💾 Archived View for spam.works › mirrors › textfiles › virus › vi900906.txt captured on 2023-11-04 at 16:03:46.
⬅️ Previous capture (2023-06-16)
-=-=-=-=-=-=-
Msg#: 2473 *Virus Info* 08-19-90 09:46:00 (Read 11 Times) From: PATRICIA HOFFMAN To: KEN DORSHIMER Subj: RE: CRC CHECKING <KD>the deal is that the invading program would have to know how the CRC <KD>your <KD>program uses works. otherwise it would have a (bytes changed!/bytes in <KD>file!) <KD>chance of succeeding, or somewhere in that neighborhood... <KD> Except in the case of Stealth Viruses....CRC checking doesn't work with them. Patti --- msged 1.99S ZTC * Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158) Msg#: 2474 *Virus Info* 08-19-90 09:50:00 (Read 9 Times) From: PATRICIA HOFFMAN To: SHEA TISDALE Subj: FILE ECHO? <ST>Hey, what happened to connecting my system to the file echo? <ST> <ST>I have sent numerous netmail messages to you since you sent the info <ST>on setting it up and have not had a reply yet. Recheck your netmail, I sent a reply after receiving the message "What is Tick?" indicating that you need to be running Tick in order to be able to participate in the file echo since that is how the files are processed and extra files go with the .zip files that carry the description. Tick is available from most SDS nodes. Patti --- msged 1.99S ZTC * Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158) Msg#: 2475 *Virus Info* 08-16-90 11:56:00 (Read 8 Times) From: MIKE DURKIN To: WARREN ANDERSON Subj: RE: INTERNET WORM > I am interested in obtaining the list of passwords used by the > Internet worm in the US. I am the administrator of several The list is in the McAfee/Haynes book ("computer viruses, worms...threats to your system") (pgs 89-91)... I'll type it in for you if you can't find the book locally... Mike --- RBBSMail 17.3A * Origin: The TeleSoft RBBS (RBBS 1:143/204) Msg#: 2476 *Virus Info* 08-19-90 14:51:00 (Read 9 Times) From: MIKE DURKIN To: JAMES DICK Subj: REPLY TO MSG# 2473 (RE: CRC CHECKING) > You might want to take a look at McAfee's FSHLD*.ZIP. This is a new > anti-virus program from the creator of SCAN that is designed > specifically for developers. It will build a 'shield' into an > application such that the application _cannot_ be infected and if it > does become infected, will remove that infection after execution but > prior to running. You will find it in the virus scanners area of many Jim... this is a little mis-leading... all programs will become infected but FSHLD will remove it for most viruses.. for viruses like 4096, FSHLD won't remove or even know/announce that the file is infected... When FSHLD can remove a virus, 'after execution but before running' really makes no difference since a resident virus will still go TSR and a direct action virus will still do it's infecting of other programs... But all things considered... I definately agree that FSHLD is a must have... Mike --- RBBSMail 17.3A * Origin: The TeleSoft RBBS (RBBS 1:143/204) Msg#: 2477 *Virus Info* 08-20-90 04:44:00 (Read 8 Times) From: KEN DORSHIMER To: PATRICIA HOFFMAN Subj: RE: SCANV66B RELEASED On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said: <KD>>does this mean i should erase the old scanv66 that i just d/l'd from <KD>>SDN? <KD>>:-( <KD>> PH> Yep, ScanV66 has a bug or two in it involving the validate codes it PH> can add to the end of files. The validate codes were not being PH> calculated correctly in PH> swell. think i'll wait for the next release. ps, you have net-mail waiting. :-) BTW why on earth would anyone take time off from a disneyland vacation to call a bbs? <grin> ...Your attorney is in the mail... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2478 *Virus Info* 08-20-90 04:46:00 (Read 9 Times) From: KEN DORSHIMER To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2476 (RE: CRC CHECKING) On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said: <KD>>the deal is that the invading program would have to know how the CRC <KD>>your <KD>>program uses works. otherwise it would have a (bytes changed!/bytes in <KD>>file!) <KD>>chance of succeeding, or somewhere in that neighborhood... <KD>> PH> Except in the case of Stealth Viruses....CRC checking doesn't work PH> with them. PH> i'd have to see that for myself. i think a complex enough algorithm would keep them at bay. the probability factor is just too low for such a stealth scheme to work. ...Your attorney is in the mail... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2479 *Virus Info* 08-20-90 04:50:00 (Read 9 Times) From: KEN DORSHIMER To: MIKE DURKIN Subj: REPLY TO MSG# 2478 (RE: CRC CHECKING) On 19-Aug-90 with bulging eyes and flailing arms Mike Durkin said: >> You might want to take a look at McAfee's FSHLD*.ZIP. This is a new >> anti-virus program from the creator of SCAN that is designed >> specifically for developers. It will build a 'shield' into an >> application such that the application _cannot_ be infected and if it >> does become infected, will remove that infection after execution but >> prior to running. You will find it in the virus scanners area of many MD> Jim... this is a little mis-leading... all programs will become MD> infected but FSHLD will remove it for most viruses.. for viruses like MD> 4096, FSHLD won't remove or even know/announce that the file is MD> infected... When FSHLD can remove a virus, 'after execution but before i have some misgivings about this particular protection scheme myself. i don't like embedding someone else's stuff into my executables, partly for licensing reasons. not to knock what is probably a good idea... ...Your attorney is in the mail... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2653 *Virus Info* 08-20-90 17:09:00 (Read 10 Times) From: TALLEY RAGAN To: MIKE MCCUNE Subj: RE: REMOVING JOSHI In a message to Philip Laird <08-16-90 14:09> Mike Mccune wrote: MM>> Just be sure to boot off a clean diskette to remove the MM>>virus from memory, otherwise the virus will not be removed. MM>> If RMJOSHI is used on an unifected hard drive, it will MM>>destroy the partition table. This next program, RETURN.COM MM>>will restore the partition table. MM>> I will post this program in my next listing...<MM>. Does this mean that RMJOSHI.COM, if run on an uninfected hard drive by it self is a virus? Talley --- ZAFFER v1.01 --- QuickBBS 2.64 [Reg] Qecho ver 2.62 * Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9) Msg#: 2654 *Virus Info* 08-21-90 09:32:00 (Read 10 Times) From: PATRICK TOULME To: MIKE MCCUNE Subj: RE: HAVE ANYONE TRIED SECURE ? MM> I have tried Secure and have found it to be the only interrupt moniter MM> that will stop all the known viruses. Mike perhaps you should add a caveat to that statement. Secure neither detects, nor does it stop, Virus-101. --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2655 *Virus Info* 08-21-90 12:11:00 (Read 8 Times) From: PAUL FERGUSON To: HERB BROWN Subj: KEYBOARD REMAPPING (AGAIN)... Herb, I stand corrected on that last bit of dialogue....You are correct, indeed.....But, you know what I mean along those lines of getting what you don't expect, whether damaging or not, NO ONE wants the unexpected on thier system.....Touche! -Paul ^@@^........ --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2656 *Virus Info* 08-21-90 22:29:00 (Read 10 Times) From: PATRICIA HOFFMAN To: YASHA KIDA Subj: AKA AND BBS HANDLES YK> What is the rule in this message echo concerning BBS HANDLES? YK> Would like some clarification, I have users expressing interest in YK> using bbs handles in this echo, since they are seeing them used . YK> As you can see I have not allowed this, feeling this echo to be YK> professial in nature. YK> YK> I understand the use of AKA names in this echo maybe needed. YK> YK> Example : YK> After my SITE Manager saw my interest in viruses, I was called in to YK> his office. After explaining my reseach, was to protect not to infect, YK> he relaxed. YK> [Note: the above quote is muchly editted....] Yasha, Aliases are ok in this echo, as long as the Sysop of the system where the messages originate knows who the user is and can contact him if the need arrises. I fully understand the sitation that you describe about your Site Manager...which is a fully valid reason to use an alias here. I used to use the alias of "Merry Hughes" for exactly that reason! Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2657 *Virus Info* 08-21-90 22:32:00 (Read 9 Times) From: PATRICIA HOFFMAN To: KEN DORSHIMER Subj: REPLY TO MSG# 2477 (RE: SCANV66B RELEASED) KD> swell. think i'll wait for the next release. KD> ps, you have net-mail waiting. :-) BTW why on earth would anyone take KD> time KD> off from a disneyland vacation to call a bbs? <grin> <laughing> I was eating dinner or lunch while entering those messages, then we went back to Dizzyland and Knott's. Besides, I had to see what you guys were up to while I was gone.....Mom instinct....what can I say? Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2658 *Virus Info* 08-22-90 18:21:00 (Read 8 Times) From: HERB BROWN To: PAUL FERGUSON Subj: REPLY TO MSG# 2655 (KEYBOARD REMAPPING (AGAIN)...) With a sharp eye <Aug 21 12:11>, Paul Ferguson (1:204/869) noted: PF>Herb, PF> I stand corrected on that last bit of dialogue....You are PF>correct, indeed.....But, you know what I mean along those lines of PF>getting what you don't expect, whether damaging or not, NO ONE wants PF>the unexpected on thier system.....Touche! PF>-Paul ^@@^........ I knew what you meant. Glad to know you do too. :-) ( No flame intended ) --- QM v1.00 * Origin: Delta Point (1:396/5.11) Msg#: 2659 *Virus Info* 08-22-90 05:37:00 (Read 8 Times) From: KEN DORSHIMER To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2657 (RE: SCANV66B RELEASED) On 21-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said: KD>> swell. think i'll wait for the next release. KD>> ps, you have net-mail waiting. :-) BTW why on earth would anyone take KD>> time KD>> off from a disneyland vacation to call a bbs? <grin> PH> <laughing> I was eating dinner or lunch while entering those PH> messages, then we went back to Dizzyland and Knott's. Besides, I had PH> to see what you guys were up to while I was gone.....Mom PH> instinct....what can I say? PH> did you go on the roller coaster at Knotts that looks like a corkscrew? my personal favorite after a big dinner. <erp!> in other news there was a report <<unconfirmed>> that there is a hack of lharc floating around called lharc190. might want to keep an eyeball open for it. what am i doing up at this hour? just got thru writting the docs for a program <yawn>. as usual, the program looks better than the docs. have fun, see ya. ...All of my dreams are in COBOL... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2660 *Virus Info* 08-20-90 15:40:00 (Read 9 Times) From: RON LAUZON To: PAUL FERGUSON Subj: RE: KEYBOARD REMAPPING.... yes, it is possible to re-map the keyboard from a remote system. However, most people are protected by this because the term program rather than ANSI.SYS is handling the ANSI escape sequences. If you are using a "dumb" terminal that has no terminal emulation and allowing ANSI.SYS to handle your screen formatting, you may be in trouble. --- Telegard v2.5i Standard * Origin: The Flight of the Raven (313)-232-7815 (1:2200/107.0) Msg#: 2661 *Virus Info* 08-21-90 20:29:00 (Read 8 Times) From: MARTIN NICHOL To: MICHAEL TUNN Subj: WHAT'S THE SOLUTION? mt said => It seems to me our Virus checking programs will just mt said => get bigger and bigger as more viruses and strains of mt said => the same viruses are discovered. If so (and if their mt said => development is excelerating) then we may find in the mt said => near future that it has become impossiable to deal mt said => with the outbreaks! mt said => Do we do develop new Operating Systems which are far mt said => more secure! Develope different virus scanning programs. Make them more generic where virus signatures/characteristics can be kept in a seperate file and the virus scanner just reads the file and interprets it accordingly. --- * Origin: JoJac BBS - (416) 841-3701. HST Kettleby, ON (1:250/910) Msg#: 2683 *Virus Info* 08-22-90 22:55:00 (Read 8 Times) From: FRED ENNIS To: ALL Subj: VIRUS-486COMP.* FORWARDED BY James Dick of 1:163/118 QUOTE ON I've been informed by "reliable sources" that there's a file floating around called 486COMP.* (select your favourite packing method) which claims to "show you the difference between your machine and a 486". . When run, the program flashes a "too big for memory" message, and aborts. . Then, the next time you boot, you're informed that you have the "Leprosy 1.00" virus which then hangs the machine. . After you manage to boot from a floppy, you find that COMMAND.COM has been altered, although the date, time, and size appear not to have been changed. Just thought you'd like to know. Cheers! Fred --- msged 1.99S ZTC * Origin: Page Six, POINT of order Mr. Speaker (1:163/115.5) Msg#: 2684 *Virus Info* 08-22-90 11:07:00 (Read 8 Times) From: SHEA TISDALE To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2474 (FILE ECHO?) Thanks Patricia... I am all ready to go now. Just poll your board? --- * Origin: >- c y n o s u r e -< 919-929-5153 <XRS> <HST> (1:151/501) Msg#: 2685 *Virus Info* 08-20-90 21:50:00 (Read 9 Times) From: TOM PREECE To: PAUL FERGUSON Subj: RE: KEYBOARD REMAPPING VIA COMMUNICA I can't help but wonder if Herb was experiencing something that suggested that kind of remapping. Lately I have been experiencing keyboard problems that seem to act like that. When I use my down or left arrow the \ and | symbols toggle. I can correct this when it happens by hitting the left hand shift key - but not the right. And tonight it seems as if I am occaissionaly transposing caps on and off. If either of you hears a virus like this I'd like to know. Q&A tested my memory and keyboard fine. Scanv66 detected nothing. --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#: 2738 *Virus Info* 08-23-90 23:49:00 (Read 7 Times) From: PHILLIP LAIRD To: PATRICIA HOFFMAN Subj: ONTARIO VIRUS Patty, have you heard of such a Virus? I was in the TAG Support Echo and saw a message about a TAG Sysop who contracted that virus. Any Info? Supposedly the Virus is scanned in version SCANV66.ZIP. ???? --- TAGMAIL v2.20 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49) Msg#: 2739 *Virus Info* 08-22-90 12:55:00 (Read 7 Times) From: PAUL FERGUSON To: EVERYONE Subj: MOM! Patti- Mom, huh?...What can you say?..It seems it has already been said! -Paul <wide grin on this one> --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2740 *Virus Info* 08-23-90 12:06:00 (Read 8 Times) From: PAUL FERGUSON To: TOM PREECE Subj: REMAPPING... Hello, Tom... . More than likely there was nothing like that at all. Keyboard remapping is an extremely complicated process and would take more than forethought on the part of the programmer. What you have seen us talking about here is figurative at best and personally, I would have to see it to believe it. (you know the old saying: "Believe none of what you hear and only half of of what you see."?) Although I do believe that is quite possible under the proper circumstances, it would indeed be a rare occurance. Sometimes when receiving odd characters during telecommunications or not getting the exact same keys that you typed could be attributed to disparity (parity differences), differing data bits, stop bits, or even simply ANSI interpretation problems between Comm Programs. I've seen the smallest, simplest things like that have people pulling their hair out by the roots! . .....Clarke's Third Law Any sufficiently advanced technology is indistinguishable from magic. . . -Paul ^@@^........ --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2741 *Virus Info* 08-17-90 01:51:00 (Read 8 Times) From: YEN-ZON CHAI To: DOUG BAGGETT Subj: ANTI VIRUS VIRUSES DB> well..here is a question..where exactly did viruses originate DB> anyway..was it in this country or others? Probably where hacker exists, virus exists. --- outGATE v2.10 # Origin: SIGnet International GateHost (8:7501/103) * Origin: Network Echogate (1:129/34) Msg#: 2742 *Virus Info* 08-22-90 17:49:00 (Read 8 Times) From: KEVIN HIGGINS To: MIKE MCCUNE Subj: REPLY TO MSG# 2654 (RE: HAVE ANYONE TRIED SECURE ?) I took a look at it, but to be realistic, when you run a BBS, or are continuously updating your files as new releases come out, you could easily get to the point where you spend more time reconfiguring the anti-virus program than you would getting any work done. I find it much more efficient to scan every file for viruses as soon as I get it on my system, then rezip it, if I'm not going to use it... a simple .bat file can be used such that if you want to check multiple files, you can just feed the file names on the command line and let the .bat file take care of unzipping, scanning and rezipping the file. Be best if someone would write a program that would do this, but I haven't found one yet. Kevin --- TAGMAIL v2.40.02 Beta * Origin: The Hornet's Nest BBS (1:128/74) Msg#: 2743 *Virus Info* 08-22-90 21:52:00 (Read 8 Times) From: CY WELCH To: PAUL FERGUSON Subj: REPLY TO MSG# 2660 (KEYBOARD REMAPPING....) In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote: PF> Isn't it possible to remap some (or any) keyboard functions via PF> communications with some funky ANSI control characters?....I seem to PF> remember mention of this somewhere.....I really can't remember if was PF> in the form of a question, though, or an answer.....It also made PF> mention of PKWares' Safe-ANSI program...Somebody help us out here... I think most of the "FAST" ansi replacements do not have the keyboard remapping so that danger is removed in those cases. --- XRS! 3.40+ * Origin: Former QuickBBS Beta Team Member (99:9402/1.1) (Quick 1:125/122.1) Msg#: 2744 *Virus Info* 08-24-90 15:14:00 (Read 8 Times) From: PATRICIA HOFFMAN To: ALL Subj: VIRUS RESCUE & F-PROT RELEASES The latest version of Fridrik Skulason's F-PROT anti-viral program is now available for download from my system as FPROT112.ZIP. The program can also be file requested as F-PROT, which will always return the latest copy I have available. This program is actually a "suite" of programs for use in preventing and detecting viruses and trojans. The program originates in Iceland, and so updates to it reaching my system for distribution have been rather sporatic. The other new anti-viral program available on my system is Virus Rescue. Virus Rescue is from Tacoma Software, and is a shell for invoking ViruScan, CleanUp, and VCopy from McAfee Associates. Unlike other shell programs I've seen, this one should not require updates every time a new release of Scan comes out. It picks up its virus information from the VIRLIST.TXT file which is packaged with Scan and CleanUp. It will be handy for those who have trouble with the Scan and CleanUp command line switches, or who want the VIRLIST.TXT information converted to english sentences. This is a first public release, so I expect we may see some changes in this product in the future. Virus Rescue can be downloaded from my system as RESQ01.ZIP. Both programs are also file requestable by other systems. File requests should ask for magic file names as follows: F-PROT for the latest copy of F-PROT (currently FPROT112.ZIP) RESCUE for the latest version of Virus Rescue Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2745 *Virus Info* 08-24-90 23:37:00 (Read 9 Times) From: KEN DORSHIMER To: KEVIN HIGGINS Subj: REPLY TO MSG# 2742 (RE: HAVE ANYONE TRIED SECURE ?) On 22-Aug-90 with bulging eyes and flailing arms Kevin Higgins said: KH> I took a look at it, but to be realistic, when you run a BBS, or are KH> continuously updating your files as new releases come out, you could KH> easily get to the point where you spend more time reconfiguring the KH> anti-virus program than you would getting any work done. I find it KH> much more efficient to scan every file for viruses as soon as I get it KH> on my system, then rezip it, if I'm not going to use it... a simple KH> .bat file can be used such that if KH> KH> you want to check multiple files, you can just feed the file names on KH> the command line and let the .bat file take care of unzipping, KH> scanning and rezipping the file. Be best if someone would write a KH> program that would do this, but I haven't found one yet. Kevin KH> sounds like a plan to me. it would actually be fairly simple to write a program to look at all the files in your upload directory, unpack them based on the extension, scan them, then re-compress them (if needed). of course you'd still have to manually put the now scanned files into the proper catagory directories yourself. when do you need it and what's it worth? :-) ...All of my dreams are in COBOL... --- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753) Msg#: 2746 *Virus Info* 08-23-90 15:23:00 (Read 8 Times) From: MIKE MCCUNE To: TALLEY RAGAN Subj: REPLY TO MSG# 2653 (RE: REMOVING JOSHI) No, it just modifies the partition record to remove the virus. If the virus isn't there, it still modifies the partition record. Return.com just reverses the modifications done to the partition table. I will post an improved version of RMJOSHI that scans the partition record for the virus before modifying it...