From: Kenneth R. van Wyk (The Moderator) Errors-To: krvw@CERT.SEI.CMU.EDU To: VIRUS-L@IBM1.CC.LEHIGH.EDU Path: cert.sei.cmu.edu!krvw Subject: VIRUS-L Digest V5 #79 Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU -------- VIRUS-L Digest Wednesday, 1 Apr 1992 Volume 5 : Issue 79 Today's Topics: Re: FTP site for Virus Simulations! (PC) Re: polymorph virus questions (PC) Re: Virus Question (PC) Re: Stupid questions about booting (PC) Re: Patricia Hoffman (PC) Re: virus scanners (PC) Re: Which Package is Best? (PC) Re: virus scanners (PC) Fprot & 2to1 (PC) warning about mutation engine (PC) PS/2, 639K Ram reported (PC) help - green catepillar! (PC) Question about Central Point VSAFE message (PC) Re: Microsoft Word 5.0 Installation Instructions (Mac) Re: Microsoft Word 5.0 Installation Instructions (Mac) XCOPY under OS/2 (OS/2) heuristic scanners Virus Icon/Logo Re: Origins of viruses International Virus Symbol... New Anti-Viral Site!! VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Tue, 31 Mar 92 21:32:34 +0000 From: Jim.Baltaxe@vuw.ac.nz (Jim Baltaxe) Subject: Re: FTP site for Virus Simulations! (PC) IO10968%MAINE.MAINE.EDU@VM1.gatech.edu (I'M NOT JUST A NUMBER!) writes: >I came across an interesting file the other day. And I thought some >of you would enjoy these too! > >File Name: virsimul.zipp > >This file contains simulations of: > >None of these files are infectious, and are not detected by any anti-virus >software. > >This was my first oportunity to experience any of these viruses, and what >more could you ask for..they're not infectious. (It's like sex w/o protection) > >Anyway, Cascade is pretty impressive and the others are interesting too! > >Maybe these programs could help you with a practical joke on April 1st? >__ooOO >None of my friends are safe!! >OO >Good Luck and Good Fun. Just what we really need, a joker who still thinks that these things are funny :-( The simulations are there so that you can demonstrate what they do, not play games that make viruses seem like harmless pranks, at best, and even worse, spread false alarms around that encourage people to ignore sympotoms and/or warnings. Too many of use are spending too much of our time trying to fight off such attitudes to be amused. I also noticed that the coward wouldn't even put his name on his note. Perhaps I can think of a more descriptive number for him, something slightly less than 70, perhaps? Jim Baltaxe Victoria University of Wellington, Computing Services Centre Wellington New Zealand - -- Jim Baltaxe - jim.baltaxe@vuw.ac.nz Computing Services Centre - Victoria University of Wellington - New Zealand - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Time is such a valuable commodity because they're not making it any more. ------------------------------ Date: Thu, 26 Mar 92 23:02:12 +0000 From: ukcy@sunyit.sunyit.edu (Kevin Yager) Subject: Re: polymorph virus questions (PC) sander@engin.umich.edu (Scott D Anderson) writes: >I am looking for information on the ibm PC 'polymorph' virus, which is >self-encrypting, self mutating, and overwrites random sectors on the >hard drive. Supposedly, the only way to find an infection of this >virus is to notice an unexplained growth in COM files. > >Has anyone heard of this virus? Is it true that there are currently no >means of detecting it other than mentioned above? If this isn't true, >how would I go about detecting such a virus? I am also interested in learning more about polymorph. My boss read about it in a magazine and had me write a program that will document the length of every com and exe. On subsequent runs it will check to be sure the file length is the same and add or delete executables that have been created or deleted. Since I wrote the program I have learned that some of the "stealth" viruses are smart enough to change the length data so that when a dir listing is done you will so the old length of the file instead of the actual length. How many viruses can really do this?? How usefull is the program that I wrote?? Kevin Yager ------------------------------ Date: 27 Mar 92 07:10:14 +0000 From: makbil@lehi3b15.csee.lehigh.edu (Metin Akbil [900524]) Subject: Re: Virus Question (PC) This does happen if the internal battery is getting weak. If you run install from a reference diskette for that particular IBM model, the problem should disapperar - at least until you switch off the PC. The solution is to installa new battery. Metin Akbil ------------------------------ Date: 27 Mar 92 10:23:14 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Stupid questions about booting (PC) LIBBIE%PUCC.BITNET@BITNET.CC.CMU.EDU (Libbie Counselman) writes: > Here is what I feel I already understand: > - There are boot sectors on both hard disks and floppies. On all formatted floppies, yes. > - If a floppy is in the A: drive when the machine is booted, the > machine