VIRUS-L Digest   Tuesday,  1 Feb 1994    Volume 7 : Issue 8

Today's Topics:

Re: Virus/gun analogy doesn't work
Statistics on virus infections
good viruses
Re: "Good Viruses?"
Help on Tierra.Z
Something that -isn't- a new idea for an antivirus virus
Telescript Agents
Re: "Good Viruses?"
Re: What is a virus ?
Virus in MBR, which cannot be found? (PC)
noint info please (PC)
independent testers (PC)
Kennedy virus (PC)
Re: Removing Form Virus (PC)
Re: SCAN 109 False Positive (PC)
McAfee versus F-prot (PC)
Re: EMD Enterprises PC Armor Beta Test Survey (PC)
MCAFFEE SCANV109 FIND (PC)
SKISM 14 (PC)
Green Caterpilar (PC)
Question... (PC)
re: Help in removing Monkey virus from hard disk (PC)
virus called JUS ?? (PC)
TBAV 6.10 (antivirus) now available (PC)
3.4 Weird behaviour (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.
   Ken van Wyk

----------------------------------------------------------------------

Date:    Fri, 21 Jan 94 11:54:16 -0500
From:    swimmer@rzddec2.informatik.uni-hamburg.de (Morton Swimmer)
Subject: Re: Virus/gun analogy doesn't work

ktark@src4src.linet.org wrote:
: in response to:bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
: Vesselin Bontchev (bontchev@fbihh.informatik.uni-hamburg.de) writes:
: >> ...
: >cause damage) in some environments. Some of the existing viruses are
: >written with the intent to be harmful, while others cause harm
: >non-intentionally.
: Using your argument: ANY piece of software, in theory (and in real life)
: has an environment in which it will be harmful!
: And most software has not been written with the intent of causing damage!
: This argument proves nothing, as it is just a theoretical generalization
: of operating system / software interaction.

Right, but in the case of published software you can complain to the
publisher, sue them or trample on their toes, because they are known
and don't hide behind a cloud of anonymity as do virus writers. (Of
course that doesn't go for MicroSoft if you get problems with
DoubleSpace :-)

Cheers, Morton

- --
..morton swimmer.(virus-test-center..university of hamburg)...odenwaldstr. 9..
...20255.hamburg...frg......internet: swimmer@fbihh.informatik.uni-hamburg.de.
...God grant me the solemnity to accept the things I cannot change/Courage to.
.change the things I can/And the wisdom to tell the difference..R. Niehbuhr...

------------------------------

Date:    Sun, 23 Jan 94 12:44:47 -0500
From:    adamsb@un.org
Subject: Statistics on virus infections

A couple of folks have asked about virus infection statistics. We
have some simple statistics. The organization has 80 LAN's with a
total population of 2,000 users. Last year (1993) four percent of our
users reported to the Help Desk that they "thought they had a virus
infection."
Three percent of our total user population actually proved to have a
virus which had to be removed. The other one percent usually had PC
memory management or PC configuration problems, which they mistook
for a virus.

We have not had a single infection by a "good" virus. Every virus
infection did some damage, and in some cases caused delays in
projects which benefit a large number of people.

Bernard Adams
Network Administrator (Telecomm. Engr.)
Electronic Services Division
United Nations, N.Y.

------------------------------

Date:    Tue, 25 Jan 94 16:48:57 -0500
From:    barnold@watson.ibm.com
Subject: good viruses

ktark@src4src.linet.org writes:

>Mistake #1:
>This is one of the myths & fantasies about computer viruses and computer
>virus authors.
>Most virus writers are NOT in their adolescent stage.
>Most of them are university students, some are pursuing Master Degrees,
>some have PhD degrees.
>I have examples to prove my point.
>This adolescent nonsense is another scheme by bigwigs with monetary stakes
>in the matter to make themselves appear on top of the knowledge heap, which
>is in fact not true.

I differ; we have no real clue about the demographics of virus
writers. Small personal samples prove nothing, and it would be nearly
impossible to acquire good statistics. We have some rough clues from
the members of the subset of the virus-writer population that have
been caught or have boasted publicly about their activities, but
that's it. We have no clue how many people write and release viruses
and don't get caught (though there are a *lot* of coding styles
represented in the large PC virus collections), and we have even less
of an idea how many people write and *don't* release viruses.

Personally I have absolutely no quarrel with those who write and/or
test and/or play with viruses in a carefully controlled environment,
but as soon as they release even a benign newly-written virus to
virus collectors of any sort, they've changed matters. Why?
Because they henceforth have no control over the spread of their
creation, through whatever channels. And eventually a virus will
appear in an anti-virus reviewer's test set. Which means that
basically any competitive vendor of anti-virus products will have to
make sure that their product can handle it. Which means at minimum
50-100 bytes more bloat (including documentation) for any product
that can identify the virus by name. Multiplied by, say, 1-10 million
instances of detectors (probably an underestimate). And this happens
even if the virus never appears on an end-user's machine, and even if
the virus isn't subsequently modified maliciously by some miscreant,
unknown to the original author. (Warning, this is the biased point of
view of a developer of an anti-virus product, so you might want to
ignore the paragraph that you just read. :-)

>Mistake # 2
>Curiosity? Temporary frustration?
>How about ridiculing pseudo-professional slick-marketed, poorly
>designed products that rip people off their money?
>(I am talking about AV software of course..)
>Writing viruses is not something you grow out of.. like your clothes
>or your hairstyle, as there is nothing to outgrow, as long as there is
>dishonest people making money off garbage software, there will be
>computer viruses.

These sorts of insults have kept a lot of people out of this
discussion. Dishonesty and chicanery and shoddy overpriced
products/services can be found in most walks of life and professions.
(My will is just barely strong enough today to resist naming
professions. :-)

One unique (in the software industry) problem anti-virus software has
is the very short development cycles, for products with wide
distribution.
The only other examples I have seen are the products that break
commercial copy protection schemes; they are a similar product, in
that they embody knowledge about a large amount of software known to
the developers at a particular time, and they get "stale" fairly
quickly, like fish left on a shelf. (Other examples of fast-aging
products welcome.)

Bill Arnold (IBM AntiVirus development)

------------------------------

Date:    Tue, 25 Jan 94 18:12:31 -0500
From:    datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: "Good Viruses?"

 wrote:
>>There is NO SUCH
>>THING AS A NON-DESTRUCTIVE VIRUS, PERIOD!!!!! If even the most benign virus
>>gets out of the lab, it's a problem.
>
>Let's look at the following scenario:
>An isolated computer (No networking capabilities, all removable media is
>not shared with any other computer)
>I contend that there exists a virus for this system such that this virus
>will infect all files that 'can be' infected without inhibiting their
>ulterior execution and then 'dwell' on the system without causing ANY damage
>to ANY stored media.
>Yes, performance will be affected, but the system will retain all
>functionality.
>prove my theory.

Even then, I still think you're wrong. The way you are describing
your system infection, a file gets infected. And, if a file gets
infected, then some resources are absorbed. These resources, the disk
space, could have been occupied by a recently deleted file. If
another program were to become infected before I write any more data
to the drive, then it is possible that the remains of the deleted
file could be overwritten, and thus unrecoverable.

Also, please describe in detail exactly what damage is. I could say
writing to memory damages a horribly written program. You might
overwrite a section of my program or something.
>Let us add some more world perspective to this:
>You have an economical and personal interest in making all computer viruses
>appear as evil incarnate, you make a living out of this premise, whether
>you like it or not.
>Let us hear from someone who has no stakes in this matter..

I do not work for any antivirus company, I don't have any real
antivirus product out (though I have written a few little things here
and there which I distributed freely some time back.)

People are edgy about a lot of things. It's quite possible that
antivirus people just happen to have morals that differ from yours
and they think they are doing humanity some good by trying to get rid
of viruses that inflict damage on other people.

Even if there were some completely undamaging viruses, then they
wouldn't have much purpose -- the system would actually be better
without them, because less resources would be used. And resources = $
in the real world.

- --
-- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
CSLD Room Monitor, Thurs 10-12p, Sunday 5-10p (909)/787-2842.
Computer Science Dept., University of California, Riverside.
"The best angle to use on a problem is the try-angle. If that doesn't
work, try the wrecked-angle..."

------------------------------

Date:    Wed, 26 Jan 94 13:22:01 -0500
From:    s1104145@cedarville.edu (Daniel Hatfield)
Subject: Help on Tierra.Z

I downloaded Tierra.Z, onto my ms-dos machine and uncompressed it.
Now, it appears all in text the first few pages of it appears to be
instructions to a Unix to set up different files...Is this the case?

------------------------------

Date:    Wed, 26 Jan 94 13:37:33 -0500
From:    "David M. Chess"
Subject: Something that -isn't- a new idea for an antivirus virus

>From: A.APPLEYARD@fs1.mt.umist.ac.uk
> From periodical `New Scientist', 15 Jan 1994, p18:-
> [Virus busters get a shot in the arm] by Jonathan Beard, New York.
> Computers could soon fight off viruses that attack them by using
> an in-build "immune system", For a user, this should mean ...

Not an anti-virus virus. Or rather, not *really* one. There are two
notions of "virus" around, and their differences can cause some
confusion.

The formal mathematical notion of virus, developed by Fred Cohen in
his pioneering work in the field, is roughly "any data object at one
place in a computing environment that increases the probability that
a related data object will appear in the environment at another place
at a later time" (this is a rough translation from math to English,
and I apologize to Dr. Cohen in advance, but I think it captures the
spirit of the formalism). This notion fits some parts of the immune
system that we envision. It also fits the beneficial programs that
Mr. "Kohntark" refers to. But it also fits the XCOPY command,
COMMAND.COM, and could be stretched to cover this very post! So while
it's quite useful in doing theory, it's not the notion that I think
most of us on VIRUS-L are concerned with.

The ordinary notion of "virus" as it's used on VIRUS-L is something
like "code designed to spread from system to system without the
knowledge or consent of the system owner". This fits FORM, 1575,
NVir, and the many other viruses that trouble current computer users.
It does not fit XCOPY, COMMAND.COM, or any component of our immune
system design. I consider the writing of code designed to spread
between systems without the system owners' consent to be
irresponsible; we would certainly not include such code in a product!

So I'd definitely resist the label "anti-virus virus" for the idea,
to avoid confusion...

- - -- -
David M. Chess                    Spinning in your head
High Integrity Computing Lab      Listen to the Argonauts
IBM Watson Research               Don't we like trombones?
------------------------------

Date:    Wed, 26 Jan 94 19:08:48 -0500
From:    rdaily@cbnewsg.cb.att.com (ronald.r.dailey)
Subject: Telescript Agents

There has been a lot of comment in the press lately regarding the
agents to be used by Telescript when it is released by General Magic.
I don't see these agents as viruses, but rather self modifying worms.
I doubt if they even modify their own code. They seem pretty safe,
yet powerful to me. Anybody got different ideas on their potential
threat? If this isn't the correct group for this discussion, where
might I find interest?

Thanks,
Dick Dailey

------------------------------

Date:    Thu, 27 Jan 94 04:49:55 -0500
From:    bradleym@netcom.com (Bradley Maris)
Subject: Re: "Good Viruses?"

ktark@src4src.linet.org wrote:
> Brian Seborg writes:
> >It's been quite a while since I last felt compelled to post to Virus-L,
> >but I thought that recent discussions regarding the legality of viruses
> >and liability were interesting enough that I'd like to jump back into the
> >fray.
> Well, here is another person who does not feel like this thread is a
> 'waste of bandwidth'
> [personal statistical figures & data deleted]
> >There is NO SUCH
> >THING AS A NON-DESTRUCTIVE VIRUS, PERIOD!!!!! If even the most benign virus
> >gets out of the lab, it's a problem.
> Let's look at the following scenario:
> An isolated computer (No networking capabilities, all removable media is
> not shared with any other computer)
> I contend that there exists a virus for this system such that this virus
> will infect all files that 'can be' infected without inhibiting their
> ulterior execution and then 'dwell' on the system without causing ANY damage
> to ANY stored media.
> Yes, performance will be affected, but the system will retain all
> functionality.
> The existence of one such virus will prove your point wrong.
> Perhaps with time I will be able to conduct this experiment and
> prove my theory.
> >Who's liable? The distributor of the
> >virus, can you find him/her? Even if I do put a disclaimer, there is such a
> >thing as strict liability, and even if it is not applicable to software like
> >computer viruses, you can disclaim all liability, but this does not mean that
> >you do not have any liability! I hope this adds some real-world perspective
> >to the discussion.
> >Brian Seborg
> >VDS Advanced Research Group
> Let us add some more world perspective to this:
> You have an economical and personal interest in making all computer viruses
> appear as evil incarnate, you make a living out of this premise, whether
> you like it or not.
> Let us hear from someone who has no stakes in this matter..

Ok... I have no stake in the "business". I'm just a student that
likes playing with computers. :) I've only posted on Virus-L once
before. But I think that I have a clear idea of what viruses do and
are.

In my opinion, ANY computer virus should be considered a threat. Even
if the virus is known to be non-destructive, there is always the
possibility that it "dislikes" my system. Even if the damage is as
slight as lost CPU time or a file that I was going to delete anyway,
it's still taking SOMETHING. If you think of your computer as a
house, would you like it if something occasionally moved things on
you? I think it would at least irritate me. So, I don't care if there
is *>ONE<* system that *>A<* virus can be on without causing damage.
That system might not be mine.

Now off that subject... I'd like to thank the people that responded
to my question about Windows viruses. I guess I missed that September
issue while I was away for the summer.

Regards,
Bradley

I don't have a .Sig file.... go away!

------------------------------

Date:    Thu, 27 Jan 94 08:09:50 -0500
From:    esveb@csv.warwick.ac.uk (Jon Ribbens)
Subject: Re: What is a virus ?

Simon Callan (on GN57 at Borehamwood) writes:
>I recently came across this in a document that describes viruses that
>run on the Acorn Archimedes computer. It is part of the description of
>a not-uncommon virus. Is there anyone out there who thinks that this
>is a valid reason for not calling it a virus? And if so, what is it?
>
> This is not a virus as such, due to the fact no actual harm is down to
> your discs. It is merely a desktop 'silly' that is capable of replicating
> amongst any application NOT already having a !Boot file.

The above description is written by somebody who at first claimed
they had written this virus but it wasn't a virus, then they claimed
they hadn't written it at all, despite distributing a virus killer
which, in the documentation, he admitted he had written it ;). (The
virus killer claimed to kill 'all known viruses' despite only listing
about twenty or so, most of which the author admitted he hadn't
seen.)

The program is indeed a virus, the above excuse is ridiculous. Apart
from anything else, it did do damage. It made the monitor picture
distort - just a temporary software effect, but several people
thought their monitors were broken and wasted time and money trying
to get them fixed.

- --
// Jon Ribbens // Email: esveb@csv.warwick.ac.uk or j.ribbens@warwick.ac.uk //
// Term time: E09 Draycott House, Rootes Residences, University of Warwick, //
// Coventry, CV4 7AL // Home: 59 Upper Belmont Road, Chesham, Bucks HP5 2DD //

------------------------------

Date:    Fri, 21 Jan 94 14:23:14 -0500
From:    jej@cc.jyu.fi (Jukka E Jarvinen)
Subject: Virus in MBR, which cannot be found? (PC)

I bought a new hard disk drive, Seagate 340 MB IDE. I got it in an
opened package and there was DOS installed. I deleted the partitions
and made new ones. When quitting FDISK in the middle of the screen
blinked:

"BootSector Write !!! Possible VIRUS: Continue (Y/N)?"

I answered Y. I made same operations once more and I got the same
text. Also FDISK /MBR gives the same. McAfee's SCAN 109 and F-PROT
2.10 cannot find any virus. What's the problem and how can I fix it?
------------------------------

Date:    Sun, 23 Jan 94 04:25:50 +0000
From:    chbell@badlands.NoDak.edu (Charles E Bell)
Subject: noint info please (PC)

What can everyone tell me about the noint virus, and can it be
destroyed?

Charles

------------------------------

Date:    Sun, 23 Jan 94 08:40:13 -0500
From:    Pat Bitton <100015.422@compuserve.com>
Subject: independent testers (PC)

Following the untimely demise of the UK Computer Virus Certification
Centre run by Simon Shepherd at Bradford University, we are looking
for a new source of independent comparative anti-virus product
testing. Of course, we do do tests internally ourselves, but
independent tests are of more value both to our customers and to us
in terms of continually improving our product (Dr Solomon's).

Testers must have a strong virus library and be able to test products
for all types of infection, including polymorphics, on standalone PCs
and across networks, and on DOS, Windows, OS/2 platforms.

Anyone interested or who knows of a suitable tester, please contact
me.

Pat Bitton, Head of International Marketing at S&S International
Compuserve: 100015,422
Email: pbitton@sands.co.uk
Dr Solomon's Marketroids - We Try Harder

------------------------------

Date:    Mon, 24 Jan 94 04:28:10 -0500
From:    "WELDINGH K" <2868@et.aarhus.ih.dk>
Subject: Kennedy virus (PC)

When peeking around in VSUM I noticed that the description for the
Kennedy virus (Danish_Tiny.Kennedy) indicated that the trigger
message was 'Kennedy is deal - long live 'The Dead Kennedys''. I know
that 'deal' is wrong but has anybody seen this message written in
english in the virus - and not 'Kennedy er d*d - l*nge leve 'The Dead
Kennedys'' - written in danish (* indicating danish letters)?

Karsten Weldingh

------------------------------

Date:    Mon, 24 Jan 94 16:16:05 -0500
From:    FWF%GISA.UUCP@GERMANY.EU.NET
Subject: Re: Removing Form Virus (PC)

>ALLENTAYLOR@delphi.com wrote (VIRUS-L Digest Volume 7: Issue 5)
>
> > 3. You can use the appropriate virus cleaner [TBAV-TBUtility], [and
> with DOS 5 or higher; FDISK /MBR command] or [DOS Sys Command] or,
><
> [McAfee MDisk] to restore the boot sector.

No, no, no !!!!

FDISK/MBR restores only the MBR and n o t the boot sector. Therefore
you must use the DOS Sys command for removing the FORM-Virus.

Regards
Frank W. Felzmann
- ----------------------------------------------------------------
Bundesamt fuer Sicherheit in der Informationstechnik, Bonn
- ----------------------------------------------------------------
G  German
I  Information     <>  Voice  +49-228-9582-248
S  Security        <>  FAX    +49-228-9582-400
A  Agency
- ----------------------------------------------------------------
"It's a Snark!" ... Then the ominous words, "It's a Vir---"
- ----------------------------------------------------------------

------------------------------

Date:    Mon, 24 Jan 94 16:15:42 -0500
From:    FWF%GISA.UUCP@GERMANY.EU.NET
Subject: Re: SCAN 109 False Positive (PC)

The message of SCAN 109 "Found the 1008-B Dropper [1008Drop] Virus"
in the MODE.COM file of DOS version 3.3 is a false positive. A test
was performed with different original versions of Microsoft, IBM,
Tandon, Zenith etc.

But it is curious, that the false positive occurs only by using the
/A switch (Scan ALL Files). There must be an other strategy used by
McAfee SCAN on scanning only executables (default) or all files.

Regards
Frank W. Felzmann
- ----------------------------------------------------------------
Bundesamt fuer Sicherheit in der Informationstechnik, Bonn
- ----------------------------------------------------------------
G  German
I  Information     <>  Voice  +49-228-9582-248
S  Security        <>  FAX    +49-228-9582-400
A  Agency
- ----------------------------------------------------------------
"It's a Snark!" ... Then the ominous words, "It's a Vir---"
- ----------------------------------------------------------------

------------------------------

Date:    Tue, 25 Jan 94 19:01:41 -0500
From:    jlj@cs1.bradley.edu (Joel Johnson)
Subject: McAfee versus F-prot (PC)

I would like to know if there are significant differences between
McAfee and F-Prot antiviral software. Currently looking into site
license and want to know is F-Prot considered as thorough as McAfee
and will it catch as many viruses. Any input on this would be
appreciated.

Thank you. jlj@cs1.bradley.edu

- --
jlj@cs1.bradley.edu or jlj@camelot.bradley.edu

------------------------------

Date:    Tue, 25 Jan 94 19:27:02 -0500
From:    "R. Wallace Hale"
Subject: Re: EMD Enterprises PC Armor Beta Test Survey (PC)

On Mon, 24 Jan 1994 08:52:21 EST, Sunondo Ghosh wrote:

> Subject: EMD Enterprises PC Armor Beta Test Survey (PC)
>
> I am posting this for someone without access to the internet. Please
> reply to them directly.

Appears to me to be more of a market survey than a legitimate
invitation to competent beta testers.

R. Wallace Hale         "Thinking is the hardest work there is,
halew@nbnet.nb.ca        which is the probable reason why so few
BBS (506) 325-9002       engage in it."  - Henry Ford

------------------------------

Date:    Wed, 26 Jan 94 07:34:07 -0500
From:    greg.mcclure@mwcsinc.muug.mb.ca (Greg Mcclure)
Subject: MCAFFEE SCANV109 FIND (PC)

MH> Rich Chong (U41602@uicvm.uic.edu) wrote:
MH> : I just got SCANV109.ZIP off of oak.oakland.edu and started a scan
MH> : on a few of my systems. On a DOS 3.3 system, it finds 1008drop
MH> : in MODE.COM. I don't have a reference copy of the old mode.com
MH> : Does anyone know if this could be real for me? or just a known
MH> : false alarm? No other files were flagged as sick. Thanks
MH> : rich

MH> What they mean by it being a dropper is that it is not actually "infected"
MH> but has been "booby-trapped" to release a virus once it is run. Do you
MH> know where the file came from??? If not, I suggest you delete it.

This is a known bug as is indicated from the following message on
Compuserve:

#: 26522 S1/Virus Q&A
    17-Jan-94  15:31:45
Sb: #26512-#New virus
Fm: Mike Albers(McAfee) 73321,2776
To: Mike McKercher 76467,771 (X)

Dear Mr. McKercher,

The [1008Drop] virus is actually a false alarm with indeed version
109 of SCAN, I recommend for you to download SCAN 9.21V111, however
this may not be available currently, it will be put up on CompuServe
shortly. For now you can either remove the MODE.COM file, or maybe
get version 9.21V111 from our BBS at (408) 988-4004. Feel free to
contact me if any problems occur.

Regards,
Michael Albers
Tech Support

- ------------------------------ cut here ---------------------------

Scan v111 is now up on McAfee's BBS.

Greg... 22:32 01/25/94
Internet: greg.mcclure@wpcusrgrp.mb.ca
          greg.mcclure@mwcsinc.muug.mb.ca
Compuserve: 75170,1100

* RM 1.3 B0337 * I WILL procrastinate, if I can just get started!
- ----
Muddy Waters Computer Society Inc.
Winnipeg, Manitoba, Canada
(204)943-6507,08,09 (204)942-0227 (204)956-4997 (all nodes USR 16.8K D/S)

------------------------------

Date:    Wed, 26 Jan 94 07:34:16 -0500
From:    Pearson Russel
Subject: SKISM 14 (PC)

Text item: Text_1

Hi everybody!

We have encountered a virus detection of SKISM 14 by Central Point
Anti-Virus V2 beta 1. The problem is that only this software gives us
this alert and nobody seems to have a description of this virus.
Could anyone give me a description of the symptoms of this SKISM 14
Please!!!

Respond to me directly please!

Russel Pearson
Defense Research Establishment Valcartier

------------------------------

Date:    Wed, 26 Jan 94 11:56:34 -0500
From:    jgrays1@gl.umbc.edu (grayson john)
Subject: Green Caterpilar (PC)

I am looking for information on the Green Caterpilar virus. I am
taking Brian Seborgs class on viruses and the project involves
testing a virus to see what it does.
The first step in the project is to decide what it is supposed to do,
and then I can test it to see what I can make it do.

Thanks
John Grayson

------------------------------

Date:    Wed, 26 Jan 94 12:53:02 -0500
From:    dtieu@gmuvax.gmu.edu (Eddie Tieu)
Subject: Question... (PC)

Hi

I've got a question, my hard drive's been acting funny lately, it
seems to get stuck sometimes when I launch an application such as
chkdsk for DOS; but then the program works after. Could a virus cause
the hard disk to do this?

Comments, help would be greatly appreciated,

Thanks,
Eddie

------------------------------

Date:    Thu, 27 Jan 94 05:06:42 -0500
From:    masjol@dou.ou.dk (J. Olsen)
Subject: re: Help in removing Monkey virus from hard disk (PC)

In #7 the esteemed editor of virus bulletin tries his hand on a more
technical problem:

>Date: 24 Jan 94 21:53:01 +0000
>From: virusbtn@vax.oxford.ac.uk
>Subject: re: Help in removing Monkey virus from hard disk (PC)
>
>Dear All,
>
>Maybe I have missed the thread somewhere here, but in case I have not,
>here are some step-by-step instructions for removing viruses like
>Monkey. Forgive any technical screw-ups, but I'm working from home,
>(unsupported by a safety net here folks!).
>
>Problem: If I boot from the hard drive, the hard disk appears to be okay,
>but I have a MBS virus in memory. If I boot from the floppy disk, DOS
>cannot
>see the hard drive. If I use FDISK /MBR, I screw up my disk.
>
>Answer:
>Dicky Ford
>Editor, Virus Bulletin.

Your procedure seems to work - BUT:

a) either the folks out there just have the virus active, and then it
   would be easier for them to use either the specific cure KILLMNK3,
   or one of the available scanners that can also do the trick of
   disinfection (a bit more difficult to get through, but easier than
   your procedure), or

b) they have already used the (some believe) universal remedy -
   FDISK /MBR, [DON'T DO THAT !!] and then it is too late/complicated
   to do anything!
But it looks like - there is a need for a tutorial on the subject!
Maybe some editor somewhere might consider writing it for his
publication and later maybe donate it to the FAQ!!

J Olsen
Odense University
Denmark

------------------------------

Date:    Thu, 27 Jan 94 09:00:06 -0500
From:    Dave Spitz
Subject: virus called JUS ?? (PC)

A user just informed me that a **brand new** computer, just installed
and never used was found to contain a virus identified by Mcafee Scan
V109 as JUS. The user turned off the pc, then rebooted with a clean
write protected floppy (CWPF), and scanned the pc. The scan then
indicated that four viruses were found. She again turned off the pc,
and rebooted with a CWPF. This time the computer refused to boot. So
once again she turned it off, and back on. This time it booted and
scanned the computer only to find **no** viruses. (This story, by the
way is second hand, I may have something events out of sequence, but
the gist of the story is correct, I hope).

So, being the campus V-MAN (a title I was given by my rather jovial
supervisor) I took 2 clean, write protected floppies to the lab,
McAfees Scan V109 and F-PROT V2.10C, and scanned the computer twice.
Guess what? No viruses.

I explained that if the computer was indeed infected with a virus, it
was probably a memory resident virus that died when the PC was turned
off. But this does not explain why the PC refused to boot, or why,
when it did boot up, that scan identified 4 more viruses. I also
explained that it was possible that Murphy sent a gremlin to plague
us, and that the gremlin has now left.

Any one want to offer a now correct possibility? And... can anyone
identify the virus JUS. I found JOS and JUSTICE but not JUS.

HELP

Dave Spitz            VOICE: 1-414-297-7698
Computing Services    FAX:   1-414-297-8313
M.A.T.C., Milwaukee, WI.
Internet: SPITZ_DAVE@MUSIC.LIB.MATC.EDU
"Everything was fine 'till they put hard drives in PCs"

------------------------------

Date:    Thu, 27 Jan 94 05:23:32 -0500
From:    bondt@dutiws.TWI.TUDelft.NL (Piet de Bondt)
Subject: TBAV 6.10 (antivirus) now available (PC)

Hi,

Recently, TBAV v6.10 was released. The file on the bulletin board
from Thunderbyte, and maybe on some internet-ftp-sites, however,
contained a small bug. This concerned the invocation of TbScanX with
the EMS parameters, without actually having EMS-memory available.
This bug was corrected in this release, which I'm going to make
available in the normal way.

NOTE: the version on the bulletin board is *not* updated. The version
I have *is*. Thanks to Robin Bijland of ESaSS...

Second note: tbavx610.zip and tbavu610.zip are not available. They
will become available (as v6.11 !) when TBAV v6.11 is released. This
will be done in about three weeks..

Along with this release is one file (the main distribution):

tbav610.zip     Complete version

Procedure:
1- Extract the files from the E-mail I get from ESaSS B.V.
2- Move the files to ftp.twi.tudelft.nl:/pub/msdos/virus/tbscan
3- Inform the TBAV list (that's you !)
4- Upload files to oak.oakland.edu, garbo.uwasa.fi and nic.funet.fi
   and inform the FTP Admins of the above sites
5- Inform USENET groups dut,twi.misc (local news), comp.virus
   (== VIRUS-L) and comp.archives.msdos.announce
6- sit down and relax :-)

As you read this, all steps have been completed (as of 94-jan-27)

Greetings,

Piet de Bondt                  E-mail: bondt@dutiws.twi.tudelft.nl
===================================================================
FTP-Admin for MSDOS Anti-virus software at:     ftp.twi.tudelft.nl

------------------------------

Date:    Mon, 24 Jan 94 03:16:10 -0500
From:    "Rob Slade"
Subject: 3.4 Weird behaviour (CVP)

BEGPAND.CVP   931111

                        3.4 Weird Behaviour

As I have mentioned, there are a great many things that computers do
which have nothing to do with viral programs.
People are all too ready to cry virus for every oddity they see. The
truth is, most viral programs do not display any overt signs. The
viri that do are self-limiting, because they alert the user to
something wrong, and therefore get destroyed before they have a
chance to spread.

The Stoned virus, for example, is said to display the message, "Your
PC is now Stoned," on the screen. It does--very rarely. The only time
it might display is when the computer is booted from an infected
floppy disk. Even then, there is only a one in eight chance that it
will display. Once the infection is resident on the hard drive,
unless you boot from an infected floppy disk again you will never see
the message display.

The MacMag virus was said to display a "universal message of world
peace." This, however, would only happen on the target date of March
2, 1988. At any time before that, there was no overt sign of any
change. The Scores virus, on the other hand, did make some overt
changes to both folders and icons. These changes, though, were not
very spectacular, and unless you knew the virus and its effects, it
was not something many users noticed.

Some changes, of course, are inevitable: that is the idea behind
change detection software. The Monkey virus affects the hard disk
such that, when the computer is booted from a clean disk, the hard
disk is inaccessible. Of course, most security software does the same
thing. Both Stoned and Michelangelo reduce the "total memory" as
reported by DOS. Of course, a lot of computers do the same thing.
High density disks infected by Stoned may become unreadable. Of
course, lots of disks become unreadable for no apparent reason.
Windows programs will refuse to run if infected by a virus. Of
course, Windows seems to take random "time outs" anyway.

If you suspect a virus simply on the basis of odd behaviour, please
get a scanner and check it out. Get a very new, very good scanner.
If you still want to report odd behaviour, please give all details of
your computer, your operating system, your resident programs, any
device drivers, and which specific antiviral programs you have used
to assess the problem. Get the behaviour to reproduce, and give
specific details of how you do it. (Reports of intermittent oddities
are almost useless.)

copyright Robert M. Slade, 1993   BEGPAND.CVP   931111

==============
Vancouver      ROBERTS@decus.ca         | "It says 'Hit any
Institute for  Robert_Slade@sfu.ca      |  key to continue.'
Research into  rslade@cue.bc.ca         |  I can't find the
User           p1@CyberStore.ca         |  'Any' key on my
Security       Canada V7K 2G6           |  keyboard."

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 8]
****************************************
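
The MBR versus boot sector distinction made in the FORM removal thread above (FDISK /MBR restores only the MBR; SYS rewrites the DOS boot sector), shown as an added example that is not part of the original digest or any poster's code. The disk image is constructed, the function names are hypothetical, and `model_fdisk_mbr` and `model_sys` are simplified models that only mark which bytes each tool rewrites.

```python
import hashlib
import struct

SECTOR = 512
MBR_CODE_END = 446      # sector 0, bytes 0..445: master boot code
PART_TABLE_END = 510    # sector 0, bytes 446..509: four 16-byte entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511 of an MBR and of a DOS boot sector
BPB_END = 62            # DOS boot sector, bytes 0..61: jump, OEM name, BPB


def parse_partition_table(sector0):
    """Return the used partition entries of a master boot record."""
    if len(sector0) != SECTOR or sector0[510:512] != BOOT_SIG:
        raise ValueError("no 55 AA signature: not a valid MBR")
    parts = []
    for i in range(4):
        entry = sector0[MBR_CODE_END + 16 * i:MBR_CODE_END + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 marks an unused slot
            parts.append({"index": i, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start,
                          "sectors": count})
    return parts


def parse_bpb(boot_sector):
    """Decode the start of a DOS (FAT) boot sector: OEM name and BPB fields."""
    bps, spc, reserved, fats = struct.unpack_from("<HBHB", boot_sector, 11)
    return {"oem": bytes(boot_sector[3:11]).decode("ascii", "replace").rstrip(),
            "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fats": fats}


def region_hashes(image):
    """Hash each boot-related region on its own so a change can be localised."""
    sector0 = bytes(image[:SECTOR])
    hashes = {
        "mbr_code": hashlib.sha256(sector0[:MBR_CODE_END]).hexdigest(),
        "partition_table":
            hashlib.sha256(sector0[MBR_CODE_END:PART_TABLE_END]).hexdigest(),
    }
    for part in parse_partition_table(sector0):
        start = part["lba_start"] * SECTOR
        boot = bytes(image[start:start + SECTOR])
        if len(boot) != SECTOR:
            raise ValueError("partition %d starts past end of image"
                             % part["index"])
        name = "boot_sector_p%d" % part["index"]
        hashes[name] = hashlib.sha256(boot).hexdigest()
    return hashes


def changed_regions(baseline, current):
    """Names of the regions whose hash differs between two snapshots."""
    keys = set(baseline) | set(current)
    return sorted(k for k in keys if baseline.get(k) != current.get(k))


def build_sample_image():
    """Constructed 128-sector image: MBR at LBA 0, one partition at LBA 63."""
    image = bytearray(128 * SECTOR)
    image[0:MBR_CODE_END] = b"\x90" * MBR_CODE_END  # placeholder boot code
    # status, CHS start, type 0x06 (FAT16), CHS end, LBA start, sector count
    image[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                                 0x06, b"\x01\x20\x00", 63, 65)
    image[510:512] = BOOT_SIG
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"                      # jump over the BPB
    boot[3:11] = b"MSDOS5.0"                         # OEM name
    struct.pack_into("<HBHB", boot, 11, 512, 4, 1, 2)
    boot[510:512] = BOOT_SIG
    image[63 * SECTOR:64 * SECTOR] = boot
    return image


def model_fdisk_mbr(image):
    """Model of FDISK /MBR: fresh code in sector 0, partition table kept."""
    out = bytearray(image)
    out[0:MBR_CODE_END] = b"\xfa" + b"\x00" * (MBR_CODE_END - 1)
    return out


def model_sys(image, lba):
    """Model of SYS: fresh code in the volume boot sector at `lba`, BPB kept."""
    out = bytearray(image)
    start = lba * SECTOR
    out[start + BPB_END:start + 510] = b"\xf4" * (510 - BPB_END)
    return out


if __name__ == "__main__":
    image = build_sample_image()
    baseline = region_hashes(image)
    part = parse_partition_table(image[:SECTOR])[0]
    print("partition:", part)
    print("boot sector BPB:", parse_bpb(image[part["lba_start"] * SECTOR:]))
    print("FDISK /MBR model changes:",
          changed_regions(baseline, region_hashes(model_fdisk_mbr(image))))
    print("SYS model changes:",
          changed_regions(baseline,
                          region_hashes(model_sys(image, part["lba_start"]))))
```

The per-region hashes are the kind of baseline a change detector keeps: a difference in `boot_sector_p0` with `mbr_code` unchanged points at the DOS boot sector, which is the sector the FORM thread says FDISK /MBR does not restore.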