informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/messages/vi900906.vir

5239 lines
183 KiB
Plaintext
Raw Normal View History

Initial commit
2021-04-15 11:31:59 -07:00
Msg#: 2473 *Virus Info*
08-19-90 09:46:00 (Read 11 Times)
From: PATRICIA HOFFMAN
To: KEN DORSHIMER
Subj: RE: CRC CHECKING
<KD>the deal is that the invading program would have to know how the CRC
<KD>your
<KD>program uses works. otherwise it would have a (bytes changed!/bytes in
<KD>file!)
<KD>chance of succeeding, or somewhere in that neighborhood...
<KD>
Except in the case of Stealth Viruses....CRC checking doesn't work with them.
Patti
--- msged 1.99S ZTC
* Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158)
Msg#: 2474 *Virus Info*
08-19-90 09:50:00 (Read 9 Times)
From: PATRICIA HOFFMAN
To: SHEA TISDALE
Subj: FILE ECHO?
<ST>Hey, what happened to connecting my system to the file echo?
<ST>
<ST>I have sent numerous netmail messages to you since you sent the info
<ST>on setting it up and have not had a reply yet.
Recheck your netmail, I sent a reply after receiving the message "What is
Tick?" indicating that you need to be running Tick in order to be able to
participate in the file echo since that is how the files are processed and
extra files go with the .zip files that carry the description. Tick is
available from most SDS nodes.
Patti
--- msged 1.99S ZTC
* Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158)
Msg#: 2475 *Virus Info*
08-16-90 11:56:00 (Read 8 Times)
From: MIKE DURKIN
To: WARREN ANDERSON
Subj: RE: INTERNET WORM
> I am interested in obtaining the list of passwords used by the
> Internet worm in the US. I am the administrator of several
The list is in the McAfee/Haynes book ("computer viruses,
worms...threats to your system") (pgs 89-91)...
I'll type it in for you if you can't find the book locally...
Mike
--- RBBSMail 17.3A
* Origin: The TeleSoft RBBS (RBBS 1:143/204)
Msg#: 2476 *Virus Info*
08-19-90 14:51:00 (Read 9 Times)
From: MIKE DURKIN
To: JAMES DICK
Subj: REPLY TO MSG# 2473 (RE: CRC CHECKING)
> You might want to take a look at McAfee's FSHLD*.ZIP. This is a new
> anti-virus program from the creator of SCAN that is designed
> specifically for developers. It will build a 'shield' into an
> application such that the application _cannot_ be infected and if it
> does become infected, will remove that infection after execution but
> prior to running. You will find it in the virus scanners area of many
Jim... this is a little mis-leading... all programs will become infected
but FSHLD will remove it for most viruses.. for viruses like 4096, FSHLD
won't remove or even know/announce that the file is infected...
When FSHLD can remove a virus, 'after execution but before running'
really makes no difference since a resident virus will still go TSR and
a direct action virus will still do it's infecting of other programs...
But all things considered... I definately agree that FSHLD is a must
have...
Mike
--- RBBSMail 17.3A
* Origin: The TeleSoft RBBS (RBBS 1:143/204)
Msg#: 2477 *Virus Info*
08-20-90 04:44:00 (Read 8 Times)
From: KEN DORSHIMER
To: PATRICIA HOFFMAN
Subj: RE: SCANV66B RELEASED
On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said:
<KD>>does this mean i should erase the old scanv66 that i just d/l'd from
<KD>>SDN?
<KD>>:-(
<KD>>
PH> Yep, ScanV66 has a bug or two in it involving the validate codes it
PH> can add to the end of files. The validate codes were not being
PH> calculated correctly in
PH>
swell. think i'll wait for the next release.
ps, you have net-mail waiting. :-) BTW why on earth would anyone take time
off from a disneyland vacation to call a bbs? <grin>
...Your attorney is in the mail...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 2478 *Virus Info*
08-20-90 04:46:00 (Read 9 Times)
From: KEN DORSHIMER
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2476 (RE: CRC CHECKING)
On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said:
<KD>>the deal is that the invading program would have to know how the CRC
<KD>>your
<KD>>program uses works. otherwise it would have a (bytes changed!/bytes in
<KD>>file!)
<KD>>chance of succeeding, or somewhere in that neighborhood...
<KD>>
PH> Except in the case of Stealth Viruses....CRC checking doesn't work
PH> with them.
PH>
i'd have to see that for myself. i think a complex enough algorithm would
keep them at bay. the probability factor is just too low for such a stealth
scheme to work.
...Your attorney is in the mail...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 2479 *Virus Info*
08-20-90 04:50:00 (Read 9 Times)
From: KEN DORSHIMER
To: MIKE DURKIN
Subj: REPLY TO MSG# 2478 (RE: CRC CHECKING)
On 19-Aug-90 with bulging eyes and flailing arms Mike Durkin said:
>> You might want to take a look at McAfee's FSHLD*.ZIP. This is a new
>> anti-virus program from the creator of SCAN that is designed
>> specifically for developers. It will build a 'shield' into an
>> application such that the application _cannot_ be infected and if it
>> does become infected, will remove that infection after execution but
>> prior to running. You will find it in the virus scanners area of many
MD> Jim... this is a little mis-leading... all programs will become
MD> infected but FSHLD will remove it for most viruses.. for viruses like
MD> 4096, FSHLD won't remove or even know/announce that the file is
MD> infected... When FSHLD can remove a virus, 'after execution but before
i have some misgivings about this particular protection scheme myself. i
don't like embedding someone else's stuff into my executables, partly for
licensing reasons. not to knock what is probably a good idea...
...Your attorney is in the mail...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 2653 *Virus Info*
08-20-90 17:09:00 (Read 10 Times)
From: TALLEY RAGAN
To: MIKE MCCUNE
Subj: RE: REMOVING JOSHI
In a message to Philip Laird <08-16-90 14:09> Mike Mccune wrote:
MM>> Just be sure to boot off a clean diskette to remove the
MM>>virus from memory, otherwise the virus will not be removed.
MM>> If RMJOSHI is used on an unifected hard drive, it will
MM>>destroy the partition table. This next program, RETURN.COM
MM>>will restore the partition table.
MM>> I will post this program in my next listing...<MM>.
Does this mean that RMJOSHI.COM, if run on an uninfected hard
drive by it self is a virus?
Talley
--- ZAFFER v1.01
--- QuickBBS 2.64 [Reg] Qecho ver 2.62
* Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9)
Msg#: 2654 *Virus Info*
08-21-90 09:32:00 (Read 10 Times)
From: PATRICK TOULME
To: MIKE MCCUNE
Subj: RE: HAVE ANYONE TRIED SECURE ?
MM> I have tried Secure and have found it to be the only interrupt moniter
MM> that will stop all the known viruses.
Mike perhaps you should add a caveat to that statement. Secure
neither detects, nor does it stop, Virus-101.
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2655 *Virus Info*
08-21-90 12:11:00 (Read 8 Times)
From: PAUL FERGUSON
To: HERB BROWN
Subj: KEYBOARD REMAPPING (AGAIN)...
Herb,
I stand corrected on that last bit of dialogue....You are
correct, indeed.....But, you know what I mean along those lines of
getting what you don't expect, whether damaging or not, NO ONE wants
the unexpected on thier system.....Touche!
-Paul ^@@^........
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2656 *Virus Info*
08-21-90 22:29:00 (Read 10 Times)
From: PATRICIA HOFFMAN
To: YASHA KIDA
Subj: AKA AND BBS HANDLES
YK> What is the rule in this message echo concerning BBS HANDLES?
YK> Would like some clarification, I have users expressing interest in
YK> using bbs handles in this echo, since they are seeing them used .
YK> As you can see I have not allowed this, feeling this echo to be
YK> professial in nature.
YK>
YK> I understand the use of AKA names in this echo maybe needed.
YK>
YK> Example :
YK> After my SITE Manager saw my interest in viruses, I was called in to
YK> his office. After explaining my reseach, was to protect not to infect,
YK> he relaxed.
YK>
[Note: the above quote is muchly editted....]
Yasha, Aliases are ok in this echo, as long as the Sysop of the system where
the messages originate knows who the user is and can contact him if the need
arrises. I fully understand the sitation that you describe about your Site
Manager...which is a fully valid reason to use an alias here. I used to use
the alias of "Merry Hughes" for exactly that reason!
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2657 *Virus Info*
08-21-90 22:32:00 (Read 9 Times)
From: PATRICIA HOFFMAN
To: KEN DORSHIMER
Subj: REPLY TO MSG# 2477 (RE: SCANV66B RELEASED)
KD> swell. think i'll wait for the next release.
KD> ps, you have net-mail waiting. :-) BTW why on earth would anyone take
KD> time
KD> off from a disneyland vacation to call a bbs? <grin>
<laughing> I was eating dinner or lunch while entering those messages, then we
went back to Dizzyland and Knott's. Besides, I had to see what you guys were
up to while I was gone.....Mom instinct....what can I say?
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2658 *Virus Info*
08-22-90 18:21:00 (Read 8 Times)
From: HERB BROWN
To: PAUL FERGUSON
Subj: REPLY TO MSG# 2655 (KEYBOARD REMAPPING (AGAIN)...)
With a sharp eye <Aug 21 12:11>, Paul Ferguson (1:204/869) noted:
PF>Herb,
PF> I stand corrected on that last bit of dialogue....You are
PF>correct, indeed.....But, you know what I mean along those lines of
PF>getting what you don't expect, whether damaging or not, NO ONE wants
PF>the unexpected on thier system.....Touche!
PF>-Paul ^@@^........
I knew what you meant. Glad to know you do too. :-) ( No flame intended )
--- QM v1.00
* Origin: Delta Point (1:396/5.11)
Msg#: 2659 *Virus Info*
08-22-90 05:37:00 (Read 8 Times)
From: KEN DORSHIMER
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2657 (RE: SCANV66B RELEASED)
On 21-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said:
KD>> swell. think i'll wait for the next release.
KD>> ps, you have net-mail waiting. :-) BTW why on earth would anyone take
KD>> time
KD>> off from a disneyland vacation to call a bbs? <grin>
PH> <laughing> I was eating dinner or lunch while entering those
PH> messages, then we went back to Dizzyland and Knott's. Besides, I had
PH> to see what you guys were up to while I was gone.....Mom
PH> instinct....what can I say?
PH>
did you go on the roller coaster at Knotts that looks like a corkscrew? my
personal favorite after a big dinner. <erp!>
in other news there was a report <<unconfirmed>> that there is a hack of
lharc floating around called lharc190. might want to keep an eyeball open for
it. what am i doing up at this hour? just got thru writting the docs for a
program <yawn>. as usual, the program looks better than the docs. have fun,
see ya.
...All of my dreams are in COBOL...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 2660 *Virus Info*
08-20-90 15:40:00 (Read 9 Times)
From: RON LAUZON
To: PAUL FERGUSON
Subj: RE: KEYBOARD REMAPPING....
yes, it is possible to re-map the keyboard from a remote system. However, most
people are protected by this because the term program rather than ANSI.SYS is
handling the ANSI escape sequences.
If you are using a "dumb" terminal that has no terminal emulation and allowing
ANSI.SYS to handle your screen formatting, you may be in trouble.
--- Telegard v2.5i Standard
* Origin: The Flight of the Raven (313)-232-7815 (1:2200/107.0)
Msg#: 2661 *Virus Info*
08-21-90 20:29:00 (Read 8 Times)
From: MARTIN NICHOL
To: MICHAEL TUNN
Subj: WHAT'S THE SOLUTION?
mt said => It seems to me our Virus checking programs will just
mt said => get bigger and bigger as more viruses and strains of
mt said => the same viruses are discovered. If so (and if their
mt said => development is excelerating) then we may find in the
mt said => near future that it has become impossiable to deal
mt said => with the outbreaks!
mt said => Do we do develop new Operating Systems which are far
mt said => more secure!
Develope different virus scanning programs. Make them more generic where virus
signatures/characteristics can be kept in a seperate file and the virus scanner
just reads the file and interprets it accordingly.
---
* Origin: JoJac BBS - (416) 841-3701. HST Kettleby, ON (1:250/910)
Msg#: 2683 *Virus Info*
08-22-90 22:55:00 (Read 8 Times)
From: FRED ENNIS
To: ALL
Subj: VIRUS-486COMP.*
FORWARDED BY James Dick of 1:163/118
QUOTE ON
I've been informed by "reliable sources" that there's a file floating around
called 486COMP.* (select your favourite packing method) which claims to "show
you the difference between your machine and a 486".
.
When run, the program flashes a "too big for memory" message, and aborts.
.
Then, the next time you boot, you're informed that you have the "Leprosy 1.00"
virus which then hangs the machine.
.
After you manage to boot from a floppy, you find that COMMAND.COM has been
altered, although the date, time, and size appear not to have been changed.
Just thought you'd like to know.
Cheers!
Fred
--- msged 1.99S ZTC
* Origin: Page Six, POINT of order Mr. Speaker (1:163/115.5)
Msg#: 2684 *Virus Info*
08-22-90 11:07:00 (Read 8 Times)
From: SHEA TISDALE
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2474 (FILE ECHO?)
Thanks Patricia...
I am all ready to go now. Just poll your board?
---
* Origin: >- c y n o s u r e -< 919-929-5153 <XRS> <HST> (1:151/501)
Msg#: 2685 *Virus Info*
08-20-90 21:50:00 (Read 9 Times)
From: TOM PREECE
To: PAUL FERGUSON
Subj: RE: KEYBOARD REMAPPING VIA COMMUNICA
I can't help but wonder if Herb was experiencing something that suggested that
kind of remapping. Lately I have been experiencing keyboard problems that seem
to act like that. When I use my down or left arrow the \ and | symbols toggle.
I can correct this when it happens by hitting the left hand shift key - but not
the right. And tonight it seems as if I am occaissionaly transposing caps on
and off.
If either of you hears a virus like this I'd like to know. Q&A tested my
memory and keyboard fine. Scanv66 detected nothing.
--- TBBS v2.1/NM
* Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)
Msg#: 2738 *Virus Info*
08-23-90 23:49:00 (Read 7 Times)
From: PHILLIP LAIRD
To: PATRICIA HOFFMAN
Subj: ONTARIO VIRUS
Patty, have you heard of such a Virus? I was in the TAG Support Echo and saw
a message about a TAG Sysop who contracted that virus. Any Info? Supposedly
the Virus is scanned in version SCANV66.ZIP.
????
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 2739 *Virus Info*
08-22-90 12:55:00 (Read 7 Times)
From: PAUL FERGUSON
To: EVERYONE
Subj: MOM!
Patti-
Mom, huh?...What can you say?..It seems it has already been said!
-Paul <wide grin on this one>
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2740 *Virus Info*
08-23-90 12:06:00 (Read 8 Times)
From: PAUL FERGUSON
To: TOM PREECE
Subj: REMAPPING...
Hello, Tom...
.
More than likely there was nothing like that at all. Keyboard
remapping is an extremely complicated process and would take more than
forethought on the part of the programmer. What you have seen us
talking about here is figurative at best and personally, I would have
to see it to believe it. (you know the old saying: "Believe none of
what you hear and only half of of what you see."?) Although I do
believe that is quite possible under the proper circumstances, it would
indeed be a rare occurance. Sometimes when receiving odd characters
during telecommunications or not getting the exact same keys that you
typed could be attributed to disparity (parity differences), differing
data bits, stop bits, or even simply ANSI interpretation problems
between Comm Programs. I've seen the smallest, simplest things like
that have people pulling their hair out by the roots!
.
.....Clarke's Third Law
Any sufficiently advanced technology is indistinguishable from
magic.
.
.
-Paul ^@@^........
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2741 *Virus Info*
08-17-90 01:51:00 (Read 8 Times)
From: YEN-ZON CHAI
To: DOUG BAGGETT
Subj: ANTI VIRUS VIRUSES
DB> well..here is a question..where exactly did viruses originate
DB> anyway..was it in this country or others?
Probably where hacker exists, virus exists.
--- outGATE v2.10
# Origin: SIGnet International GateHost (8:7501/103)
* Origin: Network Echogate (1:129/34)
Msg#: 2742 *Virus Info*
08-22-90 17:49:00 (Read 8 Times)
From: KEVIN HIGGINS
To: MIKE MCCUNE
Subj: REPLY TO MSG# 2654 (RE: HAVE ANYONE TRIED SECURE ?)
I took a look at it, but to be realistic, when you run a BBS, or are
continuously updating your files as new releases come out, you could easily get
to the point where you spend more time reconfiguring the anti-virus program
than you would getting any work done. I find it much more efficient to scan
every file for viruses as soon as I get it on my system, then rezip it, if I'm
not going to use it... a simple .bat file can be used such that if you want to
check multiple files, you can just feed the file names on the command line and
let the .bat file take care of unzipping, scanning and rezipping the file.
Be best if someone would write a program that would do this, but I haven't
found one yet.
Kevin
--- TAGMAIL v2.40.02 Beta
* Origin: The Hornet's Nest BBS (1:128/74)
Msg#: 2743 *Virus Info*
08-22-90 21:52:00 (Read 8 Times)
From: CY WELCH
To: PAUL FERGUSON
Subj: REPLY TO MSG# 2660 (KEYBOARD REMAPPING....)
In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote:
PF> Isn't it possible to remap some (or any) keyboard functions via
PF> communications with some funky ANSI control characters?....I seem to
PF> remember mention of this somewhere.....I really can't remember if was
PF> in the form of a question, though, or an answer.....It also made
PF> mention of PKWares' Safe-ANSI program...Somebody help us out here...
I think most of the "FAST" ansi replacements do not have the keyboard remapping
so that danger is removed in those cases.
--- XRS! 3.40+
* Origin: Former QuickBBS Beta Team Member (99:9402/1.1) (Quick 1:125/122.1)
Msg#: 2744 *Virus Info*
08-24-90 15:14:00 (Read 8 Times)
From: PATRICIA HOFFMAN
To: ALL
Subj: VIRUS RESCUE & F-PROT RELEASES
The latest version of Fridrik Skulason's F-PROT anti-viral program is now
available for download from my system as FPROT112.ZIP. The program can also be
file requested as F-PROT, which will always return the latest copy I have
available. This program is actually a "suite" of programs for use in
preventing and detecting viruses and trojans. The program originates in
Iceland, and so updates to it reaching my system for distribution have been
rather sporatic.
The other new anti-viral program available on my system is Virus Rescue. Virus
Rescue is from Tacoma Software, and is a shell for invoking ViruScan, CleanUp,
and VCopy from McAfee Associates. Unlike other shell programs I've seen, this
one should not require updates every time a new release of Scan comes out. It
picks up its virus information from the VIRLIST.TXT file which is packaged with
Scan and CleanUp. It will be handy for those who have trouble with the Scan
and CleanUp command line switches, or who want the VIRLIST.TXT information
converted to english sentences. This is a first public release, so I expect we
may see some changes in this product in the future. Virus Rescue can be
downloaded from my system as RESQ01.ZIP.
Both programs are also file requestable by other systems. File requests should
ask for magic file names as follows:
F-PROT for the latest copy of F-PROT (currently FPROT112.ZIP)
RESCUE for the latest version of Virus Rescue
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2745 *Virus Info*
08-24-90 23:37:00 (Read 9 Times)
From: KEN DORSHIMER
To: KEVIN HIGGINS
Subj: REPLY TO MSG# 2742 (RE: HAVE ANYONE TRIED SECURE ?)
On 22-Aug-90 with bulging eyes and flailing arms Kevin Higgins said:
KH> I took a look at it, but to be realistic, when you run a BBS, or are
KH> continuously updating your files as new releases come out, you could
KH> easily get to the point where you spend more time reconfiguring the
KH> anti-virus program than you would getting any work done. I find it
KH> much more efficient to scan every file for viruses as soon as I get it
KH> on my system, then rezip it, if I'm not going to use it... a simple
KH> .bat file can be used such that if
KH>
KH> you want to check multiple files, you can just feed the file names on
KH> the command line and let the .bat file take care of unzipping,
KH> scanning and rezipping the file. Be best if someone would write a
KH> program that would do this, but I haven't found one yet. Kevin
KH>
sounds like a plan to me. it would actually be fairly simple to write a
program to look at all the files in your upload directory, unpack them based
on the extension, scan them, then re-compress them (if needed). of course
you'd still have to manually put the now scanned files into the proper
catagory directories yourself. when do you need it and what's it worth? :-)
...All of my dreams are in COBOL...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 2746 *Virus Info*
08-23-90 15:23:00 (Read 8 Times)
From: MIKE MCCUNE
To: TALLEY RAGAN
Subj: REPLY TO MSG# 2653 (RE: REMOVING JOSHI)
No, it just modifies the partition record to remove the virus.