will read its boot sector even though the floppy may not > be a bootable diskette. The machine will -try- to read the boot sector. If the diskette is not formatted, it obviously won't succeed. In this case it will proceed as if no diskette is present. > If the floppy is infected with a boot > sector virus, this action will infect the hard disk. Not "will". "Might". Some viruses (Stoned, Michelangelo) infect the hard disk immediately, while others (Ping Pong, Typo) wait until DOS is loaded and infect the hard disk when DOS accesses it for the first time (during the device initialization process). And, of course, if the boot sector virus is a floppy-only infector (Brain, Den Zuk), it won't infect the hard disk at all. > - The partition table, which defines partitions on the hard disk, > is in the Master Boot Record on the hard disk. It may or may not > become infected, depending on the virus. Right. > Here are some of my confused loose ends: > - What is the difference between the Master Boot Record and the > boot sector? The MBR is the first physical sector of the hard disk. That is, Track 0, Side 0, Sector 1. The boot sector is the 0th logical sector of each partition. There are as many boot sectors as there are partitions, although only one of them can be active (bootable) at a given moment. > - Do only hard disks have Master Boot Records? Yes. > Or are they found on floppies, too? No. It's probably possible to create a floppy with a hard disk structure (with MBR, partitions, and so on), but it is generally useless. The initial idea of the partitions was to provide the possibility to have multiple operating systems on your hard disk and boot from the one you select. It's a bit difficult to put two different operating systems on one diskette... :-) > - If a disk has a Master Boot Record, does it *also* have a *separate* > boot sector, or does the Master Boot Record house the boot sector? Yes, always. There is always one MBR and as many boot sectors as there are partitions. In fact, it is possible that only one of those boot sectors contains executable code. Even more - in theory it is possible that none of them contains executable code - if you wish to have a non-bootable hard disk. > - If a hard disk has only one partition (e.g. a "C:" drive, but no > others, right?), is there a partition table? In the partition table there is place for exactly 4 entries. No more, no less. If you have only one partition, then only one of the entries contains data (although not necessarily the first one). If you want more than 4 partitions (possible with DOS 3.3 and above), one of the 4 partitions is marked as "extended". In fact, it points to another partition table sector (chained to the MBR), which contains yet another 4 PT entries and so on. > - I assume that DOS's 2 hidden files are stored in either the boot > sector and/or the Master Boot Record (MBR), correct? Which one? No, you are wrong. There is just no place for them there - the two hidden files can occupy more than 100 Kb and a sector is only 0.5 Kb. The two hidden DOS files are stored usually at the beginning of the bootable DOS partitions. More exactly, in its data area. Each DOS partition consists of a boot sector, FAT(s), root directory, and the rest is the data area. > What else, besides the partition table, and viruses, can be > found there? The MBR contains a small program to fetch the entry of the active partition from the PT, to locate its boot sector, to load it in memory and to transfer control to it. In the DOS boot sector there is the BIOS Parameter Block (describing the parameters of the disk) and a small program to locate the two hidden DOS files, to load the beginning of the first one, and to transfer control to it. Sometimes some protection programs put their own code in the boot sectors. I don't know what's the contents of the boot sectors of the other operating systems (UCSD Pascal, CP/M, Unix...) > - What exactly happens when the machine reads the boot sector? Or > the Master Boot Record? For example, does it first look for DOS's > hidden files? Does it look for something else? Where does it go > next and how does it know where to go next? First the MBR gets loaded by the BIOS. The program there finds the active partition, loads its boot sector and transfers control to it. The boot sector is responsible for loading the operating system in memory. Hope the above helps. Feel free to ask me more questions if something is still not clear. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 27 Mar 92 10:52:49 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Patricia Hoffman (PC) ROY@mvax1.me.liverpool.ac.uk (Roy Coates) writes: > 2. Where can I contact Patricia Hoffman ?? The following is from VSUM 2.02: Patricia M. Hoffman 3333 Bowers Ave Suite 130 Santa Clara, CA 95054, USA Tel.: +1-408-988-3773 Fax: +1-408-246-3915 BBS: +1-408-244-0813 CompuServe: 75300,3005 I guess that her Internet address should be 75300.3005@compuserve.com, but I haven't verified it. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 27 Mar 92 11:01:33 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: virus scanners (PC) vail@tegra.com (Johnathan Vail) writes: > But shouldn't we learn the lesson of the Godnet Raider? Scanning for > known virus signatures has never been a good strategy for combatting > viruses and is now becoming obsolete. Changing and re-encrypting > known signatures does not change any of the shortcomings of the > technique. At best it just makes GR's list useless, at worst it > perpetuates the myth of the scanner. Yes, you are right. With one slight correction - encrypting the scan strings -does- change one of the (many) shortcommings of this technique. If you don't encrypt them, and other virus scanner which scans the whole file and uses the same signatures will flag your program as infected. > What really bothers me is that he succeeded to post on a moderated > newsgroup... I would like to know how exactly he did it... > Not all that hard. Consider that it was crossposted to alt.hacker. > This is a moderated group with no moderator. This makes the group > self-moderated since if you can't figure out how to post to it you > don't deserve to in the first place. Yes, I know. It definitively is possible. I just don't know how. I guess I don't classify as a hacker... :-) > The problem with the scanner is when people scan their disks and come > up clean they might think they really are clean. If a virus has been > tweaked, changes itself, or is a new program the scanner is worse then > useless. Yes, I fully agree with you. > What are needed are better system integrity checks and monitors. Here I slightly tend to disagree. First of all, monitors alone are even more useless than known-virus scanning. -Any- monitor can be bypassed, if there is no memory protection. And if you rely -entirely- on an integrity checker, there is still some chance that a virus can pass unnoticed. A good protection scheme must consist of multiple levels. Scanners, monitors, resident scanners, integrity shells, integrity checkers, backups. All of them have their place, although the accent must be on the integrity checkers, since they are the strongest line of defense. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 27 Mar 92 11:16:22 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Which Package is Best? (PC) 72571.3352@CompuServe.COM (Wolfgang Stiller) writes: > Slightly faster? According to Y. Radai's own numbers, IM executed a > full check ":28" faster than UT. Using IM's time of 1:59 as a base, > this is roughly 25% faster. Well, people do not "feel" in percetages and 28 secs is not that much, is it? :-) While I played with the two products I almost didn't notice any difference, but again, my results might be flawed because of the computer configuration I used. > IM has the quick check for a totally different reason than UT's. > Actually IM calls it a "quick integrity update". This does not do a > sampling as UT does, but provides a fast way to do a full check of all > files which are new and do a full check also of any files which show > signs of having changed such time/date stamps or file size changes. > The idea here is that it provides a fast way to bring your integrity > information quickly up to date and still do full known virus and > integrity checking on the files the IM does fully process. The quick Oh, I see... A nice idea. As I said, both products can learn from one another. > I agree; I was quite disappointed in this review. The following > review of a security product which prevents booting from the hard disk > was equally flawed by not mentioning how easily this protection can be > bypassed. The following? But the review of Stealth Bomber was the last article in the bulletin. Or, do you mean the previous review, that of PC Armour? Well, they said quite fairly that it does not provide great security and that when you boot from a floppy, the hard disk is not accessible to MS-DOS. It is not, indeed! The fact that the user can start Norton Utilities in /Manintnance mode and do whatever he wishes with the hard disk, using only BIOS calls, is a completely different story... :-) > I think anyone who makes claims which can have disastrous results for > their customers deserves more than just anger. After someone > irretrievably loses some critical programs, will they feel better > because of "angry experts? Well, yes, you are right, but have in mind that the silly claims have been made by the company that markets the product, not by the developpers (who have done a pretty good job). > Please keep in mind that Integrity Master has a different focus that UT. > Integrity Master is first and foremost a data integrity product. Well, so