💾 Archived View for spam.works › mirrors › textfiles › virus › vi900906.txt captured on 2023-06-16 at 21:05:12.

View Raw

More Information

-=-=-=-=-=-=-

Msg#: 2473 *Virus Info*
08-19-90 09:46:00 (Read 11 Times)
From: PATRICIA HOFFMAN
  To: KEN DORSHIMER
Subj: RE: CRC CHECKING
 <KD>the deal is that the invading program would have to know how the CRC 
 <KD>your
 <KD>program uses works. otherwise it would have a (bytes changed!/bytes in 
 <KD>file!)
 <KD>chance of succeeding, or somewhere in that neighborhood...
 <KD>

Except in the case of Stealth Viruses....CRC checking doesn't work with them.

Patti
 

--- msged 1.99S ZTC
 * Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158)




Msg#: 2474 *Virus Info*
08-19-90 09:50:00 (Read 9 Times)
From: PATRICIA HOFFMAN
  To: SHEA TISDALE
Subj: FILE ECHO?
 <ST>Hey, what happened to connecting my system to the file echo?
 <ST>
 <ST>I have sent numerous netmail messages to you since you sent the info 
 <ST>on setting it up and have not had a reply yet.

Recheck your netmail, I sent a reply after receiving the message "What is 
Tick?" indicating that you need to be running Tick in order to be able to 
participate in the file echo since that is how the files are processed and 
extra files go with the .zip files that carry the description.  Tick is 
available from most SDS nodes.

Patti
 

--- msged 1.99S ZTC
 * Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158)




Msg#: 2475 *Virus Info*
08-16-90 11:56:00 (Read 8 Times)
From: MIKE DURKIN
  To: WARREN ANDERSON
Subj: RE: INTERNET WORM
> I am interested in obtaining the list of passwords used by the
> Internet worm in the US. I am the administrator of several

The list is in the McAfee/Haynes book ("computer viruses,
worms...threats to your system") (pgs 89-91)...
I'll type it in for you if you can't find the book locally...

     Mike

--- RBBSMail 17.3A
 * Origin: The TeleSoft RBBS (RBBS 1:143/204)




Msg#: 2476 *Virus Info*
08-19-90 14:51:00 (Read 9 Times)
From: MIKE DURKIN
  To: JAMES DICK
Subj: REPLY TO MSG# 2473 (RE: CRC CHECKING)
> You might want to take a look at McAfee's FSHLD*.ZIP.   This is a new
> anti-virus program from the creator of SCAN that is designed
> specifically for developers.   It will build a 'shield' into an
> application such that the application _cannot_ be infected and if it
> does become infected, will remove that infection after execution but
> prior to running. You will find it in the virus scanners area of many
 
Jim... this is a little mis-leading... all programs will become infected 
but FSHLD will remove it for most viruses.. for viruses like 4096, FSHLD 
won't remove or even know/announce that the file is infected...
 
When FSHLD can remove a virus, 'after execution but before running' 
really makes no difference since a resident virus will still go TSR and 
a direct action virus will still do it's infecting of other programs...
 
But all things considered...  I definately agree that FSHLD is a must 
have...
 
      Mike

--- RBBSMail 17.3A
 * Origin: The TeleSoft RBBS (RBBS 1:143/204)




Msg#: 2477 *Virus Info*
08-20-90 04:44:00 (Read 8 Times)
From: KEN DORSHIMER
  To: PATRICIA HOFFMAN
Subj: RE: SCANV66B RELEASED

 On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said:

 <KD>>does this mean i should erase the old scanv66 that i just d/l'd from
 <KD>>SDN?
 <KD>>:-(
 <KD>>

 PH> Yep, ScanV66 has a bug or two in it involving the validate codes it
 PH> can add to the end of files.  The validate codes were not being
 PH> calculated correctly in
 PH>

swell. think i'll wait for the next release.
ps, you have net-mail waiting. :-) BTW why on earth would anyone take time
off from a disneyland vacation to call a bbs? <grin>
 ...Your attorney is in the mail...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 2478 *Virus Info*
08-20-90 04:46:00 (Read 9 Times)
From: KEN DORSHIMER
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2476 (RE: CRC CHECKING)

 On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said:

 <KD>>the deal is that the invading program would have to know how the CRC
 <KD>>your
 <KD>>program uses works. otherwise it would have a (bytes changed!/bytes in
 <KD>>file!)
 <KD>>chance of succeeding, or somewhere in that neighborhood...
 <KD>>

 PH> Except in the case of Stealth Viruses....CRC checking doesn't work
 PH> with them.
 PH>

i'd have to see that for myself. i think a complex enough algorithm would
keep them at bay. the probability factor is just too low for such a stealth
scheme to work.

 ...Your attorney is in the mail...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 2479 *Virus Info*
08-20-90 04:50:00 (Read 9 Times)
From: KEN DORSHIMER
  To: MIKE DURKIN
Subj: REPLY TO MSG# 2478 (RE: CRC CHECKING)

 On 19-Aug-90 with bulging eyes and flailing arms Mike Durkin said:

 >> You might want to take a look at McAfee's FSHLD*.ZIP.   This is a new
 >> anti-virus program from the creator of SCAN that is designed
 >> specifically for developers.   It will build a 'shield' into an
 >> application such that the application _cannot_ be infected and if it
 >> does become infected, will remove that infection after execution but
 >> prior to running. You will find it in the virus scanners area of many
 MD> Jim... this is a little mis-leading... all programs will become
 MD> infected but FSHLD will remove it for most viruses.. for viruses like
 MD> 4096, FSHLD won't remove or even know/announce that the file is
 MD> infected... When FSHLD can remove a virus, 'after execution but before

i have some misgivings about this particular protection scheme myself. i
don't like embedding someone else's stuff into my executables, partly for
licensing reasons. not to knock what is probably a good idea...


 ...Your attorney is in the mail...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 2653 *Virus Info*
08-20-90 17:09:00 (Read 10 Times)
From: TALLEY RAGAN
  To: MIKE MCCUNE
Subj: RE: REMOVING JOSHI


In a message to Philip Laird <08-16-90 14:09> Mike Mccune wrote:

MM>> Just be sure to boot off a clean diskette to remove the
MM>>virus from memory, otherwise the virus will not be removed.
MM>> If RMJOSHI is used on an unifected hard drive, it will
MM>>destroy the partition table. This next program, RETURN.COM
MM>>will restore the partition table.
MM>> I will post this program in my next listing...<MM>.

        Does this mean that RMJOSHI.COM, if run on an uninfected hard
drive by it self is a virus?




                Talley




--- ZAFFER v1.01
--- QuickBBS 2.64 [Reg] Qecho ver 2.62
 * Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9)




Msg#: 2654 *Virus Info*
08-21-90 09:32:00 (Read 10 Times)
From: PATRICK TOULME
  To: MIKE MCCUNE
Subj: RE: HAVE ANYONE TRIED SECURE ?
 
MM> I have tried Secure and have found it to be the only interrupt moniter
MM> that will stop all the known viruses.                         
 
  Mike perhaps you should add a caveat to that statement.  Secure
neither detects, nor does it stop, Virus-101.


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2655 *Virus Info*
08-21-90 12:11:00 (Read 8 Times)
From: PAUL FERGUSON
  To: HERB BROWN
Subj: KEYBOARD REMAPPING (AGAIN)...
Herb,
      I stand corrected on that last bit of dialogue....You are
correct, indeed.....But, you know what I mean along those lines of
getting what you don't expect, whether damaging or not, NO ONE wants
the unexpected on thier system.....Touche!
-Paul ^@@^........


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2656 *Virus Info*
08-21-90 22:29:00 (Read 10 Times)
From: PATRICIA HOFFMAN
  To: YASHA KIDA
Subj: AKA AND BBS HANDLES
 YK> What is the rule in this message echo concerning BBS HANDLES?
 YK> Would like some clarification,  I have users expressing interest in 
 YK> using bbs handles in this echo, since they are seeing them used .
 YK> As you can see I have not allowed this, feeling this echo to be 
 YK> professial in nature. 
 YK> 
 YK> I understand the use of AKA names in this echo maybe needed.
 YK> 
 YK> Example :
 YK> After my SITE Manager saw my interest in viruses, I was called in to 
 YK> his office.  After explaining my reseach, was to protect not to infect, 
 YK> he relaxed.
 YK> 

[Note: the above quote is muchly editted....]

Yasha, Aliases are ok in this echo, as long as the Sysop of the system where 
the messages originate knows who the user is and can contact him if the need 
arrises.  I fully understand the sitation that you describe about your Site 
Manager...which is a fully valid reason to use an alias here.  I used to use 
the alias of "Merry Hughes" for exactly that reason!

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2657 *Virus Info*
08-21-90 22:32:00 (Read 9 Times)
From: PATRICIA HOFFMAN
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 2477 (RE: SCANV66B RELEASED)
 KD> swell. think i'll wait for the next release.
 KD> ps, you have net-mail waiting. :-) BTW why on earth would anyone take 
 KD> time
 KD> off from a disneyland vacation to call a bbs? <grin>

<laughing>  I was eating dinner or lunch while entering those messages, then we
went back to Dizzyland and Knott's.  Besides, I had to see what you guys were 
up to while I was gone.....Mom instinct....what can I say?

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2658 *Virus Info*
08-22-90 18:21:00 (Read 8 Times)
From: HERB BROWN
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 2655 (KEYBOARD REMAPPING (AGAIN)...)
With a sharp eye <Aug 21 12:11>, Paul Ferguson (1:204/869) noted:
 PF>Herb,
 PF>      I stand corrected on that last bit of dialogue....You are
 PF>correct, indeed.....But, you know what I mean along those lines of
 PF>getting what you don't expect, whether damaging or not, NO ONE wants
 PF>the unexpected on thier system.....Touche!
 PF>-Paul ^@@^........

I knew what you meant.  Glad to know you do too. :-) ( No flame intended )


--- QM v1.00
 * Origin: Delta Point (1:396/5.11)




Msg#: 2659 *Virus Info*
08-22-90 05:37:00 (Read 8 Times)
From: KEN DORSHIMER
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2657 (RE: SCANV66B RELEASED)

 On 21-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said:

 KD>> swell. think i'll wait for the next release.
 KD>> ps, you have net-mail waiting. :-) BTW why on earth would anyone take
 KD>> time
 KD>> off from a disneyland vacation to call a bbs? <grin>

 PH> <laughing>  I was eating dinner or lunch while entering those
 PH> messages, then we went back to Dizzyland and Knott's.  Besides, I had
 PH> to see what you guys were up to while I was gone.....Mom
 PH> instinct....what can I say?
 PH>

did you go on the roller coaster at Knotts that looks like a corkscrew? my
personal favorite after a big dinner. <erp!>
in other news there was a report <<unconfirmed>> that there is a hack of
lharc floating around called lharc190. might want to keep an eyeball open for
it. what am i doing up at this hour? just got thru writting the docs for a
program <yawn>. as usual, the program looks better than the docs. have fun,
see ya.

 ...All of my dreams are in COBOL...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 2660 *Virus Info*
08-20-90 15:40:00 (Read 9 Times)
From: RON LAUZON
  To: PAUL FERGUSON
Subj: RE: KEYBOARD REMAPPING....
yes, it is possible to re-map the keyboard from a remote system.  However, most
people are protected by this because the term program rather than ANSI.SYS is 
handling the ANSI escape sequences.

If you are using a "dumb" terminal that has no terminal emulation and allowing 
ANSI.SYS to handle your screen formatting, you may be in trouble.

--- Telegard v2.5i Standard
 * Origin: The Flight of the Raven (313)-232-7815 (1:2200/107.0)




Msg#: 2661 *Virus Info*
08-21-90 20:29:00 (Read 8 Times)
From: MARTIN NICHOL
  To: MICHAEL TUNN
Subj: WHAT'S THE SOLUTION?
mt said => It seems to me our Virus checking programs will just
mt said => get bigger and bigger as more viruses and strains of
mt said => the same viruses are discovered. If so (and if their
mt said => development is excelerating) then we may find in the
mt said => near future that it has become impossiable to deal
mt said => with the outbreaks!
mt said => Do we do develop new Operating Systems which are far
mt said => more secure!

Develope different virus scanning programs.  Make them more generic where virus
signatures/characteristics can be kept in a seperate file and the virus scanner
just reads the file and interprets it accordingly.  
 
--- 
 * Origin: JoJac BBS - (416) 841-3701. HST  Kettleby, ON (1:250/910)




Msg#: 2683 *Virus Info*
08-22-90 22:55:00 (Read 8 Times)
From: FRED ENNIS
  To: ALL
Subj: VIRUS-486COMP.*

FORWARDED BY James Dick of 1:163/118

QUOTE ON

I've been informed by "reliable sources" that there's a file floating around
called 486COMP.* (select your favourite packing method) which claims to "show 
you the difference between your machine and a 486".
.
When run, the program flashes a "too big for memory" message, and aborts.
.
Then, the next time you boot, you're informed that you have the "Leprosy 1.00" 
virus which then hangs the machine.
.
After you manage to boot from a floppy, you find that COMMAND.COM has been 
altered, although the date, time, and size appear not to have been changed.

Just thought you'd like to know.

Cheers!
Fred


--- msged 1.99S ZTC
 * Origin: Page Six, POINT of order Mr. Speaker  (1:163/115.5)




Msg#: 2684 *Virus Info*
08-22-90 11:07:00 (Read 8 Times)
From: SHEA TISDALE
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2474 (FILE ECHO?)
Thanks Patricia...

I am all ready to go now.  Just poll your board?  
 
--- 
 * Origin:  >- c y n o s u r e -<  919-929-5153  <XRS> <HST> (1:151/501)




Msg#: 2685 *Virus Info*
08-20-90 21:50:00 (Read 9 Times)
From: TOM PREECE
  To: PAUL FERGUSON
Subj: RE: KEYBOARD REMAPPING VIA COMMUNICA
I can't help but wonder if Herb was experiencing something that suggested that 
kind of remapping.  Lately I have been experiencing keyboard problems that seem
to act like that.  When I use my down or left arrow the \ and | symbols toggle.
I can correct this when it happens by hitting the left hand shift key - but not
the right.  And tonight it seems as if I am occaissionaly transposing caps on 
and off. 
 
If either of you hears a  virus like this I'd like to know.  Q&A tested my 
memory and keyboard fine.  Scanv66 detected nothing.
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#: 2738 *Virus Info*
08-23-90 23:49:00 (Read 7 Times)
From: PHILLIP LAIRD
  To: PATRICIA HOFFMAN
Subj: ONTARIO VIRUS
Patty, have you heard of such a Virus?  I was in the TAG Support Echo and saw
a message about a TAG Sysop who contracted that virus.  Any Info?  Supposedly 
the Virus is scanned in version SCANV66.ZIP.

???? 

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 2739 *Virus Info*
08-22-90 12:55:00 (Read 7 Times)
From: PAUL FERGUSON
  To: EVERYONE
Subj: MOM!
Patti-
    Mom, huh?...What can you say?..It seems it has already been said!
 
-Paul <wide grin on this one>


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2740 *Virus Info*
08-23-90 12:06:00 (Read 8 Times)
From: PAUL FERGUSON
  To: TOM PREECE
Subj: REMAPPING...
Hello, Tom...
.
      More than likely there was nothing like that at all. Keyboard
remapping is an extremely complicated process and would take more than
forethought on the part of the programmer. What you have seen us
talking about here is figurative at best and personally, I would have
to see it to believe it. (you know the old saying: "Believe none of
what you hear and only half of of what you see."?) Although I do
believe that is quite possible under the proper circumstances, it would
indeed be a rare occurance. Sometimes when receiving odd characters
during telecommunications or not getting the exact same keys that you
typed could be attributed to disparity (parity differences), differing
data bits, stop bits, or even simply ANSI interpretation problems
between Comm Programs. I've seen the smallest, simplest things like
that have people pulling their hair out by the roots!
.
.....Clarke's Third Law
     Any sufficiently advanced technology is indistinguishable from
     magic.
.
.
       -Paul   ^@@^........


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2741 *Virus Info*
08-17-90 01:51:00 (Read 8 Times)
From: YEN-ZON CHAI
  To: DOUG BAGGETT
Subj: ANTI VIRUS VIRUSES
 DB> well..here is a question..where exactly did viruses originate
 DB> anyway..was it in this country or others?

Probably where hacker exists, virus exists.




--- outGATE v2.10 
 # Origin: SIGnet International GateHost (8:7501/103)
 * Origin: Network Echogate (1:129/34)




Msg#: 2742 *Virus Info*
08-22-90 17:49:00 (Read 8 Times)
From: KEVIN HIGGINS
  To: MIKE MCCUNE
Subj: REPLY TO MSG# 2654 (RE: HAVE ANYONE TRIED SECURE ?)
    I took a look at it, but to be realistic, when you run a BBS, or are 
continuously updating your files as new releases come out, you could easily get
to the point where you spend more time reconfiguring the anti-virus program 
than you would getting any work done. I find it much more efficient to scan 
every file for viruses as soon as I get it on my system, then rezip it, if I'm 
not going to use it... a simple .bat file can be used such that if you want to 
check multiple files, you can just feed the file names on the command line and 
let the .bat file take care of unzipping, scanning and rezipping the file.
    Be best if someone would write a program that would do this, but I haven't 
found one yet.
                                  Kevin

--- TAGMAIL v2.40.02 Beta
 * Origin: The Hornet's Nest BBS (1:128/74)




Msg#: 2743 *Virus Info*
08-22-90 21:52:00 (Read 8 Times)
From: CY WELCH
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 2660 (KEYBOARD REMAPPING....)
In a message to Everyone <16 Aug 90  6:32:00> Paul Ferguson wrote:

 PF> Isn't it possible to remap some (or any) keyboard functions via
 PF> communications with some funky ANSI control characters?....I seem to
 PF> remember mention of this somewhere.....I really can't remember if was
 PF> in the form of a question, though, or an answer.....It also made
 PF> mention of PKWares' Safe-ANSI program...Somebody help us out here...

I think most of the "FAST" ansi replacements do not have the keyboard remapping
so that danger is removed in those cases.

--- XRS! 3.40+
 * Origin: Former QuickBBS Beta Team Member (99:9402/1.1) (Quick 1:125/122.1)




Msg#: 2744 *Virus Info*
08-24-90 15:14:00 (Read 8 Times)
From: PATRICIA HOFFMAN
  To: ALL
Subj: VIRUS RESCUE & F-PROT RELEASES
The latest version of Fridrik Skulason's F-PROT anti-viral program is now 
available for download from my system as FPROT112.ZIP.  The program can also be
file requested as F-PROT, which will always return the latest copy I have 
available.  This program is actually a "suite" of programs for use in 
preventing and detecting viruses and trojans.  The program originates in 
Iceland, and so updates to it reaching my system for distribution have been 
rather sporatic.  

The other new anti-viral program available on my system is Virus Rescue.  Virus
Rescue is from Tacoma Software, and is a shell for invoking ViruScan, CleanUp, 
and VCopy from McAfee Associates.  Unlike other shell programs I've seen, this 
one should not require updates every time a new release of Scan comes out.  It 
picks up its virus information from the VIRLIST.TXT file which is packaged with
Scan and CleanUp.  It will be handy for those who have trouble with the Scan 
and CleanUp command line switches, or who want the VIRLIST.TXT information 
converted to english sentences.  This is a first public release, so I expect we
may see some changes in this product in the future.  Virus Rescue can be 
downloaded from my system as RESQ01.ZIP.

Both programs are also file requestable by other systems.  File requests should
ask for magic file names as follows:

        F-PROT for the latest copy of F-PROT (currently FPROT112.ZIP)
        RESCUE for the latest version of Virus Rescue

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2745 *Virus Info*
08-24-90 23:37:00 (Read 9 Times)
From: KEN DORSHIMER
  To: KEVIN HIGGINS
Subj: REPLY TO MSG# 2742 (RE: HAVE ANYONE TRIED SECURE ?)

 On 22-Aug-90 with bulging eyes and flailing arms Kevin Higgins said:

 KH> I took a look at it, but to be realistic, when you run a BBS, or are
 KH> continuously updating your files as new releases come out, you could
 KH> easily get to the point where you spend more time reconfiguring the
 KH> anti-virus program than you would getting any work done. I find it
 KH> much more efficient to scan every file for viruses as soon as I get it
 KH> on my system, then rezip it, if I'm not going to use it... a simple
 KH> .bat file can be used such that if
 KH>
 KH> you want to check multiple files, you can just feed the file names on
 KH> the command line and let the .bat file take care of unzipping,
 KH> scanning and rezipping the file. Be best if someone would write a
 KH> program that would do this, but I haven't found one yet. Kevin
 KH>

sounds like a plan to me. it would actually be fairly simple to write a
program to look at all the files in your upload directory, unpack them based
on the extension, scan them, then re-compress them (if needed). of course
you'd still have to manually put the now scanned files into the proper
catagory directories yourself. when do you need it and what's it worth? :-)

 ...All of my dreams are in COBOL...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 2746 *Virus Info*
08-23-90 15:23:00 (Read 8 Times)
From: MIKE MCCUNE
  To: TALLEY RAGAN
Subj: REPLY TO MSG# 2653 (RE: REMOVING JOSHI)
No, it just modifies the partition record to remove the virus.
If the virus isn't there, it still modifies the partition
record. Return.com just reverses the modifications done to the
partition table. I will post an improved version of RMJOSHI that
scans the partition record for the virus before modifying
it...<MM>.

