From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #63 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Monday, 16 Mar 1992 Volume 5 : Issue 63 Today's Topics: Re: a question re PKLITE and LZEXE (PC) Re: Michaelangelo and Stoned (PC) DOS version Backward incompatibility (PC) 5.0's FDISK /MBR on lower versions (PC) Re: Which Package is Best? (PC) Re: Measuring Michelangelo (PC) Re: F-prot and non-executable files (PC) Disk Compression (PC) (maybe Mac) Michelangello effects around the world (PC) Probably bogus warning & virus reporting (PC) Has anyone seen this before? (PC) The cost of Michelangelo (PC) Re: recover from michelangelo? (PC) Re: Frodo (PC) Re: Frodo (PC) Re: Need info on No-Int (Stoned) virus (PC) New files on Risc (PC) Is F-PROT on CompuServe? (PC) Virus Signatures and other research data? Michelangelo Virus Hysteria Syndrome (humor) (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 09 Mar 92 14:54:21 -0500 From: Otto Stolz Subject: Re: a question re PKLITE and LZEXE (PC) On Wed, 04 Mar 92 19:40:00 +0000 Nick Hilliard said: > There are two ways in which a file compressed with PKLITE or LZEXE (or > other file compression programs) can be infected. > ... > Finally, if the file was infected both before and after compression, > then it is necessary to disinfect it, decompress it, and then disinfect > the decompressed file. I think, this part of Nick's recent contribution should go into the FAQ file. Thank you, Nick, for this concise and lucid explanation! However, the question Nick had responded to was unintelligible to me. Could some- one please supply a suitable question for this answer? (As the answer is not "42", a question should be derivable with little effort :-) > I don't think, though, that any of the major virus disinfectors will > disinfect compressed files yet (Frisk, Aryeh - there's a nice job for > you ;-) I don't think, though, that disinfecting program-files is such a good idea, after all. There are too many things that can go wrong (remember Murphy's law?). It is always safer (and easy enough) to re-install clean copies from the original, write-protected distribution-disks -- and everybody has such disks for all software he/she is using, or, at least, they are supposed to having those disks... Still, I do think that it is a good idea for a virus-scanner to scan also for internal infections in self-extracting compressed program-files, as these are perfectly capable of replicating, and of delivering their pay- load (if any) -- and, in many instances, the user cannot unpack those files on his/her own (e.g. because they were already packed before they were distributed to him/her). Hence, I am glad that F-PROT 2.03 will be able to scan into some sorts of packed files (if I'm not mistaken), and I hope that Frisk will cover even more packing schemes in future releases. As I have explained, on 11 July 91, 09:43:29 +0200 (MESZ), it is not enough to scan both for external and internal infections; rather, a good virus scanner should be prepared for multiple layers of packing and con- sequently check for multiple layers of internal infections. Good luck, Otto Stolz ------------------------------ Date: Mon, 09 Mar 92 15:28:56 -0500 From: Otto Stolz Subject: Re: Michaelangelo and Stoned (PC) On Tue, 03 Mar 92 10:23 -0500 Brian Seborg said: > ... Now imagine the following scenario, the Stoned virus infects > a hard drive placing a copy of the clean MBR in sector 7 and its own > code in sector 0. Next, this same machine becomes infected with the > Michaelangelo, it places what it believes to be the clean MBR in > sector 7, and its own code in sector 0. What has now happened is that > Michaelangelo has taken the Stoned virus code and placed it in sector > 7, effectively overwriting the clean MBR code which Stoned had > previously stored there. Now, ... How could this machine be booted after such double infection, at all? > ... copy whatever is in sector 7 to sector 0. In this case this > copies the Stoned virus code back into sector 0. I then rescan and > find I now have removed the Michaelangelo virus, but now have the > Stoned virus. So I repeat the procedure. ... So you can see, virus > software packages which use this technique have some real problems > when it comes to multiple infections of boot sector viruses using the > same tricks. Or, put it in other words: the disinfector simply has revealed that this machine had lost its viable MBR long before... Best regards, Otto Stolz ------------------------------ Date: Mon, 09 Mar 92 18:26:29 +0000 From: lunde@casbah.acns.nwu.edu (Albert Lunde) Subject: DOS version Backward incompatibility (PC) While dealing with distribution of anti-virus software on