<MM>. --- KramMail v3.15 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#: 2747 *Virus Info* 08-23-90 15:26:00 (Read 8 Times) From: MIKE MCCUNE To: PATRICK TOULME Subj: REPLY TO MSG# 2745 (RE: HAVE ANYONE TRIED SECURE ?) Maybe I should say all virus that are in the "public domain". Virus 101 is a research virus that only a few people have (and you wrote). Nothing is fool proof but Secure is better than any other interrupt moniter. --- KramMail v3.15 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0) Msg#: 2748 *Virus Info* 08-23-90 07:01:00 (Read 8 Times) From: YASHA KIDA To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 2656 (AKA AND BBS HANDLES) In a message of <21 Aug 90 22:29:34>, Patricia Hoffman (1:204/869) writes: PH> PH> Yasha, Aliases are ok in this echo, as long as the Sysop of the system PH> where the messages originate knows who the user is and can contact him PH> if the need arrises. I fully understand the sitation that you PH> describe about your Site Manager...which is a fully valid reason to PH> use an alias here. I used to use the alias of "Merry Hughes" for PH> exactly that reason! PH> PH> Patti I understand AKA names like "MERRY", but I speak of HACKER HANDLES. like "LINE RUNNER", "DATA BYTE" etc... I must have misunderstood FIDO ECHO POLICY either way I will drop the subject. Yasha Kida --- msged 1.99S ZTC * Origin: Bragg IDBS, (FT. Bragg, NC - we're gonna kick some booty) (1:151/305) Msg#: 2749 *Virus Info* 08-08-90 23:23:00 (Read 7 Times) From: ALAN DAWSON To: DAVID SMART Subj: RE: VIRUS SCANNERS.... DS> You can't win on this! I've been downloading for quite a while DS> - always running a virus checker on the information. So, where DS> did our virus come from? Off a shrink-wrapped anti-virus DS> diskette one of our guys picked up in the US! Nothing new about this, as people learn all the time. One MAJOR company (really big, really well known) has shipped shrink-wrapped viruses twice -- once on purpose! Shrink wrap doesn't keep the bugs out. --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 2750 *Virus Info* 08-08-90 23:31:00 (Read 7 Times) From: ALAN DAWSON To: PATRICIA HOFFMAN Subj: SCAN WEIRDNESS (All answers gratefully received despite the TO: line) Anybody heard of this? I've got a floppy with some viruses on it, among them a SCAN-known Dark Avenger. I SCAN this floppy from the C drive, and the "hey, nothing to worry about there" report comes back. Strange. I SCAN it again. This time 'round, SCAN barfs after 64K of the memory check, telling me Dark Avenger is in memory, power down, load the .45, get the cyanide tablet ready and so on. But DA of course is NOT in memory or active in any way. It is, however, on the floppy, unrun. The above occurred with SCANV64. Out of curiosity, I cranked up SCAN-54 and -- EXACTLY the same result. AST Bravo 286, no TSRs, nothing else loaded, clean (normal) boot just performed. I have a bunch of viruses that I don't expect SCAN to find -- ever. But this kind of thing has never happened to me before. Can anyone match this story, or event? --- Opus-CBCS 1.13 * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0) Msg#: 2751 *Virus Info* 08-26-90 00:59:00 (Read 7 Times) From: STEVEN TREIBLE To: KEN DORSHIMER Subj: VOICE NUMBER Ken, I haven't mailed the disk yet as you can see. I'd like to have your voice # so I can talk to instead of sending Net Mail. Thanks, Steve. --- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0) Msg#: 2752 *Virus Info* 08-25-90 06:10:00 (Read 8 Times) From: SANDY LOCKE To: HERB BROWN Subj: RE: COMMUNICATION VIRALS PH> However, unless one of the above is occurring, just connecting via PH> telecom to a system won't directly transmit a virus.... PH> HB> Well, that is not exactly what I meant. Sorry for the miscommunicatio HB> should have used an example. I'll have to dig for some old documentat HB> about z-modem when it first came out. I seem to remember it stating t HB> locked the directory that a file was able to go to when being download HB> has something to do with the structure of a .EXE file, or something. HB> to also remember that it was possible to have the .exe "go were it wan HB> as defined by this structure. Thus, having some of the file go to a c HB> part of a drive or memory. It seems wild, but without the docs I read HB> can't give any details. Thought maybe you could shed some light on th Well considering that I am hosting chuck forsberg today ... hes down here for the sco developer forum I will put the question to him directly... but as one of the suggestors for feature addition to the protocol in another personna... ZMODEM will INDEED allow one to transmit a FULL path name... however this is mitigated by the ability on the receiving end to override the transmitted pathname spec... I dont really see a problem here... and when I put the question to chuck I dont see where he will see one either... btw READ the DSZ DOCS and register the product... that will turn on ALL the neat zmodem features... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2753 *Virus Info* 08-25-90 06:18:00 (Read 15 Times) From: SANDY LOCKE To: SKY RAIDER (Rcvd) Subj: RE: VIRUS ORIGINALS SR> Doug, SR> It is my belief that viruses originated in the early days of computing SR> effort to see what kind of stuff could be done with them, a group of SR> programmers (financed by the US government as I recall) institued a se SR> programs that would attempt to 'beat' others in taking over a computer SR> system. These programs led to a gaming system known as the CORE WARS. SR> today there is an International Core Wars Society. SR> I think it can be easily seen how a program to destroy/circumvent a st SR> operating system can develope into a virus. SR> I tried to double check this information for accuracy, names, dates, e SR> but it seems I have deleted this file. I will try to get further info SR> you, but beleive this info is shrouded in secrecy, and may be hard to SR> relocate. SR> So, the original viruses did come from the US (and even possibly with SR> government help). SR> Ivan Baird SR> * Origin: Northern Connection, Fredericton, N.B. Canada <HST 14.4K> SR> (1:255/3) WHAT a LOAD of UNADULTERATED CRAP... redcode is simply a GAME created by bored programmers... ORIGINAL CORE WARS games were created as far back as 1969 back on the OLD IBM 360 architectures under both OS/MFT and OSMVT OS's... neither had anything to do with so-called secret financing by the US government...BTW I was AROUND and A Systems Programmer during that period... we created our own versions when we heard of the rumours... it was an old system programmers game designed to give Egotistal programmers some lighthearted fun... at this point ALL code ran in real Address space and redcode hadnt even been though of... the MUCH later article by Scientific American in 1979 gave this fun with out harm via the redcode interpreter implemented on early 6502 and 8080 systems... really... I am going to have to move to canada... sounds like there are some really potent and fun drugs in circulation up there... jeese... what a simp... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2754 *Virus Info* 08-25-90 06:19:00 (Read 14 Times) From: SANDY LOCKE To: STEVE HOKE Subj: REPLY TO MSG# 2752 (RE: COMMUNICATION VIRALS) SH> In a message to Herb Brown <15 Aug 90 17:44:00> Patricia Hoffman wrote PH> The only way a virus could be directly transmitted via a PH> telecommunications link ... PH> is if the particular "service" has a feature where they upgrade PH> their software on your system when you connect. SH> Is there any commercial system that does this? I don't know of one, bu SH> like to know what types of systems to be wary of. SH> Steve just one word for you... PRODIGY avoid it like the plague... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2755 *Virus Info* 08-25-90 06:25:00 (Read 9 Times) From: SANDY LOCKE To: MIKE MCCUNE Subj: REPLY TO MSG# 2747 (RE: HAVE ANYONE TRIED SECURE ?) MM> I have tried Secure and have found it to be the only interrupt moniter MM> that will stop all the known viruses. It won't stop the boot viruses, MM> obviously (because a boot virus loades before Secure does), but it wil MM> detect them as soon as Secure is loaded. Secure is hard to configure, MM> but once it is configured, it will give few false alarms. With string MM> scanners becoming increasingly easy to defeat, Secure may be the way t MM> go for virus protection...<MM>. well kiddies... a certain couple of anti-viral types on HOMEBASE BBS managed to sting SECURE with modified version of JER-B... one of them continues to find holes with the same tool... SECURE is simply NOT SECURE... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2756 *Virus Info* 08-25-90 06:31:00 (Read 9 Times) From: SANDY LOCKE To: KEN DORSHIMER Subj: REPLY TO MSG# 2479 (RE: CRC CHECKING) KD> On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman sai KD> <KD>>the deal is that the invading program would have to know how the KD> <KD>>your KD> <KD>>program uses works. otherwise it would have a (bytes changed!/by KD> <KD>>file!) KD> <KD>>chance of succeeding, or somewhere in that neighborhood... KD> <KD>> PH> Except in the case of Stealth Viruses....CRC checking doesn't work PH> with them. PH> KD> i'd have to see that for myself. i think a complex enough algorithm wo KD> keep them at bay. the probability factor is just too low for such a st KD> scheme to work. KD> ...Your attorney is in the mail... check out Gilmore Data Systems in LA authors of the OLD FICHECK and XFICHECK... the techniques is called CRC padding after the addition of the viral code the file is padded with a given number of bytes to make the CRC Polynomial come out with the same result... the FCB is then Patched to the original file length leaving nothing for standrad CRC checkers to detect... Childs play really... sandyp.s. in the case of most stealth viruses... the file read code is simply altered to disinfect the file as the CRC checking program reads it... agains simply childs play... --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2757 *Virus Info* 08-25-90 06:32:00 (Read 10 Times) From: SANDY LOCKE To: PATRICK TOULME Subj: REPLY TO MSG# 2755 (RE: HAVE ANYONE TRIED SECURE ?) MM> I have tried Secure and have found it to be the only interrupt moniter MM> that will stop all the known viruses. PT> Mike perhaps you should add a caveat to that statement. Secure PT> neither detects, nor does it stop, Virus-101. Right on Patrick... sandy p.s. Damn nice design on the code complex as HELL.... --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2758 *Virus Info* 08-25-90 06:36:00 (Read 9 Times) From: SANDY LOCKE To: PAUL FERGUSON Subj: REPLY TO MSG# 2740 (RE: REMAPPING...) PF> Hello, Tom... PF> . PF> More than likely there was nothing like that at all. Keyboard PF> remapping is an extremely complicated process and would take more than PF> forethought on the part of the programmer. What you have seen us PF> talking about here is figurative at best and personally, I would have PF> to see it to believe it. (you know the old saying: "Believe none of PF> what you hear and only half of of what you see."