💾 Archived View for gemini.spam.works › mirrors › textfiles › messages › vi901029.vir captured on 2020-10-31 at 16:52:55.
-=-=-=-=-=-=-
Msg#: 7183 *Virus Info*
09-05-90 22:31:00 (Read 6 Times)
From: HAL SCHPERL
To: CHRIS BARRETT
Subj: REPLY TO MSG# 7182 (MYSTERY VIRUS??)
> At my school we have some XT's with 2 360K FDD each. Lately we have
> noticed that some of the students disks are being over written by the
> program disk they were using. Eg some people have found the Turbo
> pascal files on their data disks.
>
> I brought in a copy of ScanV66 and placed a validation check on the
> program disks (Not the data disks). Scanning showed no viruses (well
> known ones anyway). But when we scanned them a week later we found
> some had had their Boot Blocks altered.
>
> In some cases the files on the data disk are just renamed to one on
> the program disk. Eg we listed "TURBO.EXE" and found it to contain a
> students pascal source code.
>
> Could someone shed some light please..
> I have told the teacher it is most likely home grown and he is
> sh*tting himself.
>
> Chris.
> --- TBBS v2.1/NM
> * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 -
> (690/654)
It does not have to be a virus to cause this. While creating files some
programs assume that the diskette currently in the drive is the one that was
started with. One that comes to mind is SideKick. I destroyed a few diskettes
before I realized the problem. While using SideKick to edit a file on a
diskette I popped it down and forgot about the file. Then I changed
diskettes and continued to edit the file with SideKick. I then saved the file
forgetting about the diskette change. The result was the files were still on
the diskette but the directory belonged to the previous disk. Since then I
have encountered several other programs that can do this.
--- FD 1.99c
* Origin: I'd give my right arm to be ambidextrous .. (1:163/127.4)
Msg#: 7184 *Virus Info*
09-06-90 18:28:00 (Read 4 Times)
From: PHILLIP LAIRD
To: DOUG EMMETT
Subj: REPLY TO MSG# 7167 (RE: SCAN WEIRDNESS)
Doug, wouldn't it be feasible for you to change the archive bits to read only
on the Scan File? Supposedly, Scan has a built in Mechanism for determining if
it has been damaged. In fact, I found a virus had tried to copy to Scan.EXE and
the message came back and warned that scan.exe was damaged! This was at a
local University computing lab of PC's. This may be a question that John needs
to answer or even Patti, the Moderator of the Echo. I will ask her.
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 7185 *Virus Info*
09-06-90 18:30:00 (Read 5 Times)
From: PHILLIP LAIRD
To: PATTI HOFFMAN
Subj: REPLY TO MSG# 4746 (MAKING SCAN READ ONLY.)
Patti, is it feasible to make Scan.Exe Read only? Doug Emmett was wondering
about doing that. Couldn't you change the archive bits to read only? Also,
doesn't scan have an internal routine to determine if it is damaged?
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 7186 *Virus Info*
09-06-90 09:32:00 (Read 5 Times)
From: RICHARD HUFFMAN
To: MICHAEL ADAMS
Subj: REPLY TO MSG# 7170 (RE: PKZ120.EXE)
Don't know if this one is still a problem, but I ran into a copy of ARC.EXE
v5.4 that was a hard-disk formatter...... Wouldn't mention such an old program
except that the problem resurfaced there a couple of months ago
RTH
--- SLMAIL v1.36M (#0264)
* Origin: Foundation BBS * College Park, MD * (109:109/50)
Msg#: 7187 *Virus Info*
09-03-90 12:18:00 (Read 6 Times)
From: MARC SHEWRING
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4971 (INFORMATION)
Hi Patricia,
I am a university student currently doing a research project on
Viruses and I was wondering if you could help me or indicate as to where I
could get some information on Virus signatures and scanning techniques.
Thanx, in advance.... Marc
--- Maximus-CBCS v1.02
* Origin: GAMMA ISTARI: Line 2 - Perth, Western Australia (3:690/627)
Msg#: 7188 *Virus Info*
09-04-90 23:57:00 (Read 7 Times)
From: SIMON FOSTER
To: CHRIS BARRETT
Subj: REPLY TO MSG# 7183 (MYSTERY VIRUS??)
> At my school we have some XT's with 2 360K FDD each. Lately we
> have noticed that some of the students disks are being over
> written by the program disk they were using. Eg some people have
> found the Turbo pascal files on their data disks.
I was having a similar problem on my 386 when I got it and as I was running
DesqView, etc assumed that was causing the probs (it was, in a way) ... I since
discovered that it was simply that buffers was too low. Unfortunately you do
not have a Hard Drive to see if that would be affected but your 'symptoms' are
of a low buffers. So, simply change the config.sys and adjust the buffers value
up about 15 this SHOULD fix it. If however, it doesn't, try getting hold of
SCANv66b and try that
<ping>
Regs,
Simon
--- FD 1.99c
* Origin: Jane doesn't live here anymore! (3:712/265)
Msg#: 8162 *Virus Info*
09-12-90 12:42:00 (Read 6 Times)
From: CHARLES HANNUM
To: JAMES BLEACHER
Subj: REPLY TO MSG# 6662 (RE: ANTI VIRUS VIRUSES)
> According to what I've read Dr. Fred Cohen at MIT developed the
> first virus back in 1964 or so. This was to prove that code could
> actually replicate and spread throughout a mainframe. My question is
> why on earth would he want to do that in the first place?
Probably because some stupid manager said it was impossible... which is about
the same logic Robert Tappan Morris used.
--- ZMailQ 1.12 (QuickBBS)
* Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)
Msg#: 9381 *Virus Info*
09-19-90 22:32:00 (Read 5 Times)
From: TOM SMITH @ 930/1
To: SATYR DAZE
Subj: REPLY TO MSG# 6661 (RE: VIRUS SCANNERS....)
"Satyr", the ARC/PAK/ZIP/LHARC shell program SHEZ will allow SCAN to
"look into an archived file"; it uncompresses it to a working directory
then passes the file info to SCAN which checks it. I've got my
download BAT files set to fire it off automatically whenever I pick up
an archive from a BBS. If you haven't looked at it, you might want to
check it out; I've found it to be very helpful... Tom Smith/Dallas...
--- QM v1.00
# Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0)
* Origin: Network Gateway to RBBS-NET (RBBS-PC 1:10/8)
Msg#: 9382 *Virus Info*
09-21-90 23:48:00 (Read 5 Times)
From: PHILLIP LAIRD
To: JEFF LANES
Subj: RE: VIRUS AT LAMAR
- * Quoting Jeff Lanes to Phillip Laird **
>Phillip,
>My wife's business partner just had his system cratered by
>some software he picked up at LU. I don't have any further
>details like name of program or anything...YET! This guy is
>NOT a hacker or BBSer...just a regular student (Grad) with
>a PC at home for general homework and some business applications.
> It's kinda scary when the average users get infected with
>this stuff. Where is software legitimately obtained at the
>school? Can you get it from the library or what?
>More later!
>
>Jeff
Jeff, sorry to hear about that. I have been working on a program with several
Department directors at Lamar concerning this "VIRUS" issue. The most common
virus I have run into is the notorious Jerusalem B Virus. You can use
cleanp66.ZIP found on my BBS here to clean the virus. The other common viruses
are Stoned and Stoned II. Someone (Perhaps a student) deleted the Chkdsk dos
command on one system in the Business College Lab and replaced it with a nasty
trojan. Tell your friend to try ScanV66B.zip to scan the Drive first whenever
he boots up. If viruses are found he can run clean in most cases to clean the
virus up.
The best cleanup for a virus however, is the Delete command to delete the
infected files. If the partition table was affected, then it could be the
Stoned II virus that got him. How about having this gentleman to call me voice
and see what I can do to help him.
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#: 9638 *Virus Info*
09-19-90 06:21:00 (Read 7 Times)
From: YASHA KIDA
To: RAJU DARYANANI
Subj: RE: NETWARE BYPASSING JERUSALEM VIR
Yes FEDERAL COMPUTER WEEK carried a FRONT PAGE article on the problem....
2 months ago
--- Maximus-CBCS v1.00
* Origin: Bragg IDBS, 82nd Airborne Bug hunter (1:151/305)
Msg#: 9640 *Virus Info*
09-21-90 13:31:00 (Read 6 Times)
From: PAUL FERGUSON
To: RICK THOMA
Subj: MCRC
Rick,
I'm always interested in anything that may be of =some= value to the
computing community, so....Sure...I'll bite. Now, would you prefer to
leave instructions to D/L a copy (BBS #, etc.) or would you prefer to
U/L a copy to this board for my perusal? (See Origin) CRC checkers can
have their merit if used in a =clean= environment, as you may well
know.
Awaiting input...
Greetings from Capitol Hill
-Paul
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#: 9641 *Virus Info*
09-22-90 13:33:00 (Read 6 Times)
From: SATYR DAZE
To: JIM HOBBS
Subj: REPLY TO MSG# 8162 (RE: ANTI VIRUS VIRUSES)
Well virus theory was being discussed as far back as the 1940's. John von
Neumann outlined an Idea of programs self-replicating themselves in "Theory
and Organization of Complicated Automata". And if you want to really be
boggled read his "The Computer and the Brain" ..
I use the '83 date because after Mr Thompson's speech, the following year
Scientific American published an article further discussing viruses together
with an offer whereby sending in $2.00 they sent you information on how to
write virus programs. I'm sure they rue the day they did that now.
At that point viruses were "Fun". Harmless pranks one programmer could have
with others. And also one that could be shared.
The Gift that keeps on Giving ... so to speak.
The Satyr Daze
--- TBBS v2.1/NM
* Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2)
Msg#:10870 *Virus Info*
09-09-90 23:21:00 (Read 6 Times)
From: CY WELCH
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 7173 (JERUSALEM B AND CLEANP64.ZIP)
In a message to Patricia Hoffman <05 Sep 90 18:30:00> Phillip Laird wrote:
PL> I cleaned 17 infected files today with clean version 64. I have a
PL> good question. While the program removes the file, some were
PL> removed the first time around, others were scanned several times
PL> before the virus was actually removed. Can you tell me why?
I can answer that. Jerusalem-B will infect an EXE file every time it runs. It
only infects a COM file once but infects an EXE multiple times. Clean has to be
run as many times as the file is infected to completely clean it out.
--- XRS! 3.42+
* Origin: Former QuickBBS Beta Team Member *:- (RAX 99:9402/122.1)
Msg#:10871 *Virus Info*
09-09-90 22:54:00 (Read 6 Times)
From: PETER YARD
To: CHRIS BARRETT
Subj: REPLY TO MSG# 7188 (RE: MYSTERY VIRUS??)
CB!>we have noticed that some of the students disks are being
CB!>over written by the program disk they were using. Eg some
CB!>to one on the program disk. Eg we listed "TURBO.EXE" and
CB!>found it to contain a students pascal source code.
Sounds like someone is putting their data disk in the same drive before the
buffers are flushed. If you switch the disks while still in turbo.exe then
when you exit the program DOS will overwrite the FAT and Directories with what
it thinks should be there from the previous disk.
Peter
--- QuickBBS 2.64+
* Origin: Genius BBS.. Beaker Rulz OK! (3:640/486)
Msg#:10873 *Virus Info*
09-11-90 06:50:00 (Read 5 Times)
From: YASHA KIDA
To: ALAN DAWSON
Subj: REPLY TO MSG# 9381 (RE: VIRUS SCANNERS....)
In a song of phrase on <16 Aug 90 08:30:58>, Alan Dawson (3:608/9) writes:
AD> Hear, hear! The frustrating, rug-chewing, desk-beating,
AD> monitor-smashing, stomp-down crying SHAME is that some of these
AD> viruses, on a technical level, are tremendously slick, wondrous
AD> programs. The people writing them are wonderful programmers. Just
AD> think what these people could be doing to help our PCs work better by
AD> writing a different kind of program -- and, potentially, how much
AD> money they might be able to make. They obviously have inventive
AD> minds, many of them. Such inventiveness could be put to such great
AD> use.
AD>
Remember many of the Viruses are version B & C. Many of the modifications were
not by the ORIGINAL programmers, but were people who improved on their code.
These people most likely couldn't have ever started and finished the coding
from line 1.
What I am saying is it is easy to modify code but Being the ORIGINAL writer is
something else....
Don't kid yourself these people are doing what they enjoy.. Destroying peoples
data or making a political statement. They could make $$ programming and I'm sure
many do. This is most likely a relief valve for them...or a way of screwing the
world a little...
These people are not superheroes.
To say they are great programmers is like saying LEE HARVEY OSWALD was a great
shot.
Yasha
--- msged 1.99S ZTC
* Origin: Bragg IDBS, (82nd - they can kick Iraqs booty) (1:151/305)
Msg#:10874 *Virus Info*
09-11-90 07:06:00 (Read 7 Times)
From: YASHA KIDA
To: SKY RAIDER (Rcvd)
Subj: REPLY TO MSG# 3974 (VIRUS POST ON BBS)
In a message of <08 Sep 90 13:42:35>, Sky Raider (1:255/3) writes:
SR> How about giving me
SR> your system number so I can call and see the finished form (never been
SR> quoted in this manner before).
SR>
SR> A questor of knowledge,
SR>
SR> Sky Raider
SR> Ivan Baird, CET
Sure the Number is 919-867-0754 23.5 hrs a day 7 days a week
300-14,400 baud supported
--- msged 1.99S ZTC
* Origin: Bragg IDBS, (82nd - they can kick Iraqs booty) (1:151/305)
Msg#:11396 *Virus Info*
09-17-90 23:42:00 (Read 6 Times)
From: PHILLIP LAIRD
To: CY WELCH
Subj: REPLY TO MSG# 10870 (RE: JERUSALEM B AND CLEANP64.ZIP)
- * Quoting Cy Welch to Phillip Laird **
>I can answer that. Jerusalem-B will infect an EXE file every
>time it runs. It only infects a COM file once but infects an
>EXE multiple times. Clean has to be run as many times as the
>file is infected to completely clean it out.
Yea, I figured that one out! Thanx for the help....
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#:11397 *Virus Info*
09-17-90 23:46:00 (Read 5 Times)
From: PHILLIP LAIRD
To: ALL
Subj: VIRUS REPORTED IN SHAREWARE FILE
As reported by the Port Arthur Texas Computer Club, there is a file called
Powermenu, Version 5.3 that reportedly carries some type of virus. This file
is supposed to be distributed by a publication named "PC Today". If you have
seen this file, please leave me mail in this echo. I have yet to see the file,
however, I would like to know how widespread the file is.
If you have had any problems with it, please explain that, too or netmail me at
19/49. Thanks.
Phillip Laird [SYSOP]
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#:11399 *Virus Info*
09-18-90 06:32:00 (Read 4 Times)
From: PHILLIP LAIRD
To: ALAN DAWSON
Subj: REPLY TO MSG# 7184 (RE: SCAN WEIRDNESS)
- * Quoting Alan Dawson to Phillip Laird **
>believe in brute-force removal i.e. DEL VIRUS.COM, and re-install.
>
>It's safer that way, and certain (after you check the floppies,
>of
>course).
> - From Thailand, a warm country in more ways than one.
Quite regular, the "DELETE" Disinfection IS the only way to go. After running
cleanup some times, the user of the software complains that some programs do
not work. I just recommend they delete not just the once infected file, but
rather the software package and re-install it. I remember you mentioning that
piracy abounds in Thailand. When I was working in the Middle East a few years
back, I learned you could get a copy of most any software at the Computer
stores. They had diskette copying devices. For 1 Riyal you were in business.
This is another way viruses were spread. Everybody would come in and share
diskettes.
--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)
Msg#:11400 *Virus Info*
09-17-90 18:34:00 (Read 4 Times)
From: PAUL FERGUSON
To: MIKE MCCUNE
Subj: MFV
Well, Mike,
I can tell you this at least....It =will= be included in the next
version of VSUM (due to be released around the 25th or so of the month).
But, it is not even being called by that name at the moment. Perhaps,
someone else (Patrick) will detail this more for you, but at the
moment, it is not a topic for public discussion, obviously.
Greetings from Capitol Hill
-Paul
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:11401 *Virus Info*
09-18-90 06:35:00 (Read 6 Times)
From: PATRICIA HOFFMAN
To: CHRIS BARRETT
Subj: REPLY TO MSG# 10871 (MYSTERY VIRUS??)
CB> At my school we have some XT's with 2 360K FDD each. Lately we have
CB> noticed that some of the students disks are being over written by the
CB> program disk they were using. Eg some people have found the Turbo
CB> pascal files on their data disks.
CB>
This may not be a virus at all, but instead operator error. It is possible
that the students are switching diskettes after opening files, and then
writing the programs back to a different diskette than they originally read from.
Some flavors of DOS will keep the disk directory in memory, and then update it
and write it back to the diskette without checking that it is the correct
diskette.
CB> I brought in a copy of ScanV66 and placed a validation check on the
CB> program disks (Not the data disks). Scanning showed no viruses (well
CB> known ones anyway). But when we scanned them a week later we found some
CB> had had their Boot Blocks altered.
CB>
Are you using ScanV66 or ScanV66B? V66 itself has a bug in it with the
validation codes and was replaced with V66B shortly after release. Also, does
the boot sector (sector 0 on the floppy) have any unusual messages in it, or
does it lack the normal messages which appear at the end of the sector?
CB> In some cases the files on the data disk are just renamed to one on the
CB> program disk. Eg we listed "TURBO.EXE" and found it to contain a
CB> students pascal source code.
CB>
Again, this could be user error described above....
CB> Could someone shed some light please..
CB> I have told the teacher it is most likely home grown and he is sh*tting
CB> himself.
CB>
Those are my guesses, if you want to send one of the affected diskettes, I'd be
happy to take a look at it and see if it contains an unknown virus or one that
Scan can't detect. My mailing address is:
Patricia Hoffman
1556 Halford Avenue #127
Santa Clara, CA 95051
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
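The boot-sector questions in the message above (has sector 0 changed, and does it still end with the normal DOS messages?) can be checked mechanically. The following is an added example, not part of the original messages and not how Scan's validation codes work: it assumes a DOS 3.x-formatted 360K diskette, uses a SHA-256 baseline in place of Scan's validation code, and the sample sector, function names and expected message text are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512

# BIOS Parameter Block values for a standard 360K 5.25" DOS diskette
# (assumption of this example: double-sided, 9 sectors per track, 40 tracks).
EXPECTED_360K = {
    "bytes_per_sector": 512,
    "sectors_per_cluster": 2,
    "reserved_sectors": 1,
    "fat_count": 2,
    "root_entries": 112,
    "total_sectors": 720,
    "media_descriptor": 0xFD,
    "sectors_per_fat": 2,
}

# Text a DOS 3.x boot sector normally carries near its end (assumed wording).
EXPECTED_MESSAGES = ("Non-System disk", "Replace and strike any key")


def parse_bpb(sector):
    """Decode the BPB fields that start at offset 11 of the boot sector."""
    values = struct.unpack_from("<HBHBHHBH", sector, 11)
    return dict(zip(EXPECTED_360K.keys(), values))


def printable_runs(data, min_len=8):
    """Return runs of printable ASCII at least min_len characters long."""
    runs, current = [], bytearray()
    for byte in bytes(data) + b"\x00":      # sentinel flushes the last run
        if 0x20 <= byte < 0x7F:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    return runs


def sector_digest(sector):
    """Baseline value to record while the diskette is known to be clean."""
    return hashlib.sha256(bytes(sector)).hexdigest()


def check_boot_sector(sector, baseline=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[0] not in (0xEB, 0xE9):
        findings.append("no jump instruction at offset 0")
    if bytes(sector[510:512]) != b"\x55\xAA":
        findings.append("missing 55 AA signature at offset 510")
    bpb = parse_bpb(sector)
    for name, want in EXPECTED_360K.items():
        if bpb[name] != want:
            findings.append("BPB %s is %d, expected %d" % (name, bpb[name], want))
    texts = printable_runs(sector[256:510])
    if not any(msg in text for msg in EXPECTED_MESSAGES for text in texts):
        findings.append("expected DOS message text not found near end of sector")
    if baseline is not None and sector_digest(sector) != baseline:
        findings.append("sector differs from recorded baseline")
    return findings


def build_sample_sector():
    """Constructed sample: a minimal DOS-style 360K boot sector (not bootable)."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xEB\x34\x90"                 # short jump + NOP
    s[3:11] = b"IBM  3.3"                    # OEM name field
    struct.pack_into("<HBHBHHBH", s, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    msg = (b"\r\nNon-System disk or disk error"
           b"\r\nReplace and strike any key when ready\r\n")
    s[400:400 + len(msg)] = msg
    s[510:512] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    clean = build_sample_sector()
    baseline = sector_digest(clean)
    altered = bytearray(clean)
    altered[400:472] = bytes(72)             # constructed change: messages wiped
    print("clean  :", check_boot_sector(clean, baseline))
    print("altered:", check_boot_sector(bytes(altered), baseline))
```

A baseline comparison of this kind only means something if the baseline was recorded while the diskette was known to be clean and is stored somewhere the diskette's own contents cannot overwrite.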
Msg#:11402 *Virus Info*
09-18-90 06:47:00 (Read 6 Times)
From: PATRICIA HOFFMAN
To: SATYR DAZE
Subj: REPLY TO MSG# 11401 (RE: MYSTERY VIRUS??)
SD> Sorry to butt in ..... you apparently have been infected by the
SD> Stoner-Marijuana Virus , quite a few people here in Florida myself
SD> included have seen this little beauty.
SD>
His symptoms don't match any known variant of the Stoned Virus.
SD> After disinfecting yourself the damage caused by the virus is
SD> unaltered.
SD> Backup your harddrive and reformat it, after restoring it. Delete and
SD> redo Autoexec.bat and Config.sys they have both also been altered.
SD>
Stoned doesn't alter the AUTOEXEC.BAT or CONFIG.SYS. It infects floppy disk
boot sectors and the hard disk partition table. When it infects, it usually
moves the original boot sector on floppies to another sector which is usually
in the root directory, which results in files being lost if the root directory
had entries in that area. What is suggested, though, is that before
disinfecting Stoned, the user backup his/her data files since in approximately
1 out of 10 cases, the disinfection will result in the partition table being
lost on hard disks....this occurs with some hard disk controllers.
SD> Your Hard Drive should now be back to snuff .... but before I forget run
SD> a utility to mark and lock out bad sectors the Virus may have caused.
SD> These unfortunately are not always recoverable.
SD>
Stoned doesn't cause bad sectors to be created. Two possibilities
here...either the user disinfected after booting from a version of DOS that was
not the same as what he was originally using, or the disk already had the bad
sectors to begin with.
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:11403 *Virus Info*
09-18-90 06:55:00 (Read 6 Times)
From: PATRICIA HOFFMAN
To: SATYR DAZE
Subj: REPLY TO MSG# 10873 (RE: VIRUS SCANNERS....)
SD> Well you can Download a Virus scanner from a reputable BBS -- one that
SD> actually checks all of its files for viruses --- or go out and
SD> purchase a Virus Scanner. Most of the downloadable stuff is by McAfee
SD> Associates, You can purchase Virucide (commercial version) which checks
SD> and disinfects your files, also by McAfee Associates for about $30.00.
SD> Not a bad buy when you consider the consequences of not having a good
SD> scanner.
SD>
ViruCide is marketed by Parsons Technologies. The McAfee product that is sold
directly by McAfee Associates is named Pro-Scan.
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:11404 *Virus Info*
09-19-90 11:53:00 (Read 5 Times)
From: JAMES DICK
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 11403 (RE: VIRUS SCANNERS....)
On Tue, 18 Sep, Patricia Hoffman wrote to Satyr Daze
PH > ViruCide is marketed by Parsons Technologies. The McAfee product
PH > that is sold directly by McAfee Associates is named Pro-Scan.
What are the features and costs of John's Pro-Scan and the ViruCide?
-={ Jim }=-
--- QM v1.00
* Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada
(1:163/118.0)
Msg#:11405 *Virus Info*
09-19-90 06:11:00 (Read 4 Times)
From: PATRICK TOULME
To: MIKE MCCUNE
Subj: REPLY TO MSG# 5887 (RE: MOTHER FISH)
MM> Everybody was talking about the Mother Fish a few weeks ago. Now that
MM> it has been out for more than a week, nobody is saying anything about
MM> it. What's the deal with this virus?
I think the deal is that nobody is really sure what it does, how it
does it, and if the programs that look for it find it all the time. If
a program misses it just once, you'll never be able to get it off a
system.
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:11406 *Virus Info*
09-20-90 08:19:00 (Read 4 Times)
From: RICK THOMA
To: WHOMEVER
Subj: MCRC CHECKER
Some weeks ago, I mentioned a CRC checking utility I DL'd from Compu$erve,
MCRC. I found it in a pile of old floppies. Now, who was interested in seeing
it?
--- FD 2.00
* Origin: Village BBS, Mahopac, NY 914-621-2719 *HST* (1:272/1)
Msg#:11407 *Virus Info*
09-19-90 15:48:00 (Read 5 Times)
From: RON LAUZON
To: GARY MOYER
Subj: REPLY TO MSG# 11404 (RE: VIRUS SCANNERS....)
They are pretty accurate, but remember this: I have been BBS-ing (downloading
a lot) for over 7 years now. I have called BBSs across the US and I have never,
first hand, seen a virus. That right there says something about how much hype
the virus scares are.
Also, remember something about the virus scan programs: They only find *known*
viruses. If someone writes a new virus, you are vulnerable. You might want to
check out something like Flu Shot+ if you want peace of mind.
--- Telegard v2.5i Standard
* Origin: The Flight of the Raven (313)-232-7815 (1:2200/107.0)
Msg#:11408 *Virus Info*
09-20-90 16:13:00 (Read 4 Times)
From: PAUL FERGUSON
To: PATRICIA HOFFMAN
Subj: PROSCAN
Patti...
I realize that this question should probably be directed to
HomeBase and John, but since someone has already brought it up here
within the conference, I'll go ahead and post it =anyway=....
You could you, by chance, the "enhancements" that Pro Scan vs.
ViruScan......What are the differences in performance and
effectiveness? How should (if it is, I don't see how) =shareware=
suffer because of the nature of the beast, so to speak? And, is it at
all? From what I can gather, the majority of funds are drawn from site
licensing.....I would like to be able to rely (as I have) on a
plethora of detection utilities to maintain the constant "drop-net"
within my own systems while making sure that any products that I may
suggest for negotiated license through contacts will =remain= "top of
the line". Pretty shaky forum topic but a dilemma nonetheless.
Awaiting comments from the field ;-)
Salutations from Capitol Hill
-Paul
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:11409 *Virus Info*
09-20-90 20:44:00 (Read 5 Times)
From: SATYR DAZE
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 11402 (RE: MYSTERY VIRUS??)
Hi Patti
He stated that he received a screen message informing him that his
System was Stoned. I might be mistaken, but I'm sure that that is the Stoner-B
virus Signature.
And while I agree that the Stoner Virus is known To attack the Boot Sector and
Partition Table. This is what we saw in our Variant down here. After
disinfecting the system, a backup was made. The Hard Drive was then Reformatted,
but still would not Boot up correctly. It wasn't until the Autoexec and
Config files were deleted that it would.
Oops ... I stand Corrected on Bad Sectors, I meant to run a utility to check
for bad file linkages.
Thanks for your info though, I just wish whoever keeps creating Variants would
turn their obvious Talents to something more useful.
The Satyr Daze
--- TBBS v2.1/NM
* Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2)
Msg#:11410 *Virus Info*
09-20-90 20:54:00 (Read 5 Times)
From: SATYR DAZE
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 11407 (RE: VIRUS SCANNERS....)
Hi Again,
While Parsons Technology may Market it, McAfee Assoc. has the
Software Copyright
--- TBBS v2.1/NM
* Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2)
Msg#:11411 *Virus Info*
09-20-90 18:46:00 (Read 4 Times)
From: JIM HOBBS
To: SATYR DAZE
Subj: REPLY TO MSG# 9641 (RE: ANTI VIRUS VIRUSES)
> But these were never allowed to get beyond that scope, Virus programs were
> never destructive until the "Core Wars". Opposing Programmers would
> create self-replicating programs that when they encountered other
> self-replicators would try to devour them. Incidentally it was called "Core
> Wars" because the game itself took place in Core Memory . These young
> Programmers were actually quite small in number and never publicly
> discussed what they were doing. If any blame is to be attached it should
> be to Ken Thompson who went public with the process in 1983..... at that
> point it was "Discovered" by university students who began creating the real
> nasties ..... Today many strains are just variations of their original work.
I seem to recall that it was pretty well public by, say, 1974. Some operating
systems even had features named after it. I recall it in the singular (Core
War), by the way, but I wasn't taking notes!
--- Dutchie V2.91d
* Origin: Perelandra (1:203/42.386)
Msg#:13385 *Virus Info*
09-29-90 09:01:00 (Read 4 Times)
From: PATRICIA HOFFMAN
To: ALL
Subj: NODELIST PROBLEMS
This is an FYI....If you are trying to poll or send netmail to my system, you
could have a problem if you apply NodeDiff.271 which is being distributed this
weekend. Net 204, of which I am a member of, was inadvertently dropped from
the nodelist with this nodediff. It should be back in place with the following
nodediff.
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:13386 *Virus Info*
09-29-90 09:05:00 (Read 4 Times)
From: PATRICIA HOFFMAN
To: JAMES DICK
Subj: NEW RELEASES DELAYED
JD> Patti, is there any chance of the VSUM???? being formatted with page
JD> breaks at 60 lines/page and after each virus description. And page
JD> numbering and an index would help find the various descriptions.
JD>
Not in the real near term future since almost all of my free time for the last
few months has been used for researching and updating it for new viruses and
variants. I won't be looking at the formatting again until the volume of new
samples being received is lower, there are only so many hours in a day.....
VSUM is purposely distributed as an ASCII file so that it can be used by anyone
regardless of what type of computer they have.
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:13927 *Virus Info*
09-28-90 17:03:00 (Read 5 Times)
From: KEN DORSHIMER
To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 11410 (RE: VIRUS SCANNERS....)
...at a time when Western civilization was declining
too rapidly for comfort, yet too slowly to be very
exciting Tom Smith @ 930/1 was saying:
TS> working directory is removed. I don't know if the few seconds that an
TS> infected COM or EXE exists in the working directory would give it time
TS> to propagate to other files or not; I've never run into an infection,
sounds impossible as the .COM and .EXE files are never actually run. they
can't infect your system if you don't run them.
common misconception. the same idea as if you had a disk with a virus sitting
in a box of disks without viruses. the infected disk can't magically infect
the other disks. fortunately computers aren't people and don't get airborne
viruses. :-)
...space is merely a device to keep everything from being
in the same spot...
--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
Msg#:14132 *Virus Info*
09-24-90 17:50:00 (Read 5 Times)
From: ALAN DAWSON
To: YASHA KIDA
Subj: REPLY TO MSG# 13927 (RE: VIRUS SCANNERS....)
YK> To say they are great programmers is like saying LEE HARVEY
YK> OSWALD was a great shot.
I hear you, Yasha, and I'm not arguing with you. But the fact is that
some of the new, first-generation assembler viruses ARE both
inventive and original programming. Oswald wasn't a great shot; he
was a Marine for goodness sake. It's not SUPPORTING perverts to say
that Hitler was a great leader or that Machiavelli was an original
political thinker-essayist.
YK> * Origin: Bragg IDBS, (82nd - they can kick Iraqs booty)
Boy, THAT takes me back. That's where *I* left CONUS for, um,
"Southeast Asia." 23 years ago. Uh! That hurt. Cheers.
- From Thailand, a warm country in more ways than one.
--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)
Msg#:14133 *Virus Info*
09-29-90 20:31:00 (Read 5 Times)
From: JOHN O'CONNOR
To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 14132 (RE: VIRUS SCANNERS....)
TS> Satyr, watching Shez work in virus scan mode's most interesting.
TS> I don't know if the few seconds that an infected COM or EXE
TS> exists in the working directory would give it time to propagate
TS> to other files or not; I've never run into an infection, yet,
TS> on my home system, although we did hit upon one at work.
At this stage a suspected COM or EXE file is being treated as
DATA, as far as the virus scanner is concerned. It is just
reading the file looking for known virus code.
For a virus to trigger and infect a system, an infected program
must be RUN. Until the CPU is fed virus code as instructions to
run, there is no danger. When scanning for virus code, (within
SHEZ or not) the program with control of the CPU is SCAN.EXE.
It does not test-run suspected programs to check them for virii,
it simply reads them.
JOC
--- via Silver Xpress V2.27 [NR]
* Origin: Sunmap Multline BBS - Brisbane - Australia (3:640/206)
Msg#:14134 *Virus Info*
09-30-90 19:24:00 (Read 4 Times)
From: KEN JONES
To: RON LAUZON
Subj: RE: NARROW VIEW
> In all
> those years, I have never seen a virus. Moreover, I have never
> talked to
> anyone (on the BBSs or face to face) who ever encountered a virus.
> That says
Hmmm.... I thought I could say that a few months ago. I was called into work
early one day because one of the p/c's was acting strange. A scan of the drive
said it had a Jerusalem B virus, 2 days later a friend called and asked what
was the best way of removing the Jerusalem B virus. This was a different system
completely some 40 miles away. Then to top it off 2 sysops in the area called
and left messages on my system that they would be down till they removed, you
got it, the Jerusalem B again. This all took place in less than 5 days. In
those 5 days it poped up in.
San Francisco
Fairfield
Oakland
San Leandro
I left as quick as it hit, I'm sure there were other unknown systems in the
area that had it also, it just seems strange that the small circle I'm involved
with, 4 totally unrelated systems were hit.
The source of the virus is still a mystery, the only thing that was in common
was each system had a file on it called MIRROR. I forgot what the extension
was.
Well that's my 2 cents
--- Telegard v2.5i Standard
* Origin: The Twilight Zone (415)-352-0433 (1:161/88.0)
Msg#:14135 *Virus Info*
09-30-90 16:27:00 (Read 4 Times)
From: TOM PREECE
To: RON LAUZON
Subj: REPLY TO MSG# 14134 (RE: NARROW VIEW)
How prudent can you be? As many others have been, I was infected by commercial
software provided to me by an upright and legitimate computer dealer. Scan
allowed me to survive and thrive. Otherwise I wouldn't be here.
--- TBBS v2.1/NM
* Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)
Msg#:14136 *Virus Info*
10-01-90 18:18:00 (Read 4 Times)
From: TOM PREECE
To: ALL
Subj: VIRUS - TROJANS FOR EVERYONE.
Locally we experienced a trojan that was an exe file compiled by a utility that
converts .bat to .exe files. The file purported to be a means to provide mnp5
performance from an ordinary modem. In fact the compiled bat instructions
destroyed the C: drive.
What bothers me about this is the simplicity with which anybody could do this.
I have the Bat2exec.zip file which performs the conversions. I have not used
it because the majority of my bat files are short fast executing things anyway.
Has anybody else encountered the problem and is there any sort of generic
defense that we might arrange against the generic attack files which may
follow?
--- TBBS v2.1/NM
* Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)
Msg#:14137 *Virus Info*
10-01-90 18:24:00 (Read 4 Times)
From: TOM PREECE
To: KEN JONES
Subj: REPLY TO MSG# 14135 (RE: NARROW VIEW)
Ken, I live in Hayward. I believe my system was infected by a Disk Manager
diskette provided to me by a dealer who admitted that some of his systems were
infected by the jeru B virus.
Naturally he wanted to tell me that I had picked up my infection from a BBS.
Strange to relate, none of the local boards to which I restrict my calling had
this infection.
This dealer was in Sunnyvale. If that raises any suspicions from the list of
boards that you are referring to, why don't you call me voice some evening
before 7:00 (lock up the phone with BBS'ing after that usually) and I'll tell
you the dealer name.
They claim to have dealt with the problem so I don't want to smear them perhaps
inappropriately. My home number is 415-889-0898. My work number if you want
to try (I might not be there) is 415-744-7577.
--- TBBS v2.1/NM
* Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)
Msg#:15496 *Virus Info*
09-22-90 19:32:00 (Read 4 Times)
From: PAUL FERGUSON
To: RON LAUZON
Subj: REPLY TO MSG# 14137 (NARROW VIEW)
Ron,
With all due respect, my friend...if you continue along with the
narrow frame of mind that you seem so intent on inflicting upon others,
then we all should take heed. For the reason that =you= have never been
confronted with any viral types is certainly no reason to make light of
the situation (you're in the wrong conference for that). You'd be quite
surprised just how many that I've run across just within my clients and
our audit sites alone....simply mind boggling what the average user can
pick up along the way. You obviously seem to be in =no= position to be
suggesting =any= Anti Viral detection/removal utilities that you have not
=personally= tried yourself, and I think that we all would benefit from
any such conjecture from anyone who has not personally been inflicted
by the scourge. I do not know what locale that you are dealing with,
but here in the nation's capital, we seem to be constantly a target for
malcontents. Cheers, Ron.....No harm intended, just fact....
Salutations from Capitol Hill
-Paul
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:15497 *Virus Info*
09-23-90 12:20:00 (Read 4 Times)
From: SATYR DAZE
To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 14133 (RE: VIRUS SCANNERS....)
While I've heard of "it", I haven't actually seen it yet. Does it work on all
types of File-Compression files? You said it uncompresses it to a working
Directory; is this before or after it checks it out? If before then what is the
benefit, or does it load these files into memory some how ???
The Satyr
--- TBBS v2.1/NM
* Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 (1:135/2)
Msg#:15503 *Virus Info*
09-23-90 07:14:00 (Read 6 Times)
From: PATRICIA HOFFMAN
To: SATYR DAZE
Subj: REPLY TO MSG# 11409 (RE: MYSTERY VIRUS??)
SD> He stated that he received a screen message informing him that
SD> his System was Stoned. I might be mistaken, but I'm sure that that is
SD> the Stoner-B virus Signature.
Hmmm....the message when it got here didn't have anything in it saying it
displayed a message on boot, just that they found that the boot sector had been
altered somehow after a week of noticing the problems.
SD>
SD> And while I agree that the Stoner Virus is known To attack the Boot
SD> Sector and Partition Table. This is what we saw in our Variant down
SD> here. After disinfecting the system, a backup was made. The Hard Drive
SD> was then Reformatted, but still would not Boot up correctly. It wasn't
SD> until the Autoexec and Config files were deleted that it would.
SD>
SD> Oops ... I stand Corrected on Bad Sectors, I meant to run a utility to
SD> check for bad file linkages.
SD>
Did you by any chance low-level format the drive, or just do a regular format?
Also, when you disinfected, are you sure you used the same version of DOS to
boot from before disinfecting?
SD> Thanks for your info though, I just wish whoever keeps creating
SD> Variants would turn their obvious Talents to something more useful.
SD>
You aren't the only one....
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:15504 *Virus Info*
09-23-90 07:23:00 (Read 5 Times)
From: PATRICIA HOFFMAN
To: SATYR DAZE
Subj: REPLY TO MSG# 15497 (RE: VIRUS SCANNERS....)
SD> While Parsons Technology may Market it, McAfee Assoc. has
SD> the Software Copyright
True...and I've already indicated that ViruCide is essentially the McAfee
Associates' Pro-Scan product with a different name since it is licensed to and
marketed by Parsons Technology. The reason I brought up the point was that if
someone wants to buy this product, they need to contact Parsons Technology. If
they contact McAfee Associates, they will get referred to Parsons....same with
upgrades, etc.
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:15505 *Virus Info*
09-23-90 07:30:00 (Read 5 Times)
From: PATRICIA HOFFMAN
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 9382 (RE: VIRUS AT LAMAR)
PL> The best cleanup for a virus however, is the Delete command to delete
PL> the infected files. If the partition table was affected, then it
PL> could be the Stoned II virus that got him. How about having this
PL> gentleman to call me voice and see what I can do to help him.
PL>
Very good advice! There are a lot of files that won't disinfect correctly,
such as programs that use internal overlays, or files that have the length set
in the .EXE header incorrectly to begin with....so running a disinfector can
result in the infected file not working correctly after disinfection. The only
saving grace is that the program probably didn't run correctly before
disinfection either since in the case of files with internal overlays, the
virus would have overlayed part of the program. Also, disinfectors typically
can only disinfect the more common viruses since they account for 90%+ of all
infections, or new viruses which are thought will be a future problem due to
their characteristics. If you are unlucky enough to get a rare virus, then you
would have to replace all the programs.
The only advice I would add is if someone is infected with any of the viruses
which infect the partition table, they should backup critical data files they
can't afford to lose before attempting to disinfect the system. There are
some combinations of DOS/BIOS/Hardware which, when disinfected, can result in
the hard drive becoming inaccessible (happens in about 10% of the Stoned/Stoned
II cases).
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:15506 *Virus Info*
09-23-90 07:37:00 (Read 5 Times)
From: PATRICIA HOFFMAN
To: ALL
Subj: REPLY TO MSG# 13386 (NEW RELEASES DELAYED)
The next release of the McAfee Associates programs scheduled for September 25
has been rescheduled to October 2 or 3, according to the call I received
yesterday from McAfee himself. The delay is to allow them to complete some
addition of new features to the programs. If you call Homebase to pick up these
programs, hold off until the 3rd so that you don't have an unneeded
long-distance call....
Due to illness and having one of my two test machines having intermittent
hardware problems, I'm going to be also delaying the release of the new version
of the Virus Information Summary List until October 2 or 3 as well. The
additional week in there is to make sure the Whale virus makes it into the new
version of the listing, as well as insuring that almost (if not) all of the new
viruses and variants I've received are included. The October 2 or 3 release
will be VSUM9009.Zip, there will still be an October release which is scheduled
for late October though they will be just two or three weeks apart. The
October release will also include another new "section" to the list that
several people have indicated they thought would be useful.... <grin>....more
about that right before the release date.
Hopefully, this message will allow some of the non-Silicon Valley users of the
McAfee programs and my listing to avoid long-distance charges if picking up new
releases is their primary reason to place the calls....
Patti
--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
Msg#:15507 *Virus Info*
09-23-90 09:57:00 (Read 4 Times)
From: BEN SAMMAN
To: ALL
Subj: QUICK QUESTION.
I just got my system trashed twice..by the same bug if it is one..or if it's
hardware...
What it does is it causes the drive(hard drive mind you) light to flash on and
off intermittently with intervals of 1 second...the hard drive becomes
unusable till midnight the next day...
Has there been other reports of such a virus?
--- Telegard v2.5i Standard
* Origin: The Twilight Zone (415)-352-0433 (1:161/88.0)
Msg#:15508 *Virus Info*
09-22-90 09:24:00 (Read 4 Times)
From: PAUL LOEBER
To: RON LAUZON
Subj: REPLY TO MSG# 15504 (RE: VIRUS SCANNERS....)
- * Quoting Ron Lauzon to Gary Moyer **
>They are pretty accurate, but remember this: I have been BBS-ing
>(downloading a lot) for over 7 years now. I have called BBSs
>across the US and I have never, first hand, seen a virus.
>That right there says something about how much hype the virus
>scares are.
I used to say that, too. In fact, I used almost the same, exact words.
However, recently almost all of the PC's at the college where I teach
information systems got the Stoner virus. Since I have students turn in
disks as homework, had I not taken the appropriate precautions, my machine
would have become "stoned" as well. Currently, several of my users who work
for Ford have "caught" the Joshi (sp?) virus and have been on my board
looking for the "cure". I no longer have a cavalier attitude when it comes
to viruses.
--- TAGMAIL v2.30
* Origin: Downriver Download (1:120/137)
Msg#:15509 *Virus Info*
09-25-90 10:47:00 (Read 4 Times)
From: SCOTT HOWELL
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 15506 (RE: NEW RELEASES DELAYED)
>To: All
>
>version of the Virus Information Summary List until October 2 or 3 as well.
>The additional week in there is to make sure the Whale virus makes it into
>the new version of the listing, as well as insuring that almost (if not)
>all of the new viruses and variants I've received are included. The
>October 2 or 3 release will be VSUM9009.Zip, there will still be an October
>release which is scheduled for late October though they will be just two or
>three weeks apart. The October release will also include another new
>"section" to the list that several people have indicated they thought would
>be useful.... <grin>....more about that right before the release date.
If this list is available via file request I would be most interested in
picking a copy up from you when it is made available. I am always trying to
keep my users up to date with the latest scan utils and virus listings. Any
help would be very much so appreciated.
Scott Howell
--- SLMAIL v1.36M (#0264)
* Origin: Foundation BBS * College Park, MD * (109:109/521)
Msg#:15510 *Virus Info*
09-25-90 19:03:00 (Read 4 Times)
From: TONY JOHNSON
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2896 (COMMUNICATION VIRALS)
PH> I believe one of them is Prodigy, which requires their software to be
PH> running on your system in order for you to be able to access them.
QLINK is another service of which you MUST run their software in order to take
part in the service. Another cute thing about it is that only Commodore
systems can use the stuff. (QLink.... Quantum Link)
--- QM v1.00
* Origin: The 286 Express (504-282-5817) (1:396/30.0)
Msg#:17267 *Virus Info*
09-27-90 14:22:00 (Read 4 Times)
From: RICK THOMA
To: PAUL FERGUSON
Subj: REPLY TO MSG# 9640 (MCRC)
> I'm always interested in anything that may be of =some= value
> to the computing community...
Let me give you a quick rundown. The file is about a year and a half old,
and claims to use some proprietary CRC mechanism. I'll zip it up as
"MCRC.ZIP", and you may request it by the time this message reaches you. I
would imagine the docs tell you how to get in touch with the author for an
updated version.
--- FD 2.00
* Origin: Village BBS, Mahopac, NY 914-621-2719 *HST* (1:272/1)
Msg#:17268 *Virus Info*
09-27-90 07:59:00 (Read 4 Times)
From: JAMES DICK
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 15509 (NEW RELEASES DELAYED)
On Sun, 23 Sep, Patricia Hoffman wrote to All
PH > intermittent hardware problems, I'm going to be also delaying the
PH > release of the new version of the Virus Information Summary List until
PH > October 2 or 3 as well. The additional week in there is to make sure
Patti, is there any chance of the VSUM???? being formatted with page breaks at
60 lines/page and after each virus description? And page numbering and an
index would help find the various descriptions.
-={ Jim }=-
--- QM v1.00
* Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada (1:163/118.0)
Msg#:17756 *Virus Info*
10-01-90 02:24:00 (Read 4 Times)
From: REINHARDT MUELLER
To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 15508 (VIRUS SCANNERS....)
In a message to Satyr Daze <26 Sep 90 23:15:00> Tom Smith @ 930/1 wrote:
TS> The routine is this: 1) You select, from Shez's file
TS> listing, the archive you want to check. 2) Shez examines the archive,
TS> finds the EXE and COM files, and, automatically, selects the proper
TS> archiving program to use in uncompressing them. 3) The COM and EXE
TS> files are unpacked into a working directory automatically created by
TS> Shez, called Z#, when it first fires up. 4) SCAN is started, with
TS> the file names passed to it by Shez, which then looks into the working
TS> directory and checks the specified files for viruses. 5) After
TS> SCAN finishes, Shez deletes the files. 6) When Shez is exited,
TS> the working directory is removed.
NO!! Your system won't get infected unless you RUN one of those
infected .COM or .EXE files. A virus can only do its thing
if it is executed. Reading it isn't enough.
--- [MicrStar] via TComm XRS 3.1
* Origin: Loose as a goose, boys! Here we go! <patooie!> (TComm 1:343/17.1)
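Added example (not part of the original messages, and not Shez or SCAN code): the point made in this thread by John O'Connor and Reinhardt Mueller, that a scanner only reads COM and EXE files as data, applied to the archive routine Tom Smith describes. It assumes a ZIP archive and uses Python's zipfile module in place of an external archiver; the signature table, member names and function names are constructed for the demo.

```python
import io
import zipfile

# Constructed signature table: name -> byte pattern. These are made-up
# markers for the demo, not signatures of any real virus.
SIGNATURES = {
    "DEMO-A (constructed)": bytes.fromhex("de c0 ad 0b 5c a9 90 90"),
    "DEMO-B (constructed)": b"\xEB\xFEDEMO-SIG\x00",
}
EXECUTABLE_EXTS = (".COM", ".EXE")


def scan_bytes(data):
    """Return sorted (signature name, offset) hits. `data` is only searched, never run."""
    hits = []
    for name, pattern in SIGNATURES.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return sorted(hits)


def scan_archive(archive_bytes):
    """Scan the COM/EXE members of a ZIP held in memory; map member name -> hits."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.upper().endswith(EXECUTABLE_EXTS):
                continue
            # zf.read() decompresses into a bytes object: nothing is written
            # to disk and nothing is handed to the OS loader.
            report[info.filename] = scan_bytes(zf.read(info))
    return report


def build_sample_archive():
    """Constructed test archive: one clean program, one carrying DEMO-A, one text file."""
    clean = b"MZ" + b"\x90" * 64
    tainted = b"\xE9\x10\x00" + b"\x00" * 13 + SIGNATURES["DEMO-A (constructed)"] + b"\xC3"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CLEAN.EXE", clean)
        zf.writestr("GAME.COM", tainted)
        zf.writestr("README.TXT", SIGNATURES["DEMO-B (constructed)"])
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_archive(build_sample_archive()).items():
        print(member, hits or "clean")
```

README.TXT carries a pattern but is never reported, because only COM and EXE members are selected for scanning, as in step 2 of the routine quoted above.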
Msg#:17757 *Virus Info*
10-02-90 22:47:00 (Read 4 Times)
From: PHILLIP LAIRD
To: KEN JONES
Subj: REPLY TO MSG# 15496 (RE: NARROW VIEW)
Same problem in this area. Strange, but there are about three strains at the
University I work at. From the Business Computer Lab, Pakistani Brain is
spread, from the Computer Science Lab, Stoned and Stoned II is spread, from the
Engineering Lab, it is Jerusalem B and the Library PC Lab - ALL of the Above!
Why does it happen like that? Hmmm..... I suppose this might tell us something
about targeted groups if there was such a plan....
--- TAGMAIL v2.40
* Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49)
Msg#:17759 *Virus Info*
10-02-90 14:37:00 (Read 4 Times)
From: KEN JONES
To: TOM PREECE
Subj: REPLY TO MSG# 17757 (RE: NARROW VIEW)
The p/c out at work has a very narrow range of users, it's totally menu driven
and on the most part, locked up. Via software and the key [wow someone really
does use it]. Of the few users that do use it, one of them attends a junior
college in the west bay. We're pretty sure he was the source of the infected
file, but really no one will ever know for sure. I guess it could be
possible to have a known source like you said. It seems really odd that they
would come out and openly admit something like that. I guess on one hand they
are trying to be the totally honest dealer, but on the other it looks like
they are cutting their own throat on credibility
--- Telegard v2.5i Standard
* Origin: The Twilight Zone (415)-352-0433 (1:161/88.0)
Msg#:17760 *Virus Info*
09-30-90 15:57:00 (Read 4 Times)
From: MIKE MCCUNE
To: ORI BERGER
Subj: DETECTING STEALTH VIRUSES
In a message on September 7 to Patrick Toulme you wrote...
>However, the 4096 is still lurking in thousands of
>computers in Israel and is causing major problems. Due to lack of widely
>available detection/removal programs, when a virus hits Israel, it stays
>there, especially when it is as "invisible" as the 4096.
Here is a simple detection program that will detect the 4096 while it is
in memory. It will not become infected by the 4096 (the 4096 thinks the
file is already infected). I wrote it for the shareware A86, but it should
assemble with MASM, TASM or WASM with few modifications.
ADD [BX+SI],AL
ADD [BX+SI],AL
ADD [BX+SI],AL
MOV AX,3521h
INT 21h
ES:
CMP B[BX],0EAh
JE FOUND
MOV AH,9h
LEA DX,NOT_FOUND_MESSAGE
INT 21h
INT 20h
NOT_FOUND_MESSAGE:
DB 'Stealth Virus not found in memory