our campus, we have run into questions of incompatabilties between DOS versions. We initially gave out bootable disks formatted with /S under DOS 5. (To remove viruses in general, one wants to boot from a clean system.) There are clearly some systems that this is incompatable with. I am trying to find informed opinion on the limits of this problem. The most sweeping assertion I've found is that writing to a hard disk formatted with a version of DOS before 4.0 while booted from DOS 5 will damage the disk because of changes in the FAT format. Other possibilities are that this only applies to: 1 - Disks larger than 32M 2 - Disks with partitions larger than 32M (created with OEM dos versions and disk managers) If we want to approach this problem by distributing bootable disks multiple DOS versions: 1 - how many versions do we need? (I know having everyone bring in a disk formatted with their DOS version would be one approach, but I'm looking for a middle ground.) 2 - Is there disk duplicating software that could take a file on a hard disk and write bootable DOS disks for a different DOS version, assuming we had previously given in a master copy? At the moment we are using .BAT files with a FORMAT/S, but this only works to produce bootable disks for one version of DOS. Other suggestions? - -- Albert Lunde Albert-Lunde@nwu.edu alunde@nuacvm.bitnet ------------------------------ Date: Mon, 09 Mar 92 12:42:00 -0500 From: CALANA95@SNYBUFVA.CS.SNYBUF.EDU Subject: 5.0's FDISK /MBR on lower versions (PC) I have a question concerning the use of MS-DOS 5.0's FDISK /MBR. Is it possible to use this feature on machines running lower versions of DOS? And, if it is, will it then designate the machine as a 5.0 machine? ADVthanxVANCE, mcc +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+ | Michael C. Calanan -- SUNY College at Buffalo, N.Y. | | Computer Information Systems | | VAX/PC Consultant/User Support | +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+ | Bitnet ID : CALANA95@SNYBUFVA - DECnet ID : SBUFVA::CALANA95 | | Internet ID : CALANA95@SNYBUFVA.CS.SNYBUF.EDU | +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+ ------------------------------ Date: 09 Mar 92 13:05:19 -0500 From: Wolfgang Stiller <72571.3352@CompuServe.COM> Subject: Re: Which Package is Best? (PC) Y. Radai writes: >The idea is this: When a quick check is requested, UT obeys only with >respect to 90% of the files; it randomly selects 10% of the files for >a full check anyway. Since the virus-writer can never know which >files will be full-checked on any given execution, he cannot take >advantage of the fact that the other 90% are not full-checked on that >execution. It's clear then that if 90% are not fully checked there IS a loss of ability to detect an infected file. Since you were comparing two products, my Integrity Master and Untouchable, it was vital to compare similar modes if you're going to make a speed comparison. You've got to compare apples with apples! *** When Integrity Master fully checks all files it is significantly *** faster according to your own benchmark! Please let's compare like modes of operation where possible. >What I said was that *for all practical purposes* there is no loss of >security. Some people might feel uneasy about waiting an average of >10 executions of UT in order for a given file to be full-checked, so >the full check exists for them. But in practice this is not something >that the average user need be worried about. I think that a 10% check is totally unacceptable. Keep in mind that both IM and UT often are used to detect other causes of file and sector corruption. Also 10 executions would NOT quarantee that all files were checked (nor would 100 executions)! This mode is of limited use and certainly was not a fair basis for comparison with Integrity Master's full check mode. Every last byte of every file is checked! >VB>And don't forget that the generic disinfection will simply not work, >VB>if the file has been previously infected. > YR> Of course. I'm glad to that you admit the deficiency of genreric detection in at least this instance. >VB> The important is to compare the checksum >VB>checking speed. I understand that UT is fater than IM in this case. Am >VB>I right? > >That's what my test showed if one uses UT's quick check: >>> IM 1:59 >>> UT quick check 1:09 >I didn't notice that IM had a quick check (as Wolfgang writes). > You didn't answer Vesselin's question and you ommitted part of the statistics you posted before. The stats showed how long UT required in full check mode. When you compare UT and IM in full check modes IM is :28 faster. A significant improvement since it means that people will check their system