?) Although I do PF> believe that is quite possible under the proper circumstances, it woul PF> indeed be a rare occurance. Sometimes when receiving odd characters PF> during telecommunications or not getting the exact same keys that you PF> typed could be attributed to disparity (parity differences), differing PF> data bits, stop bits, or even simply ANSI interpretation problems PF> between Comm Programs. I've seen the smallest, simplest things like PF> that have people pulling their hair out by the roots! PF> . PF> .....Clarke's Third Law PF> Any sufficiently advanced technology is indistinguishable from PF> magic. PF> . PF> . PF> -Paul ^@@^........ well paul normally on hombase you are quite lucid... but as a long time programmer I can testify the keyboard mapping is really quite simple... no real problem and the business of using terminal control code is quite as simple... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2759 *Virus Info* 08-25-90 06:39:00 (Read 9 Times) From: SANDY LOCKE To: CY WELCH Subj: REPLY TO MSG# 2743 (RE: KEYBOARD REMAPPING....) CW> In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote: PF> Isn't it possible to remap some (or any) keyboard functions via PF> communications with some funky ANSI control characters?....I seem to PF> remember mention of this somewhere.....I really can't remember if was PF> in the form of a question, though, or an answer.....It also made PF> mention of PKWares' Safe-ANSI program...Somebody help us out here... CW> I think most of the "FAST" ansi replacements do not have the keyboard CW> remapping so that danger is removed in those cases. Well if you are referring to FANSI.SYS by hershey Microsystems it too is vunerable to remap effects... and since it implemnt FULL ANSI 3.64 terminal control codes plus some extensions it is even more vunerable to a whole class of tricks that go way beyond noremally keyboard remapping... but to there credit they ahve include a way to turn this "FEATURE" OFF... just most users get it off a BBS and never order or look at the 50.00 set of docs that come when you pay for the products... sandy --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2760 *Virus Info* 08-25-90 08:49:00 (Read 9 Times) From: PATRICIA HOFFMAN To: PHILLIP LAIRD Subj: REPLY TO MSG# 2738 (ONTARIO VIRUS) PL> Patty, have you heard of such a Virus? I was in the TAG Support Echo PL> and saw PL> a message about a TAG Sysop who contracted that virus. Any Info? PL> Supposedly the Virus is scanned in version SCANV66.ZIP. Yep, I've heard of this one....I was the one that named it after it was submitted by Mike Shields (Sysop of 1:244/114). Ontario is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. Infected .COM files will increase in length by 512 bytes. Infected .EXE files will increase in length between 512 bytes and 1023 bytes on disk drives with standard 512 byte sectors. When files are infected, the virus adds itself to the end of the program, and then places a jump at the beginning so that the virus's code will always execute before the program that was infected. Ontario is not a low-system memory TSR, it goes memory resident installing itself at the top of free memory, but below the 640K line. Available free memory will decrease by 2,048 bytes. Once the virus has installed itself in memory, any program which is executed will then become infected. It was reported with the sample I received from Mike that infected systems may experience hard disk errors, but I was unable to duplicate that here. This may only happen in severe infections, I try not to let them get that severe when I'm working with a virus :-). Scan V66 and above can detect the Ontario Virus on both .COM and .EXE files. Unfortunately, Ontario is one of the viruses that uses a "double-encryption" technique to prevent scanners from being able to use a search string to detect it, so there isn't a simple way to find it with a hex string and a utility such as Norton Utilities. As of right now, there aren't any disinfectors available for the Ontario virus, so if you happen to be infected with it you need to remove the infected programs and replace them with clean copies from your uninfected backups or original write-protected distribution diskettes. A more complete description of the Ontario virus is in VSUM9008, which was released on August 10. The above is just off of the top of my head, which happens to hurt right now. Hope it is understandable..... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2761 *Virus Info* 08-25-90 09:02:00 (Read 10 Times) From: PATRICIA HOFFMAN To: YEN-ZON CHAI Subj: REPLY TO MSG# 2741 (ANTI VIRUS VIRUSES) YC> DB> well..here is a question..where exactly did viruses originate YC> DB> anyway..was it in this country or others? YC> YC> Probably where hacker exists, virus exists. YC> Well, the two oldest known viruses for MS-DOS are the Pakistani Brain and VirDem. The Brain is from Pakistan, VirDem from West Germany. Both of these originated in 1986. Both have known authors. The viruses from 1987 include Jerusalem and the Suriv series from Israel, Alameda/Yale from the United States, and 405 from Austria or Germany. Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2762 *Virus Info* 08-25-90 09:07:00 (Read 10 Times) From: PATRICIA HOFFMAN To: KEVIN HIGGINS Subj: REPLY TO MSG# 2757 (RE: HAVE ANYONE TRIED SECURE ?) KH> I took a look at it, but to be realistic, when you run a BBS, or KH> are continuously updating your files as new releases come out, you KH> could easily get to the point where you spend more time reconfiguring KH> the anti-virus program than you would getting any work done. I find it KH> much more efficient to scan every file for viruses as soon as I get it KH> on my system, then rezip it, if I'm not going to use it... a simple KH> .bat file can be used such that if you want to check multiple files, KH> you can just feed the file names on the command line and let the .bat KH> file take care of unzipping, scanning and rezipping the file. KH> Be best if someone would write a program that would do this, but I KH> haven't found one yet. You might want to take a look at CheckOut and Shez. CheckOut uses ViruScan to check .ARC, .PAK, .ZIP, .LZH, and other archive formats for viruses by automatically creating a temporary directory and unarchiving the file to it. It then invokes Scan to check the executable files. One of its nice features is that it will never invoke a program in that temporary directory, as well as you can have it either delete an infected file or move it to a badfiles directory. It will also find archives which are damaged for you. It can be invoked easily from a .BAT file, such as if you want to run it at midnight against all new uploads. Shez is another program which can be used to scan inside archives. It is interactive, so you need to manually invoke it. After you have selected the archive and listed the contents, hitting ctrl-Z will result in Scan checking the contents. There are other scanning shells which handle archived files, though these are the two that I've used regularly and are the most familiar with. I was also involved in the beta testing of CheckOut with some known to be infected files, and it does function properly in that instance. I've also tested Shez with infected files, and it works well.... Patti --- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0) Msg#: 2763 *Virus Info* 08-24-90 16:53:00 (Read 8 Times) From: PRAKASH JANAKIRAMAN To: ALL Subj: LEPROSY Exactly what is the Leprosy virus supposed to do? I was informed that it had been included in McAfee's latest version of Scan, but, having never used Scan before in my life, and never having encountered a virus, are there "symptoms", shall we say, caused by the Leprosy virus, or for any virus? If there is a textfile explaining what each virus is capable of doing, and how it can be detected, I'd like to get a copy of it, if any of you know where I can get something of that sort. Also, does anyone have the number to McAfee's BBS? I'd like to become a user over there as well. (I remember it being in the 408 area code, but I can't recall the actual number). Anyways, thanks a bunch, all... Prakash --- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208) Msg#: 2896 *Virus Info* 08-26-90 20:55:00 (Read 9 Times) From: HERB BROWN To: SANDY LOCKE Subj: REPLY TO MSG# 2754 (RE: COMMUNICATION VIRALS) With a sharp eye <Aug 25 06:10>, Sandy Locke (1:204/869) noted: SL> Well considering that I am hosting chuck forsberg today ... hes down SL>here for the sco developer forum I will put the question to him SL>directly... but as one of the suggestors for feature addition to the SL>protocol in another personna... ZMODEM will INDEED allow one to SL>transmit a FULL path name... however this is mitigated by the ability I have the understanding that other protocols would do this, not by choice. Without the security on the recieving end, this could be disasterous, to say the least.. I would be happy to hear what you find.. Speaking of registering zmodem, is it still free to sysops? You can asnwer that in net-mail.. :-) --- QM v1.00 * Origin: Delta Point (1:396/5.11) Msg#: 2897 *Virus Info* 08-24-90 13:39:00 (Read 7 Times) From: MIKE MCCUNE To: VESSELIN BONTCHEV Subj: REPLY TO MSG# 2746 (REMOVING JOSHI) In your recent letter to me you wrote to me you suggested that I check for the virus before trying to remove it. Now that I've got a working copy of the Joshi (and don't have to let someone else test RMJOSHI), I rewrote the program to check for the virus first. mov dx,80h mov cx,1h mov bx,200h mov ax,201h int 13h or ah,ah jnz read_error es: cmp w[bx],1feb jnz no_virus mov cx,000ah mov ax,301h int 13h or ah,ah jnz write_error mov cx,9h mov ax,201h int 13h or ah,ah jnz read_error mov cx,1h mov ax,301h int 13h or ah,ah jnz write_error mov ah,9h lea dx,remove_message int 21h int 20h remove_message: db 'Joshi Removed