From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.SEI.CMU.EDU
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #21
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------

VIRUS-L Digest    Tuesday, 4 Feb 1992    Volume 5 : Issue 21

Today's Topics:

    VIRUS WARNING - DaVinci Discovers Michelangelo (PC)
    More infected floppies from vendors (PC)
    Campana virus: how to cure it (PC)
    Re: AUX files (PC)
    virus -> reset (PC)
    Re: Possible Virus, Help!! (PC)
    OHIO virus (PC)
    Will re-formatting a floppy remove ALL viruses (PC)
    IBM PS/2 and CHKDSK ... (PC)
    Re: Pentagon and Keypress virus found (PC)
    Re: Stoned (PC)
    Re: very strange Mac behavior (Mac)
    Re: Reviews and request (PC + Amiga)
    New files on BEACH (PC)
    Revised Product Test for VIRx, version 1.9 (PC)
    Revision to Product Test on Virex-PC (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 04 Feb 92 08:22:01 -0500
From: "Kenneth R. van Wyk"
Subject: VIRUS WARNING - DaVinci Discovers Michelangelo (PC)

[Moderator's note: I received the following press release by FAX. Any typos are no doubt mine, not DaVinci's.]

News Release

DaVinci Systems Corporation
P.O. Box 17449
Raleigh, North Carolina 27619
Tel: (919) 881-4320
Fax: (919) 787-3550

Contact: Chris Evans
Vice President of Marketing
DaVinci Systems Corporation
(919) 881-4320

DaVinci Discovers Michelangelo Virus
Warns users of possible infection

RALEIGH, North Carolina, February 1, 1992 - DaVinci Systems announced today that a recent shipment of eMAIL 2.0 demonstration disks and 30-day kits may be infected with a computer virus known as Michelangelo. Approximately 900 customers and potential customers were sent the infected disks. Of these, over 600 were DaVinci resellers. DaVinci Systems immediately notified its resellers of the problem via electronic mail and will mail a new set of disks to all recipients of the infected disks by February 6th.

DaVinci Systems also advises anyone who has received a DaVinci eMAIL 2.0 demo disk or 30-day kit between January 20, 1992 and January 31st, 1992 not to use the disks they received.

According to Bill Nussey, President of DaVinci Systems, "While there is only a slim chance of one of our customers contracting the Michelangelo virus from these disks, we wanted to take every possible precaution."

The Michelangelo virus sits passively on infected machines until March 6th (Michelangelo's Birthday) when it corrupts data on a user's hard disk. FORTUNATELY, THE VIRUS CAN ONLY BE CONTRACTED BY BOOTING UP AN INFECTED FLOPPY. Because the infected disks are not bootable, most users who have received these diskettes will not contract the virus on their machine even if they run the demo or install the software on their hard disks. The only way users could catch the virus from an infected disk is if they inadvertently boot up their computers with the infected floppy in drive A while the drive door is closed.

DaVinci officials are still investigating the source of the virus. Although DaVinci's master disks are routinely checked for viruses, the virus software used apparently did not detect Michelangelo.
"We are now using multiple virus-detection products and insisting that our duplicating contractors also check for viruses", said Nussey.

The Michelangelo virus can be detected by Microcom's Virex version 2.11 or later or by McAfee Associates shareware program VIRUSCAN version 7.9v84 or later. DaVinci users and resellers can download VIRUSCAN from DaVinci's BBS at (919) 881-4342.

Based in Raleigh, North Carolina, DaVinci Systems Corporation is the leading independent supplier of LAN-based electronic mail applications. The company's products run under acknowledged personal computer network and operating system standards such as MS-DOS, Microsoft Windows, and Novell Netware.

DaVinci Systems is at P.O. Box 17449, Raleigh NC 27619. Telephone (919) 881-4320, (800) DAVINCI. FAX: (919) 787-3550.

The product names and trademarks referenced are the trademarks or registered trademarks of their respective companies.

------------------------------

Date: Tue, 04 Feb 92 09:04:11 -0500
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: More infected floppies from vendors (PC)

This is getting silly. Then again it indicates that a real understanding of the architecture is not a prerequisite for success in vending software.

What has happened is that the vendors do not know what the disks they are sending out are supposed to look like. This is understandable since there is an incredible number of disk formats since every formatter puts in Boot Record (and MBR for that matter) code that is different from everyone else's. This was part of the reason I developed the FREEWARE SafeMBR and SafeFBR code, so that I could take a quick look at the code from a clean machine and determine that it has not changed. Since the boot records of all my floppies are the same (other than the four different BPBs), it makes for an easy check whenever a floppy is put in the drive.

Notwithstanding the anti-viral aspect, when a vendor prepares a distribution disk, statistical sampling should permit a quick scan and comparison with a "gold copy" cryptographic checksum. For some time, it has been my belief that Scanners are best used for identifying a problem, not in the first notice that there is a problem. Since we have now reached the point at which floppies are not expected to have bad sectors (I do not use any that do), the FATs and Programs on a disk and their locations should be stable in a duplication process. Given a stable Boot Record, then all distributed disks should be mirror images of each other. At this point normal statistical sampling should be sufficient for integrity management.

What I do not understand is why the vendors refuse to acknowledge this - I would think that it would be a selling point. Not only would this make it very difficult for viruses to spread, the incidences of corrupt files on distribution disks (have been receiving quite a few lately) would be sharply reduced. It would also provide a defense against claims of "shrink-wrapped" viruses though more vendors seem to be picking up on "notchless" floppies.

Maybe that's why I am not a vendor.

Warmly,
Padgett
padgett%tccslr.dnet@mmc.com

Disclaimer: Obviously not my employer's opinions

------------------------------

Date: Fri, 31 Jan 92 15:48:11 -0300
From: Jean-Pierre Gattuso
Subject: Campana virus: how to cure it (PC)

My PC is apparently infected by a virus. The symptom: most of the time floppy disk formatting fails and when it succeeds, a dir command shows very odd characters. I was told that this virus might be Campana. Norton anti-virus, which I purchased last October, does not detect it. It is not in the viri list anyway. Does anyone have an idea on how I could get rid of it? Maybe there is some freeware virus checker which could do the job. I'm not familiar at all with the PC stuff, especially for downloading software. If anyone recommends a program, can I download it on my Mac and then save it in DOS format via Apple File Exchange?

Thanks in advance for your help.

Jean-Pierre Gattuso, Bitnet: JPG@FRPERP51

------------------------------

Date: Fri, 31 Jan 92 12:37:12 -0400
From: Doc Cottle
Subject: Re: AUX files (PC)

-----> Leonard Erickson <70524.2603@CompuServe.COM> writes:

-In VIRUS-L V5#15, diaz@leland.stanford.edu (Kathy Diaz) writes:
->I have a question it seems that I have come across some sort of virus.
->My Dos Machine has in every directory a file called aux. It seems also
->that you can't find it by normal means. I guess the best way to find
->it is to use any editor(edlin, edit, vi, etc..) to look at it, but
->what you actually get is a computer freeze.
->You could also try to rename a file to aux and you will some sort of
->duplicate file error.
->Each aux file is about 112 bytes long.
->It doesn't seem to be malicious aside from taking up space but I can't
->even look in the file and try to dump the contents onto a file or
->something. And scanv85 doesn't find it. Same thing with CPAV. If
->anybody knows something about this all your help will be greatly
->appreciated.

>AUX is one of the default *devices* in MS-DOS. It is usually mapped to
>COM1:. Like all devices it can be *addressed* as if it were a file. (ie
>COPY XYZ AUX)
>The 112 bytes (how'd you get that?) is probably the buffer size for AUX.
>The list of standard MS-DOS devices follows:
>device   Input   Output
>CON      yes     yes      input=keyboard/output=screen
>PRN      no      yes      mapped to LPT1
>AUX      yes     yes      mapped to COM1
>NUL      yes     yes

--- rest deleted.

I've also noted one other response to Kathy's question that was of a similar nature. It seems to me that BOTH respondees missed the thrust of what she was asking. While it is true that AUX is another name for COM1 what we are dealing with is a logical HANDLE.
What she is ASKING about is the existence of numerous FILES which carry the name AUX - and I believe that that is an entirely different matter. I don't know the answer to her question (sorry Kathy) but it seems that answers are occurring to people based on a faulty reading of same. What meager knowledge I've obtained to this point tells me that all of these device drivers are memory resident! I see NO REASON AT ALL for numerous 112 byte FILES to've been created residing in EVERY directory (including all sub, sub sub, and sub sub ... etc ones? Ohmygawd!!) of (what I presume is) Kathy's hard drive!

Pardon any misunderstandings on my part but I feel that those of you who are trying to help those of us with lesser knowledge (and we DO appreciate it, believe me!) should try to be sure that you are answering the question we ASKED, not the question that you've ASSUMED that we asked (due to a too quick read?). I'm very interested in knowing what WOULD cause a proliferation of 112 byte files that would appear to be redundant.

Thanks for reading,

Darryl O. (Doc) Cottle
docottle@ukcc.uky.edu*

*That's the account I monitor daily. I only look at this one about once (maybe twice) a week.

"That was NOT manual override, Captain." Mr. Data.

------------------------------

Date: Thu, 30 Jan 92 13:13:52 +0000
From: K.W.Chan@cm.cf.ac.uk (K W Chan)
Subject: virus -> reset (PC)

Hi,

Does anyone know of a virus on the PC that reboots the computer every-so-often. :-)

Kai.

------------------------------

Date: Fri, 31 Jan 92 18:57:32 +0000
From: sequent!techbook.com!cetek@uunet.uu.net (Ron Coleman)
Subject: Re: Possible Virus, Help!! (PC)

RCG1659@TNTECH.BITNET (RICKY GATES) writes:

>I was working on a friends Gateway 2000 386SX-20 MHz computer this
>weekend, when every time I hit the space bar on the keyboard. It stops
>taking input from the keyboard, but the computer types out TUMARC FROM
>CHINA on the screen and beeps for about 3 to 4 minutes. It then stops
>and leaves the text on the screen. I can backspace it off the screen,
>but as soon as I hit the spacebar again it does it again. I asked my

Gateway 2000s come with an AnyKey Keyboard that allows you to redefine the keyboard with macros. Your description sounds like someone redefined the space bar to enter the above characters instead of a blank space. The fact that you can then backspace over them may support this. Has anyone had the opportunity to mess around with his computer? I've accidentally redefined a key on my keyboard, though it doesn't sound like the above would be accidental.

Thomas Coleman
--
cetek@techbook.COM   ...!{tektronix!nosun,uunet}techbook!cetek
Public Access UNIX at (503) 644-8135 (1200/2400)   Voice: +1 503 646-8257
Public Access User --- Not affiliated with TECHbooks

------------------------------

Date: Fri, 31 Jan 92 23:28:04 +0000
From: joer@lawlords.law.csuohio.edu (Joe Rosenfeld)
Subject: OHIO virus (PC)

Greetings to you all:

Can anyone tell me what the OHIO virus is? How does it infect? How can I clean it (and with what product)? I saw it today, and McAfee's Clean does not seem to handle it (it is not listed by name). All help is appreciated. Thanks!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joe Rosenfeld
Automation Librarian
CSU Law Library
joer@lawlords.law.csuohio.edu
loki@asgard.csuohio.edu
"Now my name is on the line ... how could people get so unkind?"

------------------------------

Date: Sat, 01 Feb 92 01:02:43 +0000
From: washer@sequent.com (Jim Washer)
Subject: Will re-formatting a floppy remove ALL viruses (PC)

I am now the proud and happy owner of an infected 3.5" 1.44Mb floppy. Should I immediately burn it in a large bonfire, or will re-formatting exorcise it adequately?

just want to be safe...

- jim
washer@sequent.com

------------------------------

Date: Sat, 01 Feb 92 00:00:46 -0400
From: Andrew Brennan
Subject: IBM PS/2 and CHKDSK ... (PC)

When you run CHKDSK under Dos 3.3 on a PS/2, shouldn't the numbers for total memory still come up to 655360? I have four machines here (at least) all pulling 1k short of that. The only explanation I have is that it might be linked to the Microchannel, etc. I booted from (what I think to be a) clean Dos and still have the same results. I'm about to start looking through VSUM for Stealth virii as nothing shows up in a clean scanning with NAV 1.5 (I know, I know ... get the update! :^) Time to dig out McAfee and F-Prot to see what they say.

Andrew.

------------------------------

Date: Sat, 01 Feb 92 11:03:59 +0000
From: Fridrik Skulason
Subject: Re: Pentagon and Keypress virus found (PC)

In Message 24 Jan 92 16:51:55 GMT, NVCARLE@VCCSCENT.BITNET (Eric Carlson) writes:

>Pentagon and Keypress viruses were found on floppys in one of our labs.
>
>Pentagon virus was NOT FOUND by SCANv84, but it was found with SCANv69.

The Pentagon "virus" is not a real virus - for a simple reason - it simply doesn't work...never has, and never will. However, if it was found on a diskette, I see two possible explanations

    False alarm - (very likely) A problem in v69 that was corrected later

    New and updated version of the virus - (highly unlikely)

Frankly, I wouldn't worry too much about this...

-frisk

------------------------------

Date: Sat, 01 Feb 92 16:14:51 +0000
From: grnwood@gagme.chi.il.us (Jerry Greenwood)
Subject: Re: Stoned (PC)

....yes, and I also found stoned on my hard drive. It was also in the boot sector of eight of my disks. It never went off (no screen message) and what puzzles me is that I've had some of these disks lying around here for quite a long time (a year?). Why didn't it go off? What sets it off?
--
Jerry Greenwood N9NRG
grnwood@gagme.chi.il.us
"Logic is the beginning of wisdom, Lieutenant, not the end"

------------------------------

Date: Fri, 31 Jan 92 23:57:46 +0000
From: samba.acs.unc.edu!Jesse.Taylor@mcnc.org (Jesse Taylor)
Subject: Re: very strange Mac behavior (Mac)

If your computer isn't that important, and/or you have all stuff backed up, try setting the file privs for those programs in Gatekeeper. If your computer goes crazy, at least you're not in the dark anymore. You may simply have an error in your Gatekeeper INIT, it may be incompatible with a new program or init/cdev, if you have just installed one. Or it could simply be a hardware problem... I have not heard of any viruses that would do something like that... It may be a new strain? (shrug)

L8R///

------------------------------

Date: Thu, 30 Jan 92 13:23:30 +0000
From: leeuw@fwi.uva.nl (Jacco de Leeuw)
Subject: Re: Reviews and request (PC + Amiga)

d90mb@efd.lth.se (Maarten Berggren) writes:

>>Now, a request. We haven't heard much from the Amiga people lately. Can
>>I get some feedback on the top Amiga antiviral shareware of recent date?

>I more or less write this to prove that Amiga-owners read this channel,
>although there isn't much amiga-related stuff here.
>I haven't had much problems with viruses recently. The only virus I got last
>year was a lamer-exterminator, and I think I used BootX to remove it.
>I think that more Amiga-owners ought to write to this channel, to share
>the latest info. about viruses.

One Amiga virus which caused many problems here in Holland was/is the Saddam virus, which can infect memory as soon as you insert an infected disk (are Amiga viruses more advanced than PC viruses? ;-). I use VirusChecker by John Veldthuis to protect, and in conjunction with FixDisk to wipe it off. Personally, I had no real problems with it, but many beginners in my computerclub still have...

Jacco

--
Jacco de Leeuw           | Dpt. of Computer Science |
J.C. van Wessemstr. 54   | University of Amsterdam. | Fidonet: 2:512/128.347
1501 VM Zaandam, Holland | Email: leeuw@fwi.uva.nl  | Phone: +31-75-352068
This signature was infected by several viruses! (What an asshole, eh?) [SProt3.1]

------------------------------

Date: Tue, 04 Feb 92 08:19:31 -0600
From: PERRY@beach.gal.utexas.edu (John Perry KG5RG)
Subject: New files on BEACH (PC)

Hello Everyone!

The 86B version of the McAfee anti-viral software suite is now available on beach.gal.utexas.edu (129.109.1.207). Please contact perry@beach.gal.utexas.edu if you have any questions or problems.

John Perry KG5RG                     | perry@beach.gal.utexas.edu - Internet
University of Texas Medical Branch   | PERRY@UTMBEACH - BITnet
Galveston, Texas 77550-2772

------------------------------

Date: Sun, 19 Jan 92 13:00:05 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revised Product Test for VIRx, version 1.9 (PC)

*******************************************************************************
                                                          PT-41
                                                          July 1991
                                                          Revised January 1992
*******************************************************************************

1. Product Description: VIRx is a copyrighted program written by Ross M. Greenberg to detect computer viruses and malicious programs. VIRx is the detection portion (VPCScan) of the commercial protection program Virex-PC (reference PT-23, revised January 1992). This product test addresses version 1.9, 17 December 1991.

2. Product Acquisition: The program is freely distributed by Microcom Systems, Inc., with special instructions for business and corporate users. These users have only a 30 day license for product evaluation, after which they must contact Microcom for site license authorization. THIS CONSTITUTES A MAJOR LICENSING CHANGE FROM PREVIOUS VERSIONS. Microcom has made VIRx available on many bulletin boards and software repositories, to include the MS-DOS repository on simtel20 [192.88.110.20]. The current path on simtel20 is pd1:virx19.zip.

3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil.

[Moderator's note: The remainder of this product test is available by anonymous FTP on cert.sei.cmu.edu (IP=192.88.209.5) in the pub/virus-l/docs/reviews/pc directory under the filename mcdonald.virx.]

------------------------------

Date: Tue, 21 Jan 92 09:17:38 -0700
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Revision to Product Test on Virex-PC (PC)

*******************************************************************************
                                                          PT-23
                                                          March 1991
                                                          Revised January 1992
*******************************************************************************

1. Product Description: Virex-PC is a software package to detect, disinfect and prevent computer viruses and malicious programs for the MS-DOS environment. This product test addresses version 2.0.

2. Product Acquisition: Virex-PC is available from Microcom Software Division, P.O. Box 51489, Durham, NC 27717. The telephone number is 919-490-1277. The price is $99.00. There are several third party vendors who sell single copies at a significantly reduced cost. Registered users receive discounts on product upgrades.

3. Pr
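Padgett Peterson's post earlier in this digest suggests checking each duplicated floppy's boot record against a "gold copy" cryptographic checksum, with the boot code being identical across his floppies apart from the BPB. The following is an added example of that check (Python, not code from any post in this digest): the boot sectors are constructed, the BPB fields follow the standard DOS layout but the boot code bytes are placeholder filler, and SHA-256 is assumed as the checksum.

```python
"""Gold-copy boot record check for duplicated floppies (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_START, BPB_END = 0x0B, 0x3E   # BPB + extended BPB (DOS 4 layout), masked out
SIG_OFFSET = 0x1FE                # 0x55 0xAA marks a valid boot record


def code_fingerprint(sector: bytes) -> str:
    """SHA-256 over the boot record with the BPB region zeroed.

    Masking the BPB lets one gold fingerprint cover every floppy format a
    vendor ships (360K, 720K, 1.2M, 1.44M): only the boot code is compared.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot record must be exactly 512 bytes")
    masked = sector[:BPB_START] + bytes(BPB_END - BPB_START) + sector[BPB_END:]
    return hashlib.sha256(masked).hexdigest()


def check_boot_record(sector: bytes, gold_fingerprint: str) -> list:
    """Return findings for one disk; an empty list means it matches the gold copy."""
    findings = []
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if code_fingerprint(sector) != gold_fingerprint:
        findings.append("boot code differs from gold copy")
    return findings


def check_batch(sectors, gold_fingerprint: str) -> dict:
    """Check a sample of duplicated disks; returns {index: findings} for the bad ones."""
    bad = {}
    for i, sector in enumerate(sectors):
        findings = check_boot_record(sector, gold_fingerprint)
        if findings:
            bad[i] = findings
    return bad


def build_sector(bpb_fields, boot_code: bytes) -> bytes:
    """Assemble a constructed boot record: jump, OEM name, BPB, EBPB, code, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"              # JMP SHORT + NOP, as DOS boot records start
    sector[3:11] = b"MSDOS3.3"
    sector[0x0B:0x24] = struct.pack("<HBHBHHBHHHII", *bpb_fields)
    # Extended BPB: drive number, reserved, 0x29 signature, serial, label, FS type
    sector[0x24:0x3E] = struct.pack("<BBBI11s8s", 0, 0, 0x29, 0x1234ABCD,
                                    b"NO NAME    ", b"FAT12   ")
    sector[0x3E:0x3E + len(boot_code)] = boot_code
    sector[SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


# BPB field order: bytes/sector, sectors/cluster, reserved, FATs, root entries,
# total sectors, media byte, sectors/FAT, sectors/track, heads, hidden, total32
BPB_1440K = (512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
BPB_720K = (512, 2, 1, 2, 112, 1440, 0xF9, 3, 9, 2, 0, 0)

PLACEHOLDER_CODE = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 40   # constructed filler, not real boot code
GOLD_1440K = build_sector(BPB_1440K, PLACEHOLDER_CODE)
GOLD_720K = build_sector(BPB_720K, PLACEHOLDER_CODE)              # same code, different BPB
TAMPERED = build_sector(BPB_1440K, b"\xEA" + PLACEHOLDER_CODE[1:])  # one changed code byte
GOLD_FINGERPRINT = code_fingerprint(GOLD_1440K)

if __name__ == "__main__":
    for name, s in [("1.44M gold", GOLD_1440K), ("720K gold", GOLD_720K), ("tampered", TAMPERED)]:
        print(name, check_boot_record(s, GOLD_FINGERPRINT) or "OK")
```

A disk with a different format but the same boot code passes, while a single changed byte outside the BPB, or a missing boot signature, is reported.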