more frequently if the product is faster. >WS>Since you quote the Virus Bulletin's report, let me do so also. > ..... >WS> In tests UT was found to be unaware of stealth viruses and reported >WS> no changes to files when Tequila, Haifa, 4K and a host of other >WS> stealth viruses were memory-resident." > ..... >WS> Integrity Master will detect these viruses if >WS>resident in memory or on disk. (I know, I know -- they should cold >WS>boot from a known good copy of DOS on diskette, but the fact remains >WS>that many users won't do this) > >First, I can't help mentioning that I saw the *draft* version of the >review (by Mark Hamilton) of Untouchable which appeared in the VB, and >I must say I have never seen so many errors and confusion in a product >review. In particular, he had a preconceived impression that UT could >not detect stealth viruses because he completely ignored UT's "safe >test". To his credit, Mark was open to corrections (much more than I >can say for the VB's most frequent evaluator, Keith Jackson), and in >the final review he corrected about 90% of the errors Who cares how many errors were in the draft review? What matters is that they were correct. I certainly wasn't quoting from the draft review but from the published version. >I haven't seen the claim that it can disinfect *any* virus. If that's >what the ads say, then I am against them just as strongly as you are. I'm glad we agree on this point. Please check their full page display advertisements in the major PC publications. >What I have found *so far* is that it fails on viruses which overwrite >code (understandably) and on those which overwrite stack space (not so >understandably, but this will be corrected in the next version). How will this be done? Do they plan to save even more than the 40 bytes they copy from the front of the file? It seems the only way they could do this would be to backup the entire file. Regards , Wolfgang Stiller Stiller Research 2625 Ridgeway St. Tallahassee, FL 32310 USA ------------------------------ Date: 10 Mar 92 15:04:05 +0000 From: jmann@vineland.pubs.stratus.com (Jim Mann) Subject: Re: Measuring Michelangelo (PC) WHMurray@DOCKMASTER.NCSC.MIL writes: > > Unfortunately, we have not stamped out viruses. We will have such an > opportunity again. I suggest that the next time we have the public's > attention, we focus on diskettes. It is diskettes that hold the > majority > of the copies of viruses and it is on dikettes that they are most > persistent. I agree. However, I'm not sure that there will be a "next time we have the public's attention." Most of the TV and radio stations I've listened to have played up the Michelangelo scare as "the boy who cried wolf." I have a feeling people aren't going to listen next time. - -- Jim Mann jmann@vineland.pubs.stratus.com Stratus Computer ------------------------------ Date: 08 Mar 92 13:00:32 +0000 From: John.Hamm@kcufgat.fidonet.org (John Hamm) Subject: Re: F-prot and non-executable files (PC) In regards to your question, "Can viruses hide in non-executeable files...such as .txt?" Appears so - ANSI files could recode keypress to do something else such as 'format.' Seems to me Phil Katz has a program out to detect changing of function key assignments. - --- * Origin: The Carnegie Hall (913)832-1011 14.4k HST/DS/V32b (1:280/106) ------------------------------ Date: Tue, 10 Mar 92 10:28:46 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Disk Compression (PC) (maybe Mac) Recently there have been a number of questions on the net about disk compression and scanners. To explain we first must make a distinction between the two types: 1) File compression - this refers to the compression of individual programs using techniques such as LZEXE and PKZIP. In the former, the decompression is attached to the program so that on execution, the file is first decompressed, then executed. With the latter, programs are first unZIPped and then used. 2) Disk Compression - the technique of applying compression to an entire disk or partition. In this case all programs on the disk/partition are archived into a single file (usually hidden) that generally will occupy nearly the entire disk/partition. When a program is requested, a special device driver that captures such calls searches its archive, locates the requested file, decompresses the file, and presents it to DOS. Since DOS does not care where the program comes from, everything is happy (why Networks look to DOS like still more disks). In recent months major improvements have been made to what appear to be the two market leaders (Stak Electronics "Stacker" and Addstor Inc. "SuperStor" so that there is very little performance differential