 
--- KramMail v3.15
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)




Msg#: 2747 *Virus Info*
08-23-90 15:26:00 (Read 8 Times)
From: MIKE MCCUNE
  To: PATRICK TOULME
Subj: REPLY TO MSG# 2745 (RE: HAVE ANYONE TRIED SECURE ?)
Maybe I should say all virus that are in the "public domain".
Virus 101 is a research virus that only a few people have (and
you wrote). Nothing is fool proof but Secure is better than any
other interrupt moniter.

 
--- KramMail v3.15
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)




Msg#: 2748 *Virus Info*
08-23-90 07:01:00 (Read 8 Times)
From: YASHA KIDA
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2656 (AKA AND BBS HANDLES)
In a message of <21 Aug 90  22:29:34>, Patricia Hoffman (1:204/869) writes:

 PH> 
 PH> Yasha, Aliases are ok in this echo, as long as the Sysop of the system 
 PH> where the messages originate knows who the user is and can contact him 
 PH> if the need arrises.  I fully understand the sitation that you 
 PH> describe about your Site Manager...which is a fully valid reason to 
 PH> use an alias here.  I used to use the alias of "Merry Hughes" for 
 PH> exactly that reason!
 PH> 
 PH> Patti


I understand AKA names like "MERRY",  but I speak of HACKER HANDLES.
like  "LINE RUNNER", "DATA BYTE" etc... I must have misunderstood FIDO ECHO 
POLICY either way I will drop the subject.

Yasha Kida








--- msged 1.99S ZTC
 * Origin: Bragg IDBS, (FT. Bragg, NC - we're gonna kick some booty) 
(1:151/305)




Msg#: 2749 *Virus Info*
08-08-90 23:23:00 (Read 7 Times)
From: ALAN DAWSON
  To: DAVID SMART
Subj: RE: VIRUS SCANNERS....
 DS> You can't win on this!  I've been downloading for quite a while 
 DS> - always running a virus checker on the information.  So, where 
 DS> did our virus come from?  Off a shrink-wrapped anti-virus 
 DS> diskette one of our guys picked up in the US!  

Nothing new about this, as people learn all the time. One MAJOR 
company (really big, really well known) has shipped shrink-wrapped 
viruses twice -- once on purpose! Shrink wrap doesn't keep the bugs 
out.     



--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 2750 *Virus Info*
08-08-90 23:31:00 (Read 7 Times)
From: ALAN DAWSON
  To: PATRICIA HOFFMAN
Subj: SCAN WEIRDNESS
(All answers gratefully received despite the TO: line)
   Anybody heard of this? I've got a floppy with some viruses on it, 
among them a SCAN-known Dark Avenger. I SCAN this floppy from the C 
drive, and the "hey, nothing to worry about there" report comes back. 
Strange. I SCAN it again. This time 'round, SCAN barfs after 64K of 
the memory check, telling me Dark Avenger is in memory, power down, 
load the .45, get the cyanide tablet ready and so on.
   But DA of course is NOT in memory or active in any way. It is, 
however, on the floppy, unrun.
   The above occurred with SCANV64. Out of curiosity, I cranked up 
SCAN-54 and -- EXACTLY the same result.
   AST Bravo 286, no TSRs, nothing else loaded, clean (normal) boot 
just performed.
   I have a bunch of viruses that I don't expect SCAN to find -- 
ever. But this kind of thing has never happened to me before. Can 
anyone match this story, or event?



--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 2751 *Virus Info*
08-26-90 00:59:00 (Read 7 Times)
From: STEVEN TREIBLE
  To: KEN DORSHIMER
Subj: VOICE NUMBER

Ken,
I haven't mailed the disk yet as you can see.  I'd like to have your voice # so
I can talk to instead of sending Net Mail.
                                                        Thanks,
                                                             Steve.  
 
--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#: 2752 *Virus Info*
08-25-90 06:10:00 (Read 8 Times)
From: SANDY LOCKE
  To: HERB BROWN
Subj: RE: COMMUNICATION VIRALS
 
 
 PH> However, unless one of the above is occurring, just connecting via 
 PH> telecom to a system won't directly transmit a virus....
 PH> 
 
 
HB> Well, that is not exactly what I meant.  Sorry for the miscommunicatio
HB> should have used an example.  I'll have to dig for some old documentat
HB> about z-modem when it first came out.  I seem to remember it stating t
HB> locked the directory that a file was able to go to when being download
HB> has something to do with the structure of a .EXE file, or something.  
HB> to also remember that it was possible to have the .exe "go were it wan
HB> as defined by this structure.  Thus, having some of the file go to a c
HB> part of a drive or memory.  It seems wild, but without the docs I read
HB> can't give any details.  Thought maybe you could shed some light on th
 
 Well considering that I am hosting chuck forsberg today ... hes down
here for the sco developer forum I will put the question to him
directly... but as one of the suggestors for feature addition to the
protocol in another personna... ZMODEM will INDEED allow one to
transmit a FULL path name... however this is mitigated by the ability
on the receiving end to override the transmitted pathname spec... I
dont really see a problem here... and when I put the question to chuck
I dont see where he will see one either... btw READ the DSZ DOCS and
register the product... that will turn on ALL the neat zmodem
features...
      sandy


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2753 *Virus Info*
08-25-90 06:18:00 (Read 15 Times)
From: SANDY LOCKE
  To: SKY RAIDER (Rcvd)
Subj: RE: VIRUS ORIGINALS
SR> Doug,
 
SR> It is my belief that viruses originated in the early days of computing
SR> effort to see what kind of stuff could be done with them, a group of
SR> programmers (financed by the US government as I recall) institued a se
SR> programs that would attempt to 'beat' others in taking over a computer
SR> system. These programs led to a gaming system known as the CORE WARS. 
SR> today there is an International Core Wars Society.
 
SR> I think it can be easily seen how a program to destroy/circumvent a st
SR> operating system can develope into a virus. 
 
SR> I tried to double check this information for accuracy, names, dates, e
SR> but it seems I have deleted this file. I will try to get further info 
SR> you, but beleive this info is shrouded in secrecy, and may be hard to
SR> relocate.
 
SR> So, the original viruses did come from the US (and even possibly with
SR> government help).
 
SR>                                Ivan Baird
SR>  * Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K> 
SR> (1:255/3)
WHAT a LOAD of UNADULTERATED CRAP... redcode is simply a GAME created by
bored programmers... ORIGINAL CORE WARS games were created as far back
as 1969 back on the OLD IBM 360 architectures under both OS/MFT and
OSMVT OS's... neither had anything to do with so-called secret
financing by the US government...BTW I was AROUND and A Systems
Programmer during that period... we created our own versions when we
heard of the rumours... it was an old system programmers game designed
to give Egotistal programmers some lighthearted fun... at this point
ALL code ran in real Address space and redcode hadnt even been though
of... the MUCH later article by Scientific American in 1979 gave this
fun with out harm via the redcode interpreter implemented on early 6502
and 8080 systems... really... I am going to have to move to canada...
sounds like there are some really potent and fun drugs in circulation
up there... jeese... what a simp...
   sandy


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2754 *Virus Info*
08-25-90 06:19:00 (Read 14 Times)
From: SANDY LOCKE
  To: STEVE HOKE
Subj: REPLY TO MSG# 2752 (RE: COMMUNICATION VIRALS)
SH> In a message to Herb Brown <15 Aug 90 17:44:00> Patricia Hoffman wrote
 
 PH> The only way a virus could be directly transmitted via a
 PH> telecommunications link ...
 PH> is if the particular "service" has a feature where they upgrade
 PH> their software on your system when you connect.
 
SH> Is there any commercial system that does this? I don't know of one, bu
SH> like to know what types of systems to be wary of.
 
SH> Steve
just one word for you... PRODIGY avoid it like the plague...
    sandy


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2755 *Virus Info*
08-25-90 06:25:00 (Read 9 Times)
From: SANDY LOCKE
  To: MIKE MCCUNE
Subj: REPLY TO MSG# 2747 (RE: HAVE ANYONE TRIED SECURE ?)
 
MM> I have tried Secure and have found it to be the only interrupt moniter
MM> that will stop all the known viruses. It won't stop the boot viruses, 
MM> obviously (because a boot virus loades before Secure does), but it wil
MM> detect them as soon as Secure is loaded. Secure is hard to configure, 
MM> but once it is configured, it will give few false alarms. With string 
MM> scanners becoming increasingly easy to defeat, Secure may be the way t
MM> go for virus protection...<MM>.
 
 well kiddies... a certain couple of anti-viral types on HOMEBASE BBS
managed to sting SECURE with modified version of JER-B... one of them
continues to find holes with the same tool... SECURE is simply NOT
SECURE...
   sandy


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2756 *Virus Info*
08-25-90 06:31:00 (Read 9 Times)
From: SANDY LOCKE
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 2479 (RE: CRC CHECKING)
 
KD>  On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman sai
 
KD>  <KD>>the deal is that the invading program would have to know how the
KD>  <KD>>your
KD>  <KD>>program uses works. otherwise it would have a (bytes changed!/by
KD>  <KD>>file!)
KD>  <KD>>chance of succeeding, or somewhere in that neighborhood...
KD>  <KD>>
 
 PH> Except in the case of Stealth Viruses....CRC checking doesn't work
 PH> with them.
 PH>
 
KD> i'd have to see that for myself. i think a complex enough algorithm wo
KD> keep them at bay. the probability factor is just too low for such a st
KD> scheme to work.
 
KD>  ...Your attorney is in the mail...
 
check out Gilmore Data Systems in LA authors of the OLD FICHECK and
XFICHECK... the techniques is called CRC padding after the addition of
the viral code the file is padded with a given number of bytes to make
the CRC Polynomial come out with the same result... the FCB is then
Patched to the original file length leaving nothing for standrad CRC
checkers to detect... Childs play really...
      sandyp.s. in the case of most stealth viruses... the file read
code is simply altered to disinfect the file as the CRC checking
program reads it... agains simply childs play...


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2757 *Virus Info*
08-25-90 06:32:00 (Read 10 Times)
From: SANDY LOCKE
  To: PATRICK TOULME
Subj: REPLY TO MSG# 2755 (RE: HAVE ANYONE TRIED SECURE ?)
 
MM> I have tried Secure and have found it to be the only interrupt moniter
MM> that will stop all the known viruses.                         
 
PT>   Mike perhaps you should add a caveat to that statement.  Secure
PT> neither detects, nor does it stop, Virus-101.
 
 Right on Patrick...
    sandy
p.s. Damn nice design on the code complex as HELL....


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2758 *Virus Info*
08-25-90 06:36:00 (Read 9 Times)
From: SANDY LOCKE
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 2740 (RE: REMAPPING...)
PF> Hello, Tom...
PF> .
PF>       More than likely there was nothing like that at all. Keyboard
PF> remapping is an extremely complicated process and would take more than
PF> forethought on the part of the programmer. What you have seen us
PF> talking about here is figurative at best and personally, I would have
PF> to see it to believe it. (you know the old saying: "Believe none of
PF> what you hear and only half of of what you see."?) Although I do
PF> believe that is quite possible under the proper circumstances, it woul
PF> indeed be a rare occurance. Sometimes when receiving odd characters
PF> during telecommunications or not getting the exact same keys that you
PF> typed could be attributed to disparity (parity differences), differing
PF> data bits, stop bits, or even simply ANSI interpretation problems
PF> between Comm Programs. I've seen the smallest, simplest things like
PF> that have people pulling their hair out by the roots!
PF> .
PF> .....Clarke's Third Law
PF>      Any sufficiently advanced technology is indistinguishable from
PF>      magic.
PF> .
PF> .
PF>        -Paul   ^@@^........
 
 well paul normally on hombase you are quite lucid... but as a long
time programmer I can testify the keyboard mapping is really quite
simple... no real problem and the business of using terminal control
code is quite as simple...
    sandy


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2759 *Virus Info*
08-25-90 06:39:00 (Read 9 Times)
From: SANDY LOCKE
  To: CY WELCH
Subj: REPLY TO MSG# 2743 (RE: KEYBOARD REMAPPING....)
CW> In a message to Everyone <16 Aug 90  6:32:00> Paul Ferguson wrote:
 
 PF> Isn't it possible to remap some (or any) keyboard functions via
 PF> communications with some funky ANSI control characters?....I seem to
 PF> remember mention of this somewhere.....I really can't remember if was
 PF> in the form of a question, though, or an answer.....It also made
 PF> mention of PKWares' Safe-ANSI program...Somebody help us out here...
 
CW> I think most of the "FAST" ansi replacements do not have the keyboard
CW> remapping so that danger is removed in those cases.
 Well if you are referring to FANSI.SYS by hershey Microsystems it too
is vunerable to remap effects... and since it implemnt FULL ANSI 3.64
terminal control codes plus some extensions it is even more vunerable
to a whole class of tricks that go way beyond noremally keyboard
remapping... but to there credit they ahve include a way to turn this
"FEATURE" OFF... just most users get it off a BBS and never order or
look at the 50.00 set of docs that come when you pay for the
products...
    sandy


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2760 *Virus Info*
08-25-90 08:49:00 (Read 9 Times)
From: PATRICIA HOFFMAN
  To: PHILLIP LAIRD
Subj: REPLY TO MSG# 2738 (ONTARIO VIRUS)
 PL> Patty, have you heard of such a Virus?  I was in the TAG Support Echo 
 PL> and saw
 PL> a message about a TAG Sysop who contracted that virus.  Any Info?  
 PL> Supposedly the Virus is scanned in version SCANV66.ZIP.

Yep, I've heard of this one....I was the one that named it after it was 
submitted by Mike Shields (Sysop of 1:244/114).  Ontario is a memory resident 
generic infector of .COM and .EXE files, including COMMAND.COM.  Infected .COM 
files will increase in length by 512 bytes.  Infected .EXE files will increase 
in length between 512 bytes and 1023 bytes on disk drives with standard 512 
byte sectors.  When files are infected, the virus adds itself to the end of the
program, and then places a jump at the beginning so that the virus's code will 
always execute before the program that was infected.  Ontario is not a 
low-system memory TSR, it goes memory resident installing itself at the top of 
free memory, but below the 640K line.  Available free memory will decrease by 
2,048 bytes.  Once the virus has installed itself in memory, any program which 
is executed will then become infected.  

It was reported with the sample I received from Mike that infected systems may 
experience hard disk errors, but I was unable to duplicate that here.  This may
only happen in severe infections, I try not to let them get that severe when 
I'm working with a virus :-).  

Scan V66 and above can detect the Ontario Virus on both .COM and .EXE files. 
Unfortunately, Ontario is one of the viruses that uses a "double-encryption" 
technique to prevent scanners from being able to use a search string to detect 
it, so there isn't a simple way to find it with a hex string and a utility such
as Norton Utilities.  As of right now, there aren't any disinfectors available 
for the Ontario virus, so if you happen to be infected with it you need to 
remove the infected programs and replace them with clean copies from your 
uninfected backups or original write-protected distribution diskettes.  

A more complete description of the Ontario virus is in VSUM9008, which was 
released on August 10.  The above is just off of the top of my head, which 
happens to hurt right now.  Hope it is understandable.....

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2761 *Virus Info*
08-25-90 09:02:00 (Read 10 Times)
From: PATRICIA HOFFMAN
  To: YEN-ZON CHAI
Subj: REPLY TO MSG# 2741 (ANTI VIRUS VIRUSES)
 YC>  DB> well..here is a question..where exactly did viruses originate
 YC>  DB> anyway..was it in this country or others?
 YC> 
 YC> Probably where hacker exists, virus exists.
 YC> 

Well, the two oldest known viruses for MS-DOS are the Pakistani Brain and 
VirDem.  The Brain is from Pakistan, VirDem from West Germany.  Both of these 
originated in 1986.  Both have known authors.  The viruses from 1987 include 
Jerusalem and the Suriv series from Israel, Alameda/Yale from the United 
States, and 405 from Austria or Germany.  

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2762 *Virus Info*
08-25-90 09:07:00 (Read 10 Times)
From: PATRICIA HOFFMAN
  To: KEVIN HIGGINS
Subj: REPLY TO MSG# 2757 (RE: HAVE ANYONE TRIED SECURE ?)
 KH>     I took a look at it, but to be realistic, when you run a BBS, or 
 KH> are continuously updating your files as new releases come out, you 
 KH> could easily get to the point where you spend more time reconfiguring 
 KH> the anti-virus program than you would getting any work done. I find it 
 KH> much more efficient to scan every file for viruses as soon as I get it 
 KH> on my system, then rezip it, if I'm not going to use it... a simple 
 KH> .bat file can be used such that if you want to check multiple files, 
 KH> you can just feed the file names on the command line and let the .bat 
 KH> file take care of unzipping, scanning and rezipping the file.
 KH>     Be best if someone would write a program that would do this, but I 
 KH> haven't found one yet.

You might want to take a look at CheckOut and Shez.  

CheckOut uses ViruScan to check .ARC, .PAK, .ZIP, .LZH, and other archive 
formats for viruses by automatically creating a temporary directory and 
unarchiving the file to it.  It then invokes Scan to check the executable 
files.  One of its nice features is that it will never invoke a program in that
temporary directory, as well as you can have it either delete an infected file 
or move it to a badfiles directory.  It will also find archives which are 
damaged for you.  It can be invoked easily from a .BAT file, such as if you 
want to run it at midnight against all new uploads.  

Shez is another program which can be used to scan inside archives.  It is 
interactive, so you need to manually invoke it.  After you have selected the 
archive and listed the contents, hitting ctrl-Z will result in Scan checking 
the contents.  

There are other scanning shells which handle archived files, though these are 
the two that I've used regularly and are the most familiar with.  I was also 
involved in the beta testing of CheckOut with some known to be infected files, 
and it does function properly in that instance.  I've also tested Shez with 
infected files, and it works well....

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2763 *Virus Info*
08-24-90 16:53:00 (Read 8 Times)
From: PRAKASH JANAKIRAMAN
  To: ALL
Subj: LEPROSY
Exactly what is the Leprosy virus supposed to do? I was informed that it had 
been included in McAfee's latest version of Scan, but, having never used Scan 
before in my life, and never having encountered a virus, are there "symptoms", 
shall we say, caused by the Leprosy virus, or for any virus? If there is a 
textfile explaining what each virus is capable of doing, and how it can be 
detected, I'd like to get a copy of it, if any of you know where I can get 
something of that sort.
  
Also, does anyone have the number to McAfee's BBS? I'd like to become a user 
over there as well. (I remember it being in the 408 area code, but I can't 
recall the actual number). Anyways, thanks a bunch, all...
 
Prakash
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#: 2896 *Virus Info*
08-26-90 20:55:00 (Read 9 Times)
From: HERB BROWN
  To: SANDY LOCKE
Subj: REPLY TO MSG# 2754 (RE: COMMUNICATION VIRALS)
With a sharp eye <Aug 25 06:10>, Sandy Locke (1:204/869) noted:
 SL> Well considering that I am hosting chuck forsberg today ... hes down
 SL>here for the sco developer forum I will put the question to him
 SL>directly... but as one of the suggestors for feature addition to the
 SL>protocol in another personna... ZMODEM will INDEED allow one to
 SL>transmit a FULL path name... however this is mitigated by the ability

I have the understanding that other protocols would do this, not by choice. 
Without the security on the recieving end, this could be disasterous, to say 
the least..  I would be happy to hear what you find.. Speaking of registering 
zmodem, is it still free to sysops? You can asnwer that in net-mail.. :-)


--- QM v1.00
 * Origin: Delta Point (1:396/5.11)




Msg#: 2897 *Virus Info*
08-24-90 13:39:00 (Read 7 Times)
From: MIKE MCCUNE
  To: VESSELIN BONTCHEV
Subj: REPLY TO MSG# 2746 (REMOVING JOSHI)
In your recent letter to me you wrote to me you suggested that I check for the 
virus before trying to remove it. Now that I've got a working copy of the Joshi
(and don't have to let someone else test RMJOSHI), I rewrote the program to 
check for the virus first.
mov dx,80h
mov cx,1h
mov bx,200h
mov ax,201h
int 13h
or ah,ah
jnz read_error
es:
cmp w[bx],1feb
jnz no_virus
mov cx,000ah
mov ax,301h
int 13h
or ah,ah
jnz write_error
mov cx,9h
mov ax,201h
int 13h
or ah,ah
jnz read_error
mov cx,1h
mov ax,301h
int 13h
or ah,ah
jnz write_error
mov ah,9h
lea dx,remove_message
int 21h
int 20h
remove_message:
db 'Joshi Removed



no_virus:
mov ah,9h
lea dx,virus_message
int 21h
int 20h
virus_message:
db 'Joshi not found



read_error:
mov ah,9h
lea dx,read_message
int 21h
int 20h
read_message:
db 'Read Error



write_error:
mov ah,9h
lea dx,write_message
int 21h
int 20h
write_message:
db 'Write Error



I wrote it for the shareware A86, but it should assemble under MASM, TASM or 
WASM with minor modifications. Next I will scan the memory for the virus 
because the remover won't work while the virus is active in memory....<MM>.


