Msg#: 7183 *Virus Info* 09-05-90 22:31:00 (Read 6 Times) From: HAL SCHPERL To: CHRIS BARRETT Subj: REPLY TO MSG# 7182 (MYSTERY VIRUS??) > At my school we have some XT's with 2 360K FDD each. Lately we have > noticed that some of the students disks are being over written by the > program disk they were using. Eg some people have found the Turbo > pascal files on their data disks. > > I brought in a copy of ScanV66 and placed a validation check on the > program disks (Not the data disks). Scanning showed no viruses (well > known ones anyway). But when we scanned them a week later we found > some had had their Boot Blocks altered. > > In some cases the files on the data disk are just renamed to one on > the program disk. Eg we listed "TURBO.EXE" and found it to contain a > students pascal source code. > > Could someone shed some light please.. > I have told the teacher it is most likely home grown and he is > sh*tting himself. > > Chris. > --- TBBS v2.1/NM > * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - > (690/654) It does not have to be a virus to cause this. While creating files some programs assume that the diskette currently in the drive is the one that was started with. One that comes to mind is SideKick. I destroyed a few diskettes before I realized the problem. While using SideKick to edit a file on a diskette I popped it it down and forgot about the file. Then I changed diskettes and continued to edit the file with SideKick. I then saved the file forgetting about the diskette change. The result was the files were still on the diskette but the directory belonged to the previous disk. Since then I have encountered several other programs that can do this. --- FD 1.99c * Origin: I'd give my right arm to be ambidextrous .. (1:163/127.4) Msg#: 7184 *Virus Info* 09-06-90 18:28:00 (Read 4 Times) From: PHILLIP LAIRD To: DOUG EMMETT Subj: REPLY TO MSG# 7167 (RE: SCAN WEIRDNESS) Doug, wouldn't it be feasible for you to change the archive bits to read only on the Scan File. Supposedly, Scan has a built in Mechanism for determining if it has been damged. In fact, I found a virus had tried to copy to Scan.EXE and the message came back and warned that scan.exe was damaged! This was at a local University computing lab of PC's. This may be a question that John needs to answer or even Patti, the Moderator of the Echo. I will ask her. --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 7185 *Virus Info* 09-06-90 18:30:00 (Read 5 Times) From: PHILLIP LAIRD To: PATTI HOFFMAN Subj: REPLY TO MSG# 4746 (MAKING SCAN READ ONLY.) Patti, is it feasible to make Scan.Exe Read only? Doug Emmett was wondering about doing that. Couldn't you change the archive bits to read only? Also, doesn't scan have an internal routine to determine if it is damaged? --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 7186 *Virus Info* 09-06-90 09:32:00 (Read 5 Times) From: RICHARD HUFFMAN To: MICHAEL ADAMS Subj: REPLY TO MSG# 7170 (RE: PKZ120.EXE) Don't know if this one is still a problem, but I ran into a copy of ARC.EXE v5.4 that was a hard-disk formatter...... Wouldn't mention such an old program except that the problem resurfaced there a couple of months ago RTH --- SLMAIL v1.36M (#0264) * Origin: Foundation BBS * College Park, MD * (109:109/50) Msg#: 7187 *Virus Info* 09-03-90 12:18:00 (Read 6 Times) From: MARC SHEWRING To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 4971 (INFORMATION) Hi Patricia, I am a university student currently doing a research project on Viruses and I was wondering if you could help me or indicate as to where I could get some information on Virus signitures and scanning techniques. Thanx, in advance.... Marc --- Maximus-CBCS v1.02 * Origin: GAMMA ISTARI: Line 2 - Perth, Western Australia (3:690/627) Msg#: 7188 *Virus Info* 09-04-90 23:57:00 (Read 7 Times) From: SIMON FOSTER To: CHRIS BARRETT Subj: REPLY TO MSG# 7183 (MYSTERY VIRUS??) > At my school we have some XT's with 2 360K FDD each. Lately we > have noticed that some of the students disks are being over > written by the program disk they were using. Eg some people have > found the Turbo pascal files on their data disks. I was having a similar problem on my 386 when I got it and as I was running DesqView, etc assumed that was causing the probs (it was, in a way) ... I since discovered that it was simply that buffers was too low. Unfortunately you do not have a Hard Drive to see if that would be affected but your 'symptoms' are of a low buffers. so, simply change the config.sys and adjust the buffers value up about 15 this SHOULD fix it. If however, it doesn't, try getting hold of SCANv66b and try that Regs, Simon --- FD 1.99c * Origin: Jane doesn't live here anymore! (3:712/265) Msg#: 8162 *Virus Info* 09-12-90 12:42:00 (Read 6 Times) From: CHARLES HANNUM To: JAMES BLEACHER Subj: REPLY TO MSG# 6662 (RE: ANTI VIRUS VIRUSES) > According to want I've read Dr. Fred Cohen at MIT developed the > first virus back in 1964 or so. This was to prove that code could > actually replicate and spread throughout a mainframe. My question is > why on earth would he want to do that in the first place? Probably because some stupid manager said it was impossible... which is about the same logic Robert Tappan Morris used. --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#: 9381 *Virus Info* 09-19-90 22:32:00 (Read 5 Times) From: TOM SMITH @ 930/1 To: SATYR DAZE Subj: REPLY TO MSG# 6661 (RE: VIRUS SCANNERS....) "Satyr", the ARC/PAK/ZIP/LHARC shell program SHEZ will allow SCAN to "look into an archived file"; it uncompresses it to a working directory then passes the file info to SCAN which checks it. I've got my download BAT files set to fire it off automatically whenever I pick up an archive from a BBS. If you haven't looked at it, you might want to check it out; I've found it to be very helpful... Tom Smith/Dallas... --- QM v1.00 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0) * Origin: Network Gateway to RBBS-NET (RBBS-PC 1:10/8) Msg#: 9382 *Virus Info* 09-21-90 23:48:00 (Read 5 Times) From: PHILLIP LAIRD To: JEFF LANES Subj: RE: VIRUS AT LAMAR ** Quoting Jeff Lanes to Phillip Laird ** >Phillip, >My wife's business partner just had his system cratered by >some software he picked up at LU. I don't have any further >details like name of program or anything...YET! This guy is >NOT a hacker or BBSer...just a regular student (Grad) with >a PC at home for general homework and some business applications. > It's kinda scary when the average users get infected with >this stuff. Where is software legitimately obtained at the >school? Can you get it from the library or what? >More later! > >Jeff ** End of Quote ** Jeff, sorry to hear about that. I have been working on a program with several Department directors at Lamar concerning this "VIRUS" issue. The most common virus I have ran into is the notorious Jeruselum B Virus. You can use cleanp66.ZIP found on my BBS here to clean the virus. The other common viruses are Stoned and Stoned II. Someone (Perhaps a student) deleted the Chkdsk dos command on one system in the Business College Lab and replaced it with a nasy trojan. Tell your friend to try ScanV66B.zip to scan the Drive first whenever he boots up. If viruses are found he can run clean in most cases to clean the virus up. The best cleanup for a virus however, is the Delete command to delete the infected files. If the partitiion table was affected, then it could be the Stoned II virus that got him. How about having this gentleman to call me voice and see what I can do to help him. --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 9638 *Virus Info* 09-19-90 06:21:00 (Read 7 Times) From: YASHA KIDA To: RAJU DARYANANI Subj: RE: NETWARE BYPASSING JERUSALEM VIR Yes FEDERAL COMPUTER WEEK carried a FRONT PAGE article on the problem.... 2 months ago --- Maximus-CBCS v1.00 * Origin: Bragg IDBS, 82nd Airborne Bug hunter (1:151/305) Msg#: 9640 *Virus Info* 09-21-90 13:31:00 (Read 6 Times) From: PAUL FERGUSON To: RICK THOMA Subj: MCRC Rick, I'm always interested in anything that may be of =some= value to the computing community, so....Sure...I'll bite. Now, would you prefer to leave instructions to D/L a copy (BBS #, etc.) or would you prefer to U/L a copy to this board for my perusal? (See Origin) CRC checkers can have their merit if used in a =clean= environment, as you may well know. Awaiting input... Greetings from Capitol Hill -Paul --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 9641 *Virus Info* 09-22-90 13:33:00 (Read 6 Times) From: SATYR DAZE To: JIM HOBBS Subj: REPLY TO MSG# 8162 (RE: ANTI VIRUS VIRUSES) Well virus theory was being discused as far back as the 1940's. John von Neumann outlined an Idea of programms self-replicating themselves in "Theory and Organization of Complicated Automata". And if you want to really be boggled read his "The Computerand the Brain" .. I use the '83 date because after Mr Thompson's speech, the following year Scientific american published an article further discussing viruses togather with an offer were by sending in $2.00 they sent you information on how to write virus programs. I'm sure they rue the day they did that now. At that point viruses where "Fun". Harmless pranks one programmer could have with others. And also one that could be shared. The Gift that keeps on Giving ... so to speak. The Satyr Daze --- TBBS v2.1/NM * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2) Msg#:10870 *Virus Info* 09-09-90 23:21:00 (Read 6 Times) From: CY WELCH To: PHILLIP LAIRD Subj: REPLY TO MSG# 7173 (JERUSALEM B AND CLEANP64.ZIP) In a message to Patricia Hoffman <05 Sep 90 18:30:00> Phillip Laird wrote: PL> I cleaned 17 infected files today with clean version 64. I have a PL> good question. While the program removes the file, some where PL> removed the first time around, others were scanned several times PL> before the virus was actually removed. Can you tell me why? I can answer that. Jerusalem-B will infect an EXE file every time it runs. It only infects a COM file once but infect an EXE multiple times. Clean has to be run as many times as the file is infected to completely clean it out. --- XRS! 3.42+ * Origin: Former QuickBBS Beta Team Member *:- (RAX 99:9402/122.1) Msg#:10871 *Virus Info* 09-09-90 22:54:00 (Read 6 Times) From: PETER YARD To: CHRIS BARRETT Subj: REPLY TO MSG# 7188 (RE: MYSTERY VIRUS??) CB!>we have noticed that some of the students disks are being CB!>over written by the program disk they were using. Eg some CB!>to one on the program disk. Eg we listed "TURBO.EXE" and CB!>found it to contain a students pascal source code. Sounds like someone is puting their data disk in the same drive before the buffers are flushed. If you switch the disks while still in turbo.exe then when you exit the program DOS will overwrite the FAT and Directories with what it thinks should be there from the previous disk. Peter --- QuickBBS 2.64+ * Origin: Genius BBS.. Beaker Rulz OK! (3:640/486) Msg#:10873 *Virus Info* 09-11-90 06:50:00 (Read 5 Times) From: YASHA KIDA To: ALAN DAWSON Subj: REPLY TO MSG# 9381 (RE: VIRUS SCANNERS....) In a song of phrase on <16 Aug 90 08:30:58>, Alan Dawson (3:608/9) writes: AD> Hear, hear! The frustrating, rug-chewing, desk-beating, AD> monitor-smashing, stomp-down crying SHAME is that some of these AD> viruses, on a technical level, are tremendously slick, wonderous AD> programs. The people writing them are wonderful programmers. Just AD> think what these people could be doing to help our PCs work better by AD> writing a different kind of program -- and, potentially, how much AD> money they might be able to make. They obviously have inventive AD> minds, many of them. Such inventiveness could be put to such great AD> use. AD> Remember many of the Viruses are version B & C. Many of the modifications were not by the ORIGINAL programmers, but were people who improved on their code. These people most likey could'nt have ever started and finnished the coding from line 1. What I am saying is it is easy to modify code but Being the ORIGINAL writter is something else.... Don't kid yourself these people are doing what they enjoy.. Destroying peoples data or making a poltical statement. They could make $$$ programing and I sure many do. This is most likey a relief valve for them...or a way of screwing the world a littel... These people not super heros. To say they are great programmers is like saying LEE HARVEY OSWALD was a great shot. Yasha --- msged 1.99S ZTC * Origin: Bragg IDBS, (82nd - they can kick Iraqs booty) (1:151/305) Msg#:10874 *Virus Info* 09-11-90 07:06:00 (Read 7 Times) From: YASHA KIDA To: SKY RAIDER (Rcvd) Subj: REPLY TO MSG# 3974 (VIRUS POST ON BBS) In a message of <08 Sep 90 13:42:35>, Sky Raider (1:255/3) writes: SR> How about giving me SR> your system number so I can call and see the finished form (never been SR> quoted in this manner before). SR> SR> A questor of knowledge, SR> SR> Sky Raider SR> Ivan Baird, CET Sure the Number is 919-867-0754 23.5 hrs a day 7 days a week 300-14,400 baud supported --- msged 1.99S ZTC * Origin: Bragg IDBS, (82nd - they can kick Iraqs booty) (1:151/305) Msg#:11396 *Virus Info* 09-17-90 23:42:00 (Read 6 Times) From: PHILLIP LAIRD To: CY WELCH Subj: REPLY TO MSG# 10870 (RE: JERUSALEM B AND CLEANP64.ZIP) ** Quoting Cy Welch to Phillip Laird ** >I can answer that. Jerusalem-B will infect an EXE file every >time it runs. It only infects a COM file once but infect an >EXE multiple times. Clean has to be run as many times as the >file is infected to completely clean it out. ** End of Quote ** Yea, I figured that one out! Thanx for the help.... --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#:11397 *Virus Info* 09-17-90 23:46:00 (Read 5 Times) From: PHILLIP LAIRD To: ALL Subj: VIRUS REPORTED IN SHAREWARE FILE As reported by the Port Arthur Texas Computer Club, there is a file called Powermenu, Version 5.3 that reportedly carries some type of virus. This file is supposed to be distributed by a publication named "PC Today". If you have seen this file, please leave me mail in this echo. I have yet to see the file, however, I would like to know how widespread the file is. If you have had any problems with it, please explain that, too or netmail me at 19/49. Thanks. Phillip Laird [SYSOP] --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#:11399 *Virus Info* 09-18-90 06:32:00 (Read 4 Times) From: PHILLIP LAIRD To: ALAN DAWSON Subj: REPLY TO MSG# 7184 (RE: SCAN WEIRDNESS) ** Quoting Alan Dawson to Phillip Laird ** >believe in brute-force removal i.e. DEL VIRUS.COM, and re-install. > >It's safer that way, and certain (after you check the floppies, >of >course). > - From Thailand, a warm country in more ways than one. ** End of Quote ** Quite regular, the "DELETE" Disinfection IS the only way to go. After running cleanup some times, the user of the software complains that some programs do not work. I just recommend they delete not just the once infected file, but rather the software package and re-install it. I rememeber you mentioning that piracy abounds in Thailand. When I was working in the Middle East a few years back, i learned you could get a copy of most any software at the Computer stores. They had diskette copying devices. For 1 Riyal you were in business. This is another way viruses were spread. Everybody would come in and share diskettes. --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#:11400 *Virus Info* 09-17-90 18:34:00 (Read 4 Times) From: PAUL FERGUSON To: MIKE MCCUNE Subj: MFV Well, Mike, I can tell you this at least....It =will= be included in the next version of VSUM (due to be released around the 25th or so of the month). But, it is not even being called by that name at the moment. Perhaps, someone else (Patrick) will detail this more for you, but at the moment, it is not a topic for public discussion, obviously. Greatings from Capitol Hill -Paul --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:11401 *Virus Info* 09-18-90 06:35:00 (Read 6 Times) From: PATRICIA HOFFMAN To: CHRIS BARRETT Subj: REPLY TO MSG# 10871 (MYSTERY VIRUS??) CB> At my school we have some XT's with 2 360K FDD each. Lately we have CB> noticed that some of the students disks are being over written by the CB> program disk they were using. Eg some people have found the Turbo CB> pascal files on their data disks. CB> This may not be a virus at all, but instead operator error. It is possible that the students are switching diskettes after openning files, and then writing the programs back a different diskette than they originally read from. Some flavors of DOS will keep the disk directory in memory, and then update it and write it back to the diskette without checking that it is the correct diskette. CB> I brought in a copy of ScanV66 and placed a validation check on the CB> program disks (Not the data disks). Scanning showed no viruses (well CB> known ones anyway). But when we scanned them a week later we found some CB> had had their Boot Blocks altered. CB> Are you using ScanV66 or ScanV66B? V66 itself has an bug in it with the validation codes and was replaced with V66B shortly after release. Also, does the boot sector (sector 0 on the floppy) have any unusual messages in it, or does it lack the normal messages which appear at the end of the sector? CB> In some cases the files on the data disk are just renamed to one on the CB> program disk. Eg we listed "TURBO.EXE" and found it to contain a CB> students pascal source code. CB> Again, this could be user error described above.... CB> Could someone shed some light please.. CB> I have told the teacher it is most likely home grown and he is sh*tting CB> himself. CB> Those are my guesses, if you want to send one of the affected diskettes, I'd be happy to take a look at it and see if it contains an unknown virus or one that Scan can't detect. My mailing address is: Patricia Hoffman 1556 Halford Avenue #127 Santa Clara, CA 95051 --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:11402 *Virus Info* 09-18-90 06:47:00 (Read 6 Times) From: PATRICIA HOFFMAN To: SATYR DAZE Subj: REPLY TO MSG# 11401 (RE: MYSTERY VIRUS??) SD> Sorry to butt in ..... you aparently have been infected by the SD> Stoner-Marijauna Virus , quite a few people here in florida myself SD> included have seen this little beauty. SD> His symptoms don't match any known variant of the Stoned Virus. SD> After disinfecting yourself the damaged caused by the virus is SD> unaltered. SD> Backup your harddrive and reformat it, after restoring it. Delete and SD> redo Autoexec.bat and Config.sys they have both also been altered. SD> Stoned doesn't alter the AUTOEXEC.BAT or CONFIG.SYS. It infects floppy disk boot sectors and the hard disk partition table. When it infects, it usually moves the original boot sector on floppies to another sector which is usually in the root directory, which results in files being lost if the root directory had entries in that area. What is suggested, though, is that before disinfecting Stoned, the user backup his/her data files since in approximately 1 out of 10 cases, the disinfection will result in the partition table being lost on hard disks....this occurs with some hard disk controllers. SD> Your Hardrive should now be back to snuff .... but before i forget run SD> a utility to mark and lock out bad sectors the Virus may have caused. SD> These unfortunaly are not always recoverable. SD> Stoned doesn't cause bad sectors to be created. Two possibilities here...either the user disinfected after booting from a version of DOS that was not the same as what he was originally using, or the disk already had the bad sectors to begin with. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:11403 *Virus Info* 09-18-90 06:55:00 (Read 6 Times) From: PATRICIA HOFFMAN To: SATYR DAZE Subj: REPLY TO MSG# 10873 (RE: VIRUS SCANNERS....) SD> Well you can Download a Virus scanner from a reputable BBS -- one that SD> actually checks all of it's files for viruses --- or go out and SD> purchase a Virus Scanner. Most of the downloadable stuffis by Mcaffe SD> Associates, You can purchase Virucide (commercial version) which checks SD> and disinfects your files, also by Mcaffe Associates for about $30.00. SD> Not a bad buy when you consider the consequences of not having a good SD> scanner. SD> ViruCide is marketted by Parsons Technologies. The McAfee product that is sold directly by McAfee Associates is named Pro-Scan. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:11404 *Virus Info* 09-19-90 11:53:00 (Read 5 Times) From: JAMES DICK To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 11403 (RE: VIRUS SCANNERS....) On Tue, 18 Sep, Patricia Hoffman wrote to Satyr Daze PH > ViruCide is marketted by Parsons Technologies. The McAfee product PH > that is sold directly by McAfee Associates is named Pro-Scan. What are the features and costs of John's Pro-Scan and the ViruCide? -={ Jim }=- --- QM v1.00 * Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada (1:163/118.0) Msg#:11405 *Virus Info* 09-19-90 06:11:00 (Read 4 Times) From: PATRICK TOULME To: MIKE MCCUNE Subj: REPLY TO MSG# 5887 (RE: MOTHER FISH) MM> Everybody was talking about the Mother Fish a few weeks ago. Now that MM> it has been out for mor than a week, nobody is saying anything about MM> it. What's the deal with this virus? I think the deal is that nobody is really sure what it does, how it does it, and if the programs that look for it find it all the time. If a program misses it just once, you'll never be able to get it off a system. --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:11406 *Virus Info* 09-20-90 08:19:00 (Read 4 Times) From: RICK THOMA To: WHOMEVER Subj: MCRC CHECKER Some weeks ago, I mentioned a CRC checking utility I DL'd from Compu$erve, MCRC. I found it in a pile of old floppies. Now, who was interested in seeing it? --- FD 2.00 * Origin: Village BBS, Mahopac, NY 914-621-2719 *HST* (1:272/1) Msg#:11407 *Virus Info* 09-19-90 15:48:00 (Read 5 Times) From: RON LAUZON To: GARY MOYER Subj: REPLY TO MSG# 11404 (RE: VIRUS SCANNERS....) They are pretty accurate, but remember this: I have been BBS-ing (downloading alot) for over 7 years now. I have called BBSs across the US and I have never, first hand, seen a virus. That right there says something about how much hype the virus scares are. Also, remember something about the virus scan programs: They only find *known* viruses. If someone writes a new virus, you are vulnerable. You might want to check out something like Flu Shot+ if you want peace of mind. --- Telegard v2.5i Standard * Origin: The Flight of the Raven (313)-232-7815 (1:2200/107.0) Msg#:11408 *Virus Info* 09-20-90 16:13:00 (Read 4 Times) From: PAUL FERGUSON To: PATRICIA HOFFMAN Subj: PROSCAN Patti... I realize that this question should probably be directed to HomeBase and John, but since someone has already brought it up here within the conference, I'll go ahead and post it =anyway=.... You could you, by chance, the "enhancements" that Pro Scan vs. ViruScan......What are the differences in performance and effectiveness? How should (if it is, I don't see how) =shareware= suffer because of the nature of the beast, so to speak? And, is it at all? From what I can gather, the majority of funds are drawn from site licensing.....I would like to be able to rely (as I have) on a pelethera of detection utilities to maintain the constant "drop-net" within my own systems while making sure that any products that I may suggest for negotiated license through contacts will =remain= "top of the line". Pretty shakey forum topic but a dilemma nonetheless. Awaiting comments from the field ;-) Salutations from Capitol Hill -Paul --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:11409 *Virus Info* 09-20-90 20:44:00 (Read 5 Times) From: SATYR DAZE To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 11402 (RE: MYSTERY VIRUS??) Hi Patti He stated that he recieved a screen mesage informing him that his System was Stoned. I might be mistaken, but I'm sure that that is the Stoner-B virus Signiture. And while I agree that the Stoner Virus is known To attack the Boot Sector and Partition Table. This is what we saw in our Variant down here. After disinfecting the system, a backup was made. The HarDrive was then Reformated, but still would not Boot up correctly. It wasn't untill the Autoexec and Config files were deleted that it would. Oops ... I stand Corrected on Bad Sectors, I meant to run a utility to check for bad file linkages. Thanks for your info though, I just wish whoever keeps creating Variants would turn their obvious Talents to somthing more useful. The Satyr Daze --- TBBS v2.1/NM * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2) Msg#:11410 *Virus Info* 09-20-90 20:54:00 (Read 5 Times) From: SATYR DAZE To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 11407 (RE: VIRUS SCANNERS....) Hi Again, While Parsons Technology may Markett it, Mcaffe Assoc. has the Software Copyright --- TBBS v2.1/NM * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2) Msg#:11411 *Virus Info* 09-20-90 18:46:00 (Read 4 Times) From: JIM HOBBS To: SATYR DAZE Subj: REPLY TO MSG# 9641 (RE: ANTI VIRUS VIRUSES) > But these were never allowed to get beyond that scope, Virus programs where > never destructive untill the "Core Wars". Opposing Programmers would > create self-replicating programms that when they encountered other > self-replicaters would try to devour them. Incidently it was called "Core > Wars" because the game itself took place in Core Memory . These young > Programmers were actually quite small in number and never publicly > discussed what they were doing. If any blame is to be attached it should > be to Ken THompson who went public with the process in 1983..... at that > point it was "Discovered" by university students who began creatingthe real > nasties ..... Today many strains are just variation of their original work. I seem to recall that it was pretty well public by, say, 1974. Some operating systems even had features named after it. I recall it in the singular (Core War), by the way, but I wasn't taking notes! --- Dutchie V2.91d * Origin: Perelandra (1:203/42.386) Msg#:13385 *Virus Info* 09-29-90 09:01:00 (Read 4 Times) From: PATRICIA HOFFMAN To: ALL Subj: NODELIST PROBLEMS This is an FYI....If you are trying to poll or send netmail to my system, you could have a problem if you apply NodeDiff.271 which is being distributed this weekend. Net 204, of which I am a member of, was inadvertantly dropped from the nodelist with this nodediff. It should be back in place with the following nodediff. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:13386 *Virus Info* 09-29-90 09:05:00 (Read 4 Times) From: PATRICIA HOFFMAN To: JAMES DICK Subj: NEW RELEASES DELAYED JD> Patti, is there any chance of the VSUM???? being formatted with page JD> breaks at 60 lines/page and after each virus description. And page JD> numbering and an index would help find the various descriptions. JD> Not in the real near term future since almost all of my free time for the last few months has been used for researching and updating it for new viruses and variants. I won't be looking at the formatting again until the volume of new samples being received is lower, there are only so many hours in a day..... VSUM is purposely distributed as an ASCII file so that it can be used by anyone regardless of what type of computer they have. --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:13927 *Virus Info* 09-28-90 17:03:00 (Read 5 Times) From: KEN DORSHIMER To: TOM SMITH @ 930/1 Subj: REPLY TO MSG# 11410 (RE: VIRUS SCANNERS....) ...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Tom Smith @ 930/1 was saying: TS> working directory is removed. I don't know if the few seconds that an TS> infected COM or EXE exists in the working directory would give it time TS> to propogate to other files or not; I've never run into an infection, sounds impossible as the .COM and .EXE files are never actually run. they can't infect your system if you don't run them. common misconception. the same idea as if you had a disk with a virus sitting in a box of disks without viruses. the infected disk can't magically infect the other disks. fortunatly computers aren't people and don't get airborne viruses. :-) ...space is merely a device to keep everything from being in the same spot... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#:14132 *Virus Info* 09-24-90 17:50:00 (Read 5 Times) From: ALAN DAWSON To: YASHA KIDA Subj: REPLY TO MSG# 13927 (RE: VIRUS SCANNERS....) YK> To say they are great programmers is like saying LEE HARVEY YK> OSWALD was a great shot. I hear you, Yasha, and I'm not arguing with you. But the fact is that some of the new, first-generation assembler viruses ARE both inventive and original programming. Oswald wasn't a great shot; he was a Marine for goodness sake. It's not SUPPORTING perverts to say that Hitler was a great leader or that Machiavelli was an original political thinker-essayist. YK> * Origin: Bragg IDBS, (82nd - they can kick Iraqs booty) Boy, THAT takes me back. That's where *I* left CONUS for, um, "Southeast Asia." 23 years ago. Uh! That hurt. Cheers. - From Thailand, a warm country in more ways than one. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#:14133 *Virus Info* 09-29-90 20:31:00 (Read 5 Times) From: JOHN O'CONNOR To: TOM SMITH @ 930/1 Subj: REPLY TO MSG# 14132 (RE: VIRUS SCANNERS....) TS> Satyr, watching Shez work in virus scan mode's most interesting. TS> I don't know if the few seconds that an infected COM or EXE TS> exists in the working directory would give it time to propogate TS> to other files or not; I've never run into an infection, yet, TS> on my home system, although we did hit upon one at work. At this stage an suspected COM or EXE file is being treated as DATA, as far as the the virus scanner is concerned. It is just reading the file looking for known virus code. For a virus to trigger and infect a system, an infected program must be RUN. Until the CPU is fed virus code as instructions to run, there is no danger. When scanning for virus code, (within SHEZ or not) the program with control of the CPU is SCAN.EXE. It does not test-run suspected programs to check them for virii, it simply reads them. JOC --- via Silver Xpress V2.27 [NR] * Origin: Sunmap Multline BBS - Brisbane - Australia (3:640/206) Msg#:14134 *Virus Info* 09-30-90 19:24:00 (Read 4 Times) From: KEN JONES To: RON LAUZON Subj: RE: NARROW VIEW > In all > those years, I have never seen a virus. Moreover, I have never > talked to > anyone (on the BBSs or face to face) who ever encountered a virus. > That says Hmmm.... I thought I could say that a few months ago. I was called into work early one day because one of the p/c's was acting strange. A scan of the drive said it had a Jerusalem B virus, 2 days later a friend called and asked what was the best way of removing the Jerusalem B virus. This was a different system completly some 40 miles away. Then to top it off 2 sysops in the area called and left messages on my system that they would be down till they removed, you got it, the Jerusalem B again. This all took place in less than 5 days. In those 5 days it poped up in. San Francisco Fairfield Oakland San Leandro I left as quick as it hit, I'm sure there were other unknown systems in the area that had it also, it just seems strange that the small circle I'm involved with, 4 totaly unrelated systems were hit. The source of the virus is still a mystery, the only thing that was in common was each system had a file on it called MIRROR. I forgot what the extension was. Well thats my 2 cents --- Telegard v2.5i Standard * Origin: The Twilight Zone (415)-352-0433 (1:161/88.0) Msg#:14135 *Virus Info* 09-30-90 16:27:00 (Read 4 Times) From: TOM PREECE To: RON LAUZON Subj: REPLY TO MSG# 14134 (RE: NARROW VIEW) How prudent can you be? As many others have been I was infected by commercial software provided to me by an upright and legitimate computer dealer. Scan allowed me to survive and thrive. Otherwise I wouldn't be here. --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#:14136 *Virus Info* 10-01-90 18:18:00 (Read 4 Times) From: TOM PREECE To: ALL Subj: VIRUS - TROJANS FOR EVERYONE. Locally we experienced a trojan that was an exe file compiled by a utility that converts .bat to .exe files. The file purported to be a means to provide mnp5 performance from an ordinary modem. In fact the compiled bat instructions destroyed the C: drive. What bothers me about this is the simplicity with which anybody could do this. I have the Bat2exec.zip file which performs the conversions. I have not used it because the majority of my bat files are short fast executing things anyway. Has anybody else encountered the problem and is there any sort of generic defense that we might arrange against the generic attack files which may follow? --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#:14137 *Virus Info* 10-01-90 18:24:00 (Read 4 Times) From: TOM PREECE To: KEN JONES Subj: REPLY TO MSG# 14135 (RE: NARROW VIEW) Ken I live in Hayward. I believe my system was infected by a Disk Manager diskette provided to me by a dealer who admitted that some of his system were infected by the jeru B virus. Naturally he wanted to tell me that I had picked up my infection from a BBS. Strange to relate, none of the local boards to which I restrict my calling had this infection. This dealer was in Sunnyvale. If that raises any suspicions from the list of boards that you are referring to, why don't you call me voice some evening before 7:00 (lock up the phone with BBS'ing after that usually) and I'll tell you the dealer name. They claim to have dealt with the problem so I don't want to smear them perhaps inappropriately. My home number is 415-889-0898. My work number if you want to try (I might not be there) is 415-744-7577. --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#:15496 *Virus Info* 09-22-90 19:32:00 (Read 4 Times) From: PAUL FERGUSON To: RON LAUZON Subj: REPLY TO MSG# 14137 (NARROW VIEW) Ron, With all due respect, my friend...if you continue along with the narrow frame of mind that you seem so intent on inflicting upon others, then we all should take heed. For the reason that =you= have never been confronted with any viral types is certainly no reason to make light of the situation (you're in the wrong conference for that). You'd be quite surprised just how many that I've run across just within my clients and our audit sites alone....simply mind boggling what the average user can pick up along the way. You obviously seem to be in =no= position to be suggesting =any= Anti Viral detection/removal utilities that you have not =personally= tried yourself, and I think that we all would benefit from any such conjecture from anyone who has not personally been inflicted by the scourge. I do not know what locale that you are dealing with, but here in the nations' capitol, we seem to be constantly a target for malcontents. Cheers, Ron.....No harm intended, just fact.... Salutations from Capitol Hill -Paul --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:15497 *Virus Info* 09-23-90 12:20:00 (Read 4 Times) From: SATYR DAZE To: TOM SMITH @ 930/1 Subj: REPLY TO MSG# 14133 (RE: VIRUS SCANNERS....) While I've heard of "it", I havn't actually seen it yet. Does it work on all types of File-Compression files. You said it uncompressess it to a working Directory is this before or after it checks it out. If before then what is the benefit, or does it load these files into memory some how ??? The Satyr --- TBBS v2.1/NM * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2) Msg#:15503 *Virus Info* 09-23-90 07:14:00 (Read 6 Times) From: PATRICIA HOFFMAN To: SATYR DAZE Subj: REPLY TO MSG# 11409 (RE: MYSTERY VIRUS??) SD> He stated that he recieved a screen mesage informing him that SD> his System was Stoned. I might be mistaken, but I'm sure that that is SD> the Stoner-B virus Signiture. Hmmm....the message when it got here didn't have anything in it saying it displayed a message on boot, just that they found that the boot sector had been altered somehow after a week of noticing the problems. SD> SD> And while I agree that the Stoner Virus is known To attack the Boot SD> Sector and Partition Table. This is what we saw in our Variant down SD> here. After disinfecting the system, a backup was made. The HarDrive SD> was then Reformated, but still would not Boot up correctly. It wasn't SD> untill the Autoexec and Config files were deleted that it would. SD> SD> Oops ... I stand Corrected on Bad Sectors, I meant to run a utility to SD> check for bad file linkages. SD> Did you by any chance low-level format the drive, or just do a regular format? Also, when you disinfected, are you sure you used the same version of DOS to boot from before disinfecting? SD> Thanks for your info though, I just wish whoever keeps creating SD> Variants would turn their obvious Talents to somthing more useful. SD> You aren't the only one.... --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:15504 *Virus Info* 09-23-90 07:23:00 (Read 5 Times) From: PATRICIA HOFFMAN To: SATYR DAZE Subj: REPLY TO MSG# 15497 (RE: VIRUS SCANNERS....) SD> While Parsons Technology may Markett it, Mcaffe Assoc. has SD> the Software Copyright True...and I've already indicated that ViruCide is essentially the McAfee Associates' Pro-Scan product with a different name since it is licensed to and marketted by Parsons Technology. The reason I brought up the point was that if someone wants to buy this product, they need to contact Parsons Technology. If they contact McAfee Associates, they will get referred to Parsons....same with upgrades, etc. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:15505 *Virus Info* 09-23-90 07:30:00 (Read 5 Times) From: PATRICIA HOFFMAN To: PHILLIP LAIRD Subj: REPLY TO MSG# 9382 (RE: VIRUS AT LAMAR) PL> The best cleanup for a virus however, is the Delete command to delete PL> the infected files. If the partitiion table was affected, then it PL> could be the Stoned II virus that got him. How about having this PL> gentleman to call me voice and see what I can do to help him. PL> Very good advice! There are a lot of files that won't disinfect correctly, such as programs that use internal overlays, or files that have the length set in the .EXE header incorrectly to begin with....so running a disinfector can result in the infected file not working correctly after disinfection. The only saving grace is that the program probably didn't run correctly before disinfection either since in the case of files with internal overlays, the virus would have overlayed part of the program. Also, disinfectors typically can only disinfect the more common viruses since they account for 90%+ of all infections, or new viruses which are thought will be a future problem due to their characteristics. If you are unlucky enough to get a rare virus, then you would have to replace all the programs. The only advice I would add is if someone is infected with any of the viruses which infect the partition table, they should backup critical data files they can't afford to loose before attempting to disinfect the system. There are some combinations of DOS/BIOS/Hardware which, when disinfected, can result in the hard drive becoming inaccessible (happens in about 10% of the Stoned/Stoned II cases). Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:15506 *Virus Info* 09-23-90 07:37:00 (Read 5 Times) From: PATRICIA HOFFMAN To: ALL Subj: REPLY TO MSG# 13386 (NEW RELEASES DELAYED) The next release of the McAfee Associates programs scheduled for September 25 have been rescheduled to October 2 or 3, according to the call I received yesterday from McAfee himself. The delay is to allow them to complete some addition of new features to the programs. If you call Homebase to pickup these programs, hold off until the 3rd so that you don't have an unneeded long-distance call.... Due to illness and having one of my two test machines having intermittent hardware problems, I'm going to be also delaying the release of the new version of the Virus Information Summary List until October 2 or 3 as well. The additional week in there is to make sure the Whale virus makes it into the new version of the listing, as well as insuring that almost (if not) all of the new viruses and variants I've received are included. The October 2 or 3 release will be VSUM9009.Zip, there will still be an October release which is scheduled for late October though they will be just two or three weeks apart. The October release will also include another new "section" to the list that several people have indicated they thought would be useful.... ....more about that right before the release date. Hopefully, this message will allow some of the non-Silicon Valley users of the McAfee programs and my listing to avoid long-distance charges if picking up new releases is their primary reason to place the calls.... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:15507 *Virus Info* 09-23-90 09:57:00 (Read 4 Times) From: BEN SAMMAN To: ALL Subj: QUICK QUESTION. I just got my system trashed twice..by the same bug if it is one..or if it's hadware... What it does is it causes the drive(hard drive mind you) light to flash on and off intermittenntly with intervals of 1 second...the hard drive becomes unusable till midnight the next day... Has there been other reports of such a virus? --- Telegard v2.5i Standard * Origin: The Twilight Zone (415)-352-0433 (1:161/88.0) Msg#:15508 *Virus Info* 09-22-90 09:24:00 (Read 4 Times) From: PAUL LOEBER To: RON LAUZON Subj: REPLY TO MSG# 15504 (RE: VIRUS SCANNERS....) ** Quoting Ron Lauzon to Gary Moyer ** >They are pretty accurate, but remember this: I have been BBS-ing >(downloading alot) for over 7 years now. I have called BBSs >across the US and I have never, first hand, seen a virus. >That right there says something about how much hype the virus >scares are. ** End of Quote ** I used to say that, too. In fact, I used almost the same, exact words. However, recently almost all of the PC's at the college where I teach information systems got the Stoner virus. Since I have students turn in disks as homework, had I not taken the appropriate precautions, my machine would have becomed "stoned" as well. Currently, several of my users who work for Ford have "caught" the Joshi (sp?) virus and have been on my board looking for the "cure". I no longer have a cavalier attitude when it comes to viruses. --- TAGMAIL v2.30 * Origin: Downriver Download (1:120/137) Msg#:15509 *Virus Info* 09-25-90 10:47:00 (Read 4 Times) From: SCOTT HOWELL To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 15506 (RE: NEW RELEASES DELAYED) >To: All > >version of the Virus Information Summary List until October 2 or 3 as well. >The additional week in there is to make sure the Whale virus makes it into >the new version of the listing, as well as insuring that almost (if not) >all of the new viruses and variants I've received are included. The >October 2 or 3 release will be VSUM9009.Zip, there will still be an October >release which is scheduled for late October though they will be just two or >three weeks apart. The October release will also include another new >"section" to the list that several people have indicated they thought would >be useful.... ....more about that right before the release date. If this list is available via file request I would be most interested in picking a copy up from you when it is made available. I am always trying to keep my users up to date with the latest scan utils and virus listings. Any help would be very much so appreciated. Scott Howell --- SLMAIL v1.36M (#0264) * Origin: Foundation BBS * College Park, MD * (109:109/521) Msg#:15510 *Virus Info* 09-25-90 19:03:00 (Read 4 Times) From: TONY JOHNSON To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2896 (COMMUNICATION VIRALS) PH> I believe one of them is Prodigy, which requires their software to be PH> running on your system in order for you to be able to access them. QLINK is another service of which you MUST run their software in order to take part in the service. Another cute thing about it is that only Commodore systems can use the stuff. (QLink.... Quantum Link) --- QM v1.00 * Origin: The 286 Express (504-282-5817) (1:396/30.0) Msg#:17267 *Virus Info* 09-27-90 14:22:00 (Read 4 Times) From: RICK THOMA To: PAUL FERGUSON Subj: REPLY TO MSG# 9640 (MCRC) > I'm always interested in anything that may be of =some= value > to the computing community... Let me give you a quick rundown. The file is about a year and a half old, and claims to use some proprietary CRC mechanism. I'll zip it up as "MCRC.ZIP", and you may request it by the time this message reaches you. I would imagine the docs tell you how to get in touch with the author for an updated version. --- FD 2.00 * Origin: Village BBS, Mahopac, NY 914-621-2719 *HST* (1:272/1) Msg#:17268 *Virus Info* 09-27-90 07:59:00 (Read 4 Times) From: JAMES DICK To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 15509 (NEW RELEASES DELAYED) On Sun, 23 Sep, Patricia Hoffman wrote to All PH > intermittent hardware problems, I'm going to be also delaying the PH > release of the new version of the Virus Information Summary List until PH > October 2 or 3 as well. The additional week in there is to make sure Patti, is there any chance of the VSUM???? being formatted with page breaks at 60 lines/page and after each virus description. And page numbering and an index would help find the various descriptions. -={ Jim }=- --- QM v1.00 * Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada (1:163/118.0) Msg#:17756 *Virus Info* 10-01-90 02:24:00 (Read 4 Times) From: REINHARDT MUELLER To: TOM SMITH @ 930/1 Subj: REPLY TO MSG# 15508 (VIRUS SCANNERS....) In a message to Satyr Daze <26 Sep 90 23:15:00> Tom Smith @ 930/1 wrote: TS> The routine is this: 1) You select, from Shez's file TS> listing, the archive you want to check. 2) Shez examines the archive, TS> finds the EXE and COM files, and, automatically, selects the proper TS> archiving program to use in uncompressing them. 3) The COM and EXE TS> files are unpacked into a working directory automatically created by TS> Shez, called Z#, when it first fires up. 4) SCAN is started, with TS> the file names passed to it by Shez, which then looks into the working TS> directory and checks the specified files for viruses. 5) After TS> SCAN finishes, Shez deletes the files. 6) When Shez is exited, TS> the working directory is removed. NO!! Your system won't get infected unless you RUN of those infected .COM or .EXE files. A virus can only do its thing if it is executed. Reading it isn't enough. --- [MicrStar] via TComm XRS 3.1 * Origin: Loose as a goose, boys! Here we go! (TComm 1:343/17.1) Msg#:17757 *Virus Info* 10-02-90 22:47:00 (Read 4 Times) From: PHILLIP LAIRD To: KEN JONES Subj: REPLY TO MSG# 15496 (RE: NARROW VIEW) Same problem in this area. Strange, but there are about three strains at the Unviersity I work at. From the Businesss Computer Lab, Pakistani Brain is spread, from the Computer Science Lab, Stoned and Stoned II is spread, from the Engineering Lab, it is Jeruselum B and the Library PC Lab - ALL of the Above! Why does it happen like that? Hmmm..... I suppose this might tell us something about targeted groups if there was such a plan.... --- TAGMAIL v2.40 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49) Msg#:17759 *Virus Info* 10-02-90 14:37:00 (Read 4 Times) From: KEN JONES To: TOM PREECE Subj: REPLY TO MSG# 17757 (RE: NARROW VIEW) The p/c out at work has a very narrow range of users, its totaly menu driven and on the most part, locked up. Via software and the key [wow someone really does use it]. Of the few users that do use it, one of them attends a junior collage in the west bay. Were pretty sure he was the source of the infected file, but really know one will ever know for sure. I guess it could be possible to have a known source like you said. It seems really odd that they would come out and openly admit something like that. I guess on one hand they are trying to be the totaly honest dealer, but the on the other it looks like they are cutting there own throat on credidility --- Telegard v2.5i Standard * Origin: The Twilight Zone (415)-352-0433 (1:161/88.0) Msg#:17760 *Virus Info* 09-30-90 15:57:00 (Read 4 Times) From: MIKE MCCUNE To: ORI BERGER Subj: DETECTING STEALTH VIRUSES In a message on September 7 to Patrick Toulme you wrote... >However, the 4096 is still lurking in thousands of >computers in Israel and is causing major problems. Due to lack of widely >available detection/removal programs, when a virus hits Israel, it stays >there, especially when it is as "invisible" as the 4096. Here is a simple detection program that will detect the 4096 while it is in memory. It will not become infected by the 4096 (the 4096 thinks the file is already infected). I wrote it for the shareware A86, but it should assemble with MASM, TASM or WASM with few modifications. ADD [BX+SI],AL ADD [BX+SI],AL ADD [BX+SI],AL MOV AX,3521h INT 21h ES: CMP B[BX],0EAh JE FOUND MOV AH,9h LEA DX,NOT_FOUND_MESSAGE INT 21h INT 20h NOT_FOUND_MESSAGE: DB 'Stealth Virus not found in memory$' FOUND: MOV AH,9h LEA DX,FOUND_MESSAGE INT 21h INT 20h FOUND_MESSAGE: DB $Stealth Virus active in memory$' This program should also detect the Fish-6 and Mother Fish (Whale) viruses, since they use the same method to redirect interrupts. The next message will describe how to remove the 4096... --- Opus-CBCS 1.13 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#:17761 *Virus Info* 09-30-90 16:05:00 (Read 4 Times) From: MIKE MCCUNE To: PAUL LOEBER Subj: STONED AND JOSHI VIRUSES In a message dated September 22, you stated that several people you know were looking for removers for the Stoned and Joshi viruses. I posted removers for both of these viruses on this echo several weeks ago. If you can't find them, I will repost them. The posting were assembler source codes; if you need executable files, leave me a number where I can call you..... --- Opus-CBCS 1.13 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#:17762 *Virus Info* 09-30-90 11:10:00 (Read 4 Times) From: DUANE BROWN To: TOM SMITH @ 930/1 Subj: REPLY TO MSG# 17756 (VIRUS SCANNERS....) T9>archiving program to use in uncompressing them. 3) The COM T9>and EXE T9>files are unpacked into a working directory automatically T9>created by ... T9>I don't know if the few seconds that an infected COM or EXE T9>exists in T9>the working directory would give it time to propogate to T9>other files or Since the program while it was in the directory was not *executed*, then there isn't any danger. --- * Origin: End of the Line. Stafford, Va. (703)720-1624. (1:274/16) Msg#:17763 *Virus Info* 10-03-90 19:33:00 (Read 4 Times) From: TOM PREECE To: KEN JONES Subj: REPLY TO MSG# 17759 (RE: NARROW VIEW) They never admitted they were the source. I told them later after I had confirmed and disinfected my system that I thought they were. At that point they reported that they had disinfected all of their machines. I pointed out that they had handed me not an infected system but an infected used diskette. I guy kind of choked and promised he would look into it. --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#:17764 *Virus Info* 10-04-90 11:15:00 (Read 4 Times) From: CHARLES HANNUM To: KEN JONES Subj: REPLY TO MSG# 17763 (RE: NARROW VIEW) >> In all >> those years, I have never seen a virus. Moreover, I have never >> talked to >> anyone (on the BBSs or face to face) who ever encountered a virus. >> That says I'm inclined to echo this. In my experience, anything unusual is instantly called a "virus", even though it's usually pilot error. However, I *do* run ViruScan on everything I download. Never found a virus. Of course, that doesn't mean there *isn't* one... --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:17765 *Virus Info* 10-03-90 08:16:00 (Read 4 Times) From: JERRY MASEFIELD To: TOM PREECE Subj: REPLY TO MSG# 14136 (VIRUS - TROJANS FOR EVERYONE.) > Locally we experienced a trojan that was an exe file compiled by a > utility that converts .bat to .exe files. The file purported to be a > means to provide mnp5 performance from an ordinary modem. In fact the > compiled bat instructions destroyed the C: drive. What bothers me about > this is the simplicity with which anybody could do this. I have the > Bat2exec.zip file which performs the conversions. I have not used it > because the majority of my bat files are short fast executing things > anyway. > > Has anybody else encountered the problem and is there any sort of > generic defense that we might arrange against the generic attack files > which may follow? Are you saying that the file BAT2EXEC.ZIP is the culprit?? You didn't make yourself too clear. I've recently received a file on my BBS called BAT2EX12.ZIP, but only scanned it for viruses and CRC errors. Thanks. --- TosScan 1.00 * Origin: On A Clear Disk You Can Seek Forever! (1:260/212) Msg#:18864 *Virus Info* 10-05-90 06:42:00 (Read 4 Times) From: PETE MCDONOUGH To: ALL Subj: VIRUS IN HARDWARE? Hi! I'm new here and had a question. Is it possible for a virus to enter the computer system and remain their when the system is shut down for the night, and resurface when the IBM/clone system is turned on in the morning? Background: We have had viruses at at local college in the computer labs, in the Macintosh and clone computers. We turn the computer off for ten seconds to dump any virus in the memory. Then we turn the computer back on. One of the lab techs said it might be possible for a virus to stay in the system even if turned on and then off. --- FD 1.99c via RA 0.04a [RT] * Origin: Sirus System BBS, Citrus Heights CA (916)725-8578 (1:0/0) Msg#:19510 *Virus Info* 10-04-90 14:05:00 (Read 4 Times) From: CHARLES HANNUM To: REINHARDT MUELLER Subj: REPLY TO MSG# 17762 (RE: VIRUS SCANNERS....) > NO!! Your system won't get infected unless you RUN of those > infected .COM or .EXE files. A virus can only do its thing > if it is executed. Reading it isn't enough. WARNING: This information not applicable to the Macintosh or the NeXT. --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:19511 *Virus Info* 10-06-90 03:24:00 (Read 4 Times) From: CHARLES HANNUM To: JERRY MASEFIELD Subj: RE: VIRUS - TROJANS FOR EVERYO > Are you saying that the file BAT2EXEC.ZIP is the culprit?? You > didn't make yourself too clear. I've recently received a file on my > BBS called BAT2EX12.ZIP, but only scanned it for viruses and CRC > errors. Thanks. No way! BAT2EXEC is as clean as a fresh condom! (Well, we are talking about *viruses* aren't we? ) --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:19512 *Virus Info* 10-06-90 20:40:00 (Read 4 Times) From: PHILLIP LAIRD To: ALL Subj: ARTICLE IN BEAUMONT ENTERPRISE Quoting an Article which appeared in the Beaumont Enterprise on Saturday, October 6, 1990 from the Associated Press: ______________________________ ASSOCIATED PRESS ______________________________ NEW VIRUSES INFECT COMPUTERS DALLAS - Computer Viruses, once percieved as contagious only through shared programming or electronic"bulletin boards," have wormed thier way into brand new equipment purchased from reputable companies. In one incident earlier this year, workers at an Evaleth, Minn., company were suprised when thier computers suddenly began flashing the message: "Your system has been stoned." The virus, which didn't destroy any data, was traced back to software in brand new modems, the devices that hook computers to telephone lines. Computer Viruses have been around for several years and there seem to have been several widely publicized infections. But only recently have viruses begun to be reported in new equipment, and computer manufacturers are reluctant to discuss the situation, fearing even a hint of contamination could torpedo sales. "A year ago we had nothing like this. Now, it's almost an everyday occurrence," said John McAfee, Chairman of the Computer Virus Industry Association in Santa Clara, Calif. "Yes it has happened," said Winn Schwartau, president of American Security Industries, Inc., a Nashville, Tenn. consulting firm. "And the posiblity of it occurring on a larger scale is all too great and unfortunately it is unrecognized." In the modem case, the virus was quickly discovered and narrowly contained, said John Pope, spokesman for CompuAdd, Corp., an Austin-based computer retailer and mail-order house that sold the infected modems. -=- END -=- I don't agree that the wording that viruses were spread through "electronic Bulletin Boards" in the second line. My understanding is that a virus is a replicating code within a computer program or set of instructions, and that would mean running the code or program. However, it is highly possible that the ROM of the modem could have contained the Viral Code to send that message to the screen. It is not my belief, however that the modem ROM could actually write to the drives, just issue interrupt requests, which are then interpreted by the command$ spec within the computer system. Again, not a virus, but a simple (or complex Trojan). And since most modems operate at interrupt 14, that would be logical for me not to be frightened of such things happening. I really think that the press should be more responsible in thier articles. --- TAGMAIL v2.40 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49) Msg#:19513 *Virus Info* 10-05-90 18:55:00 (Read 4 Times) From: PHILLIP LAIRD To: PAUL LOEBER Subj: REPLY TO MSG# 17761 (RE: STONED AND JOSHI VIRUSES) Paul, I have the Clean Diskette by Mcafee. Also, several other good programs from his Board such as Vshield, Scan, Vcopy, Checkout11 and severl other programs I downloaded from his BBS. If you like, just reply to me and I will stick them all on a 1.2MB Floppy DIskette and Mail them TO Randy Goebal at his Address. He can then get them to you, or better yet, just netmail me at 19/49 and tell me where to send the diskettes. I don't know about the JOSHI, becuase I have never been confronted with it, but the Stoned and Stoned II Virus is bad at the University where I work. So, ScanV66B.ZIP works to identify and CleanP66.ZIP will remove both of them, or Use M-Disk.ZIP, which again is on my Board for Download. The Stoned Virus appears to infect the FAT Tables of the Hard Drives there and eventually, the drives have to be low-leveled and re-formatted. --- TAGMAIL v2.40 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49) Msg#:19514 *Virus Info* 10-05-90 09:30:00 (Read 4 Times) From: PAUL LOEBER To: MIKE MCCUNE Subj: REPLY TO MSG# 19513 (RE: STONED AND JOSHI VIRUSES) ** Quoting Mike Mccune to Paul Loeber ** >In a message dated September 22, you stated that several people >you know were looking for removers for the Stoned and Joshi >viruses. I posted removers for both of these viruses on this >echo several weeks ago. If you can't find them, I will repost >them. The posting were assembler source codes; if you need >executable files, leave me a number where I can call you..... ** End of Quote ** Thanks for the offer, but I don't need the cures. I was merely telling someone who stated viruses were overrated and that he had never seen any that I knew of a couple of cases where my friends and co-workers had been hit. As far as I know, the latest version of SCAN and CLEAN took care of them. --- TAGMAIL v2.30 * Origin: Downriver Download (1:120/137) Msg#:19517 *Virus Info* 10-05-90 21:38:00 (Read 5 Times) From: PATRICIA HOFFMAN To: ALL Subj: VSUM OCTOBER 1990 RELEASE The October 1990 Version of the Virus Information Summary List is now available for download and file request as VSUM9010.ZIP. It is also being sent out thru VIRUSINF and submitted to SDS. The following new viruses have been added with this release: 1605 Black Monday Blood & Blood2 Burger Casper Christmas In Japan Invader Kamikazi Nomenklatura Number One Scott's Valley Stoned II SVir (SVir A & SVir B) Westwood Whale V2P2 V2P6 V2P6Z Violator Wisconsin There were also several variants to previously listed viruses which were added. Five anti-viral products were updated in the listing: CleanUp for version V67 Dr. Solomon's Anti-Viral Toolkit to version 3.5 F-Prot for version 1.12 VirexPC for version 1.1B ViruScan for version V67 New descriptions for Virus-90 and Virus101 which were submitted by Patrick Toulme did not make it into this version, they will be in the early November 1990 release of the listing. My apologies to Patrick. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:19518 *Virus Info* 10-05-90 21:37:00 (Read 5 Times) From: PATRICIA HOFFMAN To: ALL Subj: SCANV67 RELEASED The ViruScan program line from McAfee Associates was released this evening and is available for download and file request. As usual, these programs will be sent out thru the VIRUSINF file echo and submitted to SDS this evening. Four of the five programs in this series have new versions: ViruScan V67 - SCANV67.ZIP CleanUp V67 - CLEANP67.ZIP NetScan V67 - NETSCN67.ZIP VShield V67 - VSHLD67.ZIP The VCopy program was not released as a V67, so the current version remains V66B, and is downloadable as VCOPY66B.ZIP. New viruses now detectable by Scan are: Casper, 1605, Violator, Blood2, Wisconsin, Christmas In Japan, Burger, Leprosy-B, Whale, Invader, Scott's Valley, Black Monday, and Nomenklatura/Nomenclature. Also added with this release is an extinct switch: Scan will no longer automatically check for viruses which either are research viruses or have not been reported in the public domain for over 1 year. Please see the documentation for details. CleanUp has added disinfectors for Whale, Invader, Slow, and EDV. VShield now has a new feature to check the validate codes which Scan can add to files. Again, please check the documentation. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:19519 *Virus Info* 10-06-90 09:14:00 (Read 4 Times) From: CHUCK FAIRCHILD To: PETE MCDONOUGH Subj: REPLY TO MSG# 18864 (VIRUS IN HARDWARE?) Mac viruses appear to infect everything. You must run VIREX, because these viruses infect every single disk that comes in contact with the machine, and contaminated data disks re-infect the system. --- via TComm XRS 3.1+DV (286) * Origin: FlowerChild BBS (202)364-9463 (TComm 1:109/519.18) Msg#:19520 *Virus Info* 10-06-90 17:21:00 (Read 6 Times) From: JAMES KLASSEN To: PETE MCDONOUGH Subj: REPLY TO MSG# 19519 (VIRUS IN HARDWARE?) In a message to All <05 Oct 90 6:42:00> Pete Mcdonough wrote: Pe> Is it possible for a virus to enter the computer system and remain Pe> their when the system is shut down for the night, and resurface when Pe> the IBM/clone system is turned on in the morning? Definately. In fact, very few virii stay in memory only. Nearly ALL virii write themselves to disk(usally to COM or EXE files and some in OVL files as well). After a cold reboot, the virus is USUALLY cleared from memory(I've never heard of it still being there, but.....). The can get into memory though during Bootup through various ways though so your best bet if you THINK you have a virus is to do a cold reboot from your ORIGINAL DOS disk and then use a virus checker(Scan is one of the best) on your hard drive and ALL of your floppies. Also make sure you put a w/p tab on your virus checking disk as soon as you get it so it doesn't get infected. I find that making a bootable disk and putting SCAN on it in the autoexec file and the put a w/p on it is pretty easy to do. Try not to worry TOO MUCH about getting one but do take a reasonable amount of checking. --- XRS! 3.40 * Origin: Have a nice day, or I'll kill you! (RAX 1:275/3.4) Msg#:20555 *Virus Info* 10-14-90 10:20:00 (Read 3 Times) From: PHILLIP LAIRD To: CHARLES HANNUM Subj: RE: STERILAB ** Quoting Charles Hannum to All >(Besides, by posting this I've ruined my marketing potential >anyway, since >some other enterprising soul will probably write it first.) > > >I hereby name this concept "SteriLab" and donate this title >to the public >domain, mainly to prevent anyone claiming it as their own. > >--- ZMailQ 1.12 (QuickBBS) > * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) That is a good idea, Charles. I have a program similar to that at the University I work at in Texas. The students/or other users must go through a "corridor" to get into the lab. They must turn over all disks to be scanned by the Lab Clerk. If a virus is found, the student is informedand the disk is usually cleaned first. If that works, we still recommend that they format the disk over to be sure. Then, when they stick their disk in the computers in the lab, we also perform another test which I wrote - but it is not a TSR program. The hard drive is securely protected and will not allow access to DOS or an application program until the disk passes. That way, we cut down on the chances of infection. THe main problem I have found is Computer Technicians that do NOT know about viruses or just flatly refuse to recognize the problems and do not scan their diagnostic disks. They are the worst carriers. They pick up a virus, then go diagnose someone elses system and spread it. A local area Retailer is one who refuses to recognize the problem and has spread many Jerulselum B headaches.... But you have a good idea! Wanna work on it? How about Turbo C or just Quick Basic would work... Would be glad to help you out as long as it will remain "Militantly Public Domain". --- TAGMAIL v2.41 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49) Msg#:20556 *Virus Info* 10-14-90 16:28:00 (Read 3 Times) From: ERIC JACKSCH To: ALL Subj: DOCUMENTING VIRUS HITS I'm currently involved in research on the topic of data security in companies using MS-DOS based machines. If anyone has first hand knowledge of: - a commercial site being infected by a virus, - data loses due to hard drive crash(es), - malicious damage by employees, - unauthorized access to data stored on PC's, or - other incidents involving serious data loss or security related issues, I would greatly appreciate hearing from you, preferably via netmail to 1:163/111. (High speed systems, please feel free to route via 1:163/131 14.4 HST). Thanks in advance, Eric Jacksch Sysop 1:163/111 --- FD 1.99c * Origin: Insomniacs' Guild *** Nepean, Ontario, Canada *** (1:163/111) Msg#:20557 *Virus Info* 10-12-90 22:12:00 (Read 3 Times) From: TOM PREECE To: PAUL FERGUSON Subj: RE: VIRUS - TORJANS FOR EVERYONE. Sorry I can't specifically recall the original. I was asked before this last response if a file was "safe". I couldn't know. I believed it was. What does it matter what the file was since you should take your own precautions? --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#:20558 *Virus Info* 10-13-90 22:29:00 (Read 3 Times) From: ICE WOLF To: KEN JONES Subj: REPLY TO MSG# 17764 (RE: NARROW VIEW) ** Quoting Ken Jones to Ron Lauzon ** >A scan of the drive said it had a Jerusalem B virus, 2 days >later a friend called and asked what was the best way of removing >the Jerusalem B virus. This was a different system completly >some 40 miles away. Then to top it off 2 sysops in the area >San Francisco >Fairfield >Oakland >San Leandro Add a town to your list: I just got off the phone from Lake Tahoe with an old boss of mine that runs a computer shop. He says that for the last week he's been run ragged stomping out Jerusalem B. He told me that a scanner called Scan 66 works real well against it. He also told me where I could get that scanner. I haven't called this BBS yet, so I don't know for sure, but he said that Lightning Systems at (702)588-0315 has it. WARNING!!!: That BBS is IN Lake Tahoe where the virus is still around. Do NOT download anything from there except Scan 66. Or, if you do at least scan it before running it! Marshall Gatten (Any mail to me should be to Ice Wolf) --- TAGMAIL v2.41 * Origin: Rialto BBS - Rialto California - (714) 820-3444 (1:207/204) Msg#:20559 *Virus Info* 10-13-90 22:44:00 (Read 3 Times) From: ICE WOLF To: ALL Subj: TROJAN I've been monitoring this echo for a while, and I have a question: I've dealt with viruses before (yes, they were viruses; not just programming bugs), but I have never heard the term 'Trojan' except in passing. What exactly is a Trojan and how does it differ from a virus? Or, are the two word just synonyms? Thanx! Marshall Gatten (Mail should be addessed to Ice Wolf, thanx!) --- TAGMAIL v2.41 * Origin: Rialto BBS - Rialto California - (714) 820-3444 (1:207/204) Msg#:20560 *Virus Info* 10-13-90 23:04:00 (Read 3 Times) From: ICE WOLF To: ALAN DAWSON Subj: REPLY TO MSG# 17765 (RE: VIRUS - TROJANS FOR EVERYONE.) ** Quoting Alan Dawson to Tom Preece ** >The only >defense would be to stop your computer from doing anything >at all. I once spoke with a person who ran a BBS and said he had a 'fool-proof' protection from anything (I don't know if he's trustworthy, but here's his idea): He put a physical switch on the cables to his hard drives. He would copy a suspected file into a RamDrive and then shut off his drives. He'd run the program in RAM and see what happened. That way, no writes were possible. How possible is it that this would work? It seems like you'd have to reconfigure your whole system after shutting off the drives, which would include a power-down, which would wipe out RAM??? Marshall Gatten --- TAGMAIL v2.41 * Origin: Rialto BBS - Rialto California - (714) 820-3444 (1:207/204) Msg#:20561 *Virus Info* 10-15-90 13:57:00 (Read 3 Times) From: CHARLES HANNUM To: ALL Subj: "CLEAN, UNINFECTED DISK" How many times have you heard this? "Just boot from a clean, uninfected disk and run SCAN." This is an interesting idea. It might even work. However, how can you be *sure* your original copy of DOS isn't infected? Or SCAN? Or your comm. package? Or your dearchiver? "Just because I'm paranoid doesn't mean they're not *really* out to get me!" --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:20562 *Virus Info* 10-12-90 10:41:00 (Read 3 Times) From: YASHA KIDA To: PATRICIA HOFFMAN Subj: UNIX UU-NET VIRUS ECHO Pat is there a UNIX/XENIX version of the VIRUS_INFO... if so whom can I contract or what the focal point? Reason for asking: I now have the ability to tap UU-NET and others via 9600 links. --- msged 1.99S ZTC * Origin: Bragg IDBS, (82nd - The hole in SADDAMS PLAN) (1:151/305) Msg#:20563 *Virus Info* 10-13-90 19:41:00 (Read 3 Times) From: REINHARDT MUELLER To: TOM SMITH @ 930/1 Subj: REPLY TO MSG# 19510 (VIRUS SCANNERS....) In a message to Satyr Daze <09 Oct 90 21:55:00> Tom Smith @ 930/1 wrote: TS> Makes you wonder, doesn't it? What could these people, like most TS> mentally-deficient criminals, actually do if they tried to be TS> productive?? Now _there's_ double-entendre for ya! :) A. What could these people do if they worked hard at doing something _good_. or B. You mean these virus-writers haven't even _begun_ to work hard at their dastardly deeds? Sure seems like they've started to in the past year! :-( --- [MicrStar] via TComm XRS 3.1 * Origin: Why buy shampoo when real poo is still free? (TComm 1:343/17.1) Msg#:20564 *Virus Info* 10-15-90 21:01:00 (Read 3 Times) From: PAUL FERGUSON To: TOM PREECE Subj: REPLY TO MSG# 20557 (RE: VIRUS - TORJANS FOR EVERYONE.) TP>Sorry I can't specifically recall the original. I was asked TP>before this last response if a file was "safe". I couldn't TP>know. I believed it was. What does it matter what the file TP>was since you should take your own precautions? TP>--- TBBS v2.1/NM TP> * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 TP>(1:161/208) Good point, Tom, and well taken. I =do= take my own precautions, but thought that the rest of the participants in the echo would like to follow the train of thought. Ciao. -Paul --- * Origin: Sentry Net BBS C'Ville VA (1:109/229) Msg#:20565 *Virus Info* 10-15-90 21:13:00 (Read 3 Times) From: PAUL FERGUSON To: SATYR DAZE Subj: REPLY TO MSG# 20563 (RE: VIRUS SCANNERS....) * Replying to a message originally to Tom Smith @ 930/1 SD> SD>Well with more and more sytems being produced overses in SD>build-em/Shipp-em out quick companies anything is possible. SD>But luckily not probable, while someone might infecta system SD>that way, the company would hopefully be aware of it and do SD>somthing before it got out of hand. SD> SD>While with the proliferation of Shareware and BBS's, an SD>infected program that look like it may be useful or at least SD>moderatly entertaining, you could actually infect sizable SD>portions of the community. With new infections poping up as SD>people share them. SD> SD>I myself was infected about month and half ago with the SD>Stoned virus from a BBS that had failed to check it's upload, SD>and unfortunatly the individual who uploaded it was to SD>interested in running the program versus checking it ... SD>because it came from a reputable BBS. Very Catch-22. SD>Ultimate responsibility falls on the user, because ultimatly SD>it's our Butts that get fried. SD> SD>From my understanding the people who write these programs SD>aren't Geniuses by any scope. Anyone can write a Virus SD>program, all it takes is the know-how -- somthing easiliy SD>gained in today's information Society. SD>I feel sorry for them, they feel this is the only way to SD>convey their angry and hurt feelings about society or SD>themselves. SD> SD>They are nothing short of Terrorists. SD> SD> The Satyr Daze SD>--- TBBS v2.1/NM SD> * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 SD>(1:135/2) Satyr, I believe that you are mistaken. Virtually the only way to spread STONED is through direct disk access (ie. Copying files, fformatin diskettes....). STONED is a Boot sector infector and will omly spread in that fashion. It does not attach itself to any executables but instead resides in the partition table. I agree with your sentiment wholeheartedly, but I do not think that the BBS is to blame. (Gosh, we BBSs get all the blame!). -Paul --- * Origin: Sentry Net BBS C'Ville VA (1:109/229) Msg#:20566 *Virus Info* 10-15-90 21:48:00 (Read 3 Times) From: PAUL FERGUSON To: DANIEL KALCHEV Subj: PHOENIX VARIANTS * Replying to a message originally to Vesselin Bontchev DK>In a message of Vesselin Bontchev DK>(2:359/101.2) writes: DK> VB> EID:f650 1549b6c0 DK> VB> MSGID: 2:359/101.2 2712a435 DK> VB> REPLY: 2:359/1.1 270ff27e DK> VB> In a message to Vesselin Bontchev <07 Oct 90 20:26:00> Daniel Kalchev DK> VB> wrote: DK> DK> DK> By the way, I am passing a question from Dark Avenger to you: "Do DK> DK> you discover ALL the variants of Phoenix virus?" DK> DK> VB> Why he didn't ask the questions himself? He has access even to this DK> VB> echo... Anyway, what does the question mean exactly? Currently I DK> DK>I think he even have your phone, but... :-) DK> DK> VB> If DA really wants to make my life a bit more difficult, he has to DK> VB> obtain a copy of the 1260 virus and to study it carefully; or to DK> VB> contact the author of AntiPascal/Terror/Tiny viruses and have a long DK> VB> speach with him; or go to CINTI and dig some journals on computer DK> VB> security and data encryption. His currently encryption algorithms are DK> VB> only childish games. DK> DK>Common Vesselin, don't you think you're giving him some DK>dangerous pointers? We don't need Tiny-Phoenix, IMHO! DK> DK> DK> Think, really think about it. ;-) DK> DK> VB> Well, if you have any doubts, tell him to upload any Phoenix variant DK> VB> and test my program CleanUp (that I left you for beta test) on it. DK> DK>CleanUp works, with the known viruses though. :-) DK> DK>Regards from Varna, DK>Daniel DK> DK>--- msged 2.00 DK> * Origin: Danbo's Cave (2:359/1.1) Sorry, Daniel. Some the original quote did not wrap the way I thought it would but that is beside the point. Your message and dialogue with Vess only reinforces the need for multilayered protection schemes, not relying upon only one. Salutations from Washington, DC -Paul --- * Origin: Sentry Net BBS C'Ville VA (1:109/229) Msg#:20567 *Virus Info* 10-15-90 21:53:00 (Read 3 Times) From: PAUL FERGUSON To: RICHARD ENTWISTLE Subj: RE: VALIDATE AND CLEANP66 * Replying to a message originally to Justin Keen RE> JK> What's the problem? It may be nothing but the VALIDATE.COM program I RE> JK> decompressed from the CLEANP66.ZIP package does not validate RE>correctly! RE> JK> Details are: RE> JK> RE>Well here I am again. Hope I have not startled too many RE>people with theoriginal message, but I did not expect it to RE>echo just yet. I have had time now to look further into the RE>validate.com difference and all it turns out to be is the RE>wrong file length byte number (6,945 instead of 6,485 bytes). RE>By editing the file length number and running a file compare RE>shows identical files. I have looked through myself sector RE>by sector to be absolutely sure. RE> RE>So, the problem is that the validate.com I got from the RE>cleanp66.zip pack had an error in file size number only! RE>Just how it got there, who knows - it must have slipped RE>through a file transfer error check somewhere. RE> RE>Relax for now then - but maintain the vigilance of course. RE> RE>Bye... RE> RE> RE>--- Maximus-CBCS v1.02 RE> * Origin: Hong Kong PC User Group Software Library (3:700/8) Patti Hoffman has suggested that perhaps the SCAN /AV option may have been used to add validation codes to the VALIDATE program....Well, I have not had the opportuniy to look into this as yet (very busy), but I have copies of VALIDATE that measure up to the file sizes you mentioned =and= another that is another 10 bytes larger! I will sit down, perhaps tomorrow and dig a little deeper.... 10 bytes at a time, Hmmmm..... Ciao. -Paul --- * Origin: Sentry Net BBS C'Ville VA (1:109/229) Msg#:20568 *Virus Info* 10-15-90 22:22:00 (Read 3 Times) From: PAUL FERGUSON To: ERIC JACKSCH Subj: REPLY TO MSG# 20556 (DOCUMENTING VIRUS HITS) * Replying to a message originally to all EJ>I'm currently involved in research on the topic of data EJ>security in companies using MS-DOS based machines. If anyone EJ>has first hand knowledge of: EJ> EJ>- a commercial site being infected by a virus, EJ>- data loses due to hard drive crash(es), EJ>- malicious damage by employees, EJ>- unauthorized access to data stored on PC's, or EJ>- other incidents involving serious data loss or security EJ>related issues, EJ> EJ>I would greatly appreciate hearing from you, preferably via EJ>netmail to 1:163/111. (High speed systems, please feel free EJ>to route via 1:163/131 14.4 HST). EJ> EJ>Thanks in advance, EJ>Eric Jacksch EJ>Sysop 1:163/111 EJ> EJ>--- FD 1.99c EJ> * Origin: Insomniacs' Guild *** Nepean, Ontario, Canada *** EJ>(1:163/111) Look for NetMail, Eric. Glad to help you in any way I can. Greetings from Capitol Hill -Paul --- * Origin: Sentry Net BBS C'Ville VA (1:109/229) Msg#:20569 *Virus Info* 10-15-90 22:32:00 (Read 3 Times) From: PAUL FERGUSON To: ICE WOLF Subj: UPDATED VERSIONS * Replying to a message originally to Ken Jones IW>** Quoting Ken Jones to Ron Lauzon ** IW> >A scan of the drive said it had a Jerusalem B virus, 2 days IW> >later a friend called and asked what was the best way of removing IW> >the Jerusalem B virus. This was a different system completly IW> >some 40 miles away. Then to top it off 2 sysops in the area IW> >San Francisco IW> >Fairfield IW> >Oakland IW> >San Leandro IW> IW>Add a town to your list: I just got off the phone from Lake IW>Tahoe with an old boss of mine that runs a computer shop. He IW>says that for the last week he's been run ragged stomping out IW>Jerusalem B. He told me that a scanner called Scan 66 works IW>real well against it. He also told me where I could get that IW>scanner. I haven't called this BBS yet, so I don't know for IW>sure, but he said that Lightning Systems at (702)588-0315 has IW>it. WARNING!!!: That BBS is IN Lake Tahoe where the virus is IW>still around. Do NOT download anything from there except Scan IW>66. Or, if you do at least scan it before running it! IW> IW>Marshall Gatten IW>(Any mail to me should be to Ice Wolf) IW> IW> IW>--- TAGMAIL v2.41 IW> * Origin: Rialto BBS - Rialto California - (714) 820-3444 IW>(1:207/204) Hello, "Ice".... My suggestion to you (and anyone else, actually) is to rely on the Author's board for a "clean" copy of the program. The latest version of ViruScan (SCANVxx) is version 67 B (a minor bug fix to version 67)....John McAfee and the Home base crew are very attentive to detail. The next release is tentatively scheduled for November 25th (I believe). There are some =rules= though, when it comes to scanning/disinfecting and the documentation should be read in entirety. Hope this helps. I would post the BBS # but I think that would be a =little= commercial. Ciao from DC... -Paul --- * Origin: Sentry Net BBS C'Ville VA (1:109/229) Msg#:20570 *Virus Info* 10-15-90 22:38:00 (Read 3 Times) From: PAUL FERGUSON To: ICE WOLF Subj: REPLY TO MSG# 20559 (TROJAN) * Replying to a message originally to All IW>I've been monitoring this echo for a while, and I have a IW>question: I've dealt with viruses before (yes, they were IW>viruses; not just programming bugs), but I have never heard IW>the term 'Trojan' except in passing. What exactly is a Trojan IW>and how does it differ from a virus? Or, are the two word IW>just synonyms? IW> IW>Thanx! IW>Marshall Gatten IW>(Mail should be addessed to Ice Wolf, thanx!) IW> IW> IW>--- TAGMAIL v2.41 IW> * Origin: Rialto BBS - Rialto California - (714) 820-3444 IW>(1:207/204) Remember the terrible (or perhaps it was great, I can't remember which) story of the Trojan War and the Trojan Horse...Well, that is what a Trojan Horse program produces. Something quite undesireable, like formatting all of your sectors to dust. A virus, on the other hand, can replicate, attach itself to a "host" and for whatever you can image, have any number of "triggers to become detructive. My best advise that I can give is to get ahold of a copy of Patti Hoffman's "Virus Information Summary List" which is produced monthly. This is an invaluable document for reference purposes. -Paul --- * Origin: Sentry Net BBS C'Ville VA (1:109/229) Msg#:20571 *Virus Info* 10-16-90 11:54:00 (Read 3 Times) From: CHARLES HANNUM To: RICHARD ENTWISTLE Subj: REPLY TO MSG# 20567 (RE: VALIDATE AND CLEANP66) > Well here I am again. Hope I have not startled too many people with > the original message, but I did not expect it to echo just yet. I > have had time now to look further into the validate.com difference > and all it turns out to be is the wrong file length byte number > (6,945 instead of 6,485 bytes). By editing the file length number > and running a file compare shows identical files. I have looked > through myself sector by sector to be absolutely sure. > So, the problem is that the validate.com I got from the cleanp66.zip > pack had an error in file size number only! Just how it got there, > who knows - it must have slipped through a file transfer error check > somewhere. That's probably the 10-byte validation code... --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:20572 *Virus Info* 10-16-90 13:20:00 (Read 3 Times) From: CHARLES HANNUM To: ICE WOLF Subj: REPLY TO MSG# 20570 (RE: TROJAN) > I've been monitoring this echo for a while, and I have a question: > I've dealt with viruses before (yes, they were viruses; not just > programming bugs), but I have never heard the term 'Trojan' except > in passing. What exactly is a Trojan and how does it differ from a > virus? Or, are the two word just