between them and bare DOS. One major caveat: since these utilities have their own internal structures, anything that corrupts these (as some viruses will) may result in the entire partition becoming unreadable, much like a corrupt ZIP file - all of the data may still be there but you will not be able to get to it. On the plus side, compression houses are rapidly developing utilities that can defragment (vveerryy ssllooww - takes me an hour per week per drive) and repair such problems. IMHO it will be these secondary "pluses" that will make or break compression products. Meanwhile a persistant question on Virus-L has been one of the effectiveness of virus scanners on compressed partitions. The correct answer is that they work as well on a compressed partition as they do with an uncompressed one. Since the files are all presented to DOS in decompressed form, to the Scanner operating above DOS, there is no difference between a compressed partition and a normal one. (Have tried Novi, IBM Viruscan, McAfee Scan, F-Prot, Enigmal-Logic Virus-Safe, Virus-Buster, CPAV, Xtree, & Dr. Solomon's - chosen because I *had* them - - without any problems though have not tried to disinfect any files). Further, they are fully compatable with BIOS level anti-virus programs as well since to the BIOS, the compressed partition simply looks like a very large data file. In fact, the only potential problem might be with an anti-virus program that tried to replace DOS calls for disk access with its own (do not know of any that do but some access control programs might). In this case success/failure would depend on what it tried to do. (have been running SuperStor for some time & my BIOS programs have proven compatable. Do not have Stacker in my den closet so haven't tried it). IMHO existing anti-virus programs and scanners seem to be fully compatable with disk compression techniques and work both better and faster than with individual compressed files. The major virus danger at the moment would be from those that "lie" to DOS (4096, Dir-II) since their infection methods may be totally incompatable with the compression structure (haven't tried it myself - we NEED a National Laboratory). Warmly, Padgett usual disclaimers apply ------------------------------ Date: Mon, 09 Mar 92 19:56:43 -0700 From: rbravo@dcfcen.edu.ar (Ricardo Bravo) Subject: Michelangello effects around the world (PC) Hello fellows, we are preparing an article on the effects due to last March 6th. "wake up" of Michelangelo. We are interested in learning about which countries were attacked, and the reach of the loses made by this virus, specially the economic loses. Please, any information please tell us at gisvi@zorzal.edu.ar Thanks a lot, Fabian Garcia Grupo de Investigacion en Seguridad y Virus Informatico gisvi@zorzal.edu.ar ------------------------------ Date: 10 Mar 92 18:44:32 +0000 From: spaf@cs.purdue.edu (Gene Spafford) Subject: Probably bogus warning & virus reporting (PC) March 3rd, Roy Lurie posted a warning to this newsgroup stating that the disks distributed with the book "Neural Networks and Fuzzy Systems" by Bart Kosko, published by Prentice-Hall, contained the Michelangelo virus. I asked Marcia Horton, the chief editor of Prentice-Hall computer books, to comment on this report. She said that Prentice-Hall runs virus check software on their disks when they are made. They also pulled some random samples of the Kosko book from the warehouse and checked them. None were contaminated with any virus, including Michelangelo. This is not to say that Mr. Lurie did not get the Michelangelo, nor is to say that he did not find the virus on those disks. However, it is possible that he got the virus some other way and accidentally infected his disks before he did the check; there are many other possible scenerios, too. I've known Marcia and other people at Prentice-Hall for some time, and believe what she says, so I am fairly confident that they didn't find the virus on their disks as implied in the posted warning. The reason for my post? Well, on March 6th, I was speaking with Marcia, in person, about the virus (at the ACM annual conference). I also talked with some other publishers who ship diskettes with their textbooks. They are all very aware of the dangers of viruses and do what they can to check for them. They will respond to any complaint about what is on the disk. However, they (like any other firm) do not like to be accused of something that isn't true. Causing a panic among their customers is not a nice thing to do. A problem with any such warnings is that they get passed on from person to person and bbs to bbs, and they get changed along the way. For months or years to come, people