is in fact the UT's integrity checker, regardless that they are using it mainly to fight viruses. > Integrity Master will continue to evolve and learn from its competition. As somebody wrote on one of the newsgroups, the best thing for the user is if there are two main competing products for the task s/he needs done... :-) Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Fri, 27 Mar 92 13:36:20 +0000 From: Albert-Lunde@nwu.edu (Albert Lunde) Subject: Re: virus scanners (PC) vail@tegra.com (Johnathan Vail) writes: >But shouldn't we learn the lesson of the Godnet Raider? Scanning for >known virus signatures has never been a good strategy for combatting >viruses and is now becoming obsolete. Changing and re-encrypting >known signatures does not change any of the shortcomings of the >technique. At best it just makes GR's list useless, at worst it >perpetuates the myth of the scanner. This is a questionable statement - scanners have never been a way of dealing with new viruses. There are feasible ways to change an existing virus so it will not be detected by a scanner without "cracking" the scanner. However, the risk from old viruses and varients is likely to continue to be significant, and scanners are fine for this. This hack, like the prior program that created test files containing virus signatures, demonstrates nothing new except to people who do not understand how virus scanners work, and the limits this implies. - -- Albert Lunde Albert-Lunde@nwu.edu alunde@nuacvm.bitnet ------------------------------ Date: Fri, 27 Mar 92 09:32:37 -0500 From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) Subject: Fprot & 2to1 (PC) >From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) >Subject: Re: Fprot & 2to1 (PC) (During execution of F-Prot 2.02d on SafeMBR.COM & 2to1.COM) >>> Both programs were reported as "Possibly a dropper program for a >>>new variant of Stoned." (Vess) >Hmm, I'm sorry, but as far as I know, the above message is NOT caused >by the heuristic analyser (Frisk?). I beg to differ - this IS generated by the base F-Prot but the wording ("Possibly") indicates that Frisk is, through a "heuristic" (serving to stimulate investigation or thought) analysis, picking up a specific bit of code in SafeMBR.com & 2to1.com that replaces the MBR. Most good systems are gravitating toward a tree based heuristic analysis for speed - first determine if a program is "suspicious", then try to identify a specific signature if something is questionable. The text of the message indicates that F-Prot has found "suspicious" behaviour (which it has) that does not match any of the known signatures (which it does not) but has warned the user that it is similar to that used by MBR "droppers" (which it is). Incidently, the original SafeMBR.com and its removal tool 2to1.com have been superceeded by the much more capable FixMBR program which does not trip F-Prot 2.02d. Personally, I think this is a *good* but possibly the messages could be improved e.g. "Program contains BIOS manipulation code similar to a MBR dropper." Will be even better when he can add "check manufacrurer's documentation for validation codes" 8*) Warmly, Padgett ------------------------------ Date: Thu, 26 Mar 92 19:00:00 -0500 From: Mike Opzoomer Subject: warning about mutation engine (PC) VB>mcafee@netcom.com (McAfee Associates) writes: > Three new viruses have appeared in the past two months that > utilize the Bulgarian Dark Avenger Mutation Engine. The source > code for this mutation engine has appeared on numerous virus- > exchange bulletin boards and is now in the hands of virus writers. VB>The source?! Are you sure? What we have here is a virus development VB>kit, which contains the MtE as a compiled, ready to link OBJ file, The source IS available as after a great concern about the polymorphic engine and a call the McAffee in Canada I found out THEY have a copy of the code for the engine and virus. VB>C'mon, let's be serious. There is no such virus against which there is VB>no protection. Any integrity checker that is worth the price of the Yes.. the Pogue was detected and cleaned (most of the time) but the NEW polymorphic engine (not the one that spawned Pogue and the others) has a way of wiggling its way through vshield or any other memory resident checker. The polymorphic engine is just that, and once infected it mutates on an ongoing basis, rendering any scan utility useless (unless you have a copy of the size of the original file) Regards, Mike - --- ~ DeLuxe} 1.12 #9745 ~ I tried the rest but bought the best!!!! - -- Canada Remote Systems - Toronto, Ontario/Detroit, MI World's Largest PCBOARD System - 416-629-7000/629-7044 ------------------------------ Date: Fri, 27 Mar 92 10:30:48 -0600 From: miguel@roxanne.nuclecu.unam.mx (Miguel de Icaza A.) Subject: PS/2, 639K Ram reported (PC) This kilobyte is used internally in the