If the virus isn't there, it still modifies the partition
record. Return.com just reverses the modifications done to the
partition table. I will post an improved version of RMJOSHI that
scans the partition record for the virus before modifying
it...<MM>.
--- KramMail v3.15
* Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)
Msg#: 2747 *Virus Info*
08-23-90 15:26:00 (Read 8 Times)
From: MIKE MCCUNE
To: PATRICK TOULME
Subj: REPLY TO MSG# 2745 (RE: HAVE ANYONE TRIED SECURE ?)
Maybe I should say all virus that are in the "public domain".
Virus 101 is a research virus that only a few people have (and
you wrote). Nothing is fool proof but Secure is better than any
other interrupt moniter.
--- KramMail v3.15
* Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)
Msg#: 2748 *Virus Info*
08-23-90 07:01:00 (Read 8 Times)
From: YASHA KIDA
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2656 (AKA AND BBS HANDLES)
In a message of <21 Aug 90 22:29:34>, Patricia Hoffman (1:204/869) writes:
PH>
PH> Yasha, Aliases are ok in this echo, as long as the Sysop of the system
PH> where the messages originate knows who the user is and can contact him
PH> if the need arrises. I fully understand the sitation that you
PH> describe about your Site Manager...which is a fully valid reason to
PH> use an alias here. I used to use the alias of "Merry Hughes" for
PH> exactly that reason!
PH>
PH> Patti
I understand AKA names like "MERRY", but I speak of HACKER HANDLES.
like "LINE RUNNER", "DATA BYTE" etc... I must have misunderstood FIDO ECHO
POLICY either way I will drop the subject.
Yasha Kida
--- msged 1.99S ZTC
* Origin: Bragg IDBS, (FT. Bragg, NC - we're gonna kick some booty)
(1:151/305)
Msg#: 2749 *Virus Info*
08-08-90 23:23:00 (Read 7 Times)
From: ALAN DAWSON
To: DAVID SMART
Subj: RE: VIRUS SCANNERS....
DS> You can't win on this! I've been downloading for quite a while
DS> - always running a virus checker on the information. So, where
DS> did our virus come from? Off a shrink-wrapped anti-virus
DS> diskette one of our guys picked up in the US!
Nothing new about this, as people learn all the time. One MAJOR
company (really big, really well known) has shipped shrink-wrapped
viruses twice -- once on purpose! Shrink wrap doesn't keep the bugs
out.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 2750 *Virus Info*
08-08-90 23:31:00 (Read 7 Times)
From: ALAN DAWSON
To: PATRICIA HOFFMAN
Subj: SCAN WEIRDNESS
(All answers gratefully received despite the TO: line)
Anybody heard of this? I've got a floppy with some viruses on it,
among them a SCAN-known Dark Avenger. I SCAN this floppy from the C
drive, and the "hey, nothing to worry about there" report comes back.
Strange. I SCAN it again. This time 'round, SCAN barfs after 64K of
the memory check, telling me Dark Avenger is in memory, power down,
load the .45, get the cyanide tablet ready and so on.
But DA of course is NOT in memory or active in any way. It is,
however, on the floppy, unrun.
The above occurred with SCANV64. Out of curiosity, I cranked up
SCAN-54 and -- EXACTLY the same result.
AST Bravo 286, no TSRs, nothing else loaded, clean (normal) boot
just performed.
I have a bunch of viruses that I don't expect SCAN to find --
ever. But this kind of thing has never happened to me before. Can
anyone match this story, or event?
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 2751 *Virus Info*
08-26-90 00:59:00 (Read 7 Times)
From: STEVEN TREIBLE
To: KEN DORSHIMER
Subj: VOICE NUMBER
Ken,
I haven't mailed the disk yet as you can see. I'd like to have your voice # so
I can talk to instead of sending Net Mail.
Thanks,
Steve.
--- ZMailQ 1.12 (QuickBBS)
* Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)
Msg#: 2752 *Virus Info*
08-25-90 06:10:00 (Read 8 Times)
From: SANDY LOCKE
To: HERB BROWN
Subj: RE: COMMUNICATION VIRALS
PH> However, unless one of the above is occurring, just connecting via
PH> telecom to a system won't directly transmit a virus....
PH>
HB> Well, that is not exactly what I meant. Sorry for the miscommunicatio
HB> should have used an example. I'll have to dig for some old documentat
HB> about z-modem when it first came out. I seem to remember it stating t
HB> locked the directory that a file was able to go to when being download
HB> has something to do with the structure of a .EXE file, or something.
HB> to also remember that it was possible to have the .exe "go were it wan
HB> as defined by this structure. Thus, having some of the file go to a c
HB> part of a drive or memory. It seems wild, but without the docs I read
HB> can't give any details. Thought maybe you could shed some light on th
Well considering that I am hosting chuck forsberg today ... hes down
here for the sco developer forum I will put the question to him
directly... but as one of the suggestors for feature addition to the
protocol in another personna... ZMODEM will INDEED allow one to
transmit a FULL path name... however this is mitigated by the ability
on the receiving end to override the transmitted pathname spec... I
dont really see a problem here... and when I put the question to chuck
I dont see where he will see one either... btw READ the DSZ DOCS and
register the product... that will turn on ALL the neat zmodem
features...
sandy
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2753 *Virus Info*
08-25-90 06:18:00 (Read 15 Times)
From: SANDY LOCKE
To: SKY RAIDER (Rcvd)
Subj: RE: VIRUS ORIGINALS
SR> Doug,
SR> It is my belief that viruses originated in the early days of computing
SR> effort to see what kind of stuff could be done with them, a group of
SR> programmers (financed by the US government as I recall) institued a se
SR> programs that would attempt to 'beat' others in taking over a computer
SR> system. These programs led to a gaming system known as the CORE WARS.
SR> today there is an International Core Wars Society.
SR> I think it can be easily seen how a program to destroy/circumvent a st
SR> operating system can develope into a virus.
SR> I tried to double check this information for accuracy, names, dates, e
SR> but it seems I have deleted this file. I will try to get further info
SR> you, but beleive this info is shrouded in secrecy, and may be hard to
SR> relocate.
SR> So, the original viruses did come from the US (and even possibly with
SR> government help).
SR> Ivan Baird
SR> * Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K>
SR> (1:255/3)
WHAT a LOAD of UNADULTERATED CRAP... redcode is simply a GAME created by
bored programmers... ORIGINAL CORE WARS games were created as far back
as 1969 back on the OLD IBM 360 architectures under both OS/MFT and
OSMVT OS's... neither had anything to do with so-called secret
financing by the US government...BTW I was AROUND and A Systems
Programmer during that period... we created our own versions when we
heard of the rumours... it was an old system programmers game designed
to give Egotistal programmers some lighthearted fun... at this point
ALL code ran in real Address space and redcode hadnt even been though
of... the MUCH later article by Scientific American in 1979 gave this
fun with out harm via the redcode interpreter implemented on early 6502
and 8080 systems... really... I am going to have to move to canada...
sounds like there are some really potent and fun drugs in circulation
up there... jeese... what a simp...
sandy
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2754 *Virus Info*
08-25-90 06:19:00 (Read 14 Times)
From: SANDY LOCKE
To: STEVE HOKE
Subj: REPLY TO MSG# 2752 (RE: COMMUNICATION VIRALS)
SH> In a message to Herb Brown <15 Aug 90 17:44:00> Patricia Hoffman wrote
PH> The only way a virus could be directly transmitted via a
PH> telecommunications link ...
PH> is if the particular "service" has a feature where they upgrade
PH> their software on your system when you connect.
SH> Is there any commercial system that does this? I don't know of one, bu
SH> like to know what types of systems to be wary of.
SH> Steve
just one word for you... PRODIGY avoid it like the plague...
sandy
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2755 *Virus Info*
08-25-90 06:25:00 (Read 9 Times)
From: SANDY LOCKE
To: MIKE MCCUNE
Subj: REPLY TO MSG# 2747 (RE: HAVE ANYONE TRIED SECURE ?)
MM> I have tried Secure and have found it to be the only interrupt moniter
MM> that will stop all the known viruses. It won't stop the boot viruses,
MM> obviously (because a boot virus loades before Secure does), but it wil
MM> detect them as soon as Secure is loaded. Secure is hard to configure,
MM> but once it is configured, it will give few false alarms. With string
MM> scanners becoming increasingly easy to defeat, Secure may be the way t
MM> go for virus protection...<MM>.
well kiddies... a certain couple of anti-viral types on HOMEBASE BBS
managed to sting SECURE with modified version of JER-B... one of them
continues to find holes with the same tool... SECURE is simply NOT
SECURE...
sandy
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2756 *Virus Info*
08-25-90 06:31:00 (Read 9 Times)
From: SANDY LOCKE
To: KEN DORSHIMER
Subj: REPLY TO MSG# 2479 (RE: CRC CHECKING)
KD> On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman sai
KD> <KD>>the deal is that the invading program would have to know how the
KD> <KD>>your
KD> <KD>>program uses works. otherwise it would have a (bytes changed!/by
KD> <KD>>file!)
KD> <KD>>chance of succeeding, or somewhere in that neighborhood...
KD> <KD>>
PH> Except in the case of Stealth Viruses....CRC checking doesn't work
PH> with them.
PH>
KD> i'd have to see that for myself. i think a complex enough algorithm wo
KD> keep them at bay. the probability factor is just too low for such a st
KD> scheme to work.
KD> ...Your attorney is in the mail...
check out Gilmore Data Systems in LA authors of the OLD FICHECK and
XFICHECK... the techniques is called CRC padding after the addition of
the viral code the file is padded with a given number of bytes to make
the CRC Polynomial come out with the same result... the FCB is then
Patched to the original file length leaving nothing for standrad CRC
checkers to detect... Childs play really...
sandyp.s. in the case of most stealth viruses... the file read
code is simply altered to disinfect the file as the CRC checking
program reads it... agains simply childs play...
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2757 *Virus Info*
08-25-90 06:32:00 (Read 10 Times)
From: SANDY LOCKE
To: PATRICK TOULME
Subj: REPLY TO MSG# 2755 (RE: HAVE ANYONE TRIED SECURE ?)
MM> I have tried Secure and have found it to be the only interrupt moniter
MM> that will stop all the known viruses.
PT> Mike perhaps you should add a caveat to that statement. Secure
PT> neither detects, nor does it stop, Virus-101.
Right on Patrick...
sandy
p.s. Damn nice design on the code complex as HELL....
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2758 *Virus Info*
08-25-90 06:36:00 (Read 9 Times)
From: SANDY LOCKE
To: PAUL FERGUSON
Subj: REPLY TO MSG# 2740 (RE: REMAPPING...)
PF> Hello, Tom...
PF> .
PF> More than likely there was nothing like that at all. Keyboard
PF> remapping is an extremely complicated process and would take more than
PF> forethought on the part of the programmer. What you have seen us
PF> talking about here is figurative at best and personally, I would have
PF> to see it to believe it. (you know the old saying: "Believe none of
PF> what you hear and only half of of what you see."?) Although I do
PF> believe that is quite possible under the proper circumstances, it woul
PF> indeed be a rare occurance. Sometimes when receiving odd characters
PF> during telecommunications or not getting the exact same keys that you
PF> typed could be attributed to disparity (parity differences), differing
PF> data bits, stop bits, or even simply ANSI interpretation problems
PF> between Comm Programs. I've seen the smallest, simplest things like
PF> that have people pulling their hair out by the roots!
PF> .
PF> .....Clarke's Third Law
PF> Any sufficiently advanced technology is indistinguishable from
PF> magic.
PF> .
PF> .
PF> -Paul ^@@^........
well paul normally on hombase you are quite lucid... but as a long
time programmer I can testify the keyboard mapping is really quite
simple... no real problem and the business of using terminal control
code is quite as simple...
sandy
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2759 *Virus Info*
08-25-90 06:39:00 (Read 9 Times)
From: SANDY LOCKE
To: CY WELCH
Subj: REPLY TO MSG# 2743 (RE: KEYBOARD REMAPPING....)
CW> In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote:
PF> Isn't it possible to remap some (or any) keyboard functions via
PF> communications with some funky ANSI control characters?....I seem to
PF> remember mention of this somewhere.....I really can't remember if was
PF> in the form of a question, though, or an answer.....It also made
PF> mention of PKWares' Safe-ANSI program...Somebody help us out here...
CW> I think most of the "FAST" ansi replacements do not have the keyboard
CW> remapping so that danger is removed in those cases.
Well if you are referring to FANSI.SYS by hershey Microsystems it too
is vunerable to remap effects... and since it implemnt FULL ANSI 3.64
terminal control codes plus some extensions it is even more vunerable
to a whole class of tricks that go way beyond noremally keyboard
remapping... but to there credit they ahve include a way to turn this
"FEATURE" OFF... just most users get it off a BBS and never order or
look at the 50.00 set of docs that come when you pay for the
products...
sandy
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2760 *Virus Info*
08-25-90 08:49:00 (Read 9 Times)
From: PATRICIA HOFFMAN
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 2738 (ONTARIO VIRUS)
PL> Patty, have you heard of such a Virus? I was in the TAG Support Echo
PL> and saw
PL> a message about a TAG Sysop who contracted that virus. Any Info?
PL> Supposedly the Virus is scanned in version SCANV66.ZIP.
Yep, I've heard of this one....I was the one that named it after it was
submitted by Mike Shields (Sysop of 1:244/114). Ontario is a memory resident
generic infector of .COM and .EXE files, including COMMAND.COM. Infected .COM
files will increase in length by 512 bytes. Infected .EXE files will increase
in length between 512 bytes and 1023 bytes on disk drives with standard 512
byte sectors. When files are infected, the virus adds itself to the end of the
program, and then places a jump at the beginning so that the virus's code will
always execute before the program that was infected. Ontario is not a
low-system memory TSR, it goes memory resident installing itself at the top of
free memory, but below the 640K line. Available free memory will decrease by
2,048 bytes. Once the virus has installed itself in memory, any program which
is executed will then become infected.
It was reported with the sample I received from Mike that infected systems may
experience hard disk errors, but I was unable to duplicate that here. This may
only happen in severe infections, I try not to let them get that severe when
I'm working with a virus :-).
Scan V66 and above can detect the Ontario Virus on both .COM and .EXE files.
Unfortunately, Ontario is one of the viruses that uses a "double-encryption"
technique to prevent scanners from being able to use a search string to detect
it, so there isn't a simple way to find it with a hex string and a utility such
as Norton Utilities. As of right now, there aren't any disinfectors available
for the Ontario virus, so if you happen to be infected with it you need to
remove the infected programs and replace them with clean copies from your
uninfected backups or original write-protected distribution diskettes.
A more complete description of the Ontario virus is in VSUM9008, which was
released on August 10. The above is just off of the top of my head, which
happens to hurt right now. Hope it is understandable.....
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2761 *Virus Info*
08-25-90 09:02:00 (Read 10 Times)
From: PATRICIA HOFFMAN
To: YEN-ZON CHAI
Subj: REPLY TO MSG# 2741 (ANTI VIRUS VIRUSES)
YC> DB> well..here is a question..where exactly did viruses originate
YC> DB> anyway..was it in this country or others?
YC>
YC> Probably where hacker exists, virus exists.
YC>
Well, the two oldest known viruses for MS-DOS are the Pakistani Brain and
VirDem. The Brain is from Pakistan, VirDem from West Germany. Both of these
originated in 1986. Both have known authors. The viruses from 1987 include
Jerusalem and the Suriv series from Israel, Alameda/Yale from the United
States, and 405 from Austria or Germany.
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2762 *Virus Info*
08-25-90 09:07:00 (Read 10 Times)
From: PATRICIA HOFFMAN
To: KEVIN HIGGINS
Subj: REPLY TO MSG# 2757 (RE: HAVE ANYONE TRIED SECURE ?)
KH> I took a look at it, but to be realistic, when you run a BBS, or
KH> are continuously updating your files as new releases come out, you
KH> could easily get to the point where you spend more time reconfiguring
KH> the anti-virus program than you would getting any work done. I find it
KH> much more efficient to scan every file for viruses as soon as I get it
KH> on my system, then rezip it, if I'm not going to use it... a simple
KH> .bat file can be used such that if you want to check multiple files,
KH> you can just feed the file names on the command line and let the .bat
KH> file take care of unzipping, scanning and rezipping the file.
KH> Be best if someone would write a program that would do this, but I
KH> haven't found one yet.
You might want to take a look at CheckOut and Shez.
CheckOut uses ViruScan to check .ARC, .PAK, .ZIP, .LZH, and other archive
formats for viruses by automatically creating a temporary directory and
unarchiving the file to it. It then invokes Scan to check the executable
files. One of its nice features is that it will never invoke a program in that
temporary directory, as well as you can have it either delete an infected file
or move it to a badfiles directory. It will also find archives which are
damaged for you. It can be invoked easily from a .BAT file, such as if you
want to run it at midnight against all new uploads.
Shez is another program which can be used to scan inside archives. It is
interactive, so you need to manually invoke it. After you have selected the
archive and listed the contents, hitting ctrl-Z will result in Scan checking
the contents.
There are other scanning shells which handle archived files, though these are
the two that I've used regularly and are the most familiar with. I was also
involved in the beta testing of CheckOut with some known to be infected files,
and it does function properly in that instance. I've also tested Shez with
infected files, and it works well....
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2763 *Virus Info*
08-24-90 16:53:00 (Read 8 Times)
From: PRAKASH JANAKIRAMAN
To: ALL
Subj: LEPROSY
Exactly what is the Leprosy virus supposed to do? I was informed that it had
been included in McAfee's latest version of Scan, but, having never used Scan
before in my life, and never having encountered a virus, are there "symptoms",
shall we say, caused by the Leprosy virus, or for any virus? If there is a
textfile explaining what each virus is capable of doing, and how it can be
detected, I'd like to get a copy of it, if any of you know where I can get
something of that sort.
Also, does anyone have the number to McAfee's BBS? I'd like to become a user
over there as well. (I remember it being in the 408 area code, but I can't
recall the actual number). Anyways, thanks a bunch, all...
Prakash
--- TBBS v2.1/NM
* Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)
Msg#: 2896 *Virus Info*
08-26-90 20:55:00 (Read 9 Times)
From: HERB BROWN
To: SANDY LOCKE
Subj: REPLY TO MSG# 2754 (RE: COMMUNICATION VIRALS)
With a sharp eye <Aug 25 06:10>, Sandy Locke (1:204/869) noted:
SL> Well considering that I am hosting chuck forsberg today ... hes down
SL>here for the sco developer forum I will put the question to him
SL>directly... but as one of the suggestors for feature addition to the
SL>protocol in another personna... ZMODEM will INDEED allow one to
SL>transmit a FULL path name... however this is mitigated by the ability
I have the understanding that other protocols would do this, not by choice.
Without the security on the recieving end, this could be disasterous, to say
the least.. I would be happy to hear what you find.. Speaking of registering
zmodem, is it still free to sysops? You can asnwer that in net-mail.. :-)
--- QM v1.00
* Origin: Delta Point (1:396/5.11)
Msg#: 2897 *Virus Info*
08-24-90 13:39:00 (Read 7 Times)
From: MIKE MCCUNE
To: VESSELIN BONTCHEV
Subj: REPLY TO MSG# 2746 (REMOVING JOSHI)
In your recent letter to me you wrote to me you suggested that I check for the
virus before trying to remove it. Now that I've got a working copy of the Joshi
(and don't have to let someone else test RMJOSHI), I rewrote the program to
check for the virus first.
mov dx,80h
mov cx,1h
mov bx,200h
mov ax,201h
int 13h
or ah,ah
jnz read_error
es:
cmp w[bx],1feb
jnz no_virus
mov cx,000ah
mov ax,301h
int 13h
or ah,ah
jnz write_error
mov cx,9h
mov ax,201h
int 13h
or ah,ah
jnz read_error
mov cx,1h
mov ax,301h
int 13h
or ah,ah
jnz write_error
mov ah,9h
lea dx,remove_message
int 21h
int 20h
remove_message:
db 'Joshi Removed$'
no_virus:
mov ah,9h
lea dx,virus_message
int 21h
int 20h
virus_message:
db 'Joshi not found$'
read_error:
mov ah,9h
lea dx,read_message
int 21h
int 20h
read_message:
db 'Read Error$'
write_error:
mov ah,9h
lea dx,write_message
int 21h
int 20h
write_message:
db 'Write Error$'
I wrote it for the shareware A86, but it should assemble under MASM, TASM or
WASM with minor modifications. Next I will scan the memory for the virus
because the remover won't work while the virus is active in memory....<MM>.