will be posting and reposting warnings about how discs from publisher X have virus Y in place, and how it has wiped out hundreds of disks. It is a way to start urban legends, really. This just adds to virus hysteria, and in this case, needlessly. I would suggest that before anyone come to this or any other forum with a virus report, they do the following: 1) be very sure of the source of their copy of the virus 2) contact the suspected vendor FIRST for their comment 3) give the vendor the opportunity to post the warning, first 4) don't post any warnings without some verification Yes, many virus distributed by some vendors have been distributed with Michelangelo in place. Yes, PH could have done the same (but claim to not have done so). Yes, other vendors may do the same in the future. But please do them the courtesy of checking with them first before crying "Wolf," and give them the opportunity of checking and responding. Try to keep viruses from claiming more indirect victims, please. I know if I were Bart Kosko, I would be *very* unhappy about having my book mentioned like this.... - -- Gene Spafford Software Engineering Research Center & Dept. of Computer Sciences Purdue University, W. Lafayette IN 47907-1398 Internet: spaf@cs.purdue.edu phone: (317) 494-7825 ------------------------------ Date: Tue, 10 Mar 92 10:09:00 -0500 From: "IS OBAIR-LA\\ TO\\ISEACHADH" Subject: Has anyone seen this before? (PC) Does anyone know of a PC virus that (a)clobbers files on a hard drive and (b)displays the message "I'm hungry. Feed me." Unfortunately I can't be any more specific than this. These are symptoms that were reported to me by my brother who lives in Dallas (@1000 miles away from here), so I have not actually seen this. Any info y'all could give would be appreciated (whether this is a known virus, what it is, how it works, what kind of damage it does, how to get rid of it, how to undo any damage it causes, etc.) Please respond by e-mail as I don't have the time to read this group very often. Thanks in advance. John Fiskio-Lasseter ------------------------------ Date: 10 Mar 92 09:58:20 -0500 From: "David.M.Chess" Subject: The cost of Michelangelo (PC) >From: cpbeaure@descartes.waterloo.edu (Chris Beauregard) > >Second, somehwat related question. If this relatively stupid virus >can spread this much this fast, how is it the average super-stealth >virus, many times smarter, doesn't? Is it a fluke, (dumb question -of >course not) or what? Actually, it *is* a fluke in some sense. How well a virus spreads seems to have very little to do with any qualities of the virus. As long as a virus has a certain minimum "competence" (which seems to include being resident, not doing anything like printing a message *too* often, and having no more than one or two really serious bugs), how widespread it will become seems to depend on random factors not associated with the virus code itself. "Stealthing" and other snazzy-sounding things, in particular, seem to have no impact at all; this makes sense, I think, since "stealth" viruses are just as easy to detect in general as non-stealth, once you know what you're looking for. (Also, "stealth" viruses are not easy to write, and therefore tend to be buggier, and perhaps -less- likely to prosper!) It would be interesting to know what event caused the Michelangelo to become widespread in the population, when other basically-equivalent viruses (the Swedish Disaster, the "Sanded" text-variant of the Stoned, and so on) are extremely rare. We're unlikely ever to find out, though. DC P.S. I've claimed this on VIRUS-L before, and at least one person held that I was wrong, and that "higher tech" viruses were not common simply because they hadn't been around long enough. We concluded that only time would give us enough evidence; I would point to the Michelangelo, a young and stupid virus that nevertheless got widespread, as a datapoint supporting my side of the question... ------------------------------ Date: Tue, 10 Mar 92 17:25:27 +0200 From: Tapio Keih{nen Subject: Re: recover from michelangelo? (PC) C.Zahn write: >a friend of mine has lost his hard disk this morning. He thinks it was >the michelangelo virus and asked me, whether its possible, to get some >of his data back. What data destroys michelangelo? Does it overwrite >the FAT, the partition table, the files or all sectors? It is practically impossible to get any data back from disk destroyed by Michelangelo. Upon activation, Michelangelo overwrites the beginning of the hard disk (it depends on the hard disk how long part of it is overwritten; usually it is about 11Mb) with garbage it gets from some certain location from memory. - -- Tapio Keihanen / Mesiheinank 2B6 / 33340 Tampere / Finland - -=-=-=-=-=-=-=-=-=-=-=-= /---\ /---/ / /\ -=-=-=-=-=-= I WANT TO BUY YOUR RARE =|| | =|| | =| | RECORDINGS! - -=-tapio@nic.funet.fi-=- /---/ /---\ \/_/ =-=-=-=-=-=- ------------------------------ Date: Tue, 10 Mar 92 17:50:39 +0200 From: Tapio Keih{nen Subject: Re: Frodo (PC) >Although I rarely believe the people on the news today, I just heard a >supposed expert say that on Sept. 21 a virus called Frodo would hit. >No big deal, but he also said that It could not be detected by virus >scanners. period. Any truth to these claims? Yes, Frodo / 4096 virus will activate on September 21st. It can be well detected by all common scanners (Scan, F-Prot, VIRx, TbScan etc.) if the system is booted from clean floppy. If there virus is resident in memory, it can't be detected in files (=stealth virus, a virus which prevents the user from seeing the virus code in infected files; it can also remove itself from file every time when the file is loaded (Frodo does just this)). It can be detected in memory, though. Frodo tries to place a new boot sector over the original on Sept. 21st but the code which should place the boot sector is garbled in all seen variants of this virus. Frodo will only hang the computer when it tries to do this. - -- Tapio Keihanen / Mesiheinank 2B6 / 33340 Tampere / Finland - -=-=-=-=-=-=-=-=-=-=-=-= /---\ /---/ / /\ -=-=-=-=-=-= I WANT TO BUY YOUR RARE =|| | =|| | =| | RECORDINGS! - -=-tapio@nic.funet.fi-=- /---/ /---\ \/_/ =-=-=-=-=-=- ------------------------------ Date: Tue, 10 Mar 92 16:10:56 -0500 From: Otto Stolz Subject: Re: Frodo (PC) On 06 Mar 92 23:16:35 +0000 ARCHER, PHILLIP EDDINGS said: > Although I rarely believe the people on the news today, I just heard a > supposed expert say that on Sept. 21 a virus called Frodo would hit. Actually, it's September 22 (according to F-PROT's Virus Info) -- and "hit" does not mean what your supposed expert probably thinks: it does not do intentional harm to data. I've sent you a file with more (though, admittedly, incomplete) information about Frodo, this morning. Lest I be misunderstood: I do *not* say that this virus is harmless. Actually, no virus is ever harmless, as you cannot predict how it will behave in a new environment (perhaps an environment still to be invented), and you cannot predict into which environment a given virus will ever spread. Hence my advice: eradicate all copies of all viruses you encounter, no matter how harmless you consider them. And, having found a virus, search for additional copies of it on all disks that possibly were accessable to it, including all hard disks of all computers that were in contact with any disk found infected, and again all floppy disks that were in contact with any computer found infected, and again... > No big deal, but he also said that It could not be detected by virus > scanners. period. Never say "never" (nor "period")! If a virus has a name, then somebody has named it -- usually because he detected it in some way. And shortly (more or less :-) afterwards, the leading virus scanners will be able to detect it, as well. In the file I've sent you, there's a claim of 21. September 1990 that FINDVIRU (from Dr. Solomon's Toolkit), Scan (McAffee), and F-FCHCK (from Frisk's F-PROT, pre-2.0 Release) all were able to detect it. So, this apparently is an old hat, and you may calm down. Just run your favourite scanner and see to it that "Frodo does not live" any more :-) Good luck, Otto Stolz ------------------------------ Date: Tue, 10 Mar 92 17:55:47 +0200 From: Tapio Keih{nen Subject: Re: Need info on No-Int (Stoned) virus (PC) S.Steinberg writes: >I also found No-Int (with Stoned) on 15 out of 50 PCs. I'm not sure >about what it does. I pushed the date ahead to Fri. the 13th >(3/13/92) and nothing happened. No-Int doesn't do anything except spread. But, when I was testing virus scanners on the other day, I noticed that Scan 8.3B86 says that all my disks which are infected with different versions of No-Int and Stoned are all infected with No-Int (Stoned) virus. I'm sure that previous versions of Scan did make a difference between those viruses. F-Prot names those No-Ints and Stoneds just correctly. - -- Tapio Keihanen / Mesiheinank 2B6 / 33340 Tampere / Finland - -=-=-=-=-=-=-=-=-=-=-=-= /---\ /---/ / /\ -=-=-=-=-=-= I WANT TO BUY YOUR RARE =|| | =|| | =| | RECORDINGS! - -=-tapio@nic.funet.fi-=- /---/ /---\ \/_/ =-=-=-=-=-=- ------------------------------ Date: Tue, 10 Mar 92 10:07:58 -0600 From: James Ford Subject: New files on Risc (PC) The following files have been placed on risc.ua.edu (130.160.4.7) for anonymous ftp: /pub/ibm-antivirus/i-m111a.zip - Integrity Master v1.11a /pub/ibm-antivirus/vsumx202.zip - Virus Information Summary List - ---------- Don't wear earmuffs in a land of rattlesnakes. - ---------- James Ford - Consultant II, Seebeck Computer Center The University of Alabama (in Tuscaloosa, Alabama) jford@ua1vm.ua.edu, jford@seebeck.ua.edu Work (205)348-3968 fax (205)348-3993 ------------------------------ Date: 10 Mar 92 15:04:16 -0400 From: Subject: Is F-PROT on CompuServe? (PC) FROM: Don Robinson Yes. FPR202.ZIP in the IBMSYS forum, library 3. 