--- Opus-CBCS 1.13
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)




Msg#: 2898 *Virus Info*
08-25-90 23:46:00 (Read 6 Times)
From: TALLEY RAGAN
  To: MIKE MCCUNE
Subj: REPLY TO MSG# 2897 (RE: REMOVING JOSHI)


In a message to Talley Ragan <08-23-90 15:23> Mike Mccune wrote:

MM>>No, it just modifies the partition record to remove the virus.
MM>>If the virus isn't there, it still modifies the partition
MM>>record.

        Thanks for the information.  That clears up the question just
fine.


                Talley




--- ZAFFER v1.01
--- QuickBBS 2.64 [Reg] Qecho ver 2.62
 * Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9)




Msg#: 2899 *Virus Info*
08-23-90 17:31:00 (Read 6 Times)
From: DAVID BURGESS
  To: MARTIN NICHOL
Subj: REPLY TO MSG# 2661 (WHAT'S THE SOLUTION?)
In a message to michael tunn <21 Aug 90 20:29:00> Martin Nichol wrote:

 MN> mt said => It seems to me our Virus checking programs will just
 MN> mt said => get bigger and bigger as more viruses and strains of
 MN> mt said => the same viruses are discovered. If so (and if their
 MN> mt said => development is excelerating) then we may find in the
 MN> mt said => near future that it has become impossiable to deal
 MN> mt said => with the outbreaks!
 MN> mt said => Do we do develop new Operating Systems which are far
 MN> mt said => more secure!

 MN> Develope different virus scanning programs.  Make them more generic
 MN> where virus signatures/characteristics can be kept in a seperate
 MN> file and the virus scanner just reads the
 MN> file and interprets it accordingly. 

That opens the door to having the virus scanner or part of the virus scanner
to become contaminated.


--- [Q] XRS 3.40
 * Origin: Eurkea! I've found the secret elephant playground (RAX 1:124/3106.6)




Msg#: 2900 *Virus Info*
08-17-90 21:06:00 (Read 6 Times)
From: CHRIS BARRETT
  To: PATRICIA HOFFMAN
Subj: RE: VIRUCIDE V1.2
Thanks for the info..  If ya remeber the name could ya tell us it..
I think i'll stick with the ScanV?? and CleanP?? for now then..
 
Chris..
--- TBBS v2.1/NM
 * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654)




Msg#: 2901 *Virus Info*
08-17-90 06:26:00 (Read 6 Times)
From: ZEBEE JOHNSTONE
  To: ALL
Subj: MAC VIRUS
Anyone know anything about a mac virus which:

        Sets the delete flag on any folder with a name which starts with the 
letter "o" or higher (eg system...)

IT doesn't actually delete the folder, the machine will still boot, but the 
folder is missing from the desktop and the delete flag is set.

Weird one hmm?  
 
--- 
 * Origin: Lighten up! What man can make, man can break! (3:680/813)




Msg#: 2902 *Virus Info*
08-19-90 22:31:00 (Read 6 Times)
From: BRENDON THOMPSON
  To: PATRICIA HOFFMAN
Subj: "STONED 2"
Patti, I sent you a message the other day about a new variant of
"Stoned" that I found in Christchurch, New Zealand.  It had reference
to some "S & S program for testing anti-virus software" and the
phone number  0494 791900 in it.

I have since had the time to pull it to bits, and it is only the
original "Stoned" virus.  The code at the start of the sector is
still the same, but some clown has modified the message after
location 65H.

I'm still pleased to send you a specimen by airmail if you like,
but it ain't "Stoned 2".

Regards..


... Doon.
--- Via Silver Xpress V2.26
 * Origin: TONY'S BBS - Gateway to New Zealand. (3:770/101)




Msg#: 2903 *Virus Info*
08-19-90 09:25:00 (Read 6 Times)
From: DONALD ANDERSON
  To: FRIAR NESTOR
Subj: RE: LOOKIN' FOR FUN?
I always looking for fun

 
--- KramMail v3.15
 * Origin: get real (3:621/221.0)




Msg#: 2904 *Virus Info*
08-26-90 23:36:00 (Read 7 Times)
From: GLENN JORDAN
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2761 (ANTI VIRUS VIRUSES)
 PH> The Vacsina Viruses were written in Bulgaria to seek out and destroy
 PH> certain other viruses, or at least that was their original purpose.


     In examples of the VACSINA virus I have investigated, I have found the 
following odd behavior, which I wonder if you have also noted :

     .COM files of over a certain size are infected at first bite, but .EXE 
files are different. It takes two Exposures to infect an .EXE file, each of 
which adds a bit to the file length, but only at the second exposure do you get
a live virus, signaled by a short beep. A tiny .EXE will take the first 
exposure, but never complete on a subsequent exposure to become a live virus. 
     I wonder if in some way this behavior, which I have not seen in any other 
viruses so far, is in some way related to the original "anti-virus" nature of 
this beast ?

--- XRS 3.30-DV (286)
 * Origin: Jordan Computer Consulting (RAX 1:151/223.3)




Msg#: 2905 *Virus Info*
08-26-90 07:54:00 (Read 6 Times)
From: KEN DORSHIMER
  To: SANDY LOCKE
Subj: REPLY TO MSG# 2756 (RE: CRC CHECKING)

 On 25-Aug-90 with bulging eyes and flailing arms Sandy Locke said:

 SL> check out Gilmore Data Systems in LA authors of the OLD FICHECK and
 SL> XFICHECK... the techniques is called CRC padding after the addition of
 SL> the viral code the file is padded with a given number of bytes to make
 SL> the CRC Polynomial come out with the same result... the FCB is then
 SL> Patched to the original file length leaving nothing for standrad CRC
 SL> checkers to detect... Childs play really... sandyp.s. in the case of
 SL> most stealth viruses... the file read code is simply altered to
 SL> disinfect the file as the CRC checking program reads it... agains
 SL> simply childs play...
 SL>

could you send me this article? i still believe that the virus would have to
know your crc algorithm in order to perform this magic. additionally if the
file is padded, it's size would increase and would be detected that way.
correct? sooo, the person writting the virus would require a copy of your
file to disassemble, see how you performed your checks, then create a means
to circumvent it. sounds like a lot of trouble to me for very little gain.
catch ya on the rebound.

 ...All of my dreams are in COBOL...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 2906 *Virus Info*
08-26-90 23:58:00 (Read 6 Times)
From: KEN DORSHIMER
  To: STEVEN TREIBLE
Subj: REPLY TO MSG# 2751 (RE: VOICE NUMBER)

 On 26-Aug-90 with bulging eyes and flailing arms Steven Treible said:

 ST> Ken, I haven't mailed the disk yet as you can see.  I'd like to have
 ST> your voice # so I can talk to instead of sending Net Mail. Thanks,
 ST> Steve.

 you got it look for it in a net-mail-o-gram. i'd rather not leave it in the
 public msg area as everyone would try to call and shoot the breeze. :-)

 ...All of my dreams are in COBOL...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 2907 *Virus Info*
08-26-90 13:09:00 (Read 6 Times)
From: PAUL BENDER
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2744 (VIRUS RESCUE & F-PROT RELEASES)
 * Replying to a message originally to All

PH> Both programs are also file requestable by other systems.
PH> File requests should ask for magic file names as follows:
PH>
PH>         F-PROT for the latest copy of F-PROT (currently
PH> FPROT112.ZIP)
PH>         RESCUE for the latest version of Virus Rescue
PH>

Would it be possible for you to hatch these out into SDS or arrange for the 
authors to do so?

        Paul  
 
--- RemoteAccess 0.04a via QEcho 2.
 * Origin: -=* Rassi's Retreat *=- 10pm to 8am Only! (615) 831-1338 (1:116/37)




Msg#: 2908 *Virus Info*
08-26-90 12:44:00 (Read 7 Times)
From: PATRICIA HOFFMAN
  To: ALL
Subj: VIRUS_INFO INTRODUCTION & RULES
Welcome to the VIRUS_INFO echo.  The purpose of this echo is to allow
BBS users and sysops to ask questions about computer viruses and to be
able to get back up-to-date information.  Discussion topics may include,
but is not necessarily limited to:

    - what are viruses
    - how to prevent getting infected
    - how to determine if your system is infected
    - how to clean up an infected system and salvage as much information
      as possible
    - reviews and announcements of new anti-viral products and product
      releases.

There was a lot of hysteria in the press over the Columbus Day/
DataCrime/October 12 virus, for example, but little mentioned of how
rare the virus is or how to determine if a system is infected with it
and how to remove it.  This type of information is an example of what
this echo is intended to carry.

Some messages appearing in this conference may be cross-postings from
the Dirty_Dozen echo which is sysop only.  Cross-postings may only be
done by the originator of the message.  For example, several of my
messages posted in the Dirty_Dozen echo will be cross-posted here.
Messages from the HomeBase/CVIA BBS run by Mr. John McAfee in Santa
Clara, CA and/or CVIA bulletins may be posted here by Patricia Hoffman,
these are being done with Mr. McAfee's permission.  Replies to these
messages, as well as netmail received at 1:204/869 for Mr. McAfee, is
manually transferred to his system as it is received.

Conference rules are very simple.....
1.   Discussions of how to write a virus, specific technical discussions
     of how a virus works, or anything of an illegal nature, are not 
     allowed.  This rule is *not* open to debate.
2.   Messages with a sexually suggestive nature are not allowed, please keep
     in mind that minors as well as adults participate in this conference.
3.   Discussions of a ethical or retorical nature that lead into a debate are
     considered off-topic in that they will not ever be resolved and do not
     help anyone.  An example in this category would be a discussion in the
     area of "Should live viruses or virus disassemblies be made available 
     to the public?".  These questions and topics will be allowed until such
     a point that they start to severely disrupt the echo, or start a flame
     war.  At that point, the moderator will request that the discussion be
     discontinued.
4.   Be courteous to your fellow echo participants, and remember there
     is no such thing as a dumb question, except for the question that some-
     one is afraid to ask.  Everyone needs to help everyone else understand
     viruses and why they are a problem.
5.   This conference is not to be distributed thru Group-mail or any
     other mail processor which will obscure the ability to track a
     message back to an originating system.  All messages must have
     seen-bys and path statements if the BBSs participatings software
     can generate them.
6.   If you have a question or problem of an extremely sensitive nature,
     consider sending it NetMail to 1:204/869 or 99:9403/2 instead of
     posting it here.  If you are netmailing a file that you think is
     infected, be sure to send a message in NetMail with it so I know
     what it is, I'll be sure it gets to someone to get analysed for you.
     Do not under any circumstances host route a file that you think is
     infected.  Suspect files may also be sent on diskette via US Mail
     to the following address:
          Patricia Hoffman
          1556 Halford Avenue #127
          Santa Clara, CA 95051
7.   This conference is available to FidoNet and EggNet systems.
     The conference echomail tag in FidoNet is VIRUS_INFO, in EggNet 
     the conference is available as E_VIRUS_INFO.
8.   This conference is available on the FidoNet Backbone.  While you 
     are welcome to freely pass this echo along to other systems, out
     of region links must be approved by moderator of the echo.  Gating
     the echo into another network or Zone must be approved by the
     conference moderator.
9.   Opinions are welcome in the conference, however the ethics of the
     behavior of people that write viruses, or name calling, is frowned
     upon.  Likewise, accusations of virus writing are strictly forbidden.
     Please keep opinions down to a single message, and do not
     repeatedly post them, as these messages tend to water down the
     purpose of the conference and degrade the level of information that
     is being presented.
10.  Handling of off-topic messages or messages that violate the
     conference rules will be done by the moderator.  First and second
     warnings on these messages will be in private Netmail.  Please
     do not respond to the off-topic messages so that the conference
     doesn't get further off-track.  Let the moderator do the moderating.
11.  Handles are allowed in this conference, however sysops of boards
     carrying the conference are expected to be able to determine which
     of their users entered a message if a problem arises.  This in
     effect means, for example, that Opus systems must not set this echo
     up to allow anonymous messages.
12.  If a matter arises where the moderator needs to contact a participant
     in the echo, the moderator will contact the system where the message
     was entered and request that the sysop allow the user netmail access,
     or call the participant with a request for them to logon to the
     moderator's system or provide a phone number with the participant's
     permission.  Sysops are not expected to provide their users' phone
     numbers to the moderator without the user's express permission, their
     privacy is important.  There are times, however, when a phone call
     or chat can resolve a problem much faster than any other route.  This is
     the only reason for this rule.
12.  This echo is not a programming echo for answering questions 
     on how to code programs in assembler.  If you want to exchange
     assembler (or any other program language) techniques, please
     locate an appropriate programming echo or start your own echo.  

Patricia M. Hoffman is the moderator of the VIRUS_INFO echo conference.  She
has previously used the name "Merry Hughes" in moderating this conference, and
is the originator of the conference and the original moderator.

Patricia Hoffman is also the author of the Virus Information Summary List, and
is an independent anti-viral researcher.

Please contact the moderator, Patricia Hoffman, at 1:204/869 or 99:9403/2
if you need assistance on setting up an echofeed for this echo to your
system.


thanks...
Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2909 *Virus Info*
08-26-90 15:13:00 (Read 7 Times)
From: PATRICIA HOFFMAN
  To: PRAKASH JANAKIRAMAN
Subj: REPLY TO MSG# 2763 (LEPROSY)
 PJ> Exactly what is the Leprosy virus supposed to do? I was informed that 
 PJ> it had been included in McAfee's latest version of Scan, but, having 
 PJ> never used Scan before in my life, and never having encountered a 
 PJ> virus, are there "symptoms", shall we say, caused by the Leprosy virus, 
 PJ> or for any virus? If there is a textfile explaining what each virus is 
 PJ> capable of doing, and how it can be detected, I'd like to get a copy of 
 PJ> it, if any of you know where I can get something of that sort.

The Leprosy virus is a non-resident overwriting virus.  It infects .COM and 
.EXE files, overwriting the first 666 bytes of the file.  Symptoms of it 
include that infected files will not execute properly...instead of what they 
are supposed to do, they will upon execution, infect other files then display a
message and end.  A complete description of this virus and all (with the 
exception of V2P2, V2P6, V2P6 and Stoned II) known MS-DOS viruses as of August 
10, 1990 is available in the Virus Information Summary List.  Its current 
version is VSUM9008.ZIP.  It is available on my system at 408-244-0813, as well
as many other systems, including McAfee's BBS.  Check around your area before 
you make the long distance call, it could save you the phone call cost. 

 PJ>   
 PJ> Also, does anyone have the number to McAfee's BBS? I'd like to become a 
 PJ> user over there as well. (I remember it being in the 408 area code, but 
 PJ> I can't recall the actual number). Anyways, thanks a bunch, all...

The number of the HomeBase BBS is 408-988-4004.  The 9600 HST number is 
408-988-5138.  

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 2910 *Virus Info*
08-24-90 23:05:00 (Read 7 Times)
From: CY WELCH
  To: TALLEY RAGAN
Subj: REPLY TO MSG# 2898 (REMOVING JOSHI)
In a message to Mike Mccune <20 Aug 90 17:09:00> Talley Ragan wrote:

 >MM>> Just be sure to boot off a clean diskette to remove the
 >MM>>virus from memory, otherwise the virus will not be removed.
 >MM>> If RMJOSHI is used on an unifected hard drive, it will
 >MM>>destroy the partition table. This next program, RETURN.COM
 >MM>>will restore the partition table.
 >MM>> I will post this program in my next listing...<MM>.

 TR>        Does this mean that RMJOSHI.COM, if run on an uninfected hard
 TR> drive by it self is a virus?

Actually I think it would fit the description of trojan rather than virus as it
doesn't replicate.

--- XRS! 3.40+
 * Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1)




Msg#: 2911 *Virus Info*
08-26-90 21:13:00 (Read 6 Times)
From: TOM PREECE
  To: SANDY LOCKE
Subj: REPLY TO MSG# 2758 (RE: REMAPPING...)
As you may see by looking at my other entry's, I have been loading a cache 
program that is clearly implementing software to remap my keys to s certain 
extent.  If this is possible as a glitch, its is obviously possible as an 
attack.  Let's hope it never comes to that.
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#: 2993 *Virus Info*
08-27-90 07:54:00 (Read 7 Times)
From: JAMES DICK
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 2762 (RE: HAVE ANYONE TRIED SECURE ?)
On Fri, 24 Aug, 1990 at the ungodly hour of 23:37, while ducking Broccoli Jello
and drinking jolt, Ken Dorshimer wrote to Kevin Higgins, TO WIT...
 
 KD > sounds like a plan to me. it would actually be fairly simple to write 
 KD > a
 KD > program to look at all the files in your upload directory, unpack them 
 KD > based
 KD > on the extension, scan them, then re-compress them (if needed). of 

Sounds like CHECKOUT....available here, homebase excaliber! and others as 
CKOT11.*

-={ Jim }=-
 
 


--- QM v1.00
 * Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada 
(1:163/118.0)




Msg#: 2994 *Virus Info*
08-27-90 19:34:00 (Read 6 Times)
From: PHILLIP LAIRD
  To: ALAN DAWSON
Subj: REPLY TO MSG# 2750 (RE: SCAN WEIRDNESS)

 >among them a SCAN-known Dark Avenger. I SCAN this floppy from 
 >the C 
 >drive, and the "hey, nothing to worry about there" report comes 
 >back. 
 >Strange. I SCAN it again. This time 'round, SCAN barfs after 
 >
 >--- Opus-CBCS 1.13
 > * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand 
 >(3:608/9.0)


Allan, I NEVER SCAN from the C Drive or any hard disk.  I always scan from a 
write protected Floppy Diskette in Drive A.  I also have a third system (Yep 
that's right a third system to do all my scanning from.  However, I have never 
had happen to me what happened to you.  I did one time find Scan.EXE infected 
at my place of employment when I didn't write protect the floppy and scanned 
the b drive, PLEASE write protect the floppy or SCAN.EXE on the hard drive...

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 2995 *Virus Info*
08-27-90 19:50:00 (Read 10 Times)
From: PHILLIP LAIRD
  To: SANDY LOCKE
Subj: REPLY TO MSG# 2753 (RE: VIRUS ORIGINALS)
Sandy, maybe this might help.  I have read an excellent book on the Subject of
Origins of Viruses, but let me quote you guys first...


 >SR> effort to see what kind of stuff could be done with them, 
 >a group of
 >SR> programmers (financed by the US government as I recall) 
 >institued a se
 >SR> programs that would attempt to 'beat' others in taking 
 >over a computer
 >SR> system. These programs led to a gaming system known as 
 >the CORE WARS. 
 >SR> today there is an International Core Wars Society.
 > 
 >SR> I think it can be easily seen how a program to destroy/circumvent 
 >a st
 >SR> operating system can develope into a virus. 
 > 
 >SR> I tried to double check this information for accuracy, 
 >names, dates, e
 >SR> but it seems I have deleted this file. I will try to get 
 >further info 
 >SR> you, but beleive this info is shrouded in secrecy, and 
 >may be hard to
 >SR> relocate.
 > 
 >SR> So, the original viruses did come from the US (and even 
 >possibly with
 >SR> government help).
 > 
 >SR>                                Ivan Baird
 >SR>  * Origin: Northern Connection, Fredericton, N.B. Canada 
 ><HST 14.4K> 
 >SR> (1:255/3)
 >WHAT a LOAD of UNADULTERATED CRAP... redcode is simply a GAME 
 >created by
 >bored programmers... ORIGINAL CORE WARS games were created 
 >as far back
 >as 1969 back on the OLD IBM 360 architectures under both OS/MFT 
 >and
 >OSMVT OS's... neither had anything to do with so-called secret
 >financing by the US government...BTW I was AROUND and A Systems
 >Programmer during that period... we created our own versions 
 >when we
 >heard of the rumours... it was an old system programmers game 
 >designed
 >to give Egotistal programmers some lighthearted fun... at this 
 >point
 >ALL code ran in real Address space and redcode hadnt even been 
 >though
 >of... the MUCH later article by Scientific American in 1979 
 >gave this
 >fun with out harm via the redcode interpreter implemented on 
 >early 6502
 >and 8080 systems... really... I am going to have to move to 
 >canada...
 >sounds like there are some really potent and fun drugs in circulation
 >up there... jeese... what a simp...
 >   sandy
 >
 >
 >--- QM v1.00
 > * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 
 >(1:204/869.0)


O.K.  The above message is what I am quoting to you....

If you get a chance, you can pick this book up at Wladen Software at the 
following locations in California and maybe other bookstores near you can order
the book, too:

                      Viruses, A High Tech Disease
                      By Ralph Burger
                      Published by Abacus
                      ISBN 1557550433
                      Retails at 18.95 US

Can be picked up at the following Walden Software Stores:

Doly City, Ca (415) 756-2430
San Leandro, Ca (415) 481-8884

It starts from way back when...