--- Opus-CBCS 1.13
* Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)
Msg#: 2898 *Virus Info*
08-25-90 23:46:00 (Read 6 Times)
From: TALLEY RAGAN
To: MIKE MCCUNE
Subj: REPLY TO MSG# 2897 (RE: REMOVING JOSHI)
In a message to Talley Ragan <08-23-90 15:23> Mike Mccune wrote:
MM>>No, it just modifies the partition record to remove the virus.
MM>>If the virus isn't there, it still modifies the partition
MM>>record.
Thanks for the information. That clears up the question just
fine.
Talley
--- ZAFFER v1.01
--- QuickBBS 2.64 [Reg] Qecho ver 2.62
* Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9)
Msg#: 2899 *Virus Info*
08-23-90 17:31:00 (Read 6 Times)
From: DAVID BURGESS
To: MARTIN NICHOL
Subj: REPLY TO MSG# 2661 (WHAT'S THE SOLUTION?)
In a message to michael tunn <21 Aug 90 20:29:00> Martin Nichol wrote:
MN> mt said => It seems to me our Virus checking programs will just
MN> mt said => get bigger and bigger as more viruses and strains of
MN> mt said => the same viruses are discovered. If so (and if their
MN> mt said => development is excelerating) then we may find in the
MN> mt said => near future that it has become impossiable to deal
MN> mt said => with the outbreaks!
MN> mt said => Do we do develop new Operating Systems which are far
MN> mt said => more secure!
MN> Develope different virus scanning programs. Make them more generic
MN> where virus signatures/characteristics can be kept in a seperate
MN> file and the virus scanner just reads the
MN> file and interprets it accordingly.
That opens the door to having the virus scanner or part of the virus scanner
to become contaminated.
--- [Q] XRS 3.40
* Origin: Eurkea! I've found the secret elephant playground (RAX 1:124/3106.6)
Msg#: 2900 *Virus Info*
08-17-90 21:06:00 (Read 6 Times)
From: CHRIS BARRETT
To: PATRICIA HOFFMAN
Subj: RE: VIRUCIDE V1.2
Thanks for the info.. If ya remeber the name could ya tell us it..
I think i'll stick with the ScanV?? and CleanP?? for now then..
Chris..
--- TBBS v2.1/NM
* Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654)
Msg#: 2901 *Virus Info*
08-17-90 06:26:00 (Read 6 Times)
From: ZEBEE JOHNSTONE
To: ALL
Subj: MAC VIRUS
Anyone know anything about a mac virus which:
Sets the delete flag on any folder with a name which starts with the
letter "o" or higher (eg system...)
IT doesn't actually delete the folder, the machine will still boot, but the
folder is missing from the desktop and the delete flag is set.
Weird one hmm?
---
* Origin: Lighten up! What man can make, man can break! (3:680/813)
Msg#: 2902 *Virus Info*
08-19-90 22:31:00 (Read 6 Times)
From: BRENDON THOMPSON
To: PATRICIA HOFFMAN
Subj: "STONED 2"
Patti, I sent you a message the other day about a new variant of
"Stoned" that I found in Christchurch, New Zealand. It had reference
to some "S & S program for testing anti-virus software" and the
phone number 0494 791900 in it.
I have since had the time to pull it to bits, and it is only the
original "Stoned" virus. The code at the start of the sector is
still the same, but some clown has modified the message after
location 65H.
I'm still pleased to send you a specimen by airmail if you like,
but it ain't "Stoned 2".
Regards..
... Doon.
--- Via Silver Xpress V2.26
* Origin: TONY'S BBS - Gateway to New Zealand. (3:770/101)
Msg#: 2903 *Virus Info*
08-19-90 09:25:00 (Read 6 Times)
From: DONALD ANDERSON
To: FRIAR NESTOR
Subj: RE: LOOKIN' FOR FUN?
I always looking for fun
--- KramMail v3.15
* Origin: get real (3:621/221.0)
Msg#: 2904 *Virus Info*
08-26-90 23:36:00 (Read 7 Times)
From: GLENN JORDAN
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2761 (ANTI VIRUS VIRUSES)
PH> The Vacsina Viruses were written in Bulgaria to seek out and destroy
PH> certain other viruses, or at least that was their original purpose.
In examples of the VACSINA virus I have investigated, I have found the
following odd behavior, which I wonder if you have also noted :
.COM files of over a certain size are infected at first bite, but .EXE
files are different. It takes two Exposures to infect an .EXE file, each of
which adds a bit to the file length, but only at the second exposure do you get
a live virus, signaled by a short beep. A tiny .EXE will take the first
exposure, but never complete on a subsequent exposure to become a live virus.
I wonder if in some way this behavior, which I have not seen in any other
viruses so far, is in some way related to the original "anti-virus" nature of
this beast ?
--- XRS 3.30-DV (286)
* Origin: Jordan Computer Consulting (RAX 1:151/223.3)
Msg#: 2905 *Virus Info*
08-26-90 07:54:00 (Read 6 Times)
From: KEN DORSHIMER
To: SANDY LOCKE
Subj: REPLY TO MSG# 2756 (RE: CRC CHECKING)
On 25-Aug-90 with bulging eyes and flailing arms Sandy Locke said:
SL> check out Gilmore Data Systems in LA authors of the OLD FICHECK and
SL> XFICHECK... the techniques is called CRC padding after the addition of
SL> the viral code the file is padded with a given number of bytes to make
SL> the CRC Polynomial come out with the same result... the FCB is then
SL> Patched to the original file length leaving nothing for standrad CRC
SL> checkers to detect... Childs play really... sandyp.s. in the case of
SL> most stealth viruses... the file read code is simply altered to
SL> disinfect the file as the CRC checking program reads it... agains
SL> simply childs play...
SL>
could you send me this article? i still believe that the virus would have to
know your crc algorithm in order to perform this magic. additionally if the
file is padded, it's size would increase and would be detected that way.
correct? sooo, the person writting the virus would require a copy of your
file to disassemble, see how you performed your checks, then create a means
to circumvent it. sounds like a lot of trouble to me for very little gain.
catch ya on the rebound.
...All of my dreams are in COBOL...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 2906 *Virus Info*
08-26-90 23:58:00 (Read 6 Times)
From: KEN DORSHIMER
To: STEVEN TREIBLE
Subj: REPLY TO MSG# 2751 (RE: VOICE NUMBER)
On 26-Aug-90 with bulging eyes and flailing arms Steven Treible said:
ST> Ken, I haven't mailed the disk yet as you can see. I'd like to have
ST> your voice # so I can talk to instead of sending Net Mail. Thanks,
ST> Steve.
you got it look for it in a net-mail-o-gram. i'd rather not leave it in the
public msg area as everyone would try to call and shoot the breeze. :-)
...All of my dreams are in COBOL...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 2907 *Virus Info*
08-26-90 13:09:00 (Read 6 Times)
From: PAUL BENDER
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2744 (VIRUS RESCUE & F-PROT RELEASES)
* Replying to a message originally to All
PH> Both programs are also file requestable by other systems.
PH> File requests should ask for magic file names as follows:
PH>
PH> F-PROT for the latest copy of F-PROT (currently
PH> FPROT112.ZIP)
PH> RESCUE for the latest version of Virus Rescue
PH>
Would it be possible for you to hatch these out into SDS or arrange for the
authors to do so?
Paul
--- RemoteAccess 0.04a via QEcho 2.
* Origin: -=* Rassi's Retreat *=- 10pm to 8am Only! (615) 831-1338 (1:116/37)
Msg#: 2908 *Virus Info*
08-26-90 12:44:00 (Read 7 Times)
From: PATRICIA HOFFMAN
To: ALL
Subj: VIRUS_INFO INTRODUCTION & RULES
Welcome to the VIRUS_INFO echo. The purpose of this echo is to allow
BBS users and sysops to ask questions about computer viruses and to be
able to get back up-to-date information. Discussion topics may include,
but is not necessarily limited to:
- what are viruses
- how to prevent getting infected
- how to determine if your system is infected
- how to clean up an infected system and salvage as much information
as possible
- reviews and announcements of new anti-viral products and product
releases.
There was a lot of hysteria in the press over the Columbus Day/
DataCrime/October 12 virus, for example, but little mentioned of how
rare the virus is or how to determine if a system is infected with it
and how to remove it. This type of information is an example of what
this echo is intended to carry.
Some messages appearing in this conference may be cross-postings from
the Dirty_Dozen echo which is sysop only. Cross-postings may only be
done by the originator of the message. For example, several of my
messages posted in the Dirty_Dozen echo will be cross-posted here.
Messages from the HomeBase/CVIA BBS run by Mr. John McAfee in Santa
Clara, CA and/or CVIA bulletins may be posted here by Patricia Hoffman,
these are being done with Mr. McAfee's permission. Replies to these
messages, as well as netmail received at 1:204/869 for Mr. McAfee, is
manually transferred to his system as it is received.
Conference rules are very simple.....
1. Discussions of how to write a virus, specific technical discussions
of how a virus works, or anything of an illegal nature, are not
allowed. This rule is *not* open to debate.
2. Messages with a sexually suggestive nature are not allowed, please keep
in mind that minors as well as adults participate in this conference.
3. Discussions of a ethical or retorical nature that lead into a debate are
considered off-topic in that they will not ever be resolved and do not
help anyone. An example in this category would be a discussion in the
area of "Should live viruses or virus disassemblies be made available
to the public?". These questions and topics will be allowed until such
a point that they start to severely disrupt the echo, or start a flame
war. At that point, the moderator will request that the discussion be
discontinued.
4. Be courteous to your fellow echo participants, and remember there
is no such thing as a dumb question, except for the question that some-
one is afraid to ask. Everyone needs to help everyone else understand
viruses and why they are a problem.
5. This conference is not to be distributed thru Group-mail or any
other mail processor which will obscure the ability to track a
message back to an originating system. All messages must have
seen-bys and path statements if the BBSs participatings software
can generate them.
6. If you have a question or problem of an extremely sensitive nature,
consider sending it NetMail to 1:204/869 or 99:9403/2 instead of
posting it here. If you are netmailing a file that you think is
infected, be sure to send a message in NetMail with it so I know
what it is, I'll be sure it gets to someone to get analysed for you.
Do not under any circumstances host route a file that you think is
infected. Suspect files may also be sent on diskette via US Mail
to the following address:
Patricia Hoffman
1556 Halford Avenue #127
Santa Clara, CA 95051
7. This conference is available to FidoNet and EggNet systems.
The conference echomail tag in FidoNet is VIRUS_INFO, in EggNet
the conference is available as E_VIRUS_INFO.
8. This conference is available on the FidoNet Backbone. While you
are welcome to freely pass this echo along to other systems, out
of region links must be approved by moderator of the echo. Gating
the echo into another network or Zone must be approved by the
conference moderator.
9. Opinions are welcome in the conference, however the ethics of the
behavior of people that write viruses, or name calling, is frowned
upon. Likewise, accusations of virus writing are strictly forbidden.
Please keep opinions down to a single message, and do not
repeatedly post them, as these messages tend to water down the
purpose of the conference and degrade the level of information that
is being presented.
10. Handling of off-topic messages or messages that violate the
conference rules will be done by the moderator. First and second
warnings on these messages will be in private Netmail. Please
do not respond to the off-topic messages so that the conference
doesn't get further off-track. Let the moderator do the moderating.
11. Handles are allowed in this conference, however sysops of boards
carrying the conference are expected to be able to determine which
of their users entered a message if a problem arises. This in
effect means, for example, that Opus systems must not set this echo
up to allow anonymous messages.
12. If a matter arises where the moderator needs to contact a participant
in the echo, the moderator will contact the system where the message
was entered and request that the sysop allow the user netmail access,
or call the participant with a request for them to logon to the
moderator's system or provide a phone number with the participant's
permission. Sysops are not expected to provide their users' phone
numbers to the moderator without the user's express permission, their
privacy is important. There are times, however, when a phone call
or chat can resolve a problem much faster than any other route. This is
the only reason for this rule.
12. This echo is not a programming echo for answering questions
on how to code programs in assembler. If you want to exchange
assembler (or any other program language) techniques, please
locate an appropriate programming echo or start your own echo.
Patricia M. Hoffman is the moderator of the VIRUS_INFO echo conference. She
has previously used the name "Merry Hughes" in moderating this conference, and
is the originator of the conference and the original moderator.
Patricia Hoffman is also the author of the Virus Information Summary List, and
is an independent anti-viral researcher.
Please contact the moderator, Patricia Hoffman, at 1:204/869 or 99:9403/2
if you need assistance on setting up an echofeed for this echo to your
system.
thanks...
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2909 *Virus Info*
08-26-90 15:13:00 (Read 7 Times)
From: PATRICIA HOFFMAN
To: PRAKASH JANAKIRAMAN
Subj: REPLY TO MSG# 2763 (LEPROSY)
PJ> Exactly what is the Leprosy virus supposed to do? I was informed that
PJ> it had been included in McAfee's latest version of Scan, but, having
PJ> never used Scan before in my life, and never having encountered a
PJ> virus, are there "symptoms", shall we say, caused by the Leprosy virus,
PJ> or for any virus? If there is a textfile explaining what each virus is
PJ> capable of doing, and how it can be detected, I'd like to get a copy of
PJ> it, if any of you know where I can get something of that sort.
The Leprosy virus is a non-resident overwriting virus. It infects .COM and
.EXE files, overwriting the first 666 bytes of the file. Symptoms of it
include that infected files will not execute properly...instead of what they
are supposed to do, they will upon execution, infect other files then display a
message and end. A complete description of this virus and all (with the
exception of V2P2, V2P6, V2P6 and Stoned II) known MS-DOS viruses as of August
10, 1990 is available in the Virus Information Summary List. Its current
version is VSUM9008.ZIP. It is available on my system at 408-244-0813, as well
as many other systems, including McAfee's BBS. Check around your area before
you make the long distance call, it could save you the phone call cost.
PJ>
PJ> Also, does anyone have the number to McAfee's BBS? I'd like to become a
PJ> user over there as well. (I remember it being in the 408 area code, but
PJ> I can't recall the actual number). Anyways, thanks a bunch, all...
The number of the HomeBase BBS is 408-988-4004. The 9600 HST number is
408-988-5138.
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 2910 *Virus Info*
08-24-90 23:05:00 (Read 7 Times)
From: CY WELCH
To: TALLEY RAGAN
Subj: REPLY TO MSG# 2898 (REMOVING JOSHI)
In a message to Mike Mccune <20 Aug 90 17:09:00> Talley Ragan wrote:
>MM>> Just be sure to boot off a clean diskette to remove the
>MM>>virus from memory, otherwise the virus will not be removed.
>MM>> If RMJOSHI is used on an unifected hard drive, it will
>MM>>destroy the partition table. This next program, RETURN.COM
>MM>>will restore the partition table.
>MM>> I will post this program in my next listing...<MM>.
TR> Does this mean that RMJOSHI.COM, if run on an uninfected hard
TR> drive by it self is a virus?
Actually I think it would fit the description of trojan rather than virus as it
doesn't replicate.
--- XRS! 3.40+
* Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1)
Msg#: 2911 *Virus Info*
08-26-90 21:13:00 (Read 6 Times)
From: TOM PREECE
To: SANDY LOCKE
Subj: REPLY TO MSG# 2758 (RE: REMAPPING...)
As you may see by looking at my other entry's, I have been loading a cache
program that is clearly implementing software to remap my keys to s certain
extent. If this is possible as a glitch, its is obviously possible as an
attack. Let's hope it never comes to that.
--- TBBS v2.1/NM
* Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)
Msg#: 2993 *Virus Info*
08-27-90 07:54:00 (Read 7 Times)
From: JAMES DICK
To: KEN DORSHIMER
Subj: REPLY TO MSG# 2762 (RE: HAVE ANYONE TRIED SECURE ?)
On Fri, 24 Aug, 1990 at the ungodly hour of 23:37, while ducking Broccoli Jello
and drinking jolt, Ken Dorshimer wrote to Kevin Higgins, TO WIT...
KD > sounds like a plan to me. it would actually be fairly simple to write
KD > a
KD > program to look at all the files in your upload directory, unpack them
KD > based
KD > on the extension, scan them, then re-compress them (if needed). of
Sounds like CHECKOUT....available here, homebase excaliber! and others as
CKOT11.*
-={ Jim }=-
--- QM v1.00
* Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada
(1:163/118.0)
Msg#: 2994 *Virus Info*
08-27-90 19:34:00 (Read 6 Times)
From: PHILLIP LAIRD
To: ALAN DAWSON
Subj: REPLY TO MSG# 2750 (RE: SCAN WEIRDNESS)
** Quoting Alan Dawson to Patricia Hoffman **
>among them a SCAN-known Dark Avenger. I SCAN this floppy from
>the C
>drive, and the "hey, nothing to worry about there" report comes
>back.
>Strange. I SCAN it again. This time 'round, SCAN barfs after
>
>--- Opus-CBCS 1.13
> * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand
>(3:608/9.0)
** End of Quote **
Allan, I NEVER SCAN from the C Drive or any hard disk. I always scan from a
write protected Floppy Diskette in Drive A. I also have a third system (Yep
that's right a third system to do all my scanning from. However, I have never
had happen to me what happened to you. I did one time find Scan.EXE infected
at my place of employment when I didn't write protect the floppy and scanned
the b drive, PLEASE write protect the floppy or SCAN.EXE on the hard drive...
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 2995 *Virus Info*
08-27-90 19:50:00 (Read 10 Times)
From: PHILLIP LAIRD
To: SANDY LOCKE
Subj: REPLY TO MSG# 2753 (RE: VIRUS ORIGINALS)
Sandy, maybe this might help. I have read an excellent book on the Subject of
Origins of Viruses, but let me quote you guys first...
** Quoting Sandy Locke to Sky Raider **
>SR> effort to see what kind of stuff could be done with them,
>a group of
>SR> programmers (financed by the US government as I recall)
>institued a se
>SR> programs that would attempt to 'beat' others in taking
>over a computer
>SR> system. These programs led to a gaming system known as
>the CORE WARS.
>SR> today there is an International Core Wars Society.
>
>SR> I think it can be easily seen how a program to destroy/circumvent
>a st
>SR> operating system can develope into a virus.
>
>SR> I tried to double check this information for accuracy,
>names, dates, e
>SR> but it seems I have deleted this file. I will try to get
>further info
>SR> you, but beleive this info is shrouded in secrecy, and
>may be hard to
>SR> relocate.
>
>SR> So, the original viruses did come from the US (and even
>possibly with
>SR> government help).
>
>SR> Ivan Baird
>SR> * Origin: Northern Connection, Fredericton, N.B. Canada
><HST 14.4K>
>SR> (1:255/3)
>WHAT a LOAD of UNADULTERATED CRAP... redcode is simply a GAME
>created by
>bored programmers... ORIGINAL CORE WARS games were created
>as far back
>as 1969 back on the OLD IBM 360 architectures under both OS/MFT
>and
>OSMVT OS's... neither had anything to do with so-called secret
>financing by the US government...BTW I was AROUND and A Systems
>Programmer during that period... we created our own versions
>when we
>heard of the rumours... it was an old system programmers game
>designed
>to give Egotistal programmers some lighthearted fun... at this
>point
>ALL code ran in real Address space and redcode hadnt even been
>though
>of... the MUCH later article by Scientific American in 1979
>gave this
>fun with out harm via the redcode interpreter implemented on
>early 6502
>and 8080 systems... really... I am going to have to move to
>canada...
>sounds like there are some really potent and fun drugs in circulation
>up there... jeese... what a simp...
> sandy
>
>
>--- QM v1.00
> * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813
>(1:204/869.0)
** End of Quote **
O.K. The above message is what I am quoting to you....
If you get a chance, you can pick this book up at Wladen Software at the
following locations in California and maybe other bookstores near you can order
the book, too:
Viruses, A High Tech Disease
By Ralph Burger
Published by Abacus
ISBN 1557550433
Retails at 18.95 US
Can be picked up at the following Walden Software Stores:
Doly City, Ca (415) 756-2430
San Leandro, Ca (415) 481-8884
It starts from way back when...
Phillip Laird
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 2996 *Virus Info*
08-27-90 19:58:00 (Read 7 Times)
From: PHILLIP LAIRD
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2760 (RE: ONTARIO VIRUS)
** Quoting Patricia Hoffman to Phillip Laird **
>after it was submitted by Mike Shields (Sysop of 1:244/114).
> Ontario is a memory resident generic infector of .COM and
>.EXE files, including COMMAND.COM. Infected .COM files will
>increase in length by 512 bytes. Infected .EXE files will
>A more complete description of the Ontario virus is in VSUM9008,
>which was released on August 10. The above is just off of
>the top of my head, which happens to hurt right now. Hope
>it is understandable.....
