority. Also, if she uses other Macs, do they fail in the same way? Might be a bad application or system disk. Do other disks (formerly OK) start acting up after she has used them in her machine? If so, it may be a virus. --- Joe M. ------------------------------ Date: 18 Oct 90 22:37:08 +0000 From: pevans@lucy.claremont.edu Subject: Pascal Virus? Help!!! (PC) I have discovered a probable virus on my clone. Recently I obtained McAfee's Scan66 and placed CRC codes on my executables and my boot record and FAT. Today, McAfee's scan67 said that the boot record and boot sector had become corrupted, but did not name a virus. I then used scan without the /cv option and it found nothing. Then I tried scan with the /x option and it found nothing. Could Norton's speed disk utility or spinrite have altered the boot record and boot sector. I had a similar problem a month ago. My file slowly became crosslinked, yet scan found nothing. A segment of code approx. 912 bytes long became attached to all files with the .PAS extention. When I did a directory of my subdirectory with my pascal complier in it (Purchased from my book store), it displayed my root directory. Thus I had an infinite number of directories. I reformated my hard drive(high level) and reinstalled my software. Has anyone ever heard of "Dr. Pascal"? After reading Hoffmans virus list, I am thinking maybe some version of Anti-Pascal? Or maybe a new version of 4096? I am pulling my hair out. Let me know what you think? Has anyone suffered similar symptoms? Thanks, Paul Evans PEvans@HMC_VAX.claremont.edu ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 173] ******************************************