                      Phillip Laird

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 2996 *Virus Info*
08-27-90 19:58:00 (Read 7 Times)
From: PHILLIP LAIRD
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2760 (RE: ONTARIO VIRUS)

 >after it was submitted by Mike Shields (Sysop of 1:244/114). 
 > Ontario is a memory resident generic infector of .COM and 
 >.EXE files, including COMMAND.COM.  Infected .COM files will 
 >increase in length by 512 bytes.  Infected .EXE files will 
 >A more complete description of the Ontario virus is in VSUM9008, 
 >which was released on August 10.  The above is just off of 
 >the top of my head, which happens to hurt right now.  Hope 
 >it is understandable.....
 >
 >Patti
 >
 >
 >--- QM v1.00
 > * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 
 >(1:204/869.0)


Yea, I think Mike was the one the message came from I read about.  He Was 
instrumental in helping us with another problem he found, too.  I am sure that 
he is on the up and up about the hard disk problems.  Nope, I don't have the 
Ontario Virus that I know of!  I read about the Virus after I had posted to 
you,  Thanx for the info.  Nice to know where it loads in Mem, that would make 
a util easier to write once I had a fix on what you have already told me.

I will see if I can locate that message from Mike about the Virus originally 
and let you read it...

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 3029 *Virus Info*
08-26-90 14:01:00 (Read 7 Times)
From: RICK WILSON
  To: SANDY LOCKE
Subj: RE: CORE WARS
yep core wars was something that a bunch of people that had access to systems 
messed with after hours, there was a artical in DDJ a few years ago about a 
bunch of em out a Berkely of Stanford or something. really weired how these 
folks that have recently ( within the last 8 to 10 years ) become such experts 
on micros and mainframes and their history. later...
                                                                Rick

--- Telegard v2.5 Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)




Msg#: 3030 *Virus Info*
08-26-90 16:45:00 (Read 7 Times)
From: JOE MORLAN
  To: CY WELCH
Subj: KEYBOARD REMAPPING.
In addition to PKWares's Safe-ANSI, ZANSI does not support keyboard remapping. 
However, NANSI.SYS does have keyboard remapping.

--- Telegard v2.5 Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)




Msg#: 3070 *Virus Info*
08-30-90 23:11:45 (Read 9 Times)
From: SKY RAIDER
  To: SANDY LOCKE
Subj: REPLY TO MSG# 2753 (Re: VIRUS ORIGINALS)
Firstly, I did not wish to anger you (although I seem to have done just this), 
but only sought to answer your question to the best of my abilities (which you 
seem to doubt).

Secondly, I stand by my original assertions that viruses were developed through
the original Core Wars gaming system. This has been corroborated by various 
'virus gurus' here at the local university. In fact, without prompting, one 
mentioned Bell Labs. Since, as you state, you are a Systems Programmer - it 
should be obvious to yourself that a RedCode program could be easily adapted to
the microcomputer world. It should also be equally as obvious that these 
RedCode experiments have laid the groundwork for many of the various virus 
types infecting micros today (ie. trojans, worms, etc.).
 
Thirdly, I did not state, nor did I mean to imply (as you seem to believe), 
that these RedCode 'fighter programs' are in fact the viruses we see today - 
merely that they (RedCode fighters) provided the techniques for the micro 
viruses. Furthermore, since the RedCode experiments were "old system 
programmers games designed to give Egoistical programmers some lighthearted 
fun", and since it is generally accepted that virus writers are in this for the
same reasons (the egotistical, not the fun), I find it hard to beleive that you
cannot equate the two.

If you will note in the extract below, I am not the only person who who 
beleives the RedCode experiments were the forerunners of the modern viruses (in
fact, it may be noted they refer to these as viruses - which, of course, they 
were);


From the Sept./89 issue of Popular Science;
 
Despite all the recent publicity, viruses aren't new. In the 1950's researchers
studied programs the called "self-altering automata," says Mike Holm...
 
In the 1960s computer scientists at Bell Laboratories had viruses battling each
other in a game called Core Wars. The object was to create a virus small enough
to destroy other viruses without being caught....


Also, just for the record, allow me to mention that this is an American 
publication (apparently there are strange drugs down there too).
 
Again, for the record, allow me to mention that it is fact that Robert Morris, 
Sr. was a participant in the Core Wars games. Is it a coincidence that his son 
wrote the Internet Virus, or did his father give him the building blocks to 
build upon? (With my apologies to the Morris family, but I felt this example 
might carry some weight with Know-it-all System Programmers).

To answer your original question, in a form that you may deem acceptable (ie. 
no RedCode, no mainframe systems, the US is not the origin - all those naive 
things), the original micro virus was (at least in the IBM world, I can not be 
sure this applies to early Apple ][ systems, or even the Pets from Commodore) 
the "Pakistani Brain", released in Jan. '86.
 
But it must be noted (although I feel you will reject this also (ie. mainframe,
US, etc)), in Nov. '83, Fred Cohen, in 8 hours wrote a virus which attached 
itself to users programs, and proceeded to use this program to gain access to 
all system rights (in an average time of 30 mins). Also, although I don't have 
a date (the computer name itself may give some indication of age) - on a UNIVAC
1108, with a secure operating system using the Bell-Lapadula model for OS 
security, a virus was created that: infected the system in 26 hours, used only 
legitimate activity with the Bell-Lapadula rules, and the infection took only 
250 (approx.) of code (From "Computer Security: Are Viruses the AIDS of the 
Computing Industry?", by Prof. Wayne Patterson, Chairman, Dept. of Computer 
Science, University of New Orleans.).

I am not interested in a war of words, so I will suggest some reading before 
you go off half cocked to this reply - "Computer Security; A Global Challenge,"
J.W. Finch & E.G. Douglas, eds., Elsevier Science Publishers, North-Holland - 
especially the chapters by Fred Cohen. I have not read this, but will try to 
when it becomes available to me. Also see the message posted by Phillip Laird.
--- TBBS v2.1/NM
 * Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K>  (1:255/3)



Msg#: 3154 *Virus Info*
08-28-90 06:33:00 (Read 7 Times)
From: PATRICIA HOFFMAN
  To: ALAN DAWSON
Subj: REPLY TO MSG# 2994 (SCAN WEIRDNESS)
 AD>    Anybody heard of this? I've got a floppy with some viruses on it, 
 AD> among them a SCAN-known Dark Avenger. I SCAN this floppy from the C 
 AD> drive, and the "hey, nothing to worry about there" report comes back. 
 AD> Strange. I SCAN it again. This time 'round, SCAN barfs after 64K of 
 AD> the memory check, telling me Dark Avenger is in memory, power down, 
 AD> load the .45, get the cyanide tablet ready and so on.
 AD>    But DA of course is NOT in memory or active in any way. It is, 
 AD> however, on the floppy, unrun.
 AD>    The above occurred with SCANV64. Out of curiosity, I cranked up 
 AD> SCAN-54 and -- EXACTLY the same result.
 AD>    AST Bravo 286, no TSRs, nothing else loaded, clean (normal) boot 
 AD> just performed.
 AD>    I have a bunch of viruses that I don't expect SCAN to find -- 
 AD> ever. But this kind of thing has never happened to me before. Can 
 AD> anyone match this story, or event?

There are a couple of possibilities here.  First, if the virus is on a 
non-executable file, such as one with a .VOM or .VXE extension, Scan won't find
it since it is not one of the file extensions it checks for Dark Avenger.  In 
this case, a subsequent run of Scan may find it in memory anyways since the DOS
buffers in memory are not cleaned out between program executions.  If this is 
the case, running Scan with the /A option will find it on any file, regardless 
of extension.

Likewise, if your copy of Dark Avenger has ever had a disinfector run against 
it, it may have some "dead" Dark Avenger code after the end of file mark, but 
within the last sector of the program as allocated on disk.  In this case, Scan
won't find it on disk, but may later find it in memory since the code after the
end of file mark was read in with the rest of the last sector of the program to
memory.  This is what is sometimes referred to as a "ghost virus", it isn't 
really the virus, just dead remnant code remaining in the slack space in the 
sector.  It can't be executed.  Running a disk optimization utility such as 
Speed Disk from Norton Utilities will get rid of the "ghost virus".  They are 
caused by the way DOS fills out the end of the buffer before it writes it out 
to disk, doesn't always occur when disinfecting programs, but it sometimes will
occur.

The other case is if your copy of Dark Avenger does not occur at the correct 
place in the file.  Dark Avenger always adds its code to the End Of Programs. 
If your copy happens to have it at the beginning of the program, or perhaps 
imbedded in the middle where it shouldn't be, it may not get found.  In this 
case, your copy doesn't match either of the Dark Avenger's that McAfee has.  

Hope that helps....those are the only three cases that I've heard of a similar 
problem to yours.  

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3155 *Virus Info*
08-28-90 15:16:00 (Read 5 Times)
From: KEN DORSHIMER
  To: JAMES DICK
Subj: REPLY TO MSG# 2993 (RE: HAVE ANYONE TRIED SECURE ?)

 On 27-Aug-90 with bulging eyes and flailing arms James Dick said:

 JD> On Fri, 24 Aug, 1990 at the ungodly hour of 23:37, while ducking
 JD> Broccoli Jello and drinking jolt, Ken Dorshimer wrote to Kevin
 JD> Higgins, TO WIT...
 KD >> sounds like a plan to me. it would actually be fairly simple to write
 KD >> a
 KD >> program to look at all the files in your upload directory, unpack them
 KD >> based
 KD >> on the extension, scan them, then re-compress them (if needed). of

 JD> Sounds like CHECKOUT....available here, homebase excaliber! and
 JD> others as CKOT11.*
 JD>
thanks but you might want to tell kevin higgins about that. :-) as for me,
hell i'll write the bloody thing myself. just wouldn't be a day without some
programming in it.

 ...All of my dreams are in COBOL...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 3156 *Virus Info*
08-27-90 14:14:00 (Read 5 Times)
From: MICHAEL CHOY
  To: ALL
Subj: IN THE MAC WORLD
Disinfectant 2.0 was released in July...it has the Disinfectant INIT, which is 
like SAM only it removes viruses as well as detecting them..it catches the 
Frankie virusa whoch in an old virus that ran on mac emulators for Atari..I 
guess nobody has to worry about that...it also has much more info on protecting
yourself from virus and such..

--- Telegard v2.5 Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)




Msg#: 3157 *Virus Info*
08-27-90 20:25:00 (Read 5 Times)
From: JOE MORLAN
  To: ALL
Subj: LHARC114?
I had heard that and infected version of LHARC was released last year under the
name LHARC114.  I also heard that because of that, the next release of LHARC 
was expected to be LHARC200 to avoid confustion with the virus.  This week a 
file appeared on a local board called LHARC114.  I left a message to the sysop 
to check it out and he says it's clean.  The docs say that this is version 
114b, the latest version.

Does anybody know what the deal is or was here?  Is LHARC114 safe to use?  Is 
there a virus associated with this program?  Thanks.

--- Telegard v2.5 Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)




Msg#: 3158 *Virus Info*
08-28-90 15:01:00 (Read 6 Times)
From: KEVIN HIGGINS
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 3155 (RE: HAVE ANYONE TRIED SECURE ?)
    Thanks for the info on CheckOut. I'd seen the file description usage 
included in a .bat for for TAG, but never implemented it, or d/l'd the checkout
file because on my XT it sometimes takes awhile to dearc. a large .zip file--a 
real pain for L/D types... Probably be wise to start using something like that,
though, since the BBS can do all the checking automatically following 
uploads....
    Guess most users won't mind waiting a minute or so, if it makes their d/l's
almost certifiably safe.
                                            Kevin

--- TAGMAIL v2.40.02 Beta
 * Origin: The Hornet's Nest BBS (1:128/74)




Msg#: 3177 *Virus Info*
08-28-90 18:10:00 (Read 6 Times)
From: RICK PERCIVAL
  To: KEVIN HIGGINS
Subj: REPLY TO MSG# 3158 (RE: HAVE ANYONE TRIED SECURE ?)
 > command line and let the .bat file take care of unzipping, scanning
 > and rezipping the file.     Be best if someone would write a program
 > that would do this, but I haven't found one yet.
 >               Kevin

 Hi there, you guys must be behind the times or something but there is a very 
good program which does exactly what you are looking for. Its called CHECKOUT. 
The version we are using over here is called CKOT11.ZIP and it is a little 
pearler!!

  What it does is, unzips a file, scans it and rezips it, menu driven or 
command line driven. Try it, you'll love it.

--- FD 1.99c
 * Origin: The Cyclops BBS Auckland NEW ZEALAND (3:772/170)




Msg#: 3178 *Virus Info*
08-14-90 09:39:00 (Read 7 Times)
From: DAN BRIDGES
  To: KEN DORSHIMER
Subj: RE: CRC?
I've been reading, with interest, the messages about a program that provides a 
demo of circumventing a single CRC generating program. I thought that its name 
would be common knowledge, but apparently it isn't.

You were told the name of the file was MCRCx. May I suggest that you look for 
it as FICHECKx. The one I got is v5 and has program called PROVECRC which 
demonstrates the problem. 


                        **********************
                        *  FICHECK  Ver 5.0  *
                        *  MFICHECK Ver 5.0  *
                        **********************
 
                 (C)Copyright 1988,1989 Gilmore Systems
              P.O. Box 3831, Beverly Hills, CA 90212-0831
                                 U.S.A.
 
             Voice: (213) 275-8006    Data: (213) 276-5263

Cheers,
Dan (no connection with the above firm).

--- Maximus-CBCS v1.02
 * Origin: Marwick's MadHouse (3:640/820)




Msg#: 3179 *Virus Info*
08-18-90 14:19:00 (Read 7 Times)
From: YVETTE LIAN
  To: FRED GOLDFARB
Subj: RE: VIRUS GROUPS....
FG> writing viruses".  The idea I got was that there are actual
FG> "virus groups" similar to the game cracking groups you hear
FG> of occasionally, who's sole purposes are to write viruses,
FG> not for research's sake, but to infect people.  Has anyone
FG> else heard of this before?  Are there really such groups?
FG> Imagine, when a new virus comes out three or four groups
FG> claiming to be the writers.. Kinda like terrorist bombings
FG> only different.  Come to think of it, I remember reading a

That'd be right... you would think that if these people were intelligent enough
to program something such as a virus they'd probably be better off not wasting 
their time with it...  
 
--- QuickBBS 2.64 (Eval)
 * Origin: Virus Info .. how to do it and not get it ! (3:640/886)




Msg#: 3180 *Virus Info*
08-18-90 14:42:00 (Read 7 Times)
From: ROD FEWSTER
  To: KERRY ROBINSON
Subj: RE: VIRUS CHECKERS
 > In a message of <12 Jun 90  7:31:31>, Patrick Curry (1:133/425) writes:
 >
 > Rarely does a MAC get a virus  It is an IBM phonomonum
                                  ^^^^^^^^^^^^^^^^^^^^^^^
Tell it to an Amiga user !!   B-)

--- FD 1.99c
 * Origin: The Edge of Reality .. THE NIGHTMARE BEGINS ! (3:640/886)




Msg#: 3181 *Virus Info*
08-30-90 13:01:00 (Read 7 Times)
From: BRIAN WENDT
  To: ALL
Subj: NEWSPAPER CLIPPING
The following item appeared in a newspaper in Brisbane, Austsralia yesterday.
Anyone care to comment?

VIRUS ATTACKS STATE'S PERSONAL COMPUTERS

A sophisticated computer virus is feared to have infected Queensland Government
and home computers.   The COMPUTER VIRUS INFORMATION GROUP at the QUEENSLAND 
UNIVERSITY OF TECHNOLOGY has issued it first major warning to personal computer
users about the virus.

The virus, initially detected by the Israeli defence force, freezes computers 
on September 22, the birthday of a character in Tolkien's book, 'Lord of the 
Rings'.

A computer virus is a program designed to attach copies of itself to software 
and disable a computer system, or destroy files.   Acting technologist, MR 
EMLYN CREEVY said the warning was issued after a State Government public 
servant gave the virus to the group for investigation.

Mr Creevy said somputers infected with the virus - known as FRODO, 4096, or 
CENTURY - would freeze on September 22 or until the end of the year unless it 
was removed.    He said the group expected to know if the virus had infected 
computers in Queensland next week after users report the results of searches 
they were requested to conduct.   The group warned all personal computer 
operators that there was a bug in the FRODO virus which prevented it from 
displaying a message 'FRODO LIVES' on September 22 and instead caused the 
computer to 'hang' or freeze.

"It is from the FRODO name that the significance of the 22nd September can be 
identified," they said.    "This is the birthday of Frodo Baggins in Tolkien's 
story.    Users are advised to theck for the virus as soon as possible.

Mr Creevy said the virus had the ability to avoid detection and spread but was 
not 'seriously destructive'.   He said it could become damaging if an expert 
could disassemble the virus and change the instructions to wipe the computer's 
disk.   "I'd say there's people working on it somewhere although probably not 
in Australia," Mr Creevy said.

An expert would have created the Frodo virus because it had only one bug while 
most viruses had more.

Mr Creevy said more than 100 viruses were believed to exist worldwide.

ENDS

Brian Wendt
Sysop
SUNMAP BBS

--- Maximus-CBCS v1.02
 * Origin: Sunmap BBS Node 5 (HST/DS) - Brisbane - Australia (3:640/206)




Msg#: 3182 *Virus Info*
08-28-90 19:33:00 (Read 7 Times)
From: SANDY LOCKE
  To: PATRICK TOULME
Subj: REPLY TO MSG# 3177 (RE: HAVE ANYONE TRIED SECURE ?)
MM> Maybe I should say all virus that are in the "public domain".
MM> Virus 101 is a research virus that only a few people have (and
MM> you wrote). Nothing is fool proof but Secure is better than any
MM> other interrupt moniter.
 
PT>    
PT> I agree with you, Mike.
 
 and I have to concur with patrick, out of all the TSR type monitor
programs out there , SECURE is indeed the best of the group... BUT
PLEASE do NOT depend upon this as your ONLY protection... as on part of
a multilayered protection scheme it would be fine... I guess my real
problems with it stem from the NAME the Mark wasburn has chosen...it
can mislead the neophyte too easily...into thinking that it really is
the be-all and end-all of protection...I wouldnt hestitate to recommend
it over the socalled commercial products in this class... BUT again NOT
as a SOLE protection against viruses... sorry for any confusion my
comments may have caused...
     cheers
     sandy


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3183 *Virus Info*
08-28-90 19:35:00 (Read 6 Times)
From: SANDY LOCKE
  To: ALAN DAWSON
Subj: REPLY TO MSG# 2749 (RE: VIRUS SCANNERS....)
 DS> You can't win on this!  I've been downloading for quite a while 
 DS> - always running a virus checker on the information.  So, where 
 DS> did our virus come from?  Off a shrink-wrapped anti-virus 
 DS> diskette one of our guys picked up in the US!  
 
AD> Nothing new about this, as people learn all the time. One MAJOR 
AD> company (really big, really well known) has shipped shrink-wrapped 
AD> viruses twice -- once on purpose! Shrink wrap doesn't keep the bugs 
AD> out.     
 
 
 UH ALAN... you mind sending the NAME of this vendor via private
e-mail... accidentally I can understand BUT ON PURPOSE??? what end
would this kind of action serve???
    cheers
    sandy


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3184 *Virus Info*
08-28-90 19:44:00 (Read 6 Times)
From: SANDY LOCKE
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 2905 (RE: CRC CHECKING)
well close... without discussing HOW its done... the file length is
altered back to the original length... its not that hard and does point
out one of the MAJOR problesm with crc scanners...that is that the
critical information that tells the operating system how long the file
is can be altered at will... as far as the comments of a virus author
disassembling the CRC package its commonly done during product testing
to find out ahead of time what algorithms are in use by the product...
it really depends on the level of security one wants for ones PC...
I really wouldnt put it past a good virus author to specifically
target anti-viral programs in this fashion... as far as disassemblies
being hard... well I do an average of 5-6 per day with files ranging in
size from 2k to 90k(although I will admit that some of the trickier
ones do cause head scratching occasionally...) note that i said
programs and not specifically viruses...
   cheers
   sandy


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3185 *Virus Info*
08-28-90 19:53:00 (Read 6 Times)
From: SANDY LOCKE
  To: TOM PREECE
Subj: REPLY TO MSG# 2911 (RE: REMAPPING...)
TP> As you may see by looking at my other entry's, I have been loading a c
TP> program that is clearly implementing software to remap my keys to s ce
TP> extent.  If this is possible as a glitch, its is obviously possible as
TP> attack.  Let's hope it never comes to that.
Tom,
    without adding too much fuel to any fire... certain
non-communication programs are susceptible to the ANSI programmable
attack... on my end I run no program that implements ANSI3.64
terminal control language without having a way to turn thoses "FEATURES
" off... certain programs without mentioning brand names do allow
this. if the echo moderator allows I will post a list of good and bad
programs in this regard... so that you can all protect yourselves
better...(n.b. after being chewed out by the moderator I am
constraining my comments carefully...)
   cheers
   sandyp.s. these attacks have been common since programmable
terminals came into being during the middle 1970's the problem is that
when these features were implemented in comm programs the possibility
arose that it was possible for malicious individuals to finally do some
real damage...the way to protect yourself is to STOP using programs
that implement such features and switch to others that are more secure
in their usage of such features...