>
>Patti
>
>
>--- QM v1.00
> * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813
>(1:204/869.0)
** End of Quote **
Yea, I think Mike was the one the message came from I read about. He Was
instrumental in helping us with another problem he found, too. I am sure that
he is on the up and up about the hard disk problems. Nope, I don't have the
Ontario Virus that I know of! I read about the Virus after I had posted to
you, Thanx for the info. Nice to know where it loads in Mem, that would make
a util easier to write once I had a fix on what you have already told me.
I will see if I can locate that message from Mike about the Virus originally
and let you read it...
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 3029 *Virus Info*
08-26-90 14:01:00 (Read 7 Times)
From: RICK WILSON
To: SANDY LOCKE
Subj: RE: CORE WARS
yep core wars was something that a bunch of people that had access to systems
messed with after hours, there was a artical in DDJ a few years ago about a
bunch of em out a Berkely of Stanford or something. really weired how these
folks that have recently ( within the last 8 to 10 years ) become such experts
on micros and mainframes and their history. later...
Rick
--- Telegard v2.5 Standard
* Origin: Telegard BBS (000-000-0000) (1:161/88.0)
Msg#: 3030 *Virus Info*
08-26-90 16:45:00 (Read 7 Times)
From: JOE MORLAN
To: CY WELCH
Subj: KEYBOARD REMAPPING.
In addition to PKWares's Safe-ANSI, ZANSI does not support keyboard remapping.
However, NANSI.SYS does have keyboard remapping.
--- Telegard v2.5 Standard
* Origin: Telegard BBS (000-000-0000) (1:161/88.0)
Msg#: 3070 *Virus Info*
08-30-90 23:11:45 (Read 9 Times)
From: SKY RAIDER
To: SANDY LOCKE
Subj: REPLY TO MSG# 2753 (Re: VIRUS ORIGINALS)
Firstly, I did not wish to anger you (although I seem to have done just this),
but only sought to answer your question to the best of my abilities (which you
seem to doubt).
Secondly, I stand by my original assertions that viruses were developed through
the original Core Wars gaming system. This has been corroborated by various
'virus gurus' here at the local university. In fact, without prompting, one
mentioned Bell Labs. Since, as you state, you are a Systems Programmer - it
should be obvious to yourself that a RedCode program could be easily adapted to
the microcomputer world. It should also be equally as obvious that these
RedCode experiments have laid the groundwork for many of the various virus
types infecting micros today (ie. trojans, worms, etc.).
Thirdly, I did not state, nor did I mean to imply (as you seem to believe),
that these RedCode 'fighter programs' are in fact the viruses we see today -
merely that they (RedCode fighters) provided the techniques for the micro
viruses. Furthermore, since the RedCode experiments were "old system
programmers games designed to give Egoistical programmers some lighthearted
fun", and since it is generally accepted that virus writers are in this for the
same reasons (the egotistical, not the fun), I find it hard to beleive that you
cannot equate the two.
If you will note in the extract below, I am not the only person who who
beleives the RedCode experiments were the forerunners of the modern viruses (in
fact, it may be noted they refer to these as viruses - which, of course, they
were);
From the Sept./89 issue of Popular Science;
Despite all the recent publicity, viruses aren't new. In the 1950's researchers
studied programs the called "self-altering automata," says Mike Holm...
In the 1960s computer scientists at Bell Laboratories had viruses battling each
other in a game called Core Wars. The object was to create a virus small enough
to destroy other viruses without being caught....
Also, just for the record, allow me to mention that this is an American
publication (apparently there are strange drugs down there too).
Again, for the record, allow me to mention that it is fact that Robert Morris,
Sr. was a participant in the Core Wars games. Is it a coincidence that his son
wrote the Internet Virus, or did his father give him the building blocks to
build upon? (With my apologies to the Morris family, but I felt this example
might carry some weight with Know-it-all System Programmers).
To answer your original question, in a form that you may deem acceptable (ie.
no RedCode, no mainframe systems, the US is not the origin - all those naive
things), the original micro virus was (at least in the IBM world, I can not be
sure this applies to early Apple ][ systems, or even the Pets from Commodore)
the "Pakistani Brain", released in Jan. '86.
But it must be noted (although I feel you will reject this also (ie. mainframe,
US, etc)), in Nov. '83, Fred Cohen, in 8 hours wrote a virus which attached
itself to users programs, and proceeded to use this program to gain access to
all system rights (in an average time of 30 mins). Also, although I don't have
a date (the computer name itself may give some indication of age) - on a UNIVAC
1108, with a secure operating system using the Bell-Lapadula model for OS
security, a virus was created that: infected the system in 26 hours, used only
legitimate activity with the Bell-Lapadula rules, and the infection took only
250 (approx.) of code (From "Computer Security: Are Viruses the AIDS of the
Computing Industry?", by Prof. Wayne Patterson, Chairman, Dept. of Computer
Science, University of New Orleans.).
I am not interested in a war of words, so I will suggest some reading before
you go off half cocked to this reply - "Computer Security; A Global Challenge,"
J.W. Finch & E.G. Douglas, eds., Elsevier Science Publishers, North-Holland -
especially the chapters by Fred Cohen. I have not read this, but will try to
when it becomes available to me. Also see the message posted by Phillip Laird.
--- TBBS v2.1/NM
* Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K> (1:255/3)
Msg#: 3154 *Virus Info*
08-28-90 06:33:00 (Read 7 Times)
From: PATRICIA HOFFMAN
To: ALAN DAWSON
Subj: REPLY TO MSG# 2994 (SCAN WEIRDNESS)
AD> Anybody heard of this? I've got a floppy with some viruses on it,
AD> among them a SCAN-known Dark Avenger. I SCAN this floppy from the C
AD> drive, and the "hey, nothing to worry about there" report comes back.
AD> Strange. I SCAN it again. This time 'round, SCAN barfs after 64K of
AD> the memory check, telling me Dark Avenger is in memory, power down,
AD> load the .45, get the cyanide tablet ready and so on.
AD> But DA of course is NOT in memory or active in any way. It is,
AD> however, on the floppy, unrun.
AD> The above occurred with SCANV64. Out of curiosity, I cranked up
AD> SCAN-54 and -- EXACTLY the same result.
AD> AST Bravo 286, no TSRs, nothing else loaded, clean (normal) boot
AD> just performed.
AD> I have a bunch of viruses that I don't expect SCAN to find --
AD> ever. But this kind of thing has never happened to me before. Can
AD> anyone match this story, or event?
There are a couple of possibilities here. First, if the virus is on a
non-executable file, such as one with a .VOM or .VXE extension, Scan won't find
it since it is not one of the file extensions it checks for Dark Avenger. In
this case, a subsequent run of Scan may find it in memory anyways since the DOS
buffers in memory are not cleaned out between program executions. If this is
the case, running Scan with the /A option will find it on any file, regardless
of extension.
Likewise, if your copy of Dark Avenger has ever had a disinfector run against
it, it may have some "dead" Dark Avenger code after the end of file mark, but
within the last sector of the program as allocated on disk. In this case, Scan
won't find it on disk, but may later find it in memory since the code after the
end of file mark was read in with the rest of the last sector of the program to
memory. This is what is sometimes referred to as a "ghost virus", it isn't
really the virus, just dead remnant code remaining in the slack space in the
sector. It can't be executed. Running a disk optimization utility such as
Speed Disk from Norton Utilities will get rid of the "ghost virus". They are
caused by the way DOS fills out the end of the buffer before it writes it out
to disk, doesn't always occur when disinfecting programs, but it sometimes will
occur.
The other case is if your copy of Dark Avenger does not occur at the correct
place in the file. Dark Avenger always adds its code to the End Of Programs.
If your copy happens to have it at the beginning of the program, or perhaps
imbedded in the middle where it shouldn't be, it may not get found. In this
case, your copy doesn't match either of the Dark Avenger's that McAfee has.
Hope that helps....those are the only three cases that I've heard of a similar
problem to yours.
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3155 *Virus Info*
08-28-90 15:16:00 (Read 5 Times)
From: KEN DORSHIMER
To: JAMES DICK
Subj: REPLY TO MSG# 2993 (RE: HAVE ANYONE TRIED SECURE ?)
On 27-Aug-90 with bulging eyes and flailing arms James Dick said:
JD> On Fri, 24 Aug, 1990 at the ungodly hour of 23:37, while ducking
JD> Broccoli Jello and drinking jolt, Ken Dorshimer wrote to Kevin
JD> Higgins, TO WIT...
KD >> sounds like a plan to me. it would actually be fairly simple to write
KD >> a
KD >> program to look at all the files in your upload directory, unpack them
KD >> based
KD >> on the extension, scan them, then re-compress them (if needed). of
JD> Sounds like CHECKOUT....available here, homebase excaliber! and
JD> others as CKOT11.*
JD>
thanks but you might want to tell kevin higgins about that. :-) as for me,
hell i'll write the bloody thing myself. just wouldn't be a day without some
programming in it.
...All of my dreams are in COBOL...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 3156 *Virus Info*
08-27-90 14:14:00 (Read 5 Times)
From: MICHAEL CHOY
To: ALL
Subj: IN THE MAC WORLD
Disinfectant 2.0 was released in July...it has the Disinfectant INIT, which is
like SAM only it removes viruses as well as detecting them..it catches the
Frankie virusa whoch in an old virus that ran on mac emulators for Atari..I
guess nobody has to worry about that...it also has much more info on protecting
yourself from virus and such..
--- Telegard v2.5 Standard
* Origin: Telegard BBS (000-000-0000) (1:161/88.0)
Msg#: 3157 *Virus Info*
08-27-90 20:25:00 (Read 5 Times)
From: JOE MORLAN
To: ALL
Subj: LHARC114?
I had heard that and infected version of LHARC was released last year under the
name LHARC114. I also heard that because of that, the next release of LHARC
was expected to be LHARC200 to avoid confustion with the virus. This week a
file appeared on a local board called LHARC114. I left a message to the sysop
to check it out and he says it's clean. The docs say that this is version
114b, the latest version.
Does anybody know what the deal is or was here? Is LHARC114 safe to use? Is
there a virus associated with this program? Thanks.
--- Telegard v2.5 Standard
* Origin: Telegard BBS (000-000-0000) (1:161/88.0)
Msg#: 3158 *Virus Info*
08-28-90 15:01:00 (Read 6 Times)
From: KEVIN HIGGINS
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 3155 (RE: HAVE ANYONE TRIED SECURE ?)
Thanks for the info on CheckOut. I'd seen the file description usage
included in a .bat for for TAG, but never implemented it, or d/l'd the checkout
file because on my XT it sometimes takes awhile to dearc. a large .zip file--a
real pain for L/D types... Probably be wise to start using something like that,
though, since the BBS can do all the checking automatically following
uploads....
Guess most users won't mind waiting a minute or so, if it makes their d/l's
almost certifiably safe.
Kevin
--- TAGMAIL v2.40.02 Beta
* Origin: The Hornet's Nest BBS (1:128/74)
Msg#: 3177 *Virus Info*
08-28-90 18:10:00 (Read 6 Times)
From: RICK PERCIVAL
To: KEVIN HIGGINS
Subj: REPLY TO MSG# 3158 (RE: HAVE ANYONE TRIED SECURE ?)
> command line and let the .bat file take care of unzipping, scanning
> and rezipping the file. Be best if someone would write a program
> that would do this, but I haven't found one yet.
> Kevin
Hi there, you guys must be behind the times or something but there is a very
good program which does exactly what you are looking for. Its called CHECKOUT.
The version we are using over here is called CKOT11.ZIP and it is a little
pearler!!
What it does is, unzips a file, scans it and rezips it, menu driven or
command line driven. Try it, you'll love it.
--- FD 1.99c
* Origin: The Cyclops BBS Auckland NEW ZEALAND (3:772/170)
Msg#: 3178 *Virus Info*
08-14-90 09:39:00 (Read 7 Times)
From: DAN BRIDGES
To: KEN DORSHIMER
Subj: RE: CRC?
I've been reading, with interest, the messages about a program that provides a
demo of circumventing a single CRC generating program. I thought that its name
would be common knowledge, but apparently it isn't.
You were told the name of the file was MCRCx. May I suggest that you look for
it as FICHECKx. The one I got is v5 and has program called PROVECRC which
demonstrates the problem.
**********************
* FICHECK Ver 5.0 *
* MFICHECK Ver 5.0 *
**********************
(C)Copyright 1988,1989 Gilmore Systems
P.O. Box 3831, Beverly Hills, CA 90212-0831
U.S.A.
Voice: (213) 275-8006 Data: (213) 276-5263
Cheers,
Dan (no connection with the above firm).
--- Maximus-CBCS v1.02
* Origin: Marwick's MadHouse (3:640/820)
Msg#: 3179 *Virus Info*
08-18-90 14:19:00 (Read 7 Times)
From: YVETTE LIAN
To: FRED GOLDFARB
Subj: RE: VIRUS GROUPS....
FG> writing viruses". The idea I got was that there are actual
FG> "virus groups" similar to the game cracking groups you hear
FG> of occasionally, who's sole purposes are to write viruses,
FG> not for research's sake, but to infect people. Has anyone
FG> else heard of this before? Are there really such groups?
FG> Imagine, when a new virus comes out three or four groups
FG> claiming to be the writers.. Kinda like terrorist bombings
FG> only different. Come to think of it, I remember reading a
That'd be right... you would think that if these people were intelligent enough
to program something such as a virus they'd probably be better off not wasting
their time with it...
--- QuickBBS 2.64 (Eval)
* Origin: Virus Info .. how to do it and not get it ! (3:640/886)
Msg#: 3180 *Virus Info*
08-18-90 14:42:00 (Read 7 Times)
From: ROD FEWSTER
To: KERRY ROBINSON
Subj: RE: VIRUS CHECKERS
> In a message of <12 Jun 90 7:31:31>, Patrick Curry (1:133/425) writes:
>
> Rarely does a MAC get a virus It is an IBM phonomonum
^^^^^^^^^^^^^^^^^^^^^^^
Tell it to an Amiga user !! B-)
--- FD 1.99c
* Origin: The Edge of Reality .. THE NIGHTMARE BEGINS ! (3:640/886)
Msg#: 3181 *Virus Info*
08-30-90 13:01:00 (Read 7 Times)
From: BRIAN WENDT
To: ALL
Subj: NEWSPAPER CLIPPING
The following item appeared in a newspaper in Brisbane, Austsralia yesterday.
Anyone care to comment?
VIRUS ATTACKS STATE'S PERSONAL COMPUTERS
A sophisticated computer virus is feared to have infected Queensland Government
and home computers. The COMPUTER VIRUS INFORMATION GROUP at the QUEENSLAND
UNIVERSITY OF TECHNOLOGY has issued it first major warning to personal computer
users about the virus.
The virus, initially detected by the Israeli defence force, freezes computers
on September 22, the birthday of a character in Tolkien's book, 'Lord of the
Rings'.
A computer virus is a program designed to attach copies of itself to software
and disable a computer system, or destroy files. Acting technologist, MR
EMLYN CREEVY said the warning was issued after a State Government public
servant gave the virus to the group for investigation.
Mr Creevy said somputers infected with the virus - known as FRODO, 4096, or
CENTURY - would freeze on September 22 or until the end of the year unless it
was removed. He said the group expected to know if the virus had infected
computers in Queensland next week after users report the results of searches
they were requested to conduct. The group warned all personal computer
operators that there was a bug in the FRODO virus which prevented it from
displaying a message 'FRODO LIVES' on September 22 and instead caused the
computer to 'hang' or freeze.
"It is from the FRODO name that the significance of the 22nd September can be
identified," they said. "This is the birthday of Frodo Baggins in Tolkien's
story. Users are advised to theck for the virus as soon as possible.
Mr Creevy said the virus had the ability to avoid detection and spread but was
not 'seriously destructive'. He said it could become damaging if an expert
could disassemble the virus and change the instructions to wipe the computer's
disk. "I'd say there's people working on it somewhere although probably not
in Australia," Mr Creevy said.
An expert would have created the Frodo virus because it had only one bug while
most viruses had more.
Mr Creevy said more than 100 viruses were believed to exist worldwide.
ENDS
Brian Wendt
Sysop
SUNMAP BBS
--- Maximus-CBCS v1.02
* Origin: Sunmap BBS Node 5 (HST/DS) - Brisbane - Australia (3:640/206)
Msg#: 3182 *Virus Info*
08-28-90 19:33:00 (Read 7 Times)
From: SANDY LOCKE
To: PATRICK TOULME
Subj: REPLY TO MSG# 3177 (RE: HAVE ANYONE TRIED SECURE ?)
MM> Maybe I should say all virus that are in the "public domain".
MM> Virus 101 is a research virus that only a few people have (and
MM> you wrote). Nothing is fool proof but Secure is better than any
MM> other interrupt moniter.
PT>
PT> I agree with you, Mike.
and I have to concur with patrick, out of all the TSR type monitor
programs out there , SECURE is indeed the best of the group... BUT
PLEASE do NOT depend upon this as your ONLY protection... as on part of
a multilayered protection scheme it would be fine... I guess my real
problems with it stem from the NAME the Mark wasburn has chosen...it
can mislead the neophyte too easily...into thinking that it really is
the be-all and end-all of protection...I wouldnt hestitate to recommend
it over the socalled commercial products in this class... BUT again NOT
as a SOLE protection against viruses... sorry for any confusion my
comments may have caused...
cheers
sandy
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3183 *Virus Info*
08-28-90 19:35:00 (Read 6 Times)
From: SANDY LOCKE
To: ALAN DAWSON
Subj: REPLY TO MSG# 2749 (RE: VIRUS SCANNERS....)
DS> You can't win on this! I've been downloading for quite a while
DS> - always running a virus checker on the information. So, where
DS> did our virus come from? Off a shrink-wrapped anti-virus
DS> diskette one of our guys picked up in the US!
AD> Nothing new about this, as people learn all the time. One MAJOR
AD> company (really big, really well known) has shipped shrink-wrapped
AD> viruses twice -- once on purpose! Shrink wrap doesn't keep the bugs
AD> out.
UH ALAN... you mind sending the NAME of this vendor via private
e-mail... accidentally I can understand BUT ON PURPOSE??? what end
would this kind of action serve???
cheers
sandy
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3184 *Virus Info*
08-28-90 19:44:00 (Read 6 Times)
From: SANDY LOCKE
To: KEN DORSHIMER
Subj: REPLY TO MSG# 2905 (RE: CRC CHECKING)
well close... without discussing HOW its done... the file length is
altered back to the original length... its not that hard and does point
out one of the MAJOR problesm with crc scanners...that is that the
critical information that tells the operating system how long the file
is can be altered at will... as far as the comments of a virus author
disassembling the CRC package its commonly done during product testing
to find out ahead of time what algorithms are in use by the product...
it really depends on the level of security one wants for ones PC...
I really wouldnt put it past a good virus author to specifically
target anti-viral programs in this fashion... as far as disassemblies
being hard... well I do an average of 5-6 per day with files ranging in
size from 2k to 90k(although I will admit that some of the trickier
ones do cause head scratching occasionally...) note that i said
programs and not specifically viruses...
cheers
sandy
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3185 *Virus Info*
08-28-90 19:53:00 (Read 6 Times)
From: SANDY LOCKE
To: TOM PREECE
Subj: REPLY TO MSG# 2911 (RE: REMAPPING...)
TP> As you may see by looking at my other entry's, I have been loading a c
TP> program that is clearly implementing software to remap my keys to s ce
TP> extent. If this is possible as a glitch, its is obviously possible as
TP> attack. Let's hope it never comes to that.
Tom,
without adding too much fuel to any fire... certain
non-communication programs are susceptible to the ANSI programmable
attack... on my end I run no program that implements ANSI3.64
terminal control language without having a way to turn thoses "FEATURES
" off... certain programs without mentioning brand names do allow
this. if the echo moderator allows I will post a list of good and bad
programs in this regard... so that you can all protect yourselves
better...(n.b. after being chewed out by the moderator I am
constraining my comments carefully...)
cheers
sandyp.s. these attacks have been common since programmable
terminals came into being during the middle 1970's the problem is that
when these features were implemented in comm programs the possibility
arose that it was possible for malicious individuals to finally do some
real damage...the way to protect yourself is to STOP using programs
that implement such features and switch to others that are more secure
in their usage of such features...
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3186 *Virus Info*
08-29-90 05:44:00 (Read 6 Times)
From: PATRICIA HOFFMAN
To: SANDY LOCKE
Subj: REPLY TO MSG# 3185 (RE: REMAPPING...)
