From:	   Kenneth R. van Wyk (The Moderator) <krvw@CERT.SEI.CMU.EDU>
Errors-To: krvw@CERT.SEI.CMU.EDU
To:	   VIRUS-L@IBM1.CC.LEHIGH.EDU
Path:      cert.sei.cmu.edu!krvw
Subject:   VIRUS-L Digest V3 #95
Reply-To:  VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Tuesday, 15 May 1990    Volume 3 : Issue 95

Today's Topics:

Re: New anti-viral programs from McAfee
re: MAC Portable/SUM II nVIR Question (Mac)
New Virus (PC)? (Iss 82)
DOS viruses under OS/2 (PC)
Possible bug in CleanUp V62 (PC)
Bogus SCAN.EXE (PC)
CUCKOO'S EGG Review
Re: Morris Sentenced - Washington Post Article
Re: MAC Portable/SUM II nVIR Question (Mac)
Re: Virus attack? (PC)
new virus detection time (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

---------------------------------------------------------------------------

Date:    Mon, 14 May 90 01:32:04
From:    coerper@lognet2.af.mil (SSgt Elliott J. Coerper)
Subject: Re: New anti-viral programs from McAfee

I downloaded ACS Virus scan from simtel20 and by doing a
avs c:\ /a /e  I'm told I have the 12 Trick type B virus.
However, Scan does not show this, plus it also said this about
my brand new copy of PCTOOLS Version 6.0

My question, does AVS give false signals?  I find it hard to believe
Central Point would be distributing a virus.  It only appears in the
pc-cache.com, descktop.exe and hotkey.ovl.  However, every copy I
checked showed this type of virus.  For example, my masters to 5.5 and
6.0 showed this along with my back ups.

Help.

Elliott

------------------------------

Date:    Mon, 14 May 90 08:00:00 -0500
From:    O MH KATA MHXANHN <MCCARTHY@CUA.BITNET>
Subject: re: MAC Portable/SUM II nVIR Question (Mac)

It seems very likely that the system distribution disks, or something
else, was infected at some point. I have used a Macintosh portable
since January, and protected it with Virex, which detected neither
virus nor trojan horse under 6.0.4 or 6.0.5...the former system came
with the machine, the latter was downloaded from a BBS. Your friend
should update his system to 6.0.5, by the way, because it incorporates
a few important bug fixes, such as better control of the serial ports
after coming out of the sleep mode.

W. McCarthy
Washington, D.C.

------------------------------

Date:    Sun, 13 May 90 22:40:47 +0100
From:    Matthew Smith (C1) <msmith%maths-and-cs.dundee.ac.uk@NSFnet-Relay.AC.UK>
Subject: New Virus (PC)? (Iss 82)

This seems very similar to a program called PANIC.EXE which was included on
the WHAT PERSONAL COMPUTER Magazine disk (UK), issue for March 1990.  It is
included along with five other 'joke' programs.  The programs on this  disk
are indeed jokes, i.e. not viruses, their details are:
ALIENMES.EXE     30224    9-01-87     1:32p
APRIL.EXE         2890   14-03-87    10:16p
BUGRES.COM        5120   23-07-85     5:11p
FUNNYDOS.EXE      8704    2-04-87     8:18p
MONSTER.COM       2971    5-06-88     1:50p
PANIC.EXE        30224    9-01-87     1:32p

What Personal Computer Magazine (UK) can be contacted on
+44 71 251 6222  for those outside the UK
071 251 6222 for UK callers (Note the new London code!)

     +============================+==================================+
     |From: Matthew Smith         | Internet: msmith@mcs.dund.ac.uk  |
     |      MSoft UK              |       or  AP7601@pa.dund.ac.uk   |
     |                            |    JANET: msmith@uk.ac.dund.mcs  |
     |                            |       or  AP7601@uk.ac.dund.pa   |
     +----------------------------+----------------------------------+
     |Postal: MSoft, G/L, 272, Blackness Road,                       |
     |        Dundee, Tayside, Scotland, DD2 1RW.                    |
     +---------------------------------------------------------------+
     |MAT SMITH @ BABBS (Probably the best BBS in the world....)     |
     |            (+44 / 0) 394 276306  v22bis; SEARCHLIGHT software |
     +===============================================================+

------------------------------

Date:    Mon, 14 May 90 09:09:24 -0400
From:    <Kevin_Haney@NIHDCRT.BITNET>
Subject: DOS viruses under OS/2 (PC)

Here is a very important question which I have not yet seen answered
authoritatively:

Could any of the common DOS viruses (e.g., Jerusalem, Stoned) execute,
infect other programs or disks, and do their dirty work when run in the
DOS compatibility box of OS/2?  We will assume that IOPL=YES.  I
imagine separate consideration should be given to boot-sector viruses
and program-infecting viruses.  I do not want to be able to answer
this question from first-hand experience.

------------------------------

Date:    Mon, 14 May 90 16:58:59 +0300
From:    Guy Sirton <MLSIRTON@WEIZMANN.BITNET>
Subject: Possible bug in CleanUp V62 (PC)

Hello,

I have found two machines around here infected with the 4096 virus.  I
have used an older version of cleanup (V60) on one of the machines and
it seems to have gotten rid of the virus and left some of the files
corrupted.  On the other machine I have used CleanUp V62.  When
running SCAN, after a power off and on, there were still files which
scan claimed to be infected.  Another run of CleanUp simply corrupted
all these files.  Any explanation???

Guy

------------------------------

Date:    Mon, 14 May 90 22:10:05 +0300
From:    Yuval Tal <NYYUVAL@WEIZMANN.BITNET>
Subject: Bogus SCAN.EXE (PC)

A file called SCAN.ZIP has been uploaded to one of the BBSs here,
in Israel. I noticed that the file was very small (about 7K of ZIP)
and the description said that it can detect 103 viruses. I, of course,
downloaded this file and checked it right away. This program seems
to be identical to SCAN.EXE from first look except for two things:
1. The bogus SCAN was not written in C - its write_to_screen routine
is much faster than the real SCAN's one. 2. The screen is cleared
before the bogus SCAN.EXE activates itself. The bogus SCAN size is
28720 bytes long - much smaller than the original one. The version of
this bogus SCAN is 9.4V65. When you execute SCAN C: for instance, it
seems to work fine - It scans the memory (much faster than usual,
though - false check) and starts checking the files (also, much faster).
The reason for the quick files scan is that the files are actually
being replaced with a 14 bytes text file which contains the message:
"Next time...". Note that this file came as a stand alone file without
all the documentation and validation program. Also note that all
the messages from the real SCAN have been copied to the bogus SCAN. Just
from looking at the messages, you can't tell if it's a real SCAN or a
bogus one (you can always check the version number, though).

I do not think that this file will not leave Israel but I would like
to warn everyone, anyway.

-Yuval Tal (NYYUVAL@WEIZMANN.BITNET)

+--------------------------------------------------------------------------+
| BitNet:   NYYUVAL@WEIZMANN       Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL |
| InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU                        |
+----------------------+---------------------------------------------------+
| Yuval Tal            | Voice:   +972-8-474592  (In Israel: 08-474592)    |
| P.O Box 1462         | BBS:     +972-8-471026 * 20:00-7:00 * 1200 * N81  |
| Rehovot, Israel      | FidoNet: 2:403/143                                |
+----------------------+---------------------------------------------------+
|  "Always look on the bright side of life" *whistle*  -  Monty Python     |
+--------------------------------------------------------------------------+
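
[Added example, not part of the original post: a triage sweep built from the indicators reported above (a SCAN.EXE of 28720 bytes, and files replaced by a 14-byte text file containing "Next time..."). The function names, the sample tree and the assumption that the message is padded to 14 bytes by a line ending are illustrative; a size match on SCAN.EXE is only a lead to check, not proof.]

```python
import os
import tempfile

# Indicators reported in the post above.
BOGUS_SCAN_SIZE = 28720            # bytes, size of the bogus SCAN.EXE
OVERWRITE_SIZE = 14                # bytes, size of each replaced file
OVERWRITE_TEXT = b"Next time..."   # message left in each replaced file


def classify(path):
    """Return 'bogus-scan-size', 'overwritten' or None for one file."""
    try:
        size = os.path.getsize(path)
        if os.path.basename(path).upper() == "SCAN.EXE" and size == BOGUS_SCAN_SIZE:
            return "bogus-scan-size"
        if size != OVERWRITE_SIZE:
            return None
        with open(path, "rb") as fh:
            data = fh.read(OVERWRITE_SIZE)
    except OSError:
        return None  # unreadable file: nothing to report
    # Assumption: the 12-character message is padded to 14 bytes by a line ending.
    return "overwritten" if data.startswith(OVERWRITE_TEXT) else None


def sweep(root):
    """Walk root and return {relative path: finding} for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            finding = classify(full)
            if finding:
                hits[os.path.relpath(full, root)] = finding
    return hits


def demo():
    """Sweep a constructed sample tree (all file contents are made up)."""
    samples = {
        "SCAN.EXE": b"\x00" * BOGUS_SCAN_SIZE,   # stand-in with the reported size
        "EDIT.COM": OVERWRITE_TEXT + b"\r\n",    # looks like a replaced file
        "NOTES.TXT": b"fourteen bytes",          # 14 bytes but benign
        "GAME.EXE": b"MZ" + b"\x00" * 4000,      # ordinary program
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return sweep(root)
```

[Files flagged "overwritten" have lost their original contents and need restoring from a backup made before the bogus program was run.]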

------------------------------

Date:    Mon, 14 May 90 12:34:15 -0500
From:    Mark Parr <JPARR1@UA1VM.ua.edu>
Subject: CUCKOO'S EGG Review

A review of Stoll's THE CUCKOO'S EGG is available by sending the command

GET CUCKOO REVIEW to LISTSERV@BITNIC

----------
    Mark Parr

[Ed. Note that BITNIC is a BITNET node.  Those not on BITNET (e.g.,
Internet) may have to send the message to
LISTSERV%BITNIC.BITNET@IBM1.CC.LEHIGH.EDU (or some such - contact your
local Computing Center for more details if this doesn't work).]

------------------------------

Date:    Mon, 14 May 90 17:05:24 -0400
From:    Yary Richard Phillip Hluchan <yh0a+@andrew.cmu.edu>
Subject: Re: Morris Sentenced - Washington Post Article

Forget Morris, how about a negligence suit against the people who put
the trapdoors there in the first place?

------------------------------

Date:    15 May 90 00:42:24 +0000
From:    blob@apple.com (Brian Bechtel)
Subject: Re: MAC Portable/SUM II nVIR Question (Mac)

galsterm%tcj1.decnet@gw1.hanscom.af.mil (TCJ1::GALSTERM) writes:
> When he runs utilities from this package it reports that he has the nVIR
> virus in his system file(v6.0.4).

If SUM reports that he has nVIR on his machine, then he almost certainly 
has nVIR on his machine.  The Portable has no particular compatibility 
problems that would show up with SUM.

> Is this viral report due to a problem running the utilities on an
> unsupported processor, or were his system distribution disks infected?  
> He has had no 'outside' contact he is aware of.

I would strongly suspect that, like all other such cases so far, his 
system has had "outside" contact.  His system distribution disks, if they 
came with the Portable and were absolutely positively not used before, 
were not infected.  This is a big assumption; for instance, did his dealer 
do any setup on the machine?

Apple spends an enormous amount of time and effort to ensure that software 
distributed with our machines is not infected in any way.  The Portable 
Macintoshes that our group has received direct from the same distribution 
channels as end users have no infections.

You can get an upgrade to SUM II by calling Symantec.  The number is in 
the documentation accompanying SUM.

--Brian Bechtel     blob@apple.com     "My opinion, not Apple's"
  Advanced Technology Group

------------------------------

Date:    Tue, 15 May 90 06:15:27 -0700
From:    jhblank@ncrclm.Clemson.NCR.COM
Subject: Re: Virus attack? (PC)

It does not sound like a virus.  What is in your autoexec?  What type
of machine do you have?  Sounds more like a compatibility problem,
hardware bug, or software bug.  Personally I think that the virus
scare is a little overstated.  I am not ruling it out, but I really
don't think you are infected.

Try this:

Edit your autoexec.bat and turn ECHO on.  This way all of the commands
will show on the screen.  Each time your computer reboots itself, take
note of where in the autoexec it occurred.  If it is the same place
each time, then it is probably not a virus. 

------------------------------

Date:    Tue, 15 May 90 13:00:52 -0400
From:    Yary Richard Phillip Hluchan <yh0a+@andrew.cmu.edu>
Subject: new virus detection time (Mac)

How long does a virus have to be in the general population before it is
detected?  Does it have to reach a research center before it's noticed?

(Right now my backspace key doesn't work, my hard drive free space
fluctuates by two megs, sometimes my inits won't load on bootup, and the
computer will reboot without warning for no apparent reason... this
could be explained by indiscriminate use of ResEdit back in January)

I think I can explain all the above symptoms, and repair via a reformat
and download from backups.  But then, many Mac virus systems can be
explained as a "bad system file" or "memory resident program conflicts".

So, how long does a bug have to go around before it is detected?

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 95]
*****************************************