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3186 *Virus Info*
08-29-90 05:44:00 (Read 6 Times)
From: PATRICIA HOFFMAN
  To: SANDY LOCKE
Subj: REPLY TO MSG# 3185 (RE: REMAPPING...)
 SL> attack... on my end I run no program that implements ANSI3.64
 SL> terminal control language without having a way to turn thoses "FEATURES
 SL> " off... certain programs without mentioning brand names do allow
 SL> this. if the echo moderator allows I will post a list of good and bad
 SL> programs in this regard... so that you can all protect yourselves
 SL> better...(n.b. after being chewed out by the moderator I am
 SL> constraining my comments carefully...)

Please feel free to go ahead and post the list.  Was just trying to keep you 
out of trouble, you do sometimes get over excited in messages...didn't mean for
it to be "chewing out".

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3187 *Virus Info*
08-29-90 06:27:00 (Read 7 Times)
From: PATRICIA HOFFMAN
  To: PHILLIP LAIRD
Subj: REPLY TO MSG# 2996 (RE: ONTARIO VIRUS)
 PL> Nope, I don't have the Ontario Virus that I know of!  I read about the 
 PL> Virus after I had posted to you,  Thanx for the info.  Nice to know 
 PL> where it loads in Mem, that would make a util easier to write once I 
 PL> had a fix on what you have already told me.
 PL> 

Ontario loads into the top of free memory, right below the 640K boundary.  It 
takes up 2,048 bytes.  If you run chkdsk after it is in memory, both total 
system memory and free available memory will have decreased by 2,048 bytes.  
Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3326 *Virus Info*
08-30-90 15:05:00 (Read 6 Times)
From: KEN DORSHIMER
  To: SANDY LOCKE
Subj: REPLY TO MSG# 3184 (RE: CRC CHECKING)

 ...at a time when Western civilization was declining
    too rapidly for comfort, yet too slowly to be very
    exciting Sandy Locke was saying:

 SL> well close... without discussing HOW its done... the file length is
 SL> altered back to the original length... its not that hard and does
 SL> point out one of the MAJOR problesm with crc scanners...that is that

interesting why don't you drop me some net-mail on this (see origin line)

 SL> the critical information that tells the operating system how long the
 SL> file is can be altered at will... as far as the comments of a virus
 SL> author disassembling the CRC package its commonly done during product
 SL> testing to find out ahead of time what algorithms are in use by the

i think that's one of the things i mentioned; that they would have to have
pre-existing knowledge of the crc scheme in order to make that work.

 SL> product... it really depends on the level of security one wants for
 SL> ones PC... I really wouldnt put it past a good virus author to
 SL> specifically target anti-viral programs in this fashion... as far as

one of the reasons i am interesting in developing my own anti-viral utils for
my software business.  i figure if they stay primarily in house, the chance
that some bozo will screw around with them and try to break them is reduced.

 SL> disassemblies being hard... well I do an average of 5-6 per day with
 SL> files ranging in size from 2k to 90k(although I will admit that some
 SL> of the trickier ones do cause head scratching occasionally...) note
 SL> that i said programs and not specifically viruses... cheers sandy

heh, yup source to assembled is always easier than the reverse process, of
course there's head scratching that goes on at that end too. :-)
the client said he wanted it to do what?!

 ...just part of the food chain...

--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 3327 *Virus Info*
08-29-90 11:37:00 (Read 6 Times)
From: PAUL FERGUSON
  To: EVERYONE
Subj: FLOPPY MBR BACKUP
I had originally posted this question to the moderator, but after a
little thought decided that I would be sure to receive a myriad of
answers from the ECHO participants if asking the question here,
also.....
      It is simply this:
 Does anyone have any decent (and simple) suggestions for extraction of
the floppy MBR???.....There are several very good utilities in the
public domain for strictly Hard Drive Boot Sector (ie. ST0) and other
utilities contained within, say for instance, PCTools, that can back-up
the HARD Drive Partition Table (I forgot to mention several PD programs
to back-up the FAT).....But, almost all of these that I have seen
pertain to the HDU! I realize that there are ways to write it to a file
using certain SPY-type programs, but what I am really interested in is
a simplified program that is easy to use at the lowest end of the USER
pyramid
   
  -Thanks in advance for your suggestions and assistance.....
    
    
  -Paul  ^@@^.........


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3328 *Virus Info*
08-29-90 18:46:00 (Read 6 Times)
From: PAUL FERGUSON
  To: EVERYONE
Subj: STEALTH FAMILY
I have read with great interest the July editions of VIRUS-L digest
(along with about the first week or so of August) and cannot, for the
life of me, figure the almighty hype with The (noticed that I
capitolized that!) Stealth Family of Virus....Only a Trojan should
deserve such attentention.....If one takes appropriate precautionary
measures, then the virus will (theoretically) be caught in memory..
...that is, it will make (and reside) a noticeable difference in
vectoring.....I truly believe WAY too much hype (Ok, maybe that is a
little strong!) has been given to this.....Yes, it can be a true menace
if one does not expect such a rogue, but come on.......I downloaded
some code today....Yes, I must say it IS quite ingenius, but at the
same time, I must also say, I enjoy the work I do, etc....
  
  PS.....Patrick Toulme, Check your E-Mail....
   
   
   ........"The Delicate Sound of Thunder".......


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3329 *Virus Info*
08-29-90 22:07:00 (Read 6 Times)
From: PAUL FERGUSON
  To: EVERYONE
Subj: LATENITE
Ok, so we're up again in the pale moonlite (unquote)...
    
  
    Next question (in paticular, to you, Sandy)
is:
    What diverse opinions do you have concerning those that, also,
fight the battle on the front lines (I'm noy alluding to who has any
more experience, to wit)...I feel that many of us (Tech
Support/Slash/Gov't Contractors)(No, We're not scum, nor
unknowledgable) have done much to benefit the Anti-Viral Research
Community.....I would like a little input on this topic.....
   
    
   
   .......We're not all BAD guys!........


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3330 *Virus Info*
08-31-90 13:05:00 (Read 6 Times)
From: HERB BROWN
  To: ALL
Subj: PKZ120.ZIP

I was informed that there is a bad version of PKZIP floating around by the name
of PKZ120.ZIP..  I am not sure if it is viral or not, but delete it if you find
it..


--- QM v1.00
 * Origin: Delta Point (1:396/5.11)




Msg#: 3331 *Virus Info*
09-01-90 11:34:00 (Read 7 Times)
From: DEREK BILLINGSLEY
  To: ALL
Subj: POSSIBLE VIRUS?

This just hit me today - I am not sure if it is some kind of system error or a 
potential virus.

Last night (September first) and before gave me no indication of any virus 
being present on my system. It is now september 1st and now, whenever a file is
written to disk (I noticed the text files first, but a downloaded zip'd file 
was also garbled...) it took out about 10 bytes from the beginning of each 
line...

When I realized this may be set to occur on this date, I set my DATE back a 
night and everything worked fine... I made a sample text file with a known 
pattern of characters -- any date past september 1st 1990 leaves the file 
altered as mentioned above. Any date previous is written unharmed...

SCANV56 reports only that the SCAN program is damaged - no disk presence of the
source is evident.

Has anyone heard of something like this happening?

Derek Billingsley

--- SLMAIL v1.36M  (#0198)
 * Origin: Atlantic Access SJ/NB 1-506-635-1964 HST You can Run With Us ! 
(1:255/1)




Msg#: 3354 *Virus Info*
08-29-90 09:02:00 (Read 6 Times)
From: CY WELCH
  To: SANDY LOCKE
Subj: REPLY TO MSG# 2759 (KEYBOARD REMAPPING....)
In a message to Cy Welch <25 Aug 90  6:39:00> Sandy Locke wrote:

 >CW> In a message to Everyone <16 Aug 90  6:32:00> Paul Ferguson wrote:

 > PF> Isn't it possible to remap some (or any) keyboard functions via
 > PF> communications with some funky ANSI control characters?....I seem to
 > PF> remember mention of this somewhere.....I really can't remember if was
 > PF> in the form of a question, though, or an answer.....It also made
 > PF> mention of PKWares' Safe-ANSI program...Somebody help us out here...

 >CW> I think most of the "FAST" ansi replacements do not have the keyboard
 >CW> remapping so that danger is removed in those cases.
 SL> Well if you are referring to FANSI.SYS by hershey Microsystems it too
 SL> is vunerable to remap effects... and since it implemnt FULL ANSI 3.64
 SL> terminal control codes plus some extensions it is even more vunerable
 SL> to a whole class of tricks that go way beyond noremally keyboard
 SL> remapping... but to there credit they ahve include a way to turn this
 SL> "FEATURE" OFF... just most users get it off a BBS and never order or
 SL> look at the 50.00 set of docs that come when you pay for the
 SL> products...

Actually I was refering to zansi.sys which is a high speed replacement which 
part of what they did to do it was to remove the keyboard remapping functions.

--- XRS! 3.40+
 * Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1)




Msg#: 3355 *Virus Info*
08-26-90 15:45:00 (Read 6 Times)
From: MIKE MCCUNE
  To: SANDY LOCKE
Subj: SECURE
Sandy,
Thanks for the information. I suspected that Secure probably had some
holes in its protection scheme and that someone knew about it. I am
curious about how the modified Jerusalem-B got around it. I'm pretty
sure how Virus 101 does it (the Air Force uses it) but I would like
to know if there are any other hole in secure...<MM>


--- Opus-CBCS 1.13
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)




Msg#: 3477 *Virus Info*
09-01-90 15:56:00 (Read 6 Times)
From: KEN DORSHIMER
  To: HERB BROWN
Subj: REPLY TO MSG# 3330 (RE: PKZ120.ZIP)
 >
 > I was informed that there is a bad version of PKZIP floating
 > around by the name of PKZ120.ZIP..  I am not sure if it
 > is viral or not, but delete it if you find it..
 
seem to remember seeing something about this a couple of months ago.
mostly, i wanted to drop a line and say "hey". got your net-mail, hopefully if 
the routing is working right, you got a response. :-) how's new orleans this 
time of year? later.
 


--- Opus-CBCS 1.12 & NoOrigin 3.7a


--- QM v1.00
 * Origin: Ion Induced Insomnia (1:203/42.753)




Msg#: 3478 *Virus Info*
09-02-90 10:45:00 (Read 6 Times)
From: JAMES KLASSEN
  To: PRAKASH JANAKIRAMAN
Subj: REPLY TO MSG# 2909 (LEPROSY)
   I have a copy of the Leprosy virus along with its source and 
"documentation".  What it does is copies itself to 4 exe or com files 
each time it is run and produces a memory error code so the user thinks 
there is a problem with memory and runs it again. After all the com and 
exe files have been infected, it displays a message that they have a 
virus and "Good luck!"...   It increases file sizes by 666 but when I 
tested it on a floppy, the bytes didn't increase...

--- W2Q v1.4
 * Origin: The C.F.I BBS * Norfolk, Va. * (804)423-1338 * (1:275/328)




Msg#: 3479 *Virus Info*
09-01-90 07:18:00 (Read 6 Times)
From: YASHA KIDA
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 3329 (LATENITE)
In a message of <29 Aug 90 22:07:29>, Paul Ferguson (1:204/869) writes:

 PF> EID:6368 151db0ee
 PF> Support/Slash/Gov't Contractors)(No, We're not scum, nor
 PF> unknowledgable) have done much to benefit the Anti-Viral Research
 PF> Community.....I would like a little input on this topic.....
 PF>    



I am a Private contractor for a Large Network installation an support company.
I work for the good of the Customer and the population (users). 

I hear the phrase " SLIMY CONTRACTOR" " M.F.C." everyday. I also heard 
"Can this be done", "Would you look into this...", "What are your suggestions 
so I can put them in my report" when things get deep. We are the WHIPPING BOYS 
and EMERGENCY 911 all in one.

I am sure there are Software contractors who have planted or released a virus 
at contract renewal time. To show how much they are needed.
There are also those of us the that want to see their job sites safe from such 
problems. We are the ones who own our time (Non-Paid) Compile information
on ways to safe guard our data from compermise or viral attacks. 

The Anti-Viral reseach done by Mrs. Hoffman (PAT)  and John McAfees group 
is carefully read and evaluated on my end. I am sure it has saved many a rear
from a bear trap.



--- msged 1.99S ZTC
 * Origin: Bragg IDBS, (FT. Bragg, NC - we're gonna kick some booty) 
(1:151/305)




Msg#: 3480 *Virus Info*
09-02-90 19:19:00 (Read 6 Times)
From: HERB BROWN
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 3477 (RE: PKZ120.ZIP)
With a sharp eye <Sep 01 15:56>, Ken Dorshimer (1:203/42.753) noted:
 >
 > I was informed that there is a bad version of PKZIP floating
 > around by the name of PKZ120.ZIP..  I am not sure if it
 > is viral or not, but delete it if you find it..
 KD> 
 KD>seem to remember seeing something about this a couple of months ago.
 KD>mostly, i wanted to drop a line and say "hey". got your net-mail, 
 KD>hopefully if the routing is working right, you got a response. :-) 
 KD>how's new orleans this time of year? later.
 KD> 


Hmmmm, first time I heard of this file.  How long ago did it appear?
Rained Sunday and had to BBQ inside.  Made watching TV a little hard, but we 
managed.


--- QM v1.00
 * Origin: Delta Point (1:396/5.11)




Msg#: 3630 *Virus Info*
09-01-90 20:49:00 (Read 6 Times)
From: PAUL FERGUSON
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 3326 (RE: CRC CHECKING)
Ken...
   
    I've GOT to agree with you on this one....only preconceived CRC
defeaters are just that...preconceived....no such luck...


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 3813 *Virus Info*
09-01-90 13:11:00 (Read 6 Times)
From: KEVIN HIGGINS
  To: JAMES DICK
Subj: SECURING YOUR UPLOADS
    I've got checkout, and while its a pretty neat program, there are a few 
things I don't like about it, the main one being the initial memory scan. I 
also don't like the auto-pause that seems to be at the beginning of it. That 
means running gateway, which means the user may be able to get into DOS and 
party. (have heard of Key-fake, but never seen it around to play with it..).
    TAG calls a file named postul.bat after every upload (if the .bat file is 
present), so I hacked up this .bat file to auto-check for virii. But I'm not 
smart enough to know how to use the %%f in a batch file to have it run through 
for all the files in the active directory (for batch uploads)...
    Maybe there's a genius out there who can help. FYI the parameters passed to
the .bat file are: [Baud] [ComPort] [User#] [U/L Dir] [Filename].

Here it is. Chuckle, then help make it better <grin>. 

echo off
cd\bbs\uploads
echo Verifying latest Pkzip version...... > com2
REM This program checks file integrity.
ozf -v %5 > com2
echo : > com2
REM These are the directories I don't want checked.
if %4 == D:\ZIPSTUFF\WRITERS\ goto end
if %4 == D:\ZIPSTUFF\AMIGA goto end
echo Testing file integrity, and checking for virii. > com2
echo Please wait..... (this is the scary part, eh?) > com2
echo : > com2
echo Moving the suspect file to a sterile cell for interogation.... > com2
REM This moves the file to an empty directory for the examination.
move %4%5 d:\bbs\bads
echo File is now undergoing interrogation... > com2
cd\bbs\bads
pkunzip -x D:\bbs\bads\%5 *.exe *.com > com2
scan d:\bbs\bads\*.exe /NOMEM > com2
scan d:\bbs\bads\*.com /NOMEM > com2
if errorlevel 1 goto Oops
echo Alright! (whew) File passed. > com2
del *.exe
del *.com
echo Almost finished. Releasing innocent file back into public. > com2
move %5 d:\bbs\uploads
echo : > com2
echo Now adding (Nested) zip comment to file... > com2
cd\
REM This adds the Hornet's Nest comment to the .Zip file.
call d:\commentr.bat
cd\bbs
echo Thanks for waiting!..
goto end
:Oops
echo Arrrrgghhhhh! File had a virus! File deleted! > com2
erase *.*
echo Logging your name to Scumbag.lst! > com2
echo Hey, Kato! User number %3 tried to upload a virus infected file! >>
d:\fd\scumbag.lst
echo Maybe you need to leave a message to Kato, eh? > com2
cd\bbs
:end


(Note: the fourth line from the end is a continuation of the line above it.)
Also, I have a program that will make a .com fil out of a .bat file, for faster
processing. Any reason why this couldn't be done with the above .bat file? How 
about after the %%f is added?
                                            Kevin

--- TAGMAIL v2.40.02 Beta
 * Origin: The Hornet's Nest BBS (1:128/74)




Msg#: 3814 *Virus Info*
09-03-90 23:40:00 (Read 5 Times)
From: RICK THOMA
  To: HERB BROWN
Subj: REPLY TO MSG# 3480 (RE: PKZ120.ZIP)
 > Hmmmm, first time I heard of this file.  How long ago did it
 > appear?

   I have a copy, and think it came out around March, or so.  At the time, 
SCANV detected no virus, but I thought better of running it.

   Sorry, folks.  Whatever it is, it isn't available for downloading, so please
don't ask.  I'm just waiting for the time to pick it apart, to see just what 
kind of hack it is.

--- FD 2.00
 * Origin: Village BBS, Mahopac, NY  914-621-2719 *HST* (1:272/1)




Msg#: 3815 *Virus Info*
09-03-90 03:38:00 (Read 5 Times)
From: KEN DORSHIMER
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 3630 (RE: CRC CHECKING)

 ...at a time when Western civilization was declining
    too rapidly for comfort, yet too slowly to be very
    exciting Paul Ferguson was saying:

 PF> Ken... I've GOT to agree with you on this one....only preconceived CRC
 PF> defeaters are just that...preconceived....no such luck...
 PF>

that's what i figured. that is if you're responding to the msg i think you're
responding to. what the hell does that mean?

 ...space is merely a device to keep everything from being
    in the same spot...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 3816 *Virus Info*
09-03-90 18:03:00 (Read 5 Times)
From: KEN DORSHIMER
  To: HERB BROWN
Subj: REPLY TO MSG# 3814 (RE: PKZ120.ZIP)

 ...at a time when Western civilization was declining
    too rapidly for comfort, yet too slowly to be very
    exciting Herb Brown was saying:

 HB> Hmmmm, first time I heard of this file.  How long ago did it appear?
 HB> Rained Sunday and had to BBQ inside.  Made watching TV a little hard,
 HB> but we managed.

i think it was a couple of months ago. which means any mention of it has long
since been renumbered off my system. yup BBQing indoors does have a certain
mystique. i know dinner is ready when the smoke alarm goes off.

 ...space is merely a device to keep everything from being
    in the same spot...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 3817 *Virus Info*
09-03-90 18:08:00 (Read 7 Times)
From: KEN DORSHIMER
  To: DEREK BILLINGSLEY
Subj: REPLY TO MSG# 3331 (RE: POSSIBLE VIRUS?)

 ...at a time when Western civilization was declining
    too rapidly for comfort, yet too slowly to be very
    exciting DEREK BILLINGSLEY was saying:

 DB> This just hit me today - I am not sure if it is some kind of system
 DB> error or a potential virus.
 DB>
 DB> Last night (September first) and before gave me no indication of any
 DB> virus being present on my system. It is now september 1st and now,
 DB> whenever a file is written to disk (I noticed the text files first,
 DB> but a downloaded zip'd file was also garbled...) it took out about 10
 DB> bytes from the beginning of each line...
 DB>

could you send a copy of what you believe is infected to me? i'd like to
analyse this myself, thanks.
my address is:
Dorshimer Software Systems
P.O. Box 191126
Sacramento, Ca. 95819-1126 USA

 ...space is merely a device to keep everything from being
    in the same spot...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 3818 *Virus Info*
09-03-90 20:57:00 (Read 4 Times)
From: JOHN HERRBACH
  To: ALL
Subj: PUBLIC KEY ENCRYPTION
Does anyone know the status or progress in regards to public key encryption?
Thanks.

John {|-)

--- ME2
 * Origin: The Lighthouse BBS/HST; Lansing, MI; 517-321-0788 (1:159/950)




Msg#: 3819 *Virus Info*
09-01-90 20:26:00 (Read 5 Times)
From: SEAN SOMERS
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 3186 (RE: REMAPPING...)

Off topic here, anybody out there encounter the French Revoloution virus? I was
the first out here to discover it. What it does is nuke your HD while 
displaying an anti Western/English speaking Canadians.  
 



--- outGATE v2.10 
 # Origin: SIGnet International GateHost (8:7501/103)
 * Origin: Network Echogate (1:129/34)




Msg#: 3938 *Virus Info*
09-06-90 11:51:00 (Read 13 Times)
From: YASHA KIDA
  To: SKY RAIDER (Rcvd)
Subj: REPLY TO MSG# 2995 (RE: VIRUS ORIGINALS)

GLAD TO SEE SOMEONE  does their homework...

Well written.. If you don't mind I wish to post it as a bulletin
on my System (BBS).. Re written to as a document instead of a 
msg reply...
                                                       '


Yasha
sysop 151/305



"What do you do when all of your users are in the sand lands, without a phone."






--- Maximus-CBCS v1.00
 * Origin: Bragg IDBS, We hunt bugs for the 82nd Airborne (1:151/305)




Msg#: 3974 *Virus Info*
09-08-90 13:42:35 (Read 5 Times)
From: SKY RAIDER
  To: YASHA KIDA
Subj: VIRUS POST ON BBS
Yasha,
 
You write:
 
GLAD TO SEE SOMEONE  does their homework...
 