SL> attack... on my end I run no program that implements ANSI3.64
SL> terminal control language without having a way to turn thoses "FEATURES
SL> " off... certain programs without mentioning brand names do allow
SL> this. if the echo moderator allows I will post a list of good and bad
SL> programs in this regard... so that you can all protect yourselves
SL> better...(n.b. after being chewed out by the moderator I am
SL> constraining my comments carefully...)
Please feel free to go ahead and post the list. Was just trying to keep you
out of trouble, you do sometimes get over excited in messages...didn't mean for
it to be "chewing out".
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3187 *Virus Info*
08-29-90 06:27:00 (Read 7 Times)
From: PATRICIA HOFFMAN
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 2996 (RE: ONTARIO VIRUS)
PL> Nope, I don't have the Ontario Virus that I know of! I read about the
PL> Virus after I had posted to you, Thanx for the info. Nice to know
PL> where it loads in Mem, that would make a util easier to write once I
PL> had a fix on what you have already told me.
PL>
Ontario loads into the top of free memory, right below the 640K boundary. It
takes up 2,048 bytes. If you run chkdsk after it is in memory, both total
system memory and free available memory will have decreased by 2,048 bytes.
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3326 *Virus Info*
08-30-90 15:05:00 (Read 6 Times)
From: KEN DORSHIMER
To: SANDY LOCKE
Subj: REPLY TO MSG# 3184 (RE: CRC CHECKING)
...at a time when Western civilization was declining
too rapidly for comfort, yet too slowly to be very
exciting Sandy Locke was saying:
SL> well close... without discussing HOW its done... the file length is
SL> altered back to the original length... its not that hard and does
SL> point out one of the MAJOR problesm with crc scanners...that is that
interesting why don't you drop me some net-mail on this (see origin line)
SL> the critical information that tells the operating system how long the
SL> file is can be altered at will... as far as the comments of a virus
SL> author disassembling the CRC package its commonly done during product
SL> testing to find out ahead of time what algorithms are in use by the
i think that's one of the things i mentioned; that they would have to have
pre-existing knowledge of the crc scheme in order to make that work.
SL> product... it really depends on the level of security one wants for
SL> ones PC... I really wouldnt put it past a good virus author to
SL> specifically target anti-viral programs in this fashion... as far as
one of the reasons i am interesting in developing my own anti-viral utils for
my software business. i figure if they stay primarily in house, the chance
that some bozo will screw around with them and try to break them is reduced.
SL> disassemblies being hard... well I do an average of 5-6 per day with
SL> files ranging in size from 2k to 90k(although I will admit that some
SL> of the trickier ones do cause head scratching occasionally...) note
SL> that i said programs and not specifically viruses... cheers sandy
heh, yup source to assembled is always easier than the reverse process, of
course there's head scratching that goes on at that end too. :-)
the client said he wanted it to do what?!
...just part of the food chain...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 3327 *Virus Info*
08-29-90 11:37:00 (Read 6 Times)
From: PAUL FERGUSON
To: EVERYONE
Subj: FLOPPY MBR BACKUP
I had originally posted this question to the moderator, but after a
little thought decided that I would be sure to receive a myriad of
answers from the ECHO participants if asking the question here,
also.....
It is simply this:
Does anyone have any decent (and simple) suggestions for extraction of
the floppy MBR???.....There are several very good utilities in the
public domain for strictly Hard Drive Boot Sector (ie. ST0) and other
utilities contained within, say for instance, PCTools, that can back-up
the HARD Drive Partition Table (I forgot to mention several PD programs
to back-up the FAT).....But, almost all of these that I have seen
pertain to the HDU! I realize that there are ways to write it to a file
using certain SPY-type programs, but what I am really interested in is
a simplified program that is easy to use at the lowest end of the USER
pyramid
-Thanks in advance for your suggestions and assistance.....
-Paul ^@@^.........
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3328 *Virus Info*
08-29-90 18:46:00 (Read 6 Times)
From: PAUL FERGUSON
To: EVERYONE
Subj: STEALTH FAMILY
I have read with great interest the July editions of VIRUS-L digest
(along with about the first week or so of August) and cannot, for the
life of me, figure the almighty hype with The (noticed that I
capitolized that!) Stealth Family of Virus....Only a Trojan should
deserve such attentention.....If one takes appropriate precautionary
measures, then the virus will (theoretically) be caught in memory..
...that is, it will make (and reside) a noticeable difference in
vectoring.....I truly believe WAY too much hype (Ok, maybe that is a
little strong!) has been given to this.....Yes, it can be a true menace
if one does not expect such a rogue, but come on.......I downloaded
some code today....Yes, I must say it IS quite ingenius, but at the
same time, I must also say, I enjoy the work I do, etc....
PS.....Patrick Toulme, Check your E-Mail....
........"The Delicate Sound of Thunder".......
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3329 *Virus Info*
08-29-90 22:07:00 (Read 6 Times)
From: PAUL FERGUSON
To: EVERYONE
Subj: LATENITE
Ok, so we're up again in the pale moonlite (unquote)...
Next question (in paticular, to you, Sandy)
is:
What diverse opinions do you have concerning those that, also,
fight the battle on the front lines (I'm noy alluding to who has any
more experience, to wit)...I feel that many of us (Tech
Support/Slash/Gov't Contractors)(No, We're not scum, nor
unknowledgable) have done much to benefit the Anti-Viral Research
Community.....I would like a little input on this topic.....
.......We're not all BAD guys!........
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3330 *Virus Info*
08-31-90 13:05:00 (Read 6 Times)
From: HERB BROWN
To: ALL
Subj: PKZ120.ZIP
I was informed that there is a bad version of PKZIP floating around by the name
of PKZ120.ZIP.. I am not sure if it is viral or not, but delete it if you find
it..
--- QM v1.00
* Origin: Delta Point (1:396/5.11)
Msg#: 3331 *Virus Info*
09-01-90 11:34:00 (Read 7 Times)
From: DEREK BILLINGSLEY
To: ALL
Subj: POSSIBLE VIRUS?
This just hit me today - I am not sure if it is some kind of system error or a
potential virus.
Last night (September first) and before gave me no indication of any virus
being present on my system. It is now september 1st and now, whenever a file is
written to disk (I noticed the text files first, but a downloaded zip'd file
was also garbled...) it took out about 10 bytes from the beginning of each
line...
When I realized this may be set to occur on this date, I set my DATE back a
night and everything worked fine... I made a sample text file with a known
pattern of characters -- any date past september 1st 1990 leaves the file
altered as mentioned above. Any date previous is written unharmed...
SCANV56 reports only that the SCAN program is damaged - no disk presence of the
source is evident.
Has anyone heard of something like this happening?
Derek Billingsley
--- SLMAIL v1.36M (#0198)
* Origin: Atlantic Access SJ/NB 1-506-635-1964 HST You can Run With Us !
(1:255/1)
Msg#: 3354 *Virus Info*
08-29-90 09:02:00 (Read 6 Times)
From: CY WELCH
To: SANDY LOCKE
Subj: REPLY TO MSG# 2759 (KEYBOARD REMAPPING....)
In a message to Cy Welch <25 Aug 90 6:39:00> Sandy Locke wrote:
>CW> In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote:
> PF> Isn't it possible to remap some (or any) keyboard functions via
> PF> communications with some funky ANSI control characters?....I seem to
> PF> remember mention of this somewhere.....I really can't remember if was
> PF> in the form of a question, though, or an answer.....It also made
> PF> mention of PKWares' Safe-ANSI program...Somebody help us out here...
>CW> I think most of the "FAST" ansi replacements do not have the keyboard
>CW> remapping so that danger is removed in those cases.
SL> Well if you are referring to FANSI.SYS by hershey Microsystems it too
SL> is vunerable to remap effects... and since it implemnt FULL ANSI 3.64
SL> terminal control codes plus some extensions it is even more vunerable
SL> to a whole class of tricks that go way beyond noremally keyboard
SL> remapping... but to there credit they ahve include a way to turn this
SL> "FEATURE" OFF... just most users get it off a BBS and never order or
SL> look at the 50.00 set of docs that come when you pay for the
SL> products...
Actually I was refering to zansi.sys which is a high speed replacement which
part of what they did to do it was to remove the keyboard remapping functions.
--- XRS! 3.40+
* Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1)
Msg#: 3355 *Virus Info*
08-26-90 15:45:00 (Read 6 Times)
From: MIKE MCCUNE
To: SANDY LOCKE
Subj: SECURE
Sandy,
Thanks for the information. I suspected that Secure probably had some
holes in its protection scheme and that someone knew about it. I am
curious about how the modified Jerusalem-B got around it. I'm pretty
sure how Virus 101 does it (the Air Force uses it) but I would like
to know if there are any other hole in secure...<MM>
--- Opus-CBCS 1.13
* Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)
Msg#: 3477 *Virus Info*
09-01-90 15:56:00 (Read 6 Times)
From: KEN DORSHIMER
To: HERB BROWN
Subj: REPLY TO MSG# 3330 (RE: PKZ120.ZIP)
>
> I was informed that there is a bad version of PKZIP floating
> around by the name of PKZ120.ZIP.. I am not sure if it
> is viral or not, but delete it if you find it..
seem to remember seeing something about this a couple of months ago.
mostly, i wanted to drop a line and say "hey". got your net-mail, hopefully if
the routing is working right, you got a response. :-) how's new orleans this
time of year? later.
--- Opus-CBCS 1.12 & NoOrigin 3.7a
--- QM v1.00
* Origin: Ion Induced Insomnia (1:203/42.753)
Msg#: 3478 *Virus Info*
09-02-90 10:45:00 (Read 6 Times)
From: JAMES KLASSEN
To: PRAKASH JANAKIRAMAN
Subj: REPLY TO MSG# 2909 (LEPROSY)
I have a copy of the Leprosy virus along with its source and
"documentation". What it does is copies itself to 4 exe or com files
each time it is run and produces a memory error code so the user thinks
there is a problem with memory and runs it again. After all the com and
exe files have been infected, it displays a message that they have a
virus and "Good luck!"... It increases file sizes by 666 but when I
tested it on a floppy, the bytes didn't increase...
--- W2Q v1.4
* Origin: The C.F.I BBS * Norfolk, Va. * (804)423-1338 * (1:275/328)
Msg#: 3479 *Virus Info*
09-01-90 07:18:00 (Read 6 Times)
From: YASHA KIDA
To: PAUL FERGUSON
Subj: REPLY TO MSG# 3329 (LATENITE)
In a message of <29 Aug 90 22:07:29>, Paul Ferguson (1:204/869) writes:
PF> EID:6368 151db0ee
PF> Support/Slash/Gov't Contractors)(No, We're not scum, nor
PF> unknowledgable) have done much to benefit the Anti-Viral Research
PF> Community.....I would like a little input on this topic.....
PF>
I am a Private contractor for a Large Network installation an support company.
I work for the good of the Customer and the population (users).
I hear the phrase " SLIMY CONTRACTOR" " M.F.C." everyday. I also heard
"Can this be done", "Would you look into this...", "What are your suggestions
so I can put them in my report" when things get deep. We are the WHIPPING BOYS
and EMERGENCY 911 all in one.
I am sure there are Software contractors who have planted or released a virus
at contract renewal time. To show how much they are needed.
There are also those of us the that want to see their job sites safe from such
problems. We are the ones who own our time (Non-Paid) Compile information
on ways to safe guard our data from compermise or viral attacks.
The Anti-Viral reseach done by Mrs. Hoffman (PAT) and John McAfees group
is carefully read and evaluated on my end. I am sure it has saved many a rear
from a bear trap.
--- msged 1.99S ZTC
* Origin: Bragg IDBS, (FT. Bragg, NC - we're gonna kick some booty)
(1:151/305)
Msg#: 3480 *Virus Info*
09-02-90 19:19:00 (Read 6 Times)
From: HERB BROWN
To: KEN DORSHIMER
Subj: REPLY TO MSG# 3477 (RE: PKZ120.ZIP)
With a sharp eye <Sep 01 15:56>, Ken Dorshimer (1:203/42.753) noted:
>
> I was informed that there is a bad version of PKZIP floating
> around by the name of PKZ120.ZIP.. I am not sure if it
> is viral or not, but delete it if you find it..
KD>
KD>seem to remember seeing something about this a couple of months ago.
KD>mostly, i wanted to drop a line and say "hey". got your net-mail,
KD>hopefully if the routing is working right, you got a response. :-)
KD>how's new orleans this time of year? later.
KD>
Hmmmm, first time I heard of this file. How long ago did it appear?
Rained Sunday and had to BBQ inside. Made watching TV a little hard, but we
managed.
--- QM v1.00
* Origin: Delta Point (1:396/5.11)
Msg#: 3630 *Virus Info*
09-01-90 20:49:00 (Read 6 Times)
From: PAUL FERGUSON
To: KEN DORSHIMER
Subj: REPLY TO MSG# 3326 (RE: CRC CHECKING)
Ken...
I've GOT to agree with you on this one....only preconceived CRC
defeaters are just that...preconceived....no such luck...
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 3813 *Virus Info*
09-01-90 13:11:00 (Read 6 Times)
From: KEVIN HIGGINS
To: JAMES DICK
Subj: SECURING YOUR UPLOADS
I've got checkout, and while its a pretty neat program, there are a few
things I don't like about it, the main one being the initial memory scan. I
also don't like the auto-pause that seems to be at the beginning of it. That
means running gateway, which means the user may be able to get into DOS and
party. (have heard of Key-fake, but never seen it around to play with it..).
TAG calls a file named postul.bat after every upload (if the .bat file is
present), so I hacked up this .bat file to auto-check for virii. But I'm not
smart enough to know how to use the %%f in a batch file to have it run through
for all the files in the active directory (for batch uploads)...
Maybe there's a genius out there who can help. FYI the parameters passed to
the .bat file are: [Baud] [ComPort] [User#] [U/L Dir] [Filename].
Here it is. Chuckle, then help make it better <grin>.
echo off
cd\bbs\uploads
echo Verifying latest Pkzip version...... > com2
REM This program checks file integrity.
ozf -v %5 > com2
echo : > com2
REM These are the directories I don't want checked.
if %4 == D:\ZIPSTUFF\WRITERS\ goto end
if %4 == D:\ZIPSTUFF\AMIGA goto end
echo Testing file integrity, and checking for virii. > com2
echo Please wait..... (this is the scary part, eh?) > com2
echo : > com2
echo Moving the suspect file to a sterile cell for interogation.... > com2
REM This moves the file to an empty directory for the examination.
move %4%5 d:\bbs\bads
echo File is now undergoing interrogation... > com2
cd\bbs\bads
pkunzip -x D:\bbs\bads\%5 *.exe *.com > com2
scan d:\bbs\bads\*.exe /NOMEM > com2
scan d:\bbs\bads\*.com /NOMEM > com2
if errorlevel 1 goto Oops
echo Alright! (whew) File passed. > com2
del *.exe
del *.com
echo Almost finished. Releasing innocent file back into public. > com2
move %5 d:\bbs\uploads
echo : > com2
echo Now adding (Nested) zip comment to file... > com2
cd\
REM This adds the Hornet's Nest comment to the .Zip file.
call d:\commentr.bat
cd\bbs
echo Thanks for waiting!..
goto end
:Oops
echo Arrrrgghhhhh! File had a virus! File deleted! > com2
erase *.*
echo Logging your name to Scumbag.lst! > com2
echo Hey, Kato! User number %3 tried to upload a virus infected file! >>
d:\fd\scumbag.lst
echo Maybe you need to leave a message to Kato, eh? > com2
cd\bbs
:end
(Note: the fourth line from the end is a continuation of the line above it.)
Also, I have a program that will make a .com fil out of a .bat file, for faster
processing. Any reason why this couldn't be done with the above .bat file? How
about after the %%f is added?
Kevin
--- TAGMAIL v2.40.02 Beta
* Origin: The Hornet's Nest BBS (1:128/74)
Msg#: 3814 *Virus Info*
09-03-90 23:40:00 (Read 5 Times)
From: RICK THOMA
To: HERB BROWN
Subj: REPLY TO MSG# 3480 (RE: PKZ120.ZIP)
> Hmmmm, first time I heard of this file. How long ago did it
> appear?
I have a copy, and think it came out around March, or so. At the time,
SCANV detected no virus, but I thought better of running it.
Sorry, folks. Whatever it is, it isn't available for downloading, so please
don't ask. I'm just waiting for the time to pick it apart, to see just what
kind of hack it is.
--- FD 2.00
* Origin: Village BBS, Mahopac, NY 914-621-2719 *HST* (1:272/1)
Msg#: 3815 *Virus Info*
09-03-90 03:38:00 (Read 5 Times)
From: KEN DORSHIMER
To: PAUL FERGUSON
Subj: REPLY TO MSG# 3630 (RE: CRC CHECKING)
...at a time when Western civilization was declining
too rapidly for comfort, yet too slowly to be very
exciting Paul Ferguson was saying:
PF> Ken... I've GOT to agree with you on this one....only preconceived CRC
PF> defeaters are just that...preconceived....no such luck...
PF>
that's what i figured. that is if you're responding to the msg i think you're
responding to. what the hell does that mean?
...space is merely a device to keep everything from being
in the same spot...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 3816 *Virus Info*
09-03-90 18:03:00 (Read 5 Times)
From: KEN DORSHIMER
To: HERB BROWN
Subj: REPLY TO MSG# 3814 (RE: PKZ120.ZIP)
...at a time when Western civilization was declining
too rapidly for comfort, yet too slowly to be very
exciting Herb Brown was saying:
HB> Hmmmm, first time I heard of this file. How long ago did it appear?
HB> Rained Sunday and had to BBQ inside. Made watching TV a little hard,
HB> but we managed.
i think it was a couple of months ago. which means any mention of it has long
since been renumbered off my system. yup BBQing indoors does have a certain
mystique. i know dinner is ready when the smoke alarm goes off.
...space is merely a device to keep everything from being
in the same spot...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 3817 *Virus Info*
09-03-90 18:08:00 (Read 7 Times)
From: KEN DORSHIMER
To: DEREK BILLINGSLEY
Subj: REPLY TO MSG# 3331 (RE: POSSIBLE VIRUS?)
...at a time when Western civilization was declining
too rapidly for comfort, yet too slowly to be very
exciting DEREK BILLINGSLEY was saying:
DB> This just hit me today - I am not sure if it is some kind of system
DB> error or a potential virus.
DB>
DB> Last night (September first) and before gave me no indication of any
DB> virus being present on my system. It is now september 1st and now,
DB> whenever a file is written to disk (I noticed the text files first,
DB> but a downloaded zip'd file was also garbled...) it took out about 10
DB> bytes from the beginning of each line...
DB>
could you send a copy of what you believe is infected to me? i'd like to
analyse this myself, thanks.
my address is:
Dorshimer Software Systems
P.O. Box 191126
Sacramento, Ca. 95819-1126 USA
...space is merely a device to keep everything from being
in the same spot...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 3818 *Virus Info*
09-03-90 20:57:00 (Read 4 Times)
From: JOHN HERRBACH
To: ALL
Subj: PUBLIC KEY ENCRYPTION
Does anyone know the status or progress in regards to public key encryption?
Thanks.
John {|-)
--- ME2
* Origin: The Lighthouse BBS/HST; Lansing, MI; 517-321-0788 (1:159/950)
Msg#: 3819 *Virus Info*
09-01-90 20:26:00 (Read 5 Times)
From: SEAN SOMERS
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 3186 (RE: REMAPPING...)
Off topic here, anybody out there encounter the French Revoloution virus? I was
the first out here to discover it. What it does is nuke your HD while
displaying an anti Western/English speaking Canadians.
--- outGATE v2.10
# Origin: SIGnet International GateHost (8:7501/103)
* Origin: Network Echogate (1:129/34)
Msg#: 3938 *Virus Info*
09-06-90 11:51:00 (Read 13 Times)
From: YASHA KIDA
To: SKY RAIDER (Rcvd)
Subj: REPLY TO MSG# 2995 (RE: VIRUS ORIGINALS)
GLAD TO SEE SOMEONE does their homework...
Well written.. If you don't mind I wish to post it as a bulletin
on my System (BBS).. Re written to as a document instead of a
msg reply...
'
Yasha
sysop 151/305
"What do you do when all of your users are in the sand lands, without a phone."
--- Maximus-CBCS v1.00
* Origin: Bragg IDBS, We hunt bugs for the 82nd Airborne (1:151/305)
Msg#: 3974 *Virus Info*
09-08-90 13:42:35 (Read 5 Times)
From: SKY RAIDER
To: YASHA KIDA
Subj: VIRUS POST ON BBS
Yasha,
You write:
GLAD TO SEE SOMEONE does their homework...