ABIOS of IBM PS/2 (Advanced BIOS). ------------------------------ Date: Fri, 27 Mar 92 22:48:40 +0000 From: hurd@sfu.ca (Peter L. Hurd) Subject: help - green catepillar! (PC) Howdy, I just noticed one of those dreaded anonymous posters appeared on our departmental mailboxes. Found GReen Catepillar virus. Scan 86B (I think) I'm running doesn't include it in the virus list, and F-prot says it isn't analyzed (what does this mean). Anyway since my PC has been running ominously slowly of late I thought I'd panic. What scans for Green Catepillar?, What removes it? Thanks for the help - -P. - -- Pete Hurd, hurd@sfu.ca | My field season starts early April, Behavioural Ecology Research Group | I will be incommunicado except by Dept.Biol.Sci., Simon Fraser Univ. | snail mail (address to the left here) Burnaby B.C. V5A 1S6 Canada | or phone (604)-428-3260 messages only. ------------------------------ Date: Fri, 27 Mar 92 16:40:43 -0800 From: CHUCKM@UCRDG.UCR.EDU (Chuck McDaniels, UCR Academic Computing) Subject: Question about Central Point VSAFE message (PC) Hi: A professor here at UCR reported the following message on his PC, running Central Point's VSAFE (I'm told that this is roughly equivalent to McAfee's VSHIELD): COMMAND.COM was changed What he's been doing is deleting his COMMAND.COM, and reloading it from a master DOS floppy. He asked me today if he needs to do this, since his scanning software can't find a virus (he says he's just had it for a month, and that it can detect Michelangelo). So, does this seem symptomatic of a virus? The next time I talk to him, I'll try to get a copy of his "modified" COMMAND.COM, if that would help in tracking this down. Thanks! Chuck ++++ Chuck McDaniels, Microcomputer Facilities Manager ++++ ++++ Academic Computing/Services, Univ. of California, Riverside ++++ ++++ BITNET: ChuckM@UCRVMS Internet: ChuckM@UCRAC1.UCR.EDU ++++ ++++ Disclaimer: I don't speak for UCR. Go ahead. Ask anybody! ++++ ------------------------------ Date: Fri, 27 Mar 92 13:47:42 +0000 From: Albert-Lunde@nwu.edu (Albert Lunde) Subject: Re: Microsoft Word 5.0 Installation Instructions (Mac) karyn@cheetah.llnl.gov (Karyn Pichnarczyk) writes: >I read a short note in the RISKS forum about this, and thought I would >check it out. > >In light of the PC Michelangelo distribution-by-vendors problem, I'd >like to note this problem to the readers of this forum. > >I just called Microsoft, and their support person said it is NECESSARY >to remove virus protection programs before installation. This is due >to the fact that they use the Apple Installer program to install their >product, and the anti-viral programs will interfere with the >installation process. > >Is this true? Is it NECESSARY to remove virus protection to install >products such as Microsoft Word on a Macintosh??? What can be done to >allow virus protection to still operate on a system while an >installation is in progress? They could have stated it more narrowly. Gatekeeper is a (rather paranoid) suspicion activity detector, and might well interfere unless appropriate permissions were granted. It's not really a product for novice users. On the other hand the Disinfectant INIT, because it targets a list of known viruses rather specifically, is much less likely to interfere. It is rather difficult to detect unknown virus activity while installing new software. All this would not apply if one booted from a floppy with a system first. - - -- Albert Lunde Albert-Lunde@nwu.edu alunde@nuacvm.bitnet ------------------------------ Date: Fri, 27 Mar 92 12:13:15 -0500 From: Joe Simpson Subject: Re: Microsoft Word 5.0 Installation Instructions (Mac) karyn@cheetah.llnl.gov (Karyn Pichnarczyk) says: >In the "JumpStart" instructions for Microsoft Word, the first >instruction is: > > 1. Make sure no programs are running on your computer that might > interfere with installation. Turn off startup programs (INITs) > and remove virus protection programs such as Gatekeeper from your > System folder. Then restart your computer. > >Is this true? Is it NECESSARY to remove virus protection to install >products such as Microsoft Word on a Macintosh??? What can be done to >allow virus protection to still operate on a system while an >installation is in progress? Yes and No. Most "installation" programs are glorified file movers. Vendors could simply note which files/folders to copy where, but prefer to rely on Installer to do this in a uniform way. Anti-viral programs will interfer with the Installer. You can scan the vendor disks for viruses before removing virus protection from your computer. This provides limited protection because much of the code on commercial diskettes is in a compressed format these days. For maximum protection I would do the following: 1. Scan the vendor diskettes for viruses. 2. Defeat virus protection. 3. Install software 4. Scan new software for viruses. 