Well written.. If you don't mind I wish to post it as a bulletin on my System 
(BBS).. Re written to as a document instead of a msg reply...
 
 
Sure, no problems in rewritting and posting on your system. I try not to enter 
into this type of a conversation without at least a bit of a footing in fact. I
wish I could find the original document I had quoting these things (it had 
names, dates, etc.). How about giving me your system number so I can call and 
see the finished form (never been quoted in this manner before).
 
                               A questor of knowledge,
 
                                        Sky Raider
                                        Ivan Baird, CET
--- TBBS v2.1/NM
 * Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K>  (1:255/3)



Msg#: 4025 *Virus Info*
09-06-90 13:32:00 (Read 6 Times)
From: JONO MOORE
  To: JOE MORLAN
Subj: REPLY TO MSG# 3157 (LHARC114?)
JM >I had heard that and infected version of LHARC was released
JM >last year under the name LHARC114.  I also heard that
JM >because of that, the next release of LHARC was expected to
JM >be LHARC200 to avoid confustion with the virus.  This week a
JM >file appeared on a local board called LHARC114.  I left a
JM >message to the sysop to check it out and he says it's clean.
JM >The docs say that this is version 114b, the latest version.

LHARC v1.14b is a real release.  The author brought it out after the 
controversy on the fake 1.14 release.  
 



--- outGATE v2.10 
 # Origin: SIGnet International GateHost (8:7501/103)
 * Origin: Network Echogate (1:129/34)




Msg#: 4026 *Virus Info*
09-05-90 19:47:00 (Read 5 Times)
From: PATRICIA HOFFMAN
  To: PAUL FERGUSON
Subj: LET ME REPHRASE THAT.....
 PF>     Actually, I really should have said "virtually preconceived".
 PF> From what I can gather on the topic (I don't yet have a copy of 4096),
 PF> they actually redirect CRC/Checksum interrogators to a "snapshot" of
 PF> the original file as it appeared before infection.(Someone, I'm sure,
 PF> will correct me if I'm wrong or at least add enlightenment.)

You are correct.....What the CRC/Checksum interrogator sees, if 4096 is in
memory, is the disinfected version of the program in memory, not what is
actually out on disk.  Fish 6 also does this, as do a couple of other viruses
using Stealth techniques.

 PF> The infected file, in the case of 4096, has in reality grown by 4096
 PF> bytes and would more than likely hang the system, therefore, which
 PF> would lead me to believe that running the CRC check without the virus
 PF> TSR would allow you to identify the actual infected files. Also, it
 PF> seems like the only way to catch it TSR is to trace the interrupt
 PF> vectors (although everyone seems to have a little bit of differing
 PF> ideas on this '->)

Lots of 4096 infected files will run without hanging the system....the virus
disinfects the program when it is read into memory so that anti-viral packages
can't find the virus as easily.  CRC checkers and scanners won't be able to
find it in the infected file if the virus is in memory, in fact, these viruses
usually infect on file open as well as execute.  Run a CRC checker or Scanner
that doesn't check memory for the virus with it present and you'll infect
everything that is openned that meets its infection criteria.

If the virus isn't in memory, the CRC checker technique will work to identify
the infected files in 99% of the cases.  I'm not going to say 100% because I
believe some of the 512 virus variants can get around it due to the way it
attaches to the files in some cases, but not all.  Some CRC checkers don't
actually CRC the entire file either....and as soon as I state it is a fool
proof way of doing it, someone will write a virus that gets around it
perfectly in all cases.

Patti

 PF>      Until I can get my hands on this little fellow, I guess that I'll
 PF> just follow the more logical explanations from the sources with
 PF> credibilty and make a judgement from that! Sounds credible. But, as I'v
 PF> said before-    I sure would like to see it.
 PF>
 PF>       I've been following several different message base threads on
 PF> this particular virus, with input from users at the basic levels to BBS
 PF> SysOps to the AntiViral research community.......I must say, it gets
 PF> overwhelming at times to keep objective. *:)
 PF>
 PF>      -Paul
 PF>
 PF>
 PF> --- QM v1.00
 PF>  * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813
 PF> (1:204/869.0)
 PF>

--- W2Q v1.4
 * Origin: The C.F.I BBS * Norfolk, Va. * (804)423-1338 * (1:275/328)




Msg#: 4027 *Virus Info*
09-07-90 12:48:00 (Read 4 Times)
From: MICHAEL ADAMS
  To: RICHARD HUFFMAN
Subj: RE: ARC.EXE
Thank you for the warning .... Kill keep an eye out for it.  

--- Maximus-CBCS v1.00
 * Origin: The Southern Star - SDS/SDN/PDN - 504-885-5928 - (1:396/1)




Msg#: 4028 *Virus Info*
09-07-90 20:21:00 (Read 5 Times)
From: HERB BROWN
  To: JONO MOORE
Subj: REPLY TO MSG# 4025 (LHARC114?)

JM >I had heard that and infected version of LHARC was released
JM >last year under the name LHARC114.  I also heard that
JM >because of that, the next release of LHARC was expected to
JM >be LHARC200 to avoid confustion with the virus.  This week a
JM >file appeared on a local board called LHARC114.  I left a
JM >message to the sysop to check it out and he says it's clean.
JM >The docs say that this is version 114b, the latest version.

 JM>LHARC v1.14b is a real release.  The author brought it out after the 
 JM>controversy on the fake 1.14 release.  
 JM> 

Now, how is someone going to know the difference?  That is about as dumb as 
BBQ'ing indoors and forgetting to open the windows... Sheesh..


--- QM v1.00
 * Origin: Delta Point (1:396/5.11)




Msg#: 4029 *Virus Info*
09-07-90 20:25:00 (Read 4 Times)
From: HERB BROWN
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4026 (LET ME REPHRASE THAT.....)


 PH>can't find the virus as easily.  CRC checkers and scanners won't be 
 PH>able to
 PH>find it in the infected file if the virus is in memory, in fact, these 
 PH>viruses
 PH>usually infect on file open as well as execute.  Run a CRC checker or 
 PH>Scanner
 PH>that doesn't check memory for the virus with it present and you'll 
 PH>infect
 PH>everything that is openned that meets its infection criteria.


I seem to be missing something here.  As I understand it, to check for virii 
with a scanner, such as SCAN, or whatever, you boot from a uninfected floppy 
that has scan residing on it.  Ok, now, how would a virus that works as a TSR, 
that probably is loaded from the boot sector from the hard disk be loaded, if 
you are booting from the floppy?  Which, the floppy being write protected, of 
course, would not have this viral infection.  I was under the assumption that 
the BIOS first checked drive A: at bootup for a disk, etc.  It seems that it 
would be impossible to find a virii in memory with this type of scheme.. Please
enlighten me..


--- QM v1.00
 * Origin: Delta Point (1:396/5.11)




Msg#: 4030 *Virus Info*
09-07-90 17:03:00 (Read 5 Times)
From: TALLEY RAGAN
  To: MIKE MCCUNE
Subj: REPLY TO MSG# 2910 (RE: REMOVING JOSHI)


In a message to Talley Ragan <09-04-90 16:04> Mike Mccune wrote:

MM>>I have posted a new version that checks for the virus
MM>>before
MM>>trying to remove it (now that I have a working copy of the
MM>>virus). It will not damage the partition table on
MM>>uninfected
MM>>hard disks...<MM>.

        Thanks for the information.  This was very educational, as I have
had one case of a virus.  I don't know how it workedbut the screen would
show all garbage and then the computer would hang.  I low level formatted
the hard disk and restored from good backups.  I sure would like to know
how it got to me and where it came from!!...  Thanks again.


                Talley



--- ZAFFER v1.01
--- QuickBBS 2.64 [Reg] Qecho ver 2.62
 * Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9)




Msg#: 4031 *Virus Info*
09-05-90 21:23:00 (Read 5 Times)
From: TOM PREECE
  To: HERB BROWN
Subj: REPLY TO MSG# 3816 (RE: PKZ120.ZIP)
I seem to remember running into this file several months ago.  I don't remember
concluding that it had a virus - just that it didn't work properly. The sysop 
on the sytem that had it apparently reached the same conclusion or something 
similar because it disappeared here (SF Bay Area.)
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#: 4032 *Virus Info*
09-06-90 19:15:00 (Read 5 Times)
From: KEN DORSHIMER
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 4029 (RE: LET ME REPHRASE THAT.....)

 ...at a time when Western civilization was declining
    too rapidly for comfort, yet too slowly to be very
    exciting Paul Ferguson was saying:

 PF> Ken- This is a continuation of msg.# 156 (I dropped the

just FYI the msg numbers don't have much bearing here. on my system is was
#75 or something. :-)

 PF> don't yet have a copy of 4096), they actually redirect CRC/Checksum
 PF> interrogators to a "snapshot" of the original file as it appeared
 PF> before infection.(Someone, I'm sure, will correct me if I'm wrong or

interesting. seems there would be some simple method of circumventing what
the virus does. (i don't have a copy of that one yet either)

 PF> system, therefore, which would lead me to believe that running the CRC
 PF> check without the virus TSR would allow you to identify the actual
 PF> infected files. Also, it seems like the only way to catch it TSR is to
 PF> trace the interrupt vectors (although everyone seems to have a little

i've always thought that by having your own tsr grab the interupts first
might be a good way to stop unwanted tsr's from grabbing them. (i'm sure
someone will argue the point tho)

 ...space is merely a device to keep everything from being
    in the same spot...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#: 4278 *Virus Info*
09-08-90 13:51:00 (Read 5 Times)
From: DUANE BROWN
  To: PHILLIP LAIRD
Subj: REPLY TO MSG# 3813 (SECURING YOUR UPLOADS)
 PL>present.  I have the Key fake program if it will help you!
 PL>That file will enter the "Y or N" Question when the batch
 PL>file comes to Are you sure? Y or N.  Meaning you had the
 PL>batch file to delete all programs in the temp check

That's easy to fix the problem about del *.* -- just do

echo y | del *.*

then the Y gets placed in there automatically...no keyfake, nothing!  
 
--- 
 * Origin: End of the Line. Stafford, Va. (703)720-1624. (1:274/16)




Msg#: 4279 *Virus Info*
09-07-90 12:45:00 (Read 5 Times)
From: CHARLES HANNUM
  To: PHILLIP LAIRD
Subj: REPLY TO MSG# 4031 (RE: PKZ120.ZIP)
 >Didn't someone say that because someone had already hacked an earlier
 >version of PKZIP that 120 would be the next scheduled release?
 >Anybody have any info?

Yes.  Phil Katz said it.

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#: 4280 *Virus Info*
09-08-90 10:49:00 (Read 4 Times)
From: JAMES BARRETT
  To: ALL
Subj: SEPTEMBER 18-20, 1990
I have heard somebody mention that there will be a major virus in the next 
couple of weeks.  What's the scoop?  I'm involved in a college campus computer 
lab and need to know what's coming and how to prepare for it.  Will ScanV66 
catch it????

Thanks in advance...
--JCB
--- XRS 3.40+
 * Origin: >- c y n o s u r e -<  919-929-5153  <HST><XRS> (RAX 1:151/501.14)




Msg#: 4281 *Virus Info*
09-08-90 17:39:00 (Read 4 Times)
From: HERB BROWN
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 4032 (RE: LET ME REPHRASE THAT.....)
With a sharp eye <Sep 06 19:15>, Ken Dorshimer (1:203/42.753) noted:

 KD>i've always thought that by having your own tsr grab the interupts 
 KD>first
 KD>might be a good way to stop unwanted tsr's from grabbing them. (i'm 
 KD>sure
 KD>someone will argue the point tho)

Depends on who got there first, I would presume.. Also, multiple TSR's would be
a nightmare, colliding and such.


--- QM v1.00
 * Origin: Delta Point (1:396/5.11)




Msg#: 4535 *Virus Info*
09-07-90 08:04:00 (Read 4 Times)
From: PAUL FERGUSON
  To: DOUG EMMETT
Subj: SCAN FROM C:
Hello, Doug....
       Doug, I must tell you that it is not advisable to run ViruScan
from your hard disc....It really should ALWAYS be run from a WRITE
PROTECTED FLOPPY....Scan can become easily infected when ran in an
infected environment on a HD. BTW....Software that "Write Protects" you
r hard disc may work in some cases, but can be circunvented.
Be safe.....
              -Paul


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 4536 *Virus Info*
09-07-90 08:06:00 (Read 4 Times)
From: PAUL FERGUSON
  To: LONNIE DENNISON
Subj: WELCOME...
Glad to have you........
                        Welcome aboard....
                                                -Paul   ^@@^........


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 4537 *Virus Info*
09-07-90 08:09:00 (Read 4 Times)
From: PAUL FERGUSON
  To: RICHARD HUFFMAN
Subj: REPLY TO MSG# 4027 (ARC.EXE)
Richard,
    Please E- me out of the conference....I would like to discuss this
a little further......Better yet, contact me at the NCSA BBS in DC
(202) 364-1304 at 1200/2400, 8,N,1.....I can be reached in the VIRUS
Conference.....Thanks, -Paul


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 4538 *Virus Info*
08-16-90 08:30:00 (Read 5 Times)
From: ALAN DAWSON
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 3183 (RE: VIRUS SCANNERS....)
 PH> I just wish the people writing this viruses would find more 
 PH> useful things to do with their talents....such as trying to 
 PH> help people instead of harm their systems.
     
Hear, hear! The frustrating, rug-chewing, desk-beating, 
monitor-smashing, stomp-down crying SHAME is that some of these 
viruses, on a technical level, are tremendously slick, wonderous 
programs. The people writing them are wonderful programmers. Just 
think what these people could be doing to help our PCs work better by 
writing a different kind of program -- and, potentially, how much 
money they might be able to make. They obviously have inventive 
minds, many of them. Such inventiveness could be put to such great 
use.



--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 4539 *Virus Info*
08-16-90 08:36:00 (Read 5 Times)
From: ALAN DAWSON
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4538 (RE: VIRUS SCANNERS....)
 PH> I'd agree with that.  The anti-viral program should be able to 
 PH> detect that it is infected and produce a warning, though it may 
 PH> still execute.  By the time the anti-viral program has 
 PH> determined its been infected, you've already infected system 
 PH> memory or spread the virus. 

Sure. Something ELSE has infected it. No reason not to let it run so 
long as it still works. One of our local youngsters wrote a wonderful 
remover of the Dark Avenger -- about 1400 bytes and worked like a 
charm. Only one teensy-weensy trouble -- the remover got infected and 
didn't warn you. That's not really one of the more useful programs to 
have around.
   Since it seems to be the constant topic of conversation here, 
SCANV's routine of warning of infection and continuing its duties is 
great.
   A common cause of re-infection is forgetting to remove the tools 
you used in the disinfection process -- stuff like LIST, just for 
example, that you might have used to examine the virus. 




--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 4540 *Virus Info*
08-16-90 08:52:00 (Read 5 Times)
From: ALAN DAWSON
  To: MICHAEL TUNN
Subj: REPLY TO MSG# 2899 (RE: WHAT'S THE SOLUTION?)
 MT> It seems to me our Virus checking programs will just get bigger 
 MT> and bigger as more viruses and strains of the same viruses are 
 MT> discovered. If so (and if their development is excelerating) 

Right. Question of the Year (1991??): What can you call it after you've 
hit the SCANV999 wall?

 MT> Do we do develop new Operating Systems which are far more 
 MT> secure! 

Well, at least a new DOS which allows 9-character names? Then we 
could do SCANV9999. [joke].

 MT> Do we crawl in a hole and hope it wont happen to us?
     
No, in a metaphor placed in 1970 terms, we get to the airport two 
hours before flight time for the security checks. And for the same 
reason, too -- the unwillingness of the many to take the resolve to 
remove the few. We have, most of us, helped the virus writers build 
up their existing sick belief that we are willing participants in 
some kind of game here. They win if they manage to steal our time, 
programs, disk space and data. They only do it because they had an 
unhappy childhood, right?
   One tangible result of allowing them to feed on this warped view 
is this echo, where we're all trying to get to the airport two hours 
early for the security check -- AND WE'RE ALL WASTING TWO HOURS 
because somebody we don't know might try to hurt us.
   We should have sympathy for Robert Morris, of course, because 
after all, he was just experimenting and not REALLY trying to hurt 
anyone, right? I have a one-word, two-syllable response to that but 
FidoNet policy frowns down upon me for thinking of using it.



--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 4541 *Virus Info*
08-16-90 09:25:00 (Read 4 Times)
From: ALAN DAWSON
  To: KEN DORSHIMER
Subj: RE: VIRUSES, WHAT ELSE...
 KD> not sure on that one, who knows what menagerie of thoughts 
 KD> wander through clients minds.. :-)  actually, i was unaware of 
 KD> Corporate Vaccine (maybe I should get out more). I'm a little 
 KD> concerned that the commercial programs may not be aware of some 
 KD> of the newer viruses which crop up from time to time. 

This is just a thought, too. But why not take your clients into your 
confidence, and point out to them that it is virtually impossible for 
anyone to match the up-to-dateness of a BBS distribution system? 
You're a BBSer. You know, just for example, that without BBSes McAfee 
couldn't have a program-of-the-week. Distribution of what your 
clients think of as commercial software simply isn't up to this 
standard -- isn't meant to be; never was; probably never will be.
   Seems to me if your clients like the SCANV concept, you should 
explain to them why they should be using SCANV. Why reinvent the 
wheel?
   If it wasn't that commercial messages which mention something 
other than SCANV often seem to get flamed here, I'd tell you about my 
commercial, non-BBS, wholly generic virus detector that doesn't need 
upgrading, which is available in North America and which soon will be 
launched there. But I don't want to get flamed, so I won't.



--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 4542 *Virus Info*
08-29-90 12:26:00 (Read 5 Times)
From: ALAN DAWSON
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 3815 (RE: CRC CHECKING)
 PH>> Except in the case of Stealth Viruses....CRC checking doesn't work
 PH>> with them.
 PH>>
     
 KD> i'd have to see that for myself. i think a complex enough 
 KD> algorithm would keep them at bay. the probability factor is 
 KD> just too low for such a stealth scheme to work.
     
Roger that. A program (such as a virus) can possibly figure out a 
checksum or CRC and "fool" your checker. But complex and random 
checksumming or CRCing is beyond the real-world possibility of defeat 
by a PC virus -- it would have to be too big and complex itself.
   Our strategy on our anti-virus program is to have eight different 
algorithms, and to use two of them on each checksum pass. Which two, 
even we do not know. Your virus then would have to take into account 
64 reasonably complex algorithmic possibilities to defeat it.
   Patti is technically correct that this can be done -- but not in 
the real world. I'd tend to be slightly suspicious if my word 
processor suddenly grew by the size of THIS virus. Most programs 
would, in fact, be incapable of loading it.
   As you say -- make it complex (which isn't so difficult) and keep 
churning out hundreds of different algorithms. Then you can forget 
about "stealth" viruses succeeding.

   - From Thailand, a warm country in more ways than one.     





--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 4543 *Virus Info*
09-01-90 21:26:00 (Read 5 Times)
From: ALAN DAWSON
  To: PHILLIP LAIRD
Subj: REPLY TO MSG# 3154 (RE: SCAN WEIRDNESS)
 PL> Allan, I NEVER SCAN from the C Drive or any hard disk.  I 
 PL> always scan from a write protected Floppy Diskette in Drive A.  

This is absolutely correct, of course, and EXACTLY what's recommended 
in the doc. I was just curious whether others had had the experience. 
I do do some experimenting with viruses and anti-virus stuff, because 
Bangkok's a "virus capital" (dumb dealers plus a whole raft of 
pirates) and because I'm involved in a commercial anti-virus project. 
This was just a weird thing that happened to me when I was "playing" 
with Dark Avenger. I do wonder how many people follow that 
"write-protected floppy" recommendation (order???) in the SCAN docs, 
though.
   One note on your comment: it might be hard for some people to 
follow the recommendation, i.e. those with one floppy. The total 
beauty of SCAN, really, is to look over that new stuff. A lot of 
machines go to new people with one floppy drive. 
   A lot also go with two different floppy drives (my own setup) 
although this of course is combatted simply by having TWO 
write-protected diskettes with SCAN aboard.
   - From Thailand, a warm country in more ways than one.     





--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 4544 *Virus Info*
09-01-90 23:00:00 (Read 5 Times)
From: ALAN DAWSON
  To: SANDY LOCKE
Subj: REPLY TO MSG# 3819 (RE: REMAPPING...)
 SL>  long time programmer I can testify the keyboard mapping is 
 SL>  really quite simple... no real problem and the business of 
 SL>  using terminal control code is quite as simple...
 SL>     sandy

Finally, some sanity, sandy. [grin] (no pun intended until after I 
read that). The letter bomb, as a friend calls it, is alive, well and 
could certainly flourish. I wouldn't lay a huge amount of money on 
the ability to write a *virus* with remapping, but a bomb's a piece 
of cake. 
   I THINK this thread started with the ability to put one directly 
over a terminal BBS-to-user connection, and in general there seem by 
my own experiments to be two chances of this: slim and fat. But, like 
a virus, a letter bomb can be transmitted via a BBS to a user, and 
then set off by that user in a number of pernicious ways that occur 
to me right off the top of my head. None of which you will see writ 
here, you understand -- but after watching this thread for a few 
weeks, I'm glad you leapt in with both feet.
   - From Thailand, a warm country in more ways than one.     