Well written.. If you don't mind I wish to post it as a bulletin on my System
(BBS).. Re written to as a document instead of a msg reply...
Sure, no problems in rewritting and posting on your system. I try not to enter
into this type of a conversation without at least a bit of a footing in fact. I
wish I could find the original document I had quoting these things (it had
names, dates, etc.). How about giving me your system number so I can call and
see the finished form (never been quoted in this manner before).
A questor of knowledge,
Sky Raider
Ivan Baird, CET
--- TBBS v2.1/NM
* Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K> (1:255/3)
Msg#: 4025 *Virus Info*
09-06-90 13:32:00 (Read 6 Times)
From: JONO MOORE
To: JOE MORLAN
Subj: REPLY TO MSG# 3157 (LHARC114?)
JM >I had heard that and infected version of LHARC was released
JM >last year under the name LHARC114. I also heard that
JM >because of that, the next release of LHARC was expected to
JM >be LHARC200 to avoid confustion with the virus. This week a
JM >file appeared on a local board called LHARC114. I left a
JM >message to the sysop to check it out and he says it's clean.
JM >The docs say that this is version 114b, the latest version.
LHARC v1.14b is a real release. The author brought it out after the
controversy on the fake 1.14 release.
--- outGATE v2.10
# Origin: SIGnet International GateHost (8:7501/103)
* Origin: Network Echogate (1:129/34)
Msg#: 4026 *Virus Info*
09-05-90 19:47:00 (Read 5 Times)
From: PATRICIA HOFFMAN
To: PAUL FERGUSON
Subj: LET ME REPHRASE THAT.....
PF> Actually, I really should have said "virtually preconceived".
PF> From what I can gather on the topic (I don't yet have a copy of 4096),
PF> they actually redirect CRC/Checksum interrogators to a "snapshot" of
PF> the original file as it appeared before infection.(Someone, I'm sure,
PF> will correct me if I'm wrong or at least add enlightenment.)
You are correct.....What the CRC/Checksum interrogator sees, if 4096 is in
memory, is the disinfected version of the program in memory, not what is
actually out on disk. Fish 6 also does this, as do a couple of other viruses
using Stealth techniques.
PF> The infected file, in the case of 4096, has in reality grown by 4096
PF> bytes and would more than likely hang the system, therefore, which
PF> would lead me to believe that running the CRC check without the virus
PF> TSR would allow you to identify the actual infected files. Also, it
PF> seems like the only way to catch it TSR is to trace the interrupt
PF> vectors (although everyone seems to have a little bit of differing
PF> ideas on this '->)
Lots of 4096 infected files will run without hanging the system....the virus
disinfects the program when it is read into memory so that anti-viral packages
can't find the virus as easily. CRC checkers and scanners won't be able to
find it in the infected file if the virus is in memory, in fact, these viruses
usually infect on file open as well as execute. Run a CRC checker or Scanner
that doesn't check memory for the virus with it present and you'll infect
everything that is openned that meets its infection criteria.
If the virus isn't in memory, the CRC checker technique will work to identify
the infected files in 99% of the cases. I'm not going to say 100% because I
believe some of the 512 virus variants can get around it due to the way it
attaches to the files in some cases, but not all. Some CRC checkers don't
actually CRC the entire file either....and as soon as I state it is a fool
proof way of doing it, someone will write a virus that gets around it
perfectly in all cases.
Patti
PF> Until I can get my hands on this little fellow, I guess that I'll
PF> just follow the more logical explanations from the sources with
PF> credibilty and make a judgement from that! Sounds credible. But, as I'v
PF> said before- I sure would like to see it.
PF>
PF> I've been following several different message base threads on
PF> this particular virus, with input from users at the basic levels to BBS
PF> SysOps to the AntiViral research community.......I must say, it gets
PF> overwhelming at times to keep objective. *:)
PF>
PF> -Paul
PF>
PF>
PF> --- QM v1.00
PF> * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813
PF> (1:204/869.0)
PF>
--- W2Q v1.4
* Origin: The C.F.I BBS * Norfolk, Va. * (804)423-1338 * (1:275/328)
Msg#: 4027 *Virus Info*
09-07-90 12:48:00 (Read 4 Times)
From: MICHAEL ADAMS
To: RICHARD HUFFMAN
Subj: RE: ARC.EXE
Thank you for the warning .... Kill keep an eye out for it.
--- Maximus-CBCS v1.00
* Origin: The Southern Star - SDS/SDN/PDN - 504-885-5928 - (1:396/1)
Msg#: 4028 *Virus Info*
09-07-90 20:21:00 (Read 5 Times)
From: HERB BROWN
To: JONO MOORE
Subj: REPLY TO MSG# 4025 (LHARC114?)
JM >I had heard that and infected version of LHARC was released
JM >last year under the name LHARC114. I also heard that
JM >because of that, the next release of LHARC was expected to
JM >be LHARC200 to avoid confustion with the virus. This week a
JM >file appeared on a local board called LHARC114. I left a
JM >message to the sysop to check it out and he says it's clean.
JM >The docs say that this is version 114b, the latest version.
JM>LHARC v1.14b is a real release. The author brought it out after the
JM>controversy on the fake 1.14 release.
JM>
Now, how is someone going to know the difference? That is about as dumb as
BBQ'ing indoors and forgetting to open the windows... Sheesh..
--- QM v1.00
* Origin: Delta Point (1:396/5.11)
Msg#: 4029 *Virus Info*
09-07-90 20:25:00 (Read 4 Times)
From: HERB BROWN
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4026 (LET ME REPHRASE THAT.....)
PH>can't find the virus as easily. CRC checkers and scanners won't be
PH>able to
PH>find it in the infected file if the virus is in memory, in fact, these
PH>viruses
PH>usually infect on file open as well as execute. Run a CRC checker or
PH>Scanner
PH>that doesn't check memory for the virus with it present and you'll
PH>infect
PH>everything that is openned that meets its infection criteria.
I seem to be missing something here. As I understand it, to check for virii
with a scanner, such as SCAN, or whatever, you boot from a uninfected floppy
that has scan residing on it. Ok, now, how would a virus that works as a TSR,
that probably is loaded from the boot sector from the hard disk be loaded, if
you are booting from the floppy? Which, the floppy being write protected, of
course, would not have this viral infection. I was under the assumption that
the BIOS first checked drive A: at bootup for a disk, etc. It seems that it
would be impossible to find a virii in memory with this type of scheme.. Please
enlighten me..
--- QM v1.00
* Origin: Delta Point (1:396/5.11)
Msg#: 4030 *Virus Info*
09-07-90 17:03:00 (Read 5 Times)
From: TALLEY RAGAN
To: MIKE MCCUNE
Subj: REPLY TO MSG# 2910 (RE: REMOVING JOSHI)
In a message to Talley Ragan <09-04-90 16:04> Mike Mccune wrote:
MM>>I have posted a new version that checks for the virus
MM>>before
MM>>trying to remove it (now that I have a working copy of the
MM>>virus). It will not damage the partition table on
MM>>uninfected
MM>>hard disks...<MM>.
Thanks for the information. This was very educational, as I have
had one case of a virus. I don't know how it workedbut the screen would
show all garbage and then the computer would hang. I low level formatted
the hard disk and restored from good backups. I sure would like to know
how it got to me and where it came from!!... Thanks again.
Talley
--- ZAFFER v1.01
--- QuickBBS 2.64 [Reg] Qecho ver 2.62
* Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9)
Msg#: 4031 *Virus Info*
09-05-90 21:23:00 (Read 5 Times)
From: TOM PREECE
To: HERB BROWN
Subj: REPLY TO MSG# 3816 (RE: PKZ120.ZIP)
I seem to remember running into this file several months ago. I don't remember
concluding that it had a virus - just that it didn't work properly. The sysop
on the sytem that had it apparently reached the same conclusion or something
similar because it disappeared here (SF Bay Area.)
--- TBBS v2.1/NM
* Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)
Msg#: 4032 *Virus Info*
09-06-90 19:15:00 (Read 5 Times)
From: KEN DORSHIMER
To: PAUL FERGUSON
Subj: REPLY TO MSG# 4029 (RE: LET ME REPHRASE THAT.....)
...at a time when Western civilization was declining
too rapidly for comfort, yet too slowly to be very
exciting Paul Ferguson was saying:
PF> Ken- This is a continuation of msg.# 156 (I dropped the
just FYI the msg numbers don't have much bearing here. on my system is was
#75 or something. :-)
PF> don't yet have a copy of 4096), they actually redirect CRC/Checksum
PF> interrogators to a "snapshot" of the original file as it appeared
PF> before infection.(Someone, I'm sure, will correct me if I'm wrong or
interesting. seems there would be some simple method of circumventing what
the virus does. (i don't have a copy of that one yet either)
PF> system, therefore, which would lead me to believe that running the CRC
PF> check without the virus TSR would allow you to identify the actual
PF> infected files. Also, it seems like the only way to catch it TSR is to
PF> trace the interrupt vectors (although everyone seems to have a little
i've always thought that by having your own tsr grab the interupts first
might be a good way to stop unwanted tsr's from grabbing them. (i'm sure
someone will argue the point tho)
...space is merely a device to keep everything from being
in the same spot...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#: 4278 *Virus Info*
09-08-90 13:51:00 (Read 5 Times)
From: DUANE BROWN
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 3813 (SECURING YOUR UPLOADS)
PL>present. I have the Key fake program if it will help you!
PL>That file will enter the "Y or N" Question when the batch
PL>file comes to Are you sure? Y or N. Meaning you had the
PL>batch file to delete all programs in the temp check
That's easy to fix the problem about del *.* -- just do
echo y | del *.*
then the Y gets placed in there automatically...no keyfake, nothing!
---
* Origin: End of the Line. Stafford, Va. (703)720-1624. (1:274/16)
Msg#: 4279 *Virus Info*
09-07-90 12:45:00 (Read 5 Times)
From: CHARLES HANNUM
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 4031 (RE: PKZ120.ZIP)
>Didn't someone say that because someone had already hacked an earlier
>version of PKZIP that 120 would be the next scheduled release?
>Anybody have any info?
Yes. Phil Katz said it.
--- ZMailQ 1.12 (QuickBBS)
* Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)
Msg#: 4280 *Virus Info*
09-08-90 10:49:00 (Read 4 Times)
From: JAMES BARRETT
To: ALL
Subj: SEPTEMBER 18-20, 1990
I have heard somebody mention that there will be a major virus in the next
couple of weeks. What's the scoop? I'm involved in a college campus computer
lab and need to know what's coming and how to prepare for it. Will ScanV66
catch it????
Thanks in advance...
--JCB
--- XRS 3.40+
* Origin: >- c y n o s u r e -< 919-929-5153 <HST><XRS> (RAX 1:151/501.14)
Msg#: 4281 *Virus Info*
09-08-90 17:39:00 (Read 4 Times)
From: HERB BROWN
To: KEN DORSHIMER
Subj: REPLY TO MSG# 4032 (RE: LET ME REPHRASE THAT.....)
With a sharp eye <Sep 06 19:15>, Ken Dorshimer (1:203/42.753) noted:
KD>i've always thought that by having your own tsr grab the interupts
KD>first
KD>might be a good way to stop unwanted tsr's from grabbing them. (i'm
KD>sure
KD>someone will argue the point tho)
Depends on who got there first, I would presume.. Also, multiple TSR's would be
a nightmare, colliding and such.
--- QM v1.00
* Origin: Delta Point (1:396/5.11)
Msg#: 4535 *Virus Info*
09-07-90 08:04:00 (Read 4 Times)
From: PAUL FERGUSON
To: DOUG EMMETT
Subj: SCAN FROM C:
Hello, Doug....
Doug, I must tell you that it is not advisable to run ViruScan
from your hard disc....It really should ALWAYS be run from a WRITE
PROTECTED FLOPPY....Scan can become easily infected when ran in an
infected environment on a HD. BTW....Software that "Write Protects" you
r hard disc may work in some cases, but can be circunvented.
Be safe.....
-Paul
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 4536 *Virus Info*
09-07-90 08:06:00 (Read 4 Times)
From: PAUL FERGUSON
To: LONNIE DENNISON
Subj: WELCOME...
Glad to have you........
Welcome aboard....
-Paul ^@@^........
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 4537 *Virus Info*
09-07-90 08:09:00 (Read 4 Times)
From: PAUL FERGUSON
To: RICHARD HUFFMAN
Subj: REPLY TO MSG# 4027 (ARC.EXE)
Richard,
Please E- me out of the conference....I would like to discuss this
a little further......Better yet, contact me at the NCSA BBS in DC
(202) 364-1304 at 1200/2400, 8,N,1.....I can be reached in the VIRUS
Conference.....Thanks, -Paul
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 4538 *Virus Info*
08-16-90 08:30:00 (Read 5 Times)
From: ALAN DAWSON
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 3183 (RE: VIRUS SCANNERS....)
PH> I just wish the people writing this viruses would find more
PH> useful things to do with their talents....such as trying to
PH> help people instead of harm their systems.
Hear, hear! The frustrating, rug-chewing, desk-beating,
monitor-smashing, stomp-down crying SHAME is that some of these
viruses, on a technical level, are tremendously slick, wonderous
programs. The people writing them are wonderful programmers. Just
think what these people could be doing to help our PCs work better by
writing a different kind of program -- and, potentially, how much
money they might be able to make. They obviously have inventive
minds, many of them. Such inventiveness could be put to such great
use.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 4539 *Virus Info*
08-16-90 08:36:00 (Read 5 Times)
From: ALAN DAWSON
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4538 (RE: VIRUS SCANNERS....)
PH> I'd agree with that. The anti-viral program should be able to
PH> detect that it is infected and produce a warning, though it may
PH> still execute. By the time the anti-viral program has
PH> determined its been infected, you've already infected system
PH> memory or spread the virus.
Sure. Something ELSE has infected it. No reason not to let it run so
long as it still works. One of our local youngsters wrote a wonderful
remover of the Dark Avenger -- about 1400 bytes and worked like a
charm. Only one teensy-weensy trouble -- the remover got infected and
didn't warn you. That's not really one of the more useful programs to
have around.
Since it seems to be the constant topic of conversation here,
SCANV's routine of warning of infection and continuing its duties is
great.
A common cause of re-infection is forgetting to remove the tools
you used in the disinfection process -- stuff like LIST, just for
example, that you might have used to examine the virus.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 4540 *Virus Info*
08-16-90 08:52:00 (Read 5 Times)
From: ALAN DAWSON
To: MICHAEL TUNN
Subj: REPLY TO MSG# 2899 (RE: WHAT'S THE SOLUTION?)
MT> It seems to me our Virus checking programs will just get bigger
MT> and bigger as more viruses and strains of the same viruses are
MT> discovered. If so (and if their development is excelerating)
Right. Question of the Year (1991??): What can you call it after you've
hit the SCANV999 wall?
MT> Do we do develop new Operating Systems which are far more
MT> secure!
Well, at least a new DOS which allows 9-character names? Then we
could do SCANV9999. [joke].
MT> Do we crawl in a hole and hope it wont happen to us?
No, in a metaphor placed in 1970 terms, we get to the airport two
hours before flight time for the security checks. And for the same
reason, too -- the unwillingness of the many to take the resolve to
remove the few. We have, most of us, helped the virus writers build
up their existing sick belief that we are willing participants in
some kind of game here. They win if they manage to steal our time,
programs, disk space and data. They only do it because they had an
unhappy childhood, right?
One tangible result of allowing them to feed on this warped view
is this echo, where we're all trying to get to the airport two hours
early for the security check -- AND WE'RE ALL WASTING TWO HOURS
because somebody we don't know might try to hurt us.
We should have sympathy for Robert Morris, of course, because
after all, he was just experimenting and not REALLY trying to hurt
anyone, right? I have a one-word, two-syllable response to that but
FidoNet policy frowns down upon me for thinking of using it.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 4541 *Virus Info*
08-16-90 09:25:00 (Read 4 Times)
From: ALAN DAWSON
To: KEN DORSHIMER
Subj: RE: VIRUSES, WHAT ELSE...
KD> not sure on that one, who knows what menagerie of thoughts
KD> wander through clients minds.. :-) actually, i was unaware of
KD> Corporate Vaccine (maybe I should get out more). I'm a little
KD> concerned that the commercial programs may not be aware of some
KD> of the newer viruses which crop up from time to time.
This is just a thought, too. But why not take your clients into your
confidence, and point out to them that it is virtually impossible for
anyone to match the up-to-dateness of a BBS distribution system?
You're a BBSer. You know, just for example, that without BBSes McAfee
couldn't have a program-of-the-week. Distribution of what your
clients think of as commercial software simply isn't up to this
standard -- isn't meant to be; never was; probably never will be.
Seems to me if your clients like the SCANV concept, you should
explain to them why they should be using SCANV. Why reinvent the
wheel?
If it wasn't that commercial messages which mention something
other than SCANV often seem to get flamed here, I'd tell you about my
commercial, non-BBS, wholly generic virus detector that doesn't need
upgrading, which is available in North America and which soon will be
launched there. But I don't want to get flamed, so I won't.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 4542 *Virus Info*
08-29-90 12:26:00 (Read 5 Times)
From: ALAN DAWSON
To: KEN DORSHIMER
Subj: REPLY TO MSG# 3815 (RE: CRC CHECKING)
PH>> Except in the case of Stealth Viruses....CRC checking doesn't work
PH>> with them.
PH>>
KD> i'd have to see that for myself. i think a complex enough
KD> algorithm would keep them at bay. the probability factor is
KD> just too low for such a stealth scheme to work.
Roger that. A program (such as a virus) can possibly figure out a
checksum or CRC and "fool" your checker. But complex and random
checksumming or CRCing is beyond the real-world possibility of defeat
by a PC virus -- it would have to be too big and complex itself.
Our strategy on our anti-virus program is to have eight different
algorithms, and to use two of them on each checksum pass. Which two,
even we do not know. Your virus then would have to take into account
64 reasonably complex algorithmic possibilities to defeat it.
Patti is technically correct that this can be done -- but not in
the real world. I'd tend to be slightly suspicious if my word
processor suddenly grew by the size of THIS virus. Most programs
would, in fact, be incapable of loading it.
As you say -- make it complex (which isn't so difficult) and keep
churning out hundreds of different algorithms. Then you can forget
about "stealth" viruses succeeding.
- From Thailand, a warm country in more ways than one.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 4543 *Virus Info*
09-01-90 21:26:00 (Read 5 Times)
From: ALAN DAWSON
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 3154 (RE: SCAN WEIRDNESS)
PL> Allan, I NEVER SCAN from the C Drive or any hard disk. I
PL> always scan from a write protected Floppy Diskette in Drive A.
This is absolutely correct, of course, and EXACTLY what's recommended
in the doc. I was just curious whether others had had the experience.
I do do some experimenting with viruses and anti-virus stuff, because
Bangkok's a "virus capital" (dumb dealers plus a whole raft of
pirates) and because I'm involved in a commercial anti-virus project.
This was just a weird thing that happened to me when I was "playing"
with Dark Avenger. I do wonder how many people follow that
"write-protected floppy" recommendation (order???) in the SCAN docs,
though.
One note on your comment: it might be hard for some people to
follow the recommendation, i.e. those with one floppy. The total
beauty of SCAN, really, is to look over that new stuff. A lot of
machines go to new people with one floppy drive.
A lot also go with two different floppy drives (my own setup)
although this of course is combatted simply by having TWO
write-protected diskettes with SCAN aboard.
- From Thailand, a warm country in more ways than one.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 4544 *Virus Info*
09-01-90 23:00:00 (Read 5 Times)
From: ALAN DAWSON
To: SANDY LOCKE
Subj: REPLY TO MSG# 3819 (RE: REMAPPING...)
SL> long time programmer I can testify the keyboard mapping is
SL> really quite simple... no real problem and the business of
SL> using terminal control code is quite as simple...
SL> sandy
Finally, some sanity, sandy. [grin] (no pun intended until after I
read that). The letter bomb, as a friend calls it, is alive, well and
could certainly flourish. I wouldn't lay a huge amount of money on
the ability to write a *virus* with remapping, but a bomb's a piece
of cake.
I THINK this thread started with the ability to put one directly
over a terminal BBS-to-user connection, and in general there seem by
my own experiments to be two chances of this: slim and fat. But, like
a virus, a letter bomb can be transmitted via a BBS to a user, and
then set off by that user in a number of pernicious ways that occur
to me right off the top of my head. None of which you will see writ
here, you understand -- but after watching this thread for a few
weeks, I'm glad you leapt in with both feet.