synonyms? A "Trojan Horse" is a referral to an ancient Greek myth of a large wooden horse that was given to the city of Troy. The Troyans brought the horse into the city, to discover later that enemy soldiers were hiding inside. The soldiers proceeded to flatten the city. A "Trojan Horse" program is similar. It's a program that damages your computer in some way. Usually, a Trojan Horse does its damage once, whereas a virus may infect other programs and repeatedly destroy things. Any program could be a Trojan Horse; there's simply no sure-fire way of detecting them. A simple way to write one would be: char junk[20000] = {'\0'}; // give it a realistic file size int main(void) { system( "echo y | format c:" ); // do some damage puts( "Nyah, nyah!!" ); // brag about it } Then claim that it's a telecommunications package or something. These types of Trojans are usually detected fairly quickly, as anyone who gets a copy pretty much knows what did it. It's those hidden little time-bombs that could be lurking ANYWHERE that are the problem. --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:20573 *Virus Info* 10-14-90 23:41:00 (Read 3 Times) From: VINSON NICHOLS To: PAUL FERGUSON Subj: RE: DOES PF> * Replying to a message originally to All OS>>Quoted from message by Dark Avenger 11-Oct-1990 02:16:39 : OS>> OS>>> WP> does anyone know how to make a virus??????? OS>>> OS>>> Yes, I know. If you want to make a virus for PC first you have to OS>>> learn assembly language. If you already have done that then you OS>>> have to study the listing of some existing virus. If you don't OS>>> have such a listing, give me your post address and I will send you OS>>> one via snail mail. If you want to ask me something else, call OS>>> +xxx-xx-xxxxxx and leave me a message there. OS>> OS>>Allright, then. This conference has turned into being a place OS>>where sick people can teach each other how to make viruses OS>>and destroy innocent people's hard work. OS>> OS>>Messages like this should be deleted...! Makes me wanna throw OS>>up... OS>> OS>>>:-C Oeyvind OS>> ~~~~~~~ OS>> OS>>--- msged 1.99L TC (Norsk) OS>> * Origin: SunPoint On Johnny's (Bergen, Norway) OS>>(2:502/502.1) PF> PF> Yes, it is quite disturbing that DAV sees fit to spread his sick PF> infuence. Should not be allowed to happen. Perhaps if he saw PF> fit to refrain from such practices and =contribute= something PF> valuable instead, we could all rest a little easier. PF> PF> Greetings from Washington, DC PF> -Paul PF> --- PF> * Origin: Sentry Net BBS C'Ville VA (1:109/229) Ok. If more people understood how virus's worked then more people would not get in trouble with them. There are some real good things about virus's when it come to beening able to program one. I have writen 2 so far, and of course destroyed them. What they do is teach you more about how the config.sys and the command com works. Also how to deal with tagging into exe files, and harddrives. The above message is very upsetting to me as a novice programer computer's main reason is to share infomation, not restrict it. Now what you are telling me is that you would like to restrict what people can learn and what they can create. What are we doing going back to some sort of computer dark ages. Vinson --- via Silver Xpress V2.27 [NR] --- QM v1.00 * Origin: The F e d e r a l Post -{*}- Fayetteville, NC (1:151/301.0) Msg#:20574 *Virus Info* 10-14-90 23:45:00 (Read 3 Times) From: VINSON NICHOLS To: PAUL FERGUSON Subj: RE: DOES ANYONE KNOW HOW TO MAKE Is not funny that there a company's that profit from virus. Seems that for every new one that hits. One of the companies a few weeks later offer a fix.??? Vinson --- via Silver Xpress V2.27 [NR] --- QM v1.00 * Origin: The F e d e r a l Post -{*}- Fayetteville, NC (1:151/301.0) Msg#:20575 *Virus Info* 10-16-90 18:44:00 (Read 3 Times) From: PAUL FERGUSON To: CHARLES HANNUM Subj: REPLY TO MSG# 20561 ("CLEAN, UNINFECTED DISK") * Replying to a message originally to All CH>How many times have you heard this? CH> CH>"Just boot from a clean, uninfected disk and run SCAN." CH> CH>This is an interesting idea. It might even work. However, CH>how can you be CH>*sure* your original copy of DOS isn't infected? Or SCAN? CH>Or your comm. CH>package? Or your dearchiver? CH> CH> CH>"Just because I'm paranoid doesn't mean they're not *really* CH>out to get me!" CH> CH>--- ZMailQ 1.12 (QuickBBS) CH> * Origin: The Allied Group BBS *HST* Buffett's Buddy CH>(1:268/108.0) Hello, Charles.... If you take the precautionary measures that use multi-layered defenses, then you will catch it eventually. It also doesn't hurt to download the Virus Detection utility from the authors board. Later.... -Paul --- * Origin: Sentry Net BBS C'Ville VA (1:109/229) Msg#:20576 *Virus Info* 10-16-90 20:55:00 (Read 4 Times) From: DUANE BROWN To: CHARLES HANNUM Subj: REPLY TO MSG# 20555 (STERILAB) CH>All disks must be "checked-in." This process involves CH>scanning the disk for CH>known viruses (even, and especially, in archive files), and CH>then coding the CH>boot sector and FAT in such a way that the disk would be CH>unusable in a normal CH>DOS environment. Would you want to be responsible for the wrath of someone who lost their WHOLE FAT TABLE with their term paper if something went wrong with this encoding/decoding process???????? Even norton's wouldn't work if the fat, etc was scrambled in such a process... Think about it... it may be secure, but a computer lab is no Top Secret data processing laboratory... Why not encrypt the whole disk while you're at it??? --- ZMailQ 1.12 (QuickBBS) * Origin: End of the Line. (703)720-1624 in Stafford, Va. (1:274/16.0) Msg#:22164 *Virus Info* 10-19-90 23:10:00 (Read 3 Times) From: TOM SMITH @ 930/1 To: SCOTT HOWELL Subj: RE: QUESTION Scott, you'd have to go into more detail on your "scramble"d FAT before it'd become obvious that a virus had hit it; I'd bet that it's the disk "optimizer" you mentioned. You didn't say which one it was, but several of them, particularly older ones, can be quite nasty if something unusual happens during the optimization run; they can even be nasty if something unusual DOESN'T happen!. Were you running a disk enhancement utility such as SpeedStor or Disk Manager? These, or other TSRs like disk caches, especially ones with delayed writes, can add still more problems. As for possible fixes, I'd suggest that you try one of the "fixit" programs in Norton Utilities 5.0, PC Tools Deluxe 6.0, or Mace Utilities 1990. The "Emergency Room" utility in the latter gets particularly high marks; I've found it to fix disks that the others wouldn't even admit existed! If these won't help, you can contact one of the commercial data recovery firms, but they can be exxpppeeeennnnnssssssiiiiiiivvvvvvvveeeeeeeee.......... One final piece of advice: Before you try to optimize again, 1) BACK UP!; 2) Copy to save files CONFIG.SYS and AUTOEXEC.BAT; 3) Delete them and reboot to remove any TSRs (note: If you're running a Disk Manager-type of disk enhancer, you can't remove it. In that case, make sure that the optimizer you're using specifically states that it'll work with the particular disk enhancer you're using.) and run the optimizer on a "clean" system. Hope some of this helps... Tom Smith/Dallas... --- QM v1.00 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0) * Origin: Network Gateway to RBBS-NET (RBBS-PC 1:10/8) Msg#:22412 *Virus Info* 10-15-90 20:23:00 (Read 3 Times) From: TOM PREECE To: ALAN DAWSON Subj: REPLY TO MSG# 20560 (RE: VIRUS - TROJANS FOR EVERYONE.) Well I guess its time for me to uncover. I am not a programmer and can't pretend to be. It does however seem to me that the compiliation of dangerous instructions to dos by whatever method should have a similar structure in direct processor instructions. I guess I was hoping some really clever programmer out there would be able to build a detect for the simple kinds of dos destruco instructions and create some generic form of a scan file to prevent this kind of crud. Meanwhile I'll back up often. --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#:22413 *Virus Info* 10-15-90 20:32:00 (Read 3 Times) From: TOM PREECE To: DUANE BROWN Subj: REPLY TO MSG# 19512 (RE: ARTICLE IN BEAUMONT ENTERPRISE) I don't know if I was in this before, but I believe I have reported being infected by software supplied by a dealer. Always be suspicious. --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#:22414 *Virus Info* 10-16-90 20:40:00 (Read 3 Times) From: TOM PREECE To: ICE WOLF Subj: REPLY TO MSG# 20572 (RE: TROJAN) Do I speak for all? I don't know. A trojan is a file with data or media destroying instructions that does not neccessarily replicate and spread like a virus. Many or most viruses are trojans. Not all trojans are viruses. --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#:22415 *Virus Info* 10-17-90 01:00:00 (Read 2 Times) From: DARIN ARRICK To: PAUL FERGUSON Subj: DOES ANYONE KNOW HOW TO MAKE VIRUS * Replying to a message originally to Janne Ristavaara > * Replying to a message originally to Wilson Phillips > JR>Sure someone will know, but what is it worth of ?!? > JR>Do you want to get your name or alias known or what ?!? > JR>I think (and I'm sure many others do the same) that making a > JR>virus is really discusting. Why don't use your gifts to more > JR>useful purpose, like some utilities or another useful > JR>programs ? > JR>Or if you just have to make a virus, please make an friendly > JR>one;-) > JR> > JR>-JR- > JR> > JR>--- > JR> * Origin: The Eternal Flame BBS +358-55-53340 / V.32 ECM > JR>(2:515/841.3) > > Surely you do not belong to the school of thinking that > =actually= beleives that there can be a "friendly" virus? Any > replicating and infectious program is undesireable. There > have been numerous attempts to implement "good" vviruse (Den > Zuk, et al.) but it ran amok. I think that more harm than > good would ever come of this train of thought. > > Greetings from Washington, DC > -Paul > --- > * Origin: Sentry Net BBS C'Ville VA (1:109/229) Paul, I have been following this echo for a few days and am amazed at the hatred spread toward viruses. They are programs, just like Lotus 123 or dBase IV. There are good reasons for "friendly" viruses, such as automatic error detection and correction for unattended systems. System crash cleaners, I guess you could call them. I welcome replies, but no screaming. Just intelligent conversation. :-) Darin --- * Origin: GENESYS I BBS (817)-284-1520 (1:130/59) Msg#:22416 *Virus Info* 10-17-90 01:10:00 (Read 3 Times) From: DARIN ARRICK To: ICE WOLF Subj: REPLY TO MSG# 22412 (RE: VIRUS - TROJANS FOR EVERYONE.) * Replying to a message originally to Alan Dawson > ** Quoting Alan Dawson to Tom Preece ** > >The only > >defense would be to stop your computer from doing anything > >at all. > > I once spoke with a person who ran a BBS and said he had a > 'fool-proof' protection from anything (I don't know if he's > trustworthy, but here's his idea): He put a physical switch > on the cables to his hard drives. He would copy a suspected > file into a RamDrive and then shut off his drives. He'd run > the program in RAM and see what happened. That way, no writes > were possible. > > How possible is it that this would work? It seems like you'd > have to reconfigure your whole system after shutting off the > drives, which would include a power-down, which would wipe > out RAM??? > > Marshall Gatten It is possible and is a commercial product. Arrick/Microsync in Ft.Worth, Texas, has a product called "WriteGuard" which does just that. Let's you flip a switch anytime and make the hard drive write protected. It also intercepts any writes to the hard disk and informs you with a buzzer, so you know when something tries to write to the drive. Call (817)540-0938. Tell them I sent you. (They are friends of mine.My brother used to own it, but sold it and they kept the name, so I'm not affiliated with them except by friendship.) Later, Darin Arrick, KB5KHR --- * Origin: GENESYS I BBS (817)-284-1520 (1:130/59) Msg#:22417 *Virus Info* 10-17-90 21:09:00 (Read 3 Times) From: ERIC JACKSCH To: PAUL FERGUSON Subj: REPLY TO MSG# 20568 (DOCUMENTING VIRUS HITS) > Look for NetMail, Eric. Glad to help you in any way I can. > > Greetings from Capitol Hill > -Paul Thanks, I really appreciate it. Besides some documentation in magazines, there is very little information in Canada on the topic...I hope to contact people here who are in areas which have serious problems, and also want to look at the economic impacts of viruses, hard drive crashes, and other computer data security related issues....the larger the area over which I collect info, the better. Thanks, Eric. --- FD 1.99c * Origin: Insomniacs' Guild *** Nepean, Ontario, Canada *** (1:163/111) Msg#:22418 *Virus Info* 10-16-90 23:58:00 (Read 3 Times) From: MIKE MCCUNE To: PAUL FERGUSON Subj: REPLY TO MSG# 20564 (RE: VIRUS - TORJANS FOR EVERYONE.) I have the commercial version of the program complete with all the overlays and help files. It is my main communication software. I used to use Procomm but MTE has almost identical command and does more (not to mention it has built-in error correction). I'll call you BBS later to check out your version of the program.... --- KramMail v3.15 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#:22419 *Virus Info* 10-17-90 09:09:00 (Read 3 Times) From: PHILLIP LAIRD To: RICHARD ENTWISTLE Subj: REPLY TO MSG# 20571 (RE: VALIDATE AND CLEANP66) ** Quoting Paul Ferguson to Richard Entwistle > * Replying to a message originally to Justin Keen >RE> JK> What's the problem? It may be nothing but the VALIDATE.COM >program I >RE> JK> decompressed from the CLEANP66.ZIP package does not >validate >RE>correctly! >RE> JK> Details are: >RE> JK> Where did you download it from? Can you tell me that? It would not suprise me that some one would try to infect John's programs, even though it may be a bad move to do so, after John has put a lot of work into them for our protection. If someone uploads SCAN/CLEANUP or any other Program used to eradicate viruses here, it is deleted - I personally download them directly from McAfees' BBS to cut the chances of infection and some new viurs attached to the program. I have noticed though, that the CRC Doesn't always match the original file. Sometimes erro in zip causes it, sometimes I don't know what causes it. Hope this helps. From South East Texas, U.S.A --- TAGMAIL v2.41 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49) Msg#:22420 *Virus Info* 10-17-90 18:41:00 (Read 3 Times) From: PAUL FERGUSON To: VINSON NICHOLS Subj: REPLY TO MSG# 20573 (RE: DOES) Quoting your message to me: VN> What we are doing is going back to some computer dark ages. Well, Vinson, I must take an opposing view concerning programming. Any code than can secretly attach itself to any of my clients executables (or whatever, you should know what I mean) is quite undesireable, especially if it slows processing speed or is destructive in any fashion. That is the equivalent of Invasion of Privacy. I commend you for "destroying" whatever it is/was that you compiled, but the hazards are a little too great from my standpoint. There is are a myriad of viruses popping up every month that keep every extremely busy enough as it is. Greetings from DC -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22421 *Virus Info* 10-17-90 18:51:00 (Read 3 Times) From: PAUL FERGUSON To: VINSON NICHOLS Subj: REPLY TO MSG# 20574 (RE: DOES ANYONE KNOW HOW TO MAKE) VN>Is not funny that there a company's that profit from virus. VN>Seems that VN>for every new one that hits. One of the companies a few weeks VN>later offer VN>a fix.??? Vinson VN> VN> VN>--- via Silver Xpress V2.27 [NR] VN> VN> VN>--- QM v1.00 VN> * Origin: The F e d e r a l Post -{*}- Fayetteville, NC VN>(1:151/301.0) I have no intention of going around with you on this, Vinson, but you are obviously running with blinders on....It is narrow minded viepoints such as yours that plague the effort that research, hard work and eradication/education efforts are trying to instill in the computing public. BTW, wouldn't a working knowledge of DEBUG or similar address manipulating facility suffice to help you with the inner workings of COMMAND.COM, etc.? There are many more aspects to dealing with viruses than knowledge of these files, but I do see your point, I guess. Shame, though, that you must rely on such odd circumstances to enhance your programming skills. -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22422 *Virus Info* 10-17-90 18:57:00 (Read 3 Times) From: PAUL FERGUSON To: STEPHEN BROMWICH Subj: VIRUS SUMMARY VERSION ??? * Replying to a message originally to All SB> Since no-one seems to know what the virus I have (if it is SB>a virus) coud anyone te me which is the atest version of SB>vsum? Thanks. SB> SB>Steve SB>--- XRS 3.30 SB> * Origin: STRANGE BREW! - yer mother wouldn't like it! (RAX SB>2:25/101.8) Hello, Steven.... The last release of VSUM is 15 October 1990. In it's original form it is called VSUM9010.ZIP. Hopes this helps. -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22423 *Virus Info* 10-11-90 11:58:00 (Read 3 Times) From: SCOTT HOWELL To: ALL Subj: REPLY TO MSG# 22164 (QUESTION) to: all I have two questions. First can a virus scramble the file alication table, but not to the point where it can't be repaired and where can I get a list of the most recent viruses? I ask because I am pretty sure I wasn't hit because Scan couldn't find anything, but for some reason a large majority of the files on drives c through h were cross linked and the table was pretty screwed. Hmmm well I think it has something to do with the optimizer I was running, but who can tell. Please help!!! thanks Scott Howell PS. I would like to take this list to the other folks at the AIS meeting here at NASA Headquarters and the meeting is on Oct. 17 so if anyone can get back to me before then I would appreciate it. --- SLMAIL v1.36M (#0264) * Origin: Foundation BBS * College Park, MD Society's connection * (109:109/5 Msg#:22424 *Virus Info* 10-17-90 06:36:00 (Read 4 Times) From: PATRICIA HOFFMAN To: SATYR DAZE Subj: REPLY TO MSG# 20565 (RE: VIRUS SCANNERS....) SD> I myself was infected about month and half ago with the Stoned virus SD> from a BBS that had failed to check it's upload, and unfortunatly the SD> individual who uploaded it was to interested in running the program SD> versus checking it ... Satyr, the Stoned virus is a boot sector and partition table virus, it does not infect executable program files such as .COM and .EXE files. You cannot get it from a download from a BBS unless the download happens to be a complete, compressed file containing an image of a floppy disk. If you got a virus from a normal file that you downloaded, it wasn't the Stoned virus. It may have been a file infector that also carries a boot sector infector, such as the Invader virus which was only isolated within the last month. How did you determine it was Stoned? Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:22425 *Virus Info* 10-17-90 06:50:00 (Read 4 Times) From: PATRICIA HOFFMAN To: ALL Subj: CROSS-LINKED ECHOS All sysops who recently added this echo (VIRUS_INFO) or the VIRUS echo should check their systems to make sure that they have not accidently cross-linked these two echos. Several of the messages which have been received on my system in the last two days appear to belong in VIRUS since the messages being quoted from came from the VIRUS echo. Please verify your echomail setups if you just recently added either echo to your system, these two echos are not the same echo! Thanks... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:22426 *Virus Info* 10-17-90 02:31:00 (Read 3 Times) From: TOM SMITH @ 930/1 To: SATYR DAZE Subj: REPLY TO MSG# 22424 (RE: VIRUS SCANNERS....) SD> From my understanding the people who write these programs aren't Geniu SD> any scope. Anyone can write a Virus program, all it takes is the know SD> somthing easiliy gained in today's information Society. SD> I feel sorry for them, they feel this is the only way to convey their SD> and hurt feelings about society or themselves. SD> They are nothing short of Terrorists. Hear, hear... Tom Smith/Dallas... --- QM v1.00 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0) * Origin: Network Gateway to RBBS-NET (RBBS-PC 1:10/8) Msg#:22427 *Virus Info* 10-17-90 02:36:00 (Read 3 Times) From: TOM SMITH @ 930/1 To: ERIC JACKSCH Subj: REPLY TO MSG# 22417 (RE: DOCUMENTING VIRUS HITS) Eric, I don't have access to NetMail, but please feel free to call me at my work number - (214) 401-7839 - between about 9:30 AM and 5:30 PM CST if you'd like to chat; I've run into each of the security issues you listed at one time or another... Tom Smith/Dallas... --- QM v1.00 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0) * Origin: Network Gateway to RBBS-NET (RBBS-PC 1:10/8) Msg#:22428 *Virus Info* 10-17-90 17:05:00 (Read 3 Times) From: KEN DORSHIMER To: TOM PREECE Subj: REPLY TO MSG# 22416 (RE: VIRUS - TROJANS FOR EVERYONE.) ...