💾 Archived View for spam.works › mirrors › textfiles › virus › virus2.txt captured on 2023-06-16 at 21:05:45.

-=-=-=-=-=-=-

 
  +-------------------------------+
  |  THE VIRUS INFORMER           |
  |  your weekly virus newsletter |     When buying 'pre-formatted' blank
  |  by Mark E. Bishop edited by  |     disks, don't trust that they are
  |  Alan Bechtold                |     virus free, SCAN THEM FIRST!
  +-------------------------------+


     CHAPTER 2:  'FROM THE VIRUS MESSAGE BOARD'
                  real life people and their virus questions


     The following messages are taken from various online anti-virus
 research systems.  The names have been changed and the content edited.  They
 cover situations and people's computers from all over the country.  You
 should find these messages very interesting.  MAKE USE OF THIS INFORMATION.



 QUESTION: 1    ZARAGOZA MAKES ITS VISIT TO TOWN, ARE YOU NEXT?


     I just received my SCAN93 program and ran it showing no viruses on my
 systems. However, when I ran it on my network it then reported that I
 had a virus with the name of ZARAGOZA active in memory and that I should
 power down.  What is this virus and why does it show on my network and not
 my PC?

 ANSWER: 1

     The ZARAGOZA virus is a .COM, .EXE, and overlay file infector
 that infects when a file is 'open', which is common in the use of networks.  It
 was first reported from Zaragoza, Spain, and has been reported just
 recently here in the United States.



 QUESTION: 2    DOS 5 IS SPIRIT-FILLED AND CAUSES HAVOC


     Recently I have had an interesting phenomenon occur on my computer
 system.  Running CHKDSK has revealed pairs of files existing on my
 hard drive and on my floppy.  The files have certain unique characteristics
 such as:

                   1.  Their length is always zero '0'
                   2.  Their date and time are always the current ones
                   3.  They can't be referred to in any way
                   4.  Their names are both fixed and variable.  The first
                       three characters are fixed for each pair, "BFC."
                   5.  And they can't be removed.

     Do I have a virus or what, HELP!


 ANSWER: 2

     The files that you have mentioned above are 'temporary files' that
 are created by DOS when you use the PIPE "|" command.  At the end of the
 piping they are deleted.  It is possible that you have a program that is
 abnormally terminating the piping process and as a result these mystery
 files are being left on your disk.



 QUESTION: 3    VALIDATE MY PARKING PLEASE, ER RATHER MY PROGRAM!


     What is this 'Validation' program I keep seeing in my downloads?
 Is this a program that helps detect computer viruses?  I'm confused!


 ANSWER: 3

     VALIDATE is always included with any McAfee anti-virus program, and
 you're also seeing it with many other quality Shareware programs.  Validate is
 a 'file-authentication' program that is used to check software programs
 for tampering.

     VALIDATE uses two discrete methods to generate what are known as
 Cyclic Redundancy Checks (CRCs), which are then displayed to the
 user to compare against the known values for the program being validated.

     For example, let's say that I write a computer software program and
 as the author I know that my program is exactly 53,245 bytes in size.  If
 I use my Validate program on the file name it should tell me that the file
 is indeed EXACTLY that size.  Remember, a computer virus will generally
 increase the SIZE of a .COM or .EXE file.


     HOW TO USE VALIDATE:

     Okay, for example purposes let's say that my GIZBO.EXE program is
 53,245 bytes.  How does a guy who just downloaded my file back in Kansas
 check that out?  Here's how:


       ->     VALIDATE GIZBO.EXE     <- this is the exact size of the
                                        program itself.


       this is what you see next ...

             Filename: GIZBO.EXE
                 Size: 53,245
                 Date: 3-25-1992     <- this information proves that
                                        the file has NOT been altered.
             File Authentication

         Check Method 1 - 9215
         Check Method 2 - 0CA6


     To CONFIRM that a program is in its original and un-tampered state,
 run the VALIDATE program on it, record the validation information (see
 above) and then compare it with what the author says the size should be.

 Note:  Do not rely completely upon the documentation that came with your
 download UNLESS you received that program directly from the author or
 company themselves!  Documentation can be changed.

  ------------
  SPECIAL NOTE about the authentication program and McAfee products:
  ------------

     Beginning with Version 72, all McAfee Associates programs for
 download are archived with PKWare's PKZIP Authentic File Verification.
 If you do not see the "-AV" message after every file is unzipped, and do
 not receive the message "Authentic Files Verified! # NWN405  Zip Source:
 McAFEE ASSOCIATES" when you unzip the files, then do not run them.

     If your version of PKUNZIP does not have verification ability, then this
 message may not be displayed.  Please contact McAfee Associates if
 your .ZIP file has been tampered with.
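
     The compare-against-known-values check described above, as an added
 example (not part of the original newsletter and not McAfee's code).
 VALIDATE's two check methods are not specified here, so CRC-16/CCITT and
 CRC-32 stand in for them, a SHA-256 digest is added alongside, and the
 sample bytes are constructed.

```python
import binascii
import hashlib


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021). Assumed stand-in for 'Check Method 1'."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def fingerprint(data: bytes) -> dict:
    """Size plus two independent CRCs (as VALIDATE displays) and a SHA-256 digest."""
    return {
        "size": len(data),
        "check1": f"{crc16_ccitt(data):04X}",
        "check2": f"{binascii.crc32(data) & 0xFFFFFFFF:08X}",  # assumed stand-in
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def mismatches(data: bytes, published: dict) -> list:
    """Names of the published fields that the file in hand does not match."""
    actual = fingerprint(data)
    return [name for name, value in published.items() if actual[name] != value]


# Constructed sample data: a stand-in "program", not a real executable.
ORIGINAL = b"MZ" + bytes(range(256)) * 4
PUBLISHED = fingerprint(ORIGINAL)   # values the author would publish out of band

GROWN = ORIGINAL + b"\x00" * 512    # file got longer, as when code is appended
_patched = bytearray(ORIGINAL)
_patched[100] ^= 0xFF               # same length, one byte altered
PATCHED = bytes(_patched)

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("grown", GROWN), ("patched", PATCHED)):
        print(f"{label:9s} size={len(blob):5d} mismatches={mismatches(blob, PUBLISHED)}")
```

     The same-size patch passes the size comparison and is caught only by
 the check values, so the published values have to come from the author and
 not from documentation bundled in the download.  CRCs catch accidental or
 crude changes but can be matched deliberately; the SHA-256 line cannot in
 practice.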

 * The above questions are REAL.  However, the names of the message senders
   have been changed and the messages also have been edited.
     Does anyone know what in the heck is the 'BLOODY' computer virus?
 It's also known as the AZUSA virus.  It apparently is infecting my boot
 sector of my floppy diskettes.  Now MANY of my clients have this virus
 and I need to know how to remove it.  Please Help!

     Also, is this virus dangerous?  Is it destructive at all?  So far
 it seems that it only slows down the system and sometimes sends
 unauthorized messages to the user.

    AN IMPORTANT NOTE ABOUT THE STONED VIRUS:  Removing the Stoned virus can
 cause loss of the partition table on systems with non-standard formatted hard
 disks.  As a precaution, backup all critical data before running CLEAN-UP.
 Loss of the partition table can result in the LOSS OF ALL DATA ON THE DISK.


 QUESTION: 4     DOWNLOADED COPY OF SCAN AND DOES NOT HAVE -AV


     I just took off my BBS a copy of SCAN93.ZIP and after unzipping the
 program I noticed that after each file was unzipped it did not have the
 Validation Code, -AV, shown to the right of each file as it unzipped.
 Also, it had an advertisement for a BBS inside the file.  Is this okay to
 use or should I make sure it has the Authentication code first?

  ANSWER: 4

     SEE how to read and understand the Validation Code and -AV in question
 #3 above.  Any of McAfee's Shareware programs are safe to use and have not
 been modified when you see the "-AV" displayed after each file that is
 uncompressed, and when you run the "Validate" program and make sure the
 program(s) is the exact size it says it is.


  QUESTION: 5   VIRUSES ON OS/2?


     I'm a recent convert to OS/2 2.0 operating software and was curious
 about the availability of any virus scanning programs for this platform.
 Does McAfee Associates have such a program or any plans in having an anti-
 virus program for OS/2?  I still use SCAN to check all of my DOS programs
 and that program runs well under OS/2 in DOS mode.  Thank you.

  ANSWER:  5

     There are currently NO OS/2 viruses as of yet, but we're not taking
 any chances.  Presently we are looking into OS/2 virus protection and intend
 to develop an anti-viral program for OS/2 which should be available by
 mid-summer.  Stay tuned as THE VIRUS INFORMER newsletter will keep you
 informed.

  -------------
    The portion below was seen in last week's THE VIRUS INFORMER.  A few
 users have asked to see it again.  So, by popular demand.
  -------------


  ----------
  VIRUS HINT ... preventing computer viruses from infecting you!
  ----------     The following is a hardware attempt to prevent writes
                 to your hard disk.  DO NOT attempt this if you are not
                 experienced with the inside workings of your computer!



     Here is how you can virus-proof a PC that has MFM or RLL disk drives (st-
 506).  Basically, you can add a write protect switch for one of the two disks
 (I recommend C:) and put all your executables on it, along with dos.  It's
 very simple, almost anyone can do it.  This is it:

                           _                                       _
 =============|           | |                                     | |
 Controller   |===========| |=====================================| |
              |           | |           .XX cut wire 6 XX.        | |
             1|===========|1|===========|================|========|1|
 =============|   /^\     |_|           |                |        |_|
                   |    Drive D:        |                |    Drive C:
 34 Pin Hard Disk  |     Conn.          |                |     Conn.
 Ribbon Cable _____|                    |                |
                                        |__________o/o___|
                                                 Switch
                                                 Open=Protected
                                                 Closed=Unsafe

    Okay, here's what's going on.  We have interrupted pin 6, which is
 writegate.  Leave the terminator resistors in on both drives, and make sure
 both sets are in or you will blow the data on drive C:.

    What I suggest is you use the keyboard lock key switch on the front of
 most pc's.  The little lock icon is correct.  With the switch in the lock
 position, all writes to C: will be ignored, without any error or warning
 message.  With the switch in the unlock position, the system will behave
 normally.  You must look at the motherboard and jumper the connector that the
 switch used to go to, usually this can be done with a 0.1" shunt like is used
 to set unit ID on many disk drives.

    Or if you wish, you can drill a hole in your case and install a switch or
 key interlock or whatever.  You could also use the turbo switch.  I like the
 key switch because it's more idiot resistant.

    Wire 1 on the ribbon cable has a red stripe on it, and you just count
 wires to wire 6.  You obviously need to solder extension wires to reach the
 switch.  Don't make them over 2 feet long, though.  The shorter the better.

    With the switch in the locked position, you are completely immune to boot
 sector viruses, and file infectors who try to infect executables on drive c:.
 Since this solution is 100% hardware, there is no way that a present or
 future virus can get past it.


  PERFECT FOR COMPUTER LABS AND RESEARCHERS!

    This technique is ideally suited to virus researchers, and university
 "data slut" computing center machines.  This way, the dos, networking code,
 compilers, and word processing software could stay intact on a machine.  The
 students would be directed to place their data on drive D:.  Only the facility
 director would have the unlock key.

    For the techie: it doesn't hurt to doubly terminate the st506 control bus.
 The margins are sufficient to make it reliable.  If it bugs you, use an
 ohmmeter to figure out which terminator pin is wire 6 on the 34 pin cable,
 and clip off all other terminator pins on drive C:.

 * questions and answers have been modified or adapted from original
   material for editing purposes.


  - end -