- From Thailand, a warm country in more ways than one.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 4545 *Virus Info*
09-06-90 18:59:00 (Read 5 Times)
From: ALAN DAWSON
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4543 (RE: SCAN WEIRDNESS)
PH> There are a couple of possibilities here. First, if the virus
PH> is on a non-executable file, such as one with a .VOM or .VXE
Nope, wasn't either of these Patti. I tried to put in everything, and
then forgot to say it was a regular file called AVENGER.COM -- a
small utility I infected to harbor the virus when I ran it for tests.
The utility originally was a small screen shell for looking at files
a la LIST. It USED to be 3K, but now it's a little bigger [grin]
PH> The other case is if your copy of Dark Avenger does not occur
PH> at the correct place in the file. Dark Avenger always adds its
PH> code to the End Of Programs. If your copy happens to have it at
Roger. This is right up against the end of the file.
PH> Hope that helps....those are the only three cases that I've
PH> heard of a similar problem to yours.
OK, no biggie. It was just that it was so weird I thought maybe you'd
heard of it. I'll try it again when we get SCAN66B just for fun. It's
not the kind of "bug" that's detrimental -- it's just one of those
hey-it's-not-supposed-to-do-that things. Stupid machines.
- From Thailand, a warm country in more ways than one.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 4546 *Virus Info*
09-06-90 19:00:00 (Read 5 Times)
From: ALAN DAWSON
To: SANDY LOCKE
Subj: REPLY TO MSG# 4539 (RE: VIRUS SCANNERS....)
SL> UH ALAN... you mind sending the NAME of this vendor via private
SL> e-mail... accidentally I can understand BUT ON PURPOSE??? what
SL> end would this kind of action serve???
SL> cheers
SL> sandy
This was before the Great Virus Scare of 1989 of course -- it was, if
my tremendously failing memory isn't failing me, in 1986. A Toronto
magazine put the virus in as a joke -- every time you started an
infected program, a brief ad for the mag jumped up. Ald. . . whoops,
the company name almost slipped out there, thought this was
hilarious, left it in and shipped the thing. I'll send full details
your way.
This same company, the next time it shipped viruses, claimed that
a guy in the shipping department was playing a game and accidentally
infected the shipment (exclaimer!!!!). Is this a company with a weird
sense of security, or what?
- From Thailand, a warm country in more ways than one.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 4746 *Virus Info*
09-09-90 14:33:00 (Read 4 Times)
From: CHARLES HANNUM
To: PHILLIP LAIRD
Subj: RE: MAKING SCAN READ ONLY.
> Patti, is it feasible to make Scan.Exe Read only? Doug Emmett was
> wondering about doing that. Couldn't you change the archive bits to
> read only? Also, doesn't scan have an internal routine to determine
> if it is damaged?
Setting the "Read-only" attribute wouldn't even *phase* a decent virus, and
SCAN's internal checksum is VERY weak. (It quite literally is a checksum.
It simply checks to see if all the words in the files add up to 0.)
--- ZMailQ 1.12 (QuickBBS)
* Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)
Msg#: 4747 *Virus Info*
09-09-90 07:35:00 (Read 5 Times)
From: JERRY MASEFIELD
To: CHARLES HANNUM
Subj: REPLY TO MSG# 4279 (RE: PKZ120.ZIP)
> >Didn't someone say that because someone had already hacked an earlier
> >version of PKZIP that 120 would be the next scheduled release?
> >Anybody have any info?
>
> Yes. Phil Katz said it.
No, Phil Katz said there WOULDN'T be a 120 release because of the same reason.
This would eliminate any confusions between the real and phony versions. Also,
Katz is offering a reward for any info leading to the arrest of the perpetrator
of this hacking.
--- TosScan 1.00
* Origin: On A Clear Disk You Can Seek Forever! (1:260/212)
Msg#: 4748 *Virus Info*
09-09-90 23:16:00 (Read 5 Times)
From: PHILLIP LAIRD
To: CHARLES HANNUM
Subj: REPLY TO MSG# 4747 (RE: PKZ120.ZIP)
** Quoting Charles Hannum to Phillip Laird **
>Yes. Phil Katz said it.
>
>--- ZMailQ 1.12 (QuickBBS)
> * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)
** End of Quote **
That is what I thought. As soon as he went and said it, somebody appearently
decided to hack it, huh?
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 4749 *Virus Info*
09-08-90 17:42:00 (Read 4 Times)
From: PAUL FERGUSON
To: KEN DORSHIMER
Subj: YEAH, BUT...
You're on the right track, Ken....But TSR's have a nasty habit of
fighting for control amongst each other. Some do not behave very well.
-Paul
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 4750 *Virus Info*
09-09-90 08:43:00 (Read 6 Times)
From: PATRICIA HOFFMAN
To: PHILLIP LAIRD
Subj: JERUSALEM B AND CLEANP64.ZIP
PL> I cleaned 17 infected files today with clean version 64. I have a good
PL> question. While the program removes the file, some where removed the
PL> first time around, others were scanned several times before the virus
PL> was actually removed. Can you tell me why?
The programs that were scanned several times probably were infected multiple
times with Jerusalem virus. A lot of the variants of Jerusalem B will infect
.EXE files repeatedly, eventually the program will get too large to fit into
memory. On files that are infected multiple times with Jerusalem, you'll see a
message come up for each infection as it is removed.
That is my guess as to what you observed...
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 4751 *Virus Info*
09-09-90 11:01:00 (Read 5 Times)
From: PATRICIA HOFFMAN
To: HERB BROWN
Subj: REPLY TO MSG# 4281 (LET ME REPHRASE THAT.....)
HB> I seem to be missing something here. As I understand it, to check for
HB> virii with a scanner, such as SCAN, or whatever, you boot from a
HB> uninfected floppy that has scan residing on it. Ok, now, how would a
HB> virus that works as a TSR, that probably is loaded from the boot sector
HB> from the hard disk be loaded, if you are booting from the floppy?
HB> Which, the floppy being write protected, of course, would not have this
HB> viral infection. I was under the assumption that the BIOS first
HB> checked drive A: at bootup for a disk, etc. It seems that it would be
HB> impossible to find a virii in memory with this type of scheme.. Please
HB> enlighten me..
The memory resident viruses that are a real problem when they are in memory and
any antiviral, whether a scanner or CRC checker, is run are not boot sector
infectors....4096, Fish-6, Dark Avenger, and many others which infect on file
open are file infectors. There are three that are file infectors but can also
infect and replicate from the partition table and/or boot sector: V2100,
Anthrax, and Plastique 5.21. (These last three are extremely rare, fairly new,
and not known in the United States.) All of the viruses mentioned about use
"Stealth" techniques to avoid detection or infect on file open.
If you are booting from an uninfected diskette when powering on the computer,
you wouldn't ever find a virus in memory. However, if you are performing a
warm reboot from a floppy, you could have a virus in memory still. The real
point here was that most people do not run scan or other anti-viral utilities
after powering on and booting from a floppy, so it is always possible for the
virus to be in memory.
In that particular case, for a CRC checker which is what was being discussed,
there are definite cases (the "Stealth" viruses) where the virus can get around
the CRC checker simply because if the virus is in memory it disinfects the
infected programs as they are read into memory. The CRC checker, since it is
performing file reads, reads the DOS buffers to check the program, so the
program it sees isn't infected and isn't the same as what is actually on the
disk. In the case of viruses that infect on file open, running an anti-viral
product against all the programs on a system with the virus active in memory
can very well result in all the programs becoming infected.
I'm not against CRC checkers, I use one all the time on several of my systems.
These systems all have master boot diskettes with clean system files, the CRC
checker, and the log of all the expected crc values to be returned. Most
people simply do not have that type of diskette setup for their systems since
they feel they'll never be infected with a virus. In fact, the probability
that a person will be infected with a virus is fairly low, though it does
change depending on the person's computing habits and how often they exchange
diskettes and/or programs with others.
I was trying to point out that NONE of the current anti-virals will absolutely
protect a user from getting a virus....all the techniques currently used by
anti-viral products can be circumvented by some of the newer, more
technologically advanced viruses. Not to point that out would be like burying
one's head in the sand, especially when the discussion has to do with someone
thinkin of writing a new anti-viral who needs to know what can currently be
circumvented. It is easier to fix the design before the program is written
then to fix it later after the hole is found....
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 4967 *Virus Info*
09-10-90 16:55:00 (Read 5 Times)
From: CHARLES HANNUM
To: JERRY MASEFIELD
Subj: REPLY TO MSG# 4748 (RE: PKZ120.ZIP)
>> >Didn't someone say that because someone had already hacked an earlier
>> >version of PKZIP that 120 would be the next scheduled release?
>> >Anybody have any info?
>>
>> Yes. Phil Katz said it.
> No, Phil Katz said there WOULDN'T be a 120 release because of the
> same reason. This would eliminate any confusions between the real
> and phony versions. Also, Katz is offering a reward for any info
> leading to the arrest of the perpetrator of this hacking.
Err, <retracting foot from mouth> I must have misread the original note...
--- ZMailQ 1.12 (QuickBBS)
* Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)
Msg#: 4968 *Virus Info*
09-10-90 17:54:00 (Read 5 Times)
From: CHARLES HANNUM
To: WHOM IT MAY CONCERN
Subj: LHARC 1.14B(ETA)
The 'b' is actually a beta, which makes me think he released it for testing
and it got loose, but is not yet an "official" release.
At any rate, I NEED AN ANSWER!! I have "LHarc 1.14b(eta)", and I really need
a definitive answer. IS IT REAL OR NOT?
--- ZMailQ 1.12 (QuickBBS)
* Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)
Msg#: 4969 *Virus Info*
09-10-90 23:13:00 (Read 4 Times)
From: PHILLIP LAIRD
To: DUANE BROWN
Subj: REPLY TO MSG# 4278 (RE: SECURING YOUR UPLOADS)
** Quoting Duane Brown to Phillip Laird **
>
>That's easy to fix the problem about del *.* -- just do
>
>echo y | del *.*
>
>then the Y gets placed in there automatically...no keyfake,
>nothing!
>
>---
> * Origin: End of the Line. Stafford, Va. (703)720-1624. (1:274/16)
** End of Quote **
Thanx.... Using the pipe redirection will do just that like you say. I use
the KEYFAKE Program for a reason with KEY.DAT in the program I just finished
that will check for bugs in uploads. It calls the routine externally from the
Execute file.
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 4970 *Virus Info*
09-10-90 23:21:00 (Read 6 Times)
From: PHILLIP LAIRD
To: ALAN DAWSON
Subj: REPLY TO MSG# 4545 (RE: SCAN WEIRDNESS)
** Quoting Alan Dawson to Phillip Laird **
>
>This is absolutely correct, of course, and EXACTLY what's recommended
>
>in the doc. I was just curious whether others had had the experience.
>
>I do do some experimenting with viruses and anti-virus stuff,
>because
>Bangkok's a "virus capital" (dumb dealers plus a whole raft
>of
>pirates) and because I'm involved in a commercial anti-virus
>project.
>--- Opus-CBCS 1.13
> * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand
>(3:608/9.0)
** End of Quote **
I totally agree that most people do not read the docs. I work for a University
in South East Texas. Some of the Micros have been plagued with viruses. I
have setup a routine for the Labs to Scan the Floppies coming in with SCAN.
This has just taken Place. Next thing I know, the clerk decides to run SCAN
From her hard drive on her desktop! Then Alameda hit her! The SCAN Program
has gone over good at the University. We are getting an order ready for a Site
License Agreement with MCafee and Associates. I do a little research on some
of the strains. However this BBS keeps me busy after work!
Weird thing about CLEAN.EXE the program to remove the Viruses. I am using
Clean Version 66 and sometimes the program will scan the file numerous times
before the virus is eventually removed. I guess the Marker is trying to move
around in the file? Anybody know?
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 4971 *Virus Info*
09-09-90 10:59:00 (Read 5 Times)
From: MIKE BADER
To: MARC SHEWRING
Subj: INFORMATION
Several anti-virus programs use signature files.
IBM (yech) for one, but VirHUNT by DDI alos
uses a file for signatures and goes into
quite a bit of detail in their manual.
I'll look up a better address and phone.
Mike
--- FD 1.99c
* Origin: P-1 BBS ][ (313) 542-9615 Ferndale, MI (HST) (1:120/45)
Msg#: 4972 *Virus Info*
09-06-90 20:56:00 (Read 8 Times)
From: CY WELCH
To: DEREK BILLINGSLEY
Subj: REPLY TO MSG# 3817 (POSSIBLE VIRUS?)
In a message to All <01 Sep 90 11:34:00> Derek Billingsley wrote:
DB> This just hit me today - I am not sure if it is some kind of system
DB> error or a potential virus.
DB> Last night (September first) and before gave me no indication of any
DB> virus being present on my system. It is now september 1st and now,
DB> whenever a file is written to disk (I noticed the text files first,
DB> but a downloaded zip'd file was also garbled...) it took out about
DB> 10 bytes from the beginning of each line...
DB> When I realized this may be set to occur on this date, I set my DATE
DB> back a night and everything worked fine... I made a sample text file
DB> with a known pattern of characters -- any date past september 1st
DB> 1990 leaves the file altered as mentioned above. Any date previous
DB> is written unharmed...
DB> SCANV56 reports only that the SCAN program is damaged - no disk
DB> presence of the source is evident.
DB> Has anyone heard of something like this happening?
Can't say I have heard of that but it sure sounds like a virus. I would
recommend getting a copy of scan v64 and see what it says. It might even be
something new.
--- XRS! 3.41+
* Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1)
Msg#: 4973 *Virus Info*
08-14-90 18:15:00 (Read 5 Times)
From: JAMES BLEACHER
To: DOUG BAGGETT
Subj: REPLY TO MSG# 2904 (ANTI VIRUS VIRUSES)
* Replying to a message originally to Patricia Hoffman
DB>well..here is a question..where exactly did viruses
DB>originate anyway..was it in this country or others?
DB>Doug
According to want I've read Dr. Fred Cohen at MIT developed the first virus
back in 1964 or so. This was to prove that code could actually replicate and
spread throughout a mainframe. My question is why on earth would he want to do
that in the first place?
---
* Origin: "Hey! Why's my COMMAND.COM larger than normal?" (1:151/801)
Msg#: 4974 *Virus Info*
08-14-90 18:23:00 (Read 5 Times)
From: JAMES BLEACHER
To: PAUL FERGUSON
Subj: REPLY AND ADDENDUM TO MSG 145
* Replying to a message originally to Alan Dawson
PF>You can always be sure of an uninfected SCAN IF you download
PF>from the
PF>authors' BBS....The program itself will terminate upon
PF>detection and
PF>has safeguards written into it to protect against such
PF>occurances....Of
PF>course, there are ways for an unsuspecting user (You know
PF>who) to
PF>infect the programs themselves and then re-archive
PF>unwittingly a
PF>viral Scan that will never know (depending upon the
WRONG! Scan checks itself upon startup and will give you a message to the
effect of:
FILE DAMAGED! "C:\SCAN.EXE"
But will continue to operate. If you see that message then you're in big
trouble. Viruses like the Dark Avenger will use scan's file checking (since it
opens all the files it's checking) to spread itself all over your floppy/hard
drive. Unless you've got a totally new virus that scan can't detect you don't
have anything to worry about if it's already infected when you get it. (Except
that it's probably detecting the virus all over your drive because it just
helped put it there!)
---
* Origin: "Hey! Why's my COMMAND.COM larger than normal?" (1:151/801)
Msg#: 4975 *Virus Info*
09-10-90 18:02:00 (Read 6 Times)
From: JAMES BLEACHER
To: DEREK BILLINGSLEY
Subj: REPLY TO MSG# 4972 (POSSIBLE VIRUS?)
DB>SCANV56 reports only that the SCAN program is damaged - no
DB>disk presence of the source is evident.
DB>
DB>Has anyone heard of something like this happening?
Well, first of all you've got an old version of scan. Try downloading scanv66b
from someone. I have it if you can't locate it elsewhere. Second if scan ever
reports being damaged there's a 99% chance that you've got a virus! Better
check into it quick! Hope you don't find that you have one but it sure sounds
like you do!
---
* Origin: "Hey! Why's my COMMAND.COM larger than normal?" (1:151/801)
Msg#: 5238 *Virus Info*
09-10-90 15:11:00 (Read 6 Times)
From: JOE MORLAN
To: JONO MOORE
Subj: REPLY TO MSG# 4028 (RE: LHARC114?)
I have learned from other sources that the latest official release of LHARC
is LH113D. The 'new' LHARC114 is said to be another unauthorized hack. It
evidently is NOT a virus. Yoshi has been quoted as stating on GENIE that the
next official release will be ver. 2.0. I hope this helps.
--- Telegard v2.5i Standard
* Origin: Telegard BBS (000-000-0000) (1:161/88.0)
Msg#: 5239 *Virus Info*
09-10-90 15:12:00 (Read 6 Times)
From: JOE MORLAN
To: HERB BROWN
Subj: REPLY TO MSG# 5238 (RE: LHARC114?)
Exactly. LHARC v1.14b is not a real release. Just another unauthorized hack.
--- Telegard v2.5i Standard
* Origin: Telegard BBS (000-000-0000) (1:161/88.0)
Msg#: 5240 *Virus Info*
09-07-90 20:35:00 (Read 6 Times)
From: CHRIS BARRETT
To: SIMON FOSTER
Subj: RE: MYSTERY VIRUS??
Could I ask wy the buffers would be causing the Boot Block to be altered.
I have since removed the val checks using ScanV66B and put some new ones on
using ScanV66B.
Could it be possible that someone has altered a bit of the code and as ScanV66
uses a string (or is it hex search) it doesn't find it?
eg In the Virus it originaly said "Your disk is stoned' and the person
converted it to say 'Your disk is now stoned'. If ScanV66 happens to look for
the original string to my knowlegde the virus would not be recognized.
Chris.
--- TBBS v2.1/NM
* Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654)
Msg#: 5241 *Virus Info*
09-12-90 22:11:00 (Read 6 Times)
From: PHILLIP LAIRD
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4751 (RE: LET ME REPHRASE THAT.....)
** Quoting Patricia Hoffman to Herb Brown **
>If you are booting from an uninfected diskette when powering
>on the computer, you wouldn't ever find a virus in memory.
> However, if you are performing a warm reboot from a floppy,
>you could have a virus in memory still. The real point here
>was that most people do not run scan or other anti-viral utilities
>after powering on and booting from a floppy, so it is always
>possible for the virus to be in memory.
** End of Quote **
THat is exactly the way I have found some of the Virii I researched as being.
If the virus is present in memory, then it is possible the the file will
infect, however, if the Scan Diskette is write protected and the diskette is
bootable, Like oyu say. It is BEST to cut the power to the system and then
re-boot the system. However, if you wanted to go a step further, it is
possible to clear all volatile RAM if you want to do a warm boot. The Warm
Boot can result in infection, since the ram is not cleared. The various
hardware interrupts are still performed and cotrol passed to Command.com, but
the System files are still present in memory, along with a virus possibly. Too
many people are now taking the virus issue too lightly. It can effect you,
take precaution and use the Floppy to boot up on with a Write Protect on the
Diskette. Then scan the drive from there.
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 5242 *Virus Info*
09-12-90 22:16:00 (Read 6 Times)
From: PHILLIP LAIRD
To: PATRICIA HOFFMAN
Subj: RE: JERUSALEM B AND CLEANP64.Z
** Quoting Patricia Hoffman to Phillip Laird **
> PL> I cleaned 17 infected files today with clean version 64.
> I have a good
> PL> question. While the program removes the file, some where
>removed the
> PL> first time around, others were scanned several times before
>the virus
> PL> was actually removed. Can you tell me why?
>
>The programs that were scanned several times probably were
>infected multiple times with Jerusalem virus. A lot of the
>variants of Jerusalem B will infect .EXE files repeatedly,
>eventually the program will get too large to fit into memory.
> On files that are infected multiple times with Jerusalem,
>you'll see a message come up for each infection as it is removed.
>
>
>That is my guess as to what you observed...
>
>Patti
>
** End of Quote **
That is exactly what I had suspected. I assumed the file was re-infected
several times as the size of the Original WP.EXE files that were infected once
was for example 112K, and the ones that were infected several times was around
173K. Some of the programs were non functional after clean ws performed on the
file. We just delte the file and re-copy it when that happens. The only safe
way to do it I have found is to go ahead anuse scans' /D option and delete the
file and re-copy it.
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 5887 *Virus Info*
09-14-90 14:05:00 (Read 5 Times)
From: MIKE MCCUNE
To: PATRICK TOULME
Subj: MOTHER FISH
Everybody was talking about the Mother Fish a few weeks ago. Now that it has
been out for mor than a week, nobody is saying anything about it. What's the
deal with this virus?
