VIRUS-L Digest   Tuesday, 21 Jun 1994    Volume 7 : Issue 40

Today's Topics:

Hobbes McAfee File Infected??? (PC)
Stealth and Self-encryption
Nomenclature
Good viruses/Bad viruses
Integrity Checking
Re: The truth about good viruses
ARJ-, ZIP-viruses ?
Bad and good viruses...
OS/2 Viruses? Are there any of those? (OS/2)
WinRX (PC)
FLIP and CANSU (V-SIGN) viruses (PC)
Re: FORM and SPANISH Telecom? (PC)
MtE Virus info wanted (PC)
** Date recovery after Michelangelo virus infection ** (PC)
dir/reg (PC)
UNIX antivirus & Monkey disinfector (PC)
Re: PowerPC Virus?? (PC) (Mac)
Re: DIR-Virus? (PC)
Computer viruses for Sale (PC)
Thunderbyte Antivirus (PC)
Re: ** Date recovery after Michelangelo virus infection ** (PC)
Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)
Re: Help: W-boot or Swiss Variant Virus (PC)
Thanks To ALL of you + solution (PC)
Help! Checksums keep changing .......... (PC)
Re: xFwd: CD-ROM Virus-Alert (PC)
Monkey Virus (PC)
Aragon Virus (PC)
f-prot strange behavior (PC)
More information about Evolution 2001 Virus (PC)
WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)
HELP: How add code into .EXE ? (PC)
files updated on risc (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CERT.org or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.IMS.DISA.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 31 May 94 00:47:48 -0400
From: ldhagen@crl.com (Lance D. Hagen)
Subject: Hobbes McAfee File Infected??? (PC)

[Moderator's note: Since this message was posted several days ago, I presume that the problem - if there was indeed a problem - has been fixed. I'd appreciate it, however, if someone could follow up with a verification.]

I just downloaded the HOBBES Internet FTP site (hobbes.cdrom.com) McAfee OS/2 Ver 1.14 and upon unzipping the file got virus-like problems and a "SCUM OF EUROPE" message and warning. The file is located in /pub/hobbes, which ports you to "/.1/os2" as current directory, then under 2_x/diskutil:

ocln114.zip 291584 McAfee Virus Clean for OS/2 version 1.14

Upon PKUNZIPing, my system locked and needed rebooting. Next my default path failed and no longer held PKUNZIP. Then with the successful unzipping I got a wrapper message from "Scum of Europe" and lots of cold pricklies. I've deleted all associated files and see no sign of a virus using McAfee OS/2 ver 1.09 found locally.

Any ideas, help?

 /<<<<<<<<<<<>>>>>>>>>>>\
/     Lance D. Hagen      \
/ 73500.2276@compuserve.com \
|      ldhagen@crl.com       |
\       San Antonio         /
 \     (210) 366-3382      /
  \>>>>>>>>>><<<<<<<<</

------------------------------

Subject: Nomenclature

How about this for a way to differentiate different types of viruses:

Malicious viruses
Benevolent viruses

OR - if you prefer the medical analogy:

Benign viruses
Malignant viruses

I think this is less misleading than the term "Real viruses", and it clearly indicates both the meaning (which Real does not) as well as educating the reader (there may be either kind) and retaining a short and readable text.
The problem with the term Real is that it is misleading in the sense that it somehow implies that benign viruses are imaginary, which they are not.

As to the person who posted that this stuff isn't interesting compared to which new strain of Jerusalem McAfee's virus defense gives a false positive for in scanning version 3.4.5 of the newest package by Xray Inc, I disagree.

As to the difficulty of teaching people about two kinds of viruses, try this little bit of text:

    Computer viruses are computer programs that reproduce. Some of these viruses are intended to harm people by damaging their information systems, and we call them malignant. Other viruses are intended to demonstrate a concept, to explore issues in artificial life, or even to do useful functions. We call them benign.

This doesn't seem much harder to understand than this version which is wrong:

    Real viruses are malicious little programs that, unbeknownst to the user, enter their computer system, modify their programs, and destroy their information.

The point is, we can present the right information in a readable way if we just try to.

Now I do understand that the term hacker has been misinterpreted by most of the computing community. Some people call the malicious hackers crackers, which I think is a better term, and which I use to differentiate benevolent hackers from malicious hackers. I too have been a hacker (as opposed to a cracker) and hope to change the usage of those terms just as I hope to get people to use the correct usage of virus. And the best way to do this is to get the members of this group to start using the terms correctly, because this group is influential, and you have to start somewhere.

As to the existence of good biological viruses, of course there are. Haven't you heard of genetic therapy yet? And if life itself is good, then every living creature has at its heart a benevolent virus.
But those who think there are no benevolent biological viruses probably read a biology book somewhere that told them that all viruses were bad. My biology book told me that they were small genetic life forms, and that in a world of competition for survival, living creatures survive by killing their neighbors, whether directly (as in people who kill things and eat them) or indirectly (as in most plants, which merely refuse to allow competitors to thrive by depriving them of light, minerals, etc.).

As to where my books can be found, try any major book chain, or order direct from John Wiley and Sons in New York.

FC

------------------------------

Date: Thu, 26 May 94 13:16:43 -0400
From: Adam Jenkins
Subject: Good viruses/Bad viruses

Vesselin Bontchev writes:

>Agreed. What I (and several others; the original term has been
>proposed by Dr. Alan Solomon) call "real viruses" is not an
>exact definition, it is not a scientific term at all, and can't
>be found in any serious scientific paper about computer viruses.
>In short, it's useless from the scientific point of view.

Who cares what you call "real viruses"? Since when were you an authority on the English language? A real virus as defined by a dictionary is an organism that is able to reproduce.

>Fact is that for most people the term "computer viruses" means
>those nasty little programs that invade their computers without
>authorisation, that often destroy data, and that always waste a
>lot of time and efforts.

Hmmmm, these views aren't necessarily an accident; it is in both the media's and the anti-virus industry's interests to promote these views. And viruses like KOH do not waste time or effort; like any other software, viruses can be useful and save time and effort. They are a medium, not a philosophy.

>You can't hope to change those people's view, so let's try to at

Why not?
It's a misconception; let's correct it. It is unethical to let anti-virus vendors sell millions of copies of their software on the basis of people's ill-founded fears.

>New York Times article entitled "Bank Loses $10 Million Due to
>Computer Viruses. Are We All Doomed?". :-)

Perhaps it should read "Bank Loses $10 Million Due to Negligence in their Computer Security". Oh no, far easier to blame viruses; everyone knows that us mortals are helpless to stop these evil pieces of work by the twisted youth who strive tirelessly to destroy the threads of our society.

>fact that the media has twisted the noble word "hacker" to mean
>"a twit with no life who enjoys breaking into other people's
>computers".

Hmmm, I've seen this argument before. The way I see it, the confusion arises because in the early days of computing, hacking meant using things that weren't known, and this often meant breaking into systems etc. In those days it seems people had better perspective, and realised that hacking to get more computer time or for the challenge was more a misdemeanour than a federal offence. I still don't understand why a 14 year old breaking into a bulletin board system is investigated by the same law enforcement agencies that investigate drug cartels and matters of national security. The blame should be as much on the administrators as on the hackers.

>Well, maybe that's the ticket! Since the term "computer virus" is
>already loaded with negative sense in the view of the public opinion,
>maybe you should use a different term when you are talking about
>"useful replicating programs".

You keep saying this. But to do this would continue the deceit, and why should the general public be kept in the dark just because they are already in the dark?

>You will discover that most of them understand a computer virus
>as "something that came when I didn't want it".

Or "something that came when I was leeching several megs of software that I didn't pay for".
There seems to be a much higher incidence of viruses transmitted in pirated software than in original copies; who are we protecting here?

>Dr. Cohen, I am sorry to disappoint you, but relatively very few
>people have read the paper you are talking about. It's too
>technical for most. Most people prefer their morning newspaper
>as a source of information.

He mentioned it as a reference, and I would think it a much more valid reference than a morning newspaper. I shudder to think what people would think if they believed everything that was found in the newspapers.

>Nope, the group we are talking about is not a profit
>organization, so money doesn't play that much importance in it.
>In fact, several of the members of this group work for bitterly
>competing companies and often those companies don't like much
>some of the sharing of information that goes into this group.

Perhaps not money, but it is in the group's common interest that all viruses be regarded as dangerous and unwanted. I think this is why people like yourself keep sniping at the virus researchers that are looking at things with a more realistic perspective and are not as closely affiliated with groups that profit from public fear.

Regards,
Adam

- --
No fate but what we make                 | Adam Jenkins | Phone: +61-3-252-6000
Finger jenky@192.35.153.200 for PGP key  | Email: adamj@mel.dbce.csiro.au

------------------------------

Date: Fri, 27 May 94 04:07:43 -0400
From: sikkid@axpvms.cc.utexas.edu
Subject: Integrity Checking

I saw a post a few days ago about the best and worst antivirus programs... I noticed that Vesselin stated that TBAV's integrity checker was "mediocre." I was just wondering why he said that, and what makes for a good CRC checker... I know a lot about viruses, but my knowledge of CRC calculation techniques is pretty limited...
Regards,
sikkid

------------------------------

Date: Sat, 28 May 94 15:34:37 -0400
From: 39534@chopin.udel.edu (Scott Ste Beardsley)
Subject: Re: The truth about good viruses

Robert Knippen wrote:

>I understand that the parties involved have a much deeper understanding
>of the myriad of philosophical issues surrounding the writing of virus
>code. I just wonder if they have lost sight of the level at which
>simple facts clearly do exist.
>
>If my machine has instructions stored that I have not authorized in
>some way, especially if someone practiced some form of deception in
>order to bring about this state of affairs, I would say this is
>unquestionably a bad thing, whether the writer of those instructions
>intended them to do harm, or intended them to facilitate my use of my
>machine, (or even intended them to be stored on my machine at all).
>

This is a bad judgement if you need to decide between good and bad instructions on your system. By this token MS-Windows is a horridly evil virus, and much of what people use today is "unquestionably a bad thing." Most of the users out there have no idea of what code does; they can't know what things do in their instruction set, they don't know how to give authority, they just put a disk in and type "install". In this way the majority of commercial software is evil...

BUT, I think better judgment would be to throw out the idea of good/bad and go with helpful, or hurtful, and leave behind the connotations of good and bad; after all, can a 1 or 0 be bad or good?

Someone already mentioned the KOH virus, that encrypts and protects your HD. It is a virus, but its replication and its infection, even though it is a controlled infection, you could say it is like a vaccine, though it doesn't protect against itself as a vaccine would; it is a controlled infection designed to be helpful. The vaccine contains code that could be dangerous (RNA) but it is designed to be helpful and it is crippled so as not to replicate as much.
Much like a "helpful" virus would be crippled so as not to overthrow your system. Just as RNA code, whether it's in a vaccine or in the HIV virus, can't really be called evil or bad, I don't think you can call 1's and 0's bad or even good.

>It seems like a privacy issue to me, and I never seem to see this
>aspect in the discussion.
>

This is an inaccurate view, I think; privacy has different connotations than this discussion contains. I think the way that I look at it is that "virus" is not good or evil or any connotation like that; those are judgment calls of the particular user/victim/whatever. It's just another string of code that can either do things good or bad. If you don't want your system executing that code, then you may see it as bad, but if you want your system to execute it (KOH) then it might be good to you. But if you're going to base your judgment of whether a virus is good or bad on whether or not you know what instructions are being executed, then unless you are an assembly wiz, you've just made all software pretty much "evil".

------------------------------

Date: Mon, 30 May 94 01:55:11 +0400
From: Kazatski Oleg Nikolaevitch
Subject: ARJ-, ZIP-viruses ?

Hi, all !

Otto Stolz wrote:
> On the other hand, it is essential for a scanner to scan inside
> compressed, self-extracting programs (such as PKLITE, LZEXE, and ...)

Are there scanners which scan for viruses in compressed, self-extracting programs and .ARJ (.ZIP) files? What are their names? Are there viruses which really infect .ARJ and .ZIP files?

All the best !

+-------------------+--------------------------+-----------------+
| Leading           | Russia, Oleg Kazatski    | Game walks into |
| relcom.comp.virus | kazatski@kartaly.chel.su | one's bag       |
+-------------------+--------------------------+-----------------+

------------------------------

Date: Mon, 30 May 94 01:56:06 +0400
From: Kazatski Oleg Nikolaevitch
Subject: Bad and good viruses...

Hi !

12 May bradleym@netcom.com (Bradley) wrote:
> How about KOH? Also the Potassium Hydroxide virus. It will encrypt your
> HD for you using the IDEA algorithm.

Tell me please about the Potassium Hydroxide virus.

> A virus by nature is what? Its intention is to produce copies
> of itself and attach these copies to your programs (without you
> knowing) and either display a message, play a tune, fill up your
> disk, destroy data etc... How can this be good? NOT POSSIBLE!!!

I agree. There are no good and harmless viruses. Also boot viruses modify my boot sector without my wishes.

> Any program that functions to work without the owner's approval is
> harmful.

YES, and once more YES !

All the best !

+-------------------+--------------------------+-----------------+
| Leading           | Russia, Oleg Kazatski    | Game walks into |
| relcom.comp.virus | kazatski@kartaly.chel.su | one's bag       |
+-------------------+--------------------------+-----------------+

------------------------------

Date: Fri, 27 May 94 12:03:12 -0400
From: "."
Subject: OS/2 Viruses? Are there any of those? (OS/2)

Hi,

I'd like to know if there are any OS/2 viruses. As far as I know, DOS viruses use TSRs in order to stay in memory and infect other programs. OS/2 doesn't have TSRs, so any "out-of-the-ordinary" apps can be detected by the task list. I know that it is possible to write trojan horses for OS/2, but is it possible to write viruses?

Thanks,
Rann Glaser - amir77@taunivm.tau.ac.il

------------------------------

Date: Wed, 25 May 94 12:30:07 -0400
From: S1083509@cedarville.edu (Joe Brown)
Subject: WinRX (PC)

Does anyone have any information on how good WinRX, I believe the name is, is at detecting and cleaning viruses?
- --Joe Brown
- --Anglo-Saxon American And Proud Of It
- --Tiny Toons Are Awesome
- --
- --Cedarville College
- --Cedarville, Ohio
- --s1083509@cedarville.edu

------------------------------

Date: Thu, 26 May 94 05:15:09 -0400
From: itxcs@upsyc.psychology.nottingham.ac.uk (Chris Sexton)
Subject: FLIP and CANSU (V-SIGN) viruses (PC)

Hi All,

After having a recent _nightmare_ with my PC (work deadlines and a virus attack) I found *TWO* of the critters on my machine. These were the FLIP virus and CANSU (or V-SIGN). When one of them acted, it savaged my partition table and FAT, meaning I couldn't access any files. If it wasn't for Norton Utilities and McAfee I'd be up the Khybosh without a paddle. NU completely rebuilt my FATs and partition table, and saved the day.

I thought it was a general hardware failure of the hard drive, not a virus. My 260Mb h/d suddenly became 33Mb, and unreadable, and I can't work out which of these viruses actually did the damage. I've got a feeling it was FLIP, as CANSU seems a pretty harmless beast (wiping system files is harmless compared to major h/d failure ;-) ).

Anyway, I'd appreciate any suggestions as to which one caused me so much hassle, and also any other stories of run-ins with either of these babies.

Cheers in advance,
Chris.

==========================.===========================================.
| Chris Sexton            |             * * * *                       |
| ICL Institute of I.T.   |            *  ^___^                       |
| Nottingham University   |_______________mm_(_o o_)_mm_______________|
| University Park         |___l___l___l___l___l___l___l___l___l___l___|
| Nottingham, NG7 2RG.    |_l___l___l___l___l___l___l___l___l___l___l_|
- --------------------------.-------------------------------------------.
| csx@cs.nott.ac.uk       | "I'd rather have a full bottle in front   |
| itxcs@psyc.nott.ac.uk   |  of me than a full frontal lobotomy."     |
==========================.===========================================.
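The partition-table damage Chris describes (a 260Mb disk suddenly reporting 33Mb) and the two Frisk Software technical notes later in this digest (back up and sanity-check the MBR before generic disinfection; estimate what Michelangelo's trigger leaves intact given the disk geometry) both come down to reading a DOS partition table and mapping sectors to cylinder/head/sector. The following Python is an added example written for this page; it is not code from any poster, from Frisk Software or from any product named here. It parses the four primary partition entries of an MBR, flags the inconsistencies a trashed table typically shows (entries running past the end of the disk, overlapping entries, missing 0x55AA signature), and, using the figure from Frisk's note #3 (the first 9 sectors on heads 0-3 of every track), counts how many sectors of each partition fall inside the overwritten region. The disk geometry, partition layout and MBR image are constructed sample data, and all function and constant names are my own.

```python
import struct
from dataclasses import dataclass

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE          # the four 16-byte partition entries live at bytes 446..509
SIGNATURE = b"\x55\xAA"       # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


@dataclass
class Partition:
    index: int
    bootable: bool
    ptype: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> list:
    """Decode the primary partition entries; raise if the sector is not a sane MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("0x55AA signature missing: MBR overwritten or not an MBR")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:            # empty slot
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: status byte {status:#x} is neither 0x00 nor 0x80")
        parts.append(Partition(i, status == 0x80, ptype, lba_start, count))
    return parts


def check_table(parts: list, disk_sectors: int) -> list:
    """Report the inconsistencies a damaged table shows; an empty list means it looks sane."""
    issues = []
    for p in parts:
        if p.sector_count == 0:
            issues.append(f"partition {p.index}: zero length")
        if p.lba_start + p.sector_count > disk_sectors:
            issues.append(f"partition {p.index}: extends past end of disk")
    for a in parts:
        for b in parts:
            if a.index < b.index and a.lba_start < b.lba_start + b.sector_count \
                    and b.lba_start < a.lba_start + a.sector_count:
                issues.append(f"partitions {a.index} and {b.index} overlap")
    if sum(p.bootable for p in parts) > 1:
        issues.append("more than one partition flagged active")
    return issues


def lba_to_chs(lba: int, heads: int, spt: int) -> tuple:
    """Classic LBA -> (cylinder, head, sector) mapping; sectors are numbered from 1."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec = divmod(rem, spt)
    return cyl, head, sec + 1


def michelangelo_hit(lba: int, heads: int, spt: int, hit_heads: int = 4, hit_sectors: int = 9) -> bool:
    """True if this sector lies in the region the trigger overwrites: sectors 1..9 on heads 0..3 of every track."""
    _, head, sec = lba_to_chs(lba, heads, spt)
    return head < hit_heads and sec <= hit_sectors


def damaged_sectors(part: Partition, heads: int, spt: int) -> int:
    """Count a partition's sectors inside the overwritten region (brute force; fine for DOS-era sizes)."""
    return sum(1 for lba in range(part.lba_start, part.lba_start + part.sector_count)
               if michelangelo_hit(lba, heads, spt))


def build_mbr(entries: list) -> bytes:
    """Construct a sample 512-byte MBR image from (bootable, type, lba_start, count) tuples; not from any real disk."""
    sector = bytearray(MBR_SIZE)
    for i, (bootable, ptype, lba_start, count) in enumerate(entries):
        # CHS fields are left zero here; the LBA fields are what the checks above use
        sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)] = struct.pack(
            ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed geometry: 20 cylinders x 16 heads x 32 sectors/track = 10240 sectors (5 MB).
HEADS, SPT, CYLS = 16, 32, 20
DISK_SECTORS = HEADS * SPT * CYLS
CYL_SECTORS = HEADS * SPT
# Partition 0 starts at head 1 (DOS convention) and fills cylinders 0-9; partition 1 fills cylinders 10-19.
GOOD_MBR = build_mbr([(True, 0x06, SPT, 10 * CYL_SECTORS - SPT),
                      (False, 0x06, 10 * CYL_SECTORS, 10 * CYL_SECTORS)])
# Same table with partition 0's sector count corrupted so that it runs past the disk and over partition 1.
BAD_MBR = build_mbr([(True, 0x06, SPT, 100_000),
                     (False, 0x06, 10 * CYL_SECTORS, 10 * CYL_SECTORS)])

if __name__ == "__main__":
    for label, image in (("good", GOOD_MBR), ("corrupt", BAD_MBR)):
        parts = parse_mbr(image)
        print(label, "table issues:", check_table(parts, DISK_SECTORS) or "none")
        for p in parts:
            hit = damaged_sectors(p, HEADS, SPT)
            print(f"  partition {p.index}: {hit}/{p.sector_count} sectors in the overwritten region")
```

With the sample geometry every full cylinder loses 4 heads x 9 sectors = 36 of its 512 sectors, so partition 1 comes out at 360 of 5120 sectors hit (about 7%), which is the point Frisk's note makes about disks with many sectors per track or many heads. Run against a real MBR dump, the checks in check_table are what you would want to pass before trusting FDISK /MBR to rewrite only the code part of the sector.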
------------------------------

Date: Thu, 26 May 94 05:29:29 -0400
From: gerace@ucsu.Colorado.EDU (Jerry Gerace)
Subject: Re: FORM and SPANISH Telecom? (PC)

Alan Coombe wrote:
>We run diskless PC's on a Novell server. We have a Ram drive.
>
>Does anyone know if these viruses have stealth capabilities, whereby they can
>survive a RESET (Either RESET button or CTRL+ALT+DEL)

I just got done disinfecting several PC's that had the Form virus on them. Happy to say, it's a pretty tame virus. No stealth at all, isn't harmful, just sits there duplicating itself. I did a warm boot and it just couldn't make it. Easily disinfected with F-prot, although apparently (before I arrived on the scene), Norton Anti-Virus screwed up a few floppies while attempting to disinfect (it somehow screwed up the MBR instead of just using the stored copy the virus makes), but the disks were fairly easily recovered.

------------------------------

Date: Thu, 26 May 94 09:00:32 -0400
From: "Jeff E. Lewis"
Subject: MtE Virus info wanted (PC)

I would appreciate information on "MtE" which I "found" on my machine with Norton Antivirus 2.1. This was NOT indicated by

cpav (1991?)
microsoft anti-virus (1993)
mcafee scan 106
mcafee scan 108

but there was no doubt that something was present, since scandisk recovered 90 mb of hard disk space 11 days after I started using the indicated infected program.

Thanks,
Jeff E. Lewis

------------------------------

Date: Thu, 26 May 94 16:10:16 -0400
From: iolo@mist.demon.co.uk (Iolo Davidson)
Subject: ** Date recovery after Michelangelo virus infection ** (PC)

> For a hard disk infected with the M. virus, does anyone
> have info on
>
> * Whether there is a shareware/commercial_software
> that will recover most/all the data present on the
> damaged hard-disk.

If the virus has triggered, the first 17 sectors on the first 4 heads on the first 256 cylinders will have been overwritten with garbage and are gone for good. This may not be the whole of the disk.
Something may be recoverable, especially if a large disk has been partitioned into several volumes. However, the recovery will require skill; there is no magic program that you can run that will give it to you on a plate. Better to restore a backup or seek professional help.

If the virus has not triggered, but merely infected the hard disk, then the data will not have been damaged (yet). Most anti-virus software can clean a disk of Michelangelo.

- --
Iolo Davidson (no club, lone wolf)

------------------------------

Date: 26 May 94 16:08:47 -0500
From: sullivan@cobra.uni.edu
Subject: dir/reg (PC)

Hi,

Just a word to the wise... We received a demo diskette from Network Computing Inc. for a program called LAN Page. It was version 1.0.5. When it arrived, it was taken out of the package, write protected, and inserted in a workstation protected by VIRSTOP 2.12. The intercept immediately reported a FORM infection in the boot sector. F-Prot 2.12 was able to remove the virus and everything seems to be fine. We called the company's tech support line and reported it. They said that it isn't the current shipping version, but they will check out the duplicator stations to be safe.

Thought you'd like to know.

Diane

============================
sullivan@uni.edu
Diane Sullivan
ISCS NTS
University of Northern Iowa
Cedar Falls, Iowa 50614-0121
(319) 273-6814

------------------------------

Date: Thu, 26 May 94 17:56:35 -0400
From: jaf@jaflrn.Morse.Net (Jon Freivald)
Subject: UNIX antivirus & Monkey disinfector (PC)

> Date: Fri, 13 May 94 17:15:20 -0400
> From: Richard Foley
> Subject: UNIX anti-virus scanners (UNIX)
>
> any suggestions/recommendations for anti-virus products for use
> under UNIX?

Tripwire by Gene Kim/Gene Spafford of Purdue is a very good integrity management system. It's available in source form and runs on most flavors of *nix (I'm running it on Linux).

> Date: Wed, 18 May 94 09:39:06 -0400
> From: "David M. Chess"
> Subject: re: Monkey Virus (PC)
>
> >From: Jeff K Landauer
> >
> >Well, Scan shows that I have this, but I can't get rid of it. It
> >reports that I need to boot from a floppy in order to clean the system,
> >but when I do that, I can't access my hard drive.
>
> When you boot a Monkey-infected system from a clean diskette,
> DOS can't see the hard drive, but an anti-virus program should be
> able to. I don't know about scan/clean in particular, but just
> try it as though the C: drive were visible, and it ought to
> work. With the standalone program of IBMAV, for instance,
> you would do "IBMAVSP *" or whatever, as usual. DC

Also, Tim Martin's killmonk will safely clean it even when it's active in memory. I know this isn't recommended practice, but I sent a user killmonk and he used it that way before calling me for instructions - worked just fine. (Available most places as killmnk3.zip)

Jon

- --
Jon Freivald ( jaf@jaflrn.Morse.Net )
PGP V2 - 22A829/40 DA 9E 8E C0 A1 59 B2 46 3B 73 81 2B 7B 83 1F
Nothing is impossible for the man who doesn't have to do it.

------------------------------

Date: Thu, 26 May 94 18:16:39 -0400
From: bgrubb@freedom.NMSU.Edu (Bruce Grubb)
Subject: Re: PowerPC Virus?? (PC) (Mac)

Andrew Brown (asbrown@raptor.swarthmore.edu) wrote:
: In article ,
: bobk@uhunix.uhcc.hawaii.edu (Bob Koehler) wrote:
: > Aloha,
: > We just got our PowerMacs and are awaiting SoftWindows. But we have a
: > question.
: > If we begin downloading PC things and pick up a PC virus, will it also
: > infect the Mac part of the disk? Or will it just infect the PC stuff?
: > Are there any virus detection programs that will check and fix both sides
: > of the PowerMac?
: > Any information will be appreciated.
: > Mahalo,
: > bobk
: > bobk@uhunix.uhcc.hawaii.edu

: Wow. Don't give them any ideas. Pretty soon we'll have fat,
: cross-platform viruses floating around. What a nightmare.

I don't think that is what Bob Koehler is asking.
He is asking if there are ALREADY EXISTING PC viruses that can create problems. Well, we know that there are about six PC viruses that can get through SoftWindows and destroy the Desktop files or erase the drive on the Mac section. The good news is that there are only about six of the hundreds of PC viruses that can do this. The problem is that I forget which six there are, and that unlike the Mac there is NO Gatekeeper- or Disinfectant-like program on the PC side {i.e. no free or semi-free 'detect _ALL_ known viruses' programs.}

I have crossposted this to comp.virus as they are far more knowledgeable on this than comp.sys.powerpc is.

------------------------------

Date: Thu, 26 May 94 21:50:16 -0400
From: gandalf@pipeline.com (Tom Neumann)
Subject: Re: DIR-Virus? (PC)

hoens@gmd.de (guenter hoens) wrote:
>
>Some days ago I gave a floppy to a friend, but when he
>tried to read it, there was nothing.
>I got the floppy back, and I could read this floppy
>very well. We had a next try, but the same happened.
>The Dir-Command on his computer reported that there
>were no files.

It's very likely that one of your floppy drives has heads badly out of alignment; that's why files made on that machine can be read, but not files made on other machines. I had a similar problem with a Vicon 386 at work; it could only read files made on it, though it seemed to read anyone's double density formatted disks. I ran a diagnostic program on it and the alignment was way off.

GANDALF

------------------------------

Date: Thu, 26 May 94 23:09:12 -0400
From: dhull@nunic.nu.edu (Dr. David B Hull)
Subject: Computer viruses for Sale (PC)

First question - is this newsgroup really dead!!

[Moderator's note: no, it's been revived. There were problems with the mail to news gateway, followed by the moderator going on a couple of long business trips.]

At any rate, I just received a nice little CD-ROM from American Eagle Publications.
It is really a knockout, with 527 major virus source codes and plenty of other interesting things. I happen to need it for my research into the morphology of computer viruses. But if my serial number of 001126 is true - oh boy ! I in one sense congratulate Mark (see sig), but it really does tread on dangerous ground. Ah well - I live in a mainframe environment practicing "security by obscurity" - so I don't tell nobody nothin'.

OK, if this newsgroup is alive - what happens next ! The man has just yelled fire in a crowded theater !

- --
< David B. Hull   Always interested in computer viruses.                    >
<                                                                            >
< " And God saw that it was good. And God blessed them, saying:              >
<   Be fruitful and multiply"   Mark A. Ludwig (quoting God !)               >
<                                                                            >
< " Fornication is the contemplation of the body" - Kibo reincarnation ?     >
<                                                                            >
< " When the mind goes to rest, the bonds of the body are destroyed,         >
<   And when the one flavour of the Innate pours forth,                      >
<   There is neither outcaste nor Brahmin.                                   >
<                                                                            >
<   Here is the sacred Yamuna and here the River Ganges,                     >
<   Here are Prayaga and Benares, here are Sun and Moon,                     >
<   Here I have visited in my wanderings shrines and such places             >
<   of pilgrimage,                                                           >
<   For I have not seen another shrine blissful like my own body. "          >
<   Saraha - tantric siddha and poet                                         >

------------------------------

Date: Thu, 26 May 94 23:19:59 -0400
From: iiggii@mixcom.mixcom.com (KMJ Enterprises)
Subject: Thunderbyte Antivirus (PC)

Has anyone heard of/used Thunderbyte antivirus? How does it compare (reliability, speed, etc) to some of the others - McAfee, SP, Norton, etc?

advTHANXance

...Hank
hobbes@mixcom.mixcom.com
- --

------------------------------

Date: Fri, 27 May 94 03:49:21 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: ** Date recovery after Michelangelo virus infection ** (PC)

schoudhu@ucunix.san.uc.EDU (Spandan Choudury) writes:

>For a hard disk infected with the M. virus, does anyone
>have info on
> * Whether there is a shareware/commercial_software
> that will recover most/all the data present on the
> damaged hard-disk.

Maybe this should go into the FAQ....

- ------------------------------------------------------------------------------
Frisk Software International - Technical note #3

Recovery from Michelangelo

When the Michelangelo virus activates, it overwrites the first 9 sectors on heads 0-3 on every track of the hard disk. Recovery from this may or may not be possible, depending on two factors.

Time: If the virus was allowed to run without interruption when it activated, it will have overwritten data on every track, making recovery much more complicated than if the user hit reset or the power-off within seconds of the activation of the virus.

Size of the disk: As the virus only overwrites 9 sectors, disks with a large number of sectors on every track - 32 sectors maybe - will have a large part of their data intact. Also, a disk might have (or rather, appear to have, from the BIOS' point of view) a large number of heads...maybe 64, and as described before, the virus will only destroy data on the first 4 heads.

The fastest method to recover would probably be to re-partition the disk, re-format and restore yesterday's backup. However, as the users who make backups every day may not be the ones who are most likely to be hit by the virus, we will assume that no backups exist. We will also assume that the person trying to restore the data is thoroughly familiar with partition layouts, disk editors and other similar tools. In my personal opinion, the best tool for doing this by hand is NU, version 4.5, rather than versions 5 and later. If not - don't try this....send the disk to some professional data recovery service.

Finally, we will assume this is a "normal" disk - not a "fancy" one like a HPFS/Stacker/Doublespace volume.
The virus will always have trashed the MBR - head 0, track 0, sector 1 - which needs to be rebuilt, usually by hand, but if one restores the rest first, a program like NDD should be able to reconstruct it.

The first step is to "map" the disk, and determine the extent of the damage. As DOS keeps two copies of the FAT, there is a chance that the second one is intact, but the virus usually trashes the first one. Locate the second one (if you don't know what an intact FAT looks like, you probably should not be doing this anyhow), and if it is OK, just copy it over the first one.

Examine the root directory - if it is OK, fine...if not, then you need to re-build it by locating other directories on the disk, noting their starting cluster and re-creating the root directory.

You need to re-construct the DOS boot sector too. The best way (assuming you don't have a backup of it) is to copy it from a different machine with identical partitioning, but it can also be re-built manually, or in some cases reconstructed by NDD....however, then you would have to reconstruct the MBR first...

In other words: Recovering from Michelangelo is not easy, but an attack does not have to be a complete disaster.

- -frisk

------------------------------

Date: Fri, 27 May 94 03:51:19 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: vbait12.zip - Simple virus bait, detects COM infecting virus (PC)

heilfort@ap01.physik.uni-greifswald.de (Matthias Heilfort) writes:

>I have uploaded to the SimTel Software Repository (available by anonymous
>ftp from the primary mirror site OAK.Oakland.Edu and its mirrors):
>SimTel/msdos/virus/
>vbait12.zip Simple virus bait, detects COM infecting virus

"Detects COM infecting viruses"...hmm... Is it able to detect infection by stealth viruses? If not, I would say a redesign was required.
-frisk

------------------------------

Date: Fri, 27 May 94 04:05:45 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Help: W-boot or Swiss Variant Virus (PC)

DARREN.JABBA@law.mail.cornell.edu (DARREN) writes:

>F-Prot 2.12 identifies it as "W-boot - unknown" and apparently
>cannot get rid of it. The docs also say it cannot be
>disinfected.

>SCAN/CLEAN 1.14 identifies it as "Swiss Variant" and also can't
>get rid of it (safely -- I guess that under other circumstances
>it could).

My guess is that this is a slightly modified W-boot variant - the "unknown" part simply means that the checksum doesn't match, but it appears to be more-or-less like the original.

>1. Are they actually the same virus?

No...W-boot and Swiss Boot are totally different viruses.

>2. What does it/they do?

Well, if this is a new variant, it might do something other than the original, right? Anyhow...it probably is not seriously destructive.

>3. Will using SYS or FDISK/MBR get rid of it safely?

Probably, yes...see below for info on generic removal....however, it might be a good idea to make a copy of the boot sector (or better yet, a TeleDisk image of an infected diskette) and send that to the various anti-virus companies, so the products can be updated.

>or 4. Will we just have to kill/reformat everything?

You absolutely never have to do that when dealing with a boot sector infection.

---------------------
Frisk Software International - Technical note #8

Generic boot sector disinfection

Although F-PROT is usually up-to-date with respect to virus detection and disinfection, there are occasional cases of a virus infecting a machine before we have implemented disinfection of that particular virus. The instructions below describe a "generic" method for the removal of boot sector viruses.

If the virus infects the Master (Partition) boot sector:

Create a bootable system diskette on a different (clean) machine, that is running DOS 5 or 6, with the FORMAT /S or "SYS" commands.
You cannot use DOS 4 or older for this purpose.

Copy the file FDISK.EXE to that diskette and write-protect it.

Boot the infected machine with this diskette - do not rely on just pressing Ctrl-Alt-Del...press the Reset button or turn the machine off and then back on.

Check if you are able to access all partitions on the hard disk normally. If they are not recognized, it might be because the virus encrypts the partition data or overwrites it....in this case the generic disinfection method described below is not possible. One method which will often work is to wipe out the MBR with a disk editor, and then run NDD and tell it to recover the lost partitions. My favourite tool for this purpose is NDD version 4.5. However, you should make a backup copy of the (infected) MBR first - if you don't know how to do that, you probably should not be fiddling with the MBR anyhow.

If everything seems to be OK, give the command FDISK /MBR. This will overwrite the code part of the MBR - in effect "killing" the virus. (Note: if you are using Novell DOS 7.0, you need to select this option from the menu, not give a command-line switch.)

Reboot the machine normally from the hard disk.

If the virus infects the DOS boot sector:

Create a bootable system diskette on a different (clean) machine, that is running exactly the same version of DOS as the infected machine.

COPY the SYS.COM file from the DOS directory to the diskette and write-protect it.

Boot from the diskette and give the command SYS C:

In addition to copying the system files over (which is not necessary to remove the virus), this will overwrite the DOS boot sector with "clean" code, killing the virus.

------------------------------

Date: Fri, 27 May 94 05:34:08 -0400
From: we34329@vub.ac.be (DE KERPEL SVEN)
Subject: Thanks To ALL of you + solution (PC)

First of all I want to thank everyone who gave me info on my virus problem.
Special thanks go to Larry Pendergraft, who found a solution a few moments after I found it myself using information he gave me.

The Flip virus aka Omicron reduced my disk space to 33MB by deleting the info which records the long partitions. (I know some other viri do this too.)

Solution

The virus wrote a FFFA to offset 13h of the boot record; this is only used if hard disks with <32MB are used. If long partitions are used this value should be 0 and the value at offset 20h should give the amount of sectors used.

Thanks again,
Sven De Kerpel

------------------------------

Date: Fri, 27 May 94 08:03:20 -0400
From: vcurtis@relay.nswc.navy.mil (vcurtis)
Subject: Help! Checksums keep changing .......... (PC)

I ran the Microsoft Anti-Virus program in DOS 6.2 with the following options selected: Verify Integrity, Prompt While Detect, Anti-Stealth, and Check All Files. The checksum had been changed on nearly every .exe, .com, & .dll file on my system. The scan showed no virus however.

One other strange problem occurred. About 75% through the virus scan, the program quit with this message: "MWAV caused a General Protection Fault in Module MWAVSCAN.DLL at 0001:0C77." It threw me out of the program and back to Program Manager. I tried to execute the Anti-Virus program again, and all it would do is give me the following message: "Unable to lock conventional memory." It would not even try to run.

I rebooted and tried again. Got the same results as the first time: changed checksums, and GPF message, followed by the conventional memory message on retry.

I ran McAfee and F-Prot (April '94) on the system and they showed nothing. I deleted MWAVSCAN.DLL and reinstalled it, reran with the same scenario, same results. I eventually copied MWAVSCAN.DLL from another source and put it on my system. When I reran Virus-Scan I had the same checksum change problem, but the GPF error occurred on a different MWAV???.DLL file.
If I turn off Anti-Stealth checking, I still get checksum changes, but no GPF message and the program completes its scan.

I don't know if this is symptomatic of some virus or what. I am very uncomfortable with this constantly changing checksum situation. Can anyone offer any suggestions?

email: vcurtis@relay.nswc.navy.mil

Thank you.

------------------------------

Date: Fri, 27 May 94 12:37:25 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: xFwd: CD-ROM Virus-Alert (PC)

This is sort of a follow-up to my own earlier posting, but ah...well..

jilka@GBAWS4.zamg.ac.at writes:

>CD-Rom manufacturer Chinon America, Inc. says computer vandals have illegally
>put its name on a virus-ridden file and released it on the INTERNET.

there is one fundamental misunderstanding...this is a Trojan, not a virus.

> The program also immediately crashes the CPU, forces the user to reboot
>and stays in memory. The virus has proven thus far to be _undetectable_ by
>traditional virus checkers."

The last part is nonsense....many scanners have detected it for many years - the Trojan was originally released in '90.

Anyhow...here is the original documentation of the Trojan:

_______________________________________________________________________________
                     *** WARPCOM II Trojan Horse ***
                     * Programmed by Flash Force! *
                     RABID N'tnl Development Corp
                     *** Copyright (c) 1990 RABID! ***
_______________________________________________________________________________

This is the second version of the WARPCOM trojan. The original, I hear, has been the demise of many deserving hard drives. Frankly, that surprised me since the first one has so many shortcomings. This version is much improved.

Okay, here's the scenario. Your victim runs WARPCOM II and nothing happens but disk access. So he just deletes what he thinks is a screwed up program. Later he turns off the computer and goes to sleep, or whatever. Next morning, he turns it on, and it appears to hang. "Funny," he thinks. He tries again and it says "Non-system disk error"...At this point everything on his hard drive is in data heaven. Goodbye, loser.

Now for a more detailed description of what happens:

1) WARPCOM II finds the COMMAND.COM used to boot up the computer.
2) Deletes it, even if it is read-only.
3) Creates another that is the same size with the same creation/modification dates and same attributes.

The COMMAND.COM that is created appears to be the same old copy that is always used to boot up the computer, but in reality it has instructions to format the drive and nothing else. Since the damage occurs at boot time, and the trojan is run before that, most stupid people will not be able to make the connection between the trojan and their hard drive getting annihilated. Also, WARPCOM II makes no screen writes so it can be easily concealed in a batchfile or something similar (Sierra game loader?) Use your imagination on this part.

The one problem with WARPCOM II is that Flushot will detect it. If your victim is running Flushot, I wouldn't bother them with this. The only known program that can get around Flushot is the Twelve Tricks Trojan.

This program and textfile are provided for educational purposes only, of course. I wouldn't want anyone using this for any malicious purpose or anything. (not!)

Flash Force
RABID

------------------------------

Date: Sat, 28 May 94 00:22:15 -0400
From: Steve Hathaway
Subject: Monkey Virus (PC)

A strain of Monkey Virus has been reported in Heppner, Oregon. This virus infects the boot block of disk drives and the disk partition table of hard disks. The FORMAT command cannot create a good format of any floppy disk in the presence of the Monkey Virus.
The only way to eradicate the Monkey Virus is to boot a virus-free DOS and recreate a new partition table and FAT tables on your hard disk (preferably after low-level format), then restore a bootable operating system and then your last good backup. If you are lucky enough to have your computer on a network with a file server, you may copy all of your application files to the server, and restore them from the server after you have a newly formatted and bootable hard disk. The Monkey Virus appears not to infect the structure of remote network disks.

Some of the stealth features of the Monkey Virus allow the hard disk to boot and use a reserved - relocated copy of the system partition table. You can copy files to diskettes, but that action becomes the propagation activity. If you boot a virgin DOS from diskettes and look for the hard disk, the absence of a recognizable partition table causes the hard disk not to be recognized. The PCTOOLS DiskFix program can usually examine the appropriate contents of saved system configuration to rebuild a new partition on the hard drive, allowing recovery formatting to continue.

=================================================================
Steve Hathaway // Oregon State Police // Emergency Management Systems Analyst

------------------------------

Date: Mon, 30 May 94 08:48:58 -0400
From: litta@esl3.NoSubdomain.NoDomain (Littlewood A)
Subject: Aragon Virus (PC)

After downloading McAfee's latest version of scan113 and running it on my system (486DX 33, 4M RAM, 170 HD), there was a "no virus found" etc msg. Next I tested high memory with the flag /chkhi, after which scan returned that it had in fact found the "Aragon" virus and informed me to reboot from a clean disk and rerun scan (also from a new clean disk). Following these instructions and rerunning scan to check high memory still returned the same msg. As I was running dblspace at the time and had heard that this could sometimes be mistaken for a virus, I decided to remove it.
Again no change in the error msg. Next I disabled the HD in the CMOS setting and tried again. Still no luck. Finally created a new boot block from disk which checks integrity; yet again no change. If anyone can offer some help it would be most appreciated.

The "Aragon" virus copies the boot block before writing itself onto it. Thus any checking made to it will be routed to the copy of the original boot block. Could it be possible that some hardware could look like the virus?

--
_____ Aidan Littlewood
Replies to :- litta@essex.ac.uk

------------------------------

Date: Mon, 30 May 94 09:23:14 -0400
From: am3a035@math.uni-hamburg.de (Radoslav Smiljanic)
Subject: Re: f-prot strange behavior (PC)

Qian Qian (qianqian@tucson.princeton.edu) wrote:

|>All this happened after I restore something from a disk given
|>by my friend. I used to run f-prot without any problem.
|>I just run f-prot to check my harddisk and came up something
|>strange which I think probably has something to do with virus.
|>In the upper window some message shows:
|>Error reading C:\WP51\INSTALL.EXE
|>after which suddenly the same message shows up for rest of the
|>files on the disk. At the end it says no suspicious virus is
|>detected. But I knew it is not all right. I then reboot the
|>machine from a clean floppy disk and run f-prot from a clean
|>protected floppy. The result was almost same. I did several
|>times. In one occasion, it did say that a variant of Como virus
|>was detected. But when I tried to disinfect the infected
|>file, the same error reading phenomenon occurred again.
|>The machine is 386sx16 with 4M RAM running DOS6.0.
|>Any suggestion about what I should do? I need inputs from
|>net wisdoms.
|>Thanks ahead!

I'm not sure if I have the solution for you, but perhaps you have bad sectors or clusters. It occurs sometimes on old HDDs and floppy disks. Data written to these sectors or clusters is lost and can't be accessed.
Try to check your HDD with Norton Disk Doctor or similar applications.

--
------------------------------------------------------------------------------
Rado Smiljanic, rado@math.uni-hamburg.de
A fool's brain digests philosophy into folly, science into superstition, and art into pedantry. Hence University education. -- G. B. Shaw

------------------------------

Date: Mon, 30 May 94 10:56:39 -0400
From: "MICHAL EGLER"
Subject: More information about Evolution 2001 Virus (PC)

NEXT (MORE) INFORMATION ABOUT >>> Evolution 2001 Virus <<<

Here is more complete information about the new virus 'Evolution 2001'. I have decoded and analyzed the code of this virus and all information is from the virus code. I have written a cure program for it.

- virus code created using 386 opcodes
- polymorphic decode procedure
- increments the year in the file creation date by about 100 years
- code similar to the TREMOR virus (time stamp, virus internal text)
- infects EXE files
- increases file size by about 2770 bytes
- virus code resident in high conventional memory
- virus reserves 7136 bytes in memory (it makes 9E42:0 the start of the virus code)
- contains the text ' Evolution 2001 Virus was done by lord Salivantis - Nov/Dec 1993'
- virus displays text before 3:58:46 and 5:58:9 if pressed
- uses stealth technology to hide the increased file size under programs like: NC, VC, DC
- before a file is opened (like view under VC) the virus cures the infected file
- changes interrupt vectors: 1, 9, 13h, 21h, 24h

------------------------------

Date: Mon, 30 May 94 14:04:25 -0400
From: Olivier Montanuy
Subject: WARNING: VALIDATE.COM and VALIDATE.EXE can be cheated. (PC)

Motivation: VALIDATE.COM and VALIDATE.EXE are currently used to authenticate the files contained in McAfee shareware packages, so as to prevent any insertion of viruses or trojans while they stay on public BBS or FTP servers. They are inadequate and may be misleading.
******** This is a warning for users of McAfee shareware packages ********

I have a method to cheat *both* these programs: as an example, I included in this post an uuencoded .ZIP archive containing two files:
* one is TV.COM (Tiny View, a public domain file viewer, author???)
* the other one is TV_SPOIL.COM. A copy of TV.COM in which I inserted a trojan horse (err...well, you'll see what I mean if you have a look at the file content :-)

VALIDATE.COM and VALIDATE.EXE should report the same checksum and length. (on my PC at least :-)

I won't publish the source code or the executable of my cheating program, and I will not discuss details of the cheating method, except with McAfee associates or trusted comp.virus contributors (if they care :-)

Technical note: VALIDATE.COM performs a double 16-bit CRC and VALIDATE.EXE a 32-bit (and somehow unorthodox) CRC. The cheating method uses only simple polynomial arithmetic. The main program routine is 10 lines of C code, and could be reduced to a hundred bytes of machine code (but who would bother?)

Temporary counter measure: I don't have a replacement for VALIDATE.COM and VALIDATE.EXE. Anyway, it should be sufficient to authenticate only the length of the files in the compressed package (using 'pkunzip -l'). As a matter of fact I seriously doubt it is feasible to modify a file without affecting either the normal file length, or the compressed file length, or the compression method.

Olivier Montanuy
Telecom Paris, France
montanuy@inf.enst.fr

Included files: (uudecode and pkunzip this)

[Moderator's note: ...with all due caution.]
-------------------------------------------------------------------
begin 666 exemple.zip
M4$L#!!0 H ( ,:3OASOY<5'3@, +X# & 5%8N0T]-35)O2!MG&'^> MW.62V,ZZ580QR"Y;#)B45LKF8#DSMXI;'5A-+*WVPYC+,5TUI_?'X$0T*,QZ ML(\;^V:7?M.-4%),\N&2>E;[Y:#Z810*?G"%79;"Z-QJ-X>W]W4;[(7G?5Y^ M]_Q^][R_YZU^!>_V]\?;(?'!Q:[^=F]DB;% M8(^D\F)*4CX=YL?$,4F>"G:-C(H\A;LD+94,7DXIVOBX)*MBDI\<28H2/R8E MQ:"//Q-M/P?@P,L @$!7@6X.633_XCK--#,O,>=(M)'H8+J9 >:O?*L5$%R* KGY2 >9\5L'@C ZO""VJT/(1%-_SZO?I4_Z&;(GZ*< 31GFYV.O"CJU9=/.$%KN9K^]CJ&;/6Q6(>D3-CN!7'@G[!1:7[0:/'4[ZNFC]<6F40P]X[Y@ M6?HK2EN*#;&>Y>OX+#2*3"6;0K>QX :,;DQRI3!6WW3F8EX$K?$VGW=9@9PW 7V\UY+U6PV+(BZ6'KL+KS5:@;"SH]2GTWVM3AAY M=',:3W S>,,_38+F630,5O65#+8(<_;G:-IOH7S2/H^R1ZC3#NQ=,/7Z4;1_ M41=VR,7>Y)P]L^?!/LBN'NKER.'BMABL7 M]K9JW^EFLP>*7HC6(A>#X:'*@55G\WB0B;?N-? M]66OCAQMGQ,P&.E_W&.[>ZP3P"ANOXP>Y;8YV9OHB^^Q4VAX^A-T\2M&:2# "U?R[UF!P8'\.^0%NR*5Z%W5S:QGI_#:5?-O4$L#!!0 H ( ,:3OASOY<5' MW ( +X# , 5%9?4U!/24PN0T]-?5';3Q-+&)^Q=0N+BR^F+R;-U%N@ M8*N&8*";EECPDBARBW(QJ9MVL488ZNS4IK9<&G@0]P_P5>-YXYR$DW#BP8<% M61)\:2(^F9#P0$A<+6^HH$VH,RT"OOAE=N>;W_?]?OO-;Q&-UCL"3[=8#*$[ M:#<8XD'!--K'@D$*5@4])63D+(L1>BB26:31?J1/_@;[_7ZF=Q!F*D$:K.S9 M1].LK5A-'P#3>\F?04])KY0PM"L251%=$NK"L0%)05=C6)6= B_PMZ3!:%@B MLCMP\P:2E##: UJZ6U H(DLDJMP3^"&91&)A)E(5JD;G&QKJT$WWC9A")"6> M%/@ RT($#>T5O"'R"=.U;IG7/FBTJ?!L'++FW+*N3RSZ5*A5*G#S+\T1@3.^K#.+ M:E9>I& %-PPG'2GZL'T4ZKJ5E+_6K;-@S'P,#?,BQ$?,"Q#;1#Z^9:X"0ZL< MA.;'PEK>6.)&(0#&\Z/0M0YI;FBKYC'@78UO&>9_ )>;TP O,EJ)\YEQ.#;9 MK6&6/TVCIV?*X.;4\_M4PT(U7F:@ZWW-"CU_6Z,7V;;05C,"?\SHR4'4QF3'? PB(H[.#WM_^$(XOYYF)F%?M_$34$L! A0 % " M@ QI.^'._EQ4=. P O@, 8 @ %16+D-/35!+ M 0(4 !0 @ ( ,:3OASOY<5'W ( +X# , ( '(# !4 A5E]34$])3"Y#3TU02P4& ( @!N > 8
end
--------------------------------------------------------------

------------------------------

Date: Mon, 30 May 94 14:22:09 -0400
From: cogni@actcom.co.il (Michael Cale')
Subject: HELP: How add code into .EXE ? (PC)

Hello all.
Now I am trying to write a basic ANTI-viral program that adds to a user program a short piece of code that will check a CRC (or something similar) before running the program. Adding any code to a .COM is trivial, but with .EXE I have some problems. I think that I forget some needed actions and do only part of them. I add my code INSTEAD OF the starting part of the .EXE (after the header part) and try to change it back at run time, and also change the relocation table, but... I have problems. :(

Maybe someone can help me - send any working code or write what ALL the needed procedures are to add code into an .EXE correctly.

Thanks in advance.

All the best,
Alexe Levitas
cogni@actcom.co.il

P.S. DON'T WORRY - I'M NOT TRYING TO WRITE A VIRUS.

------------------------------

Date: Sat, 28 May 94 16:01:14 -0400
From: James Ford
Subject: files updated on risc (PC)

The following files have been mirrored from ftp.mcafee.com:
(ftp.mcafee.com:/pub/antivirus -> /pub/ibm-antivirus/Mirrors/mcafee/antivirus @ Sat May 28 00:10:17 CDT 1994)

------------------------------
Got 00-Index 1912
Got osc-201.zip 324798
Got scn-201.zip 296703
Got vsh-201.zip 342228
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/vsh-200.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/scn-200.zip
removed /pub/ibm-antivirus/Mirrors/mcafee/antivirus/osc-200.zip
----------

James Ford - Seebeck Computer Center
jford@seebeck.ua.edu, jford@risc.ua.edu
The University of Alabama (in Tuscaloosa, Alabama)
(205) 348-3968 (205) 348-3993 (fax)

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 40]
*****************************************
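Frisk's technical note #3 earlier in this digest describes "mapping" a Michelangelo-damaged disk (MBR, both FAT copies, root directory) before repairing it, and Sven De Kerpel's post identifies the boot-record field the Flip virus corrupts (offset 13h vs 20h). The Python below is an added example, not code from the digest, from Frisk Software or from any poster: it builds a small constructed FAT-style disk image in memory, marks the sectors the note says the payload overwrites, maps what survived, copies the intact second FAT over the first, restores the boot record from a template taken from an identically partitioned disk, and checks and fixes the total-sectors fields. The geometry (4 cylinders, 8 heads, 32 sectors/track), the partition start, the FAT validity heuristic and the simplified rebuilt MBR entry (zero CHS fields, no boot code) are all assumptions made for the illustration.

```python
"""Disk mapping in the spirit of Frisk's technical note #3, plus the boot
record total-sectors check behind Sven De Kerpel's Flip fix.  Added example
on a constructed in-memory image; not code from the digest or from Frisk."""
import struct

SECTOR = 512
BPB_FMT = "<HBHBHHBHHHII"                       # BPB bytes 0Bh..23h
BPB_KEYS = ("bps", "spc", "reserved", "fats", "root_entries", "total16",
            "media", "spf", "spt", "heads", "hidden", "total32")
PART_FMT = "<B3sB3sII"                          # one MBR partition entry

def chs_to_lba(cyl, head, sector, heads, spt):
    """BIOS CHS -> LBA; 'sector' is 1-based as in INT 13h."""
    return (cyl * heads + head) * spt + (sector - 1)

def michelangelo_damage(cylinders, heads, spt):
    """LBAs the note says get overwritten: sectors 1-9 of heads 0-3, every track."""
    return {chs_to_lba(c, h, s, heads, spt) for c in range(cylinders)
            for h in range(min(4, heads)) for s in range(1, 10)}

def build_boot_sector(total, spt, heads, hidden, spf=8, root_entries=64):
    """Constructed DOS boot record: small volumes keep the total at 13h,
    large ones put 0 there and the 32-bit count at 20h."""
    bs = bytearray(SECTOR)
    bs[0:3], bs[3:11] = b"\xEB\x3C\x90", b"MSDOS5.0"
    small = total if total < 0x10000 else 0
    struct.pack_into(BPB_FMT, bs, 11, SECTOR, 4, 1, 2, root_entries, small,
                     0xF8, spf, spt, heads, hidden, 0 if small else total)
    bs[510:] = b"\x55\xAA"
    return bs

def parse_bpb(bs):
    return dict(zip(BPB_KEYS, struct.unpack_from(BPB_FMT, bs, 11)))

def check_total_sectors(bpb, partition_sectors):
    """Flip/Omicron symptom: FFFAh at 13h on a volume that uses 20h.  DOS
    trusts 13h whenever it is non-zero, so the volume shrinks to 65530
    sectors (about 33 MB).  Returns (ok, effective_total, reason)."""
    t16, t32 = bpb["total16"], bpb["total32"]
    if t16 and t32:
        return False, t16, "13h and 20h both set; DOS will use 13h"
    if (t16 or t32) != partition_sectors:
        return False, t16 or t32, "total does not match the partition"
    return True, t16 or t32, "ok"

def fat_looks_valid(fat, media):
    """Entry 0 of a FAT is the media byte followed by FFh bytes (assumed check)."""
    return fat[0] == media and fat[1:3] == b"\xFF\xFF"

def map_partition(image, start, bpb):
    """The 'map the disk' step.  The BPB comes from a template (a machine
    with identical partitioning): the damaged boot record cannot be trusted."""
    sec = lambda lba, n=1: image[lba * SECTOR:(lba + n) * SECTOR]
    fat1 = start + bpb["reserved"]; fat2 = fat1 + bpb["spf"]; root = fat2 + bpb["spf"]
    return {"mbr_ok": image[510:512] == b"\x55\xAA",
            "boot_ok": sec(start)[510:512] == b"\x55\xAA",
            "fat1_ok": fat_looks_valid(sec(fat1, bpb["spf"]), bpb["media"]),
            "fat2_ok": fat_looks_valid(sec(fat2, bpb["spf"]), bpb["media"]),
            "root_ok": sec(root)[0] != 0,        # first directory entry
            "fat1": fat1, "fat2": fat2, "root": root}

def recover(image, start, template_boot):
    """Copy FAT2 over FAT1 when FAT2 is intact, restore the boot record from
    the template, and rebuild the partition entry by hand.  CHS fields stay
    zero and the MBR code area stays empty (FDISK /MBR or NDD supplies it)."""
    bpb = parse_bpb(template_boot)
    m = map_partition(image, start, bpb)
    if not m["fat2_ok"]:
        raise ValueError("second FAT also trashed; rebuild by hand")
    n = bpb["spf"] * SECTOR
    image[m["fat1"] * SECTOR:m["fat1"] * SECTOR + n] = \
        image[m["fat2"] * SECTOR:m["fat2"] * SECTOR + n]
    image[start * SECTOR:(start + 1) * SECTOR] = template_boot
    image[0:SECTOR] = bytes(SECTOR)
    struct.pack_into(PART_FMT, image, 446, 0x80, b"\0\0\0", 0x06, b"\0\0\0",
                     start, bpb["total16"] or bpb["total32"])
    image[510:512] = b"\x55\xAA"
    return map_partition(image, start, bpb)

def build_image(cylinders=4, heads=8, spt=32, start=32):
    """Constructed disk: MBR, one partition from head 1, two FATs, root dir."""
    total = cylinders * heads * spt
    image = bytearray(total * SECTOR)
    boot = build_boot_sector(total - start, spt, heads, hidden=start)
    bpb = parse_bpb(boot)
    image[start * SECTOR:(start + 1) * SECTOR] = boot
    fat = b"\xF8\xFF\xFF" + bytes(bpb["spf"] * SECTOR - 3)
    f1 = (start + bpb["reserved"]) * SECTOR
    image[f1:f1 + 2 * len(fat)] = fat + fat
    image[f1 + 2 * len(fat):f1 + 2 * len(fat) + 12] = b"TESTDISK   \x08"  # label
    struct.pack_into(PART_FMT, image, 446, 0x80, b"\0\0\0", 0x06, b"\0\0\0",
                     start, total - start)
    image[510:512] = b"\x55\xAA"
    return image, boot, bpb

def demo_recovery():
    image, boot, bpb = build_image()
    for lba in michelangelo_damage(4, 8, 32):      # simulate the overwrite
        image[lba * SECTOR:(lba + 1) * SECTOR] = bytes(SECTOR)
    before = map_partition(image, 32, bpb)
    after = recover(image, 32, boot)
    big = build_boot_sector(200_000, 63, 16, hidden=63)   # large volume
    struct.pack_into("<H", big, 0x13, 0xFFFA)      # what Sven observed
    hit = check_total_sectors(parse_bpb(big), 200_000)
    struct.pack_into("<H", big, 0x13, 0)           # Sven's fix: 13h back to 0
    fixed = check_total_sectors(parse_bpb(big), 200_000)
    return before, after, hit, fixed
```

With this geometry the damage set covers the MBR, the boot record and all of FAT1, while FAT2 and the root directory sit beyond sector 9 of head 1 and survive, which is the case Frisk's note says is worth attempting; `recover` refuses when FAT2 is gone too, since that is the point at which the note sends the disk to a professional service.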
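Olivier Montanuy's warning above is that the CRCs VALIDATE computes are error-detection codes, not an authentication mechanism, and that "simple polynomial arithmetic" is all that separates the two. The Python below is an added example, not code from the digest or from McAfee: it uses the standard CRC-32 from zlib rather than VALIDATE's own polynomials, and the manifest layout, `verify_package` and the constructed TV.COM / TV_SPOIL.COM sample bytes are assumptions. It shows the algebraic property behind his point, that CRC is affine over GF(2) so the checksum of a modified file is a predictable function of the original and the change, whereas a cryptographic hash has no such structure, and it records both the file length (his interim advice) and SHA-256 in the manifest a package should ship with.

```python
"""Why a CRC cannot do what VALIDATE is used for, and what a package
manifest should carry instead.  Added example, not from the digest or
from McAfee; the manifest format and sample files are assumptions."""
import hashlib
import zlib

def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc_is_affine(a, b):
    """CRC-32 is affine over GF(2): for equal-length inputs
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).  Any checksum with this
    structure lets the effect of a change be computed in advance, which
    is why a CRC is a transmission-error check and not an integrity
    guarantee against a deliberate modification."""
    assert len(a) == len(b)
    zeros = bytes(len(a))
    return crc32(xor_bytes(a, b)) == crc32(a) ^ crc32(b) ^ crc32(zeros)

def sha256_is_affine(a, b):
    """The same identity does not hold for a cryptographic hash."""
    h = lambda d: int.from_bytes(hashlib.sha256(d).digest(), "big")
    return h(xor_bytes(a, b)) == h(a) ^ h(b) ^ h(bytes(len(a)))

def make_manifest(files):
    """files: {name: bytes}.  Record length and SHA-256 per file."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}

def verify_package(files, manifest):
    """Return the sorted names that fail: missing, unexpected, or altered."""
    bad = set(files) ^ set(manifest)
    for n in set(files) & set(manifest):
        if (len(files[n]), hashlib.sha256(files[n]).hexdigest()) != manifest[n]:
            bad.add(n)
    return sorted(bad)

# Constructed sample "package": a text stand-in for TV.COM and a copy of the
# same length with a few bytes altered, as in Olivier's TV_SPOIL.COM.
TV_COM = b"TINY VIEW v1.0 - public domain file viewer\r\n" * 4
TV_SPOIL = TV_COM[:20] + b"SPOILED" + TV_COM[27:]

def demo_integrity():
    manifest = make_manifest({"TV.COM": TV_COM})
    same_len = len(TV_COM) == len(TV_SPOIL)          # length alone cannot tell
    failed = verify_package({"TV.COM": TV_SPOIL}, manifest)
    return (same_len, failed,
            crc_is_affine(TV_COM, TV_SPOIL), sha256_is_affine(TV_COM, TV_SPOIL))
```

A manifest of this kind still has to reach the user through a channel the attacker cannot rewrite (today that means a signature over the manifest), which is the part a checksum printed in a README inside the same archive never provided.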