--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 4545 *Virus Info*
09-06-90 18:59:00 (Read 5 Times)
From: ALAN DAWSON
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4543 (RE: SCAN WEIRDNESS)
 PH> There are a couple of possibilities here.  First, if the virus 
 PH> is on a non-executable file, such as one with a .VOM or .VXE 

Nope, wasn't either of these Patti. I tried to put in everything, and 
then forgot to say it was a regular file called AVENGER.COM -- a 
small utility I infected to harbor the virus when I ran it for tests. 
The utility originally was a small screen shell for looking at files 
a la LIST. It USED to be 3K, but now it's a little bigger [grin]

 PH> The other case is if your copy of Dark Avenger does not occur 
 PH> at the correct place in the file.  Dark Avenger always adds its 
 PH> code to the End Of Programs. If your copy happens to have it at 

Roger. This is right up against the end of the file. 

 PH> Hope that helps....those are the only three cases that I've 
 PH> heard of a similar problem to yours.  
     
OK, no biggie. It was just that it was so weird I thought maybe you'd 
heard of it. I'll try it again when we get SCAN66B just for fun. It's 
not the kind of "bug" that's detrimental -- it's just one of those 
hey-it's-not-supposed-to-do-that things. Stupid machines.
   - From Thailand, a warm country in more ways than one.     





--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 4546 *Virus Info*
09-06-90 19:00:00 (Read 5 Times)
From: ALAN DAWSON
  To: SANDY LOCKE
Subj: REPLY TO MSG# 4539 (RE: VIRUS SCANNERS....)
 SL>  UH ALAN... you mind sending the NAME of this vendor via private
 SL> e-mail... accidentally I can understand BUT ON PURPOSE??? what 
 SL> end would this kind of action serve???
 SL>     cheers
 SL>     sandy
     
This was before the Great Virus Scare of 1989 of course -- it was, if 
my tremendously failing memory isn't failing me, in 1986. A Toronto 
magazine put the virus in as a joke -- every time you started an 
infected program, a brief ad for the mag jumped up. Ald. . . whoops, 
the company name almost slipped out there, thought this was 
hilarious, left it in and shipped the thing. I'll send full details 
your way. 
   This same company, the next time it shipped viruses, claimed that 
a guy in the shipping department was playing a game and accidentally 
infected the shipment (exclaimer!!!!). Is this a company with a weird 
sense of security, or what?
      - From Thailand, a warm country in more ways than one.     





--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 4746 *Virus Info*
09-09-90 14:33:00 (Read 4 Times)
From: CHARLES HANNUM
  To: PHILLIP LAIRD
Subj: RE: MAKING SCAN READ ONLY.
 > Patti, is it feasible to make Scan.Exe Read only?  Doug Emmett was
 > wondering about doing that.  Couldn't you change the archive bits to
 > read only?  Also, doesn't scan have an internal routine to determine
 > if it is damaged?

Setting the "Read-only" attribute wouldn't even *phase* a decent virus, and
SCAN's internal checksum is VERY weak.  (It quite literally is a checksum.
It simply checks to see if all the words in the files add up to 0.)

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#: 4747 *Virus Info*
09-09-90 07:35:00 (Read 5 Times)
From: JERRY MASEFIELD
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 4279 (RE: PKZ120.ZIP)
 >  >Didn't someone say that because someone had already hacked an earlier
 >  >version of PKZIP that 120 would be the next scheduled release?
 >  >Anybody have any info?
 >
 > Yes.  Phil Katz said it.

No, Phil Katz said there WOULDN'T be a 120 release because of the same reason. 
This would eliminate any confusions between the real and phony versions.  Also,
Katz is offering a reward for any info leading to the arrest of the perpetrator
of this hacking.


--- TosScan 1.00
 * Origin: On A Clear Disk You Can Seek Forever! (1:260/212)




Msg#: 4748 *Virus Info*
09-09-90 23:16:00 (Read 5 Times)
From: PHILLIP LAIRD
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 4747 (RE: PKZ120.ZIP)

 >Yes.  Phil Katz said it.
 >
 >--- ZMailQ 1.12 (QuickBBS)
 > * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)


That is what I thought.  As soon as he went and said it, somebody appearently 
decided to hack it, huh?

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 4749 *Virus Info*
09-08-90 17:42:00 (Read 4 Times)
From: PAUL FERGUSON
  To: KEN DORSHIMER
Subj: YEAH, BUT...
You're on the right track, Ken....But TSR's have a nasty habit of
fighting for control amongst each other. Some do not behave very well.
-Paul


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 4750 *Virus Info*
09-09-90 08:43:00 (Read 6 Times)
From: PATRICIA HOFFMAN
  To: PHILLIP LAIRD
Subj: JERUSALEM B AND CLEANP64.ZIP
 PL> I cleaned 17 infected files today with clean version 64.  I have a good 
 PL> question.  While the program removes the file, some where removed the 
 PL> first time around, others were scanned several times before the virus 
 PL> was actually removed.  Can you tell me why?

The programs that were scanned several times probably were infected multiple 
times with Jerusalem virus.  A lot of the variants of Jerusalem B will infect 
.EXE files repeatedly, eventually the program will get too large to fit into 
memory.  On files that are infected multiple times with Jerusalem, you'll see a
message come up for each infection as it is removed.  

That is my guess as to what you observed...

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 4751 *Virus Info*
09-09-90 11:01:00 (Read 5 Times)
From: PATRICIA HOFFMAN
  To: HERB BROWN
Subj: REPLY TO MSG# 4281 (LET ME REPHRASE THAT.....)
 HB> I seem to be missing something here.  As I understand it, to check for 
 HB> virii with a scanner, such as SCAN, or whatever, you boot from a 
 HB> uninfected floppy that has scan residing on it.  Ok, now, how would a 
 HB> virus that works as a TSR, that probably is loaded from the boot sector 
 HB> from the hard disk be loaded, if you are booting from the floppy?  
 HB> Which, the floppy being write protected, of course, would not have this 
 HB> viral infection.  I was under the assumption that the BIOS first 
 HB> checked drive A: at bootup for a disk, etc.  It seems that it would be 
 HB> impossible to find a virii in memory with this type of scheme.. Please 
 HB> enlighten me..

The memory resident viruses that are a real problem when they are in memory and
any antiviral, whether a scanner or CRC checker, is run are not boot sector 
infectors....4096, Fish-6, Dark Avenger, and many others which infect on file 
open are file infectors.  There are three that are file infectors but can also 
infect and replicate from the partition table and/or boot sector: V2100, 
Anthrax, and Plastique 5.21.  (These last three are extremely rare, fairly new,
and not known in the United States.)  All of the viruses mentioned about use 
"Stealth" techniques to avoid detection or infect on file open.  

If you are booting from an uninfected diskette when powering on the computer, 
you wouldn't ever find a virus in memory.  However, if you are performing a 
warm reboot from a floppy, you could have a virus in memory still.  The real 
point here was that most people do not run scan or other anti-viral utilities 
after powering on and booting from a floppy, so it is always possible for the 
virus to be in memory.  

In that particular case, for a CRC checker which is what was being discussed, 
there are definite cases (the "Stealth" viruses) where the virus can get around
the CRC checker simply because if the virus is in memory it disinfects the 
infected programs as they are read into memory.  The CRC checker, since it is 
performing file reads, reads the DOS buffers to check the program, so the 
program it sees isn't infected and isn't the same as what is actually on the 
disk.  In the case of viruses that infect on file open, running an anti-viral 
product against all the programs on a system with the virus active in memory 
can very well result in all the programs becoming infected.  

I'm not against CRC checkers, I use one all the time on several of my systems. 
These systems all have master boot diskettes with clean system files, the CRC 
checker, and the log of all the expected crc values to be returned.  Most 
people simply do not have that type of diskette setup for their systems since 
they feel they'll never be infected with a virus.  In fact, the probability 
that a person will be infected with a virus is fairly low, though it does 
change depending on the person's computing habits and how often they exchange 
diskettes and/or programs with others.  

I was trying to point out that NONE of the current anti-virals will absolutely 
protect a user from getting a virus....all the techniques currently used by 
anti-viral products can be circumvented by some of the newer, more 
technologically advanced viruses.  Not to point that out would be like burying 
one's head in the sand, especially when the discussion has to do with someone 
thinkin of writing a new anti-viral who needs to know what can currently be 
circumvented.  It is easier to fix the design before the program is written 
then to fix it later after the hole is found....

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 4967 *Virus Info*
09-10-90 16:55:00 (Read 5 Times)
From: CHARLES HANNUM
  To: JERRY MASEFIELD
Subj: REPLY TO MSG# 4748 (RE: PKZ120.ZIP)
 >>  >Didn't someone say that because someone had already hacked an earlier
 >>  >version of PKZIP that 120 would be the next scheduled release?
 >>  >Anybody have any info?
 >>
 >> Yes.  Phil Katz said it.

 > No, Phil Katz said there WOULDN'T be a 120 release because of the
 > same reason. This would eliminate any confusions between the real
 > and phony versions.  Also, Katz is offering a reward for any info
 > leading to the arrest of the perpetrator of this hacking.

Err, <retracting foot from mouth> I must have misread the original note...

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#: 4968 *Virus Info*
09-10-90 17:54:00 (Read 5 Times)
From: CHARLES HANNUM
  To: WHOM IT MAY CONCERN
Subj: LHARC 1.14B(ETA)
The 'b' is actually a beta, which makes me think he released it for testing
and it got loose, but is not yet an "official" release.

At any rate, I NEED AN ANSWER!!  I have "LHarc 1.14b(eta)", and I really need
a definitive answer.  IS IT REAL OR NOT?

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#: 4969 *Virus Info*
09-10-90 23:13:00 (Read 4 Times)
From: PHILLIP LAIRD
  To: DUANE BROWN
Subj: REPLY TO MSG# 4278 (RE: SECURING YOUR UPLOADS)

 >
 >That's easy to fix the problem about del *.* -- just do
 >
 >echo y | del *.*
 >
 >then the Y gets placed in there automatically...no keyfake, 
 >nothing!  
 > 
 >--- 
 > * Origin: End of the Line. Stafford, Va. (703)720-1624. (1:274/16)


Thanx....  Using the pipe redirection will do just that like you say.  I use 
the KEYFAKE Program for a reason with KEY.DAT in the program I just finished 
that will check for bugs in uploads.  It calls the routine externally from the 
Execute file.

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 4970 *Virus Info*
09-10-90 23:21:00 (Read 6 Times)
From: PHILLIP LAIRD
  To: ALAN DAWSON
Subj: REPLY TO MSG# 4545 (RE: SCAN WEIRDNESS)

 >
 >This is absolutely correct, of course, and EXACTLY what's recommended 
 >
 >in the doc. I was just curious whether others had had the experience. 
 >
 >I do do some experimenting with viruses and anti-virus stuff, 
 >because 
 >Bangkok's a "virus capital" (dumb dealers plus a whole raft 
 >of 
 >pirates) and because I'm involved in a commercial anti-virus 
 >project. 
 >--- Opus-CBCS 1.13
 > * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand 
 >(3:608/9.0)





 
I totally agree that most people do not read the docs.  I work for a University
in South East Texas.  Some of the Micros have been plagued with viruses.  I 
have setup a routine for the Labs to Scan the Floppies coming in with SCAN. 
This has just taken Place.  Next thing I know, the clerk decides to run SCAN 
From her hard drive on her desktop!  Then Alameda hit her!  The SCAN Program 
has gone over good at the University.  We are getting an order ready for a Site
License Agreement with MCafee and Associates.  I do a little research on some 
of the strains.  However this BBS keeps me busy after work!

Weird thing about CLEAN.EXE the program to remove the Viruses.  I am using 
Clean Version 66 and sometimes the program will scan the file numerous times 
before the virus is eventually removed.  I guess the Marker is trying to move 
around in the file?  Anybody know?

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 4971 *Virus Info*
09-09-90 10:59:00 (Read 5 Times)
From: MIKE BADER
  To: MARC SHEWRING
Subj: INFORMATION
Several anti-virus programs use signature files.
IBM (yech) for one, but VirHUNT by DDI alos
uses a file for signatures and goes into
quite a bit of detail in their manual.
I'll look up a better address and phone.

Mike

--- FD 1.99c
 * Origin: P-1 BBS ][ (313) 542-9615 Ferndale, MI (HST) (1:120/45)




Msg#: 4972 *Virus Info*
09-06-90 20:56:00 (Read 8 Times)
From: CY WELCH
  To: DEREK BILLINGSLEY
Subj: REPLY TO MSG# 3817 (POSSIBLE VIRUS?)
In a message to All <01 Sep 90 11:34:00> Derek Billingsley wrote:

 DB> This just hit me today - I am not sure if it is some kind of system
 DB> error or a potential virus.

 DB> Last night (September first) and before gave me no indication of any
 DB> virus being present on my system. It is now september 1st and now,
 DB> whenever a file is written to disk (I noticed the text files first,
 DB> but a downloaded zip'd file was also garbled...) it took out about
 DB> 10 bytes from the beginning of each line...

 DB> When I realized this may be set to occur on this date, I set my DATE
 DB> back a night and everything worked fine... I made a sample text file
 DB> with a known pattern of characters -- any date past september 1st
 DB> 1990 leaves the file altered as mentioned above. Any date previous
 DB> is written unharmed...

 DB> SCANV56 reports only that the SCAN program is damaged - no disk
 DB> presence of the source is evident.

 DB> Has anyone heard of something like this happening?

Can't say I have heard of that but it sure sounds like a virus.  I would 
recommend getting a copy of scan v64 and see what it says.  It might even be 
something new.


--- XRS! 3.41+
 * Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1)




Msg#: 4973 *Virus Info*
08-14-90 18:15:00 (Read 5 Times)
From: JAMES BLEACHER
  To: DOUG BAGGETT
Subj: REPLY TO MSG# 2904 (ANTI VIRUS VIRUSES)
 * Replying to a message originally to Patricia Hoffman
 DB>well..here is a question..where exactly did viruses
 DB>originate anyway..was it in this country or others?
 DB>Doug
 
According to want I've read Dr. Fred Cohen at MIT developed the first virus 
back in 1964 or so. This was to prove that code could actually replicate and 
spread throughout a mainframe. My question is why on earth would he want to do 
that in the first place?
--- 
 * Origin: "Hey! Why's my COMMAND.COM larger than normal?" (1:151/801)




Msg#: 4974 *Virus Info*
08-14-90 18:23:00 (Read 5 Times)
From: JAMES BLEACHER
  To: PAUL FERGUSON
Subj: REPLY AND ADDENDUM TO MSG 145
 * Replying to a message originally to Alan Dawson
 PF>You can always be sure of an uninfected SCAN IF you download
 PF>from the
 PF>authors' BBS....The program itself will terminate upon
 PF>detection and
 PF>has safeguards written into it to protect against such
 PF>occurances....Of
 PF>course, there are ways for an unsuspecting user (You know
 PF>who) to
 PF>infect the programs themselves and then re-archive
 PF>unwittingly a 
 PF>viral Scan that will never know (depending upon the
 
WRONG! Scan checks itself upon startup and will give you a message to the 
effect of:
 
FILE DAMAGED! "C:\SCAN.EXE"
 
But will continue to operate. If you see that message then you're in big 
trouble. Viruses like the Dark Avenger will use scan's file checking (since it 
opens all the files it's checking) to spread itself all over your floppy/hard 
drive. Unless you've got a totally new virus that scan can't detect you don't 
have anything to worry about if it's already infected when you get it. (Except 
that it's probably detecting the virus all over your drive because it just 
helped put it there!)
--- 
 * Origin: "Hey! Why's my COMMAND.COM larger than normal?" (1:151/801)




Msg#: 4975 *Virus Info*
09-10-90 18:02:00 (Read 6 Times)
From: JAMES BLEACHER
  To: DEREK BILLINGSLEY
Subj: REPLY TO MSG# 4972 (POSSIBLE VIRUS?)
 DB>SCANV56 reports only that the SCAN program is damaged - no
 DB>disk presence of the source is evident.
 DB>
 DB>Has anyone heard of something like this happening?
 
Well, first of all you've got an old version of scan. Try downloading scanv66b 
from someone. I have it if you can't locate it elsewhere. Second if scan ever 
reports being damaged there's a 99% chance that you've got a virus! Better 
check into it quick! Hope you don't find that you have one but it sure sounds 
like you do!
--- 
 * Origin: "Hey! Why's my COMMAND.COM larger than normal?" (1:151/801)




Msg#: 5238 *Virus Info*
09-10-90 15:11:00 (Read 6 Times)
From: JOE MORLAN
  To: JONO MOORE
Subj: REPLY TO MSG# 4028 (RE: LHARC114?)
  I have learned from other sources that the latest official release of LHARC 
is LH113D.  The 'new' LHARC114 is said to be another unauthorized hack.  It 
evidently is NOT a virus.  Yoshi has been quoted as stating on GENIE that the 
next official release will be ver. 2.0.  I hope this helps.

--- Telegard v2.5i Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)




Msg#: 5239 *Virus Info*
09-10-90 15:12:00 (Read 6 Times)
From: JOE MORLAN
  To: HERB BROWN
Subj: REPLY TO MSG# 5238 (RE: LHARC114?)
Exactly.  LHARC v1.14b is not a real release.  Just another unauthorized hack.

--- Telegard v2.5i Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)




Msg#: 5240 *Virus Info*
09-07-90 20:35:00 (Read 6 Times)
From: CHRIS BARRETT
  To: SIMON FOSTER
Subj: RE: MYSTERY VIRUS??
Could I ask wy the buffers would be causing the Boot Block to be altered.
 
I have since removed the val checks using ScanV66B and put some new ones on 
using ScanV66B.
 
Could it be possible that someone has altered a bit of the code and as ScanV66 
uses a string (or is it hex search) it doesn't find it? 
 
eg In the Virus it originaly said "Your disk is stoned' and the person 
converted it to say 'Your disk is now stoned'. If ScanV66 happens to look for 
the original string to my knowlegde the virus would not be recognized.
 
Chris.
--- TBBS v2.1/NM
 * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654)




Msg#: 5241 *Virus Info*
09-12-90 22:11:00 (Read 6 Times)
From: PHILLIP LAIRD
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4751 (RE: LET ME REPHRASE THAT.....)

 >If you are booting from an uninfected diskette when powering 
 >on the computer, you wouldn't ever find a virus in memory. 
 > However, if you are performing a warm reboot from a floppy, 
 >you could have a virus in memory still.  The real point here 
 >was that most people do not run scan or other anti-viral utilities 
 >after powering on and booting from a floppy, so it is always 
 >possible for the virus to be in memory.  


THat is exactly the way I have found some of the Virii I researched as being. 
If the virus is present in memory, then it is possible the the file will 
infect, however, if the Scan Diskette is write protected and the diskette is 
bootable, Like oyu say.  It is BEST to cut the power to the system and then 
re-boot the system.  However, if you wanted to go a step further, it is 
possible to clear all volatile RAM if you want to do a warm boot.  The Warm 
Boot can result in infection, since the ram is not cleared.  The various 
hardware interrupts are still performed and cotrol passed to Command.com, but 
the System files are still present in memory, along with a virus possibly.  Too
many people are now taking the virus issue too lightly.  It can effect you, 
take precaution and use the Floppy to boot up on with a Write Protect on the 
Diskette.  Then scan the drive from there.

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 5242 *Virus Info*
09-12-90 22:16:00 (Read 6 Times)
From: PHILLIP LAIRD
  To: PATRICIA HOFFMAN
Subj: RE: JERUSALEM B AND CLEANP64.Z

 > PL> I cleaned 17 infected files today with clean version 64. 
 > I have a good 
 > PL> question.  While the program removes the file, some where 
 >removed the 
 > PL> first time around, others were scanned several times before 
 >the virus 
 > PL> was actually removed.  Can you tell me why?
 >
 >The programs that were scanned several times probably were 
 >infected multiple times with Jerusalem virus.  A lot of the 
 >variants of Jerusalem B will infect .EXE files repeatedly, 
 >eventually the program will get too large to fit into memory. 
 > On files that are infected multiple times with Jerusalem, 
 >you'll see a message come up for each infection as it is removed. 
 > 
 >
 >That is my guess as to what you observed...
 >
 >Patti
 >


That is exactly what I had suspected.  I assumed the file was re-infected 
several times as the size of the Original WP.EXE files that were infected once 
was for example 112K, and the ones that were infected several times was around 
173K.  Some of the programs were non functional after clean ws performed on the
file.  We just delte the file and re-copy it when that happens.  The only safe 
way to do it I have found is to go ahead anuse scans' /D option and delete the 
file and re-copy it. 

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 5887 *Virus Info*
09-14-90 14:05:00 (Read 5 Times)
From: MIKE MCCUNE
  To: PATRICK TOULME
Subj: MOTHER FISH
Everybody was talking about the Mother Fish a few weeks ago. Now that it has 
been out for mor than a week, nobody is saying anything about it. What's the 
deal with this virus?