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Tom Preece was saying: TP> Well I guess its time for me to uncover. I am not a programmer and TP> can't pretend to be. It does however seem to me that the compiliation TP> of dangerous TP> TP> instructions to dos by whatever method should have a similar TP> structure in direct processor instructions. I guess I was hoping some TP> really clever programmer out there would be able to build a detect for TP> the simple kinds of dos destruco instructions and create some generic TP> form of a scan file to prevent this kind of crud. Meanwhile I'll back TP> up often. there is one, sort of. it's called CHK4BOMB. it comes with the FLUSHOT package. what it does is look for calls to direct disk writes and warns you that the program you're examining uses them. mostly it just looks for calls to INT 13 instructions. not perfect, but worth checking out. ...space is merely a device to keep everything from being in the same spot... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#:22429 *Virus Info* 10-17-90 18:00:00 (Read 3 Times) From: RON LAUZON To: ICE WOLF Subj: REPLY TO MSG# 22414 (TROJAN) IW> I've been monitoring this echo for a while, and I have a question: IW> I've dealt with viruses before (yes, they were viruses; not just IW> programming bugs), but I have never heard the term 'Trojan' except in IW> passing. What exactly is a Trojan and how does it differ from a virus? IW> Or, are the two word just synonyms? No, they are not synonyms but they are similar. The term "trojan" comes from the story of Helen of Troy and the Trojan Horse. To refresh your memory: Troy was a very well fortified city. So the enemy's of Troy built a horse, hid inside it and parked it in front of the gates of Troy. The Trojans thought it was a gift from the gods and brought it in. Once inside, the guys inside the horse jumped out and battled inside of Troy (I don't remember who won, though). But in any case, a Trojan is a program that says it will do something useful but does something damaging instead. It differs from a virus in that it doesn't infect any other program. But like a virus, it may choose to damage your disk now or some time in the future. ... !lanimret siht edisni deppart ma I !pleH --- via The Blue Wave v1.05 [NR] * Origin: Flight of the Raven -=* Home of the Blue Wave *=- (1:2200/107.0) Msg#:22430 *Virus Info* 10-18-90 09:29:00 (Read 3 Times) From: PATRICK MURPHY To: SCOTT HOWELL Subj: REPLY TO MSG# 22423 (QUESTION) SH> I have two questions. First can a virus scramble the file SH> alication table, but not to the point where it can't be repaired and SH> where can I get a list of the most recent viruses? I ask because I am My brother's computer got infected by the Stoned virus, and although the FAT was very screwed up, after running CLEAN the Norton Disk Doctor did a fairly good job (as dangerous as NDD can be...) SH> cross linked and the table was pretty screwed. Hmmm well I think it has SH> something to do with the optimizer I was running, but who can tell. SH> Please help!!! thanks SH> SH> Scott Howell Hmmm...maybe your FAT problem is not due to a virus...did you run the latest version of SCAN??? (v67C I think)... If you do any optimizing under a multitasking system (e.g. Desqview), you may quite easily scramble your FAT... ttyl......Pat --- msged 1.99S ZTC * Origin: SmurfBBS - (613)565-1607 Origin Unknown... (1:163/106.999) Msg#:22431 *Virus Info* 10-19-90 17:02:00 (Read 3 Times) From: SUNMAP SYSOP To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 22425 (RE: CROSS-LINKED ECHOS) ->All sysops who recently added this echo (VIRUS_INFO) or the VIRUS ->echo should check their systems to make sure that they have not ->accidently cross-linked these two echos. Several of the messages ->which have been received on my system in the last two days appear ->to belong in VIRUS since the messages being quoted from came from ->the VIRUS echo. Please verify your echomail setups if you just ->recently added either echo to your system, these two echos are not ->the same echo! Patricia, We pick both conferences up direct from the US and noticed the same thing so my guess is that it is before it gets to 1;124/4115 on our feed line. ->Thanks... You're welcome! BW --- via Silver Xpress V2.27 [NR] * Origin: Sunmap Multline BBS - Brisbane - Australia (3:640/206) Msg#:22432 *Virus Info* 10-18-90 20:49:00 (Read 3 Times) From: PAUL FERGUSON To: DARIN ARRICK Subj: REPLY TO MSG# 22415 (DOES ANYONE KNOW HOW TO MAKE VIRUS) DA> * Replying to a message originally to Janne Ristavaara DA> > * Replying to a message originally to Wilson Phillips DA> > JR>Sure someone will know, but what is it worth of ?!? DA> > JR>Do you want to get your name or alias known or what ?!? DA> > JR>I think (and I'm sure many others do the same) that making a DA> > JR>virus is really discusting. Why don't use your gifts to more DA> > JR>useful purpose, like some utilities or another useful DA> > JR>programs ? DA> > JR>Or if you just have to make a virus, please make an friendly DA> > JR>one;-) DA> > JR> DA> > JR>-JR- DA> > JR> DA> > JR>--- DA> > JR> * Origin: The Eternal Flame BBS +358-55-53340 / V.32 ECM DA> > JR>(2:515/841.3) DA> > DA> > Surely you do not belong to the school of thinking that DA> > =actually= beleives that there can be a "friendly" virus? Any DA> > replicating and infectious program is undesireable. There DA> > have been numerous attempts to implement "good" vviruse (Den DA> > Zuk, et al.) but it ran amok. I think that more harm than DA> > good would ever come of this train of thought. DA> > DA> > Greetings from Washington, DC DA> > -Paul DA> > --- DA> > * Origin: Sentry Net BBS C'Ville VA (1:109/229) DA> DA>Paul, I have been following this echo for a few days and am DA>amazed at the hatred spread toward viruses. They are DA>programs, just like Lotus 123 or dBase IV. There are good DA>reasons for "friendly" viruses, such as automatic error DA>detection and correction for unattended systems. System crash DA>cleaners, I guess you could call them. I welcome replies, but DA>no screaming. Just intelligent conversation. :-) DA> DA>Darin DA>--- DA> * Origin: GENESYS I BBS (817)-284-1520 (1:130/59) Hello, again, Darin.... I apologize if it seemed liked "screaming"...actually quite the opposite. You are obviously looking at this situation from an esoteric standpoint. I see the damage a virus can do (gone unchecked and allowed to run it's course) on a regular basis. Some of my unsuspecting users go for months sometimes thinking that their recurring problems (whatever they may be, in this instance) are actually hardware problems. Technicians that must break routine and travel to correct such viral surfacings are bogged down enough. We handle all the hardware and software support for a very large government agency here in DC, all their sites locally =and= around the world. It gets to be a =very= large problem at times. I cannot at times allow myself to become esoteric. Perhaps you see my point. Greetings (again) from Washington, DC -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22433 *Virus Info* 10-18-90 20:51:00 (Read 3 Times) From: PAUL FERGUSON To: ERIC JACKSCH Subj: REPLY TO MSG# 22427 (DOCUMENTING VIRUS HITS) EJ> > Look for NetMail, Eric. Glad to help you in any way I can. EJ> > EJ> > Greetings from Capitol Hill EJ> > -Paul EJ> EJ>Thanks, I really appreciate it. Besides some documentation EJ>in magazines, there is very little information in Canada on EJ>the topic...I hope to contact people here who are in areas EJ>which have serious problems, and also want to look at the EJ>economic impacts of viruses, hard drive crashes, and other EJ>computer data security related issues....the larger the area EJ>over which I collect info, the better. EJ>Thanks, EJ>Eric. EJ> EJ>--- FD 1.99c EJ> * Origin: Insomniacs' Guild *** Nepean, Ontario, Canada *** EJ>(1:163/111) Oh...BTW, you can reach me NetMail, also, via the Origin Line. Steady. -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22434 *Virus Info* 10-18-90 20:53:00 (Read 3 Times) From: PAUL FERGUSON To: MIKE MCCUNE Subj: REPLY TO MSG# 22418 (RE: VIRUS - TORJANS FOR EVERYONE.) MM>I have the commercial version of the program complete with MM>all MM>the overlays and help files. It is my main communication MM>software. I used to use Procomm but MTE has almost identical MM>command and does more (not to mention it has built-in error MM>correction). I'll call you BBS later to check out your MM>version MM>of the program.... MM> MM> MM>--- KramMail v3.15 MM> * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA MM>(1:133/311.0) Ok, Mike. But I ditched MagicSoft in favor of Telix. Took my a while but....hey, I'm a little stubborn sometimes. '-) -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22435 *Virus Info* 10-18-90 21:07:00 (Read 3 Times) From: PAUL FERGUSON To: DANIEL KALCHEV Subj: STEALTH VIRUSES * Replying to a message originally to Vesselin Bontchev DK>In a message of Vesselin Bontchev DK>(2:359/101.2) writes: DK> DK> VB> (1) Does not cause visible increasing of file sizes. This is DK> DK>Better say "does not SHOW the increased file size"! DK> DK> VB> BTW, the term "stealth" was got from the F-19 plane that is DK>"invisible" DK> VB> for the radars. DK> DK>But not for all!!! Remember the old russian radars, using DK>looong wave, that were still able to detect it? Same with DK>"stealth" viruses - some programs (techniques) can't detect DK>them, some can. DK> DK> VB> (2) Any program that reads the file in order to inspect it (say, DK> VB> to compute a checksum or to see if it is infected) is unable the DK>"see" DK> VB> the infection if the virus is present in memory. Usually (but not DK> VB> always) the virus achievs this by disinfecting the file on-the-fly on DK> VB> a file open operation and reinfecting it again when it is closed. DK> DK>What about using the (good old) method of reading files as DK>suggested in the "DOS Technical Reference"? Finding cluster DK>number from the FAT, doing read dn then looking for the next DK>cluster if any... DK> DK>Regards from Varna, DK>Daniel DK> DK>--- msged 2.00 DK> * Origin: Danbo's Cave (2:359/1.1) Your point reinforces all arguments for multi-layered protection schemes, no? '-) -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22436 *Virus Info* 10-18-90 21:12:00 (Read 3 Times) From: PAUL FERGUSON To: MIKAEL LARSSON Subj: NORTON'S ANTIVIRUS * Replying to a message originally to Herb Brown ML> * Replying to a message originally to all ML> ML> > Has anybody heard anything about Norton's antivirus programs ML> > yet? ML> ML>Nah, I Think it will be released soon. But i heard some ML>rumour that it couldn't find some VERY COMMON viruses.. ML>Ehum..... ML> ML>MiL ML> ML>--- ML> * Origin: -= Virus Help Centre HQ +46-26-275710 =- ML>(2:205/204) I started hearing all the hubbub about Norton's AntiViral package a couple of days ago....Will let "The Fingers Do the Walking", if you know what I mean. I am anxious to see what =this= group thinks about it after evaluation....I know most of you are teeming to "play". I'm looking forward to obtaining my copy as well...We shall see how effective it =really= is. '-) --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22437 *Virus Info* 10-18-90 21:23:00 (Read 3 Times) From: PAUL FERGUSON To: SCOTT HOWELL Subj: REPLY TO MSG# 22430 (QUESTION) * Replying to a message originally to All SH>to: all SH. M!J W ҮWVWk $T-H, )WKW.,X[e the SH>file alication table, but not to the point where it can't be SH>repaired and where can I get a list of the most recent SH>viruses? I ask because I am pretty sure I wasn't hit because SH>Scan couldn't find anything, but for some reason a large SH>majority of the files on drives c through h were cross linked SH>and the table was pretty screwed. Hmmm well I think it has SH>something to do with the optimizer I was running, but who can SH>tell. Please help!!! thanks SH> SH> Scott Howell SH> SH>PS. I would like to take this list to the other folks at the SH>AIS meeting here at NASA Headquarters and the meeting is on SH>Oct. 17 so if anyone can get back to me before then I would SH>appreciate it. SH> SH>--- SLMAIL v1.36M (#0264) SH> * Origin: Foundation BBS * College Park, MD Society's SH>connection * (109:109/521) I would go ahead and post the number of my own BBS, but it would not be quite desireable to have some uninvited "guests" dropping in. You'll be hearing from me soon via regular mail at Foundation. Patti Hoffman's "Virus Summary Information List" is the un-rivaled descriptive document available. It can be downloaded on any reputable board (the latest version VSUM1090.ZIP, that os) in the DC Metro Area. Hope this helps. BTW...Remember that Snail Mail takes a couple of days! -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22438 *Virus Info* 10-18-90 21:31:00 (Read 3 Times) From: PAUL FERGUSON To: KEN DORSHIMER Subj: REPLY TO MSG# 22428 (RE: VIRUS - TROJANS FOR EVERYONE.) * Replying to a message originally to Tom Preece KD> ...at a time when Western civilization was declining KD> too rapidly for comfort, yet too slowly to be very KD> exciting Tom Preece was saying: KD> KD> TP> Well I guess its time for me to uncover. I am not a programmer and KD> TP> can't pretend to be. It does however seem to me that the compiliation KD> TP> of dangerous KD> TP> KD> TP> instructions to dos by whatever method should have a similar KD> TP> structure in direct processor instructions. I guess I was hoping some KD> TP> really clever programmer out there would be able to build a detect for KD> TP> the simple kinds of dos destruco instructions and create some generic KD> TP> form of a scan file to prevent this kind of crud. Meanwhile I'll back KD> TP> up often. KD> KD>there is one, sort of. it's called CHK4BOMB. it comes with KD>the FLUSHOT KD>package. what it does is look for calls to direct disk writes KD>and warns you KD>that the program you're examining uses them. mostly it just KD>looks for calls KD>to INT 13 instructions. not perfect, but worth checking out. KD> KD> ...space is merely a device to keep everything from being KD> in the same spot... KD> KD> KD>--- ME2 KD> * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Well, it didn't wrap correctly, but what the hey.... There is a newer, enhanced offshoot of CHK4BMB called TRAPDISK. Based on the aforementioned, it seems to work rather well...I have tested it in a couple of instances in "triggered" type viruses without mishap (although I would =never= rely on it =completely). It is a decent program and worth a look. -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22439 *Virus Info* 10-18-90 21:39:00 (Read 3 Times) From: PAUL FERGUSON To: JAN TERPSTRA Subj: TBSCAN TESTING Hello, again, Jan Can you please elaborate on the "New" viruses that you mentioned referencing in your testing of the product? Please don't keep us enquiring types hanging. Thanks, -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:22440 *Virus Info* 10-17-90 06:53:00 (Read 3 Times) From: YASHA KIDA To: PAUL FERGUSON Subj: REPLY TO MSG# 22426 (RE: VIRUS SCANNERS....) In a message of <15 Oct 90 21:13:00>, Paul Ferguson (1:109/229) writes: PF> SD>I myself was infected about month and half ago with the PF> SD>Stoned virus from a BBS that had failed to check it's upload, PF> I believe that you are mistaken. Virtually the only way to spread PF> STONED is through direct disk access (ie. Copying files, fformatin PF> diskettes....). STONED is a Boot sector infector and will omly spread PF> in that fashion. It does not attach itself to any executables but PF> instead resides in the partition table. I agree with your sentiment PF> wholeheartedly, but I do not think that the BBS is to blame. (Gosh, we PF> BBSs get all the blame!). There are several programs which send the ENTIRE CONTENTS including the boot sector ....TELADISK.* is one for starters Yasha Kida sysop --- msged 1.99S ZTC * Origin: Bragg IDBS, (82nd - The hole in SADDAMS PLAN) (1:151/305) Msg#:22441 *Virus Info* 10-17-90 08:40:00 (Read 2 Times) From: YASHA KIDA To: PATRICIA HOFFMAN Subj: TECH QUESTION PAT is there a VIRUS SCANNING programs which can scan for viruses on SELF-BOOTING DISKETTES (COPY PROTECTED ie.. STICKLY-BEAR) I purchased some of these type of programs (USED) and would like to be sure... McAfees SCANV reports GENERAL FAILURE READ DRIVE A: A)bort R)etry F)ail won't even check the BOOT SECTOR Yasha --- msged 1.99S ZTC * Origin: Bragg IDBS, (82nd - The hole in SADDAMS PLAN) (1:151/305) Msg#:22442 *Virus Info* 10-19-90 12:19:00 (Read 3 Times) From: CHARLES HANNUM To: PAUL FERGUSON Subj: REPLY TO MSG# 22440 (RE: VIRUS SCANNERS....) > I believe that you are mistaken. Virtually the only way to spread > STONED is through direct disk access (ie. Copying files, fformatin > diskettes....). STONED is a Boot sector infector and will omly > spread in that fashion. It does not attach itself to any executables > but instead resides in the partition table. I agree with your > sentiment wholeheartedly, but I do not think that the BBS is to > blame. (Gosh, we BBSs get all the blame!). Of course, that's not to say that some inventive person didn't package Stoned in an executable... "Just because I'm paranoid doesn't mean they're not *really* out to get me!" --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:22443 *Virus Info* 10-19-90 12:20:00 (Read 3 Times) From: CHARLES HANNUM To: DUANE BROWN Subj: REPLY TO MSG# 20576 (RE: STERILAB) > Would you want to be responsible for the wrath of someone who lost > their WHOLE FAT TABLE with their term paper if something went wrong > with this encoding/decoding process???????? Even norton's wouldn't > work if the fat, etc was scrambled in such a process... It doesn't have to really screw anything up; you *could* just change the media descriptor and the corresponding info in the boot sector. Then it would be fairly straightforward to resurrect a disk. It would also be less secure. > Think about it... it may be secure, but a computer lab is no Top > Secret data processing laboratory... It should, however, be as sterile as possible. > Why not encrypt the whole disk while you're at it??? Sure. Why not? "Just because I'm paranoid doesn't mean they're not *really* out to get me!" --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:22444 *Virus Info* 10-18-90 02:28:00 (Read 3 Times) From: ANDY CAMPBELL To: ALL Subj: WIERD PROBLEM I am having a strange problem with a Telex 286 AT computer's floppy. I have tried replacing the floppy drive, the controller, the cable, etc. We have other Telex machines that work fine. But now I am suspicious... Does anyone out there know of a virus that causes excessive read errors on the floppy disks? This is the only machine in our shop that does this, but it also is isolated from anything else. One of our technicians copied some software from it to his own floppy to use on his machine at home, and the same problem started to appear on the home machine! There is no 'Kilroy' message or anything...just the random failure on the disk. The floppies it's reading work fine on the other machines in our shop, so this is beginning to make me curious. The message we keep getting is the A)bort, R)etry, I)gnore msg. Maestro, The Tocatta BBS -ahc- --- ConfMail V4.00 * Origin: The Tocatta BBS (1:343/61) Msg#:22445 *Virus Info* 10-19-90 17:30:00 (Read 3 Times) From: DARIN ARRICK To: VINSON NICHOLS Subj: REPLY TO MSG# 22420 (RE: DOES) I agree that computer information should be free. The traditional view of a virus is something that sneaks into your computer and destroys your hard drive data. Yes, there are a lot that do that. A virus could also monitor system functions and watch for unusual activity (like a "bad" virus) and stop it before anything destructive can occur. They are both "viruses", one good, one bad. Don't a lot of virus detection programs do what the above example does? Yup. Just remember, you're using a virus to protect yourself from a virus (fighting-fire-with-fire theory). If you can't beat 'em, join 'em. Just my opinion. --- * Origin: GENESYS I BBS (817)-284-1520 (1:130/59) Msg#:22446 *Virus Info* 10-17-90 21:06:00 (Read 3 Times) From: STUART CORNALL To: ERIC JACKSCH Subj: REPLY TO MSG# 22433 (DOCUMENTING VIRUS HITS) -=>security in companies using MS-DOS based machines. If anyone -=>has first hand knowledge of: -=> -=>- a commercial site being infected by a virus, I'm employed as a Data communications technicain is Australia. We frequently install modems into systems and are called upon to show people how to run the software. far too often we will COLD boot from our "Own" system disk with Scan installed, and find the stoned virus, or the Brain virii. Sometimes other types than boot block goodies are in the computers. We refuse to continue the instaltion without removing the virii. Most of the time if it's a boot block, I'll manually remove it with debug. -=>- data loses due to hard drive crash(es), Virus infection, or head crash. Towers with the legs folded in to make it fit into smaller spaces just love to go BASH on the floor and the hard disk makes a nice screech. It's hard, very much so, not to start giggling! -=>- malicious damage by employees, Take one example; Old employee at my high school was fired for misconduct, so he found out what turning off the power to the file server did. Server had a UPS, but he disabled it. -=>- unauthorized access to data stored on PC's, or -=>- other incidents involving serious data loss or security -=>related issues, Faulty tape backup unit, user disabled read after write , I quote 'Caus it takes too long'. Then the 600 Meg drive decided to die, and what happened to the poor old backups?! didn't go at all, and he was quickly terminated from that company. I could tell of many more tales, but I've said enough in this to get the creative juices flowing for others to write about. regards Stuart Cornall. --- * Origin: Stoned.... Like wow man... 20 Meg Magic (3:640/351) Msg#:22447 *Virus Info* 10-18-90 16:07:00 (Read 3 Times) From: SATYR DAZE To: PAUL FERGUSON Subj: REPLY TO MSG# 22442 (RE: VIRUS SCANNERS....) Whoops .. didn't mean to open a Can of Worms here . I never meant to imply BBS's where to blame ...without them how could we alert each other to problems. No indivduals are to blame ... Those who write these little Darling Viruses. and now we must all be responsible in trying not to infect ourselves. In other words always Scan irregardless of Where you got it from. And this goes not only for Down-Loading ... but Programs Bought commercially .... and those assed around by Friends. As you so well pointed out these can come from anywhere. The Satyr Daze --- TBBS v2.1/NM * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2) Msg#:24150 *Virus Info* 10-21-90 07:23:00 (Read 4 Times) From: PATRICIA HOFFMAN To: YASHA KIDA Subj: REPLY TO MSG# 20562 (UNIX UU-NET VIRUS ECHO) YK> Pat is there a UNIX/XENIX version of the VIRUS_INFO... YK> if so whom can I contract or what the focal point? YK> YK> Reason for asking: I now have the ability to tap UU-NET and others via YK> 9600 links. Not really a Unix/Xenix version of VIRUS_INFO, but you might want to see if you can pickup Comp.Virus, which originates on UseNet or Internet. --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:24151 *Virus Info* 10-21-90 07:33:00 (Read 4 Times) From: PATRICIA HOFFMAN To: PAUL FERGUSON Subj: REPLY TO MSG# 22422 (VIRUS SUMMARY VERSION ???) PF> The last release of VSUM is 15 October 1990. In it's original form it PF> is called VSUM9010.ZIP. Hopes this helps. PF> The current release of VSUM is VSUM9010.ZIP, and is dated October 5, 1990. If you have one dated October 15, 1990, I'd like to see it because it isn't a version released by me! Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:24152 *Virus Info* 10-21-90 07:39:00 (Read 4 Times) From: PATRICIA HOFFMAN To: SCOTT HOWELL Subj: REPLY TO MSG# 22437 (QUESTION) SH> I have two questions. First can a virus scramble the file SH> alication table, but not to the point where it can't be repaired and SH> where can I get a list of the most recent viruses? I ask because I am SH> pretty sure I wasn't hit because Scan couldn't find anything, but for SH> some reason a large majority of the files on drives c through h were SH> cross linked and the table was pretty screwed. Hmmm well I think it SH> has something to do with the optimizer I was running, but who can tell. SH> Please help!!! thanks SH> Scott, it is possible that the optimizer or some other utility that was run on the system caused the crosslinking of the files, but it is also possible it was a virus. Most of the "stealth" type viruses can have this symptom, particularly if CHKDSK is run with the /F parameter. The effect occurs because the "stealth" type viruses adjust the directory on the fly, but not the file allocation table. Which version of Scan did you use? If you take a look at the Virus Information Summary List, towards the back there is a revision history. To look at only the more recent viruses, look up the viruses that were added with the last couple of releases. SH> PS. I would like to take this list to the other folks at the AIS SH> meeting here at NASA Headquarters and the meeting is on Oct. 17 so if SH> anyone can get back to me before then I would appreciate it. Keep in mind that the Virus Information Summary List must be site licensed with the author (me) if it is used in one of several types of environments. NASA is considered both "government" and "agency", and not "non-profit", as far as I'm concerned. Please do not take it into NASA for purposes of distributing it if they aren't going to check into licensing it. If it is distributed there, as with any other government location or agency, it must be site licensed. (Sorry if the words are a little harsh, but after a recent "problem", it had to be stated.) Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#:24153 *Virus Info* 10-18-90 21:44:00 (Read 3 Times) From: CY WELCH To: CHARLES HANNUM Subj: REPLY TO MSG# 20575 ("CLEAN, UNINFECTED DISK") In a message to All <15 Oct 90 13:57:00> Charles Hannum wrote: CH> How many times have you heard this? CH> "Just boot from a clean, uninfected disk and run SCAN." CH> This is an interesting idea. It might CH> even work. However, how can you be CH> *sure* your original copy of DOS isn't CH> infected? Or SCAN? Or your comm. CH> package? Or your dearchiver? If you have been doing even CLOSE to what you should you will have at least your original DOS disks to boot from in a pinch. (you mean those are what you boot from day to day?) Just put a write protect tab on it and boot. If scan is infected it will tell you. I don't worry about the making sure I am unifected since I ALWAYS back up to tape just before trying anything new on my system. That way I can always reboot, low level format my drives and reinstall DOS, Pc-Tools backup and then restore my system. --- XRS! 3.44+ * Origin: Limping along on a 286/16. What a drag!! *:- (Super 99:9402/122.1) Msg#:24154 *Virus Info* 10-18-90 21:48:00 (Read 3 Times) From: CY WELCH To: PAUL FERGUSON Subj: REPLY TO MSG# 22429 (TROJAN) In a message to Ice Wolf <15 Oct 90 22:38:00> Paul Ferguson wrote: PF> Remember the terrible (or perhaps it was great, I can't remember PF> which) story of the Trojan War and the Trojan Horse...Well, that is PF> what a Trojan Horse program produces. Something quite undesireable, PF> like formatting all of your sectors to dust. A virus, on the other PF> hand, can replicate, attach itself to a "host" and for whatever you PF> can image, have any number of "triggers to become detructive. My PF> best advise that I can give is to get ahold of a copy of Patti PF> Hoffman's "Virus Information Summary List" which is produced PF> monthly. This is an invaluable document for reference purposes. Yup, I got one once that was a TSR made to look like a trojan. What it did was you loaded it, told it how long to wait and then how many presses of the enter key to watch for, and then would pop up a full screen display of "Contratulations you have won a complete hard disk format" along with a display showing as if it were really doing it. It also scanned the disk as it did it to look more realistic. I pulled it on a friend and he really hit panic city. Turned it off and was afraid to turn it back on. Strange he didn't think it was funny for about 2 days. Then he couldn't stop laughing for a week. --- XRS! 3.44+ * Origin: Limping along on a 286/16. What a drag!! *:- (Super 99:9402/122.1) Msg#:24155 *Virus Info* 10-22-90 14:33:00 (Read 3 Times) From: JAMES BARRETT To: TOM SMITH @ 930/1 Subj: REPLY TO MSG# 24152 (QUESTION) In a message to Scott Howell <19 Oct 90 23:10:00> Tom Smith @ 930/1 wrote: TS> As for possible fixes, I'd suggest that you try one of the "fixit" TS> programs in Norton Utilities 5.0, PC Tools Deluxe 6.0, or Mace TS> Utilities 1990. The "Emergency Room" utility in the latter gets TS> particularly high marks; I've found it to fix disks that the others TS> wouldn't even admit existed! If these won't help, you can contact one Norton should be run with certain parameters (or can be changed in the config in 5.0) to treat everything as "phyiscal" drives instead of logical drives to recognize everything! --- XRS! 3.44+ * Origin: Chapel Hill, NC - The Southern Part of Heaven (Quick 1:271/250.5) Msg#:24156 *Virus Info* 10-23-90 19:48:00 (Read 3 Times) From: RYAN ROBERTS To: ALL Subj: MACAFFEES Is there a news SCAN* out besides SCAN61? Thanks, Ryan --- Opus-CBCS 1.13 * Origin: Power Socket 404-883-6231 24hrs (1:3621/450.0) Msg#:24157 *Virus Info* 10-22-90 20:55:00 (Read 3 Times) From: YASHA KIDA To: PAUL FERGUSON Subj: REPLY TO MSG# 22447 (RE: VIRUS SCANNERS....) In a message of <20 Oct 90 20:51:00>, Paul Ferguson (1:109/229) writes: PF> YK>There are several programs which send the ENTIRE CONTENTS PF> YK>including the boot sector ....TELADISK.* is one for starters PF> YK> PF> YK>Yasha Kida PF> YK>sysop PF> PF> Right you are, but come now, Yasha...You are not going to find a that PF> certain circumstance happening via BBS. Very improbable. PF> How are thing's "in the rear" at Bragg? '-) I have had jokers try... My batch file which uses CHECKER dumps the bad ARC-ZIPS-ZOOS-etc.. to safe area The REAR AREA can be fun.... Yasha --- msged 1.99S ZTC * Origin: Bragg IDBS, 82nd Airborne Bug hunte Msg#:24159 *Virus Info* 10-23-90 02:46:00 (Read 3 Times) From: MARSHALL BARRY To: DARIN ARRICK Subj: REPLY TO MSG# 22445 (DOES) >A virus could also monitor system functions and watch for unusual activity >(like a "bad" virus) and stop it before anything destructive can occur. Except that a "virus" replicates itself... thereby "forcing" its protection upon those who do not wish same. >They are both "viruses", one good, one bad. A program which automatically checks for "corruption" is not, by any stretch of the imagination, a "virus". It is a "TSR", and many companies already have such. >Don't a lot of virus detection programs do what the above example does? >Yup. Just remember, you're using a virus to protect yourself from a virus >(fighting-fire-with-fire theory). If you can't beat 'em, join 'em. Except that they are, again, not virii, but resident programs. They don't "attach" themselves to files (although they may, optionally, provide a "check code" for programs) and don't propagate from machine to machine. // Mb // --- MDMK WorldPoint * Origin: My System has a 12Mhz Fever, Doc... (1:104/169.17) Msg#:25109 *Virus Info* 10-21-90 10:46:00 (Read 3 Times) From: DUANE BROWN To: CHARLES HANNUM Subj: REPLY TO MSG# 22443 (STERILAB) CH>It doesn't have to really screw anything up; you *could* CH>just change the CH>media descriptor and the corresponding info in the boot CH>sector. Then it CH>would be fairly straightforward to resurrect a disk. It CH>would also be less CH>secure. But then that would make data recovery within the "secure" lab impossible, as almost all programs that rely on the media descriptor byte will barf.. --- ZMailQ 1.12 (QuickBBS) * Origin: End of the Line. (703)720-1624 in Stafford, Va. (1:274/16.0) Msg#:25110 *Virus Info* 10-24-90 17:56:00 (Read 3 Times) From: PAUL FERGUSON To: ROBERTO ZANASI Subj: WHAT IS VERSION C OF SCANVIRUS? * Replying to a message originally to All RZ>I have version 67 of scan, and I have heard of versions 67b RZ>and 67c. Which is the newest? RZ> RZ>--- msged 2.05 RZ> * Origin: Videl Positronic Brain (2:332/504.2) SCAN version 67b is a minor bug fix to the original version (SCANV67) and verion 67c is a minor bug fix to version 67b. It seems that the earlier of the three versions provided erroneous results at varying times. SCAN version 67c is now the current version. --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:25111 *Virus Info* 10-24-90 18:01:00 (Read 3 Times) From: PAUL FERGUSON To: KEN DORSHIMER Subj: RE: FAR CALL KD> FD>>Why not re-write the rom on an EPROM losing this problem as you can KD> FD>>then scan this address and knowone can change it. KD> KD> CH> Yeah, right -- in fact, I do indeed spend most of my time changing KD> CH> BIOS code locations and burning EPROMs. I just can't imagine why more KD> CH> people aren't like me! :-) KD> CH> KD> KD> Not me, I use the Random EPROM Burner . That way no one KD>can find the KD> code, not even me. :-) That must be a mighty finely honed soldering iron... --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:25277 *Virus Info* 10-23-90 13:34:00 (Read 3 Times) From: CHARLES HANNUM To: PAUL FERGUSON Subj: RE: VIREN IM SPIEL GROWLER??? OR>>Hallo Henrik, OR>>ich habe gestern das o.g. Spiel bei Euch upgeloaded. Spaeter OR>>habe ich mit dem VirScan 1.3 einen Test gefahren und der OR>>meldete einige befallene Overlay Dateien meiner PC-Shell. Ich OR>>wuerde Dich bitten, dies zu ueberpruefen!! Der Viren-Scanner OR>>von McAffee zeigte allerdings keinen Befall!!! > > Would someone care to translate this? Even after spending a few > years in Germany, my German leaves much to be desired. (This is very > annoying.) I just read through FidoNet Policy 4.07 (which I believe is current) earlier, and ran across this: The offical language of FidoNet is English. Note that they didn't specify "correct English," just "English." B-) --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:25278 *Virus Info* 10-24-90 23:33:00 (Read 3 Times) From: SCOTT HOWELL To: ALL Subj: SCANV67C to: all Two quick questions. Does anyone know where I can get scanv67c.zip or the latest copy of scan and second has anyone had any problems using the crc check part of scan? THis crc check routine adds some extra code to your exe com etc files and so therfore I thought I would ask if anyone had any problems before I do it. --- SLMAIL v1.36M (#0264) * Origin: Foundation BBS * College Park, MD Society's connection * (109:109/5 Msg#:25279 *Virus Info* 10-24-90 23:53:00 (Read 3 Times) From: DARIN ARRICK To: PAUL FERGUSON Subj: REPLY TO MSG# 22432 (DOES ANYONE KNOW HOW TO MAKE VIRUS) Yes, I can see your point on the matter. I'm a hacker, programmer who programs for programming itself. It's an art form to me. You see viruses from a bad standpoint on a daily basis. If saw the same, I'd hate them, too. --- * Origin: GENESYS I BBS (817)-284-1520 (1:130/59) Msg#:25280 *Virus Info* 10-25-90 00:03:00 (Read 3 Times) From: DARIN ARRICK To: PAUL FERGUSON Subj: REPLY TO MSG# 25279 (DOES ANYONE KNOW HOW TO MAKE VIRUS) By the way, I've had my share of viruses (from a bad point). Wheen I first got my Amiga about a year ago, 30 out of 40 disks which came with it were infected with the "Lamer Exterminator" virus. Fortunately, a gentleman named Steve Tibbetts has seen it fit to fight bad viruses on the Amiga with his heart and soul. He wrote and EXCELLENT virus detection and vaccinations program called VirusX. It checks each disk automatically as soon as it is inserted into the disk drive. (The Amiga checks it's drives automatically for disk changes, and therefore, he just latched onto this routine.) I just switched disks until it had killed them all. Took me about 10-15 minutes for 30 disks or so. The most recent happened about 6 months ago (Amiga again). There is a virus that seems to be able to disrupt your real time clock and it caused mine not to work. I think it actually stores itself in battery backed clock RAM. Solution : (you're gonna love this) I shorted the battery terminals together with a screwdriver. It scrambled the memory, and therefore, the virus, too. I reset my clock and haven't seen it since. I wish I could have taken the code for these viruses and disassembled it. It seems like there is quite a bit of programming time and talent which goes into one. (I know, most people think there's no talent in destructive viruses, but, you have to admit, the programmers know their stuff.) I like to classify programs, viruses, and programmers and hackers into two groups : black and white. Black = evil, destructive White = Good, constructive. There are black viruses and white viruses. Black hackers and white hackers. (I hope no one takes this as racial, because I don't mean it that way. I'm talking about personality, not skin color.) I consider myself a white hacker. --- * Origin: GENESYS I BBS (817)-284-1520 (1:130/59) Msg#:25281 *Virus Info* 10-24-90 22:21:00 (Read 3 Times) From: TOM SMITH @ 930/1 To: JAMES BARRETT Subj: REPLY TO MSG# 24155 (RE: QUESTION) JB> Norton should be run with certain parameters (or can be changed in th JB> config in 5.0) to treat everything as "phyiscal" drives instead of log JB> drives to recognize everything! Good point, James; I was ASSuming that the original poster would RTFM, but it never hurts to add obscure points that might cause very noticable problems! Tom Smith/Dallas... --- QM v1.00 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0) * Origin: Network Gateway to RBBS-NET (RBBS-PC 1:10/8) Msg#:25282 *Virus Info* 10-21-90 11:13:00 (Read 3 Times) From: VINSON NICHOLS To: PAUL FERGUSON Subj: REPLY TO MSG# 24159 (RE: DOES) PF> Well, Vinson, I must take an opposing view concerning PF> programming. Any code than can secretly attach itself to any PF> of my clients executables (or whatever, you should know what I PF> mean) is quite undesireable, especially if it slows processing PF> speed or is destructive in any fashion. That is the equivalent PF> of Invasion of Privacy. I commend you for "destroying" PF> whatever it is/was that you compiled, but the hazards are a PF> little too great from my standpoint. There is are a myriad of PF> viruses popping up every month that keep every extremely busy PF> enough as it is. What I was tring to say was. That if someone wanted to learn something about computers then they have the right too. I did not and do not say that any one has the right to do dammage to data. It does take a good program or at least one with alot of programing to write such a thing. I did mine to see what was involved . I did learn quite abit about how how dos work in conjuction with the command processor. These two are doing is ok. To learn is to grow, but don't destroy in the process. I will say one thing I don't understand why someone would release a virus....Vinson --- via Silver Xpress V2.27 [NR] --- QM v1.00 * Origin: The F e d e r a l Post -{*}- Fayetteville, NC (1:151/301.0) Msg#:25284 *Virus Info* 10-21-90 11:18:00 (Read 3 Times) From: VINSON NICHOLS To: DARIN ARRICK Subj: REPLY TO MSG# 25282 (RE: DOES) DA> I agree that computer information should be free. The DA> traditional view of a virus is something that sneaks into your DA> computer and destroys your hard drive data. Yes, there are a DA> lot that do that. A virus could also monitor system functions DA> and watch for unusual activity (like a "bad" virus) and stop DA> it before anything destructive can occur. They are both DA> "viruses", one good, one bad. Don't a lot of virus detection DA> programs do what the above example does? Yup. Just remember, DA> you're using a virus to protect yourself from a virus DA> (fighting-fire-with-fire theory). If you can't beat 'em, join DA> 'em. DA> Just my opinion. Thanks for the note. As I told Paul . It's ok to learn how to write them just don't release them. I believe in the freedom of learning, not the right to destroy someone else's data. Vinson --- via Silver Xpress V2.27 [NR] --- QM v1.00 * Origin: The F e d e r a l Post -{*}- Fayetteville, NC (1:151/301.0) Msg#:25285 *Virus Info* 10-25-90 02:20:00 (Read 3 Times) From: CHARLES HANNUM To: RYAN ROBERTS Subj: REPLY TO MSG# 24156 (RE: MACAFFEES) > Is there a news SCAN* out besides SCAN61? The current version is 67B. If you had read back a few days, you would know that without asking. --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#:25721 *Virus Info* 10-25-90 18:18:00 (Read 3 Times) From: PAUL FERGUSON To: YASHA KIDA Subj: REPLY TO MSG# 24157 (RE: VIRUS SCANNERS....) YK>I have had jokers try... My batch file which uses CHECKER YK>dumps the bad YK>ARC-ZIPS-ZOOS-etc.. to safe area That is why I do my SCANing "in person" instead of setting it up as an event along with other nightly maintenance....I like to supervise. ...CKOT is good, but I dislike the idea of making =any= file available to my users without first personally checking it out. (Overly cautious? Who? Me?).... Later, -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:25722 *Virus Info* 10-25-90 18:26:00 (Read 3 Times) From: PAUL FERGUSON To: RYAN ROBERTS Subj: REPLY TO MSG# 25285 (MACAFFEES) * Replying to a message originally to All RR>Is there a news SCAN* out besides SCAN61? Hello, Ryan... The