253K, dated 2/92. ------------------------------ Date: Tue, 10 Mar 92 14:37:45 -0700 From: FORRESTC@CC.SNOW.EDU (Forrest W. Christian) Subject: Virus Signatures and other research data? I was wondering if anyone could tell me where I could get the following information. I would perfer an internet source. 1) A listing of Virus Signatures..... 2) Information on detecting and scanning for some of the stealth viruses, like those that return the original boot sector when the boot sector is read from the disk. 3) Any other information that would be helpful in writing a public domain virus detector. Thanks. INTERNET: Forrestc@cc.snow.edu BITNET : Forrestc%cc.snow.edu@usu ------------------------------ Date: Mon, 09 Mar 92 10:30:14 -0600 From: James Ford Subject: Michelangelo Virus Hysteria Syndrome (humor) (PC) This was taken from Nutworks... JF - ------------------------------------------------------------------------ MICHELANGELO VIRUS HYSTERIA SYNDROME Mass hysteria about a virus named "Michelangelo" has been spreading rapidly in MS-DOS-based personal computer users around the world. This scare is "triggered" each year slightly before March 6, Michelangelo's birthday. No one is immune... people ranging from university students to the staff of _Nightline_ have been affected. According to various psychologists, the Michelangelo Virus hysteria is spread though almost any media channel... written, electronic, oral, computer networks, or on-line services. Once a person is "infected", he will attempt to automatically spread the hysteria to every person he sees. The hysteria also corrupts base reasoning and logic, so loss of common sense is often a symptom. This is unfortunate, since the hysteria can be eliminated at any time with common sense. This means that ONCE ACTIVATED, the hysteria cannot be easily removed; the easiest thing to do is to let it dissipate naturally on March 7. There have been numerous known occurrences of this hysteria at the University of Pittsburgh's campus. This has been caused by saturated distribution of virus protection and detection software, and repeated and redundant email messages. We advise you NOT to attempt to trick people into believing that March 6 has already passed in order to avoid the hysteria. (Even though we tell you about 3 paragraphs later that we tried it anyway.) The Michelangelo virus hysteria displays pronounced symptoms, which makes it easy to detect. Some possible symptoms of this virus hysteria include, but are not limited to... 1. Running virus-checking runs 6,000 times (per disk.) 2. Sending repeated and redundant email messages. 3. Sending repeated and redundant email messages. 4. Sending repeated and redundant email messages. 5. Photocopying 50,000 flyers and distributing them in every possible location on campus. 6. Irrational fear/paranoia of or destructive behavior towards computers. (Pushing them off of rooftops, etc.) 7. Using typewriters. In addition, Dr. Ima Quak of the Bureau of Useless and Lame Laws advises that "we have determined that this hysteria seems to have an almost annual cycle to it. Perhaps this can help us in detecting it." Any person that is not infected and has common sense can also detect the Michelangelo Virus hysteria. SOLUTION There are many trained psychologists that can detect and/or remove the Michelangelo virus hysteria. However, these steps are usually not necessary. The following techniques have been used to combat the hysteria: 1. Vigorous shaking and/or slapping. 2. Large quantities of cold water (a fire hose, for example.) 3. Avoiding watching _Nightline_. 4. Accurate, brief, and non-redundant information. Rest assured that some steps *are* being taken to help prevent this hysteria. In fact, just yesterday University of Pittsburgh Chancellor J. Dennis O'Connor approved $82,000 to form a committee to appoint a committee to call a meeting to look into the matter. FOR MORE INFORMATION Watch for future bulletins. If you believe you might be infected with the Michelangelo virus hysteria, please slap yourself once or twice, and ask someone to hose you down with a fire hose. ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 63] *****************************************