5. Run the new software. In practice I rely on backups and assume that viruses on commercial disks are a relatively rare phenomenon. There is no protection program or procedure that can absolutely protect from viruses with the exception of abstenance. A good backup procedure can reduce the cost of recovering from viral attack. ------------------------------ Date: Fri, 27 Mar 92 15:13:49 -0500 From: Kevin_Haney@NIHCR31.BITNET Subject: XCOPY under OS/2 (OS/2) csvcjld@nnomed.bitnet writes... >I'm running OS/2 1.3. Under OS/2, XCOPY does not change the >dates of the files it copies. In the DOS box, the files created by >XCOPY have their dates set to the current date. The resulting files >are the same size as the originals and COMP says they are the same. >Is this a known OS/2 1.3 bug? Or, do I have a virus? I tried this on my system which has IBM OS/2 1.3 Standard Edition, and XCOPY in the DOS box did not change the file dates. You could possibly have a virus. DOS viruses can usually run in the DOS box of OS/2 and your DOS command files could be infected. You can easily determine this by scanning your system with a recently updated scanner after booting up from a clean DOS diskette. There are still no OS/2-specific viruses that I know of. If this checks out negative, I would say that it is a bug that might be due to the particular CSD level of OS/2 you have (the most likely explanation). You should report it to IBM, though (if you are using IBM's OS/2, that is). Hope this helps! Kevin Haney Internet: khv%nihcr31.bitnet@cu.nih.gov ------------------------------ Date: Fri, 27 Mar 92 02:11:00 +0000 From: Joshua Proschan <0004839378@mcimail.com> Subject: heuristic scanners Upon reflection, I must side with those who want the heuristic scanners to continue to be available. The problems of avoiding a deluge of inquiries from casual users with false positives can be avoided by including a prominent warning in the documentation that false positives can occur; and by the previous suggestion of including it in the FAQ and simply not responding. Joshua H. Proschan Internet: 0004839378@mcimail.com JProschan@MCIMail.com ------------------------------ Date: Thu, 26 Mar 92 22:42:48 -0500 From: Charles Hope Subject: Virus Icon/Logo My suggestion for a virus logo would be a skull-n-crossbones superimposed on a larger, approximately-spherical polyhedron, like a buckyball or something. Isn't that sort of what viruses look like (sans the bones) ? It's not really too identifiable by someone with no clue, but then it isn't an easy concept to iconify! Charles Hope ------------------------------ Date: 27 Mar 92 10:13:56 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Origins of viruses vail@tegra.com (Johnathan Vail) writes: > In 1980 and early 81 after reading about the Xerox PARC "Worm" program > I came up with the idea of writing one for the Apple ][. I succeeded > in writing a simple version of what we now call a boot sector > infector. Actually it was a modified version of Apple DOS that when > activated with the "CATALOG" command would check to see if the disk > was infected, and then JSR (6805?) to the part of the INIT code that > copied the DOS to a new diskette. We have here information from a guy called Joe Dellinger, who claims to have written the first Apple ][ virus (Elk Cloner). According to him, it happened in 1981. It seems that there have been three versions of it (which fixed some of the bugs that made the virus sometimes cause unvoluntary damage). Do you have more information about that? Who exactly has the priority? Is Joe Dellinger reading this list and could he comment on this? Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Fri, 27 Mar 92 16:33:27 +0000 From: "Pete Lucas" Subject: International Virus Symbol... I dont know of an international virus symbol; I mark all my diskettes that contain live viruses with a strip of BIOHAZARD tape.... This is yellow with a red symbol of intersecting crescents, and the word BIOHAZARD in red. Biohazard tape is available from most laboratory suppliers. >< Pete Lucas >< P.LUCAS@UK.AC.NSW.UA P.LUCAS@UK.AC.NSW.UA ------------------------------ Date: Fri, 27 Mar 92 13:35:22 -0600 From: John Perry Subject: New Anti-Viral Site!! Hello Everyone! I have recently created a new anti-viral FTP site on campus at University of Texas Medical Branch. The name of the site is eugene.gal.utexas.edu with a IP address of 129.109.9.21. Eugene supports anonymous FTP logins and carries up-to-date anti-viral software. I invite everyone to log in and get the latest in anti-viral computer software. If you encounter any problems, please send mail to perry@eugene.gal.utexas.edu. I'll be looking forward to your connect! - -- John Perry - perry@eugene.gal.utexas.edu ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 79] *****************************************