From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #7
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest   Tuesday, 14 Jan 1992    Volume 5 : Issue 7

Today's Topics:

Re: Novell Inadvertently distributes virus with update (PC)
Stoned III / CIAC adv. 11 (PC)
Re: Michelangelo & HD's (PC)
More Stoned virus questions (PC)
Re: Norton AntiVirus (PC)
Norton's AV (PC)
1575/1591 Virus (PC)
VIRUS at AT286 in SCAN85 (PC)
help! Jerusalem in MY PC (PC)
Untouchable (PC)
re: What Does Michael Angelo Do? (PC)
Re: Macs Running Soft PC (Mac) (PC)
PC virus infects UNIX system (UNIX) (PC)
New to the forum - question
Gulf War "virus"
Viruses against Iraq??????
The modem virus myth

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Fri, 10 Jan 92 16:30:25 +0000
From: trent@rock.concert.net (C. Glenn Jordan -- Microcom)
Subject: Re: Novell Inadvertently distributes virus with update (PC)

We at Microcom want to make sure we know what virus this "STONED3" is,
exactly.
Novell will not provide us with a sample, but we are pretty sure this
is the virus we originally called "LastDirSect" and then later (when we
found out what others were calling it) renamed to "NOINT".

Anybody have a sample of the virus Novell is reported to have
inadvertently distributed?  If so, could you run our VIRx v1.9 against
it, to check our theory?  We would sure appreciate it.

C. Glenn Jordan - Virex for the PC Development
(919) 490-1277 vw
Virex Support BBS - (919) 419-1602 V.32bis

------------------------------

Date: 09 Jan 92 14:59:12 +0100
From: Carl Bretteville
Subject: Stoned III / CIAC adv. 11 (PC)

Alan Fedeli writes in VIRUS-L 5/002:

>We also know Stoned-3 as NOINT.  NOINT may be a useful addition to further
>correspondence on this advisory.

And even more input on this: the virus was named "NoInt" by Micke
McCune when he isolated it in MAY91, as the virus doesn't use
interrupts to send commands to BIOS.  McAfee calls it "Stoned III" for
some reason or another, and Norton AntiVirus calls it "Bloomington" -
the city of its discovery.

Carl Bretteville
Arcen Data AS, Norway

------------------------------

Date: 09 Jan 92 15:01:27 +0100
From: Carl Bretteville
Subject: Re: Michelangelo & HD's (PC)

homan@envmsa.eas.asu.edu (Thomas H. Homan (aka Bit Bucket Bandit))
writes in VIRUS-L 5/002:

>Is there some other program for removing the Michelangelo virus from
>a stricken hard drive....I have a Seagate 3120A (IDE) drive that I
>cannot remove this virus from.  Here's what I have tried so far:
>1 - Fprot 2.01 - nope
>2 - Scan V80 - nope
>3 - Scan v84 - nada
>4 - Repartition drive as 40m and format - nope
>5 - Return partition size to 100m and format - still there
>what can be done?

Yes indeed!  If you can handle physical sector editors like Norton
Utilities or PCTools you can do it yourself by copying Head 0 Track 0
Sector 7 to Head 0 Track 0 Sector 1.  This will copy the original
Master Boot Sector back where it belongs and eradicate the virus in
the process.
But, remember to boot the PC off a clean floppy disk before you start.

Hope this helps.

Carl Bretteville
Arcen Data AS

------------------------------

Date: Fri, 10 Jan 92 13:40:00 -0700
From: JGUNDERSON@cudnvr.denver.colorado.edu
Subject: More Stoned virus questions (PC)

Another quick Stoned 3 question.  At the University of Colorado
(Denver) we got hit hard by the inadvertent mass release of the FORM
virus last year.  I found myself spearheading the process of cleaning
up and hardening the defenses of one of our computer labs.  I would
like to be ahead of the game if the Stoned 3 release hits us.  We have
been relying on Simon McAuliffe's NoStone as an ongoing defense
against Stoned; however, I notice that the Stoned 3 variant is listed
as a stealthed variety.  Does anyone know if NoStone v4.1 (released
June 1990) will do any good?

By the way, thanks for all the help.  What reputation I have as a
virucidal maniac is due mostly to what I have gleaned from this news
group.

Thanks

No signature, just a name.
JIM

------------------------------

Date: Fri, 10 Jan 92 20:14:33 +0000
From: keithm@norton.com (Keith Mund)
Subject: Re: Norton AntiVirus (PC)

There is no shareware version of The Norton AntiVirus available.  What
do you wish to know about the product?

Keith Mund

------------------------------

Date: Fri, 10 Jan 92 17:55:52 -0400
From: Andrew Brennan
Subject: Norton's AV (PC)

Question for anyone:

We have been using the latest (I think) version of NAV at the center I
work in.  We scan disks when people enter, and also run a scan of the
machines a couple of nights a week just to be on the safe side.  (ok,
maybe the paranoid side ... :^)

We have had a recurring problem with NAV crashing after scanning a
single 5.25 disk.  It's not terrible when a person is only intending
to use one 5.25, but people who come in with 5 or 6 disks means that
you either have to enter NAV, scan one, exit, start NAV again ...
OR enter NAV, scan one, attempt again (with a high chance of crashing
and needing a re-boot).  Sometimes (?!) the disk goes through w/out a
hitch and we are able to scan more than one 5.25 at a time.  It's not
happened (to my knowledge) on 3.5 scans, and it's not a
memory-resident conflict - the machine can have the same problem on
the second run, other machines have this problem with different memory
loads, etc.

Someone was in the other day and mentioned that Norton had had a
problem with that version and that a letter had been sent to people,
but we haven't seen anything along those lines ...  Anyone know about
this?

Andrew.  (brennaaa@duvm.ocs.drexel.edu)

------------------------------

Date: 11 Jan 92 13:53:58 +0000
From: harvey@oasys.dt.navy.mil (Betty Harvey)
Subject: 1575/1591 Virus (PC)

Our facility has been infected by the 1575/1591 virus.  The virus had
infected an entire building.  I am not sure how long the virus had
been traveling around and I suspect that I will see this virus again.
However, none of the infected machines showed any signs of being
infected except for one.  This machine was obviously the most used and
the most infected.  A green caterpillar with a yellow head crawled
across the screen and munched the letters, then shifted the margins to
the right.  I was able to clean up the disks using McAfee's CLEAN
(ver. 85) without any damage to the files (except it destroyed
versions of SCAN and CLEAN that were on the hard drive).

QUESTION:  Does anyone have any information on this virus?  I am
interested in finding out more about this virus since the odds are I
will see this little green fellow again.

Thanks!

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Betty Harvey                       | Maybe I was absent
David Taylor Research Center       | or was listening too fast.
Office Automation Systems Branch   | Catching all the words
Bethesda, Md. 20084-5000           | but then the meaning
(301)227-4901                      | going past.      D. Gates
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

------------------------------

Date: Sat, 11 Jan 92 23:36:23 -0600
From: Jarda Dvoracek
Subject: VIRUS at AT286 in SCAN85 (PC)

!!! AT 286 USERS !!!
!!! WARNING !!! WARNING !!! WARNING !!!
!!! SCANV85 INFECTED, CLEAR85 MAYBE TOO !!!

In Czechoslovakia, I got some new virus with the SCANV85.ZIP from some
BBS.  It makes all .COM, .EXE and .ASM files 10 bytes longer; the
first 6 bytes are:

   F0 FD C5 AA FF F0

No antivirus program has detected it, except those watching files'
length.  During 3 days it has infected all files but COMMAND.COM; some
of them worked normally, several terminated just after calling them.
It is possible that it writes in FAT1 - into the last sectors.

The same string was in CLEAN85.ZIP, there in CLEAN.EXE and
VALIDATE.COM, uploaded from BBS:

   AEC Ltd., Sumavska 33, 61264 Brno, Czechoslovakia
   Association for Electronics & Computers
   authorized agent of McAFEE ASSOCIATES
   Tel: +42-5-7112 ext. 502
   Fax: +42-5-744984
   BBS: +42-5-749889
   FidoNet: 2:421/16
   VirNet: 9:421/101
   InterCom: 83:425/1 (NCN mail)

SCANV85 was not from this BBS.  If I detect something more, I will
report.  If there are some questions, please be patient, I have 2 big
obstacles:
1) I can reach my E-mail box only rarely (by modem, always "line busy")
2) as I am only a physician,

Jarda Dvoracek, M.D.
1st Internal Clinic
Faculty Hospital
I.P.Pavlova 6
772 00 Olomouc
Czechoslovakia
E-mail (bitnet): dvoracek @ csearn
Phone: 0042 68 474, ext. 3201 (secretary)

------------------------------

Date: 13 Jan 92 18:18:25 -0500
From: x90yahya2@gw.wmich.edu
Subject: help! Jerusalem in MY PC (PC)

hi,

My PC 386 has been infected by the Jerusalem virus.  How can I get rid
of this virus?  Please send step-by-step instructions to remove this
beast.

Mazlan
P.O. Box 19501-9501
Kalamazoo
EMAIL: X90YAHYA2@GW.WMICH.EDU

------------------------------

Date: Mon, 13 Jan 92 07:14:56 -0800
From: dusty.henr801e@xerox.com
Subject: Untouchable (PC)

Can anyone comment on the anti-virus package 'Untouchable' by Fifth
Generation Systems, Inc?  It claims to be able to detect both known
and future viruses without upgrades.  I received a mailing offering
it for $99 (normally $165) until 2/1/92.  Is it worth it?

dusty

Dominic G. Flory
dusty:henr801e:xerox
Eastern Time Zone
801-15A
8-227-5082
160.25220610241.0

------------------------------

Date: 13 Jan 92 16:20:45 -0500
From: "David.M.Chess"
Subject: re: What Does Michael Angelo Do? (PC)

> From: "21478, SCHILLIG,JR., LAWRENCE K"
> Does anyone know what this virus can do to an IBM system?

If you have the same "Michelangelo" virus that I've analyzed, it will
overwrite the bottom of the boot disk (the first floppy or the first
hard disk) with trash if booted on March 6th.  You probably want to
make sure you've cleaned it up well before then!

As usual, your mileage may vary: the virus you have may have little or
nothing in common with the virus I've examined.  Have a local guru
disassemble it if you want to be sure; it's quite small!

DC

------------------------------

Date: Sun, 12 Jan 92 08:10:29 +0000
From: plains!umn-cs!LOCAL!aslakson@uunet.uu.net (Brian Excarnate)
Subject: Re: Macs Running Soft PC (Mac) (PC)

lev@amarna.gsfc.nasa.gov (Brian S. Lev) writes:

>fprice@itsmail1.hamilton.edu (Frank Price) writes...
>>SoftPC does such a good job of emulating an MS-DOS machine that many
>>(most? virtually all?) viruses WILL infect it.  SoftPC uses a (big)
>>data file for the contents of the simulated PC's hard drive.  I believe
>>Mac antiviral programs consider this to be a data file and do not
>>check it.  Even if they did, they would not know how to recognize
>>MS-DOS viral code.
>Ummm...
>I'm not 100% positive, but I seem to remember the more recent
>versions of the Mac's "Big 4" (Disinfectant, Virex, SAM, SUM) all _do_
>look at data files if you tell 'em to scan your disk...

They scan for Mac viruses; Frank is talking about MS-DOS viruses.

Brian
--
Suspicious mind

------------------------------

Date: Fri, 10 Jan 92 09:40:56 -0700
From: bear@fsl.noaa.gov (Bear Giles 271 X-6076)
Subject: PC virus infects UNIX system (UNIX) (PC)

Forwarded to VIRUS-L by Keith Peterson

We were configuring the ethernet card on our new 486 UNIX (SVR5) box
when we determined that we needed to boot and run DOS to run the
ethernet configuration program.  (Or possibly the EISA configuration
-- this happened in my office but I was not involved).

No problem: simply create a boot disk from the DOS system across the
hall and reboot DOS.

Unfortunately, that system had been infected with the 'Stoned' virus.
This virus overwrote the UNIX BOOT TRACK when the infected DOS was
booted.  Result -- no more SVR5.  We will probably have to perform a
low-level format of the disk and rebuild the UNIX from original media.

Morals:

1) don't ignore DOS viruses simply because you run UNIX unless you
   NEVER need to use DOS.

2) Pound on DOS users to note and report strange behavior because some
   infections are very costly (several person-days to rebuild this
   system -- at least it was new and had no work-in-progress on it!)

Bear Giles
bear@fsl.noaa.gov

------------------------------

Date: 10 Jan 92 14:33:00 -0800
From: "LUSTIG, ROB L."
Subject: New to the forum - question

Greetings,

I am new to this area and wonder how often people actually come across
virui?  I have found only a couple per year crop up and haven't had
one actually do any real damage (except to people's egos).

Rob Lustig

------------------------------

Date: Sat, 11 Jan 92 21:55:05 -0600
From: fstuart@eng.auburn.edu (Frank Stuart)
Subject: Gulf War "virus"

[Moderator's note: I've received several (!)
postings about this topic, but I'm only including two here.  Relevant,
substantiated follow-ups will be posted as well.]

CNN is reporting that a computer "virus" was used during the Gulf War.
Reportedly, the virus was used to blank the screens of Iraq's air
defense computers.  The alleged virus was supposed to have been hidden
in a printer chip that was smuggled in from Jordan.  I (and many
others, I'm sure) would be very interested if anyone has further
information.

                        | 'A man in love is incomplete until he has married.
Frank Stuart            |  Then he's finished.'
fstuart@eng.auburn.edu  |                                --Zsa Zsa Gabor

------------------------------

Date: Sun, 12 Jan 92 00:32:41 -0500
From: stus5239@mary.cs.fredonia.edu (Kevin Stussman)
Subject: Viruses against Iraq??????

I was watching CNN (Sun Jan 12 00:04:57 EST 1992), and they were
talking about things that helped the US defeat Iraq.  One of the
things they mentioned was a "virus" on a chip which the CIA planted in
some printers in Jordan bound for Iraq.  Apparently, it blanked out
computer screens attached to the printers, and those screens were part
of the air defense network over Baghdad.

Virus on a chip??  How and when did it go off?  What type of virus?
(It probably wasn't a real virus (not self replicating) but nasty
screen killing code on a chip.)

So now hacking is legal, but only during wartime against an enemy.
(goes with killing)  What's the deal here?  Am I the last to hear
this?  (has it been discussed?)

K.

+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
Kevin Stussman
  -=> stus5239%mary.cs.fredonia.edu@cs.buffalo.edu
      stus5239@mary.cs.fredonia.edu
      UUCP: ...{ucbvax,rutgers}!sunybcs!mary!stus5239
  -=> Never have so many known so little about so much. <=-
+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
Rock climbing Joel...rock climbing....
                                        -- Crow (MST3K)
<<<---- KEEP CIRCULATING THE TAPES ----->>>
<<<---- Mail Me If Interested And Local ---->>>
+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+

------------------------------

Date: Fri, 10 Jan 92 19:11:49 -0800
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: The modem virus myth

[Moderator's note: Please be sure to read this and the other myth
postings as the MYTHS that they are.]

DEFMTH6.CVP   920105

                      The Modem Virus of 1989

Continuing with Padgett's list:

5) "Modem" virus

The first report I got of the modem virus is from VIRUS-L Volume 1,
number 42 in early December, 1988.  It came from the JPL, of all
places.  The original report was supposed to have come from a
telecommunications firm in Seattle, and contained all kinds of
technical bafflegab, including the fact that the virus was transmitted
via the "sub-carrier" on 2400 bps modems, so you should only use 300
or 1200.  The "subcarrier" was supposed to be some secret frequency
that the modem manufacturers used for debugging.  The virus was
supposed to do all kinds of changing of the internal registers of the
modem.  That first report gave no indication of how the virus got from
the modem into the computer.

As people started to raise objections to the possibility of this
ridiculous scenario, the initial report was traced back to a posting
on Fidonet (the earliest date I have in my records is October 6, 1988)
by someone who gave his name as "Mike RoChenle".  Ken later suggested
this might be read as "microchannel", the then new bus for IBM's PS/2
machines.

Among the serious researchers, these rumours were dealt with rather
quickly, within about two weeks.  We continued, however, to receive
reports of the virus for most of 1989.
The facts (that modem manufacturers use all the bandwidth available
for transmission, that the internal registers are data rather than
programs, that "unused" pins in an RS-232 cable are still "assigned"
and can't be used for spurious transmissions, and that terminal
emulation programs do not "call" incoming data as programs) only
served to spur the reporters to greater flights of fancy in their
descriptions of the "modem virus".

With the phenomenon being flat out physically impossible, why did the
rumour persist for such a long time?  One reason is that the rumour
itself may have prompted a lot of interest in computer viral programs
from among computer and modem users.  As these people joined virus
discussion groups, and did not see the modem virus being discussed,
they continued to post reports of it.  Also, the rumours contained
enough "pseudo-technical" language as to seem credible, while
remaining essentially incomprehensible to those who, while using a
modem, know little of the technology involved.

One of the major reasons, however, is likely that people were primed
to believe it.  BBSes, and, by extension, modems, have had a
consistently, and unfairly, bad press over the past few years.  BBSes
are seen as the ultimate source of all "evil" programs; viri and
trojans; and anything bad said about them is to be believed.  Which is
ano
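Added example, not part of the digest and not code from any product or poster
named in it.  Carl Bretteville's sector-editor recipe for a Michelangelo-infected
hard disk (copy Head 0 Track 0 Sector 7 back over Head 0 Track 0 Sector 1, after
booting from a clean floppy) and Bear Giles's Stoned-on-a-UNIX-box report both
rest on the same Stoned-family behaviour: the virus parks the original Master
Boot Record in sector 7 of the first track and carries the disk's partition
table inside its own sector so the machine still boots.  The Python below does
that copy on a raw disk image instead of with Norton Utilities or PCTools, and
adds the check a practitioner wants before writing anything: sector 7 must carry
the 55AA boot signature and its partition table must match the one in sector 1,
otherwise sector 7 is not this disk's saved MBR and the copy would wreck the
real one.  The 16-head, 63-sector geometry and every byte of the two sample
sectors are constructed assumptions; the "virus" bytes are a placeholder, not a
real signature.

```python
"""Restore a displaced Master Boot Record from a raw disk image.

Added example for this digest, not code from any product discussed in it.
Models the sector-editor recipe in Carl Bretteville's post: copy Head 0
Track 0 Sector 7 (where the Stoned family parks the original MBR of a hard
disk) back over Head 0 Track 0 Sector 1.  Geometry and sample bytes below
are constructed assumptions, not taken from a real infected disk."""

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
PT_OFFSET, PT_END = 446, 510   # 4 x 16-byte partition entries precede 55AA


def chs_to_offset(cyl, head, sector, heads=16, sectors_per_track=63):
    """Byte offset of a CHS address in the image.  Sector numbers are
    1-based, matching the digest's 'Sector 7' / 'Sector 1' wording.
    The 16-head, 63-sector geometry is an assumption for the example."""
    if not 1 <= sector <= sectors_per_track:
        raise ValueError("sector number out of range for this geometry")
    lba = (cyl * heads + head) * sectors_per_track + (sector - 1)
    return lba * SECTOR


def read_sector(image, cyl, head, sector):
    off = chs_to_offset(cyl, head, sector)
    return bytes(image[off:off + SECTOR])


def partition_table(sec):
    return sec[PT_OFFSET:PT_END]


def verify_backup(image, backup_sector=7):
    """Check that the backup sector plausibly holds this disk's saved MBR
    before anything is overwritten.  Returns (ok, reason)."""
    current = read_sector(image, 0, 0, 1)
    backup = read_sector(image, 0, 0, backup_sector)
    if len(current) != SECTOR or len(backup) != SECTOR:
        return False, "image too short"
    if backup[510:] != BOOT_SIGNATURE:
        return False, "backup has no 55AA boot signature"
    if not any(backup[:PT_OFFSET]):
        return False, "backup boot code area is all zeros"
    # Stoned-family infectors copy the partition table into their own
    # sector so the disk keeps booting; a mismatch means sector 7 is not
    # the MBR that belongs to this disk and copying it would be destructive.
    if partition_table(backup) != partition_table(current):
        return False, "partition tables differ; backup is not this disk's MBR"
    if backup == current:
        return False, "sector 1 already equals backup; nothing to restore"
    return True, "ok"


def restore_mbr(image, backup_sector=7):
    """Copy the saved MBR over sector 1 in place; returns the restored sector.
    Raises ValueError, and leaves the image untouched, if the checks fail."""
    ok, reason = verify_backup(image, backup_sector)
    if not ok:
        raise ValueError(reason)
    backup = read_sector(image, 0, 0, backup_sector)
    dst = chs_to_offset(0, 0, 1)
    image[dst:dst + SECTOR] = backup
    return backup


def build_constructed_image(sectors=64):
    """Constructed sample disk: a clean MBR displaced to sector 7 and a
    stand-in boot-sector virus body in sector 1, both sharing one partition
    table.  The byte strings are placeholders, not real virus signatures."""
    ptable = bytes([0x80, 0x01, 0x01, 0x00, 0x06] + [0] * 11) + bytes(48)
    clean_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PT_OFFSET - 5)
    virus_code = b"VIRUS-STANDIN" + b"\x00" * (PT_OFFSET - 13)
    clean = clean_code + ptable + BOOT_SIGNATURE
    infected = virus_code + ptable + BOOT_SIGNATURE
    image = bytearray(SECTOR * sectors)
    s1, s7 = chs_to_offset(0, 0, 1), chs_to_offset(0, 0, 7)
    image[s1:s1 + SECTOR] = infected
    image[s7:s7 + SECTOR] = clean
    return image


if __name__ == "__main__":
    img = build_constructed_image()
    print("before:", verify_backup(img))
    restored = restore_mbr(img)
    print("sector 1 now begins", restored[:5].hex())
    print("after: ", verify_backup(img))
```

Work on a copy of a real image, taken after booting from clean media as the
post says.  The partition-table comparison is what makes the copy safe for the
Stoned family in particular; a non-DOS disk such as the UNIX box in Bear Giles's
post can get its sector 1 back the same way, but whatever sector 7 held before
the infection is gone, because the virus wrote the saved MBR over it.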