--- Opus-CBCS 1.13
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)




Msg#: 6048 *Virus Info*
09-14-90 07:05:00 (Read 4 Times)
From: JOE MORLAN
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 4968 (RE: LHARC 1.14B(ETA))
  According to folks posting on the technical echo, Yoshi has stated on Genie 
that the next official release after LHarc 1.13c will be LHarc 2.xx.  Beta 
versions of LHarc 2.0 are said to have been released in Japan.  It is illogical
that 114b would be a valid release.  The main change is the same as the known 
unauthorized hack, ICE.

 There are a few people on that echo that seem to believe that the release is 
"real" based mostly on the source where the file had been posted.  It seems 
clear to me that it is just another unauthorized hack.

--- Telegard v2.5i Standard
 * Origin: The Twilight Zone (415)-352-0433 (1:161/88.0)




Msg#: 6659 *Virus Info*
09-15-90 08:13:00 (Read 4 Times)
From: RICHARD HECK
  To: ALL
Subj: CLEAN UP
I think that the newest version of cleanup was alot better then the version 
before it.
Oh and watch out for that Sunday Virus.  
 



--- outGATE v2.10 
 # Origin: SIGnet International GateHost (8:7501/103)
 * Origin: Network Echogate (1:129/34)




Msg#: 6660 *Virus Info*
09-16-90 11:28:00 (Read 5 Times)
From: SATYR DAZE
  To: CHRIS BARRETT
Subj: REPLY TO MSG# 5240 (RE: MYSTERY VIRUS??)
 
Sorry to butt in ..... you aparently have been infected by the Stoner-Marijauna
Virus , quite a few people here in florida myself included have seen this 
little beauty.
 
After disinfecting yourself the damaged caused by the virus is unaltered.
 Backup your harddrive and reformat it, after restoring it.  Delete and redo 
Autoexec.bat and Config.sys they have both also been altered.
 
Your Hardrive should now be back to snuff .... but before i forget run a 
utility to mark and lock out bad sectors the Virus may have caused.  These 
unfortunaly are not always recoverable.
 
 
G'Day .......................     The Satyr Daze
--- TBBS v2.1/NM
 * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748  (1:135/2)




Msg#: 6661 *Virus Info*
09-16-90 11:39:00 (Read 4 Times)
From: SATYR DAZE
  To: GARY MOYER
Subj: REPLY TO MSG# 4546 (RE: VIRUS SCANNERS....)
Well you can  Download a Virus scanner from a reputable BBS -- one that 
actually checks all of it's files for viruses --- or go out and purchase a 
Virus Scanner.  Most of the downloadable stuffis by Mcaffe Associates, You can 
purchase Virucide (commercial version) which checks and disinfects your files, 
also by Mcaffe Associates for about $30.00. Not a bad buy when you consider the
consequences of not having a good scanner.
 
Just make sure that after Downloading a file, unarc-unzip-unwhatever it, But 
under no circumstance activate it --- run it --.  Run the scanner, if the file 
checks clean go ahead and run it then.  If it dosn't the program will warn you 
and disinfect it.  The reason you must open the file (unzip) is because 
scanners can't look into an archived file.
 
                                          The Satyr Daze
--- TBBS v2.1/NM
 * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748  (1:135/2)




Msg#: 6662 *Virus Info*
09-16-90 13:40:00 (Read 4 Times)
From: SATYR DAZE
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 4973 (RE: ANTI VIRUS VIRUSES)
Actually the Honor of creating Viruses Belongs to John Conway, he was trying to
develop software that emulated living organisms.  He developed the first "Game 
of Life".  As he created these new programs they became more and more complex 
having intricate enviroments that the elements would have to over come in order
to survive.
 
But these were never allowed to get beyond that scope, Virus programs where 
never destructive untill the "Core Wars".  Opposing Programmers would create 
self-replicating programms that when they encountered other self-replicaters 
would try to devour them.  Incidently it was called "Core Wars" because the 
game itself took place in Core Memory .  These young Programmers were actually 
quite small in number and never publicly discussed what they were doing.  If 
any blame is to be attached it should be to Ken THompson who went public with 
the process in 1983..... at that point it was "Discovered" by university 
students who began creatingthe real nasties ..... Today many strains are just 
variation of their original work.
 
Just a little History...............
 
                                              The Satyr Daze
--- TBBS v2.1/NM
 * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748  (1:135/2)




Msg#: 6663 *Virus Info*
09-14-90 19:31:00 (Read 5 Times)
From: RAJU DARYANANI
  To: ALL
Subj: NETWARE BYPASSING JERUSALEM VIRUS
Does anyone have any details on the CERT announcement that it has
isolated a version of the Jerusalem virus that can bypass Novell
Netware's file protection settings and infect files ?  Anyone know
of actual infections, how common it is and whether McAfee's SCAN detect
this virus ?

Raju

--- via Silver Xpress V2.24 [NR]


--- QM v1.00
 * Origin: TAIC Maximus - DVNet Asia, PEP/V.32 High Speed PathFinder 
(3:700/1.0)




Msg#: 6664 *Virus Info*
09-16-90 00:41:00 (Read 4 Times)
From: ALAN DAWSON
  To: PHILLIP LAIRD
Subj: REPLY TO MSG# 4970 (RE: SCAN WEIRDNESS)
 PL> been plagued with viruses.  I have setup a routine for the Labs 
 PL> to Scan the Floppies coming in with SCAN.  This has just taken 
 PL> Place.  Next thing I know, the clerk decides to run SCAN From 
 PL> her hard drive on her desktop!  Then Alameda hit her!  The SCAN 

The next "killer-ap" should be the anti-stupidity program. If ever it 
needed to be proved that "a little knowledge is a dangerous thing," 
computer users prove it to their techies daily!

 PL> Weird thing about CLEAN.EXE the program to remove the Viruses.  
 PL> I am using Clean Version 66 and sometimes the program will scan 
 PL> the file numerous times before the virus is eventually removed. 

I really don't like the whole idea of a "popular" virus remover. (A 
specific cure for a specific virus on one site is different.) Any 
yo-yo with PC-Tools or Norton can make a "new" virus and this makes 
the possible results from a removal program very iffy. I really 
believe in brute-force removal i.e. DEL VIRUS.COM, and re-install. 
It's safer that way, and certain (after you check the floppies, of 
course).
   - From Thailand, a warm country in more ways than one.     





--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#: 7165 *Virus Info*
08-31-90 20:15:00 (Read 4 Times)
From: CHRIS BARRETT
  To: ALL
Subj: BOOKS ON VIRUSES
Could someone tell me somenames of books on Viruses and their authors.
As I am in Australia getting hold of them may be a problem though.
 
Hope you can help...
Chris..
--- TBBS v2.1/NM
 * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654)




Msg#: 7166 *Virus Info*
08-31-90 20:21:00 (Read 5 Times)
From: CHRIS BARRETT
  To: ALL
Subj: REPLY TO MSG# 6660 (MYSTERY VIRUS??)
At my school we have some XT's with 2 360K FDD each. Lately we have noticed 
that some of the students disks are being over written by the program disk they
were using. Eg some people have found the Turbo pascal files on their data 
disks.
 
I brought in a copy of ScanV66 and placed a validation check on the program 
disks (Not the data disks). Scanning showed no viruses (well known ones 
anyway). But when we scanned them a week later we found some had had their Boot
Blocks altered.
 
In some cases the files on the data disk are just renamed to one on the program
disk. Eg we listed "TURBO.EXE" and found it to contain a students pascal source
code.
 
Could someone shed some light please..
I have told the teacher it is most likely home grown and he is sh*tting 
himself.
 
Chris.
--- TBBS v2.1/NM
 * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654)




Msg#: 7167 *Virus Info*
09-01-90 18:28:00 (Read 4 Times)
From: DOUG EMMETT
  To: PHILLIP LAIRD
Subj: REPLY TO MSG# 6664 (RE: SCAN WEIRDNESS)
For the new boy would you mind explaining how to write protect Scan.Exe on the 
C: drive-Thanks


--- Opus-CBCS 1.13
 * Origin: The U.S.A. Connection-*HN-NZ*-(+64-71-566851) (3:772/260.0)




Msg#: 7168 *Virus Info*
09-02-90 14:18:00 (Read 4 Times)
From: WARREN ANDERSON
  To: MIKE DURKIN
Subj: REPLY TO MSG# 2475 (INTERNET WORM)
Hi, No I have never come across the book. I would appreciate it if you could 
provide a copy of the password list (just in case I can't get hold of a copy of
the book). Thanks again.
Regards
\/\/ /\/\ Anderson

--- Telegard v2.5 Standard
 * Origin: InfoBoard BBS - Auckland - New Zealand (3:772/140.0)




Msg#: 7169 *Virus Info*
09-04-90 06:12:00 (Read 4 Times)
From: PAUL FERGUSON
  To: YASHA KIDA
Subj: REPLY TO MSG. 134
Right on, Yasha......I couldn't have said it better myself.....This
town (DC) seems to have a real problem concerning this. That's OK,
though, as you have said, we shall see who they come running to when
the going gets rough.....
     
    -Paul


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 7170 *Virus Info*
09-05-90 12:50:00 (Read 4 Times)
From: MICHAEL ADAMS
  To: RICK THOMA
Subj: RE: PKZ120.EXE
Rick .. I had one uploaded to my Board called "PKZ120.exe".  The File looks 
Authentic.  Even went to the point of -AV and the Pkware registeration number 
on the last line after self extraction.  If it were not for the file 
"Warning.txt" put out by "Pkware" I'd still be using it. Really went through 
alot of trouble authenticating it!
 
Michael Adams
Baud Horizons
(504) 436-9590

--- Maximus-CBCS v1.00
 * Origin: The Southern Star - SDS/SDN/PDN - 504-885-5928 - (1:396/1)




Msg#: 7171 *Virus Info*
09-05-90 16:06:00 (Read 4 Times)
From: LONNIE DENISON
  To: ALL
Subj: HEY
  Just letting you know that I have joined my board (The Maze) to this echo.. 
hope we can contribute some info here!

  Lonnie Denison

--- Telegard v2.5i Standard
 * Origin: => The Maze <=  916-391-6118  "Would ya Believe" (1:203/60.0)




Msg#: 7172 *Virus Info*
09-05-90 18:28:00 (Read 4 Times)
From: PHILLIP LAIRD
  To: KEVIN HIGGINS
Subj: REPLY TO MSG# 4969 (RE: SECURING YOUR UPLOADS)
Kevin, nice batch file for testing files for virrii.  I am now Alpha testing my
new program that will work with TAG at present.  I have the Key fake program if
it will help you!  That file will enter the "Y or N" Question when the batch 
file comes to Are you sure? Y or N.  Meaning you had the batch file to delete 
all programs in the temp check directory.  I plan on a new realease of the 
program to several BBSES that will work to help all Sysops keep out the Virii. 
If you want Keyfake Program, just Tell me, and I will netmail it to you...  I 
had a run in with Jerusalem B [jeru] today at Lamar University.  Seems the 
Chemistry Department stockroom manager had already infected 17 files on his 
hard drive.  Clean removed the virus.

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 7173 *Virus Info*
09-05-90 18:30:00 (Read 5 Times)
From: PHILLIP LAIRD
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4750 (JERUSALEM B AND CLEANP64.ZIP)
Patti:

I cleaned 17 infected files today with clean version 64.  I have a good 
question.  While the program removes the file, some where removed the first 
time around, others were scanned several times before the virus was actually 
removed.  Can you tell me why?

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 7174 *Virus Info*
09-05-90 18:32:00 (Read 4 Times)
From: PHILLIP LAIRD
  To: RICK THOMA
Subj: REPLY TO MSG# 4967 (RE: PKZ120.ZIP)
Didn't someone say that because someone had already hacked an earlier version 
of PKZIP that 120 would be the next scheduled release?  Anybody have any info?

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 7175 *Virus Info*
09-05-90 18:37:00 (Read 4 Times)
From: PHILLIP LAIRD
  To: ALL
Subj: PROCOMM 3.10
Beware, there is a version of Procomm.zip going around in our area here in 
Texas which boasts Procomm 3.10.  After consulting with my friend at Datastorn 
Technologies, he called my BBS and downloaded the file.  I had a user complain 
that the file hung and said "NUKE" at the lower left of his terminal. 
Datastorm Technologies stated that this version doesn't exist, I.E.... the 
latest was 2.4.3.  The same user told me that the file one night then put a 
message on his screen that stated "Does this IBM PC or Compatible have more 
than one drive? Y or N "  He immediately turned off the computer and didn't 
answer the question.  Althought we scanned this program and found no virus, we 
disassembled it and also didn't find anything suspicious either.  Be careful, 
it might be a time bomb.  If you know of this program, let me know at 1:19/49.
I would like to keep tabs on it.

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 7176 *Virus Info*
09-04-90 16:04:00 (Read 4 Times)
From: MIKE MCCUNE
  To: TALLEY RAGAN
Subj: REPLY TO MSG# 4030 (RE: REMOVING JOSHI)
I have posted a new version that checks for the virus before
trying to remove it (now that I have a working copy of the
virus). It will not damage the partition table on uninfected
hard disks...<MM>.

 
--- KramMail v3.15
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)




Msg#: 7177 *Virus Info*
09-04-90 13:31:00 (Read 4 Times)
From: PAUL FERGUSON
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 5241 (LET ME REPHRASE THAT.....)
Ken-
   
    This is a continuation of msg.# 156 (I dropped the
keyboard....Looong day, you know).....
  
    Actually, I really should have said "virtually preconceived".
From what I can gather on the topic (I don't yet have a copy of 4096),
they actually redirect CRC/Checksum interrogators to a "snapshot" of
the original file as it appeared before infection.(Someone, I'm sure,
will correct me if I'm wrong or at least add enlightenment.)
The infected file, in the case of 4096, has in reality grown by 4096
bytes and would more than likely hang the system, therefore, which
would lead me to believe that running the CRC check without the virus
TSR would allow you to identify the actual infected files. Also, it
seems like the only way to catch it TSR is to trace the interrupt
vectors (although everyone seems to have a little bit of differing
ideas on this '->)
     Until I can get my hands on this little fellow, I guess that I'll
just follow the more logical explanations from the sources with
credibilty and make a judgement from that! Sounds credible. But, as I'v
said before-    I sure would like to see it.
   
      I've been following several different message base threads on
this particular virus, with input from users at the basic levels to BBS
SysOps to the AntiViral research community.......I must say, it gets
overwhelming at times to keep objective. *:)
  
     -Paul


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 7178 *Virus Info*
09-05-90 09:20:00 (Read 4 Times)
From: PAUL FERGUSON
  To: EVERYONE
Subj: DETAILED INFO ON 4096...
The description in VSUM (August 15 release) of the 4096 virus has
gotten my usual curiousity arouser, along with a plethora of discussion
on this particular virus within many message conferences and viral
echos......Since I have not had the opportunity, yet, to obtain a
sample to personally examine, I must post a few questions to the field:
  
  
  1.) Would someone like to elaborateon the structure of "Phases" that
       the CVIA uses to catorgorize viruses? Please?    ;-)
   
  2.) I seem to remember mention (No, I don't have my copy of VSUM in
front of my now) of the virus (4096) containing it's own boot sector.
Could someone enlighten me on this , also?
  
  3.) And, under what ? circumstances does the 'FRODO LIVES' msg.
appear and when does it not?
  
   
No offense, Patti, but I did think that on a couple of these points
that the VSUM doc was kinda sketchy (I know that is ALOT of work to
compile that baby and continually update, etc.!). 
     Perhaps with a little more detail, I will have settled my
curiousity and returned to other problems at hand...
   
                                          -Paul
   
Patti- Any luck with last U/L?    ,-)


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 7179 *Virus Info*
09-05-90 20:34:00 (Read 5 Times)
From: PATRICIA HOFFMAN
  To: SEAN SOMERS
Subj: REPLY TO MSG# 4544 (RE: REMAPPING...)
 SS> Off topic here, anybody out there encounter the French Revoloution 
 SS> virus? I was the first out here to discover it. What it does is nuke 
 SS> your HD while displaying an anti Western/English speaking Canadians.  

Haven't seen or heard of that one before.... What does it infect?  .COM, .EXE, 
overlays, boot sectors, only floppies?  If you want to send me a copy of it, 
I'd be happy to take a look at it as well as pass it along to John McAfee's 
group.  Snail mail address is:

        Patricia M. Hoffman
        1556 Halford Avenue #127
        Santa Clara, CA  95051

It can also be sent in a .ZIP file to my system, though be sure you don't route
it thru anyone, or directly uploaded here to a suspect area that is secured.

Not off-topic at all, that is what this conference is for....

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 7180 *Virus Info*
09-05-90 20:01:00 (Read 5 Times)
From: PATRICIA HOFFMAN
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 7178 (DETAILED INFO ON 4096...)
 PF>   1.) Would someone like to elaborateon the structure of "Phases" that
 PF>        the CVIA uses to catorgorize viruses? Please?    ;-)
 PF>    

VSUM doesn't necessarily use the McAfee or CVIA categorization techniques to 
classify viruses.  VSUM's categorization is a bit finer than McAfee's since in 
many cases he can group things together for detection/removal purposes. 
However, in describing them they don't make much sense that way.  I haven't 
seen a copy of the CVIA categorization in some time, but I believe they 
classified by:

        boot sector infector
        parasitic file infector
        overwriting file infector

Partition table infectors were (I think) thrown in with boot sector infectors 
since at the time the only partition table infector was Stoned, which also 
infected floppy boot sectors.  They also classified by memory resident or 
non-resident.  

Generally, VSUM classified by memory resident/non-resident, what it infects, 
file length change, symptoms, and other characteristics, as well as what virus 
the new entry is based on if applicable.  In the case of memory resident 
viruses, there is a code to indicate how or where it is memory resident.    

McAfee and I had a loooonnnnnggggg discussion on classification and naming 
awhile back, and "agreed we could disagree" since how he uses the names in Scan
isn't workable for VSUM, and using the VSUM naming in Scan would not serve his 
purposes since he needs to group variants in many cases.  If possible, though, 
we try to use the same names.  If VSUM differs, the name that will be indicated
by Scan is indicated as an alias.  McAfee's current classification methods as 
indicated in VIRLIST.TXT which comes out with Scan also differs from the CVIA 
classifications, and is fairly close to VSUM.

 PF>   2.) I seem to remember mention (No, I don't have my copy of VSUM in
 PF> front of my now) of the virus (4096) containing it's own boot sector.
 PF> Could someone enlighten me on this , also?
 PF>   

Yes, it includes a boot sector, though do to an error in the virus, the 
included boot sector isn't ever written to the hard disk or floppy boot sector.
This boot sector is where the "FRODO LIVES" message is....  

 PF>   3.) And, under what ? circumstances does the 'FRODO LIVES' msg.
 PF> appear and when does it not?
 PF>   

Normally, due to a bug in the virus, the message is never displayed.  If one 
copies the boot sector from within the 4096 virus to a floppy diskette as 
sector 0, and boots from it, the message will appear.  

Of course, the above bugs may be fixed in a later version of the virus....but 
the versions I've seen hang on September 22 when they were meant to activate 
the Frodo Lives message.  

 PF>    
 PF> No offense, Patti, but I did think that on a couple of these points
 PF> that the VSUM doc was kinda sketchy (I know that is ALOT of work to
 PF> compile that baby and continually update, etc.!). 
 PF>      Perhaps with a little more detail, I will have settled my
 PF> curiousity and returned to other problems at hand...
 PF>    

No problem....A lot of time what makes perfect sense to me doesn't make sense 
to others :-).  There is always this question with VSUM on where to draw the 
line on the descriptions.  

 PF> Patti- Any luck with last U/L?    ,-)
 PF> 

Not yet....I'm busy working on analysing a new virus right now, and it is going
to take awhile....will probably be a Whale of a tale when I get done....and I 
don't want to say anything prematurely on it.

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 7181 *Virus Info*
09-06-90 11:33:00 (Read 4 Times)
From: TONY JOHNSON
  To: ALL
Subj: REPLY TO MSG# 3029 (CORE WARS)
Core Wars was a simulation system, it was not per se' a breeding ground for the
type of viri that you see today attacking systems and PCs.  The programs tested
were called viri in the way they attacked and behaved while operating
within the Core Wars environment.  I believe the "arena" used for the "viruses"
was an 8K memory grid, and that the programs/"viri" were limited to that area.

While those programs were not the same thing as what we see today chewing up 
our beloved computers, I can say that Core Wars was an extremely enlightening 
experience that had the programmers thinking about how a similiar type of 
situation could apply to the actual computing world.


--- QM v1.00
 * Origin: The 286 Express (504-282-5817) (1:396/30.0)




Msg#: 7182 *Virus Info*
09-06-90 13:09:00 (Read 5 Times)
From: CHARLES HANNUM
  To: CHRIS BARRETT
Subj: REPLY TO MSG# 7166 (RE: MYSTERY VIRUS??)
 >At my school we have some XT's with 2 360K FDD each. Lately we have
 >noticed that some of the students disks are being over written by the
 >program disk they were using. Eg some people have found the Turbo
 >pascal files on their data disks.

This could happen (and has) if you are using disk caching software.  That would

be a good place to look first.

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)