💾 Archived View for spam.works › mirrors › textfiles › virus › vi901029.txt captured on 2023-06-16 at 21:05:14.


-=-=-=-=-=-=-

Msg#: 7183 *Virus Info*
09-05-90 22:31:00 (Read 6 Times)
From: HAL SCHPERL
  To: CHRIS BARRETT
Subj: REPLY TO MSG# 7182 (MYSTERY VIRUS??)
 > At my school we have some XT's with 2 360K FDD each. Lately we have
 > noticed that some of the students' disks are being overwritten by the
 > program disk they were using. Eg some people have found the Turbo
 > pascal files on their data disks.
 >
 > I brought in a copy of ScanV66 and placed a validation check on the
 > program disks (Not the data disks). Scanning showed no viruses (well
 > known ones anyway). But when we scanned them a week later we found
 > some had had their Boot Blocks altered.
 >
 > In some cases the files on the data disk are just renamed to one on
 > the program disk. Eg we listed "TURBO.EXE" and found it to contain a
 > student's pascal source code.
 >
 > Could someone shed some light please..
 > I have told the teacher it is most likely home grown and he is
 > sh*tting himself.
 >
 > Chris.
 > --- TBBS v2.1/NM
 >  * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 -
 > (690/654)


It does not have to be a virus to cause this.  While creating files some 
programs assume that the diskette currently in the drive is the one that was 
started with.  One that comes to mind is SideKick.  I destroyed a few diskettes
before I realized the problem.  While using SideKick to edit a file on a 
diskette I popped it down and forgot about the file.  Then I changed 
diskettes and continued to edit the file with SideKick.  I then saved the file 
forgetting about the diskette change.  The result was the files were still on 
the diskette but the directory belonged to the previous disk.  Since then I 
have encountered several other programs that can do this.

--- FD 1.99c
 * Origin: I'd give my right arm to be ambidextrous .. (1:163/127.4)




Msg#: 7184 *Virus Info*
09-06-90 18:28:00 (Read 4 Times)
From: PHILLIP LAIRD
  To: DOUG EMMETT
Subj: REPLY TO MSG# 7167 (RE: SCAN WEIRDNESS)
Doug, wouldn't it be feasible for you to change the archive bits to read only 
on the Scan File?  Supposedly, Scan has a built-in Mechanism for determining if 
it has been damaged.  In fact, I found a virus had tried to copy to Scan.EXE and
the message came back and warned that scan.exe was damaged!  This was at a 
local University computing lab of PC's.  This may be a question that John needs
to answer or even Patti, the Moderator of the Echo.  I will ask her.

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 7185 *Virus Info*
09-06-90 18:30:00 (Read 5 Times)
From: PHILLIP LAIRD
  To: PATTI HOFFMAN
Subj: REPLY TO MSG# 4746 (MAKING SCAN READ ONLY.)
Patti, is it feasible to make Scan.Exe Read only?  Doug Emmett was wondering 
about doing that.  Couldn't you change the archive bits to read only?  Also, 
doesn't scan have an internal routine to determine if it is damaged?

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 7186 *Virus Info*
09-06-90 09:32:00 (Read 5 Times)
From: RICHARD HUFFMAN
  To: MICHAEL ADAMS
Subj: REPLY TO MSG# 7170 (RE: PKZ120.EXE)
Don't know if this one is still a problem, but I ran into a copy of ARC.EXE 
v5.4 that was a hard-disk formatter......  Wouldn't mention such an old program
except that the problem resurfaced there a couple of months ago

                                        RTH


--- SLMAIL v1.36M  (#0264)
 * Origin: Foundation BBS * College Park, MD * (109:109/50)




Msg#: 7187 *Virus Info*
09-03-90 12:18:00 (Read 6 Times)
From: MARC SHEWRING
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 4971 (INFORMATION)
Hi Patricia,
           I am a university student currently doing a research project on 
Viruses and I was wondering if you could help me or indicate as to where I 
could get some information on Virus signatures and scanning techniques.

Thanx, in advance.... Marc

--- Maximus-CBCS v1.02
 * Origin: GAMMA ISTARI: Line 2 - Perth, Western Australia (3:690/627)




Msg#: 7188 *Virus Info*
09-04-90 23:57:00 (Read 7 Times)
From: SIMON FOSTER
  To: CHRIS BARRETT
Subj: REPLY TO MSG# 7183 (MYSTERY VIRUS??)
 > At my school we have some XT's with 2 360K FDD each. Lately we
 > have noticed that some of the students' disks are being
 > overwritten by the program disk they were using. Eg some people have
 > found the Turbo pascal files on their data disks.

I was having a similar problem on my 386 when I got it and as I was running 
DesqView, etc assumed that was causing the probs (it was, in a way) ... I since
discovered that it was simply that buffers was too low. Unfortunately you do 
not have a Hard Drive to see if that would be affected but your 'symptoms' are
of low buffers. So, simply change the config.sys and adjust the buffers value
up about 15; this SHOULD fix it. If, however, it doesn't, try getting hold of
SCANv66b and try that.

<ping>

Regs,
        Simon

--- FD 1.99c
 * Origin: Jane doesn't live here anymore! (3:712/265)




Msg#: 8162 *Virus Info*
09-12-90 12:42:00 (Read 6 Times)
From: CHARLES HANNUM
  To: JAMES BLEACHER
Subj: REPLY TO MSG# 6662 (RE: ANTI VIRUS VIRUSES)
 > According to what I've read Dr. Fred Cohen at MIT developed the
 > first virus back in 1964 or so. This was to prove that code could
 > actually replicate and spread throughout a mainframe. My question is
 > why on earth would he want to do that in the first place?

Probably because some stupid manager said it was impossible... which is about
the same logic Robert Tappan Morris used.

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#: 9381 *Virus Info*
09-19-90 22:32:00 (Read 5 Times)
From: TOM SMITH @ 930/1
  To: SATYR DAZE
Subj: REPLY TO MSG# 6661 (RE: VIRUS SCANNERS....)
"Satyr", the ARC/PAK/ZIP/LHARC shell program SHEZ will allow SCAN to
"look into an archived file"; it uncompresses it to a working directory
then passes the file info to SCAN which checks it.  I've got my
download BAT files set to fire it off automatically whenever I pick up
an archive from a BBS.  If you haven't looked at it, you might want to
check it out; I've found it to be very helpful...  Tom Smith/Dallas...


--- QM v1.00
 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0)
 * Origin: Network Gateway to RBBS-NET  (RBBS-PC 1:10/8)




Msg#: 9382 *Virus Info*
09-21-90 23:48:00 (Read 5 Times)
From: PHILLIP LAIRD
  To: JEFF LANES
Subj: RE: VIRUS AT LAMAR

 >Phillip,
 >My wife's business partner just had his system cratered by 
 >some software he picked up at LU.  I don't have any further 
 >details like name of program or anything...YET!  This guy is 
 >NOT a hacker or BBSer...just a regular student (Grad) with 
 >a PC at home for general homework and some business applications. 
 > It's kinda scary when the average users get infected with 
 >this stuff.  Where is software legitimately obtained at the 
 >school?  Can you get it from the library or what?  
 >More later!
 >
 >Jeff


Jeff, sorry to hear about that.  I have been working on a program with several 
Department directors at Lamar concerning this "VIRUS" issue.  The most common 
virus I have run into is the notorious Jerusalem B Virus.  You can use 
cleanp66.ZIP found on my BBS here to clean the virus.  The other common viruses
are Stoned and Stoned II.  Someone (Perhaps a student) deleted the Chkdsk dos 
command on one system in the Business College Lab and replaced it with a nasty 
trojan.  Tell your friend to try ScanV66B.zip to scan the Drive first whenever 
he boots up.  If viruses are found he can run clean in most cases to clean the 
virus up.

The best cleanup for a virus however, is the Delete command to delete the 
infected files.  If the partition table was affected, then it could be the 
Stoned II virus that got him.  How about having this gentleman call me voice
and see what I can do to help him.

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#: 9638 *Virus Info*
09-19-90 06:21:00 (Read 7 Times)
From: YASHA KIDA
  To: RAJU DARYANANI
Subj: RE: NETWARE BYPASSING JERUSALEM VIR
Yes FEDERAL COMPUTER WEEK carried a FRONT PAGE article on the problem....

2 months ago



--- Maximus-CBCS v1.00
 * Origin: Bragg IDBS, 82nd Airborne Bug hunter (1:151/305)




Msg#: 9640 *Virus Info*
09-21-90 13:31:00 (Read 6 Times)
From: PAUL FERGUSON
  To: RICK THOMA
Subj: MCRC
Rick,
   I'm always interested in anything that may be of =some= value to the
computing community, so....Sure...I'll bite. Now, would you prefer to
leave instructions to D/L a copy (BBS #, etc.) or would you prefer to
U/L a copy to this board for my perusal? (See Origin) CRC checkers can
have their merit if used in a =clean= environment, as you may well
know. 
 
Awaiting input...
 
Greetings from Capitol Hill
-Paul


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#: 9641 *Virus Info*
09-22-90 13:33:00 (Read 6 Times)
From: SATYR DAZE
  To: JIM HOBBS
Subj: REPLY TO MSG# 8162 (RE: ANTI VIRUS VIRUSES)
Well virus theory was being discussed as far back as the 1940's.  John von 
Neumann outlined an Idea of programs self-replicating themselves in "Theory 
and Organization of Complicated Automata".  And if you want to really be 
boggled read his "The Computer and the Brain" ..
 
I use the '83 date because after Mr Thompson's speech, the following year 
Scientific American published an article further discussing viruses together 
with an offer whereby sending in $2.00 they sent you information on how to 
write virus programs.  I'm sure they rue the day they did that now.
 
At that point viruses were "Fun".  Harmless pranks one programmer could have 
with others.  And also one that could be shared.
 
The Gift that keeps on Giving ... so to speak.
 
 
                                            The Satyr Daze
--- TBBS v2.1/NM
 * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748  (1:135/2)




Msg#:10870 *Virus Info*
09-09-90 23:21:00 (Read 6 Times)
From: CY WELCH
  To: PHILLIP LAIRD
Subj: REPLY TO MSG# 7173 (JERUSALEM B AND CLEANP64.ZIP)
In a message to Patricia Hoffman <05 Sep 90 18:30:00> Phillip Laird wrote:

 PL> I cleaned 17 infected files today with clean version 64.  I have a
 PL> good question.  While the program removes the file, some where
 PL> removed the first time around, others were scanned several times
 PL> before the virus was actually removed.  Can you tell me why?

I can answer that.  Jerusalem-B will infect an EXE file every time it runs.  It
only infects a COM file once but infects an EXE multiple times.  Clean has to be
run as many times as the file is infected to completely clean it out.

--- XRS! 3.42+
 * Origin: Former QuickBBS Beta Team Member *:- (RAX 99:9402/122.1)




Msg#:10871 *Virus Info*
09-09-90 22:54:00 (Read 6 Times)
From: PETER YARD
  To: CHRIS BARRETT
Subj: REPLY TO MSG# 7188 (RE: MYSTERY VIRUS??)
CB!>we have noticed that some of the students' disks are being
CB!>overwritten by the program disk they were using. Eg some

CB!>to one on the program disk. Eg we listed "TURBO.EXE" and
CB!>found it to contain a student's pascal source code.

Sounds like someone is putting their data disk in the same drive before the 
buffers are flushed.  If you switch the disks while still in turbo.exe then 
when you exit the program DOS will overwrite the FAT and Directories with what 
it thinks should be there from the previous disk.

Peter  
 
--- QuickBBS 2.64+
 * Origin: Genius BBS.. Beaker Rulz OK! (3:640/486)




Msg#:10873 *Virus Info*
09-11-90 06:50:00 (Read 5 Times)
From: YASHA KIDA
  To: ALAN DAWSON
Subj: REPLY TO MSG# 9381 (RE: VIRUS SCANNERS....)
In a song of phrase on <16 Aug 90  08:30:58>, Alan Dawson (3:608/9) writes:

 AD> Hear, hear! The frustrating, rug-chewing, desk-beating, 
 AD> monitor-smashing, stomp-down crying SHAME is that some of these 
 AD> viruses, on a technical level, are tremendously slick, wondrous 
 AD> programs. The people writing them are wonderful programmers. Just 
 AD> think what these people could be doing to help our PCs work better by 
 AD> writing a different kind of program -- and, potentially, how much 
 AD> money they might be able to make. They obviously have inventive 
 AD> minds, many of them. Such inventiveness could be put to such great 
 AD> use.
 AD> 


Remember many of the Viruses are version B & C. Many of the modifications were 
not by the ORIGINAL programmers, but were people who improved on their code. 
These people most likely couldn't have ever started and finished the coding 
from line 1.  

What I am saying is it is easy to modify code but Being the ORIGINAL writer is
something else....

Don't kid yourself these people are doing what they enjoy.. Destroying people's 
data or making a political statement.  They could make $$ programming and I'm sure
many do. This is most likely a relief valve for them...or a way of screwing the 
world a little...


These people are not superheroes.

To say they are great programmers is like saying LEE HARVEY OSWALD was a great 
shot.


Yasha



--- msged 1.99S ZTC
 * Origin: Bragg IDBS, (82nd - they can kick Iraqs booty) (1:151/305)




Msg#:10874 *Virus Info*
09-11-90 07:06:00 (Read 7 Times)
From: YASHA KIDA
  To: SKY RAIDER (Rcvd)
Subj: REPLY TO MSG# 3974 (VIRUS POST ON BBS)
In a message of <08 Sep 90  13:42:35>, Sky Raider (1:255/3) writes:

 SR> How about giving me 
 SR> your system number so I can call and see the finished form (never been 
 SR> quoted in this manner before).
 SR>  
 SR>                                A questor of knowledge,
 SR>  
 SR>                                         Sky Raider
 SR>                                         Ivan Baird, CET



Sure the Number is 919-867-0754 23.5 hrs a day 7 days a week

300-14,400 baud supported



--- msged 1.99S ZTC
 * Origin: Bragg IDBS, (82nd - they can kick Iraqs booty) (1:151/305)




Msg#:11396 *Virus Info*
09-17-90 23:42:00 (Read 6 Times)
From: PHILLIP LAIRD
  To: CY WELCH
Subj: REPLY TO MSG# 10870 (RE: JERUSALEM B AND CLEANP64.ZIP)

 >I can answer that.  Jerusalem-B will infect an EXE file every 
 >time it runs.  It only infects a COM file once but infects an 
 >EXE multiple times.  Clean has to be run as many times as the 
 >file is infected to completely clean it out.


Yea, I figured that one out!  Thanx for the help....

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#:11397 *Virus Info*
09-17-90 23:46:00 (Read 5 Times)
From: PHILLIP LAIRD
  To: ALL
Subj: VIRUS REPORTED IN SHAREWARE FILE
As reported by the Port Arthur Texas Computer Club, there is a file called 
Powermenu, Version 5.3 that reportedly carries some type of virus.  This file 
is supposed to be distributed by a publication named "PC Today".  If you have 
seen this file, please leave me mail in this echo.  I have yet to see the file,
however, I would like to know how widespread the file is.

If you have had any problems with it, please explain that, too or netmail me at
19/49.  Thanks.

Phillip Laird [SYSOP]

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#:11399 *Virus Info*
09-18-90 06:32:00 (Read 4 Times)
From: PHILLIP LAIRD
  To: ALAN DAWSON
Subj: REPLY TO MSG# 7184 (RE: SCAN WEIRDNESS)

 >believe in brute-force removal i.e. DEL VIRUS.COM, and re-install. 
 >
 >It's safer that way, and certain (after you check the floppies, 
 >of course).
 >   - From Thailand, a warm country in more ways than one.  



Quite regular, the "DELETE" Disinfection IS the only way to go.  After running 
cleanup some times, the user of the software complains that some programs do 
not work.  I just recommend they delete not just the once infected file, but 
rather the software package and re-install it.  I remember you mentioning that
piracy abounds in Thailand.  When I was working in the Middle East a few years 
back, I learned you could get a copy of most any software at the Computer 
stores.  They had diskette copying devices.  For 1 Riyal you were in business. 
This is another way viruses were spread.  Everybody would come in and share 
diskettes.

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)




Msg#:11400 *Virus Info*
09-17-90 18:34:00 (Read 4 Times)
From: PAUL FERGUSON
  To: MIKE MCCUNE
Subj: MFV
Well, Mike,
    I can tell you this at least....It =will= be included in the next
version of VSUM (due to be released around the 25th or so of the month).
But, it is not even being called by that name at the moment. Perhaps,
someone else (Patrick) will detail this more for you, but at the
moment, it is not a topic for public discussion, obviously. 
 
Greetings from Capitol Hill
-Paul


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:11401 *Virus Info*
09-18-90 06:35:00 (Read 6 Times)
From: PATRICIA HOFFMAN
  To: CHRIS BARRETT
Subj: REPLY TO MSG# 10871 (MYSTERY VIRUS??)
 CB> At my school we have some XT's with 2 360K FDD each. Lately we have 
 CB> noticed that some of the students' disks are being overwritten by the 
 CB> program disk they were using. Eg some people have found the Turbo 
 CB> pascal files on their data disks.
 CB>  

This may not be a virus at all, but instead operator error.  It is possible 
that the students are switching diskettes after opening files, and then 
writing the programs back to a different diskette than they originally read from. 
Some flavors of DOS will keep the disk directory in memory, and then update it 
and write it back to the diskette without checking that it is the correct 
diskette.  

 CB> I brought in a copy of ScanV66 and placed a validation check on the 
 CB> program disks (Not the data disks). Scanning showed no viruses (well 
 CB> known ones anyway). But when we scanned them a week later we found some 
 CB> had had their Boot Blocks altered.
 CB>  

Are you using ScanV66 or ScanV66B?  V66 itself has a bug in it with the 
validation codes and was replaced with V66B shortly after release.  Also, does 
the boot sector (sector 0 on the floppy) have any unusual messages in it, or 
does it lack the normal messages which appear at the end of the sector?  

 CB> In some cases the files on the data disk are just renamed to one on the 
 CB> program disk. Eg we listed "TURBO.EXE" and found it to contain a 
 CB> student's pascal source code.
 CB>  

Again, this could be user error described above....

 CB> Could someone shed some light please..
 CB> I have told the teacher it is most likely home grown and he is sh*tting 
 CB> himself.
 CB>  

Those are my guesses, if you want to send one of the affected diskettes, I'd be
happy to take a look at it and see if it contains an unknown virus or one that 
Scan can't detect.  My mailing address is:

        Patricia Hoffman
        1556 Halford Avenue #127
        Santa Clara, CA 95051


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
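
Added example (not part of any post in this thread): the boot-sector check suggested in Msg# 11401, looking in sector 0 for unusual text or missing standard messages and comparing the sector against a stored checksum. The message fragments, the known-string list and both sample sectors are constructed assumptions, not taken from a specific DOS version or from any virus.

```python
import hashlib
import re

SECTOR_SIZE = 512
# Assumption: message fragments and system-file names of a typical DOS-era
# boot sector; adjust both lists for the DOS version that formatted the disks.
EXPECTED_MESSAGES = (b"Non-System disk", b"Replace and")
KNOWN_STRINGS = EXPECTED_MESSAGES + (
    b"MSDOS", b"IBM", b"IO      SYS", b"NO NAME", b"FAT12")


def read_boot_sector(image_path):
    """Read sector 0 from a raw diskette image file."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def printable_strings(data, min_len=6):
    """Return (offset, bytes) for every run of printable ASCII >= min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pattern, data)]


def inspect_boot_sector(sector, baseline_sha256=None):
    """Summarise what a reviewer would look at in one 512-byte boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes" % SECTOR_SIZE)
    # Skip the last two bytes: the 0x55 0xAA marker is not message text
    # (0x55 is a printable 'U' and would pollute the final string).
    strings = printable_strings(sector[:510])
    missing = [m.decode() for m in EXPECTED_MESSAGES if m not in sector]
    unusual = [(off, s.decode()) for off, s in strings
               if not any(k in s for k in KNOWN_STRINGS)]
    digest = hashlib.sha256(sector).hexdigest()
    return {
        "sha256": digest,
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
        "missing_messages": missing,
        "unusual_strings": unusual,
        "changed_since_baseline":
            baseline_sha256 is not None and digest != baseline_sha256,
    }


def build_sample_sector(tail_text):
    """Constructed sector: jump + OEM name, zero fill, text near the end."""
    head = b"\xeb\x3c\x90" + b"MSDOS3.3"
    fill = bytes(SECTOR_SIZE - 2 - len(head) - len(tail_text))
    return head + fill + tail_text + b"\x55\xaa"


# Constructed sample data, for illustration only.
CLEAN_TAIL = (b"\r\nNon-System disk or disk error"
              b"\r\nReplace and strike any key when ready\r\n\x00"
              b"IO      SYSMSDOS   SYS")
ALTERED_TAIL = b"CONSTRUCTED SAMPLE: unexpected text"

if __name__ == "__main__":
    clean = inspect_boot_sector(build_sample_sector(CLEAN_TAIL))
    altered = inspect_boot_sector(build_sample_sector(ALTERED_TAIL),
                                  baseline_sha256=clean["sha256"])
    for label, report in (("clean", clean), ("altered", altered)):
        print(label, report)
```

Record the checksum while the disk is known to be clean and keep it off the disk being checked; a baseline taken after the alteration confirms nothing.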




Msg#:11402 *Virus Info*
09-18-90 06:47:00 (Read 6 Times)
From: PATRICIA HOFFMAN
  To: SATYR DAZE
Subj: REPLY TO MSG# 11401 (RE: MYSTERY VIRUS??)
 SD> Sorry to butt in ..... you apparently have been infected by the 
 SD> Stoner-Marijuana Virus , quite a few people here in Florida myself 
 SD> included have seen this little beauty.
 SD>  

His symptoms don't match any known variant of the Stoned Virus.

 SD> After disinfecting yourself the damage caused by the virus is 
 SD> unaltered.
 SD>  Backup your harddrive and reformat it, after restoring it.  Delete and 
 SD> redo Autoexec.bat and Config.sys they have both also been altered.
 SD>  

Stoned doesn't alter the AUTOEXEC.BAT or CONFIG.SYS.  It infects floppy disk 
boot sectors and the hard disk partition table.  When it infects, it usually 
moves the original boot sector on floppies to another sector which is usually 
in the root directory, which results in files being lost if the root directory 
had entries in that area.  What is suggested, though, is that before 
disinfecting Stoned, the user backup his/her data files since in approximately 
1 out of 10 cases, the disinfection will result in the partition table being 
lost on hard disks....this occurs with some hard disk controllers.  
  
 SD> Your Hard drive should now be back to snuff .... but before I forget run 
 SD> a utility to mark and lock out bad sectors the Virus may have caused.  
 SD> These unfortunately are not always recoverable.
 SD>  

Stoned doesn't cause bad sectors to be created.  Two possibilities 
here...either the user disinfected after booting from a version of DOS that was
not the same as what he was originally using, or the disk already had the bad 
sectors to begin with.  

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:11403 *Virus Info*
09-18-90 06:55:00 (Read 6 Times)
From: PATRICIA HOFFMAN
  To: SATYR DAZE
Subj: REPLY TO MSG# 10873 (RE: VIRUS SCANNERS....)
 SD> Well you can  Download a Virus scanner from a reputable BBS -- one that 
 SD> actually checks all of its files for viruses --- or go out and 
 SD> purchase a Virus Scanner.  Most of the downloadable stuff is by McAfee 
 SD> Associates, You can purchase Virucide (commercial version) which checks 
 SD> and disinfects your files, also by McAfee Associates for about $30.00. 
 SD> Not a bad buy when you consider the consequences of not having a good 
 SD> scanner.
 SD>  

ViruCide is marketed by Parsons Technologies.  The McAfee product that is sold
directly by McAfee Associates is named Pro-Scan.  

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:11404 *Virus Info*
09-19-90 11:53:00 (Read 5 Times)
From: JAMES DICK
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 11403 (RE: VIRUS SCANNERS....)
On Tue, 18 Sep, Patricia Hoffman wrote to Satyr Daze


 PH > ViruCide is marketed by Parsons Technologies.  The McAfee product 
 PH > that is sold directly by McAfee Associates is named Pro-Scan.  

What are the features and costs of John's Pro-Scan and the ViruCide?

-={ Jim }=-
 


--- QM v1.00
 * Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada 
(1:163/118.0)




Msg#:11405 *Virus Info*
09-19-90 06:11:00 (Read 4 Times)
From: PATRICK TOULME
  To: MIKE MCCUNE
Subj: REPLY TO MSG# 5887 (RE: MOTHER FISH)
 
MM> Everybody was talking about the Mother Fish a few weeks ago. Now that 
MM> it has been out for more than a week, nobody is saying anything about 
MM> it. What's the deal with this virus?
 
 
    I think the deal is that nobody is really sure what it does, how it
does it, and if the programs that look for it find it all the time.  If
a program misses it just once, you'll never be able to get it off a
system.


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:11406 *Virus Info*
09-20-90 08:19:00 (Read 4 Times)
From: RICK THOMA
  To: WHOMEVER
Subj: MCRC CHECKER
Some weeks ago, I mentioned a CRC checking utility I DL'd from Compu$erve, 
MCRC.  I found it in a pile of old floppies. Now, who was interested in seeing 
it?

--- FD 2.00
 * Origin: Village BBS, Mahopac, NY  914-621-2719 *HST* (1:272/1)




Msg#:11407 *Virus Info*
09-19-90 15:48:00 (Read 5 Times)
From: RON LAUZON
  To: GARY MOYER
Subj: REPLY TO MSG# 11404 (RE: VIRUS SCANNERS....)
They are pretty accurate, but remember this:  I have been BBS-ing (downloading 
a lot) for over 7 years now.  I have called BBSs across the US and I have never,
first hand, seen a virus.  That right there says something about how much hype 
the virus scares are.

Also, remember something about the virus scan programs:  They only find *known*
viruses.  If someone writes a new virus, you are vulnerable.  You might want to
check out something like Flu Shot+ if you want peace of mind.

--- Telegard v2.5i Standard
 * Origin: The Flight of the Raven (313)-232-7815 (1:2200/107.0)




Msg#:11408 *Virus Info*
09-20-90 16:13:00 (Read 4 Times)
From: PAUL FERGUSON
  To: PATRICIA HOFFMAN
Subj: PROSCAN
Patti...
    I realize that this question should probably be directed to
HomeBase and John, but since someone has already brought it up here
within the conference, I'll go ahead and post it =anyway=....
   You could you, by chance, the "enhancements" that Pro Scan vs.
ViruScan......What are the differences in performance and
effectiveness?  How should (if it is, I don't see how) =shareware=
suffer because of the nature of the beast, so to speak? And, is it at
all? From what I can gather, the majority of  funds are drawn from site
licensing.....I would like to be able to rely (as I have) on a
plethora of detection utilities to maintain the constant "drop-net"
within my own systems while making sure that any products that I may
suggest for negotiated license through contacts will =remain= "top of
the line". Pretty shaky forum topic but a dilemma nonetheless.
  
Awaiting comments from the field   ;-)
 
Salutations from Capitol Hill
-Paul


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:11409 *Virus Info*
09-20-90 20:44:00 (Read 5 Times)
From: SATYR DAZE
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 11402 (RE: MYSTERY VIRUS??)
 
Hi Patti 
 
        He stated that he received a screen message informing him that his 
System was Stoned.  I might be mistaken, but I'm sure that that is the Stoner-B
virus Signature.
 
And while I agree that the Stoner Virus is known To attack the Boot Sector and 
Partition Table.  This is what we saw in our Variant down here.  After 
disinfecting the system, a backup was made.  The Hard Drive was then Reformatted, 
but still would not Boot up correctly.  It wasn't until the Autoexec and 
Config files were deleted that it would.
 
Oops ... I stand Corrected on Bad Sectors, I meant to run a utility to check 
for bad file linkages.
 
Thanks for your info though, I just wish whoever keeps creating Variants would 
turn their obvious Talents to something more useful.
 
       
                                                   The Satyr Daze
--- TBBS v2.1/NM
 * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748  (1:135/2)




Msg#:11410 *Virus Info*
09-20-90 20:54:00 (Read 5 Times)
From: SATYR DAZE
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 11407 (RE: VIRUS SCANNERS....)
Hi Again,
 
            While Parsons Technology may Market it, McAfee Assoc. has the 
Software Copyright
--- TBBS v2.1/NM
 * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748  (1:135/2)




Msg#:11411 *Virus Info*
09-20-90 18:46:00 (Read 4 Times)
From: JIM HOBBS
  To: SATYR DAZE
Subj: REPLY TO MSG# 9641 (RE: ANTI VIRUS VIRUSES)
 > But these were never allowed to get beyond that scope, Virus programs were
 > never destructive until the "Core Wars".  Opposing Programmers would
 > create self-replicating programs that when they encountered other
 > self-replicators would try to devour them.  Incidentally it was called "Core
 > Wars" because the game itself took place in Core Memory .  These young
 > Programmers were actually quite small in number and never publicly
 > discussed what they were doing.  If any blame is to be attached it should
 > be to Ken Thompson who went public with the process in 1983..... at that
 > point it was "Discovered" by university students who began creating the real
 > nasties ..... Today many strains are just variation of their original work.
 
I seem to recall that it was pretty well public by, say, 1974.  Some operating 
systems even had features named after it.  I recall it in the singular (Core 
War), by the way, but I wasn't taking notes!
 
--- Dutchie V2.91d
 * Origin: Perelandra (1:203/42.386)




Msg#:13385 *Virus Info*
09-29-90 09:01:00 (Read 4 Times)
From: PATRICIA HOFFMAN
  To: ALL
Subj: NODELIST PROBLEMS
This is an FYI....If you are trying to poll or send netmail to my system, you 
could have a problem if you apply NodeDiff.271 which is being distributed this 
weekend.  Net 204, of which I am a member, was inadvertently dropped from 
the nodelist with this nodediff.  It should be back in place with the following
nodediff.  

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:13386 *Virus Info*
09-29-90 09:05:00 (Read 4 Times)
From: PATRICIA HOFFMAN
  To: JAMES DICK
Subj: NEW RELEASES DELAYED
 JD> Patti, is there any chance of the VSUM???? being formatted with page 
 JD> breaks at 60 lines/page and after each virus description.  And page 
 JD> numbering and an index would help find the various descriptions.  
 JD> 

Not in the real near term future since almost all of my free time for the last 
few months has been used for researching and updating it for new viruses and 
variants.  I won't be looking at the formatting again until the volume of new 
samples being received is lower, there are only so many hours in a day..... 

VSUM is purposely distributed as an ASCII file so that it can be used by anyone
regardless of what type of computer they have.


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:13927 *Virus Info*
09-28-90 17:03:00 (Read 5 Times)
From: KEN DORSHIMER
  To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 11410 (RE: VIRUS SCANNERS....)

 ...at a time when Western civilization was declining
    too rapidly for comfort, yet too slowly to be very
    exciting Tom Smith @ 930/1 was saying:

 TS> working directory is removed. I don't know if the few seconds that an
 TS> infected COM or EXE exists in the working directory would give it time
 TS> to propagate to other files or not; I've never run into an infection,

sounds impossible as the .COM and .EXE files are never actually run. they
can't infect your system if you don't run them.
common misconception. the same idea as if you had a disk with a virus sitting
in a box of disks without viruses. the infected disk can't magically infect
the other disks. fortunately computers aren't people and don't get airborne
viruses. :-)

 ...space is merely a device to keep everything from being
    in the same spot...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)




Msg#:14132 *Virus Info*
09-24-90 17:50:00 (Read 5 Times)
From: ALAN DAWSON
  To: YASHA KIDA
Subj: REPLY TO MSG# 13927 (RE: VIRUS SCANNERS....)
 YK> To say they are great programmers is like saying LEE HARVEY 
 YK> OSWALD was a great shot.
     
I hear you, Yasha, and I'm not arguing with you. But the fact is that 
some of the new, first-generation assembler viruses ARE both 
inventive and original programming. Oswald wasn't a great shot; he 
was a Marine for goodness sake. It's not SUPPORTING perverts to say 
that Hitler was a great leader or that Machiavelli was an original 
political thinker-essayist. 
     
 YK>  * Origin: Bragg IDBS, (82nd - they can kick Iraqs booty) 

Boy, THAT takes me back. That's where *I* left CONUS for, um, 
"Southeast Asia." 23 years ago. Uh! That hurt. Cheers.
   - From Thailand, a warm country in more ways than one.     





--- Opus-CBCS 1.13
 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)




Msg#:14133 *Virus Info*
09-29-90 20:31:00 (Read 5 Times)
From: JOHN O'CONNOR
  To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 14132 (RE: VIRUS SCANNERS....)
 TS> Satyr, watching Shez work in virus scan mode's most interesting.

 TS> I don't know if the few seconds that an infected COM or EXE 
 TS> exists in the working directory would give it time to propagate 
 TS> to other files or not; I've never run into an infection, yet, 
 TS> on my home system, although we did hit upon one at work.
 
        At this stage a suspected COM or EXE file is being treated as
        DATA, as far as the virus scanner is concerned. It is just
        reading the file looking for known virus code.

        For a virus to trigger and infect a system, an infected program
        must be RUN. Until the CPU is fed virus code as instructions to
        run, there is no danger. When scanning for virus code, (within
        SHEZ or not) the program with control of the CPU is SCAN.EXE.
 
        It does not test-run suspected programs to check them for virii,
        it simply reads them.


        JOC



--- via Silver Xpress V2.27 [NR]
 * Origin: Sunmap Multline BBS - Brisbane - Australia (3:640/206)




Msg#:14134 *Virus Info*
09-30-90 19:24:00 (Read 4 Times)
From: KEN JONES
  To: RON LAUZON
Subj: RE: NARROW VIEW
 >  In all
 > those years, I have never seen a virus.  Moreover, I have never
 > talked to
 > anyone (on the BBSs or face to face) who ever encountered a virus.
 >  That says

Hmmm.... I thought I could say that a few months ago. I was called into work 
early one day because one of the p/c's was acting strange. A scan of the drive 
said it had a Jerusalem B virus, 2 days later a friend called and asked what 
was the best way of removing the Jerusalem B virus. This was a different system
completely some 40 miles away. Then to top it off 2 sysops in the area called 
and left messages on my system that they would be down till they removed, you 
got it, the Jerusalem B again. This all took place in less than 5 days. In 
those 5 days it popped up in:
San Francisco
Fairfield
Oakland
San Leandro

I left as quick as it hit, I'm sure there were other unknown systems in the 
area that had it also, it just seems strange that the small circle I'm involved
with, 4 totally unrelated systems were hit.

The source of the virus is still a mystery, the only thing that was in common 
was each system had a file on it called MIRROR.   I forgot what the extension 
was.
Well that's my 2 cents

--- Telegard v2.5i Standard
 * Origin: The Twilight Zone (415)-352-0433 (1:161/88.0)




Msg#:14135 *Virus Info*
09-30-90 16:27:00 (Read 4 Times)
From: TOM PREECE
  To: RON LAUZON
Subj: REPLY TO MSG# 14134 (RE: NARROW VIEW)
How prudent can you be?  As many others have been I was infected by commercial 
software provided to me by an upright and legitimate computer dealer.  Scan 
allowed me to survive and thrive.  Otherwise I wouldn't be here.
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#:14136 *Virus Info*
10-01-90 18:18:00 (Read 4 Times)
From: TOM PREECE
  To: ALL
Subj: VIRUS - TROJANS FOR EVERYONE.
Locally we experienced a trojan that was an exe file compiled by a utility that
converts .bat to .exe files.  The file purported to be a means to provide mnp5 
performance from an ordinary modem.  In fact the compiled bat instructions 
destroyed the C: drive.
 
What bothers me about this is the simplicity with which anybody could do this. 
I have the Bat2exec.zip file which performs the conversions.  I have not used 
it because the majority of my bat files are short fast executing things anyway.
 
Has anybody else encountered the problem and is there any sort of generic 
defense that we might arrange against the generic attack files which may 
follow?
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#:14137 *Virus Info*
10-01-90 18:24:00 (Read 4 Times)
From: TOM PREECE
  To: KEN JONES
Subj: REPLY TO MSG# 14135 (RE: NARROW VIEW)
Ken I live in Hayward.  I believe my system was infected by a Disk Manager 
diskette provided to me by a dealer who admitted that some of his systems were 
infected by the jeru B virus.
 
Naturally he wanted to tell me that I had picked up my infection from a BBS. 
Strange to relate, none of the local boards to which I restrict my calling had 
this infection.
 
This dealer was in Sunnyvale.   If that raises any suspicions from the list of 
boards that you are referring to, why don't you call me voice some evening 
before 7:00 (lock up the phone with BBS'ing after that usually) and I'll tell 
you the dealer name.
 
They claim to have dealt with the problem so I don't want to smear them perhaps
inappropriately.  My home number is 415-889-0898.  My work number if you want 
to try (I might not be there) is 415-744-7577.
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#:15496 *Virus Info*
09-22-90 19:32:00 (Read 4 Times)
From: PAUL FERGUSON
  To: RON LAUZON
Subj: REPLY TO MSG# 14137 (NARROW VIEW)
Ron,
  With all due respect, my friend...if you continue along with the
narrow frame of mind that you seem so intent on inflicting upon others,
then we all should take heed. For the reason that =you= have never been
confronted with any viral types is certainly no reason to make light of
the situation (you're in the wrong conference for that). You'd be quite
surprised just how many that I've run across just within my clients and
our audit sites alone....simply mind boggling what the average user can
pick up along the way. You obviously seem to be in =no= position to be 
suggesting =any= Anti Viral detection/removal utilities that you have not
=personally= tried yourself, and I think that we all would benefit from
any such conjecture from anyone who has not personally been inflicted
by the scourge. I do not know what locale that you are dealing with,
but here in the nation's capital, we seem to be constantly a target for
malcontents. Cheers, Ron.....No harm intended, just fact....
 
Salutations from Capitol Hill
-Paul


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:15497 *Virus Info*
09-23-90 12:20:00 (Read 4 Times)
From: SATYR DAZE
  To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 14133 (RE: VIRUS SCANNERS....)
 
While I've heard of "it", I haven't actually seen it yet.  Does it work on all 
types of File-Compression files?  You said it uncompresses it to a working 
Directory; is this before or after it checks it out?  If before then what is the
benefit, or does it load these files into memory somehow ???
 
 
                                                   The Satyr
--- TBBS v2.1/NM
 * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748  (1:135/2)




Msg#:15503 *Virus Info*
09-23-90 07:14:00 (Read 6 Times)
From: PATRICIA HOFFMAN
  To: SATYR DAZE
Subj: REPLY TO MSG# 11409 (RE: MYSTERY VIRUS??)
 SD>         He stated that he received a screen message informing him that 
 SD> his System was Stoned.  I might be mistaken, but I'm sure that that is 
 SD> the Stoner-B virus Signature.

Hmmm....the message when it got here didn't have anything in it saying it 
displayed a message on boot, just that they found that the boot sector had been
altered somehow after a week of noticing the problems.  

 SD>  
 SD> And while I agree that the Stoner Virus is known To attack the Boot 
 SD> Sector and Partition Table.  This is what we saw in our Variant down 
 SD> here.  After disinfecting the system, a backup was made.  The Hard Drive 
 SD> was then Reformatted, but still would not Boot up correctly.  It wasn't 
 SD> until the Autoexec and Config files were deleted that it would.
 SD>  
 SD> Oops ... I stand Corrected on Bad Sectors, I meant to run a utility to 
 SD> check for bad file linkages.
 SD>  

Did you by any chance low-level format the drive, or just do a regular format? 
Also, when you disinfected, are you sure you used the same version of DOS to 
boot from before disinfecting?  

 SD> Thanks for your info though, I just wish whoever keeps creating 
 SD> Variants would turn their obvious Talents to something more useful.
 SD>  
 
You aren't the only one....


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:15504 *Virus Info*
09-23-90 07:23:00 (Read 5 Times)
From: PATRICIA HOFFMAN
  To: SATYR DAZE
Subj: REPLY TO MSG# 15497 (RE: VIRUS SCANNERS....)
 SD>             While Parsons Technology may Market it, McAfee Assoc. has 
 SD> the Software Copyright

True...and I've already indicated that ViruCide is essentially the McAfee 
Associates' Pro-Scan product with a different name since it is licensed to and 
marketed by Parsons Technology.  The reason I brought up the point was that if
someone wants to buy this product, they need to contact Parsons Technology.  If
they contact McAfee Associates, they will get referred to Parsons....same with 
upgrades, etc. 

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:15505 *Virus Info*
09-23-90 07:30:00 (Read 5 Times)
From: PATRICIA HOFFMAN
  To: PHILLIP LAIRD
Subj: REPLY TO MSG# 9382 (RE: VIRUS AT LAMAR)
 PL> The best cleanup for a virus however, is the Delete command to delete 
 PL> the infected files.  If the partition table was affected, then it 
 PL> could be the Stoned II virus that got him.  How about having this 
 PL> gentleman to call me voice and see what I can do to help him.
 PL> 

Very good advice!  There are a lot of files that won't disinfect correctly, 
such as programs that use internal overlays, or files that have the length set 
in the .EXE header incorrectly to begin with....so running a disinfector can 
result in the infected file not working correctly after disinfection.  The only
saving grace is that the program probably didn't run correctly before 
disinfection either since in the case of files with internal overlays, the 
virus would have overlayed part of the program.  Also, disinfectors typically 
can only disinfect the more common viruses since they account for 90%+ of all 
infections, or new viruses which are thought will be a future problem due to 
their characteristics.  If you are unlucky enough to get a rare virus, then you
would have to replace all the programs.

The only advice I would add is if someone is infected with any of the viruses 
which infect the partition table, they should backup critical data files they 
can't afford to lose before attempting to disinfect the system.  There are 
some combinations of DOS/BIOS/Hardware which, when disinfected, can result in 
the hard drive becoming inaccessible (happens in about 10% of the Stoned/Stoned
II cases).  

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
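
The two file conditions named in the message above (internal overlays, and an .EXE header whose length field is wrong) can be flagged before a disinfector is run by comparing the length declared in the MZ header with the real file length. This is an added example, not code from the message or from any product named here; it assumes internal overlays sit after the declared load image, and every sample file is constructed in memory.

```c
/* Added example: pre-disinfection sanity check on a DOS .EXE (MZ) header.
   All sample files are constructed in memory; nothing is read from disk. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 512L          /* MZ headers count file length in 512-byte pages */
#define MZ_HEADER_MIN 28   /* size of the fixed part of the MZ header */

typedef enum {
    EXE_NOT_MZ,            /* no "MZ" signature, or too short for a header */
    EXE_BAD_HEADER,        /* page count 0, or last-page byte count > 511 */
    EXE_LEN_MATCH,         /* declared length equals the file length */
    EXE_DATA_PAST_IMAGE,   /* file is longer: overlay or appended data */
    EXE_SHORTER_THAN_HDR   /* file is shorter than the header claims */
} exe_status;

/* Little-endian 16-bit read. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Header + load image length as declared by the MZ header:
   offset 2 = bytes used in the last page (0 means the page is full),
   offset 4 = number of pages, counting a partial last page. */
static long declared_length(uint16_t last_page_bytes, uint16_t pages)
{
    if (pages == 0 || last_page_bytes >= PAGE) return -1;
    if (last_page_bytes == 0) return (long)pages * PAGE;
    return (long)(pages - 1) * PAGE + last_page_bytes;
}

/* Classify a file image. *extra (optional) receives file length minus
   declared length: positive means bytes beyond the load image. */
exe_status classify_exe(const uint8_t *file, size_t len, long *extra)
{
    long declared;
    if (extra) *extra = 0;
    if (len < MZ_HEADER_MIN || file[0] != 'M' || file[1] != 'Z')
        return EXE_NOT_MZ;
    declared = declared_length(rd16(file + 2), rd16(file + 4));
    if (declared < 0) return EXE_BAD_HEADER;
    if (extra) *extra = (long)len - declared;
    if ((long)len == declared) return EXE_LEN_MATCH;
    return (long)len > declared ? EXE_DATA_PAST_IMAGE : EXE_SHORTER_THAN_HDR;
}

/* Build a constructed file of file_len bytes (capped at 4096) with the
   given header fields, then classify it. */
exe_status check_sample(uint16_t last_page_bytes, uint16_t pages,
                        size_t file_len, long *extra)
{
    static uint8_t buf[4096];
    if (file_len > sizeof buf) file_len = sizeof buf;
    memset(buf, 0, sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[2] = (uint8_t)(last_page_bytes & 0xFF);
    buf[3] = (uint8_t)(last_page_bytes >> 8);
    buf[4] = (uint8_t)(pages & 0xFF);
    buf[5] = (uint8_t)(pages >> 8);
    buf[8] = 2;   /* header size in 16-byte paragraphs (constructed value) */
    return classify_exe(buf, file_len, extra);
}

static const char *status_name(exe_status s)
{
    switch (s) {
    case EXE_NOT_MZ:           return "not an MZ executable";
    case EXE_BAD_HEADER:       return "malformed length fields";
    case EXE_LEN_MATCH:        return "header length matches file";
    case EXE_DATA_PAST_IMAGE:  return "data past load image (overlay?)";
    case EXE_SHORTER_THAN_HDR: return "file shorter than header claims";
    }
    return "?";
}

int main(void)
{
    /* Constructed cases: last-page bytes, page count, real file length. */
    static const struct { uint16_t last, pages; size_t len; } cases[] = {
        { 0,   3, 1536 },   /* 3 full pages, lengths agree          */
        { 276, 3, 1300 },   /* 2 pages + 276 bytes, lengths agree   */
        { 276, 3, 2000 },   /* 700 bytes beyond the declared image  */
        { 0,   3, 1000 },   /* header claims more than the file has */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long extra;
        exe_status s = check_sample(cases[i].last, cases[i].pages,
                                    cases[i].len, &extra);
        printf("len=%lu: %s (difference %ld)\n",
               (unsigned long)cases[i].len, status_name(s), extra);
    }
    return 0;
}
```

Files reported as anything other than a length match are the ones to back up and plan to restore from original media rather than trust to a disinfector.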




Msg#:15506 *Virus Info*
09-23-90 07:37:00 (Read 5 Times)
From: PATRICIA HOFFMAN
  To: ALL
Subj: REPLY TO MSG# 13386 (NEW RELEASES DELAYED)
The next release of the McAfee Associates programs scheduled for September 25 
have been rescheduled to October 2 or 3, according to the call I received 
yesterday from McAfee himself.  The delay is to allow them to complete some 
addition of new features to the programs.  If you call Homebase to pick up these
programs, hold off until the 3rd so that you don't have an unneeded 
long-distance call.... 

Due to illness and having one of my two test machines having intermittent 
hardware problems, I'm going to be also delaying the release of the new version
of the Virus Information Summary List until October 2 or 3 as well.  The 
additional week in there is to make sure the Whale virus makes it into the new 
version of the listing, as well as insuring that almost (if not) all of the new
viruses and variants I've received are included.  The October 2 or 3 release 
will be VSUM9009.Zip, there will still be an October release which is scheduled
for late October though they will be just two or three weeks apart.  The 
October release will also include another new "section" to the list that 
several people have indicated they thought would be useful.... <grin>....more 
about that right before the release date.

Hopefully, this message will allow some of the non-Silicon Valley users of the 
McAfee programs and my listing to avoid long-distance charges if picking up new
releases is their primary reason to place the calls.... 

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:15507 *Virus Info*
09-23-90 09:57:00 (Read 4 Times)
From: BEN SAMMAN
  To: ALL
Subj: QUICK QUESTION.
I just got my system trashed twice..by the same bug if it is one..or if it's 
hardware...

What it does is it causes the drive(hard drive mind you) light to flash on and 
off intermittently with intervals of 1 second...the hard drive becomes 
unusable till midnight the next day...

Has there been other reports of such a virus?

--- Telegard v2.5i Standard
 * Origin: The Twilight Zone (415)-352-0433 (1:161/88.0)




Msg#:15508 *Virus Info*
09-22-90 09:24:00 (Read 4 Times)
From: PAUL LOEBER
  To: RON LAUZON
Subj: REPLY TO MSG# 15504 (RE: VIRUS SCANNERS....)

 >They are pretty accurate, but remember this:  I have been BBS-ing 
 >(downloading a lot) for over 7 years now.  I have called BBSs 
 >across the US and I have never, first hand, seen a virus.  
 >That right there says something about how much hype the virus 
 >scares are.


I used to say that, too.  In fact, I used almost the same, exact words. 
However, recently almost all of the PC's at the college where I teach
information systems got the Stoner virus.  Since I have students turn in
disks as homework, had I not taken the appropriate precautions, my machine
would have become "stoned" as well.  Currently, several of my users who work
for Ford have "caught" the Joshi (sp?) virus and have been on my board
looking for the "cure".  I no longer have a cavalier attitude when it comes
to viruses.

--- TAGMAIL v2.30
 * Origin: Downriver Download (1:120/137)




Msg#:15509 *Virus Info*
09-25-90 10:47:00 (Read 4 Times)
From: SCOTT HOWELL
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 15506 (RE: NEW RELEASES DELAYED)
 >To: All
 >
 >version of the Virus Information Summary List until October 2 or 3 as well.
 >The additional week in there is to make sure the Whale virus makes it into
 >the new version of the listing, as well as insuring that almost (if not)
 >all of the new viruses and variants I've received are included.  The
 >October 2 or 3 release will be VSUM9009.Zip, there will still be an October
 >release which is scheduled for late October though they will be just two or
 >three weeks apart.  The October release will also include another new
 >"section" to the list that several people have indicated they thought would
 >be useful.... <grin>....more about that right before the release date.


     If this list is available via file request I would be most interested in 
picking a copy up from you when it is made available.  I am always trying to 
keep my users up to date with the latest scan utils and virus listings. Any 
help would be very much so appreciated.

                               Scott Howell

--- SLMAIL v1.36M  (#0264)
 * Origin: Foundation BBS * College Park, MD * (109:109/521)




Msg#:15510 *Virus Info*
09-25-90 19:03:00 (Read 4 Times)
From: TONY JOHNSON
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2896 (COMMUNICATION VIRALS)
 PH> I believe one of them is Prodigy, which requires their software to be
 PH> running on your system in order for you to be able to access them.

QLINK is another service of which you MUST run their software in order to take 
part in the service.  Another cute thing about it is that only Commodore 
systems can use the stuff.  (QLink.... Quantum Link)


--- QM v1.00
 * Origin: The 286 Express (504-282-5817) (1:396/30.0)




Msg#:17267 *Virus Info*
09-27-90 14:22:00 (Read 4 Times)
From: RICK THOMA
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 9640 (MCRC)
 >    I'm always interested in anything that may be of =some= value
 > to the computing community...

   Let me give you a quick rundown.  The file is about a year and a half old, 
and claims to use some proprietary CRC mechanism.  I'll zip it up as 
"MCRC.ZIP", and you may request it by the time this message reaches you.  I 
would imagine the docs tell you how to get in touch with the author for an 
updated version.

--- FD 2.00
 * Origin: Village BBS, Mahopac, NY  914-621-2719 *HST* (1:272/1)




Msg#:17268 *Virus Info*
09-27-90 07:59:00 (Read 4 Times)
From: JAMES DICK
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 15509 (NEW RELEASES DELAYED)
On Sun, 23 Sep, Patricia Hoffman wrote to All

 PH > intermittent hardware problems, I'm going to be also delaying the 
 PH > release of the new version of the Virus Information Summary List until 
 PH > October 2 or 3 as well.  The additional week in there is to make sure 

Patti, is there any chance of the VSUM???? being formatted with page breaks at 
60 lines/page and after each virus description.  And page numbering and an 
index would help find the various descriptions.  

-={ Jim }=-
 


--- QM v1.00
 * Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada (1:163/118.0)




Msg#:17756 *Virus Info*
10-01-90 02:24:00 (Read 4 Times)
From: REINHARDT MUELLER
  To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 15508 (VIRUS SCANNERS....)
In a message to Satyr Daze <26 Sep 90 23:15:00> Tom Smith @ 930/1 wrote:

 TS> The routine is this:  1)  You select, from Shez's file
 TS> listing, the archive you want to check.  2) Shez examines the archive,
 TS> finds the EXE and COM files, and, automatically, selects the proper
 TS> archiving program to use in uncompressing them.  3)  The COM and EXE
 TS> files are unpacked into a working directory automatically created by
 TS> Shez, called Z#, when it first fires up.  4)  SCAN is started, with 
 TS> the file names passed to it by Shez, which then looks into the working
 TS> directory and checks the specified files for viruses.  5)  After 
 TS> SCAN finishes, Shez deletes the files.  6)  When Shez is exited, 
 TS> the working directory is removed.

NO!!  Your system won't get infected unless you RUN one of those
infected .COM or .EXE files.  A virus can only do its thing
if it is executed.  Reading it isn't enough.


--- [MicrStar] via TComm XRS 3.1
 * Origin: Loose as a goose, boys!  Here we go! <patooie!> (TComm 1:343/17.1)




Msg#:17757 *Virus Info*
10-02-90 22:47:00 (Read 4 Times)
From: PHILLIP LAIRD
  To: KEN JONES
Subj: REPLY TO MSG# 15496 (RE: NARROW VIEW)
Same problem in this area. Strange, but there are about three strains at the 
University I work at.  From the Business Computer Lab, Pakistani Brain is 
spread, from the Computer Science Lab, Stoned and Stoned II is spread, from the
Engineering Lab, it is Jerusalem B  and the Library PC Lab - ALL of the Above! 
Why does it happen like that?  Hmmm..... I suppose this might tell us something
about targeted groups if there was such a plan....

--- TAGMAIL v2.40
 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49)




Msg#:17759 *Virus Info*
10-02-90 14:37:00 (Read 4 Times)
From: KEN JONES
  To: TOM PREECE
Subj: REPLY TO MSG# 17757 (RE: NARROW VIEW)
The p/c out at work has a very narrow range of users, it's totally menu driven 
and on the most part, locked up. Via software and the key [wow someone really 
does use it]. Of the few users that do use it, one of them attends a junior 
college in the west bay. We're pretty sure he was the source of the infected 
file, but really no one will ever know for sure.  I guess it could be 
possible to have a known source like you said. It seems really odd that they 
would come out and openly admit something like that. I guess on one hand they 
are trying to be the totally honest dealer, but on the other it looks like 
they are cutting their own throat on credibility

--- Telegard v2.5i Standard
 * Origin: The Twilight Zone (415)-352-0433 (1:161/88.0)




Msg#:17760 *Virus Info*
09-30-90 15:57:00 (Read 4 Times)
From: MIKE MCCUNE
  To: ORI BERGER
Subj: DETECTING STEALTH VIRUSES
In a message on September 7 to Patrick Toulme you wrote...
>However, the 4096 is still lurking in thousands of
>computers in Israel and is causing major problems. Due to lack of widely
>available detection/removal programs, when a virus hits Israel, it stays
>there, especially when it is as "invisible" as the 4096.
Here is a simple detection program that will detect the 4096 while it is
in memory. It will not become infected by the 4096 (the 4096 thinks the
file is already infected). I wrote it for the shareware A86, but it should
assemble with MASM, TASM or WASM with few modifications.
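ADD     [BX+SI],AL      ; each of these three assembles to the bytes 00 00
ADD     [BX+SI],AL
ADD     [BX+SI],AL
MOV AX,3521h            ; DOS function 35h: get the vector for interrupt 21h
INT 21h                 ; handler address is returned in ES:BX
ES:                     ; A86 segment-override prefix for the next instruction
CMP B[BX],0EAh          ; is the first byte of the handler a far JMP (0EAh)?
JE FOUND
MOV AH,9h               ; DOS function 09h: print the '$'-terminated string at DS:DX
LEA DX,NOT_FOUND_MESSAGE
INT 21h
INT 20h                 ; terminate the program
NOT_FOUND_MESSAGE:
DB 'Stealth Virus not found in memory$'

FOUND:
MOV AH,9h
LEA DX,FOUND_MESSAGE
INT 21h
INT 20h
FOUND_MESSAGE:
DB 'Stealth Virus active in memory$'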



This program should also detect the Fish-6 and Mother Fish
(Whale) viruses, since they use the same method to redirect
interrupts.
The next message will describe how to remove the 4096...<MM>


--- Opus-CBCS 1.13
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)
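
The test in the listing above (fetch the INT 21h vector, then check whether the handler's first byte is the far-JMP opcode 0EAh) can also be run offline against a memory snapshot. This is an added example, not Mike McCune's code: it assumes a 1 MiB real-mode image, reads the vector straight from the interrupt vector table instead of asking DOS, and uses made-up handler and jump-target addresses.

```c
/* Added example: the listing's "does the INT 21h handler begin with a far
   JMP?" test, run against a constructed real-mode memory image. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   0x100000UL  /* 1 MiB real-mode address space */
#define ADDR_MASK  0xFFFFFUL   /* 20-bit addresses wrap on an 8086 */
#define OP_JMP_FAR 0xEA        /* JMP ptr16:16 */

typedef struct {
    uint16_t seg, off;          /* handler address taken from the IVT */
    int      far_jmp_at_entry;  /* 1 if the first handler byte is 0EAh */
    uint16_t jmp_seg, jmp_off;  /* far-jump target, valid only if flagged */
} vector_report;

static uint8_t mem[MEM_SIZE];   /* constructed memory snapshot */

/* segment:offset -> linear address */
static uint32_t linear(uint16_t seg, uint16_t off)
{
    return (uint32_t)((((uint32_t)seg << 4) + off) & ADDR_MASK);
}

static uint8_t rd8(uint32_t a) { return mem[a & ADDR_MASK]; }

static uint16_t rd16(uint32_t a)
{
    return (uint16_t)(rd8(a) | (rd8(a + 1) << 8));
}

static void wr16(uint32_t a, uint16_t v)
{
    mem[a & ADDR_MASK] = (uint8_t)(v & 0xFF);
    mem[(a + 1) & ADDR_MASK] = (uint8_t)(v >> 8);
}

/* Snapshot equivalent of INT 21h/AX=35xxh: IVT entry n lives at n*4,
   offset word first, then segment word. */
vector_report inspect_vector(uint8_t intno)
{
    vector_report r;
    uint32_t entry;
    memset(&r, 0, sizeof r);
    r.off = rd16((uint32_t)intno * 4);
    r.seg = rd16((uint32_t)intno * 4 + 2);
    entry = linear(r.seg, r.off);
    if (rd8(entry) == OP_JMP_FAR) {     /* same test as CMP B[BX],0EAh */
        r.far_jmp_at_entry = 1;
        r.jmp_off = rd16(entry + 1);    /* operand: offset, then segment */
        r.jmp_seg = rd16(entry + 3);
    }
    return r;
}

/* Constructed sample: the INT 21h vector points at 0070:1234.
   patched == 0: handler begins with CMP AH,4Bh (80 FC 4B), an arbitrary
                 non-jump instruction.
   patched == 1: handler begins with JMP FAR 9F00:0100. */
vector_report inspect_sample(int patched)
{
    uint32_t entry = linear(0x0070, 0x1234);
    memset(mem, 0, sizeof mem);
    wr16(0x21 * 4, 0x1234);
    wr16(0x21 * 4 + 2, 0x0070);
    if (patched) {
        mem[entry] = OP_JMP_FAR;
        wr16(entry + 1, 0x0100);
        wr16(entry + 3, 0x9F00);
    } else {
        mem[entry] = 0x80; mem[entry + 1] = 0xFC; mem[entry + 2] = 0x4B;
    }
    return inspect_vector(0x21);
}

int main(void)
{
    int patched;
    for (patched = 0; patched <= 1; patched++) {
        vector_report r = inspect_sample(patched);
        printf("INT 21h -> %04X:%04X ", (unsigned)r.seg, (unsigned)r.off);
        if (r.far_jmp_at_entry)
            printf("begins with JMP FAR %04X:%04X\n",
                   (unsigned)r.jmp_seg, (unsigned)r.jmp_off);
        else
            printf("no far JMP at entry\n");
    }
    return 0;
}
```

A match only says the handler begins with a far jump. Any resident program whose handler starts the same way would also match, so treat the result as a lead to confirm with a scanner run from a clean boot.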




Msg#:17761 *Virus Info*
09-30-90 16:05:00 (Read 4 Times)
From: MIKE MCCUNE
  To: PAUL LOEBER
Subj: STONED AND JOSHI VIRUSES
In a message dated September 22, you stated that several people you know were 
looking for removers for the Stoned and Joshi viruses. I posted removers for 
both of these viruses on this echo several weeks ago. If you can't find them, I
will repost them. The postings were assembler source codes; if you need 
executable files, leave me a number where I can call you....<MM>.


--- Opus-CBCS 1.13
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)




Msg#:17762 *Virus Info*
09-30-90 11:10:00 (Read 4 Times)
From: DUANE BROWN
  To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 17756 (VIRUS SCANNERS....)
 T9>archiving program to use in uncompressing them.  3)  The COM
 T9>and EXE
 T9>files are unpacked into a working directory automatically
 T9>created by
...
 T9>I don't know if the few seconds that an infected COM or EXE
 T9>exists in
 T9>the working directory would give it time to propagate to
 T9>other files or

Since the program while it was in the directory was not *executed*, then there 
isn't any danger.  
 
--- 
 * Origin: End of the Line. Stafford, Va. (703)720-1624. (1:274/16)




Msg#:17763 *Virus Info*
10-03-90 19:33:00 (Read 4 Times)
From: TOM PREECE
  To: KEN JONES
Subj: REPLY TO MSG# 17759 (RE: NARROW VIEW)
They never admitted they were the source.  I told them later after I had 
confirmed and disinfected my system that I thought they were.  At that point 
they reported that they had disinfected all of their machines.  I pointed out 
that they had handed me not an infected system but an infected used diskette. 
The guy kind of choked and promised he would look into it.
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#:17764 *Virus Info*
10-04-90 11:15:00 (Read 4 Times)
From: CHARLES HANNUM
  To: KEN JONES
Subj: REPLY TO MSG# 17763 (RE: NARROW VIEW)
 >>  In all
 >> those years, I have never seen a virus.  Moreover, I have never
 >> talked to
 >> anyone (on the BBSs or face to face) who ever encountered a virus.
 >>  That says

I'm inclined to echo this.  In my experience, anything unusual is instantly
called a "virus", even though it's usually pilot error.

However, I *do* run ViruScan on everything I download.  Never found a virus.
Of course, that doesn't mean there *isn't* one...

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#:17765 *Virus Info*
10-03-90 08:16:00 (Read 4 Times)
From: JERRY MASEFIELD
  To: TOM PREECE
Subj: REPLY TO MSG# 14136 (VIRUS - TROJANS FOR EVERYONE.)
 > Locally we experienced a trojan that was an exe file compiled by a
 > utility that converts .bat to .exe files.  The file purported to be a
 > means to provide mnp5 performance from an ordinary modem.  In fact the
 > compiled bat instructions destroyed the C: drive.  What bothers me about
 > this is the simplicity with which anybody could do this.  I have the
 > Bat2exec.zip file which performs the conversions.  I have not used it
 > because the majority of my bat files are short fast executing things
 > anyway.
 >
 > Has anybody else encountered the problem and is there any sort of
 > generic defense that we might arrange against the generic attack files
 > which may follow?

Are you saying that the file BAT2EXEC.ZIP is the culprit??  You didn't make 
yourself too clear.  I've recently received a file on my BBS called 
BAT2EX12.ZIP, but only scanned it for viruses and CRC errors.  Thanks.


--- TosScan 1.00
 * Origin: On A Clear Disk You Can Seek Forever! (1:260/212)




Msg#:18864 *Virus Info*
10-05-90 06:42:00 (Read 4 Times)
From: PETE  MCDONOUGH
  To: ALL
Subj: VIRUS IN HARDWARE?
Hi!
I'm new here and had a question.
Is it possible for a virus to enter the computer system and remain there when 
the system is shut down for the night, and resurface when the IBM/clone system 
is turned on in the morning?
Background:  We have had viruses at a local college in the computer labs, in 
the Macintosh and clone computers.  We turn the computer off for ten seconds to
dump any virus in the memory.  Then we turn the computer back on.  One of the 
lab techs said it might be possible for a virus to stay in the system even if 
turned on and then off.
--- FD 1.99c via RA 0.04a [RT] 
 * Origin: Sirus System BBS, Citrus Heights CA (916)725-8578 (1:0/0)




Msg#:19510 *Virus Info*
10-04-90 14:05:00 (Read 4 Times)
From: CHARLES HANNUM
  To: REINHARDT MUELLER
Subj: REPLY TO MSG# 17762 (RE: VIRUS SCANNERS....)
 > NO!!  Your system won't get infected unless you RUN one of those
 > infected .COM or .EXE files.  A virus can only do its thing
 > if it is executed.  Reading it isn't enough.

WARNING:  This information not applicable to the Macintosh or the NeXT.

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#:19511 *Virus Info*
10-06-90 03:24:00 (Read 4 Times)
From: CHARLES HANNUM
  To: JERRY MASEFIELD
Subj: RE: VIRUS - TROJANS FOR EVERYO
 > Are you saying that the file BAT2EXEC.ZIP is the culprit??  You
 > didn't make yourself too clear.  I've recently received a file on my
 > BBS called BAT2EX12.ZIP, but only scanned it for viruses and CRC
 > errors.  Thanks.

No way!  BAT2EXEC is as clean as a fresh condom!  (Well, we are talking about


--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#:19512 *Virus Info*
10-06-90 20:40:00 (Read 4 Times)
From: PHILLIP LAIRD
  To: ALL
Subj: ARTICLE IN BEAUMONT ENTERPRISE
Quoting an Article which appeared in the Beaumont Enterprise on Saturday, 
October 6, 1990 from the Associated Press:
______________________________
ASSOCIATED PRESS
______________________________
NEW VIRUSES INFECT COMPUTERS

DALLAS - Computer Viruses, once perceived as contagious only through shared 
programming or electronic "bulletin boards," have wormed their way into brand 
new equipment purchased from reputable companies.
  In one incident earlier this year, workers at an Eveleth, Minn., company were
surprised when their computers suddenly began flashing the message: "Your 
system has been stoned."  The virus, which didn't destroy any data, was traced 
back to software in brand new modems, the devices that hook computers to 
telephone lines.
  Computer Viruses have been around for several years and there seem to have 
been several widely publicized infections.  But only recently have viruses 
begun to be reported in new equipment, and computer manufacturers are reluctant
to discuss the situation, fearing even a hint of contamination could torpedo 
sales.
  "A year ago we had nothing like this.  Now, it's almost an everyday 
occurrence," said John McAfee, Chairman of the Computer Virus Industry 
Association in Santa Clara, Calif.
  "Yes it has happened," said Winn Schwartau, president of American Security 
Industries, Inc., a Nashville, Tenn. consulting firm.  "And the possibility of it
occurring on a larger scale is all too great and unfortunately it is 
unrecognized."
  In the modem case, the virus was quickly discovered and narrowly contained, 
said John Pope, spokesman for CompuAdd, Corp., an Austin-based computer 
retailer and mail-order house that sold the infected modems.

-=- END -=-

I don't agree with the wording that viruses were spread through "electronic 
Bulletin Boards" in the second line.  My understanding is that a virus is a 
replicating code within a computer program or set of instructions, and that 
would mean running the code or program.

However, it is highly possible that the ROM of the modem could have contained 
the Viral Code to send that message to the screen.  It is not my belief, 
however that the modem ROM could actually write to the drives, just issue 
interrupt requests, which are then interpreted by the command$ spec within the 
computer system.  Again, not a virus, but a simple (or complex) Trojan.  And 
since most modems operate at interrupt 14, that would be logical for me not to 
be frightened of such things happening.  I really think that the press should 
be more responsible in their articles.

--- TAGMAIL v2.40
 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49)




Msg#:19513 *Virus Info*
10-05-90 18:55:00 (Read 4 Times)
From: PHILLIP LAIRD
  To: PAUL LOEBER
Subj: REPLY TO MSG# 17761 (RE: STONED AND JOSHI VIRUSES)
Paul, I have the Clean Diskette by McAfee.  Also, several other good programs 
from his Board such as Vshield, Scan, Vcopy, Checkout11 and several other 
programs I downloaded from his BBS.  If you like, just reply to me and I will 
stick them all on a 1.2MB Floppy Diskette and Mail them TO Randy Goebal at his 
Address.  He can then get them to you, or better yet, just netmail me at 19/49 
and tell me where to send the diskettes.  I don't know about the JOSHI, because
I have never been confronted with it, but the Stoned and Stoned II Virus is bad
at the University where I work.  So, ScanV66B.ZIP works to identify and 
CleanP66.ZIP will remove both of them, or Use M-Disk.ZIP, which again is on my 
Board for Download.  The Stoned Virus appears to infect the FAT Tables of the 
Hard Drives there and eventually, the drives have to be low-leveled and 
re-formatted.

--- TAGMAIL v2.40
 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49)




Msg#:19514 *Virus Info*
10-05-90 09:30:00 (Read 4 Times)
From: PAUL LOEBER
  To: MIKE MCCUNE
Subj: REPLY TO MSG# 19513 (RE: STONED AND JOSHI VIRUSES)

 >In a message dated September 22, you stated that several people 
 >you know were looking for removers for the Stoned and Joshi 
 >viruses. I posted removers for both of these viruses on this 
 >echo several weeks ago. If you can't find them, I will repost 
 >them. The postings were assembler source codes; if you need 
 >executable files, leave me a number where I can call you....<MM>.


Thanks for the offer, but I don't need the cures.  I was merely telling someone
who stated viruses were overrated and that he had never seen any that I knew of
a couple of cases where my friends and co-workers had been hit.  As far as I 
know, the latest version of SCAN and CLEAN took care of them.

--- TAGMAIL v2.30
 * Origin: Downriver Download (1:120/137)




Msg#:19517 *Virus Info*
10-05-90 21:38:00 (Read 5 Times)
From: PATRICIA HOFFMAN
  To: ALL
Subj: VSUM OCTOBER 1990 RELEASE

The October 1990 Version of the Virus Information Summary List is now
available for download and file request as VSUM9010.ZIP.  It is also being sent
out thru VIRUSINF and submitted to SDS.  The following new viruses have
been added with this release:

1605
Black Monday
Blood & Blood2
Burger
Casper
Christmas In Japan
Invader
Kamikazi
Nomenklatura
Number One
Scott's Valley
Stoned II
SVir (SVir A & SVir B)
Westwood
Whale
V2P2
V2P6
V2P6Z
Violator
Wisconsin

There were also several variants to previously listed viruses which were
added.  Five anti-viral products were updated in the listing:

CleanUp for version V67
Dr. Solomon's Anti-Viral Toolkit to version 3.5
F-Prot for version 1.12
VirexPC for version 1.1B
ViruScan for version V67

New descriptions for Virus-90 and Virus101 which were submitted by Patrick
Toulme did not make it into this version, they will be in the early
November 1990 release of the listing.  My apologies to Patrick.

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:19518 *Virus Info*
10-05-90 21:37:00 (Read 5 Times)
From: PATRICIA HOFFMAN
  To: ALL
Subj: SCANV67 RELEASED

The ViruScan program line from McAfee Associates was released this evening
and is available for download and file request.  As usual, these programs will 
be sent out thru the VIRUSINF file echo and submitted to SDS this evening. 
Four of the five programs in this series have new versions:

ViruScan V67 - SCANV67.ZIP
CleanUp  V67 - CLEANP67.ZIP
NetScan  V67 - NETSCN67.ZIP
VShield  V67 - VSHLD67.ZIP

The VCopy program was not released as a V67, so the current version remains
V66B, and is downloadable as VCOPY66B.ZIP.

New viruses now detectable by Scan are: Casper, 1605, Violator, Blood2,
Wisconsin, Christmas In Japan, Burger, Leprosy-B, Whale, Invader, Scott's
Valley, Black Monday, and Nomenklatura/Nomenclature.  Also added with this
release is an extinct switch: Scan will no longer automatically check for
viruses which either are research viruses or have not been reported in the
public domain for over 1 year.  Please see the documentation for details.

CleanUp has added disinfectors for Whale, Invader, Slow, and EDV.

VShield now has a new feature to check the validate codes which Scan can
add to files.  Again, please check the documentation.

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:19519 *Virus Info*
10-06-90 09:14:00 (Read 4 Times)
From: CHUCK FAIRCHILD
  To: PETE  MCDONOUGH
Subj: REPLY TO MSG# 18864 (VIRUS IN HARDWARE?)
     Mac viruses appear to infect everything.  You must run VIREX, because 
these viruses infect every single disk that comes in contact with the machine, 
and contaminated data disks re-infect the system.

--- via TComm XRS 3.1+DV (286)
 * Origin: FlowerChild BBS (202)364-9463 (TComm 1:109/519.18)




Msg#:19520 *Virus Info*
10-06-90 17:21:00 (Read 6 Times)
From: JAMES KLASSEN
  To: PETE  MCDONOUGH
Subj: REPLY TO MSG# 19519 (VIRUS IN HARDWARE?)
In a message to All <05 Oct 90  6:42:00> Pete  Mcdonough wrote:
 Pe> Is it possible for a virus to enter the computer system and remain
 Pe> there when the system is shut down for the night, and resurface when
 Pe> the IBM/clone system is turned on in the morning?

Definitely. In fact, very few virii stay in memory only. Nearly ALL virii write
themselves to disk (usually to COM or EXE files and some in OVL files as well).
After a cold reboot, the virus is USUALLY cleared from memory (I've never heard
of it still being there, but.....).   They can get into memory though during
Bootup through various ways, so your best bet if you THINK you have a
virus is to do a cold reboot from your ORIGINAL DOS disk and then use a virus
checker (Scan is one of the best) on your hard drive and ALL of your floppies.
Also make sure you put a w/p tab on your virus checking disk as soon as you get
it so it doesn't get infected. I find that making a bootable disk and putting
SCAN on it in the autoexec file and then putting a w/p on it is pretty easy to do.

 
     Try not to worry TOO MUCH about getting one but do take a reasonable 
amount of checking. 
--- XRS! 3.40
 * Origin: Have a nice day, or I'll kill you! (RAX 1:275/3.4)




Msg#:20555 *Virus Info*
10-14-90 10:20:00 (Read 3 Times)
From: PHILLIP LAIRD
  To: CHARLES HANNUM
Subj: RE: STERILAB

 >(Besides, by posting this I've ruined my marketing potential 
 >anyway, since
 >some other enterprising soul will probably write it first.)
 >
 >
 >I hereby name this concept "SteriLab" and donate this title 
 >to the public
 >domain, mainly to prevent anyone claiming it as their own.
 >
 >--- ZMailQ 1.12 (QuickBBS)
 > * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)

That is a good idea, Charles. I have a program similar to that at the 
University I work at in Texas.  The students/or other users must go through a 
"corridor" to get into the lab.  They must turn over all disks to be scanned by
the Lab Clerk.  If a virus is found, the student is informed and the disk is
usually cleaned first.  If that works, we still recommend that they format the 
disk over to be sure.  Then, when they stick their disk in the computers in the
lab, we also perform another test which I wrote - but it is not a TSR program. 
The hard drive is securely protected and will not allow access to DOS or an 
application program until the disk passes.  That way, we cut down on the 
chances of infection.

The main problem I have found is Computer Technicians that do NOT know about
viruses or just flatly refuse to recognize the problems and do not scan their
diagnostic disks.  They are the worst carriers.  They pick up a virus, then go
diagnose someone else's system and spread it.  A local area Retailer is one who
refuses to recognize the problem and has spread many Jerusalem B headaches....

But you have a good idea!  Wanna work on it?  How about Turbo C or just Quick 
Basic would work...  Would be glad to help you out as long as it will remain 
"Militantly Public Domain".

--- TAGMAIL v2.41
 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49)




Msg#:20556 *Virus Info*
10-14-90 16:28:00 (Read 3 Times)
From: ERIC JACKSCH
  To: ALL
Subj: DOCUMENTING VIRUS HITS
I'm currently involved in research on the topic of data security in companies 
using MS-DOS based machines.  If anyone has first hand knowledge of:

- a commercial site being infected by a virus,
- data losses due to hard drive crash(es),
- malicious damage by employees,
- unauthorized access to data stored on PC's, or
- other incidents involving serious data loss or security related issues,

I would greatly appreciate hearing from you, preferably via netmail to 
1:163/111.  (High speed systems, please feel free to route via 1:163/131 14.4 
HST).

Thanks in advance,
Eric Jacksch
Sysop 1:163/111

--- FD 1.99c
 * Origin: Insomniacs' Guild  *** Nepean, Ontario, Canada *** (1:163/111)




Msg#:20557 *Virus Info*
10-12-90 22:12:00 (Read 3 Times)
From: TOM PREECE
  To: PAUL FERGUSON
Subj: RE: VIRUS - TORJANS FOR EVERYONE.
Sorry I can't specifically recall the original.  I was asked before this last 
response if a file was "safe".  I couldn't know.  I believed it was. What does 
it matter what the file was since you should take your own precautions?
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#:20558 *Virus Info*
10-13-90 22:29:00 (Read 3 Times)
From: ICE WOLF
  To: KEN JONES
Subj: REPLY TO MSG# 17764 (RE: NARROW VIEW)

 >A scan of the drive said it had a Jerusalem B virus, 2 days 
 >later a friend called and asked what was the best way of removing 
 >the Jerusalem B virus. This was a different system completely
 >some 40 miles away. Then to top it off 2 sysops in the area 
 >San Francisco
 >Fairfield
 >Oakland
 >San Leandro
 
Add a town to your list: I just got off the phone from Lake Tahoe with an old 
boss of mine that runs a computer shop. He says that for the last week he's 
been run ragged stomping out Jerusalem B. He told me that a scanner called Scan
66 works real well against it. He also told me where I could get that scanner. 
I haven't called this BBS yet, so I don't know for sure, but he said that 
Lightning Systems at (702)588-0315 has it. WARNING!!!: That BBS is IN Lake 
Tahoe where the virus is still around. Do NOT download anything from there 
except Scan 66. Or, if you do, at least scan it before running it!
 
Marshall Gatten
(Any mail to me should be to Ice Wolf)


--- TAGMAIL v2.41
 * Origin: Rialto BBS - Rialto California - (714) 820-3444 (1:207/204)




Msg#:20559 *Virus Info*
10-13-90 22:44:00 (Read 3 Times)
From: ICE WOLF
  To: ALL
Subj: TROJAN
I've been monitoring this echo for a while, and I have a question: I've dealt 
with viruses before (yes, they were viruses; not just programming bugs), but I 
have never heard the term 'Trojan' except in passing. What exactly is a Trojan 
and how does it differ from a virus? Or, are the two words just synonyms?
 
Thanx!
Marshall Gatten
(Mail should be addressed to Ice Wolf, thanx!)


--- TAGMAIL v2.41
 * Origin: Rialto BBS - Rialto California - (714) 820-3444 (1:207/204)




Msg#:20560 *Virus Info*
10-13-90 23:04:00 (Read 3 Times)
From: ICE WOLF
  To: ALAN DAWSON
Subj: REPLY TO MSG# 17765 (RE: VIRUS - TROJANS FOR EVERYONE.)

 >The only 
 >defense would be to stop your computer from doing anything 
 >at all.
 
I once spoke with a person who ran a BBS and said he had a 'fool-proof' 
protection from anything (I don't know if he's trustworthy, but here's his 
idea): He put a physical switch on the cables to his hard drives. He would copy
a suspected file into a RamDrive and then shut off his drives. He'd run the 
program in RAM and see what happened. That way, no writes were possible.
 
How possible is it that this would work? It seems like you'd have to 
reconfigure your whole system after shutting off the drives, which would 
include a power-down, which would wipe out RAM???
 
Marshall Gatten


--- TAGMAIL v2.41
 * Origin: Rialto BBS - Rialto California - (714) 820-3444 (1:207/204)




Msg#:20561 *Virus Info*
10-15-90 13:57:00 (Read 3 Times)
From: CHARLES HANNUM
  To: ALL
Subj: "CLEAN, UNINFECTED DISK"
How many times have you heard this?

"Just boot from a clean, uninfected disk and run SCAN."

This is an interesting idea.  It might even work.  However, how can you be
*sure* your original copy of DOS isn't infected?  Or SCAN?  Or your comm.
package?  Or your dearchiver?


"Just because I'm paranoid doesn't mean they're not *really* out to get me!"

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#:20562 *Virus Info*
10-12-90 10:41:00 (Read 3 Times)
From: YASHA KIDA
  To: PATRICIA HOFFMAN
Subj: UNIX UU-NET VIRUS ECHO
Pat, is there a UNIX/XENIX version of the VIRUS_INFO...
If so, whom can I contact or what is the focal point?

Reason for asking: I now have the ability to tap UU-NET and others via 9600 
links.




--- msged 1.99S ZTC
 * Origin: Bragg IDBS, (82nd - The hole in SADDAMS PLAN) (1:151/305)




Msg#:20563 *Virus Info*
10-13-90 19:41:00 (Read 3 Times)
From: REINHARDT MUELLER
  To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 19510 (VIRUS SCANNERS....)
In a message to Satyr Daze <09 Oct 90 21:55:00> Tom Smith @ 930/1 wrote:

 TS> Makes you wonder, doesn't it?  What could these people, like most
 TS> mentally-deficient criminals, actually do if they tried to be
 TS> productive?? 

Now _there's_ double-entendre for ya!  :)

A.  What could these people do if they worked hard at doing 
    something _good_.

    or <shudder!>

B.  You mean these virus-writers haven't even _begun_
    to work hard at their dastardly deeds?  Sure
    seems like they've started to in the past year!  :-(






--- [MicrStar] via TComm XRS 3.1
 * Origin: Why buy shampoo when real poo is still free? (TComm 1:343/17.1)




Msg#:20564 *Virus Info*
10-15-90 21:01:00 (Read 3 Times)
From: PAUL FERGUSON
  To: TOM PREECE
Subj: REPLY TO MSG# 20557 (RE: VIRUS - TORJANS FOR EVERYONE.)
TP>Sorry I can't specifically recall the original.  I was asked
TP>before this last response if a file was "safe".  I couldn't
TP>know.  I believed it was. What does it matter what the file
TP>was since you should take your own precautions?
TP>--- TBBS v2.1/NM
TP> * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 
TP>(1:161/208)
 
Good point, Tom, and well taken. I =do= take my own precautions, but thought 
that the rest of the participants in the echo would like to follow the train of
thought. 
 
Ciao.
 
-Paul
--- 
 * Origin: Sentry Net BBS C'Ville VA (1:109/229)




Msg#:20565 *Virus Info*
10-15-90 21:13:00 (Read 3 Times)
From: PAUL FERGUSON
  To: SATYR DAZE
Subj: REPLY TO MSG# 20563 (RE: VIRUS SCANNERS....)
 * Replying to a message originally to Tom Smith @ 930/1
SD> 
SD>Well with more and more systems being produced overseas in
SD>build-em/ship-em out quick companies anything is possible.
SD>But luckily not probable, while someone might infect a system
SD>that way, the company would hopefully be aware of it and do
SD>something before it got out of hand.
SD> 
SD>While with the proliferation of Shareware and BBS's, an
SD>infected program that looks like it may be useful or at least
SD>moderately entertaining, you could actually infect sizable
SD>portions of the community.  With new infections popping up as
SD>people share them.
SD> 
SD>I myself was infected about a month and a half ago with the
SD>Stoned virus from a BBS that had failed to check its upload,
SD>and unfortunately the individual who uploaded it was too
SD>interested in running the program versus checking it ...
SD>because it came from a reputable BBS.  Very Catch-22.
SD>Ultimate responsibility falls on the user, because ultimately
SD>it's our Butts that get fried.
SD> 
SD>From my understanding the people who write these programs
SD>aren't Geniuses by any scope.  Anyone can write a Virus
SD>program, all it takes is the know-how -- something easily
SD>gained in today's information Society.
SD>I feel sorry for them, they feel this is the only way to
SD>convey their angry and hurt feelings about society or
SD>themselves.
SD> 
SD>They are nothing short of Terrorists.
SD> 
SD>                                           The Satyr Daze
SD>--- TBBS v2.1/NM
SD> * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748 
SD>(1:135/2)
 
Satyr,
  I believe that you are mistaken. Virtually the only way to spread STONED is
through direct disk access (i.e. copying files, formatting diskettes....). STONED
is a Boot sector infector and will only spread in that fashion. It does not
attach itself to any executables but instead resides in the partition table. I 
agree with your sentiment wholeheartedly, but I do not think that the BBS is to
blame. (Gosh, we BBSs get all the blame!). 
 
-Paul
--- 
 * Origin: Sentry Net BBS C'Ville VA (1:109/229)




Msg#:20566 *Virus Info*
10-15-90 21:48:00 (Read 3 Times)
From: PAUL FERGUSON
  To: DANIEL KALCHEV
Subj: PHOENIX VARIANTS
 * Replying to a message originally to Vesselin Bontchev
DK>In a message of <Oct 09 22:54> Vesselin Bontchev
DK>(2:359/101.2) writes:
DK>  VB> EID:f650 1549b6c0
DK>  VB> MSGID: 2:359/101.2 2712a435
DK>  VB> REPLY: 2:359/1.1 270ff27e
DK>  VB> In a message to Vesselin Bontchev <07 Oct 90 20:26:00> Daniel Kalchev 
DK>  VB> wrote:
DK>
DK> DK> By the way, I am passing a question from Dark Avenger to you: "Do
DK> DK> you discover ALL the variants of Phoenix virus?"
DK>
DK>  VB> Why didn't he ask the questions himself? He has access even to this
DK>  VB> echo... Anyway, what does the question mean exactly? Currently I 
DK>
DK>I think he even has your phone, but... :-)
DK>
DK>  VB> If DA really wants to make my life a bit more difficult, he has to 
DK>  VB> obtain a copy of the 1260 virus and to study it carefully; or to 
DK>  VB> contact the author of AntiPascal/Terror/Tiny viruses and have a long 
DK>  VB> speech with him; or go to CINTI and dig some journals on computer
DK>  VB> security and data encryption. His current encryption algorithms are
DK>  VB> only childish games.
DK>
DK>Come on, Vesselin, don't you think you're giving him some
DK>dangerous pointers? We don't need Tiny-Phoenix, IMHO!
DK>
DK> DK> Think, really think about it. ;-)
DK>
DK>  VB> Well, if you have any doubts, tell him to upload any Phoenix variant 
DK>  VB> and test my program CleanUp (that I left you for beta test) on it.
DK>
DK>CleanUp works, with the known viruses though. :-)
DK>
DK>Regards from Varna,
DK>Daniel
DK>
DK>--- msged 2.00
DK> * Origin: Danbo's Cave  (2:359/1.1)
 
Sorry, Daniel. Some of the original quote did not wrap the way I thought it would
but that is beside the point.
  Your message and dialogue with Vess only reinforces the need for multilayered
protection schemes, not relying upon only one.
 
Salutations from Washington, DC
-Paul
--- 
 * Origin: Sentry Net BBS C'Ville VA (1:109/229)




Msg#:20567 *Virus Info*
10-15-90 21:53:00 (Read 3 Times)
From: PAUL FERGUSON
  To: RICHARD ENTWISTLE
Subj: RE: VALIDATE AND CLEANP66
 * Replying to a message originally to Justin Keen
RE> JK> What's the problem?  It may be nothing but the VALIDATE.COM program I 
RE> JK> decompressed from the CLEANP66.ZIP package does not validate
RE>correctly! 
RE> JK> Details are:
RE> JK>  
RE>Well here I am again.  Hope I have not startled too many
RE>people with the original message, but I did not expect it to
RE>echo just yet.  I have had time now to look further into the
RE>validate.com difference and all it turns out to be is the
RE>wrong file length byte number (6,945 instead of 6,485 bytes). 
RE>By editing the file length number and running a file compare
RE>shows identical files.  I have looked through myself sector
RE>by sector to be absolutely sure.
RE>  
RE>So, the problem is that the validate.com I got from the
RE>cleanp66.zip pack had an error in file size number only!  
RE>Just how it got there, who knows - it must have slipped
RE>through a file transfer error check somewhere.
RE>  
RE>Relax for now then - but maintain the vigilance of course.
RE>  
RE>Bye...
RE>
RE>
RE>--- Maximus-CBCS v1.02
RE> * Origin: Hong Kong PC User Group Software Library (3:700/8)
 
Patti Hoffman has suggested that perhaps the SCAN /AV option may have been used
to add validation codes to the VALIDATE program....Well, I have not had the 
opportunity to look into this as yet (very busy), but I have copies of VALIDATE
that measure up to the file sizes you mentioned =and= another that is another 
10 bytes larger! I will sit down, perhaps tomorrow and dig a little deeper....
10 bytes at a time, Hmmmm.....
 
Ciao.
-Paul
--- 
 * Origin: Sentry Net BBS C'Ville VA (1:109/229)




Msg#:20568 *Virus Info*
10-15-90 22:22:00 (Read 3 Times)
From: PAUL FERGUSON
  To: ERIC JACKSCH
Subj: REPLY TO MSG# 20556 (DOCUMENTING VIRUS HITS)
 * Replying to a message originally to all
EJ>I'm currently involved in research on the topic of data
EJ>security in companies using MS-DOS based machines.  If anyone
EJ>has first hand knowledge of:
EJ>
EJ>- a commercial site being infected by a virus,
EJ>- data losses due to hard drive crash(es),
EJ>- malicious damage by employees,
EJ>- unauthorized access to data stored on PC's, or
EJ>- other incidents involving serious data loss or security
EJ>related issues,
EJ>
EJ>I would greatly appreciate hearing from you, preferably via
EJ>netmail to 1:163/111.  (High speed systems, please feel free
EJ>to route via 1:163/131 14.4 HST).
EJ>
EJ>Thanks in advance,
EJ>Eric Jacksch
EJ>Sysop 1:163/111
EJ>
EJ>--- FD 1.99c
EJ> * Origin: Insomniacs' Guild  *** Nepean, Ontario, Canada ***
EJ>(1:163/111)
 
Look for NetMail, Eric. <grin> Glad to help you in any way I can.
 
Greetings from Capitol Hill
-Paul
--- 
 * Origin: Sentry Net BBS C'Ville VA (1:109/229)




Msg#:20569 *Virus Info*
10-15-90 22:32:00 (Read 3 Times)
From: PAUL FERGUSON
  To: ICE WOLF
Subj: UPDATED VERSIONS
 * Replying to a message originally to Ken Jones
IW>** Quoting Ken Jones to Ron Lauzon **
IW> >A scan of the drive said it had a Jerusalem B virus, 2 days 
IW> >later a friend called and asked what was the best way of removing 
IW> >the Jerusalem B virus. This was a different system completely
IW> >some 40 miles away. Then to top it off 2 sysops in the area 
IW> >San Francisco
IW> >Fairfield
IW> >Oakland
IW> >San Leandro
IW> 
IW>Add a town to your list: I just got off the phone from Lake
IW>Tahoe with an old boss of mine that runs a computer shop. He
IW>says that for the last week he's been run ragged stomping out
IW>Jerusalem B. He told me that a scanner called Scan 66 works
IW>real well against it. He also told me where I could get that
IW>scanner. I haven't called this BBS yet, so I don't know for
IW>sure, but he said that Lightning Systems at (702)588-0315 has
IW>it. WARNING!!!: That BBS is IN Lake Tahoe where the virus is
IW>still around. Do NOT download anything from there except Scan
IW>66. Or, if you do, at least scan it before running it!
IW> 
IW>Marshall Gatten
IW>(Any mail to me should be to Ice Wolf)
IW>
IW>
IW>--- TAGMAIL v2.41
IW> * Origin: Rialto BBS - Rialto California - (714) 820-3444
IW>(1:207/204)
 
Hello, "Ice"....
   My suggestion to you (and anyone else, actually) is to rely on the Author's 
board for a "clean" copy of the program. The latest version of ViruScan 
(SCANVxx) is version 67 B (a minor bug fix to version 67)....John McAfee and 
the Home base crew are very attentive to detail. The next release is 
tentatively scheduled for November 25th (I believe). There are some =rules= 
though, when it comes to scanning/disinfecting and the documentation should be 
read in entirety. Hope this helps. I would post the BBS # but I think that 
would be a =little= commercial.
 
Ciao from DC...
-Paul
--- 
 * Origin: Sentry Net BBS C'Ville VA (1:109/229)




Msg#:20570 *Virus Info*
10-15-90 22:38:00 (Read 3 Times)
From: PAUL FERGUSON
  To: ICE WOLF
Subj: REPLY TO MSG# 20559 (TROJAN)
 * Replying to a message originally to All
IW>I've been monitoring this echo for a while, and I have a
IW>question: I've dealt with viruses before (yes, they were
IW>viruses; not just programming bugs), but I have never heard
IW>the term 'Trojan' except in passing. What exactly is a Trojan
IW>and how does it differ from a virus? Or, are the two words
IW>just synonyms?
IW> 
IW>Thanx!
IW>Marshall Gatten
IW>(Mail should be addressed to Ice Wolf, thanx!)
IW>
IW>
IW>--- TAGMAIL v2.41
IW> * Origin: Rialto BBS - Rialto California - (714) 820-3444
IW>(1:207/204)
 
Remember the terrible (or perhaps it was great, I can't remember which) story 
of the Trojan War and the Trojan Horse...Well, that is what a Trojan Horse 
program produces. Something quite undesirable, like formatting all of your
sectors to dust. A virus, on the other hand, can replicate, attach itself to a
"host" and, for whatever you can imagine, have any number of "triggers" to become
destructive. The best advice that I can give is to get ahold of a copy of Patti
Hoffman's "Virus Information Summary List" which is produced monthly. This is 
an invaluable document for reference purposes.
 
-Paul
--- 
 * Origin: Sentry Net BBS C'Ville VA (1:109/229)




Msg#:20571 *Virus Info*
10-16-90 11:54:00 (Read 3 Times)
From: CHARLES HANNUM
  To: RICHARD ENTWISTLE
Subj: REPLY TO MSG# 20567 (RE: VALIDATE AND CLEANP66)
 > Well here I am again.  Hope I have not startled too many people with
 > the original message, but I did not expect it to echo just yet.  I
 > have had time now to look further into the validate.com difference
 > and all it turns out to be is the wrong file length byte number
 > (6,945 instead of 6,485 bytes).  By editing the file length number
 > and running a file compare shows identical files.  I have looked
 > through myself sector by sector to be absolutely sure.
 > So, the problem is that the validate.com I got from the cleanp66.zip
 > pack had an error in file size number only!   Just how it got there,
 > who knows - it must have slipped through a file transfer error check
 > somewhere.

That's probably the 10-byte validation code...

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)
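
The size-mismatch triage discussed in this exchange (same program, different lengths, possibly a short code appended to the end), as an added example that is not part of the original messages. The function name and the sample bytes are constructed for illustration, and nothing is assumed about the layout of a real validation code.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Verdict:
    kind: str           # "identical", "appended", "truncated" or "modified"
    first_diff: int     # offset of the first differing byte, -1 if none
    extra: bytes        # bytes found only at the end of the candidate
    shared_sha256: str  # hash of the leading bytes both files agree on


def triage(reference: bytes, candidate: bytes) -> Verdict:
    """Classify how a candidate file differs from a trusted reference copy."""
    common = min(len(reference), len(candidate))
    first_diff = next(
        (i for i in range(common) if reference[i] != candidate[i]), -1
    )
    agreed = common if first_diff == -1 else first_diff
    digest = hashlib.sha256(reference[:agreed]).hexdigest()

    if first_diff != -1:
        # A changed byte inside the shared range is never explained by
        # something being appended, whatever the size difference is.
        return Verdict("modified", first_diff, b"", digest)
    if len(candidate) == len(reference):
        return Verdict("identical", -1, b"", digest)
    if len(candidate) > len(reference):
        return Verdict("appended", -1, candidate[len(reference):], digest)
    return Verdict("truncated", -1, b"", digest)


# Constructed sample data (not real program bytes).
REFERENCE = bytes(range(256)) * 4                     # 1,024-byte stand-in
WITH_CODE = REFERENCE + b"\xa5" * 10                  # 10 bytes appended
PATCHED = REFERENCE[:3] + b"\xff" + REFERENCE[4:] + b"\xa5" * 10

if __name__ == "__main__":
    for name, blob in [("with_code", WITH_CODE), ("patched", PATCHED)]:
        v = triage(REFERENCE, blob)
        print(name, v.kind, v.first_diff, len(v.extra))
```

Both samples are 10 bytes longer than the reference, but only the first is reported as appended; the second has a changed byte at offset 3 and is reported as modified.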




Msg#:20572 *Virus Info*
10-16-90 13:20:00 (Read 3 Times)
From: CHARLES HANNUM
  To: ICE WOLF
Subj: REPLY TO MSG# 20570 (RE: TROJAN)
 > I've been monitoring this echo for a while, and I have a question:
 > I've dealt with viruses before (yes, they were viruses; not just
 > programming bugs), but I have never heard the term 'Trojan' except
 > in passing. What exactly is a Trojan and how does it differ from a
 > virus? Or, are the two words just synonyms?


A "Trojan Horse" is a referral to an ancient Greek myth of a large wooden
horse that was given to the city of Troy.  The Trojans brought the horse into
the city, to discover later that enemy soldiers were hiding inside.  The
soldiers proceeded to flatten the city.

A "Trojan Horse" program is similar.  It's a program that damages your
computer in some way.  Usually, a Trojan Horse does its damage once, whereas
a virus may infect other programs and repeatedly destroy things.

Any program could be a Trojan Horse; there's simply no sure-fire way of
detecting them.  A simple way to write one would be:


  char junk[20000] = {'\0'};            // give it a realistic file size

  int
  main(void)
  {
    system( "echo y | format c:" );     // do some damage
    puts( "Nyah, nyah!!" );             // brag about it
  }


Then claim that it's a telecommunications package or something.  These types
of Trojans are usually detected fairly quickly, as anyone who gets a copy
pretty much knows what did it.

It's those hidden little time-bombs that could be lurking ANYWHERE that are
the problem.

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#:20573 *Virus Info*
10-14-90 23:41:00 (Read 3 Times)
From: VINSON NICHOLS
  To: PAUL FERGUSON
Subj: RE: DOES
 PF>  * Replying to a message originally to All
OS>>Quoted from message by Dark Avenger 11-Oct-1990 02:16:39 :
OS>>
OS>>>  WP> does anyone know how to make a virus???????
OS>>>
OS>>> Yes, I know. If you want to make a virus for PC first you have to
OS>>> learn assembly language. If you already have done that then you
OS>>> have to study the listing of some existing virus. If you don't
OS>>> have such a listing, give me your post address and I will send you
OS>>> one via snail mail. If you want to ask me something else, call
OS>>> +xxx-xx-xxxxxx and leave me a message there.
OS>>
OS>>Allright, then. This conference has turned into being a place
OS>>where sick people can teach each other how to make viruses
OS>>and destroy innocent people's hard work.
OS>>
OS>>Messages like this should be deleted...! Makes me wanna throw
OS>>up...
OS>>
OS>>>:-C Oeyvind
OS>>     ~~~~~~~
OS>>
OS>>--- msged 1.99L TC (Norsk)
OS>> * Origin: SunPoint On Johnny's (Bergen, Norway)
OS>>(2:502/502.1)
 PF>
 PF> Yes, it is quite disturbing that DAV sees fit to spread his sick
 PF> influence. Should not be allowed to happen. Perhaps if he saw
 PF> fit to refrain from such practices and =contribute= something
 PF> valuable instead, we could all rest a little easier.
 PF>
 PF> Greetings from Washington, DC
 PF> -Paul
 PF> ---
 PF>  * Origin: Sentry Net BBS C'Ville VA (1:109/229)

Ok. If more people understood how viruses worked then more people
would not get in trouble with them. There are some real good things
about viruses when it comes to being able to program one. I have
written 2 so far, and of course destroyed them. What they do is teach
you more  about how the config.sys and the command com works. Also
how to deal with tagging into exe files, and harddrives.
The above message is very upsetting to me as a novice programmer.
A computer's main reason is to share information, not restrict it. Now
what you are telling me is that you would like to restrict what people
can learn and what they can create. What are we doing, going back to some
sort of computer dark ages?   Vinson

--- via Silver Xpress V2.27 [NR]


--- QM v1.00
 * Origin: The  F e d e r a l  Post  -{*}-  Fayetteville, NC (1:151/301.0)




Msg#:20574 *Virus Info*
10-14-90 23:45:00 (Read 3 Times)
From: VINSON NICHOLS
  To: PAUL FERGUSON
Subj: RE: DOES ANYONE KNOW HOW TO MAKE
Isn't it funny that there are companies that profit from viruses? Seems that
for every new one that hits, one of the companies a few weeks later offers
a fix.??? Vinson


--- via Silver Xpress V2.27 [NR]


--- QM v1.00
 * Origin: The  F e d e r a l  Post  -{*}-  Fayetteville, NC (1:151/301.0)




Msg#:20575 *Virus Info*
10-16-90 18:44:00 (Read 3 Times)
From: PAUL FERGUSON
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 20561 ("CLEAN, UNINFECTED DISK")
 * Replying to a message originally to All
CH>How many times have you heard this?
CH>
CH>"Just boot from a clean, uninfected disk and run SCAN."
CH>
CH>This is an interesting idea.  It might even work.  However,
CH>how can you be
CH>*sure* your original copy of DOS isn't infected?  Or SCAN? 
CH>Or your comm.
CH>package?  Or your dearchiver?
CH>
CH>
CH>"Just because I'm paranoid doesn't mean they're not *really*
CH>out to get me!"
CH>
CH>--- ZMailQ 1.12 (QuickBBS)
CH> * Origin: The Allied Group BBS *HST* Buffett's Buddy
CH>(1:268/108.0)
 
Hello, Charles....
   If you take the precautionary measures that use multi-layered defenses, then
you will catch it eventually. It also doesn't hurt to download the Virus 
Detection utility from the author's board. <grin>
 
Later....
-Paul
--- 
 * Origin: Sentry Net BBS C'Ville VA (1:109/229)




Msg#:20576 *Virus Info*
10-16-90 20:55:00 (Read 4 Times)
From: DUANE BROWN
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 20555 (STERILAB)
 CH>All disks must be "checked-in."  This process involves
 CH>scanning the disk for
 CH>known viruses (even, and especially, in archive files), and
 CH>then coding the
 CH>boot sector and FAT in such a way that the disk would be
 CH>unusable in a normal
 CH>DOS environment.

Would you want to be responsible for the wrath of someone who lost their WHOLE 
FAT TABLE with their term paper if something went wrong with this 
encoding/decoding process???????? Even Norton's wouldn't work if the FAT, etc.
was scrambled in such a process...

Think about it... it may be secure, but a computer lab is no Top Secret data 
processing laboratory...

Why not encrypt the whole disk while you're at it???  
 
--- ZMailQ 1.12 (QuickBBS)
 * Origin: End of the Line. (703)720-1624 in Stafford, Va. (1:274/16.0)




Msg#:22164 *Virus Info*
10-19-90 23:10:00 (Read 3 Times)
From: TOM SMITH @ 930/1
  To: SCOTT HOWELL
Subj: RE: QUESTION
Scott, you'd have to go into more detail on your "scramble"d FAT before
it'd become obvious that a virus had hit it; I'd bet that it's the disk
"optimizer" you mentioned.  You didn't say which one it was, but
several of them, particularly older ones, can be quite nasty if
something unusual happens during the optimization run; they can even be
nasty if something unusual DOESN'T happen!  Were you running a disk
enhancement utility such as SpeedStor or Disk Manager?  These, or other
TSRs like disk caches, especially ones with delayed writes, can add
still more problems.
 
As for possible fixes, I'd suggest that you try one of the "fixit"
programs in Norton Utilities 5.0, PC Tools Deluxe 6.0, or Mace
Utilities 1990.  The "Emergency Room" utility in the latter gets
particularly high marks; I've found it to fix disks that the others
wouldn't even admit existed!  If these won't help, you can contact one
of the commercial data recovery firms, but they can be
exxpppeeeennnnnssssssiiiiiiivvvvvvvveeeeeeeee..........
 
One final piece of advice:  Before you try to optimize again, 1) BACK
UP!; 2) Copy to save files CONFIG.SYS and AUTOEXEC.BAT; 3) Delete them
and reboot to remove any TSRs (note:  If you're running a Disk
Manager-type of disk enhancer, you can't remove it.  In that case, make
sure that the optimizer you're using specifically states that it'll
work with the particular disk enhancer you're using.) and run the
optimizer on a "clean" system.  Hope some of this helps...
 
Tom Smith/Dallas...


--- QM v1.00
 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0)
 * Origin: Network Gateway to RBBS-NET  (RBBS-PC 1:10/8)




Msg#:22412 *Virus Info*
10-15-90 20:23:00 (Read 3 Times)
From: TOM PREECE
  To: ALAN DAWSON
Subj: REPLY TO MSG# 20560 (RE: VIRUS - TROJANS FOR EVERYONE.)
Well I guess it's time for me to uncover.  I am not a programmer and can't
pretend to be.  It does however seem to me that the compilation of dangerous
instructions to DOS by whatever method should have a similar structure in
direct processor instructions.
 
I guess I was hoping some really clever programmer out there would be able to 
build a detect for the simple kinds of DOS destructo instructions and create
some generic form of a scan file to prevent this kind of crud. Meanwhile I'll 
back up often.
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#:22413 *Virus Info*
10-15-90 20:32:00 (Read 3 Times)
From: TOM PREECE
  To: DUANE BROWN
Subj: REPLY TO MSG# 19512 (RE: ARTICLE IN BEAUMONT ENTERPRISE)
I don't know if I was in this before, but I believe I have reported being 
infected by software supplied by a dealer.  Always be suspicious.
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#:22414 *Virus Info*
10-16-90 20:40:00 (Read 3 Times)
From: TOM PREECE
  To: ICE WOLF
Subj: REPLY TO MSG# 20572 (RE: TROJAN)
Do I speak for all?  I don't know.
A trojan is a file with data or media destroying instructions that does not 
necessarily replicate and spread like a virus.  Many or most viruses are 
trojans.  Not all trojans are viruses.
--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019  (1:161/208)




Msg#:22415 *Virus Info*
10-17-90 01:00:00 (Read 2 Times)
From: DARIN ARRICK
  To: PAUL FERGUSON
Subj: DOES ANYONE KNOW HOW TO MAKE VIRUS
 * Replying to a message originally to Janne Ristavaara
 >  * Replying to a message originally to Wilson Phillips
 > JR>Sure someone will know, but what is it worth of ?!?
 > JR>Do you want to get your name or alias known or what ?!?
 > JR>I think (and I'm sure many others do the same) that making a
 > JR>virus is really discusting. Why don't use your gifts to more
 > JR>useful purpose, like some utilities or another useful
 > JR>programs ?
 > JR>Or if you just have to make a virus, please make an friendly
 > JR>one;-)
 > JR>
 > JR>-JR-  
 > JR> 
 > JR>--- 
 > JR> * Origin: The Eternal Flame BBS +358-55-53340 / V.32 ECM 
 > JR>(2:515/841.3)
 >  
 > Surely you do not belong to the school of thinking that
 > =actually= beleives that there can be a "friendly" virus? Any
 > replicating and infectious program is undesireable. There
 > have been numerous attempts to implement "good" vviruse (Den
 > Zuk, et al.) but it ran amok. I think that more harm than
 > good would ever come of this train of thought.
 >  
 > Greetings from Washington, DC
 > -Paul
 > --- 
 >  * Origin: Sentry Net BBS C'Ville VA (1:109/229)
 
Paul, I have been following this echo for a few days and am amazed at the 
hatred spread toward viruses. They are programs, just like Lotus 123 or dBase 
IV. There are good reasons for "friendly" viruses, such as automatic error 
detection and correction for unattended systems. System crash cleaners, I guess
you could call them. I welcome replies, but no screaming. Just intelligent 
conversation. :-)
 
Darin
--- 
 * Origin: GENESYS I BBS (817)-284-1520 (1:130/59)




Msg#:22416 *Virus Info*
10-17-90 01:10:00 (Read 3 Times)
From: DARIN ARRICK
  To: ICE WOLF
Subj: REPLY TO MSG# 22412 (RE: VIRUS - TROJANS FOR EVERYONE.)
 * Replying to a message originally to Alan Dawson
 > ** Quoting Alan Dawson to Tom Preece **
 >  >The only 
 >  >defense would be to stop your computer from doing anything 
 >  >at all.
 >  
 > I once spoke with a person who ran a BBS and said he had a
 > 'fool-proof' protection from anything (I don't know if he's
 > trustworthy, but here's his idea): He put a physical switch
 > on the cables to his hard drives. He would copy a suspected
 > file into a RamDrive and then shut off his drives. He'd run
 > the program in RAM and see what happened. That way, no writes
 > were possible.
 >  
 > How possible is it that this would work? It seems like you'd
 > have to reconfigure your whole system after shutting off the
 > drives, which would include a power-down, which would wipe
 > out RAM???
 >  
 > Marshall Gatten
 
It is possible and is a commercial product. Arrick/Microsync in Ft. Worth, 
Texas, has a product called "WriteGuard" which does just that. Lets you flip a
switch anytime and make the hard drive write protected. It also intercepts any 
writes to the hard disk and informs you with a buzzer, so you know when 
something tries to write to the drive. Call (817)540-0938. Tell them I sent 
you. (They are friends of mine. My brother used to own it, but sold it and they 
kept the name, so I'm not affiliated with them except by friendship.)
 
Later,
Darin Arrick, KB5KHR
--- 
 * Origin: GENESYS I BBS (817)-284-1520 (1:130/59)




Msg#:22417 *Virus Info*
10-17-90 21:09:00 (Read 3 Times)
From: ERIC JACKSCH
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 20568 (DOCUMENTING VIRUS HITS)
 > Look for NetMail, Eric. <grin> Glad to help you in any way I can.
 >
 > Greetings from Capitol Hill
 > -Paul

Thanks, I really appreciate it.  Besides some documentation in magazines, there
is very little information in Canada on the topic...I hope to contact people 
here who are in areas which have serious problems, and also want to look at the
economic impacts of viruses, hard drive crashes, and other computer data 
security related issues....the larger the area over which I collect info, the 
better. 
Thanks,
Eric.

--- FD 1.99c
 * Origin: Insomniacs' Guild  *** Nepean, Ontario, Canada *** (1:163/111)




Msg#:22418 *Virus Info*
10-16-90 23:58:00 (Read 3 Times)
From: MIKE MCCUNE
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 20564 (RE: VIRUS - TORJANS FOR EVERYONE.)
I have the commercial version of the program complete with all
the overlays and help files. It is my main communication
software. I used to use Procomm but MTE has almost identical
command and does more (not to mention it has built-in error
correction). I'll call your BBS later to check out your version
of the program...<MM>.

 
--- KramMail v3.15
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)




Msg#:22419 *Virus Info*
10-17-90 09:09:00 (Read 3 Times)
From: PHILLIP LAIRD
  To: RICHARD ENTWISTLE
Subj: REPLY TO MSG# 20571 (RE: VALIDATE AND CLEANP66)

 > * Replying to a message originally to Justin Keen
 >RE> JK> What's the problem?  It may be nothing but the VALIDATE.COM 
 >program I 
 >RE> JK> decompressed from the CLEANP66.ZIP package does not 
 >validate
 >RE>correctly! 
 >RE> JK> Details are:
 >RE> JK>  

Where did you download it from?  Can you tell me that?  It would not surprise me
that someone would try to infect John's programs, even though it may be a bad 
move to do so, after John has put a lot of work into them for our protection. 
If someone uploads SCAN/CLEANUP or any other program used to eradicate viruses 
here, it is deleted - I personally download them directly from McAfee's BBS to 
cut the chances of infection and some new virus attached to the program.  I 
have noticed though, that the CRC doesn't always match the original file. 
Sometimes error in zip causes it, sometimes I don't know what causes it.  Hope 
this helps.

From South East Texas, U.S.A

--- TAGMAIL v2.41
 * Origin: Datamaniac's Hideout BBS - Beaumont, TX (1:19/49)




Msg#:22420 *Virus Info*
10-17-90 18:41:00 (Read 3 Times)
From: PAUL FERGUSON
  To: VINSON NICHOLS
Subj: REPLY TO MSG# 20573 (RE: DOES)
Quoting your message to me:
 
VN> What we are doing is going back to some computer dark ages.
 
  Well, Vinson, I must take an opposing view concerning programming. Any code 
that can secretly attach itself to any of my clients' executables (or whatever, 
you should know what I mean) is quite undesirable, especially if it slows 
processing speed or is destructive in any fashion. That is the equivalent of 
Invasion of Privacy. I commend you for "destroying" whatever it is/was that you
compiled, but the hazards are a little too great from my standpoint. There 
are a myriad of viruses popping up every month that keep everyone extremely busy 
enough as it is.
 
Greetings from DC
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22421 *Virus Info*
10-17-90 18:51:00 (Read 3 Times)
From: PAUL FERGUSON
  To: VINSON NICHOLS
Subj: REPLY TO MSG# 20574 (RE: DOES ANYONE KNOW HOW TO MAKE)
VN>Is not funny that there a company's that profit from virus.
VN>Seems that
VN>for every new one that hits. One of the companies a few weeks
VN>later offer
VN>a fix.??? Vinson
VN>
VN>
VN>--- via Silver Xpress V2.27 [NR]
VN>
VN>
VN>--- QM v1.00
VN> * Origin: The  F e d e r a l  Post  -{*}-  Fayetteville, NC
VN>(1:151/301.0)
 
  I have no intention of going around with you on this, Vinson, but you are 
obviously running with blinders on....It is narrow minded viewpoints such as 
yours that plague the effort that research, hard work and eradication/education
efforts are trying to instill in the computing public.
  BTW, wouldn't a working knowledge of DEBUG or similar address manipulating 
facility suffice to help you with the inner workings of COMMAND.COM, etc.? 
There are many more aspects to dealing with viruses than knowledge of these 
files, but I do see your point, I guess. Shame, though, that you must rely on 
such odd circumstances to enhance your programming skills.
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22422 *Virus Info*
10-17-90 18:57:00 (Read 3 Times)
From: PAUL FERGUSON
  To: STEPHEN BROMWICH
Subj: VIRUS SUMMARY VERSION ???
 * Replying to a message originally to All
SB>  Since no-one seems to know what the virus I have (if it is
SB>a virus) coud anyone te me which is the atest version of
SB>vsum? Thanks.
SB>
SB>Steve
SB>--- XRS 3.30
SB> * Origin: STRANGE BREW! - yer mother wouldn't like it! (RAX
SB>2:25/101.8)
 
Hello, Steven....
  The last release of VSUM is 15 October 1990. In its original form it is 
called VSUM9010.ZIP. Hope this helps.
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22423 *Virus Info*
10-11-90 11:58:00 (Read 3 Times)
From: SCOTT HOWELL
  To: ALL
Subj: REPLY TO MSG# 22164 (QUESTION)
to: all

     I have two questions.  First can a virus scramble the file allocation 
table, but not to the point where it can't be repaired and where can I get a 
list of the most recent viruses?  I ask because I am pretty sure I wasn't hit 
because Scan couldn't find anything, but for some reason a large majority of 
the files on drives c through h were cross linked and the table was pretty 
screwed.  Hmmm well I think it has something to do with the optimizer I was 
running, but who can tell.  Please help!!! thanks

                               Scott Howell

PS.  I would like to take this list to the other folks at the AIS meeting here 
at NASA Headquarters and the meeting is on Oct. 17 so if anyone can get back to
me before then I would appreciate it.

--- SLMAIL v1.36M  (#0264)
 * Origin: Foundation BBS * College Park, MD Society's connection * (109:109/5




Msg#:22424 *Virus Info*
10-17-90 06:36:00 (Read 4 Times)
From: PATRICIA HOFFMAN
  To: SATYR DAZE
Subj: REPLY TO MSG# 20565 (RE: VIRUS SCANNERS....)
 SD> I myself was infected about month and half ago with the Stoned virus 
 SD> from a BBS that had failed to check it's upload, and unfortunatly the 
 SD> individual who uploaded it was to interested in running the program 
 SD> versus checking it ... 

Satyr, the Stoned virus is a boot sector and partition table virus, it does not
infect executable program files such as .COM and .EXE files.  You cannot get it
from a download from a BBS unless the download happens to be a complete, 
compressed file containing an image of a floppy disk.  If you got a virus from 
a normal file that you downloaded, it wasn't the Stoned virus.  It may have 
been a file infector that also carries a boot sector infector, such as the 
Invader virus which was only isolated within the last month.  How did you 
determine it was Stoned?

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:22425 *Virus Info*
10-17-90 06:50:00 (Read 4 Times)
From: PATRICIA HOFFMAN
  To: ALL
Subj: CROSS-LINKED ECHOS
All sysops who recently added this echo (VIRUS_INFO) or the VIRUS echo should 
check their systems to make sure that they have not accidentally cross-linked 
these two echos.  Several of the messages which have been received on my system
in the last two days appear to belong in VIRUS since the messages being quoted 
from came from the VIRUS echo.  Please verify your echomail setups if you just 
recently added either echo to your system, these two echos are not the same 
echo!

Thanks...
Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:22426 *Virus Info*
10-17-90 02:31:00 (Read 3 Times)
From: TOM SMITH @ 930/1
  To: SATYR DAZE
Subj: REPLY TO MSG# 22424 (RE: VIRUS SCANNERS....)
SD> From my understanding the people who write these programs aren't Geniu
SD> any scope.  Anyone can write a Virus program, all it takes is the know
SD> somthing easiliy gained in today's information Society.         
 
SD> I feel sorry for them, they feel this is the only way to convey their 
SD> and hurt feelings about society or themselves.
 
SD> They are nothing short of Terrorists.
  
Hear, hear...  Tom Smith/Dallas...


--- QM v1.00
 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0)
 * Origin: Network Gateway to RBBS-NET  (RBBS-PC 1:10/8)




Msg#:22427 *Virus Info*
10-17-90 02:36:00 (Read 3 Times)
From: TOM SMITH @ 930/1
  To: ERIC JACKSCH
Subj: REPLY TO MSG# 22417 (RE: DOCUMENTING VIRUS HITS)
Eric, I don't have access to NetMail, but please feel free to call me
at my work number - (214) 401-7839 - between about 9:30 AM and 5:30 PM
CST if you'd like to chat; I've run into each of the security issues
you listed at one time or another...  Tom Smith/Dallas...


--- QM v1.00
 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0)
 * Origin: Network Gateway to RBBS-NET  (RBBS-PC 1:10/8)




Msg#:22428 *Virus Info*
10-17-90 17:05:00 (Read 3 Times)
From: KEN DORSHIMER
  To: TOM PREECE
Subj: REPLY TO MSG# 22416 (RE: VIRUS - TROJANS FOR EVERYONE.)

 ...at a time when Western civilization was declining
    too rapidly for comfort, yet too slowly to be very
    exciting Tom Preece was saying:

 TP> Well I guess its time for me to uncover.  I am not a programmer and
 TP> can't pretend to be.  It does however seem to me that the compiliation
 TP> of dangerous
 TP>
 TP> instructions to dos by whatever method should have a similar
 TP> structure in direct processor instructions. I guess I was hoping some
 TP> really clever programmer out there would be able to build a detect for
 TP> the simple kinds of dos destruco instructions and create some generic
 TP> form of a scan file to prevent this kind of crud. Meanwhile I'll back
 TP> up often.

there is one, sort of. it's called CHK4BOMB. it comes with the FLUSHOT
package. what it does is look for calls to direct disk writes and warns you
that the program you're examining uses them. mostly it just looks for calls
to INT 13 instructions. not perfect, but worth checking out.

 ...space is merely a device to keep everything from being
    in the same spot...


--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
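
The kind of check described in the message above (looking through a program for INT 13 calls), as an added example that is not part of the original messages and is not CHK4BOMB's own code. It scans a program image for INT 13h/25h/26h opcodes and guesses the INT 13h function from a nearby load of AH; the function names and the sample byte strings are constructed for illustration.

```python
"""Heuristic scan of a DOS program image for direct disk access (added example)."""

# Software interrupts that bypass the DOS file system (standard PC assignments).
DISK_INTERRUPTS = {
    0x13: "BIOS disk services",
    0x25: "DOS absolute disk read",
    0x26: "DOS absolute disk write",
}
# INT 13h functions (selected by AH) that change what is on the disk.
INT13_WRITE_FUNCS = {0x03: "write sectors", 0x05: "format track"}

OP_INT = 0xCD      # INT imm8
OP_MOV_AH = 0xB4   # MOV AH, imm8
OP_MOV_AX = 0xB8   # MOV AX, imm16 (little-endian, so AH is the second operand byte)


def guess_ah(image, int_off, lookback=16):
    """Return the AH value loaded closest before the INT, or None if not found.

    This is a byte-pattern guess, not a disassembly: it can misread operand
    bytes as opcodes and cannot see values computed at run time.
    """
    for p in range(int_off - 2, max(int_off - lookback, 0) - 1, -1):
        if image[p] == OP_MOV_AH:
            return image[p + 1]
        if image[p] == OP_MOV_AX and p + 2 < int_off:
            return image[p + 2]
    return None


def find_disk_calls(image, lookback=16):
    """List every INT 13h/25h/26h opcode in the image with a verdict."""
    findings = []
    for off in range(len(image) - 1):
        if image[off] != OP_INT or image[off + 1] not in DISK_INTERRUPTS:
            continue
        intno = image[off + 1]
        ah = guess_ah(image, off, lookback) if intno == 0x13 else None
        if intno == 0x26:
            verdict = "write"
        elif intno == 0x13 and ah in INT13_WRITE_FUNCS:
            verdict = "write"
        elif intno == 0x13 and ah is None:
            verdict = "unknown"      # function not visible: treat as worth a look
        else:
            verdict = "access"       # reads, resets, status calls
        findings.append({"offset": off, "int": intno, "ah": ah, "verdict": verdict})
    return findings


def warns(image):
    """True when the image contains a call that can write to the disk directly."""
    return any(f["verdict"] in ("write", "unknown") for f in find_disk_calls(image))


# Constructed sample 1: prints a string through INT 21h and exits. No disk calls.
SAMPLE_BENIGN = bytes.fromhex("b409ba0b01cd21b8004ccd21") + b"Hi$"

# Constructed sample 2: opcode fragments only (no buffer or drive registers are
# set up): MOV AH,02 / INT 13h, NOP, MOV AH,03 / INT 13h, INT 26h, RET.
SAMPLE_DISK = bytes.fromhex("b402cd13" "90" "b403cd13" "cd26" "c3")


if __name__ == "__main__":
    for name, image in (("benign", SAMPLE_BENIGN), ("disk", SAMPLE_DISK)):
        print(name, "WARN" if warns(image) else "ok")
        for f in find_disk_calls(image):
            ah = "??" if f["ah"] is None else "%02Xh" % f["ah"]
            print("  +%04X  INT %02Xh  AH=%s  %s  (%s)" % (
                f["offset"], f["int"], ah, f["verdict"], DISK_INTERRUPTS[f["int"]]))
```

A scan like this only sees calls that are present as plain bytes in the file, which is one reason the message calls the approach "not perfect".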




Msg#:22429 *Virus Info*
10-17-90 18:00:00 (Read 3 Times)
From: RON LAUZON
  To: ICE WOLF
Subj: REPLY TO MSG# 22414 (TROJAN)
IW> I've been monitoring this echo for a while, and I have a question:
IW> I've dealt with viruses before (yes, they were viruses; not just
IW> programming bugs), but I have never heard the term 'Trojan' except in
IW> passing. What exactly is a Trojan and how does it differ from a virus?
IW> Or, are the two word just synonyms?

No, they are not synonyms but they are similar.

The term "trojan" comes from the story of Helen of Troy and the Trojan Horse.  
To refresh your memory:  Troy was a very well fortified city. So the enemy's of
Troy built a horse, hid inside it and parked it in front of the gates of Troy. 
The Trojans thought it was a gift from the gods and brought it in.  Once 
inside, the guys inside the horse jumped out and battled inside of Troy (I 
don't remember who won, though). 

But in any case, a Trojan is a program that says it will do something useful 
but does something damaging instead.  It differs from a virus in that it 
doesn't infect any other program.  But like a virus, it may choose to damage 
your disk now or some time in the future. 



... !lanimret siht edisni deppart ma I !pleH
 
--- via The Blue Wave v1.05 [NR]
 * Origin: Flight of the Raven -=* Home of the Blue Wave *=- (1:2200/107.0)




Msg#:22430 *Virus Info*
10-18-90 09:29:00 (Read 3 Times)
From: PATRICK MURPHY
  To: SCOTT HOWELL
Subj: REPLY TO MSG# 22423 (QUESTION)
 SH>      I have two questions.  First can a virus scramble the file 
 SH> alication table, but not to the point where it can't be repaired and 
 SH> where can I get a list of the most recent viruses?  I ask because I am 

My brother's computer got infected by the Stoned virus, and although the FAT 
was very screwed up, after running CLEAN the Norton Disk Doctor did a fairly 
good job (as dangerous as NDD can be...)

 SH> cross linked and the table was pretty screwed.  Hmmm well I think it has 
 SH> something to do with the optimizer I was running, but who can tell.  
 SH> Please help!!! thanks
 SH> 
 SH>                                Scott Howell

Hmmm...maybe your FAT problem is not due to a virus...did you run the latest 
version of SCAN??? (v67C I think)...

If you do any optimizing under a multitasking system (e.g. Desqview), you may 
quite easily scramble your FAT...

ttyl......Pat


--- msged 1.99S ZTC
 * Origin: SmurfBBS - (613)565-1607    Origin Unknown... (1:163/106.999)




Msg#:22431 *Virus Info*
10-19-90 17:02:00 (Read 3 Times)
From: SUNMAP SYSOP
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 22425 (RE: CROSS-LINKED ECHOS)
->All sysops who recently added this echo (VIRUS_INFO) or the VIRUS 
->echo should check their systems to make sure that they have not 
->accidently cross-linked these two echos.  Several of the messages 
->which have been received on my system in the last two days appear 
->to belong in VIRUS since the messages being quoted from came from 
->the VIRUS echo.  Please verify your echomail setups if you just 
->recently added either echo to your system, these two echos are not 
->the same echo! 

Patricia,
We pick both conferences up direct from the US and noticed the same
thing so my guess is that it is before it gets to 1:124/4115 on our
feed line.

->Thanks...
  
You're welcome!

BW



--- via Silver Xpress V2.27 [NR]
 * Origin: Sunmap Multline BBS - Brisbane - Australia (3:640/206)




Msg#:22432 *Virus Info*
10-18-90 20:49:00 (Read 3 Times)
From: PAUL FERGUSON
  To: DARIN ARRICK
Subj: REPLY TO MSG# 22415 (DOES ANYONE KNOW HOW TO MAKE VIRUS)
DA> * Replying to a message originally to Janne Ristavaara
DA> >  * Replying to a message originally to Wilson Phillips
DA> > JR>Sure someone will know, but what is it worth of ?!?
DA> > JR>Do you want to get your name or alias known or what ?!?
DA> > JR>I think (and I'm sure many others do the same) that making a
DA> > JR>virus is really discusting. Why don't use your gifts to more
DA> > JR>useful purpose, like some utilities or another useful
DA> > JR>programs ?
DA> > JR>Or if you just have to make a virus, please make an friendly
DA> > JR>one;-)
DA> > JR>
DA> > JR>-JR-  
DA> > JR> 
DA> > JR>--- 
DA> > JR> * Origin: The Eternal Flame BBS +358-55-53340 / V.32 ECM 
DA> > JR>(2:515/841.3)
DA> >  
DA> > Surely you do not belong to the school of thinking that
DA> > =actually= beleives that there can be a "friendly" virus? Any
DA> > replicating and infectious program is undesireable. There
DA> > have been numerous attempts to implement "good" vviruse (Den
DA> > Zuk, et al.) but it ran amok. I think that more harm than
DA> > good would ever come of this train of thought.
DA> >  
DA> > Greetings from Washington, DC
DA> > -Paul
DA> > --- 
DA> >  * Origin: Sentry Net BBS C'Ville VA (1:109/229)
DA> 
DA>Paul, I have been following this echo for a few days and am
DA>amazed at the hatred spread toward viruses. They are
DA>programs, just like Lotus 123 or dBase IV. There are good
DA>reasons for "friendly" viruses, such as automatic error
DA>detection and correction for unattended systems. System crash
DA>cleaners, I guess you could call them. I welcome replies, but
DA>no screaming. Just intelligent conversation. :-)
DA> 
DA>Darin
DA>--- 
DA> * Origin: GENESYS I BBS (817)-284-1520 (1:130/59)
 
Hello, again, Darin....
 I apologize if it seemed like "screaming"...actually quite the opposite. You 
are obviously looking at this situation from an esoteric standpoint. I see the 
damage a virus can do (gone unchecked and allowed to run its course) on a 
regular basis. Some of my unsuspecting users go for months sometimes thinking 
that their recurring problems (whatever they may be, in this instance) are 
actually hardware problems. Technicians that must break routine and travel to 
correct such viral surfacings are bogged down enough. We handle all the 
hardware and software support for a very large government agency here in DC, 
all their sites locally =and= around the world. It gets to be a =very= large 
problem at times. I cannot at times allow myself to become esoteric. Perhaps 
you see my point.
 
Greetings (again) from Washington, DC
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22433 *Virus Info*
10-18-90 20:51:00 (Read 3 Times)
From: PAUL FERGUSON
  To: ERIC JACKSCH
Subj: REPLY TO MSG# 22427 (DOCUMENTING VIRUS HITS)
EJ> > Look for NetMail, Eric. <grin> Glad to help you in any way I can.
EJ> >
EJ> > Greetings from Capitol Hill
EJ> > -Paul
EJ>
EJ>Thanks, I really appreciate it.  Besides some documentation
EJ>in magazines, there is very little information in Canada on
EJ>the topic...I hope to contact people here who are in areas
EJ>which have serious problems, and also want to look at the
EJ>economic impacts of viruses, hard drive crashes, and other
EJ>computer data security related issues....the larger the area
EJ>over which I collect info, the better. 
EJ>Thanks,
EJ>Eric.
EJ>
EJ>--- FD 1.99c
EJ> * Origin: Insomniacs' Guild  *** Nepean, Ontario, Canada ***
EJ>(1:163/111)
 
Oh...BTW, you can reach me NetMail, also, via the Origin Line. Steady.
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22434 *Virus Info*
10-18-90 20:53:00 (Read 3 Times)
From: PAUL FERGUSON
  To: MIKE MCCUNE
Subj: REPLY TO MSG# 22418 (RE: VIRUS - TORJANS FOR EVERYONE.)
MM>I have the commercial version of the program complete with
MM>all
MM>the overlays and help files. It is my main communication
MM>software. I used to use Procomm but MTE has almost identical
MM>command and does more (not to mention it has built-in error
MM>correction). I'll call you BBS later to check out your
MM>version
MM>of the program...<MM>.
MM>
MM> 
MM>--- KramMail v3.15
MM> * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA
MM>(1:133/311.0)
 
Ok, Mike. But I ditched MagicSoft in favor of Telix. Took me a while 
but....hey, I'm a little stubborn sometimes.   '-)
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22435 *Virus Info*
10-18-90 21:07:00 (Read 3 Times)
From: PAUL FERGUSON
  To: DANIEL KALCHEV
Subj: STEALTH VIRUSES
 * Replying to a message originally to Vesselin Bontchev
DK>In a message of <Oct 12 00:02> Vesselin Bontchev
DK>(2:359/101.2) writes:
DK>
DK>  VB>      (1) Does not cause visible increasing of file sizes. This is 
DK>
DK>Better say "does not SHOW the increased file size"!
DK>
DK>  VB> BTW, the term "stealth" was got from the F-19 plane that is
DK>"invisible"
DK>  VB> for the radars.
DK>
DK>But not for all!!! Remember the old russian radars, using
DK>looong wave, that were still able to detect it? Same with
DK>"stealth" viruses - some programs (techniques) can't detect
DK>them, some can.
DK>
DK>  VB>      (2) Any program that reads the file in order to inspect it (say, 
DK>  VB> to compute a checksum or to see if it is infected) is unable the
DK>"see" 
DK>  VB> the infection if the virus is present in memory. Usually (but not 
DK>  VB> always) the virus achievs this by disinfecting the file on-the-fly on 
DK>  VB> a file open operation and reinfecting it again when it is closed.
DK>
DK>What about using the (good old) method of reading files as
DK>suggested in the "DOS Technical Reference"? Finding cluster
DK>number from the FAT, doing read dn then looking for the next
DK>cluster if any...
DK>
DK>Regards from Varna,
DK>Daniel
DK>
DK>--- msged 2.00
DK> * Origin: Danbo's Cave  (2:359/1.1)
 
Your point reinforces all arguments for multi-layered protection schemes, no?
 
'-)
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)
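
The suggestion quoted in the message above (find the cluster number in the FAT, read, then look up the next cluster) and the cross-linked files reported earlier in this thread both come down to walking FAT chains. The following is an added example, not code from any of the posters: it decodes 12-bit FAT entries from a raw copy of the FAT and reports clusters claimed by more than one file. It assumes FAT12 (as used on a 360K diskette) and that the FAT bytes and each file's starting cluster have already been read from the disk; the sample table and file names are constructed.

```python
"""Walk FAT12 cluster chains from raw FAT bytes and report cross-links (added example)."""

EOC_MIN = 0xFF8   # 0xFF8-0xFFF mark the last cluster of a file
BAD = 0xFF7       # cluster marked bad
FREE = 0x000      # cluster not allocated


def fat12_entry(fat, n):
    """Decode the 12-bit entry for cluster n (two entries share three bytes)."""
    off = n * 3 // 2
    pair = fat[off] | (fat[off + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0x0FFF


def pack_fat12(entries):
    """Inverse of fat12_entry; used here only to build the constructed samples."""
    fat = bytearray((len(entries) * 3 + 1) // 2)
    for n, val in enumerate(entries):
        off = n * 3 // 2
        if n & 1:
            fat[off] |= (val << 4) & 0xF0
            fat[off + 1] = val >> 4
        else:
            fat[off] = val & 0xFF
            fat[off + 1] |= (val >> 8) & 0x0F
    return bytes(fat)


def follow_chain(fat, start, total):
    """Return (clusters, status); status is 'ok', 'loop' or 'bad-link'.

    total is the number of FAT entries; data clusters are numbered 2..total-1.
    """
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= total:
            return chain, "bad-link"      # points outside the data area
        if cur in seen:
            return chain, "loop"          # chain circles back on itself
        seen.add(cur)
        chain.append(cur)
        nxt = fat12_entry(fat, cur)
        if nxt >= EOC_MIN:
            return chain, "ok"
        if nxt in (FREE, BAD):
            return chain, "bad-link"      # chain runs into a free or bad cluster
        cur = nxt


def check_volume(fat, directory, total):
    """directory maps file name -> starting cluster (taken from its directory entry)."""
    owners = {}
    report = {"chains": {}, "damaged": {}, "cross_links": {}}
    for name, start in directory.items():
        chain, status = follow_chain(fat, start, total)
        report["chains"][name] = chain
        if status != "ok":
            report["damaged"][name] = status
        for cluster in chain:
            owners.setdefault(cluster, []).append(name)
    report["cross_links"] = {c: n for c, n in owners.items() if len(n) > 1}
    return report


# Constructed sample: entries 0 and 1 are reserved (0xFFD, 0xFFF).
# A.TXT: 2 -> 3 -> 4 -> end.  B.PAS: 5 -> 6 -> 4 (runs into A.TXT's cluster).
# C.DAT: 7 -> 8 -> end.  Cluster 9 is free.
SAMPLE_ENTRIES = [0xFFD, 0xFFF, 3, 4, 0xFFF, 6, 4, 8, 0xFFF, 0]
SAMPLE_FAT = pack_fat12(SAMPLE_ENTRIES)
SAMPLE_DIR = {"A.TXT": 2, "B.PAS": 5, "C.DAT": 7}


if __name__ == "__main__":
    report = check_volume(SAMPLE_FAT, SAMPLE_DIR, len(SAMPLE_ENTRIES))
    for name, chain in report["chains"].items():
        print("%-6s %s %s" % (name, chain, report["damaged"].get(name, "")))
    for cluster, names in report["cross_links"].items():
        print("cluster %d is cross-linked: %s" % (cluster, ", ".join(names)))
```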




Msg#:22436 *Virus Info*
10-18-90 21:12:00 (Read 3 Times)
From: PAUL FERGUSON
  To: MIKAEL LARSSON
Subj: NORTON'S ANTIVIRUS
 * Replying to a message originally to Herb Brown
ML> * Replying to a message originally to all
ML>
ML> > Has anybody heard anything about Norton's antivirus programs
ML> > yet?
ML>
ML>Nah, I Think it will be released soon. But i heard some
ML>rumour that it couldn't find some VERY COMMON viruses.. 
ML>Ehum.....
ML>
ML>MiL 
ML> 
ML>--- 
ML> * Origin: -= Virus Help Centre HQ +46-26-275710 =- 
ML>(2:205/204)
 
I started hearing all the hubbub about Norton's AntiViral package a couple of 
days ago....Will let "The Fingers Do the Walking", if you know what I mean. I 
am anxious to see what =this= group thinks about it after evaluation....I know 
most of you are teeming to "play". I'm looking forward to obtaining my copy as 
well...We shall see how effective it =really= is. 
 
'-)
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22437 *Virus Info*
10-18-90 21:23:00 (Read 3 Times)
From: PAUL FERGUSON
  To: SCOTT HOWELL
Subj: REPLY TO MSG# 22430 (QUESTION)
 * Replying to a message originally to All
SH>to: all
SH>
SH>     I have two questions.  First can a virus scramble the
SH>file alication table, but not to the point where it can't be
SH>repaired and where can I get a list of the most recent
SH>viruses?  I ask because I am pretty sure I wasn't hit because
SH>Scan couldn't find anything, but for some reason a large
SH>majority of the files on drives c through h were cross linked
SH>and the table was pretty screwed.  Hmmm well I think it has
SH>something to do with the optimizer I was running, but who can
SH>tell.  Please help!!! thanks
SH>
SH>                               Scott Howell
SH>
SH>PS.  I would like to take this list to the other folks at the
SH>AIS meeting here at NASA Headquarters and the meeting is on
SH>Oct. 17 so if anyone can get back to me before then I would
SH>appreciate it.
SH>
SH>--- SLMAIL v1.36M  (#0264)
SH> * Origin: Foundation BBS * College Park, MD Society's
SH>connection * (109:109/521)
 
I would go ahead and post the number of my own BBS, but it would not
be quite desirable to have some uninvited "guests" dropping in. You'll be 
hearing from me soon via regular mail at Foundation. Patti Hoffman's "Virus 
Summary Information List" is the unrivaled descriptive document available. It 
can be downloaded on any reputable board (the latest version VSUM1090.ZIP, that
is) in the DC Metro Area. Hope this helps. BTW...Remember that Snail Mail takes
a couple of days!
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22438 *Virus Info*
10-18-90 21:31:00 (Read 3 Times)
From: PAUL FERGUSON
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 22428 (RE: VIRUS - TROJANS FOR EVERYONE.)
 * Replying to a message originally to Tom Preece
KD> ...at a time when Western civilization was declining
KD>    too rapidly for comfort, yet too slowly to be very
KD>    exciting Tom Preece was saying:
KD>
KD> TP> Well I guess its time for me to uncover.  I am not a programmer and
KD> TP> can't pretend to be.  It does however seem to me that the compiliation
KD> TP> of dangerous
KD> TP>
KD> TP> instructions to dos by whatever method should have a similar
KD> TP> structure in direct processor instructions. I guess I was hoping some
KD> TP> really clever programmer out there would be able to build a detect for
KD> TP> the simple kinds of dos destruco instructions and create some generic
KD> TP> form of a scan file to prevent this kind of crud. Meanwhile I'll back
KD> TP> up often.
KD>
KD>there is one, sort of. it's called CHK4BOMB. it comes with
KD>the FLUSHOT
KD>package. what it does is look for calls to direct disk writes
KD>and warns you
KD>that the program you're examining uses them. mostly it just
KD>looks for calls
KD>to INT 13 instructions. not perfect, but worth checking out.
KD>
KD> ...space is merely a device to keep everything from being
KD>    in the same spot...
KD>
KD>
KD>--- ME2
KD> * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)
 
Well, it didn't wrap correctly, but what the hey....
There is a newer, enhanced offshoot of CHK4BMB called TRAPDISK. Based on the 
aforementioned, it seems to work rather well...I have tested it in a couple of 
instances in "triggered" type viruses without mishap (although I would =never= 
rely on it =completely=).
It is a decent program and worth a look.
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22439 *Virus Info*
10-18-90 21:39:00 (Read 3 Times)
From: PAUL FERGUSON
  To: JAN TERPSTRA
Subj: TBSCAN TESTING
Hello, again, Jan
 Can you please elaborate on the "New" viruses that you mentioned referencing 
in your testing of the product? Please don't keep us enquiring types 
hanging.<grin>
 
Thanks,
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:22440 *Virus Info*
10-17-90 06:53:00 (Read 3 Times)
From: YASHA KIDA
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 22426 (RE: VIRUS SCANNERS....)

In a message of <15 Oct 90 21:13:00>, Paul Ferguson (1:109/229) writes:

 PF> SD>I myself was infected about month and half ago with the
 PF> SD>Stoned virus from a BBS that had failed to check it's upload,


 PF>   I believe that you are mistaken. Virtually the only way to spread 
 PF> STONED is through direct disk access (ie. Copying files, fformatin 
 PF> diskettes....). STONED is a Boot sector infector and will omly spread 
 PF> in that fashion. It does not attach itself to any executables but 
 PF> instead resides in the partition table. I agree with your sentiment 
 PF> wholeheartedly, but I do not think that the BBS is to blame. (Gosh, we 
 PF> BBSs get all the blame!). 

There are several programs which send the ENTIRE CONTENTS including the boot 
sector ....TELADISK.* is one for starters 

Yasha Kida
sysop 



--- msged 1.99S ZTC
 * Origin: Bragg IDBS, (82nd - The hole in SADDAMS PLAN) (1:151/305)




Msg#:22441 *Virus Info*
10-17-90 08:40:00 (Read 2 Times)
From: YASHA KIDA
  To: PATRICIA HOFFMAN
Subj: TECH QUESTION

PAT is there a VIRUS SCANNING program which can scan for viruses on 
SELF-BOOTING DISKETTES (COPY PROTECTED ie.. STICKLY-BEAR)
I purchased some of these type of programs (USED) and would like to be sure...

McAfee's SCANV reports

GENERAL FAILURE READ DRIVE A:
A)bort R)etry F)ail

won't even check the BOOT SECTOR



Yasha

     

--- msged 1.99S ZTC
 * Origin: Bragg IDBS, (82nd - The hole in SADDAMS PLAN) (1:151/305)




Msg#:22442 *Virus Info*
10-19-90 12:19:00 (Read 3 Times)
From: CHARLES HANNUM
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 22440 (RE: VIRUS SCANNERS....)
 >   I believe that you are mistaken. Virtually the only way to spread
 > STONED is through direct disk access (ie. Copying files, fformatin
 > diskettes....). STONED is a Boot sector infector and will omly
 > spread in that fashion. It does not attach itself to any executables
 > but instead resides in the partition table. I agree with your
 > sentiment wholeheartedly, but I do not think that the BBS is to
 > blame. (Gosh, we BBSs get all the blame!).

Of course, that's not to say that some inventive person didn't package Stoned
in an executable...


"Just because I'm paranoid doesn't mean they're not *really* out to get me!"

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#:22443 *Virus Info*
10-19-90 12:20:00 (Read 3 Times)
From: CHARLES HANNUM
  To: DUANE BROWN
Subj: REPLY TO MSG# 20576 (RE: STERILAB)
 > Would you want to be responsible for the wrath of someone who lost
 > their WHOLE FAT TABLE with their term paper if something went wrong
 > with this encoding/decoding process???????? Even norton's wouldn't
 > work if the fat, etc was scrambled in such a process...

It doesn't have to really screw anything up; you *could* just change the
media descriptor and the corresponding info in the boot sector.  Then it
would be fairly straightforward to resurrect a disk.  It would also be less
secure.

 > Think about it... it may be secure, but a computer lab is no Top
 > Secret data processing laboratory...

It should, however, be as sterile as possible.

 > Why not encrypt the whole disk while you're at it???

Sure.  Why not?


"Just because I'm paranoid doesn't mean they're not *really* out to get me!"

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#:22444 *Virus Info*
10-18-90 02:28:00 (Read 3 Times)
From: ANDY CAMPBELL
  To: ALL
Subj: WIERD PROBLEM
I am having a strange problem with a Telex 286 AT computer's floppy. 
I have tried replacing the floppy drive, the controller, the cable, 
etc.  We have other Telex machines that work fine.  But now I am 
suspicious... 
 
Does anyone out there know of a virus that causes excessive read 
errors on the floppy disks?  This is the only machine in our shop 
that does this, but it also is isolated from anything else.  One of 
our technicians copied some software from it to his own floppy to use on his 
machine at home, and the same problem started to appear on the home machine! 
There is no 'Kilroy' message or anything...just the 
random failure on the disk.  The floppies it's reading work fine on 
the other machines in our shop, so this is beginning to make me 
curious.  The message we keep getting is the A)bort, R)etry, I)gnore msg. 

                                Maestro, The Tocatta BBS 
                                        -ahc- 
 

--- ConfMail V4.00
 * Origin: The Tocatta BBS (1:343/61)




Msg#:22445 *Virus Info*
10-19-90 17:30:00 (Read 3 Times)
From: DARIN ARRICK
  To: VINSON NICHOLS
Subj: REPLY TO MSG# 22420 (RE: DOES)
 I agree that computer information should be free. The traditional view of a 
virus is something that sneaks into your computer and destroys your hard drive 
data. Yes, there are a lot that do that. A virus could also monitor system 
functions and watch for unusual activity (like a "bad" virus) and stop it 
before anything destructive can occur. They are both "viruses", one good, one 
bad.
Don't a lot of virus detection programs do what the above example does? Yup. 
Just remember, you're using a virus to protect yourself from a virus 
(fighting-fire-with-fire theory). If you can't beat 'em, join 'em.
 
Just my opinion.
 
--- 
 * Origin: GENESYS I BBS (817)-284-1520 (1:130/59)




Msg#:22446 *Virus Info*
10-17-90 21:06:00 (Read 3 Times)
From: STUART CORNALL
  To: ERIC JACKSCH
Subj: REPLY TO MSG# 22433 (DOCUMENTING VIRUS HITS)
-=>security in companies using MS-DOS based machines.  If anyone
-=>has first hand knowledge of:
-=>
-=>- a commercial site being infected by a virus,

I'm employed as a Data communications technician in Australia. We frequently 
install modems into systems and are called upon to show people how to run the 
software. Far too often we will COLD boot from our "Own" system disk with Scan 
installed, and find the stoned virus, or the Brain virii. Sometimes other types
than boot block goodies are in the computers. We refuse to continue the 
installation without removing the virii.  Most of the time if it's a boot block, 
I'll manually remove it with debug.

-=>- data losses due to hard drive crash(es),

Virus infection, or head crash. Towers with the legs folded in to make it fit 
into smaller spaces just love to go BASH on the floor and the hard disk makes a
nice screech. It's hard, very much so, not to start giggling!

-=>- malicious damage by employees,

Take one example; Old employee at my high school was fired for misconduct, so 
he found out what turning off the power to the file server did. Server had a 
UPS, but he disabled it.

-=>- unauthorized access to data stored on PC's, or

-=>- other incidents involving serious data loss or security
-=>related issues,

  Faulty tape backup unit, user disabled read after write , I quote 'Caus it 
takes too long'. Then the 600 Meg drive decided to die, and what happened to 
the poor old backups?!  didn't go at all, and he was quickly terminated from 
that company.


 I could tell of many more tales, but I've said enough in this to get the 
creative juices flowing for others to write about.

  regards
          Stuart Cornall.  
 
--- 
 * Origin: Stoned.... Like wow man...     20 Meg Magic (3:640/351)




Msg#:22447 *Virus Info*
10-18-90 16:07:00 (Read 3 Times)
From: SATYR DAZE
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 22442 (RE: VIRUS SCANNERS....)
 
Whoops .. didn't mean to open a Can of Worms here <grin>.  I never meant to 
imply BBS's were to blame ...without them how could we alert each other to 
problems.  No individuals are to blame ... Those who write these little Darling 
Viruses.  and now we must all be responsible in trying not to infect ourselves.
In other words always Scan irregardless of Where you got it from.
 
And this goes not only for Down-Loading ... but Programs Bought commercially 
.... and those passed around by Friends.  As you so well pointed out these can 
come from anywhere.
 
                                                   The Satyr Daze
--- TBBS v2.1/NM
 * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748  (1:135/2)




Msg#:24150 *Virus Info*
10-21-90 07:23:00 (Read 4 Times)
From: PATRICIA HOFFMAN
  To: YASHA KIDA
Subj: REPLY TO MSG# 20562 (UNIX UU-NET VIRUS ECHO)
 YK> Pat is there a UNIX/XENIX version of the VIRUS_INFO...
 YK> if so whom can I contract or what the focal point?
 YK> 
 YK> Reason for asking: I now have the ability to tap UU-NET and others via 
 YK> 9600 links.

Not really a Unix/Xenix version of VIRUS_INFO, but you might want to see if you
can pickup Comp.Virus, which originates on UseNet or Internet.


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:24151 *Virus Info*
10-21-90 07:33:00 (Read 4 Times)
From: PATRICIA HOFFMAN
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 22422 (VIRUS SUMMARY VERSION ???)
 PF>   The last release of VSUM is 15 October 1990. In its original form it 
 PF> is called VSUM9010.ZIP. Hopes this helps.
 PF>  

The current release of VSUM is VSUM9010.ZIP, and is dated October 5, 1990.  If 
you have one dated October 15, 1990, I'd like to see it because it isn't a 
version released by me!

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)




Msg#:24152 *Virus Info*
10-21-90 07:39:00 (Read 4 Times)
From: PATRICIA HOFFMAN
  To: SCOTT HOWELL
Subj: REPLY TO MSG# 22437 (QUESTION)
 SH>      I have two questions.  First can a virus scramble the file 
 SH> allocation table, but not to the point where it can't be repaired and 
 SH> where can I get a list of the most recent viruses?  I ask because I am 
 SH> pretty sure I wasn't hit because Scan couldn't find anything, but for 
 SH> some reason a large majority of the files on drives c through h were 
 SH> cross linked and the table was pretty screwed.  Hmmm well I think it 
 SH> has something to do with the optimizer I was running, but who can tell. 
 SH>  Please help!!! thanks
 SH> 

Scott, it is possible that the optimizer or some other utility that was run on 
the system caused the crosslinking of the files, but it is also possible it was
a virus.  Most of the "stealth" type viruses can have this symptom, 
particularly if CHKDSK is run with the /F parameter.  The effect occurs because
the "stealth" type viruses adjust the directory on the fly, but not the file 
allocation table.  Which version of Scan did you use?  

If you take a look at the Virus Information Summary List, towards the back 
there is a revision history.  To look at only the more recent viruses, look up 
the viruses that were added with the last couple of releases. 

 SH> PS.  I would like to take this list to the other folks at the AIS 
 SH> meeting here at NASA Headquarters and the meeting is on Oct. 17 so if 
 SH> anyone can get back to me before then I would appreciate it.

Keep in mind that the Virus Information Summary List must be site licensed with
the author (me) if it is used in one of several types of environments.  NASA is
considered both "government" and "agency", and not "non-profit", as far as I'm 
concerned.  Please do not take it into NASA for purposes of distributing it if 
they aren't going to check into licensing it.  If it is distributed there, as 
with any other government location or agency, it must be site licensed.  (Sorry
if the words are a little harsh, but after a recent "problem", it had to be 
stated.)

Patti


--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)
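
The consistency check behind the CHKDSK symptom discussed in the reply above, as an added example that is not part of the original messages: it walks the root directory of a FAT12 image, follows each file's cluster chain, and reports files whose directory size disagrees with the chain length or whose chains share a cluster. The tiny volume, its file names and all function names are constructed for illustration, and only the root directory is examined.

```python
import struct

SECTOR = 512
EOC = 0xFFF  # FAT12 end-of-chain marker

def get_fat12(img, fat_off, n):
    """Read 12-bit FAT entry n (two entries are packed into three bytes)."""
    off = fat_off + n + n // 2
    pair = img[off] | (img[off + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0x0FFF

def set_fat12(fat, n, value):
    """Write 12-bit FAT entry n without disturbing its neighbour."""
    off = n + n // 2
    pair = fat[off] | (fat[off + 1] << 8)
    pair = (pair & 0x000F) | (value << 4) if n & 1 else (pair & 0xF000) | value
    fat[off], fat[off + 1] = pair & 0xFF, pair >> 8

def build_image(links, entries):
    """Constructed sample volume: 20 sectors, 1 FAT, 16 root entries, 1 sector/cluster."""
    img = bytearray(SECTOR * 20)
    # BPB fields at offset 11: bytes/sector, sectors/cluster, reserved sectors,
    # FAT copies, root entries, total sectors, media descriptor, sectors/FAT.
    struct.pack_into("<HBHBHHBH", img, 11, SECTOR, 1, 1, 1, 16, 20, 0xFD, 1)
    fat = bytearray(SECTOR)
    fat[0:3] = b"\xfd\xff\xff"  # entries 0 and 1 are reserved
    for n, nxt in links.items():
        set_fat12(fat, n, nxt)
    img[SECTOR:2 * SECTOR] = fat
    for i, (name, start, size) in enumerate(entries):
        # 32-byte directory entry: 8.3 name, attribute, start cluster @26, size @28
        struct.pack_into("<11sB14xHI", img, 2 * SECTOR + 32 * i, name, 0x20, start, size)
    return bytes(img)

def check_volume(img):
    """Return (file, problem, detail) tuples for FAT/directory disagreements."""
    bps, spc, reserved, nfats, root_n, total, _media, spf = struct.unpack_from(
        "<HBHBHHBH", img, 11)
    fat_off = reserved * bps
    root_sec = reserved + nfats * spf
    data_sec = root_sec + (root_n * 32 + bps - 1) // bps
    max_cluster = (total - data_sec) // spc + 1  # clusters are numbered from 2
    owner, findings = {}, []
    for i in range(root_n):
        off = root_sec * bps + 32 * i
        ent = img[off:off + 32]
        if ent[0] == 0x00:                    # end of directory
            break
        if ent[0] == 0xE5 or ent[11] & 0x18:  # deleted, volume label or subdirectory
            continue
        name = ent[:8].decode("ascii").rstrip() + "." + ent[8:11].decode("ascii").rstrip()
        start, size = struct.unpack_from("<HI", ent, 26)
        if start == 0 and size == 0:          # empty file owns no clusters
            continue
        chain, n = [], start
        while 2 <= n <= max_cluster and n not in chain:
            chain.append(n)
            n = get_fat12(img, fat_off, n)
        if n < 0xFF8:  # stopped on a free, bad, out-of-range or looping link
            findings.append((name, "broken_chain", n))
        expected = -(-size // (bps * spc))    # clusters the directory size implies
        if len(chain) != expected:
            findings.append((name, "size_mismatch", (expected, len(chain))))
        for c in chain:
            if c in owner:                    # cluster already claimed by another file
                findings.append((name, "cross_linked", (c, owner[c])))
            else:
                owner[c] = name
    return findings

# Constructed sample: GOOD.COM is consistent; GREW.COM's directory entry says
# 500 bytes (1 cluster) while its FAT chain holds 3; XLINK.EXE runs into
# cluster 3, which already belongs to GOOD.COM.
SAMPLE = build_image(
    {2: 3, 3: EOC, 4: 5, 5: 6, 6: EOC, 7: 3},
    [(b"GOOD    COM", 2, 700), (b"GREW    COM", 4, 500), (b"XLINK   EXE", 7, 1000)],
)

if __name__ == "__main__":
    for finding in check_volume(SAMPLE):
        print(finding)
```

Run against an image taken after a cold boot from a write-protected floppy, so that the directory sizes being compared are the ones actually stored on disk.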




Msg#:24153 *Virus Info*
10-18-90 21:44:00 (Read 3 Times)
From: CY WELCH
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 20575 ("CLEAN, UNINFECTED DISK")
In a message to All <15 Oct 90 13:57:00> Charles Hannum wrote:

 CH> How many times have you heard this?

 CH> "Just boot from a clean, uninfected disk and run SCAN."

 CH> This is an interesting idea.  It might
 CH> even work.  However, how can you be
 CH> *sure* your original copy of DOS isn't
 CH> infected?  Or SCAN?  Or your comm.
 CH> package?  Or your dearchiver?

If you have been doing even CLOSE to what you should you will have at least 
your original DOS disks to boot from in a pinch.  (you mean those are what you 
boot from day to day?) <grin>  Just put a write protect tab on it and boot.  If
scan is infected it will tell you.  I don't worry about the making sure I am 
uninfected since I ALWAYS back up to tape just before trying anything new on my 
system.  That way I can always reboot, low level format my drives and reinstall
DOS, Pc-Tools backup and then restore my system.

--- XRS! 3.44+
 * Origin: Limping along on a 286/16. What a drag!! *:- (Super 99:9402/122.1)




Msg#:24154 *Virus Info*
10-18-90 21:48:00 (Read 3 Times)
From: CY WELCH
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 22429 (TROJAN)
In a message to Ice Wolf <15 Oct 90 22:38:00> Paul Ferguson wrote:

 PF> Remember the terrible (or perhaps it was great, I can't remember
 PF> which) story of the Trojan War and the Trojan Horse...Well, that is
 PF> what a Trojan Horse program produces. Something quite undesirable,
 PF> like formatting all of your sectors to dust. A virus, on the other
 PF> hand, can replicate, attach itself to a "host" and for whatever you
 PF> can imagine, have any number of "triggers" to become destructive. My
 PF> best advice that I can give is to get ahold of a copy of Patti
 PF> Hoffman's "Virus Information Summary List" which is produced
 PF> monthly. This is an invaluable document for reference purposes.

Yup,  I got one once that was a TSR made to look like a trojan.  What it did 
was you loaded it, told it how long to wait and then how many presses of the 
enter key to watch for, and then would pop up a full screen display of 
"Contratulations you have won a complete hard disk format"  along with a 
display showing as if it were really doing it.  It also scanned the disk as it 
did it to look more realistic.  I pulled it on a friend and he really hit panic
city.  Turned it off and was afraid to turn it back on.  Strange he didn't 
think it was funny for about 2 days.  Then he couldn't stop laughing for a 
week.  <grin>

--- XRS! 3.44+
 * Origin: Limping along on a 286/16. What a drag!! *:- (Super 99:9402/122.1)




Msg#:24155 *Virus Info*
10-22-90 14:33:00 (Read 3 Times)
From: JAMES BARRETT
  To: TOM SMITH @ 930/1
Subj: REPLY TO MSG# 24152 (QUESTION)
In a message to Scott Howell <19 Oct 90 23:10:00> Tom Smith @ 930/1 wrote:


 TS> As for possible fixes, I'd suggest that you try one of the "fixit"
 TS> programs in Norton Utilities 5.0, PC Tools Deluxe 6.0, or Mace
 TS> Utilities 1990.  The "Emergency Room" utility in the latter gets
 TS> particularly high marks; I've found it to fix disks that the others
 TS> wouldn't even admit existed!  If these won't help, you can contact one

 Norton should be run with certain parameters (or can be changed in the config 
in 5.0) to treat everything as "physical" drives instead of logical drives to 
recognize everything!

--- XRS! 3.44+
 * Origin: Chapel Hill, NC - The Southern Part of Heaven (Quick 1:271/250.5)




Msg#:24156 *Virus Info*
10-23-90 19:48:00 (Read 3 Times)
From: RYAN ROBERTS
  To: ALL
Subj: MACAFFEES
Is there a new SCAN* out besides SCAN61?
 
 
 
                        Thanks, Ryan


--- Opus-CBCS 1.13
 * Origin: Power Socket 404-883-6231 24hrs (1:3621/450.0)




Msg#:24157 *Virus Info*
10-22-90 20:55:00 (Read 3 Times)
From: YASHA KIDA
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 22447 (RE: VIRUS SCANNERS....)
In a message of <20 Oct 90 20:51:00>, Paul Ferguson (1:109/229) writes:

 PF> YK>There are several programs which send the ENTIRE CONTENTS
 PF> YK>including the boot sector ....TELADISK.* is one for starters 
 PF> YK>
 PF> YK>Yasha Kida
 PF> YK>sysop 
 PF>  
 PF> Right you are, but come now, Yasha...You are not going to find that 
 PF> certain circumstance happening via BBS. Very improbable.
 PF> How are things "in the rear" at Bragg? '-)



I have had jokers try... My batch file which uses CHECKER dumps the bad 
ARC-ZIPS-ZOOS-etc.. to safe area


The REAR AREA can be fun....

Yasha


--- msged 1.99S ZTC
 * Origin: Bragg IDBS, 82nd Airborne Bug hunte




Msg#:24159 *Virus Info*
10-23-90 02:46:00 (Read 3 Times)
From: MARSHALL BARRY
  To: DARIN ARRICK
Subj: REPLY TO MSG# 22445 (DOES)
 >A virus could also monitor system functions and watch for unusual activity 
 >(like a "bad" virus) and stop it before anything destructive can occur. 
    Except that a "virus" replicates itself... thereby "forcing" its protection
upon those who do not wish same.

 >They are both "viruses", one good, one bad.
    A program which automatically checks for "corruption" is not, by any 
stretch of the imagination, a "virus".  It is a "TSR", and many companies 
already have such.

 >Don't a lot of virus detection programs do what the above example does? 
 >Yup. Just remember, you're using a virus to protect yourself from a virus 
 >(fighting-fire-with-fire theory). If you can't beat 'em, join 'em.
    Except that they are, again, not virii, but resident programs.

    They don't "attach" themselves to files (although they may, optionally, 
provide a "check code" for programs) and don't propagate from machine to 
machine.

// Mb //

--- MDMK WorldPoint
 * Origin: My System has a 12Mhz Fever, Doc... (1:104/169.17)




Msg#:25109 *Virus Info*
10-21-90 10:46:00 (Read 3 Times)
From: DUANE BROWN
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 22443 (STERILAB)
 CH>It doesn't have to really screw anything up; you *could* just change the
 CH>media descriptor and the corresponding info in the boot sector.  Then it
 CH>would be fairly straightforward to resurrect a disk.  It would also be less
 CH>secure.

But then that would make data recovery within the "secure" lab impossible, as 
almost all programs that rely on the media descriptor byte will barf..  
 
--- ZMailQ 1.12 (QuickBBS)
 * Origin: End of the Line. (703)720-1624 in Stafford, Va. (1:274/16.0)




Msg#:25110 *Virus Info*
10-24-90 17:56:00 (Read 3 Times)
From: PAUL FERGUSON
  To: ROBERTO ZANASI
Subj: WHAT IS VERSION C OF SCANVIRUS?
 * Replying to a message originally to All
RZ>I have version 67 of scan, and I have heard of versions 67b
RZ>and 67c. Which is the newest? 
RZ>
RZ>--- msged 2.05
RZ> * Origin: Videl Positronic Brain  (2:332/504.2)
 
 SCAN version 67b is a minor bug fix to the original version (SCANV67) and 
version 67c is a minor bug fix to version 67b. It seems that the earlier of the 
three versions provided erroneous results at varying times. SCAN version 67c is
now the current version.
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:25111 *Virus Info*
10-24-90 18:01:00 (Read 3 Times)
From: PAUL FERGUSON
  To: KEN DORSHIMER
Subj: RE: FAR CALL
KD> FD>>Why not re-write the rom on an EPROM losing this problem as you can
KD> FD>>then scan this address and no one can change it.
KD>
KD> CH> Yeah, right -- in fact, I do indeed spend most of my time changing
KD> CH> BIOS code locations and burning EPROMs.  I just can't imagine why more
KD> CH> people aren't like me! :-)
KD> CH>
KD>
KD>  Not me, I use the Random EPROM Burner <tm>. That way no one can find the
KD>  code, not even me. :-)
 
That must be a mighty finely honed soldering iron... <grin>
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:25277 *Virus Info*
10-23-90 13:34:00 (Read 3 Times)
From: CHARLES HANNUM
  To: PAUL FERGUSON
Subj: RE: VIREN IM SPIEL GROWLER???
OR>>Hallo Henrik,
OR>>ich habe gestern das o.g. Spiel bei Euch upgeloaded. Spaeter
OR>>habe ich mit dem VirScan 1.3 einen Test gefahren und der
OR>>meldete einige befallene Overlay Dateien meiner PC-Shell. Ich
OR>>wuerde Dich bitten, dies zu ueberpruefen!! Der Viren-Scanner
OR>>von McAffee zeigte allerdings keinen Befall!!!
 >
 > Would someone care to translate this? Even after spending a few
 > years in Germany, my German leaves much to be desired. (This is very
 > annoying.)

I just read through FidoNet Policy 4.07 (which I believe is current) earlier,
and ran across this:

  The offical language of FidoNet is English.

Note that they didn't specify "correct English," just "English."  B-)

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#:25278 *Virus Info*
10-24-90 23:33:00 (Read 3 Times)
From: SCOTT HOWELL
  To: ALL
Subj: SCANV67C
to: all

     Two quick questions.  Does anyone know where I can get scanv67c.zip or the
latest copy of scan and second has anyone had any problems using the crc check 
part of scan?  This crc check routine adds some extra code to your exe com etc 
files and so therefore I thought I would ask if anyone had any problems before I
do it.

--- SLMAIL v1.36M  (#0264)
 * Origin: Foundation BBS * College Park, MD Society's connection * (109:109/5




Msg#:25279 *Virus Info*
10-24-90 23:53:00 (Read 3 Times)
From: DARIN ARRICK
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 22432 (DOES ANYONE KNOW HOW TO MAKE VIRUS)
 Yes, I can see your point on the matter. I'm a hacker, programmer
who programs for programming itself. It's an art form to me. You see viruses 
from a bad standpoint on a daily basis. If I saw the same, I'd hate them, too.
 
--- 
 * Origin: GENESYS I BBS (817)-284-1520 (1:130/59)




Msg#:25280 *Virus Info*
10-25-90 00:03:00 (Read 3 Times)
From: DARIN ARRICK
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 25279 (DOES ANYONE KNOW HOW TO MAKE VIRUS)
 By the way, I've had my share of viruses (from a bad point). When I first got
my Amiga about a year ago, 30 out of 40 disks which came with it were infected 
with the "Lamer Exterminator" virus. Fortunately, a gentleman named Steve 
Tibbetts has seen it fit to fight bad viruses on the Amiga with his heart and 
soul. He wrote an EXCELLENT virus detection and vaccinations program called 
VirusX. It checks each disk automatically as soon as it is inserted into the 
disk drive. (The Amiga checks its drives automatically for disk changes, and 
therefore, he just latched onto this routine.) I just switched disks until it 
had killed them all. Took me about 10-15 minutes for 30 disks or so.
 The most recent happened about 6 months ago (Amiga again). There is a virus 
that seems to be able to disrupt your real time clock and it caused mine not to
work. I think it actually stores itself in battery backed clock RAM. Solution :
(you're gonna love this) I shorted the battery terminals together with a 
screwdriver. It scrambled the memory, and therefore, the virus, too. I reset my
clock and haven't seen it since.
 I wish I could have taken the code for these viruses and disassembled it. It 
seems like there is quite a bit of programming time and talent which goes into 
one. (I know, most people think there's no talent in destructive viruses, but, 
you have to admit, the programmers know their stuff.)
 I like to classify programs, viruses, and programmers and hackers into two 
groups : black and white. Black = evil, destructive
White = Good, constructive. There are black viruses and white viruses. Black 
hackers and white hackers. (I hope no one takes this as racial, because I don't
mean it that way. I'm talking about personality, not skin color.)
 
I consider myself a white hacker.
--- 
 * Origin: GENESYS I BBS (817)-284-1520 (1:130/59)




Msg#:25281 *Virus Info*
10-24-90 22:21:00 (Read 3 Times)
From: TOM SMITH @ 930/1
  To: JAMES BARRETT
Subj: REPLY TO MSG# 24155 (RE: QUESTION)
JB>  Norton should be run with certain parameters (or can be changed in th
JB> config in 5.0) to treat everything as "physical" drives instead of log
JB> drives to recognize everything!
  
Good point, James; I was ASSuming that the original poster would RTFM,
but it never hurts to add obscure points that might cause very
noticeable problems!  Tom Smith/Dallas...


--- QM v1.00
 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0)
 * Origin: Network Gateway to RBBS-NET  (RBBS-PC 1:10/8)




Msg#:25282 *Virus Info*
10-21-90 11:13:00 (Read 3 Times)
From: VINSON NICHOLS
  To: PAUL FERGUSON
Subj: REPLY TO MSG# 24159 (RE: DOES)
 PF>   Well, Vinson, I must take an opposing view concerning
 PF>  programming. Any code that can secretly attach itself to any
 PF>  of my clients executables (or whatever, you should know what I
 PF>  mean) is quite undesirable, especially if it slows processing
 PF>  speed or is destructive in any fashion. That is the equivalent
 PF>  of Invasion of Privacy. I commend you for "destroying"
 PF>  whatever it is/was that you compiled, but the hazards are a
 PF>  little too great from my standpoint. There are a myriad of
 PF>  viruses popping up every month that keep every extremely busy
 PF>  enough as it is.
What I was trying to say was that if someone wanted to learn something
about computers then they have the right to. I did not and do not say
that anyone has the right to do damage to data. It does take a good
program or at least one with a lot of programming to write such a thing.
I did mine to see what was involved. I did learn quite a bit about
how DOS works in conjunction with the command processor. These two are doing
is ok. To learn is to grow, but don't destroy in the process. I will say one
thing I don't understand why someone would release a virus....Vinson

--- via Silver Xpress V2.27 [NR]


--- QM v1.00
 * Origin: The  F e d e r a l  Post  -{*}-  Fayetteville, NC (1:151/301.0)




Msg#:25284 *Virus Info*
10-21-90 11:18:00 (Read 3 Times)
From: VINSON NICHOLS
  To: DARIN ARRICK
Subj: REPLY TO MSG# 25282 (RE: DOES)
 DA>  I agree that computer information should be free. The
 DA>  traditional view of a virus is something that sneaks into your
 DA>  computer and destroys your hard drive data. Yes, there are a
 DA>  lot that do that. A virus could also monitor system functions
 DA>  and watch for unusual activity (like a "bad" virus) and stop
 DA>  it before anything destructive can occur. They are both
 DA>  "viruses", one good, one bad. Don't a lot of virus detection
 DA>  programs do what the above example does? Yup. Just remember,
 DA>  you're using a virus to protect yourself from a virus
 DA>  (fighting-fire-with-fire theory). If you can't beat 'em, join
 DA>  'em.
 DA> Just my opinion.
Thanks for the note. As I told Paul, it's ok to learn how to write them
just don't release them. I believe in the freedom of learning, not the
right to destroy someone else's data.
Vinson


--- via Silver Xpress V2.27 [NR]


--- QM v1.00
 * Origin: The  F e d e r a l  Post  -{*}-  Fayetteville, NC (1:151/301.0)




Msg#:25285 *Virus Info*
10-25-90 02:20:00 (Read 3 Times)
From: CHARLES HANNUM
  To: RYAN ROBERTS
Subj: REPLY TO MSG# 24156 (RE: MACAFFEES)
 > Is there a new SCAN* out besides SCAN61?

The current version is 67B.

If you had read back a few days, you would know that without asking.

--- ZMailQ 1.12 (QuickBBS)
 * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)




Msg#:25721 *Virus Info*
10-25-90 18:18:00 (Read 3 Times)
From: PAUL FERGUSON
  To: YASHA KIDA
Subj: REPLY TO MSG# 24157 (RE: VIRUS SCANNERS....)
YK>I have had jokers try... My batch file which uses CHECKER dumps the bad 
YK>ARC-ZIPS-ZOOS-etc.. to safe area
 
That is why I do my SCANing "in person" instead of setting it up as an event 
along with other nightly maintenance....I like to supervise. <grin>...CKOT is 
good, but I dislike the idea of making =any= file available to my users without
first personally checking it out. (Overly cautious? Who? Me?)....
 
Later,
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:25722 *Virus Info*
10-25-90 18:26:00 (Read 3 Times)
From: PAUL FERGUSON
  To: RYAN ROBERTS
Subj: REPLY TO MSG# 25285 (MACAFFEES)
 * Replying to a message originally to All
RR>Is there a new SCAN* out besides SCAN61?
 
 Hello, Ryan...
 The current versions of SCAN and CLEAN are versions 67c and 67,  respectively.
(SCANV67C.ZIP and CLEANP67.ZIP)...
 I'm sure that you will receive quite a few replies like this, but I
 thought I may as well respond nonetheless.
 
 Greetings from Washington, DC
 -Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:25723 *Virus Info*
10-25-90 18:35:00 (Read 3 Times)
From: PAUL FERGUSON
  To: SCOTT HOWELL
Subj: REPLY TO MSG# 25278 (SCANV67C)
 * Replying to a message originally to All
SH>     Two quick questions.  Does anyone know where I can get
SH>scanv67c.zip or the latest copy of scan and second has anyone
SH>had any problems using the crc check part of scan?  This crc
SH>check routine adds some extra code to your exe com etc files
SH>and so therefore I thought I would ask if anyone had any
SH>problems before I do it.
 
Scott, 
  The bugs that were previously encountered with the addition of validation 
codes (/AV) have been worked out with the subsequent releases. No other 
problems have been reported since the bug fixes were released. 
  As far as how to acquire a copy, please feel free to log onto my BBS anytime.
I'm located in DC (just a stone's throw away) and I have a nice selection of 
AntiViral utilities including SCAN and CLEAN. I download the new release 
directly from McAfee Associates BBS when they are put into circulation. I'll 
NetMail you the number. Anyone else desiring the number can make a request via 
NetMail, as well.
I feel that this forum is a bit =too= public and it would not be entirely 
proper to "advertise" here.
 
Look forward to hearing from you,
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:25724 *Virus Info*
10-24-90 18:05:00 (Read 3 Times)
From: WARREN MALLETT
  To: ALL
Subj: FILE VIRUS
Can anyone help me with what I think is a new virus?
The symptoms are when the infected disk is loaded the machine instantly
gurus and then continues to guru for every disk inserted until you
power down.
The disks contain an invisible file that resides in no directories but in
the general loose file area of disk.
The file when viewed with Diskmaster V3.0 appears as " AAAA....."
or similar to this. Also in the startup-sequence is a similar file to this
 "     ...    AA .."
Now this is the first file in the startup-sequence and it also is hidden
from normal view.
So far no virus detector programs have detected it.
Can anyone identify this virus?
The solution I used was to delete both files then repair bootblock with
Novirus. However disk is still not 100%.
                                   warren.


--- Paragon v2.07
 * Origin: Omega BBS - * 61-7-279-2487 (3:640/279)




Msg#:25725 *Virus Info*
10-25-90 23:28:00 (Read 3 Times)
From: DARIN ARRICK
  To: MARSHALL BARRY
Subj: REPLY TO MSG# 25284 (DOES)
 Do you think that if an antiviral virus was released which destroyed malignant
viruses, it would be condoned or scorned? Even people who didn't know they were
protected would be protected. I don't think anyone would mind. I know I 
wouldn't mind the extra peace of mind that it would bring. 
 Yes, and I now realize that those are TSRs, but I was talking about the Amiga 
world, not the PC. On the PC they are TSRs. On the Amiga, which natively 
multitasks, they are tasks, programs which are running continuously. This is my
understanding of them.
 
Darin
--- 
 * Origin: GENESYS I BBS (817)-284-1520 (1:130/59)




Msg#:26265 *Virus Info*
10-25-90 21:45:00 (Read 3 Times)
From: TOM SMITH @ 930/1
  To: SCOTT HOWELL
Subj: REPLY TO MSG# 25281 (RE: QUESTION)
Scott, if you're using the PC-Cache from PC Tools 6.0, there's been
several updates released since the original package started shipping. 
I'd suggest that you dial into their BBS and pick up the latest; it
might prevent your disks from being scrambled again.  It might also be
necessary to disable delayed writes; depending upon the circumstances,
those beasties can be very deadly.  Anyway, I'm glad to see that it
wasn't some new virus; there's enough of those beasties floating around
already!  Tom Smith/Dallas...


--- QM v1.00
 # Origin: Horizon RBBS 214-424-3831 & 214-881-9346 HST (8:930/1.0)
 * Origin: Network Gateway to RBBS-NET  (RBBS-PC 1:10/8)




Msg#:26266 *Virus Info*
10-25-90 16:16:00 (Read 3 Times)
From: RON LAUZON
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 24153 ("CLEAN, UNINFECTED DISK")
CH> How many times have you heard this?
CH>
CH> "Just boot from a clean, uninfected disk and run SCAN."
CH>
CH> This is an interesting idea.  It might even work.  However, how can
CH> you be *sure* your original copy of DOS isn't infected?  Or SCAN?  Or
CH> your comm. package?  Or your dearchiver?

Well, you really can't be 100% sure.  What you have to do is assume and be very
careful.

1) Boot (cold boot) from your ORIGINAL DOS floppy (you know, the one that came 
with your DOS manual in that little binder from Microsoft or IBM).  Create your
bootable floppy from the original DOS disk and then don't use the original DOS 
disk again.

2) Download SCANV only from a respectable BBS whose Sysop checks programs out. 
Also, run the verify program that comes with SCANV to verify that things are 
good.

3) The same goes for your de-archiver: download from only respectable BBSs.

4) As for your comm program, since you have a good de-archiver, SCANV and DOS 
bootable floppy, you should be able to scan term program downloaded from, 
again, a respectable BBS.


The best way is to just be careful.  Most Viruses are "evolutionary dead ends".
If someone out there finds a program going around infected, he will let 
everyone know.



... Two wrongs do not make a right:  it usually takes three or more.  
--- via The Blue Wave v1.05
 * Origin: Flight of the Raven -=* Home of the Blue Wave *=- (1:2200/107.0)




Msg#:26267 *Virus Info*
10-26-90 11:22:00 (Read 3 Times)
From: PATRICK MURPHY
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 25722 (RE: MACAFFEES)
 CH>  > Is there a new SCAN* out besides SCAN61?
 CH> 
 CH> The current version is 67B.

Nope, it's 67 "C"...

 CH> 
 CH> If you had read back a few days, you would know that without asking.

If YOU would have read back a few days, you would have seen this. ;-)

ttyl......Pat


--- msged 1.99S ZTC
 * Origin: "Then I saw le Squid, and he gave me la Fidonet address..." (1:163/




Msg#:26818 *Virus Info*
10-20-90 13:14:00 (Read 3 Times)
From: SATYR DAZE
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 25721 (RE: VIRUS SCANNERS....)
Well ... When scanned by Virucide, the Virus Identified was "Stoner" virus, as
to how the infection occurred.  That is where we become a bit lost. Although as
you have stated it was in all probability brought in by one of the workers ...
and not downloaded in this case.  But my point was that everything should
always be checked regardless of how the information is brought to a system.
I never intended for it to mean I was somehow blaming the BBS's for our current
plight ... the reverse is true, it seems the quickest way to spread information
on new strains and eradication techniques.
 
Take care.......
 
                                                   The Satyr Daze
--- TBBS v2.1/NM
 * Origin: Eclectic Multi-BBS System / Miami FL (305)662-1748  (1:135/2)




Msg#:26819 *Virus Info*
10-20-90 21:42:00 (Read 3 Times)
From: REINHARDT MUELLER
  To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 22431 (CROSS-LINKED ECHOS)
In a message to All <17 Oct 90 06:50:00> Patricia Hoffman wrote:

 PH> All sysops who recently added this echo (VIRUS_INFO) or the VIRUS
 PH> echo should check their systems to make sure that they have not
 PH> accidentally cross-linked these two echos.  Several of the messages
 PH> which have been received on my system in the last two days appear to
 PH> belong in VIRUS since the messages being quoted from came from the
 PH> VIRUS echo.  

Why 2 virus echos and what's the difference between these 
2 echos?  Please clear up the potential confusion!   :)

 

--- [MicrStar] via TComm XRS 3.1
 * Origin: Global War -- the game Mikey loves! (TComm 1:343/17.1)




Msg#:26820 *Virus Info*
10-21-90 17:10:00 (Read 3 Times)
From: PAUL FERGUSON
  To: OLIVER RITTER
Subj: REPLY TO MSG# 25277 (VIREN IM SPIEL GROWLER???)
 * Replying to a message originally to Henrik Bohm
OR>Hallo Henrik,
OR>ich habe gestern das o.g. Spiel bei Euch upgeloaded. Spaeter
OR>habe ich mit dem VirScan 1.3 einen Test gefahren und der
OR>meldete einige befallene Overlay Dateien meiner PC-Shell. Ich
OR>wuerde Dich bitten, dies zu ueberpruefen!! Der Viren-Scanner
OR>von McAffee zeigte allerdings keinen Befall!!! 
OR>
OR>--- Opus-CBCS 1.14
OR> * Origin: ChaosBox: Nichts ist wahr ! <06257-7966>
OR>(2:243/2.0)
 
Would someone care to translate this? Even after spending a few years in 
Germany, my German leaves much to be desired. (This is very annoying.)
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:26821 *Virus Info*
10-25-90 06:15:00 (Read 3 Times)
From: YASHA KIDA
  To: RYAN ROBERTS
Subj: REPLY TO MSG# 26267 (MACAFFEES)
In a message of <23 Oct 90 19:48:36>, Ryan Roberts (1:3621/450) writes:

 RR> Is there a new SCAN* out besides SCAN61?
 RR>  
 RR>                         Thanks, Ryan



===============================================================
= you're gonna get an awful lot of replies to this request.   =
===============================================================


Scanv67. is the latest "I" know of...





--- msged 1.99S ZTC
 * Origin: Bragg IDBS, 82nd Airborne Bug hunte




Msg#:26822 *Virus Info*
10-27-90 15:26:00 (Read 3 Times)
From: SUNMAP SYSOP
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 26821 (RE: MACAFFEES)
->The current version is 67B.
->If you had read back a few days, you would know that without 
->asking. 

Try and be nice to someone who obviously is asking for assistance!

The latest version we have is 67C, but that could have changed by
now too.

Best wishes from 'down under'!

Brian Wendt
  

--- via Silver Xpress V2.27 [NR]
 * Origin: Sunmap Multline BBS - Brisbane - Australia (3:640/206)




Msg#:26823 *Virus Info*
10-26-90 23:13:00 (Read 3 Times)
From: BOB SPOELDER
  To: WARREN MALLETT
Subj: REPLY TO MSG# 25724 (FILE VIRUS)
 > Can anyone help me with what I think is a new virus?
 > The symptoms are when the infected disk is loaded the machine instantly
 > gurus and then continues to guru for every disk inserted until you
 > power down.

Sorry I can't help you with your virus problems but hopefully you can stop
others getting this virus by telling us which disk it was originally on and
if it was a PD program.

Bob.
 

--- Chameleon 0.10
 * Origin: Bob's Dungeon.@p49.f203.n640.z3.fidonet.org (3:640/203.49)




Msg#:26824 *Virus Info*
10-27-90 11:52:00 (Read 3 Times)
From: RYAN ROBERTS
  To: ALL
Subj: CPU VIRUS
Did anyone hear about some computers being infected with a new
virus? I mean the computer itself! It was on the news that the
computers worked well, for about a week then EVERY ONE of them
got screwed up! This message came across the screen: "YOUR COMPUTER
IS STONED". Dang that's pretty rough!

--- Opus-CBCS 1.13
 * Origin: Power Socket 404-883-6231 24hrs (1:3621/450.0)




Msg#:26825 *Virus Info*
10-26-90 16:25:00 (Read 3 Times)
From: ROSS WENTWORTH
  To: DARIN ARRICK
Subj: HACKER
 DA> I like to classify programs, viruses, and programmers and hackers
 DA> into two groups : black and white. Black = evil, destructive
 DA> White = Good, constructive. There are black viruses and white
 DA> viruses. Black hackers and white hackers. (I hope no one takes this
 DA> as racial, because I don't mean it that way. I'm talking about
 DA> personality, not skin color.)

 DA> I consider myself a white hacker.

I've always preferred to call destructive programmers
"crackers".  Hackers was long an exalted title given to the best
of the breed.  The press and government, however, have twisted
the meaning completely.  Oh, the fact that "cracker" is also a
derogetory (sp?) term for uneducated poor white trash is all the
better for the new meaning!

                                              Ross


--- [xp] XRS! 3.40
 * Origin: Coito ergo sum (RAX 1:102/330.2)




Msg#:26826 *Virus Info*
10-25-90 19:24:00 (Read 3 Times)
From: KENT DRUGGE
  To: ALL
Subj: VIRUS HELP
Can you identify, suggest how to find and destroy a POSSIBLE virus I MAY have?
I copied on to my system from a friend who downloaded War. Also, a copy of
Prince of Prussia, straight from Taiwan (commercial).
Now randomly on keystrokes we both get a character that repeats 10-25 times.
Also, we each have had one overlay file affected. A coincidence?
Any suggestions would be appreciated.  Have a great day!
 
 


--- Opus-CBCS 1.03b & NoOrigin 3.5

--- ConfMail V4.00
 * Origin: "ware hell-hole in sp"  Arisia +1-213-634-4885 (99:9407/3)




Msg#:26827 *Virus Info*
10-28-90 02:52:00 (Read 3 Times)
From: ROSS WENTWORTH
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 25725 (DOES)
 > DA> Do you think that if an antiviral virus was released which destroyed
 > DA> malignant viruses, it would be condoned or scorned? Even people who
 > DA> didn't know they were protected would be protected. I don't think
 > DA> anyone would mind. I know I wouldn't mind the extra peace of mind that
 > DA> it would bring. Yes, and I now realize that those are TSRs, but I was

 KD> i'd mind. i prefer to know what my
 KD> system is up to. if i knew i was running
 KD> such a program that's another matter.
 KD> what you're suggesting is rather like
 KD> sneaking up on people and giving them
 KD> malaria shots for their own good. i
 KD> like to know what i'm getting.

An antivirus virus might mistake a legitimate program for a
virus.  Take a disk compacting (sorting) program, for example.
It does a lot of low-level stuff with sector reads and the FAT,
the same sort of thing a virus might do.

                                              Ross

--- [xp] XRS! 3.40
 * Origin: Coito ergo sum (RAX 1:102/330.2)




Msg#:26828 *Virus Info*
10-28-90 14:35:00 (Read 3 Times)
From: BILL STARNES
  To: WARREN MALLETT
Subj: REPLY TO MSG# 26823 (RE: FILE VIRUS)
 Sorry, Warren, can't help you with this but I do have one question.  You said:

 WM> The symptoms are when the infected disk is loaded the machine instantly
 WM> gurus and then continues to guru for every disk inserted until you
 WM> power down.

What exactly do you mean by "gurus"?  It's a term I haven't run into.

Bill


--- Maximus-CBCS v1.02
 * Origin: Bragg IDBS, (82nd Airborne Debugging the SandLand) (1:151/305)




Msg#:26829 *Virus Info*
10-28-90 14:39:00 (Read 3 Times)
From: BILL STARNES
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 26822 (RE: MACAFFEES)
In a message to Ryan Roberts, Charles Hannum said:

 CH> The current version is 67B.
 CH> 
 CH> If you had read back a few days, you would know that without asking.
 CH> 

Hey, now, let's be nice, Charles <g>.  Remember, some of us are on systems that
only keep messages a day or two before they get purged.  I've had cases
where I've been out of town for a few days and come back and lost complete 
threads.  Besides, Ryan may be a newbie on the net.  It's a disease we've all 
suffered from in the past.  B-)



--- Maximus-CBCS v1.02
 * Origin: Bragg IDBS, (82nd Airborne Debugging the SandLand) (1:151/305)




Msg#:26830 *Virus Info*
10-29-90 22:29:00 (Read 4 Times)
From: PAUL FERGUSON
  To: DARIN ARRICK
Subj: REPLY TO MSG# 25280 (DOES ANYONE KNOW HOW TO MAKE VIRUS)
DA> Yes, I can see your point on the matter. I'm a hacker,
DA>programmer
DA>who programs for programming itself. It's an art form to me.
DA>You see viruses from a bad standpoint on a daily basis. If
DA>I saw the same, I'd hate them, too.
 
 Well, I don't necessarily =hate= them...they can be extremely educational from
a knowledgeable standpoint. It is the effect that they have on the
=unknowledgeable= and unsuspecting end users that wastes my time, effort and
patience. Controlled environments are all well and good....Rampid fire
spreading is another.
 
Greetings from Ground Zero...
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:26831 *Virus Info*
10-29-90 22:38:00 (Read 4 Times)
From: PAUL FERGUSON
  To: DARIN ARRICK
Subj: REPLY TO MSG# 26830 (DOES ANYONE KNOW HOW TO MAKE VIRUS)
DA> I wish I could have taken the code for these viruses and
DA>disassembled it. It seems like there is quite a bit of
DA>programming time and talent which goes into one. (I know,
DA>most people think there's no talent in destructive viruses,
DA>but, you have to admit, the programmers know their stuff.)
DA> I like to classify programs, viruses, and programmers and
DA>hackers into two groups : black and white. Black = evil,
DA>destructive
DA>White = Good, constructive. There are black viruses and white
 
 Good point, but if you'll allow me to indulge myself....I must disagree...I
remain steadfast in my beliefs that there are =no= good viruses. (I won't 
continue in this train of thought because there has been much heated debate 
within this echo concerning this and it is pretty much worn out as topic 
substance)...
 
I do agree with you, however, on the point that there are some very talented 
programmers out there applying themselves improperly. (VB put in a good 
word...). It's a cyclic, redundant, futile effort on their part...We will always
remain one step ahead.<grin>...It always helps to have the forces combine and 
produce something productive at times. 
 
Comments?
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:26832 *Virus Info*
10-29-90 22:41:00 (Read 4 Times)
From: PAUL FERGUSON
  To: TOM PREECE
Subj: REPLY TO MSG# 25723 (RE: SCANV67C)
TP>I don't suppose you want to know you can call California to
TP>get it so I won't say so.
TP>--- TBBS v2.1/NM
TP> * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 
TP>(1:161/208)
 
Huh? I'm afraid you lost me on that one (or perhaps it was me....I just
returned from Houston this evening with not much rest to show for it.) I call
California virtually every day. Could you possibly elaborate a bit?
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:26833 *Virus Info*
10-29-90 22:51:00 (Read 4 Times)
From: PAUL FERGUSON
  To: MICHAEL WEINER
Subj: ECHO VIRUS_INFO
 * Replying to a message originally to All
MW>In the US, there seems to be a second virus echo called
MW>"VIRUS_INFO". I'd also like to be able to read it in Europe
MW>as it is said to be very interesting. If you are interested
MW>too, please netmail me. I will forward these messages to
MW>Felix Kasza who will (with the help of the other
MW>trans-atlantic echomail traffickers) get it to Europe :-)
MW>
MW>So, IF YOU ARE INTERESTED, NETMAIL ME.
MW>
MW>
MW>Best regards from Vienna,
MW>
MW>Michael
MW>
MW>--- FD 1.99c
MW> * Origin: Info Link [Vienna/Austria/Europe] (2:310/23)
 
Hello, again, Michael...
 I realise that perhaps you are aware of this, but others may not....
The VIRUS_INFO Echo is moderated by Patti Hoffman via her Excalibur! BBS in 
California..Yes, it is indeed another good outlet for information and 
discussion.
 
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:26834 *Virus Info*
10-29-90 22:55:00 (Read 4 Times)
From: PAUL FERGUSON
  To: KEN DORSHIMER
Subj: REPLY TO MSG# 26827 (RE: DOES)
KD>i'd mind. i prefer to know what my system is up to. if i knew
KD>i was running
KD>such a program that's another matter. what you're suggesting
KD>is rather like
KD>sneaking up on people and giving them malaria shots for their
KD>own good. i
KD>like to know what i'm getting.
 
Here we go again.....My sentiments ride with you, Ken. But haven't we pretty 
much beaten this topic to death? I suppose that we will have to continue to 
correct those individuals, though, that think that it is okay. Pity.
 
Talk to you later, Ken....
 
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:26835 *Virus Info*
10-29-90 22:58:00 (Read 4 Times)
From: PAUL FERGUSON
  To: CHARLES HANNUM
Subj: REPLY TO MSG# 25109 (RE: STERILAB)
CH><sigh>  You'd have a TSR that would change such info during
CH>BIOS disk calls,
CH>such that anything using the BIOS for disk I/O wouldn't know
CH>the difference.
 
Charles,
  What is it that you are trying to do exactly? It seems that you are taking 
the long way around...
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:26836 *Virus Info*
10-29-90 23:01:00 (Read 4 Times)
From: PAUL FERGUSON
  To: DARIN ARRICK
Subj: REPLY TO MSG# 26834 (RE: DOES)
 * Replying to a message originally to Vinson Nichols
DA> I agree. Destroying someone else's hard work is stupid.
DA>Learning about viruses by making some, and not releasing
DA>them, is hands-on learning.
 
Still...I vehemently disagree with you. Shall we discuss it further?
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:26837 *Virus Info*
10-29-90 23:06:00 (Read 4 Times)
From: PAUL FERGUSON
  To: GARY WESTON
Subj: !*VIRUS ALERT*!
GW>   my sources are extreme reliable..they work for a branch of
GW>the U.S. government.
GW>         thank you.
 
Uhh...<laughing>....Uncle Sam and his hired help always lag behind the 
information dispersed within this echo...For example...
 
4096 is "old" news....Your reliable sources are behind in the times, so to 
speak....
 
Greetings from Capitol Hill,
-Paul
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)




Msg#:26838 *Virus Info*
10-29-90 23:11:00 (Read 4 Times)
From: PAUL FERGUSON
  To: BOB SCHROEDER
Subj: 1701
BS>1: I have a ZENITH HEATH DATA SYSTEMS Z-157 W/ a 30 MEG HD in
BS>it. Is 1701
BS>   a bad virus ?
 
1701 is the IBM error message (equivalent) of either a Hard disk failure or
Hard Disk Controller failure...Check out your hardware first.
--- 
 * Origin: Sentry Net BBS, Centreville, VA 703-815-3244 (1:109/229)