current versions of SCAN and CLEAN are versions 67c and 67, respectively. (SCANV67C.ZIP and CLEANP67.ZIP)... I'm sure that you will receive quite a few replies like this, but I thought I may as well respond nonetheless. Greetings from Washington, DC -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:25723 *Virus Info* 10-25-90 18:35:00 (Read 3 Times) From: PAUL FERGUSON To: SCOTT HOWELL Subj: REPLY TO MSG# 25278 (SCANV67C) * Replying to a message originally to All SH> Two quick questions. Does anyone know where I can get SH>scanv67c.zip or the latest copy of scan and second has anyone SH>had any problems using the crc check part of scan? THis crc SH>check routine adds some extra code to your exe com etc files SH>and so therfore I thought I would ask if anyone had any SH>problems before I do it. Scott, The bugs that were previously encountered with the addition of validation codes (/AV) have been worked out with the subsequent releases. No other problems have been reported since the bug fixes were released. As far as how to acquire a copy, please feel free to log onto my BBS anytime. I'm located in DC (just a stones throw away) and I have a nice selection of AntiViral utilities including SCAN and CLEAN. I download the new release directly from McAfee Associates BBS when they are put into circulation. I'll NetMail you the number. Anyone else desiring the number can make a request via NetMail, as well. I feel that this forum is a bit =too= public and it would not be entirely proper to "advertise" here. Look forward to hearing from you, -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:25724 *Virus Info* 10-24-90 18:05:00 (Read 3 Times) From: WARREN MALLETT To: ALL Subj: FILE VIRUS Can anyone help me with what I think is a new virus? The symtoms are when the infected disk is loaded the machine instntly gurus and then continues to guru for every disk inserted untill you power down. The disks contain a invisable file that resides in no directorys but in the general loose file area of disk. The file when viewed with Diskmaster V3.0 appears as " AAAA....." or similar to this.Also in the startup-sequence is a similar file to this " ... AA .." Now this is the first file in the startup-sequence and it also is hidden from normal view. So far no virus detector programs have detected it. Can anyone identify this virus? The solution I used was to delete both files then repair bootblock with Novirus. However disk is still not 100%. warren. --- Paragon v2.07 * Origin: Omega BBS - * 61-7-279-2487 (3:640/279) Msg#:25725 *Virus Info* 10-25-90 23:28:00 (Read 3 Times) From: DARIN ARRICK To: MARSHALL BARRY Subj: REPLY TO MSG# 25284 (DOES) Do you think that if an antiviral virus was released which destroyed malignant viruses, it would be condoned or scorned? Even people who didn't know they were protected would be protected. I don't think anyone would mind. I know I wouldn't mind the extra peace of mind that it would bring. Yes, and I now realize that those are TSRs, but I was talking about the Amiga world, not the PC. On the PC they are TSRs. On the Amiga, which natively multitasks, they are tasks, programs which are running continuously. This is my understanding of them. Darin --- * Origin: GENESYS I BBS (817)-284-1520 (1:130/59) Msg#:26265 *Virus Info* 10-25-90 21:45:00 (Read 3 Times) From: TOM SMITH @ 930/1 To: SCOTT HOWELL Subj: REPLY TO MSG# 25281 (RE: QUESTION) Scott, if you're using the PC-Cache from PC Tools 6.0, there's been several updates released since the original package started shipping. I'd suggest that you dial into their BBS and pick up the latest; it might prevent your disks from being scrambled again. It might also be necessary to disable delayed writes; depending upon the circumstances, those beasties can be very deadly. Anyway, I'm glad to see that it wasn't some new virus; there's enough of those beasties floating around already! Tom Smith/Dallas... --- QM v1.00 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0) * Origin: Network Gateway to RBBS-NET (RBBS-PC 1:10/8) Msg#:26266 *Virus Info* 10-25-90 16:16:00 (Read 3 Times) From: RON LAUZON To: CHARLES HANNUM Subj: REPLY TO MSG# 24153 ("CLEAN, UNINFECTED DISK") CH> How many times have you heard this? CH> CH> "Just boot from a clean, uninfected disk and run SCAN." CH> CH> This is an interesting idea. It might even work. However, how can CH> you be *sure* your original copy of DOS isn't infected? Or SCAN? Or CH> your comm. package? Or your dearchiver? Well, you really can't be 100% sure. What you have to do is assume and be very careful. 1) Boot (cold boot) from your ORIGINAL DOS floppy (you know, the one that came with your DOS manual in that little binder from Microsoft or IBM). Create your bootable floppy from the original DOS disk and then don't use the original DOS disk again. 2) Download SCANV only from a respectable BBS who's Sysop checks programs out. Also, run the verify program that comes with SCANV to verify that things are good. 3) The same goes for your de-archiver: download from only respectable BBSs. 4) As for your comm program, since you have a good de-archiver, SCANV and DOS bootable floppy, you should be able to scan term program downloaded from, again, a respectable BBS. The best way is to just be careful. Most Viruses are "evolutionary dead ends". If someone out there finds a program going around infected, he will let everyone know. ... Two wrongs do not make a right: it usually takes three or more. --- via The Blue Wave v1.05 * Origin: Flight of the Raven -=* Home of the Blue Wave *=- (1:2200/107.0) Msg#:26267 *Virus Info* 10-26-90 11:22:00 (Read 3 Times) From: PATRICK MURPHY To: CHARLES HANNUM Subj: REPLY TO MSG# 25722 (RE: MACAFFEES) CH> > Is there a news SCAN* out besides SCAN61? CH> CH> The current version is 67B. Nope, it's 67 "C"... CH> CH> If you had read back a few days, you would know that without asking. If YOU would have read back a few days, you would have seen this. ;-) ttyl......Pat --- msged 1.99S ZTC * Origin: "Then I saw le Squid, and he gave me la Fidonet address..." (1:163/ Msg#:26818 *Virus Info* 10-20-90 13:14:00 (Read 3 Times) From: SATYR DAZE To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 25721 (RE: VIRUS SCANNERS....) Well ... When scanned by Virucide, the Virus Identified was "Stoner" virus, as to how the infection occured. That is where we become a bit lost. Although as you have stated it was in all probability brought in by one of the workers ... and not downloaded in this case. But my point was that everything should always be checked irregardless of how the information is brought to a system. I never intended for it to mean I was somehow blaming the BBS's for our current plight ... the reverse is true, it seems the quickest way to spread information on new strains and iradication tecniques. Take care....... The Satyr Daze --- TBBS v2.1/NM * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2) Msg#:26819 *Virus Info* 10-20-90 21:42:00 (Read 3 Times) From: REINHARDT MUELLER To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 22431 (CROSS-LINKED ECHOS) In a message to All <17 Oct 90 06:50:00> Patricia Hoffman wrote: PH> All sysops who recently added this echo (VIRUS_INFO) or the VIRUS PH> echo should check their systems to make sure that they have not PH> accidently cross-linked these two echos. Several of the messages PH> which have been received on my system in the last two days appear to PH> belong in VIRUS since the messages being quoted from came from the PH> VIRUS echo. Why 2 virus echos and what's the difference between these 2 echos? Please clear up the potential confusion! :) --- [MicrStar] via TComm XRS 3.1 * Origin: Global War -- the game Mikey loves! (TComm 1:343/17.1) Msg#:26820 *Virus Info* 10-21-90 17:10:00 (Read 3 Times) From: PAUL FERGUSON To: OLIVER RITTER Subj: REPLY TO MSG# 25277 (VIREN IM SPIEL GROWLER???) * Replying to a message originally to Henrik Bohm OR>Hallo Henrik, OR>ich habe gestern das o.g. Spiel bei Euch upgeloaded. Spaeter OR>habe ich mit dem VirScan 1.3 einen Test gefahren und der OR>meldete einige befallene Overlay Dateien meiner PC-Shell. Ich OR>wuerde Dich bitten, dies zu ueberpruefen!! Der Viren-Scanner OR>von McAffee zeigte allerdings keinen Befall!!! OR> OR>--- Opus-CBCS 1.14 OR> * Origin: ChaosBox: Nichts ist wahr ! <06257-7966> OR>(2:243/2.0) Would someone care to translate this? Even after spending a few years in Germany, my German leaves much to be desired. (This is very annoying.) --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:26821 *Virus Info* 10-25-90 06:15:00 (Read 3 Times) From: YASHA KIDA To: RYAN ROBERTS Subj: REPLY TO MSG# 26267 (MACAFFEES) In a message of <23 Oct 90 19:48:36>, Ryan Roberts (1:3621/450) writes: RR> Is there a news SCAN* out besides SCAN61? RR> RR> Thanks, Ryan =============================================================== = you're gon'na get and awful lot of replies to this request.= =============================================================== Scanv67. is the latest "I" know of... --- msged 1.99S ZTC * Origin: Bragg IDBS, 82nd Airborne Bug hunte Msg#:26822 *Virus Info* 10-27-90 15:26:00 (Read 3 Times) From: SUNMAP SYSOP To: CHARLES HANNUM Subj: REPLY TO MSG# 26821 (RE: MACAFFEES) ->The current version is 67B. ->If you had read back a few days, you would know that without ->asking. Try and be nice to someone who obviously is asking for assistance! The latest version we have is 67C, but that could have changed by now too. Best wishes from 'down under'! Brian Wendt --- via Silver Xpress V2.27 [NR] * Origin: Sunmap Multline BBS - Brisbane - Australia (3:640/206) Msg#:26823 *Virus Info* 10-26-90 23:13:00 (Read 3 Times) From: BOB SPOELDER To: WARREN MALLETT Subj: REPLY TO MSG# 25724 (FILE VIRUS) > Can anyone help me with what I think is a new virus? > The symtoms are when the infected disk is loaded the machine instntly > gurus and then continues to guru for every disk inserted untill you > power down. Sorry I can't help you with your virus problems but hopfully you can stop other getting this virus by telling us witch disk it was originaly on and if it was a PD program. Bob. --- Chameleon 0.10 * Origin: Bob's Dungeon.@p49.f203.n640.z3.fidonet.org (3:640/203.49) Msg#:26824 *Virus Info* 10-27-90 11:52:00 (Read 3 Times) From: RYAN ROBERTS To: ALL Subj: CPU VIRUS Did anyone hear about some computers being infected with a new virus? I mean the computer itself! It's was on the news that the computers worked well, for about a week then EVERYONE of them got screwed up! This message came accross the screen: "YOUR COMPUTER IS STONED". Dang that's pretty rough! --- Opus-CBCS 1.13 * Origin: Power Socket 404-883-6231 24hrs (1:3621/450.0) Msg#:26825 *Virus Info* 10-26-90 16:25:00 (Read 3 Times) From: ROSS WENTWORTH To: DARIN ARRICK Subj: HACKER DA> I like to classify programs, viruses, and programmers and hackers DA> into two groups : black and white. Black = evil, destructive DA> White = Good, constructive. There are black viruses and white DA> viruses. Black hackers and white hackers. (I hope no one takes this DA> as racial, because I don't mean it that way. I'm talking about DA> personality, not skin color.) DA> I consider myself a white hacker. I've always prefered to call destructive programmers as "crackers". Hackers was long an exalted title given to the best of the breed. The press and government, however, have twisted the meaning completely. Oh, the fact that "cracker" is also a derogetory (sp?) term for uneducated poor white trash is all the better for the new meaning! Ross --- [xp] XRS! 3.40 * Origin: Coito ergo sum (RAX 1:102/330.2) Msg#:26826 *Virus Info* 10-25-90 19:24:00 (Read 3 Times) From: KENT DRUGGE To: ALL Subj: VIRUS HELP Can you idenify, suggest how to find and destroy a POSSIBLE virus I MAY have. I copied on to my system from a friend who downloaded War. Also, a copy of Prince of Prussia, straight from taiwan (commercial). Now randomly on keystrokes we both get a character that repeats 10-25 times. Also, we each have had one overly file affected, A coincidence? Any suggestions would be appreciated. Have a great day! --- Opus-CBCS 1.03b & NoOrigin 3.5 --- ConfMail V4.00 * Origin: "ware hell-hole in sp" Arisia +1-213-634-4885 (99:9407/3) Msg#:26827 *Virus Info* 10-28-90 02:52:00 (Read 3 Times) From: ROSS WENTWORTH To: KEN DORSHIMER Subj: REPLY TO MSG# 25725 (DOES) > DA> Do you think that if an antiviral virus was released which destroyed > DA> malignant viruses, it would be condoned or scorned? Even people who > DA> didn't know they were protected would be protected. I don't think > DA> anyone would mind. I know I wouldn't mind the extra peace of mind that > DA> it would bring. Yes, and I now realize that those are TSRs, but I was KD> i'd mind. i prefer to know what my KD> system is up to. if i knew i was running KD> such a program that's another matter. KD> what you're suggesting is rather like KD> sneaking up on people and giving them KD> malaria shots for thier own good. i KD> like to know what i'm getting. An antivirus virus might mistake a legitimate program for a virus. Take a disk compacting (sorting) program, for example. It does a lot of low-level stuff with sector reads and the FAT, the same sort of thing a virus might do. Ross --- [xp] XRS! 3.40 * Origin: Coito ergo sum (RAX 1:102/330.2) Msg#:26828 *Virus Info* 10-28-90 14:35:00 (Read 3 Times) From: BILL STARNES To: WARREN MALLETT Subj: REPLY TO MSG# 26823 (RE: FILE VIRUS) Sorry, Warren, can't help you with this but I do have one question. You said: WM> The symtoms are when the infected disk is loaded the machine instntly WM> gurus and then continues to guru for every disk inserted untill you WM> power down. What exactly do you mean by "gurus"? It's a term I haven't run into. Bill --- Maximus-CBCS v1.02 * Origin: Bragg IDBS, (82nd Airborne Debugging the SandLand) (1:151/305) Msg#:26829 *Virus Info* 10-28-90 14:39:00 (Read 3 Times) From: BILL STARNES To: CHARLES HANNUM Subj: REPLY TO MSG# 26822 (RE: MACAFFEES) In a message to Ryan Roberts, Charles Hannum said: CH> The current version is 67B. CH> CH> If you had read back a few days, you would know that without asking. CH> Hey, now, let's be nice, Charles . Remember, some of us are on systems that only keep messages a day or two before they get purged. I've had cases where I've been out of town for a few days and come back and lost complete threads. Besides, Ryan may be a newbie on the net. It's a disease we've all suffered from in the past. B-) --- Maximus-CBCS v1.02 * Origin: Bragg IDBS, (82nd Airborne Debugging the SandLand) (1:151/305) Msg#:26830 *Virus Info* 10-29-90 22:29:00 (Read 4 Times) From: PAUL FERGUSON To: DARIN ARRICK Subj: REPLY TO MSG# 25280 (DOES ANYONE KNOW HOW TO MAKE VIRUS) DA> Yes, I can see your point on the matter. I'm a hacker, DA>programmer DA>who programs for programming itself. It's an art form to me. DA>You see viruses from a bad standpoint on a daily basis. If DA>saw the same, I'd hate them, too. Well, I don't necessarily =hate= them...they can be extremely educational from a knowledgeable standpoint. It is the effect that they have on the =unknowledgeable= and unsuspecting end users that waste my time. effort and patience. Controlled environments are all well and good....Rampid fire spreading is another. Greetings from Ground Zero... -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:26831 *Virus Info* 10-29-90 22:38:00 (Read 4 Times) From: PAUL FERGUSON To: DARIN ARRICK Subj: REPLY TO MSG# 26830 (DOES ANYONE KNOW HOW TO MAKE VIRUS) DA> I wish I could have taken the code for these viruses and DA>disassembled it. It seems like there is quite a bit of DA>programming time and talent which goes into one. (I know, DA>most people think there's no talent in destructive viruses, DA>but, you have to admit, the programmers know their stuff.) DA> I like to classify programs, viruses, and programmers and DA>hackers into two groups : black and white. Black = evil, DA>destructive DA>White = Good, constructive. There are black viruses and white Good point, but if you'll allow me to induldge myself....I must disagree...I remain steadfast in my beliefs that there are =no= good viruses. (I won't continue in this train of thought because there has been much heated debate within this echo concerning this and it is pretty much worn out as topic substance)... I do agree with you, however, on the point that there are some very talented programmers out there applying themselves improperly. (VB put in a good word...). It's a cyclic, redundit, futile effort on their part...We will always remain one step ahead....It always helps to have the forces combine and produce something productive at times. Comments? -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:26832 *Virus Info* 10-29-90 22:41:00 (Read 4 Times) From: PAUL FERGUSON To: TOM PREECE Subj: REPLY TO MSG# 25723 (RE: SCANV67C) TP>I don't suppose you want to know you can call California to TP>get it so I won't say so. TP>--- TBBS v2.1/NM TP> * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 TP>(1:161/208) Huh? I'm afraid you lost me on that one (or perhaps it was me....I just returned from Houston this evening with not much rest to show for it.) I call California virtually everyday. Could you possibly elebarote a bit? -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:26833 *Virus Info* 10-29-90 22:51:00 (Read 4 Times) From: PAUL FERGUSON To: MICHAEL WEINER Subj: ECHO VIRUS_INFO * Replying to a message originally to All MW>In the US, there seems to be a second virus echo called MW>"VIRUS_INFO". I'd also like to be able to read it in Europe MW>as it is said to be very interesting. If you are interested MW>too, please netmail me. I will forward these messages to MW>Felix Kasza who will (with the help of the other MW>trans-atlantic echomail traffickers get it to Europe :-) MW> MW>So, IF YOU ARE INTERESTED, NETMAIL ME. MW> MW> MW>Best regards from Vienna, MW> MW>Michael MW> MW>--- FD 1.99c MW> * Origin: Info Link [Vienna/Austria/Europe] (2:310/23) Hello, again, Michael... I realise that perhaps you are aware of this, but others may not.... The VIRUS_INFO Echo is moderated by Patti Hoffman via her Excalibur! BBS in California..Yes, it is indeed another good outlet for information and discussion. --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:26834 *Virus Info* 10-29-90 22:55:00 (Read 4 Times) From: PAUL FERGUSON To: KEN DORSHIMER Subj: REPLY TO MSG# 26827 (RE: DOES) KD>i'd mind. i prefer to know what my system is up to. if i knew KD>i was running KD>such a program that's another matter. what you're suggesting KD>is rather like KD>sneaking up on people and giving them malaria shots for thier KD>own good. i KD>like to know what i'm getting. Here we go again.....My sentiments ride with you, Ken. But haven't we pretty much beaten this topic to death? I suppose that we will have to continue to correct those individuals, though, that think that it is okay. Pity. Talk to you later, Ken.... -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:26835 *Virus Info* 10-29-90 22:58:00 (Read 4 Times) From: PAUL FERGUSON To: CHARLES HANNUM Subj: REPLY TO MSG# 25109 (RE: STERILAB) CH> You'd have a TSR that would change such info during CH>BIOS disk calls, CH>such that anything using the BIOS for disk I/O wouldn't know CH>the difference. Charles, What is it that you are trying to do exactly? It seems that you are taking the long way around... --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:26836 *Virus Info* 10-29-90 23:01:00 (Read 4 Times) From: PAUL FERGUSON To: DARIN ARRICK Subj: REPLY TO MSG# 26834 (RE: DOES) * Replying to a message originally to Vinson Nichols DA> I agree. Destroying someone else's hard work is stupid. DA>Learning about viruses by making some, and not releasing DA>them, is hands-on learning. Still...I vehemently disagree with you. Shall we discuss it further? --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:26837 *Virus Info* 10-29-90 23:06:00 (Read 4 Times) From: PAUL FERGUSON To: GARY WESTON Subj: !*VIRUS ALERT*! GW> my sources are extreme reliable..they work for a branch of GW>the U.S. government. GW> thank you. Uhh.......Uncle Sam and his hired help always lag behind the information dispersed within this echo...For example... 4096 is "old" news....Your reliable sources are behind in the times, so to speak.... Greetings fro Capitol Hill, -Paul --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229) Msg#:26838 *Virus Info* 10-29-90 23:11:00 (Read 4 Times) From: PAUL FERGUSON To: BOB SCHROEDER Subj: 1701 BS>1: I have a ZENITH HEATH DATA SYSTEMS Z-157 W/ a 30 MEF HD in BS>it. Is 1701 BS> a bad viruse ? 1701 is the IBM error message (equivalent) of either a Hard sisk failure or Hard Disk Controller failure...Check out your hardware first. --- * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)