--- Opus-CBCS 1.13
* Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)
Msg#: 6048 *Virus Info*
09-14-90 07:05:00 (Read 4 Times)
From: JOE MORLAN
To: CHARLES HANNUM
Subj: REPLY TO MSG# 4968 (RE: LHARC 1.14B(ETA))
According to folks posting on the technical echo, Yoshi has stated on Genie
that the next official release after LHarc 1.13c will be LHarc 2.xx. Beta
versions of LHarc 2.0 are said to have been released in Japan. It is illogical
that 114b would be a valid release. The main change is the same as the known
unauthorized hack, ICE.
There are a few people on that echo that seem to believe that the release is
"real" based mostly on the source where the file had been posted. It seems
clear to me that it is just another unauthorized hack.
--- Telegard v2.5i Standard
* Origin: The Twilight Zone (415)-352-0433 (1:161/88.0)
Msg#: 6659 *Virus Info*
09-15-90 08:13:00 (Read 4 Times)
From: RICHARD HECK
To: ALL
Subj: CLEAN UP
I think that the newest version of cleanup was alot better then the version
before it.
Oh and watch out for that Sunday Virus.
--- outGATE v2.10
# Origin: SIGnet International GateHost (8:7501/103)
* Origin: Network Echogate (1:129/34)
Msg#: 6660 *Virus Info*
09-16-90 11:28:00 (Read 5 Times)
From: SATYR DAZE
To: CHRIS BARRETT
Subj: REPLY TO MSG# 5240 (RE: MYSTERY VIRUS??)
Sorry to butt in ..... you aparently have been infected by the Stoner-Marijauna
Virus , quite a few people here in florida myself included have seen this
little beauty.
After disinfecting yourself the damaged caused by the virus is unaltered.
Backup your harddrive and reformat it, after restoring it. Delete and redo
Autoexec.bat and Config.sys they have both also been altered.
Your Hardrive should now be back to snuff .... but before i forget run a
utility to mark and lock out bad sectors the Virus may have caused. These
unfortunaly are not always recoverable.
G'Day ....................... The Satyr Daze
--- TBBS v2.1/NM
* Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2)
Msg#: 6661 *Virus Info*
09-16-90 11:39:00 (Read 4 Times)
From: SATYR DAZE
To: GARY MOYER
Subj: REPLY TO MSG# 4546 (RE: VIRUS SCANNERS....)
Well you can Download a Virus scanner from a reputable BBS -- one that
actually checks all of it's files for viruses --- or go out and purchase a
Virus Scanner. Most of the downloadable stuffis by Mcaffe Associates, You can
purchase Virucide (commercial version) which checks and disinfects your files,
also by Mcaffe Associates for about $30.00. Not a bad buy when you consider the
consequences of not having a good scanner.
Just make sure that after Downloading a file, unarc-unzip-unwhatever it, But
under no circumstance activate it --- run it --. Run the scanner, if the file
checks clean go ahead and run it then. If it dosn't the program will warn you
and disinfect it. The reason you must open the file (unzip) is because
scanners can't look into an archived file.
The Satyr Daze
--- TBBS v2.1/NM
* Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2)
Msg#: 6662 *Virus Info*
09-16-90 13:40:00 (Read 4 Times)
From: SATYR DAZE
To: CHARLES HANNUM
Subj: REPLY TO MSG# 4973 (RE: ANTI VIRUS VIRUSES)
Actually the Honor of creating Viruses Belongs to John Conway, he was trying to
develop software that emulated living organisms. He developed the first "Game
of Life". As he created these new programs they became more and more complex
having intricate enviroments that the elements would have to over come in order
to survive.
But these were never allowed to get beyond that scope, Virus programs where
never destructive untill the "Core Wars". Opposing Programmers would create
self-replicating programms that when they encountered other self-replicaters
would try to devour them. Incidently it was called "Core Wars" because the
game itself took place in Core Memory . These young Programmers were actually
quite small in number and never publicly discussed what they were doing. If
any blame is to be attached it should be to Ken THompson who went public with
the process in 1983..... at that point it was "Discovered" by university
students who began creatingthe real nasties ..... Today many strains are just
variation of their original work.
Just a little History...............
The Satyr Daze
--- TBBS v2.1/NM
* Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2)
Msg#: 6663 *Virus Info*
09-14-90 19:31:00 (Read 5 Times)
From: RAJU DARYANANI
To: ALL
Subj: NETWARE BYPASSING JERUSALEM VIRUS
Does anyone have any details on the CERT announcement that it has
isolated a version of the Jerusalem virus that can bypass Novell
Netware's file protection settings and infect files ? Anyone know
of actual infections, how common it is and whether McAfee's SCAN detect
this virus ?
Raju
--- via Silver Xpress V2.24 [NR]
--- QM v1.00
* Origin: TAIC Maximus - DVNet Asia, PEP/V.32 High Speed PathFinder
(3:700/1.0)
Msg#: 6664 *Virus Info*
09-16-90 00:41:00 (Read 4 Times)
From: ALAN DAWSON
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 4970 (RE: SCAN WEIRDNESS)
PL> been plagued with viruses. I have setup a routine for the Labs
PL> to Scan the Floppies coming in with SCAN. This has just taken
PL> Place. Next thing I know, the clerk decides to run SCAN From
PL> her hard drive on her desktop! Then Alameda hit her! The SCAN
The next "killer-ap" should be the anti-stupidity program. If ever it
needed to be proved that "a little knowledge is a dangerous thing,"
computer users prove it to their techies daily!
PL> Weird thing about CLEAN.EXE the program to remove the Viruses.
PL> I am using Clean Version 66 and sometimes the program will scan
PL> the file numerous times before the virus is eventually removed.
I really don't like the whole idea of a "popular" virus remover. (A
specific cure for a specific virus on one site is different.) Any
yo-yo with PC-Tools or Norton can make a "new" virus and this makes
the possible results from a removal program very iffy. I really
believe in brute-force removal i.e. DEL VIRUS.COM, and re-install.
It's safer that way, and certain (after you check the floppies, of
course).
- From Thailand, a warm country in more ways than one.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#: 7165 *Virus Info*
08-31-90 20:15:00 (Read 4 Times)
From: CHRIS BARRETT
To: ALL
Subj: BOOKS ON VIRUSES
Could someone tell me somenames of books on Viruses and their authors.
As I am in Australia getting hold of them may be a problem though.
Hope you can help...
Chris..
--- TBBS v2.1/NM
* Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654)
Msg#: 7166 *Virus Info*
08-31-90 20:21:00 (Read 5 Times)
From: CHRIS BARRETT
To: ALL
Subj: REPLY TO MSG# 6660 (MYSTERY VIRUS??)
At my school we have some XT's with 2 360K FDD each. Lately we have noticed
that some of the students disks are being over written by the program disk they
were using. Eg some people have found the Turbo pascal files on their data
disks.
I brought in a copy of ScanV66 and placed a validation check on the program
disks (Not the data disks). Scanning showed no viruses (well known ones
anyway). But when we scanned them a week later we found some had had their Boot
Blocks altered.
In some cases the files on the data disk are just renamed to one on the program
disk. Eg we listed "TURBO.EXE" and found it to contain a students pascal source
code.
Could someone shed some light please..
I have told the teacher it is most likely home grown and he is sh*tting
himself.
Chris.
--- TBBS v2.1/NM
* Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654)
Msg#: 7167 *Virus Info*
09-01-90 18:28:00 (Read 4 Times)
From: DOUG EMMETT
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 6664 (RE: SCAN WEIRDNESS)
For the new boy would you mind explaining how to write protect Scan.Exe on the
C: drive-Thanks
--- Opus-CBCS 1.13
* Origin: The U.S.A. Connection-*HN-NZ*-(+64-71-566851) (3:772/260.0)
Msg#: 7168 *Virus Info*
09-02-90 14:18:00 (Read 4 Times)
From: WARREN ANDERSON
To: MIKE DURKIN
Subj: REPLY TO MSG# 2475 (INTERNET WORM)
Hi, No I have never come across the book. I would appreciate it if you could
provide a copy of the password list (just in case I can't get hold of a copy of
the book). Thanks again.
Regards
\/\/ /\/\ Anderson
--- Telegard v2.5 Standard
* Origin: InfoBoard BBS - Auckland - New Zealand (3:772/140.0)
Msg#: 7169 *Virus Info*
09-04-90 06:12:00 (Read 4 Times)
From: PAUL FERGUSON
To: YASHA KIDA
Subj: REPLY TO MSG. 134
Right on, Yasha......I couldn't have said it better myself.....This
town (DC) seems to have a real problem concerning this. That's OK,
though, as you have said, we shall see who they come running to when
the going gets rough.....
-Paul
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 7170 *Virus Info*
09-05-90 12:50:00 (Read 4 Times)
From: MICHAEL ADAMS
To: RICK THOMA
Subj: RE: PKZ120.EXE
Rick .. I had one uploaded to my Board called "PKZ120.exe". The File looks
Authentic. Even went to the point of -AV and the Pkware registeration number
on the last line after self extraction. If it were not for the file
"Warning.txt" put out by "Pkware" I'd still be using it. Really went through
alot of trouble authenticating it!
Michael Adams
Baud Horizons
(504) 436-9590
--- Maximus-CBCS v1.00
* Origin: The Southern Star - SDS/SDN/PDN - 504-885-5928 - (1:396/1)
Msg#: 7171 *Virus Info*
09-05-90 16:06:00 (Read 4 Times)
From: LONNIE DENISON
To: ALL
Subj: HEY
Just letting you know that I have joined my board (The Maze) to this echo..
hope we can contribute some info here!
Lonnie Denison
--- Telegard v2.5i Standard
* Origin: => The Maze <= 916-391-6118 "Would ya Believe" (1:203/60.0)
Msg#: 7172 *Virus Info*
09-05-90 18:28:00 (Read 4 Times)
From: PHILLIP LAIRD
To: KEVIN HIGGINS
Subj: REPLY TO MSG# 4969 (RE: SECURING YOUR UPLOADS)
Kevin, nice batch file for testing files for virrii. I am now Alpha testing my
new program that will work with TAG at present. I have the Key fake program if
it will help you! That file will enter the "Y or N" Question when the batch
file comes to Are you sure? Y or N. Meaning you had the batch file to delete
all programs in the temp check directory. I plan on a new realease of the
program to several BBSES that will work to help all Sysops keep out the Virii.
If you want Keyfake Program, just Tell me, and I will netmail it to you... I
had a run in with Jerusalem B [jeru] today at Lamar University. Seems the
Chemistry Department stockroom manager had already infected 17 files on his
hard drive. Clean removed the virus.
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 7173 *Virus Info*
09-05-90 18:30:00 (Read 5 Times)
From: PHILLIP LAIRD
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4750 (JERUSALEM B AND CLEANP64.ZIP)
Patti:
I cleaned 17 infected files today with clean version 64. I have a good
question. While the program removes the file, some where removed the first
time around, others were scanned several times before the virus was actually
removed. Can you tell me why?
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 7174 *Virus Info*
09-05-90 18:32:00 (Read 4 Times)
From: PHILLIP LAIRD
To: RICK THOMA
Subj: REPLY TO MSG# 4967 (RE: PKZ120.ZIP)
Didn't someone say that because someone had already hacked an earlier version
of PKZIP that 120 would be the next scheduled release? Anybody have any info?
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 7175 *Virus Info*
09-05-90 18:37:00 (Read 4 Times)
From: PHILLIP LAIRD
To: ALL
Subj: PROCOMM 3.10
Beware, there is a version of Procomm.zip going around in our area here in
Texas which boasts Procomm 3.10. After consulting with my friend at Datastorn
Technologies, he called my BBS and downloaded the file. I had a user complain
that the file hung and said "NUKE" at the lower left of his terminal.
Datastorm Technologies stated that this version doesn't exist, I.E.... the
latest was 2.4.3. The same user told me that the file one night then put a
message on his screen that stated "Does this IBM PC or Compatible have more
than one drive? Y or N " He immediately turned off the computer and didn't
answer the question. Althought we scanned this program and found no virus, we
disassembled it and also didn't find anything suspicious either. Be careful,
it might be a time bomb. If you know of this program, let me know at 1:19/49.
I would like to keep tabs on it.
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 7176 *Virus Info*
09-04-90 16:04:00 (Read 4 Times)
From: MIKE MCCUNE
To: TALLEY RAGAN
Subj: REPLY TO MSG# 4030 (RE: REMOVING JOSHI)
I have posted a new version that checks for the virus before
trying to remove it (now that I have a working copy of the
virus). It will not damage the partition table on uninfected
hard disks...<MM>.
--- KramMail v3.15
* Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)
Msg#: 7177 *Virus Info*
09-04-90 13:31:00 (Read 4 Times)
From: PAUL FERGUSON
To: KEN DORSHIMER
Subj: REPLY TO MSG# 5241 (LET ME REPHRASE THAT.....)
Ken-
This is a continuation of msg.# 156 (I dropped the
keyboard....Looong day, you know).....
Actually, I really should have said "virtually preconceived".
From what I can gather on the topic (I don't yet have a copy of 4096),
they actually redirect CRC/Checksum interrogators to a "snapshot" of
the original file as it appeared before infection.(Someone, I'm sure,
will correct me if I'm wrong or at least add enlightenment.)
The infected file, in the case of 4096, has in reality grown by 4096
bytes and would more than likely hang the system, therefore, which
would lead me to believe that running the CRC check without the virus
TSR would allow you to identify the actual infected files. Also, it
seems like the only way to catch it TSR is to trace the interrupt
vectors (although everyone seems to have a little bit of differing
ideas on this '->)
Until I can get my hands on this little fellow, I guess that I'll
just follow the more logical explanations from the sources with
credibilty and make a judgement from that! Sounds credible. But, as I'v
said before- I sure would like to see it.
I've been following several different message base threads on
this particular virus, with input from users at the basic levels to BBS
SysOps to the AntiViral research community.......I must say, it gets
overwhelming at times to keep objective. *:)
-Paul
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 7178 *Virus Info*
09-05-90 09:20:00 (Read 4 Times)
From: PAUL FERGUSON
To: EVERYONE
Subj: DETAILED INFO ON 4096...
The description in VSUM (August 15 release) of the 4096 virus has
gotten my usual curiousity arouser, along with a plethora of discussion
on this particular virus within many message conferences and viral
echos......Since I have not had the opportunity, yet, to obtain a
sample to personally examine, I must post a few questions to the field:
1.) Would someone like to elaborateon the structure of "Phases" that
the CVIA uses to catorgorize viruses? Please? ;-)
2.) I seem to remember mention (No, I don't have my copy of VSUM in
front of my now) of the virus (4096) containing it's own boot sector.
Could someone enlighten me on this , also?
3.) And, under what ? circumstances does the 'FRODO LIVES' msg.
appear and when does it not?
No offense, Patti, but I did think that on a couple of these points
that the VSUM doc was kinda sketchy (I know that is ALOT of work to
compile that baby and continually update, etc.!).
Perhaps with a little more detail, I will have settled my
curiousity and returned to other problems at hand...
-Paul
Patti- Any luck with last U/L? ,-)
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 7179 *Virus Info*
09-05-90 20:34:00 (Read 5 Times)
From: PATRICIA HOFFMAN
To: SEAN SOMERS
Subj: REPLY TO MSG# 4544 (RE: REMAPPING...)
SS> Off topic here, anybody out there encounter the French Revoloution
SS> virus? I was the first out here to discover it. What it does is nuke
SS> your HD while displaying an anti Western/English speaking Canadians.
Haven't seen or heard of that one before.... What does it infect? .COM, .EXE,
overlays, boot sectors, only floppies? If you want to send me a copy of it,
I'd be happy to take a look at it as well as pass it along to John McAfee's
group. Snail mail address is:
Patricia M. Hoffman
1556 Halford Avenue #127
Santa Clara, CA 95051
It can also be sent in a .ZIP file to my system, though be sure you don't route
it thru anyone, or directly uploaded here to a suspect area that is secured.
Not off-topic at all, that is what this conference is for....
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 7180 *Virus Info*
09-05-90 20:01:00 (Read 5 Times)
From: PATRICIA HOFFMAN
To: PAUL FERGUSON
Subj: REPLY TO MSG# 7178 (DETAILED INFO ON 4096...)
PF> 1.) Would someone like to elaborateon the structure of "Phases" that
PF> the CVIA uses to catorgorize viruses? Please? ;-)
PF>
VSUM doesn't necessarily use the McAfee or CVIA categorization techniques to
classify viruses. VSUM's categorization is a bit finer than McAfee's since in
many cases he can group things together for detection/removal purposes.
However, in describing them they don't make much sense that way. I haven't
seen a copy of the CVIA categorization in some time, but I believe they
classified by:
boot sector infector
parasitic file infector
overwriting file infector
Partition table infectors were (I think) thrown in with boot sector infectors
since at the time the only partition table infector was Stoned, which also
infected floppy boot sectors. They also classified by memory resident or
non-resident.
Generally, VSUM classified by memory resident/non-resident, what it infects,
file length change, symptoms, and other characteristics, as well as what virus
the new entry is based on if applicable. In the case of memory resident
viruses, there is a code to indicate how or where it is memory resident.
McAfee and I had a loooonnnnnggggg discussion on classification and naming
awhile back, and "agreed we could disagree" since how he uses the names in Scan
isn't workable for VSUM, and using the VSUM naming in Scan would not serve his
purposes since he needs to group variants in many cases. If possible, though,
we try to use the same names. If VSUM differs, the name that will be indicated
by Scan is indicated as an alias. McAfee's current classification methods as
indicated in VIRLIST.TXT which comes out with Scan also differs from the CVIA
classifications, and is fairly close to VSUM.
PF> 2.) I seem to remember mention (No, I don't have my copy of VSUM in
PF> front of my now) of the virus (4096) containing it's own boot sector.
PF> Could someone enlighten me on this , also?
PF>
Yes, it includes a boot sector, though do to an error in the virus, the
included boot sector isn't ever written to the hard disk or floppy boot sector.
This boot sector is where the "FRODO LIVES" message is....
PF> 3.) And, under what ? circumstances does the 'FRODO LIVES' msg.
PF> appear and when does it not?
PF>
Normally, due to a bug in the virus, the message is never displayed. If one
copies the boot sector from within the 4096 virus to a floppy diskette as
sector 0, and boots from it, the message will appear.
Of course, the above bugs may be fixed in a later version of the virus....but
the versions I've seen hang on September 22 when they were meant to activate
the Frodo Lives message.
PF>
PF> No offense, Patti, but I did think that on a couple of these points
PF> that the VSUM doc was kinda sketchy (I know that is ALOT of work to
PF> compile that baby and continually update, etc.!).
PF> Perhaps with a little more detail, I will have settled my
PF> curiousity and returned to other problems at hand...
PF>
No problem....A lot of time what makes perfect sense to me doesn't make sense
to others :-). There is always this question with VSUM on where to draw the
line on the descriptions.
PF> Patti- Any luck with last U/L? ,-)
PF>
Not yet....I'm busy working on analysing a new virus right now, and it is going
to take awhile....will probably be a Whale of a tale when I get done....and I
don't want to say anything prematurely on it.
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 7181 *Virus Info*
09-06-90 11:33:00 (Read 4 Times)
From: TONY JOHNSON
To: ALL
Subj: REPLY TO MSG# 3029 (CORE WARS)
Core Wars was a simulation system, it was not per se' a breeding ground for the
type of viri that you see today attacking systems and PCs. The programs tested
were called viri in the way they attacked and behaved while operating
within the Core Wars environment. I believe the "arena" used for the "viruses"
was an 8K memory grid, and that the programs/"viri" were limited to that area.
While those programs were not the same thing as what we see today chewing up
our beloved computers, I can say that Core Wars was an extremely enlightening
experience that had the programmers thinking about how a similiar type of
situation could apply to the actual computing world.
--- QM v1.00
* Origin: The 286 Express (504-282-5817) (1:396/30.0)
Msg#: 7182 *Virus Info*
09-06-90 13:09:00 (Read 5 Times)
From: CHARLES HANNUM
To: CHRIS BARRETT
Subj: REPLY TO MSG# 7166 (RE: MYSTERY VIRUS??)
>At my school we have some XT's with 2 360K FDD each. Lately we have
>noticed that some of the students disks are being over written by the
>program disk they were using. Eg some people have found the Turbo
>pascal files on their data disks.
This could happen (and has) if you are using disk caching software. That would
be a good place to look first.
--- ZMailQ 1.12 (QuickBBS)
* Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)