VIRUS-L Digest Thursday, 3 Jan 1991 Volume 4 : Issue 4 ****************************************************************************** Today's Topics: Need help with (c) Brain Virus Prosecutions Latest version of McAfee's vcopy program? (PC) Virus Vaccine (PC) Re: Macvirus index? (Mac) CMOS devuce settings "Stoned" Virus (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 25 Dec 90 04:23:14 +0000 From: ecs50145@zach.fit.edu ( COLDENHOFF) Subject: Need help with (c) Brain Hello All... I seem to have been infected by the (c) Brain virus recently, and I have some questions... I do not quite understand how this boot sector virus was able to contaminate my disks without actually booting from them. Does DOS routinely load in and execute some portion of a floppy if referenced?? Or is there a program that is typically the carrier? From what I have read, (c) Brain resides in memory and infects floppies - but how is the virus initially loaded in? Does anybody know what the typical virus scanner looks for in reference to this virus? I hope it doesn't just look for the label - as none of my other disks seem to have it and I have never used anyone else's disks... I would like to know that for instance, McAfee's SCAN will tell me a disk is infected regardless of the presence of the (c) Brain label... Now, I had the impresion that if (c) Brain was in memory that chkdsk /a would return about 7K less total system memory than the computer actually has. When I tried it however, the total memory was ok, but available memory was down by some 50K... Did I miss something here? Please respond via e-mail and I will post a summary at a later date. Thank you in advance, Tim Coldenhoff Internet: ecs50145@zach.fit.edu ------------------------------ Date: 26 Dec 90 23:20:35 -0500 From: Robert McClenon <76476.337@CompuServe.COM> Subject: Virus Prosecutions I read in a recent issue of VIRUS-L that the author of the Scores virus is being prosecuted under a Texas statute. I have a question. Have there been any previous prosecutions of the authors of viruses, strictly defined? The Morris Internet worm was similar to a virus in terms of being a computer crime not enriching the perpetator, but was a worm rather than a virus. If there have been any previous virus prosecutions (or civil actions), what was the outcome? Thank you. Robert McClenon ------------------------------ Date: 27 Dec 90 13:02:17 +0000 From: cheewai@spinifex.eecs.unsw.oz (Wai Yeung) Subject: Latest version of McAfee's vcopy program? (PC) I am looking for the latest version of McAfee's "vcopy" program. There had been releases of "scan", "vshield", "clean" and "netscan" up to V72, but the latest version of "vcopy" that I've got is V67. Is there any site that I may get a later version? Please reply via email since /usr/spool on our machine is running out of space and the system administrator chose to dispose ALL news arrived. Thanks in advance ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Chee-Wai YEUNG | Tutor | Dept. of Computer Science | UNSW | Australia | E-Mail: cheewai@spectrum.cs.unsw.oz.au ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------ Date: Mon, 31 Dec 90 13:50:56 -0500 From: Evelyn Duncan Subject: Virus Vaccine (PC) A friend of mine has an IBM-compatible computer and wants to dial into the VM system here, but he needs a program that will prevent viruses from infecting his system at home. He would like a program such as Virex. He called Virex's 1-800 number, but it was disconnected. If you know of any program, please contact me. ------------------------------ Date: Wed, 02 Jan 91 15:45:35 +0000 From: hv@uwasa.fi (Harri Valkama LAKE) Subject: Re: Macvirus index? (Mac) rrk@planets.risc.com (Richard Killion) writes: >Does anyone know where I could down load the macvirus index. >I have heard it is in the form of a self extracting archive and >that it might be in an ftp site with ".fi" somewhere in its name. If you haven't found it already it is available from nic.funet.fi (128.214.6.100). It is in pub/mac/doc dir. == Harri Valkama, University of Vaasa, Finland =========================== P.O. Box 700, 65101 VAASA, Finland (tel:+358 61 248426 fax:+358 61 248465) email: hv@garbo.uwasa.fi hv@nic.funet.fi harri.valkama@wmac00.uwasa.fi Anonymous ftp chyde.uwasa.fi (128.214.12.3) & nic.funet.fi (128.214.6.100) ------------------------------ Date: Wed, 02 Jan 91 21:17:20 +0000 From: vancleef@nas.nasa.gov (Robert E. Van Cleef) Subject: CMOS devuce settings I had what I thought was a viral infection on my PC Clone system although VIRASCAN did not detect any problems. What I was seeing was recently updated files had problems. Finally the system started reporting BAD SECTORs in these files. This was only on my 3.5" 1.4 MB floppy disk. What had happened is... My system had been hit with a power surge that wiped out the CMOS table entries. When I reconfigured the system, I set up drive B: as a 5.25" 1.2 MB system instead of a 3.5" 1.4 MB system. This allowed me to be able to read the contents of the disk! However, anytime I wrote to the disk it screwed it up. Even using NORTON utilities worked half way. Norton's disk check would report bad blocks and mark them as such.... I am/was surprised that things actually worked as well as they did, as I would have expected the improperly configured disk not to work at all. - -- Bob Van Cleef vancleef@nas.nasa.gov NASA Ames Research Center (415) 604-4366 - --- Perception is reality... ------------------------------ Date: 02 Jan 91 21:22:37 +0000 From: jhp@apss.ab.ca (Herb Presley, Emergency Planning Officer) Subject: "Stoned" Virus (PC) I have had a problem with the "Stoned" virus on my 8088 based XT. After the virus appeared on Christmas Day, I reformatted (high level) the hard drive and reconfigured the partition table using FDISK. Although the message appeared on Christmas Day, the only problem that my PC seemed to develop was the inability to load RAMDRIVE.SYS at bootup. Reconfiguring the partition table and reformatting the hard drive do not seem to have helped RAMDRIVE.SYS to load. I'm not even sure if the problems are related. When I bootup, the error message appears: RAMDRIVE.SYS:Insufficient memory Remember that the RAMDRIVE.SYS load worked prior to the appearance of the "Stoned" virus. I didn't change any parameters prior to that time. I use MS-DOS 3.31. Reloading a fresh copy of RAMDRIVE.SYS from the original system disks does not have seemed to help either. Any suggestions would be welcome. I would appreciate either email replies or postings if the information is of more general interest. DISCLAIMER: Any views expressed here are mine alone and do not represent those of this organization email : jhp@apss.ab.ca (UUCP) mail : 10320 - 146 St., Edmonton, Alberta, Canada T5N 3A2 phone : (403) 451-7151 ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 4] ****************************************