VIRUS-L Digest   Thursday, 26 May 1994    Volume 7 : Issue 37

Today's Topics:

xFwd: CD-ROM Virus-Alert (PC)
Re: The truth about good viruses
Disabled viruses?
UNIX anti-virus scanners (UNIX)
problem w/A&B drives..is it viral? (PC)
Information requested on Doom virus (PC)
Help needed: Generic Boot Sector virus problem (PC)
DANGEROUS VIRUS (PC)
Re: virus remover, Armor (PC)
Re: Cascade Virus at Trident BBS? (PC)
InVirible (???) (PC)
** Data recovery after Michelangelo virus infection ** (PC)
vbait12.zip - Simple virus bait, detects COM infecting virus (PC)
CURSE_IV virus (PC)
Re: Need info on Coffee Shop / April Fools (PC)
FAT trashed - Virus ??? - HELP needed !! (PC)
Help: W-boot or Swiss Variant Virus (PC)
mirror update: McAfee.com (PC)
RE: SMEG.Pathogen and SMEG.Queeg (PC)
re: Monkey Virus (PC)
re: "Jack-the-Ripper" (PC)
DIR-Virus? (PC)
Sim Salabim? IBM PC Virus? (PC)
Re: Help with Form Virus (PC)
The CD-IT Trojan (PC)
Re: ANSI bomb (PC)
Re: B1 (or NYB) Virus (PC)
Re: antivirus products (PC)
URGENT HELP: damaged FAT by flip-virus (PC)
Re: ANSI bomb (PC)
Anti-CMOS virus.... (PC)
Re: Stone virus - stone.stonheng (PC)
Re: ANSI bomb (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5). Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date:    Thu, 19 May 94 01:52:49 -0400
From:
Subject: xFwd: CD-ROM Virus-Alert (PC)

CD-ROM manufacturer Chinon America, Inc. says computer vandals have illegally put its name on a virus-ridden file and released it on the Internet. Chinon warns NOT to download the file called CD-IT.ZIP, saying it will corrupt the hard disk.

In a statement from Torrance, CA, Chinon says: "The program, allegedly a shareware PC utility that will convert an ordinary CD-ROM drive into a CD-Recordable (CD-R) device, which is technically impossible, instead destroys the files on the PC hard drive. The program also immediately crashes the CPU, forces the user to reboot and stays in memory. The virus has proven thus far to be _undetectable_ by traditional virus checkers."

Chinon says that the CD-IT.ZIP file "promises to enable read/write to your CD-ROM drive", and lists the program as being authored by Joseph S. Shriner, couriered by HDA, and copyrighted by Chinon Products. Saying that it has no division by that name, Chinon management speculates that the vandals picked its company name to make it seem that the software was being endorsed by a well-known and reputable CD-ROM manufacturer.

Chinon is urging people with information that could lead to the arrest and prosecution of those associated with the CD-IT program to call the company at 310-533-0274.

- ----------------------------------

Just thought I'd pass it along as a warning and a heads-up. You may want to pass this info along.

Enrique S. Ignarra
Barry University
11300 N.E. 2nd Avenue
P.O. Box 1293
Miami Shores, FL 33161
BITNET: S0496872@BARRYU   INTERNET: S0496872@BUVAX.BARRY.EDU

Signature v1.64
REALITY.SYS is either corrupt or missing! Reboot Universe (Y/n)?

- --
Geological Survey, Austria (Vienna)
jilka@gbaws4.zamg.ac.at
Phone: +43/222/712-56-74/85
Fax:   +43/222/712-56-74/56
! Enjoy life, you'll be dead long enough !

------------------------------

Date:    Fri, 13 May 94 15:13:54 -0400
From:    rmk4@midway.uchicago.edu (Robert Knippen)
Subject: Re: The truth about good viruses

I understand that the parties involved have a much deeper understanding of the myriad of philosophical issues surrounding the writing of virus code. I just wonder if they have lost sight of the level at which simple facts clearly do exist.

If my machine has instructions stored that I have not authorized in some way, especially if someone practiced some form of deception in order to bring about this state of affairs, I would say this is unquestionably a bad thing, whether the writer of those instructions intended them to do harm, or intended them to facilitate my use of my machine (or even intended them to be stored on my machine at all). It seems like a privacy issue to me, and I never seem to see this aspect in the discussion.

ps--As I said, I haven't checked in in a while. If someone has recently made this point, forgive me.

Bob Knippen
r-knippen@uchicago.edu

------------------------------

Date:    Wed, 18 May 94 15:08:06 -0400
From:    iolo@mist.demon.co.uk (Iolo Davidson)
Subject: Disabled viruses?
Ralph Stockhausen writes:

> I would like to check out the functioning of my anti-virus setup. Are there
> any "disabled" viruses available that my program could detect, but would be
> safe to have on a test floppy?

This is a FAQ. Every six months or so someone comes up with a "virus test set" containing no viruses, and we have to go through the same explanations.

If the "disabled" viruses are disabled enough to be "safe" then they won't reproduce themselves. If they won't reproduce themselves, they are not viruses. Any good anti-virus can tell the difference. Reporting such damaged, altered, or incomplete pieces of a virus is a false alarm, and only the least intelligent of anti-virus products will do this.

If you just want to test that your anti-virus is properly installed and working, some of them have facilities to make such a test. Both F-Prot and Dr. Solomon's have a file which will be detected and reported as an installation test.

- --
Iolo Davidson (no club, lone wolf)

------------------------------

Date:    Fri, 13 May 94 17:15:20 -0400
From:    Richard Foley
Subject: UNIX anti-virus scanners (UNIX)

Any suggestions/recommendations for anti-virus products for use under UNIX?

------------------------------

Date:    Fri, 13 May 94 02:52:28 -0400
From:    witko@ACFcluster.NYU.EDU
Subject: problem w/A&B drives..is it viral? (PC)

I am having a problem with my A & B floppy drives on my IBM clone. The problem occurs whenever I try to install or copy anything from the floppy drives to my C or D hard drives. At first I believed it to be the I/O board; it was replaced, but the problem still exists. Could this be caused by a virus?

The message I get when trying to use the drives (A/B) tells me that the disks involved have a bad allocation table or that the FAT is not readable. Does this sound like anything that anyone else has come across? Help desperately needed. Any help with this problem would be greatly appreciated!
Please reply to witko@nyu.edu or witko.acfcluster.nyu.edu. Thanks.

------------------------------

Date:    Fri, 13 May 94 07:22:20 -0400
From:    Unknown
Subject: Information requested on Doom virus (PC)

Does anyone know of the Doom virus, supposedly undetectable (!), which corrupts PC FATs on Friday 13th? (My goodness - that's today, panic.)

Worried of Birmingham

------------------------------

Date:    Fri, 13 May 94 09:48:59 -0400
From:    joe@solomon.technet.sg (Joseph Doo)
Subject: Help needed: Generic Boot Sector virus problem (PC)

Advice needed; I've got a diskette from a friend which has a virus on it! I realised about the virus after VShield reported it. Scan v114 "failed" to report it when I did a "scan a:"; it reported the drive unreadable and no virus! "Clean a: [Genb]" reported the same message as Scan.

How do I know the virus is there? Well, it's when I do "a:" and "dir" there that VShield tells me about [Genb] and to shut down. I'm not so certain that my C: drive is not infected. What should I do to fix this? Any kind soul out there to help?

regards,
Joseph Doo

------------------------------

Date:    Fri, 13 May 94 14:12:00 -0400
From:    slash@ccinet.ab.ca (Dale)
Subject: DANGEROUS VIRUS (PC)

Chinon America Inc. last week reported the existence of a virus named "CD-IT" that reportedly surfaced on the Internet. A file identified as CD-IT.ZIP is listed as a shareware PC utility that converts an ordinary CD-ROM drive into a CD-Recordable device (which is technically impossible). Instead, it unleashes a virus that destroys critical system files on a hard drive, immediately crashes the CPU, forces the user to reboot, stays in memory and has thus far proved undetectable by traditional virus checkers. The program is listed as being copyright by "Chinon Products". Chinon America, Torrance, Calif., has no division with that name.

Note: This was taken from Communications Week, May 2, 1994, under News Briefs.

------------------------------
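Added example (editor's illustration, not code from any poster or product in this digest). Joseph Doo's question above, "how do I know the virus is there?", is what a scanner's generic boot-sector check ([Genb]) answers by looking at the boot sector itself rather than at a known signature. The Python below reads a 512-byte boot-sector image, parses the BIOS Parameter Block (BPB) at offset 0Bh, and applies the plausibility rules such a check relies on (boot signature, JMP opcode, sane geometry, the system area fitting inside the volume); it then compares the sector against a known-good copy, which is the only way to catch an infector that leaves the BPB intact and replaces just the boot code. The sample sectors are constructed inside the script (a 1.44 MB floppy layout), the function names are mine, and nothing here claims to reproduce how VShield or Scan implement [Genb].

```python
"""Boot-sector plausibility check and reference comparison (added example)."""
import struct

SECTOR = 512
BPB_FMT = "<HBHBHHBHHHII"          # DOS 4+ BIOS Parameter Block, little-endian, at offset 0Bh
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors_16", "media",
              "sectors_per_fat", "sectors_per_track", "heads",
              "hidden_sectors", "total_sectors_32")
CODE_START = 0x3E                   # boot code follows the extended BPB


def make_boot_sector(total_16=2880, total_32=0, oem=b"MSDOS5.0"):
    """Constructed sample: a 1.44 MB floppy boot sector (not a real dump)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                       # JMP SHORT +3Ch ; NOP
    bs[3:11] = oem
    struct.pack_into(BPB_FMT, bs, 11, 512, 1, 1, 2, 224, total_16, 0xF0,
                     9, 18, 2, 0, total_32)
    # cli ; xor ax,ax ; mov ss,ax ; mov sp,7C00h  (typical start of DOS boot code)
    bs[CODE_START:CODE_START + 8] = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def parse_bpb(sector):
    if len(sector) != SECTOR:
        raise ValueError("expected a %d-byte sector" % SECTOR)
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sector, 11)))
    bpb["jump"] = bytes(sector[0:3])
    bpb["oem"] = bytes(sector[3:11])
    bpb["signature"] = bytes(sector[510:512])
    return bpb


def total_sectors(bpb):
    """DOS uses the 16-bit count when it is non-zero, else the 32-bit one at 20h."""
    return bpb["total_sectors_16"] or bpb["total_sectors_32"]


def check_boot_sector(sector):
    """Return a list of anomalies; an empty list means the sector looks sane."""
    b = parse_bpb(sector)
    problems = []
    if b["signature"] != b"\x55\xAA":
        problems.append("missing 55AA boot signature")
    if b["jump"][0] not in (0xEB, 0xE9):
        problems.append("first byte %02X is not a JMP opcode" % b["jump"][0])
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bytes per sector %d" % b["bytes_per_sector"])
    if b["sectors_per_cluster"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        problems.append("sectors per cluster %d" % b["sectors_per_cluster"])
    if b["reserved_sectors"] == 0 or b["num_fats"] not in (1, 2):
        problems.append("reserved sectors %d / FAT count %d"
                        % (b["reserved_sectors"], b["num_fats"]))
    if b["media"] != 0xF0 and not 0xF8 <= b["media"] <= 0xFF:
        problems.append("media descriptor %02X" % b["media"])
    if b["total_sectors_16"] and b["total_sectors_32"]:
        problems.append("both 16-bit and 32-bit total-sector fields are set")
    total = total_sectors(b)
    bps = b["bytes_per_sector"] or 512
    root_sectors = (b["root_entries"] * 32 + bps - 1) // bps
    system_area = b["reserved_sectors"] + b["num_fats"] * b["sectors_per_fat"] + root_sectors
    if total == 0 or system_area >= total:
        problems.append("system area (%d sectors) does not fit in volume (%d sectors)"
                        % (system_area, total))
    return problems


def compare_to_reference(sector, reference):
    """Integrity view: did the BPB survive, and did the boot code change?"""
    return {
        "jump_changed": sector[0:3] != reference[0:3],
        "bpb_intact": sector[11:CODE_START] == reference[11:CODE_START],
        "code_changed": sector[CODE_START:510] != reference[CODE_START:510],
    }


if __name__ == "__main__":
    clean = make_boot_sector()
    # Simulated infector: keeps the BPB (so DOS still mounts the disk) but
    # replaces the boot code with a far jump; plausibility passes, comparison does not.
    infected = bytearray(clean)
    infected[CODE_START:CODE_START + 16] = b"\xEA\x00\x7C\x00\x00" + b"\x90" * 11
    # Simulated field damage: 16-bit count set although the 32-bit count is also present.
    damaged = make_boot_sector(total_16=0xFFFA, total_32=204800)
    for name, s in (("clean", clean), ("infected", bytes(infected)), ("damaged", damaged)):
        print(name, check_boot_sector(s), compare_to_reference(s, clean))
```

To use it on a real disk, dump the first sector to a file (for example `dd if=/dev/fd0 bs=512 count=1 of=boot.bin` on a Unix host) and pass the bytes to `check_boot_sector`. Keep a reference copy of every system's clean boot sector for `compare_to_reference`: the simulated infector above passes every plausibility rule, and only the comparison with the known-good copy reveals the replaced code.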
Date:    Fri, 13 May 94 19:17:46 -0400
From:    Richard Foley
Subject: Re: virus remover, Armor (PC)

bzhai@mason1.gmu.edu (BIAO ZHAI) wrote:
>
> Could somebody tell me what the top 5 virus removal
> software are? Ever heard of Armor by Norman Data
> Defense Systems? Thanks in advance.
>
> - - Bob

The top 6 could read as follows:

Thunderbyte AV Utilities
Dr. Solomon's AV Toolkit
F-Prot
Sweep
IBM Virus Checker
McAfee

.... These are given in no particular order as there is no BEST anti-virus scanner, although there are some pretty bad ones. F-Prot & Thunderbyte also use heuristic analysis, which is the way scanners have to go, and as such are possibly more secure in the protection they offer.

Hope this is of some help.

Regards,
RF.

------------------------------

Date:    Sat, 14 May 94 02:21:23 -0400
From:    ab950@FreeNet.Carleton.CA (Linden Mason)
Subject: Re: Cascade Virus at Trident BBS? (PC)

In a previous article, ab950@FreeNet.Carleton.CA (Linden Mason) says:

> A few days ago, I asked for drivers for my Trident 9000c card.
> Some helpful individual provided me with the number for the
> Trident BBS [(415)691-1016] and I promptly called and downloaded
> the drivers for Windows. Everything seemed fine. However, today
> I called again and downloaded the DOS drivers. This is when the
> problems started. After unzipping the files, and running a .bat file
> [which didn't work, by the way] I scanned my drive with McAfee's
> scanner version 1.14. My memory had been infected with the Cascade
> virus. So I foolishly rebooted, and ran MS-Anti Virus. My mouse.com
> and win.com files had been changed. So I wiped them, and re-installed
> from my back-ups. Then I ran McAfee Clean. Everything now seems fine.
> Clean didn't detect any viruses. I hope it's not mistaken.

The above is a repost of what I wrote in alt.binaries.multimedia.
I'm not sure about the actual sequence of scan/reboot/clean events, but it seemed to me that after detection [Cascade was only detected in the memory, and not in the apparently changed .com files] the virus disappeared. When I ran Clean, nothing was detected, so therefore nothing was cleaned. I know that Cascade is self-encrypting. Could it possibly be hidden in my memory and/or hard drive [which is double spaced] and undetectable to Clean or Scan? The only reason that I know that the .com files were changed was from the MSAV checksum files.

Help. I need to know more about the Cascade virus [170x in McAfee terms]. I know that it resides in memory and infects .com files. I know that it is self-encrypting. Is it severe? I've had an unfortunate encounter with the Michelangelo virus, and frankly I'm scared.

Few people seem to post here, so I would welcome mail from the moderator or any others. Sorry if this is inappropriate for this group [not technical enough, etc....]

- -Linden C. Mason, Esq.
- --

------------------------------

Date:    Sat, 14 May 94 19:57:18 +0000
From:    FNGCHENG@1308.watstar.uwaterloo.ca (Francis Ng-Cheng-Hin)
Subject: InVirible (???) (PC)

A while ago on Fido, I heard of a program called InVirible (or something like that) that was an integrity checker or something similar to that. Anyway, I think the author was from the Middle East. I haven't been able to find this program at oak.oakland.edu and do remember the author saying it was available for FTP somewhere, but I can't remember where. I would appreciate it if someone could point me in the direction of an FTP site that has this file. Thanks.

Also, is it just me or does this newsgroup have very few if any posts?
- ------------------------------------------------------------------------------
Francis Ng-Cheng-Hin
East 2, R110

------------------------------

Date:    Sun, 15 May 94 15:44:10 -0400
From:    schoudhu@ucunix.san.uc.EDU (Spandan Choudury)
Subject: ** Data recovery after Michelangelo virus infection ** (PC)

For a hard disk infected with the M. virus, does anyone have info on

* whether there is shareware/commercial software that will recover most/all the data present on the damaged hard disk.

------------------------------

Date:    Sun, 15 May 94 20:39:53 -0400
From:    heilfort@ap01.physik.uni-greifswald.de (Matthias Heilfort)
Subject: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)

I have uploaded to the SimTel Software Repository (available by anonymous ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):

SimTel/msdos/virus/
vbait12.zip    Simple virus bait, detects COM infecting virus

VIRBAIT v1.2 verifies whether it was modified, e.g. by a virus. Since a lot of viruses have an 'incubation period' in which they actually infect files, but don't yet start destructive activity, the recognition of their spreading (= modification of executable files) is a fair protection. In contrast to any scanning software this works with future viruses, too. At present VIRBAIT only responds to viruses which infect *.COM files. One should run VIRBAIT daily before turning off the computer, since at this time the probability that a virus resides in memory is maximal.

Special requirements: None
FreeWare. Uploaded by the author.

Matthias Heilfort
heilfort@ap01.physik.uni-greifswald.de

------------------------------

Date:    Wed, 11 May 94 20:21:00 +0200
From:    Peter_Hoste@f0.n319.z9.virnet.bad.se (Peter Hoste)
Subject: CURSE_IV virus (PC)

Has anybody information about this virus? And if so.... please post it.

Grtz.
Peter.

- --- FMail 0.96
 * Origin: FreeLinK.. A new look at networking (9:319/0)

------------------------------

Date:    Tue, 17 May 94 11:40:03 -0400
From:    glratt@is.rice.edu (Glenn Forbes Larratt)
Subject: Re: Need info on Coffee Shop / April Fools (PC)

In article <> jkarhune@cc.helsinki.fi (Jarkko K Karhunen) writes:
> David Mitchell (mitchell@ncsa.uiuc.edu) wrote:
> : it was keyed for April Fool's Day, or Good Friday. Please
>                                         ^^^^^^^^^^^
> Last time I looked, Good Friday was on a different date each year!

...which, however, is calculable with a bit of work - instead of a simple pattern match on, for example, "04 01", one would need to calculate "the Friday before the first Sunday following the first full moon after March 21". Tedious, but doable - an easier wrinkle, if a virus writer was so inclined, would be to trigger on any Friday between March 19 and Apr 21 (the latter date is a ballpark for the last possible one on which Good Friday could fall).

- --
Glenn Forbes Larratt x5474     LAN Specialist, Rice U, User Services OCS
The Lab Ratt (not briggs :-)   "Passing Mach 1, all you do is watch the
glratt@rice.edu (Internet)      machometer go up, and burn a lot of gas."
                                    Neil Talian? NAS Connolly, elevation 33'

------------------------------

Date:    Tue, 17 May 94 17:13:28 -0400
From:    goebel@quantum.de (Ulrich Goebel)
Subject: FAT trashed - Virus ??? - HELP needed !! (PC)

Please forgive me if I'm wrong with this newsgroup, but I'm a newcomer in posting articles.

I have a difficult problem using my MS-DOS PC running DOS 6.2 and Windows NT. On April 15th I deleted some unneeded data using Norton Commander. While doing its work it told me something about an unformatted disk/drive and was unable to remove all the data required. I tried once more and it succeeded. After this I tried to run "defrag", but it told me that I had to run "scandisk" because of some sort of FAT problems. When I did, "scandisk" informed me of various problems with my FAT:
o wrong file size in directory entry
o invalid first block reference for various files
o cross-linked references
o about hundreds of unreferenced blocks

I told "scandisk" to repair the FAT and it did its work well. I verified the repaired data against my backup copy and it was fairly correct.

On Sunday the 17th of April I tried to archive some data with "arj" and DOS told me that there was an error in my arj.exe file, which I had executed successfully some minutes earlier. I ran scandisk once more and it found the same problems as 2 days ago, but after reconstructing my FAT ("scandisk" did it) I had much loss of data. I ran McAfee's SCAN too, but without any success.

Could this be some sort of virus DESTROYING my FAT table periodically ??? Please help me! I don't know what to do further.

Thanks in advance ...

------------------------------

Date:    Tue, 17 May 94 17:31:59 -0400
From:    DARREN.JABBA@law.mail.cornell.edu (DARREN)
Subject: Help: W-boot or Swiss Variant Virus (PC)

A student here has a notebook (and obviously various floppies) that apparently has a boot sector virus on it (caught by VIRSTOP 2.12). F-Prot 2.12 identifies it as "W-boot - unknown" and apparently cannot get rid of it. The docs also say it cannot be disinfected. SCAN/CLEAN 1.14 identifies it as "Swiss Variant" and also can't get rid of it (safely -- I guess that under other circumstances it could).

Anyway, as I can't seem to find any specific info on either, my questions are:

1. Are they actually the same virus?
2. What does it/they do?
3. Will using SYS or FDISK/MBR get rid of it safely? or
4. Will we just have to kill/reformat everything?

Thanks!
- ---------------------------------------------------------------
darren lee julao                 "i spent a little time on the mountain
cornell law school                spent a little time on the hill
374 myron taylor hall             things went down we don't understand
ithaca, ny 14853                  but i think in time we will"
(607) 255-7069
darren@law.mail.cornell.edu

------------------------------

Date:    Wed, 18 May 94 01:44:09 -0400
From:    James Ford
Subject: mirror update: McAfee.com (PC)

The following files have been updated on risc.ua.edu:

From:                        To:
- --------------------------   --------------------------------------------
(mcafee.com:/pub/antivirus -> /pub/ibm-antivirus/Mirrors/mcafee/antivirus)

Got 00-Index        1908
Got clean115.zip  273990
Got ocln115.zip   291509
Got oscn115.zip   258703
Got scanv115.zip  254508
Got virdt115.zip   75486
Got vsh115.zip    146415

The following files have been removed.

unlink /pub/ibm-antivirus/Mirrors/mcafee/antivirus/vshld114.zip
unlink /pub/ibm-antivirus/Mirrors/mcafee/antivirus/scanv114.zip
unlink /pub/ibm-antivirus/Mirrors/mcafee/antivirus/oscan114.zip
unlink /pub/ibm-antivirus/Mirrors/mcafee/antivirus/clean114.zip
unlink /pub/ibm-antivirus/Mirrors/mcafee/antivirus/ocln114.zip

- ----------
James Ford - Seebeck Computer Center        jford@seebeck.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)
(205) 348-3968   (205) 348-3993 (fax)

------------------------------

Date:    Wed, 18 May 94 07:04:59 -0400
From:    gcluley@nose.sands.co.uk
Subject: RE: SMEG.Pathogen and SMEG.Queeg (PC)

virusbtn@vax.ox.ac.uk (Dicky Ford) writes:

> A couple of questions. Firstly, I've had a sample of Pathogen
> (gathered from a site in the UK) for some time - long enough to
> publish a full `Virus Analysis' in the May edition of Virus Bulletin.
> I've only had it reported to me from *one* site. How many reports of
> the thing have you actually had? The trigger routine is fairly obvious
> - - if it was common out there, IMHO we would have had rather more
> reports.
We have round about 15 reports of Pathogen and Queeg from the field. Most of these occurred *before* we distributed the extra drivers. Some of these reports were from large institutions and included a number of infected PCs.

Although if either of these viruses do trigger they are extremely obvious, I don't think they are as likely to trigger as you are suggesting. In the case of Pathogen it isn't just a case of the virus triggering between 5 and 6 on a Monday; other factors come into effect (the 32nd spore etc). Similarly Queeg is even less likely to be seen because there is an additional 1 in 32 chance.

Furthermore there is reason to believe the virus author, The Black Baron, infected an anti-virus shareware package and uploaded it to at least one BBS. If this is true the virus could be spreading rather better than would normally be expected.

> Why the two drivers? The only explanation I can think of is that the
> first does not get all instances of the virus, and the second gets
> false positives. Is this right?

No. The first driver detected the 2500 instances of Queeg and Pathogen we created 100 per cent. The second driver went straight into Generic Decryption and is a more thorough method. We're not aware of any viruses missed by the first driver, but the second was available all the same. Both drivers are extremely unlikely to give false positives, and we have had no reports of that occurring.

Regards,
Graham

- ---
Graham Cluley                    gcluley@sands.co.uk
Product Specialist               S&S International, Berkley Court
S&S International                Mill Street, Berkhamsted, Herts
Tel: +44 (0)442 877877           UK HP4 2HB

[NB. S&S International are moving to larger premises in Aylesbury at the end of the month]

------------------------------

Date:    Wed, 18 May 94 09:39:06 -0400
From:    "David M. Chess"
Subject: re: Monkey Virus (PC)

> From: Jeff K Landauer
>
> Well, Scan shows that I have this, but I can't get rid of it.
> It reports that I need to boot from a floppy in order to clean the system,
> but when I do that, I can't access my hard drive.

When you boot a Monkey-infected system from a clean diskette, DOS can't see the hard drive, but an anti-virus program should be able to. I don't know about Scan/Clean in particular, but just try it as though the C: drive were visible, and it ought to work. With the standalone program of IBMAV, for instance, you would do "IBMAVSP *" or whatever, as usual.

DC

------------------------------

Date:    Wed, 18 May 94 09:45:29 -0400
From:    "David M. Chess"
Subject: re: "Jack-the-Ripper" (PC)

> From: hudspeth@jarhead.eng (Todd Hudspeth)
> Could anyone provide any information on the "Jack-the-Ripper" virus?

From the IBMAV help files:

  When you boot from an infected hard disk or diskette, the virus loads into memory and infects hard disks and diskettes later used in the system. On roughly one disk-write in one thousand, the virus will randomly swap two bytes in the write buffer, leading to gradual system corruption. Attempts to read an infected boot record while the virus is active will be altered to show the original uninfected boot record.

So it's a nastily-destructive boot virus; if your system has been infected by it, you'll want to carefully check all important files for damage after removing the virus, particularly if you think you were infected for a significant length of time. (This is all assuming, of course, that you have exactly the same Ripper virus that we've analyzed; if you actually have a variant, or some other virus entirely, all bets are off...)

DC

------------------------------

Date:    Wed, 18 May 94 09:54:33 -0400
From:    hoens@gmd.de (Guenter Hoens)
Subject: DIR-Virus? (PC)

Some days ago I gave a floppy to a friend, but when he tried to read it, there was nothing. I got the floppy back, and I could read this floppy very well. We had a next try, but the same happened. The DIR command on his computer reported that there were no files.
But he could use that floppy, put his own files on it, and he could find the files on the floppy again. We had no similar problem before. Is a virus known with such behaviour?

*-----------------------------------------------------
* Guenter Hoens, GMD - WTI.iT
* German National Research Center for Computer Science
* hoens@gmd.de   Tel: (02241) 14-2408

------------------------------

Date:    Wed, 18 May 94 10:28:18 -0400
From:    jrosenbe@welchlink.welch.jhu.edu (Jason Rosenberg)
Subject: Sim Salabim? IBM PC Virus? (PC)

Guys in the lab next to me have been having computer glitches for ~10 days. Windows just crashed upon exiting. Norton Disk Doctor revealed that the hidden DOS files had been corrupted/cross-linked to other files. The FAT table had also been messed up, and some other files had been corrupted (all in the past ~10 days). When they tried to restore the corrupted files, all that was visible in the ASCII data was the cryptic message "Sim Salabim", which to me sounds suspiciously like the signature of a virus.

Heard of this one? Know what it does, how to stop it, programs available to fix it? I've got limited PC experience and haven't had any viruses yet, but I seem to know more about it than they do. Any programs via anon FTP that will clean their hard drive? Recommendations for vaccines? Please respond by e-mail.

Thanks in advance.
Jason

------------------------------

Date:    Wed, 18 May 94 10:59:26 -0400
From:    jleslie@igate.com (Jerry Leslie)
Subject: Re: Help with Form Virus (PC)

CMSHERGE@UGA.cc.uga.edu wrote:
: I tried to read the disk and everything seemed to be ok. Now, a few days
: later I tried to read the disk again and the computer can't see the disk
: at all.

Have you tried:

1. Booting from a DOS floppy?
2. Running CMOS setup, and seeing if it shows that the disk is defined?

Perhaps the CMOS has been reset? We've had that problem occasionally with our luggable PCs.

- --Gerald (Jerry) R.
Leslie, Staff Engineer
Dynamic Matrix Control Corporation (opinions are my own)
P.O. Box 721648, Houston, Texas 77272
9896 Bissonnet, Houston, Texas 77036
713/272-5065   713/272-5200 (fax)
gleslie@isvsrv.enet.dec.com   jleslie@dmccorp.com

------------------------------

Date:    Wed, 18 May 94 12:05:36 -0400
From:    frisk@complex.is (Fridrik Skulason)
Subject: The CD-IT Trojan (PC)

When I received a copy of the CD-IT Trojan that received all the publicity recently, it turned out to be just an old Trojan that several anti-virus programs (at least F-PROT and DSAVTK) already detected, and named Warpcom-2.

So....no big deal...

- -frisk

------------------------------

Date:    Wed, 18 May 94 13:05:06 -0400
From:    padgett@tccslr.dnet.orl.mmc.com (padgett peterson)
Subject: Re: ANSI bomb (PC)

> From: dasheiff+@pitt.edu (Richard M Dasheiff M.d.)
> Subject: ANSI bomb (PC)
> I just read an article by Brett Glass in the May 2, 1994 INFOWORLD about
> ANSI bombs. It's a sequence of characters embedded in a text file which can
> be interpreted by ansi.sys to do something unexpected, like redefining
> the keyboard to replace the enter key with deltree c:\*.* /y
>

ANSI bombs rely on ANSI.SYS keyboard remapping to work. Since there is little use for ANSI.SYS anymore, they are not a problem (if you just want different screen colours, that takes a one byte change to COMMAND.COM - if you must use ANSI.SYS, a one byte change to *it* will render it immune to ANSI bombs, e.g. change the "p" to "something else").

> Does this qualify as a virus?

No, with a lot of stretching it might be used to execute a virus that existed somewhere else, but not by itself.

Padgett

------------------------------

Date:    Wed, 18 May 94 13:14:30 -0400
From:    padgett@tccslr.dnet.orl.mmc.com (padgett peterson)
Subject: Re: B1 (or NYB) Virus (PC)

> From: Mike Albrecht
> Subject: B1 (or NYB) Virus (PC)
>
> F-Prot discovered what it identified as the B1 virus on a machine.
> It was unable to disinfect and I could find no documentation on this
> virus. I downloaded a copy of McAfee Scan and Clean V114. Scan
> identified the virus as NYB [Genp] and was able to clean.

Anything identified as [Genp] (generic partition) can usually be most easily removed with FDISK/MBR after a clean boot.

> I also
> noticed that just scanning an infected diskette either with F-Prot
> or Scan, caused the virus to appear in memory though it wasn't active.
>

This kind of virus puts its code into the boot sector of a diskette. Any operation on a floppy (even just a DIR) causes DOS to read the boot sector into memory to determine what kind of disk it is & how to read the directory. This puts the virus code into memory where it is detected by the scanner. During a memory scan, the scanner has no way to tell if the virus is active or not, just whether it is there, & so the ghost positive. Do a DIR of a clean disk and the report should go away (if it doesn't, you might really have a virus).

Some time ago I wrote a FreeWare program (FixFBR - found in the FixUtil - FixUtil6.zip is current) to clean boot sectors of floppies.

Padgett

------------------------------

Date:    Wed, 18 May 94 14:44:28 -0400
From:    tracker@netcom.com (Craig)
Subject: Re: antivirus products (PC)

Christopher W Outtrim (cs90cwo@brunel.ac.uk) wrote:
: project6                      SAFE                   Thunderbyte Antivirus
: Untouchable                   Virusbuster            Vaccine
: Virex                         VirucidePlus           Bootx
: Antivirus (fink enterprises)  PC-cillin
: Chasseur II                   Control Room           Central Point Antivirus
: Fcheck                        Fprot                  Hyper access/5
: AntivirusPlus (Techmar)       Immunizer
: Viruscan suite of programs    VET antiviral
: Virusafe                      Vkiller                Watchdog7

These're still made:

1) Thunderbyte Antivirus
2) Virex
3) Central Point Antivirus
4) Viruscan
5) Fprot

------------------------------

Date:    Wed, 18 May 94 15:07:57 -0400
From:    iolo@mist.demon.co.uk (Iolo Davidson)
Subject: URGENT HELP: damaged FAT by flip-virus (PC)

DE KERPEL SVEN writes:

> My computer had flip-virus.
> I removed it but my FAT is still damaged.
>
> Does anyone have experience in resolving this problem?

Probably not the FAT. Flip has a bug that did not affect DOS 3's 32Mbyte hard disk volumes, but truncates the larger DOS 4+ volumes. It is easily cured with a disk sector editor. If you use DOS 4, 5, or 6.x and your disk volume is supposed to be larger than 32Mb then look at the two bytes at offsets 13h and 14h in the DOS boot sector of the disk. If these are FA FF, then change them to 00 00, and you should get your disk contents back.

- --
Iolo Davidson (no club, lone wolf)

------------------------------

Date:    Wed, 18 May 94 17:50:52 -0400
From:    datadec@ucrengr.ucr.edu (Kevin Marcus)
Subject: Re: ANSI bomb (PC)

Richard M Dasheiff M.d. wrote:
> I just read an article by Brett Glass in the May 2, 1994 INFOWORLD about
> ANSI bombs. It's a sequence of characters embedded in a text file which can
> be interpreted by ansi.sys to do something unexpected, like redefining
> the keyboard to replace the enter key with deltree c:\*.* /y
>
> Does this qualify as a virus?
> Has anyone seen one? Are they, or will they be common?
>
> He spoke of a defense against it with a program by PKware called PKSFANSI
> Is that s/w, and if so, what ftp site?

Well, that exact definition above is *NOT* a virus. It would be more along the lines of a trojan horse. A few things to clear up before anyone gets huffy:

1) Mostly all term programs filter out ANSI bombs (i.e. Telix, Qmodem, LCom, Procomm, etc...). Also, most BBSs filter out ANSI bombs.
2) NANSI.SYS is an option to eliminating ANSI bombs.
3) If you don't install your ANSI driver, you have nothing to worry about.
4) Most ANSI bombs out there available from BBSs (or those created with The Jolly Anarchist's ANSI Bomb Generator) do not work with their original intentions.

They are not very common -- I think the most interesting thing I have ever seen with an ANSI bomb was hex-editing a zip file's contents to have an ANSI sequence in it.
- --
--=> Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
"ciafn syoo,u yroeua da rteh icso?o l ." <- Email for solution.
Computer Science Dept., University of California, Riverside.
.oOo.oOo. T H I E V E S   S U C K .oOo.oOo.

------------------------------

Date:    Wed, 18 May 94 19:12:31 -0400
From:    jeff@lab.bus.utah.edu
Subject: Anti-CMOS virus.... (PC)

I need help desperately... In the last week I have had four computers in our lab infected by a virus called Anti-CMOS. So far the only way to disinfect it has been a low-level format, which is not the option I want. If anyone has any experience with this virus I would appreciate any information you can give me.

Jeff Hassett
email-- jeff@lab.bus.utah.edu

P.S. This virus has only shown up since we updated our virus scan (we are using F-Prot).

------------------------------

Date:    Wed, 18 May 94 20:49:30 -0400
From:    nhirsch@panix.com (Norman Hirsch)
Subject: Re: Stone virus - stone.stonheng (PC)

> McAfee's v2 reports that I have the stone virus (stone.stonheng)
> How do I kill it? Is there a vaccine?
> When I use the /clean option it is reported that there is no
> remover for the virus. Does this mean a hard drive format is
> in order?

The Version 2 of McAfee's program does not yet have all the detection and cleaning capabilities of the "classic program" (current version = 115B), so I would definitely get the new version of the "classic program" and use that until the programmers finish adding the detection and cleaning capabilities for the new version. At that point or some time shortly thereafter, the Version 2 program will take over and replace the "classic" program. You can ftp the programs from mcafee.com and the "classic" program will detect and clean the Stoned virus.

Best regards,

Norman Hirsch                     Phone: 212-304-9660
NH&A, authorized McAfee agent     Fax: 212-304-9759
577 Isham St. #2-B                BBS: 212-304-9759,,,,,,,3
New York, NY 10034                CompuServe: 72115,661
USA                               Internet: nhirsch@panix.com

------------------------------

Date:    Wed, 18 May 94 22:38:52 -0400
From:    gandalf@pipeline.com (Tom Neumann)
Subject: Re: ANSI bomb (PC)

dasheiff+@pitt.edu (Richard M Dasheiff M.d.) wrote:
> I just read an article by Brett Glass in the May 2,
> 1994 INFOWORLD about ANSI bombs. It's a sequence of
> characters embedded in a text file which can be
(edited for brevity)
> Does this qualify as a virus?
> Has anyone seen one? Are they, or will they be common?

At one time they were fairly common, though I haven't heard of any for a long time. I suppose it could be considered a virus in a very loose sense, in that it alters your computer's actions. I doubt whether ANSI characters can be distributed over the Internet as straight text. They used to be sent in messages to BBSs, but this would usually affect the BBS first since they have ANSI installed; also most common BBS QWK-style mailreaders view ANSI and you would see the escape characters. If you're worried, just don't put ansi.sys in your config.

GANDALF

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 37]
*****************************************
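Added example (editor's illustration appended after the digest, not code from any of the three ANSI bomb replies above, nor from PKWARE's PKSFANSI or NANSI.SYS). The three replies describe the attack as an ESC[...p key-redefinition sequence hidden in a text file that reaches ANSI.SYS. The Python below finds such sequences in text, decodes which key is remapped and what would be "typed" when it is pressed, and strips them while leaving colour sequences (ESC[...m) alone, which is the filtering Kevin Marcus says terminal programs and BBS software do. The sample bulletin text is constructed inside the script and the function names are mine.

```python
"""Detect and strip ANSI.SYS keyboard-redefinition sequences (added example)."""
import re

# ANSI.SYS key reassignment has the form  ESC [ key ; replacement ; ... p
# where each parameter is a decimal code (extended keys are sent as 0;nn)
# or a double-quoted string.  The final byte 'p' is what distinguishes it
# from harmless colour/cursor sequences such as ESC[1;31m.
PARAM = r'(?:\d+|"[^"\x1b]*")'
KEY_REASSIGN = re.compile(r'\x1b\[(' + PARAM + r'(?:;' + PARAM + r')*)p')

KEY_NAMES = {13: "Enter", 27: "Esc", 32: "Space", 9: "Tab",
             (0, 59): "F1", (0, 60): "F2", (0, 68): "F10"}


def _split_params(raw):
    """Turn '13;"dir";13' into [13, 'dir', 13]."""
    return [tok[1:-1] if tok.startswith('"') else int(tok)
            for tok in re.findall(PARAM, raw)]


def find_ansi_bombs(text):
    """Return a list of (key, injected_text) for every key-redefinition sequence."""
    bombs = []
    for m in KEY_REASSIGN.finditer(text):
        params = _split_params(m.group(1))
        if not params:
            continue
        if params[0] == 0 and len(params) > 1 and isinstance(params[1], int):
            key, rest = (0, params[1]), params[2:]   # extended key (function keys etc.)
        else:
            key, rest = params[0], params[1:]
        # The redefinition is "typed" when the key is pressed: numeric codes
        # become single characters, quoted strings are inserted verbatim.
        injected = "".join(chr(p) if isinstance(p, int) else p for p in rest)
        bombs.append((key, injected))
    return bombs


def key_name(key):
    return KEY_NAMES.get(key, repr(key))


def strip_ansi_bombs(text):
    """Remove only the key-redefinition sequences; colours and cursor moves survive."""
    return KEY_REASSIGN.sub("", text)


# Constructed sample of a BBS bulletin carrying a bomb (not a real capture):
# a red banner, then Enter remapped to run a destructive command.
SAMPLE = ("Welcome to the board!  \x1b[1;31mNEW FILES\x1b[0m\r\n"
          "\x1b[13;\"deltree c:\\*.* /y\";13p"
          "Press Enter to continue...\r\n")


if __name__ == "__main__":
    for key, injected in find_ansi_bombs(SAMPLE):
        print("key %s would type %r" % (key_name(key), injected))
    print(strip_ansi_bombs(SAMPLE))
```

To screen a downloaded text (or the directory listing of a ZIP whose contents someone has hex-edited, as in Kevin Marcus's example) before it is displayed through ANSI.SYS, read the file as bytes, decode it with latin-1 so no byte is lost, and pass it through `strip_ansi_bombs`. Detection keys on the final byte `p`, the same property Padgett Peterson's one-byte patch of ANSI.SYS relies on from the other side.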