To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #44
--------
VIRUS-L Digest   Friday, 19 Mar 1993    Volume 6 : Issue 44

Today's Topics:

Re: Viruses in other populations
Re: Product reviews in magazines
Re: Product reviews in magazines
Re: Laws and Viruses
Ignorance is curable (mostly PC)
Votes on Virus Scanners. (PC)
Re: Michelangelo (PC)
Which Virus is this? (PC)
New (?) virus ? (2294) (PC)
Viruses in South Africa (PC)
Minnow-V virus correction (PC)
Removing virus on stack drive (PC)
Date triggered virus (PC)
Re: wordperfect virus? (PC)
IBM PC Boot Seq (was Partition table viruses (PC))
Central Point and Stacker (PC)
Re: F-PROT (PC)
Re: Executable signatures (PC)
FIXUTIL4.ZIP from A. Padgett Peterson (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    09 Mar 93 16:42:10 +0000
From:    rind@enterprise.bih (David Rind)
Subject: Re: Viruses in other populations

I'm not certain this group actually cares, but rather than have
the world of computer virus researchers scared of chicken pox...

 WHMurray@DOCKMASTER.NCSC.MIL writes:
>If you introduce Herpes Simplex ("Chicken Pox") into a sterile population 

Chicken pox is caused by varicella-zoster virus which is in the family
of herpesviruses but is not Herpes Simplex virus.  Herpes Simplex
viruses are the causes of cold sores and genital herpes.

>of  10K people, about 10 percent will die, most of the remainder will
>become immune, and Herpes will die out.

About 10% of adults who get chicken pox will develop a serious
complication such as pneumonia.  The mortality in adults is not 10%.

>"childhood" disease.  It is not that children are inherently more
>vulnerable to the virus than adults, but that all of the adults are
>either immune or dead. 

Childhood chicken pox has virtually no mortality.  Also, about 10%
of adults in the U.S. are not immune to chicken pox.

 
- -- 
David Rind
rind@enterprise.bih.harvard.edu

------------------------------

Date:    Wed, 10 Mar 93 00:40:33 +0000
From:    debrown@hubcap.clemson.edu (David E. Brown)
Subject: Re: Product reviews in magazines

fc@noether.duq.edu (Fred Cohen) writes:

>When will you guys figure out that the PC magazine reviews of
>antivirus products favored those who spend a lot of money advertising?
>These magazines don't want to offend their advertisers, they exist to
>help the advertisers sell more product.  Just look at the things they
>advocate, and how can you believe anything else?

Oh sure, this has been evident for a long time.  They just hype whatever
suits them at the time.  They have it in for certain companies and are
in the pocket of others.
	In this month's issue, Dvorak advocates doing away with the
present BIOS, and coming up with a whole new architecture.  I agree that
the present AT style bus has many limitations but really how many people
are unsatisfied with the speed of their 486/33?  I do a lot of
numerical programming (processor intensive) and it's rare that anything really
takes that long.  
	Ok I know it's his job to get people like me to say things like
the above.  So he succeeded.  BTW, have you noticed at the end of every
one of his Inside track columns he advertises some sort of software that
he really likes.  Even though it's an "inside track" column, he's
advertising software.  I guess he's just flexing his muscle.
	I don't mean to single him out too much; some of the stuff he
writes is pretty interesting.  It's just a little difficult to swallow
that we all need some sort of new machine every month when apparently
everything was working pretty good.  Basically the magazine is a whole
lot of solutions in search of problems.
	In spite of all this they can be happy to know I'll resubscribe
and that will keep the important thing intact - the money.  Grudgingly,
I'll admit they're probably the best of the lot.    

						Dave

------------------------------

Date:    Wed, 10 Mar 93 07:55:14 -0500
From:    Y. Radai <RADAI@vms.huji.ac.il>
Subject: Re: Product reviews in magazines

  Fred Cohen writes:
> When will you guys figure out that the PC magazine reviews of
> antivirus products favored those who spend a lot of money advertising?
> These magazines don't want to offend their advertisers, they exist to
> help the advertisers sell more product.  Just look at the things they
> advocate, and how can you believe anything else?

That may sound plausible and it may be very convenient to believe, but
you'll have to produce some evidence to support your claim.  (Evidence
to the contrary: In its previous review, PC Magazine gave one of its
Editors' Choices to Alan Solomon's Anti-Virus Toolkit, and in its first
review it chose Ross Greenberg's FluShot+, despite the fact that
neither Alan nor Ross advertised in PC Magazine.)

  I think the main problem is that PC Mag's editors and reviewers are
simply amateurs when it comes to viruses.  One way in which this
manifests itself is in the fact that one of their main criteria for
Editors' Choice was that the software have a nice graphic interface.
More important, the reviewers don't have the slightest concept of
security holes.  They properly emphasized that known-virus scanning
isn't enough.  But they gave lots of points to products just because
they include some kind of integrity checking and generic monitoring
protection.  It doesn't seem to have occurred to them that there may
be tremendous differences in the quality of such software, that it may
be very simple for a virus to circumvent this protection in some of
the products, and that it's necessary to compare the products on this
basis as well.

  One other point.  Fred, I can't help suspecting that a major cause
of your writing as you did above was that the Integrity Toolkit which
you developed wasn't included in the review.  That's very unfortunate,
because from what I saw of it at last year's Lefkonference, it
certainly *looks* good.  However, I think this is partly your own
fault.  Correct me if I'm wrong, but as far as I know, you never
advertised it on any widespread level, gave out evaluation copies to
anyone, or made a shareware version available.  How then were the
editors supposed to even *know* of its existence?

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL

------------------------------

Date:    11 Mar 93 01:31:48 +0000
From:    ulogic!hartman@netcom.com (Richard M. Hartman)
Subject: Re: Laws and Viruses

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:
>	From a legal standpoint it might be enough to define a virus
>as "a sequence of instructions that intentionally performs an unwanted 
>and undocumented modification within a computing system for which it is 
>intended."

As in Microsoft's undocumented software interrupts in the various
DOS versions?  How about the "hidden" Windows functions?

>	Possibly "malicious software" would be a better term but IMHO
>the word "computer virus" has passed beyond any hope of control.

Hold on.  I think you may have something here.  Since when has
legal terminology been required to match up with common usage?
Perhaps "malicious software" is just what we need to define as
a legal term.  Especially since the definition of virus is so
mutable....

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lazy day, Sunday afternoon.			|
Like to get your feet up, watch TV.		|	-Richard Hartman
	
Sunday roast is something good to eat,		|	hartman@uLogic.COM
must be lamb to day 'cause beef was last week!	|

------------------------------

Date:    Tue, 09 Mar 93 10:58:08 -0500
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Ignorance is curable (mostly PC)

>From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
>Subject: Scanners and Compressed Disk Boot Sectors (PC)

"A higher path..."

>> my previous posting

>> With the rise of companion and stealth viruses, to be
>> sure in checking the low levels you must first authenticate the path to
>> disk

>How exactly do you do that? If a virus has been loaded and is chained to INT 
>13h, so that when you look for Sector-X Cyl-Y Head-Z it will replace it with 
>another location and you will never know !

Read Andrew Shulman's "Undocumented DOS". Int 2F Fn 13 will return the path 
to Int 13 DOS found when loading. If it does not point to the ROM BIOS or a 
controller card ROM, you have a problem (how you WILL know). If your program 
runs at the BIOS level like mine do, the table vector *must* point to the 
ROM BIOS or a disk controller if the machine is clean.

At BIOS time, high RAM does not exist and every Intel processor is in REAL
(8086) mode. Things are very predictable.

>Any way that you might point out as the total solution to the problem, I can 
>show a hole that viruses (naturally) may (or already do) use.

A virus can intercept an interrupt vector. It cannot intercept a FAR CALL.
All you need to know is where to make the far call to (the exercise is left to
the student). *No* virus can infect ROM memory unless built in at the factory.

> > As a consequence, the fact that the A-V is checking the STACed drive boot
> > sector means more than just an error is being flagged each time, it would
> > make me concerned that the real boot sector may be skipped.

>Not necessarily so, but quite likely. 

Would you care to bet your PC on it ? Perhaps I was being too gentle. EVERY
A-V I have seen that flags the compressed drive has been missing the real
DBR. Further, with the possible exception of the DOS 6.0 compression (haven't
gotten that far in studying it yet, it blew up on the test XT) every one
of the compression schemes I've looked at have layered their driver on
top of DOS and intercept INT 25 & 26, not 13. If you use 13, you will never
see the compressed disk boot sector. Is that clear enough ?

>As for myself, I do not recommend using 
>these double-diskers, since the problem that you mentioned (and viral problems
>in whole) is only a small portion of possible problems to happen. And 
>believe me - you don't want to be the owner of a disk when it crashes.

Legitimate opinion. Mine is that compressed drives make so much sense that
they will become a standard. The key is in the recovery programs and they are
maturing nicely.

>It reminds me of the EXPANDED memory cards that people used to buy once, and 
>got stuck with it immediately since EXTENDED memory has emerged. Get a bigger
>(faster) and reliable disk.

I have not yet reached the point of being able to treat PCs as disposable 
items, nor would I want to. Extended memory is a valuable attribute for
386 and higher machines. I still have 2 XT class and 1 AT class machines that
see regular and valuable use. My next *major* purchase will be a parallel port
ethernet adaptor for my laptop. I suspect that like myself, most readers are
not independently funded.

					Warmly (but in NY tomorrow),

						Padgett

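To make the check Padgett describes above concrete, here is an added example
(not Padgett's code and not part of the FixUtils) that inspects a captured
copy of the real-mode interrupt vector table and classifies where the INT 13h
vector points. The segment ranges (system ROM at F000h and above, adapter ROM
area C000h-EFFFh, conventional RAM below A000h) are assumptions taken from the
conventional PC memory map, and both vector tables are constructed for the
example; the block does not itself call Int 2F Fn 13.

```python
# Added example: classify the INT 13h vector found in a real-mode interrupt
# vector table (IVT).  Segment ranges below are assumptions based on the
# conventional PC memory map, not values taken from the digest.
ROM_BIOS_SEG = 0xF000      # system ROM BIOS lives at F000:0000 and above
ADAPTER_ROM_SEG = 0xC000   # adapter/option ROM area: C000h..EFFFh
CONV_RAM_END_SEG = 0xA000  # conventional RAM ends at 640 KB (A000:0000)


def linear_address(segment, offset):
    """Real-mode segment:offset -> 20-bit linear address."""
    return (((segment & 0xFFFF) << 4) + (offset & 0xFFFF)) & 0xFFFFF


def classify_segment(segment):
    """Name the memory region a segment falls in."""
    if segment >= ROM_BIOS_SEG:
        return "rom-bios"
    if segment >= ADAPTER_ROM_SEG:
        return "adapter-rom"
    if segment < CONV_RAM_END_SEG:
        return "ram"
    return "video"  # A000h..BFFFh: video memory, never a valid INT 13h target


def read_vector(ivt, int_no):
    """IVT entry int_no: little-endian offset word, then segment word, at int_no*4."""
    base = int_no * 4
    offset = int.from_bytes(ivt[base:base + 2], "little")
    segment = int.from_bytes(ivt[base + 2:base + 4], "little")
    return segment, offset


def check_int13(ivt):
    """Verdict on where INT 13h points.  Anything outside ROM is suspect."""
    seg, off = read_vector(ivt, 0x13)
    region = classify_segment(seg)
    return {
        "segment": seg,
        "offset": off,
        "linear": linear_address(seg, off),
        "region": region,
        "clean": region in ("rom-bios", "adapter-rom"),
    }


def make_ivt(int13_segment, int13_offset):
    """Construct a 1 KB IVT image with only the INT 13h entry filled in (sample data)."""
    ivt = bytearray(256 * 4)
    ivt[0x13 * 4:0x13 * 4 + 2] = int13_offset.to_bytes(2, "little")
    ivt[0x13 * 4 + 2:0x13 * 4 + 4] = int13_segment.to_bytes(2, "little")
    return bytes(ivt)


# Constructed samples: a vector into the system ROM, and one into a paragraph
# just below a 640 KB top of memory, where a resident hook would typically sit.
CLEAN_IVT = make_ivt(0xF000, 0xE3FE)
SUSPECT_IVT = make_ivt(0x9FC0, 0x0000)

if __name__ == "__main__":
    for name, ivt in (("clean", CLEAN_IVT), ("suspect", SUSPECT_IVT)):
        v = check_int13(ivt)
        print(f"{name}: INT 13h -> {v['segment']:04X}:{v['offset']:04X} "
              f"({v['region']}) clean={v['clean']}")
```

A vector that points into RAM is not proof of infection on its own, since
disk caches and legitimate device drivers hook INT 13h as well; the useful
procedure is to record the vector after a clean floppy boot and treat any
later difference as the thing to investigate, which is what the
`"clean"` flag above is meant to feed.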
------------------------------

Date:    09 Mar 93 19:34:01 +0000
From:    steve@wet.sbi.com (Steve Jarrett)
Subject: Votes on Virus Scanners. (PC)

I know this is probably a widely asked question but following the
complaints about the PC Mag's review of virus scanners and the
complaints concerning its accuracy what is best. Also do "shields"
work without blocking the use of device drivers etc.

Any comments via email if possible. I will summarise back.

Cheers,

Steve.

Steve Jarrett			Phone : +44-71-721-2422
Technical Services		Fax   : +44-71-416-0029
Salomon Brothers		Email : steve@wet.sbi.com

------------------------------

Date:    09 Mar 93 22:27:07 +0000
From:    twcaps@tennyson.lbl.gov (Terry Chan)
Subject: Re: Michelangelo (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
  +
  +BTW, I am very curious how many Michelangelo hits have happened this
  +year...

Just for a data point, I ostensibly have some PC support 
responsibilities for a program here (encompassing about
75 PCs).  We had no infections of Michelangelo (though 
this may have been mitigated in part because March 6 fell 
on a Saturday this year).

However, one of our senior scientists who frequently 
shuffles files between home and work did turn on his PC
on Saturday and found that he couldn't boot his and it
was infected by the Michelangelo virus.  Somewhat 
ironically, in the aftermath of last year's hullabaloo, 
on a whim, I scanned his hard disk and found Michelangelo 
in June 1992.  I warned him of it, but I guess it's not 
enough sometimes.

Fortunately, he was backed up.

Terry Chan
- --
Energy and Environment Division   | Internet:  TWChan@lbl.gov
Lawrence Berkeley Laboratory      | 
Berkeley, California  USA  94720  | Yeah, right.

------------------------------

Date:    09 Mar 93 22:35:42 +0000
From:    kxj6@po.CWRU.Edu (Kijin Jung)
Subject: Which Virus is this? (PC)

A friend of mine apparently got hit by a virus (poor guy! - just
another statistic...) several days ago, before March 6 I believe.  The
details are a bit sketchy, since he hastily reformatted his hard drive
after the incident. Actually, he had thought that his hard drive had
gone bad, so initially, he actually went out and bought a new hard
drive!

He claims that all his executable files (.EXE) were renamed to
.COM. Also, the virus apparently rewrote some of his CMOS
settings, since the computer would not recognize his hard
drive. Correction: sometimes it would not recognize his hard
drive, but at other times, he could boot up the drive (maybe
the boot sector was affected?)

I would like to know what virus this might possibly be, not
only because of curiosity, but because he and I often use the
computers at school (where he might have caught the virus), and
I would like to protect myself from this particular virus.

Thanks,
- -- 
 __ Kijin Jung ________________________ To affect the quality of the day, __
|   kxj6@po.cwru.edu                 |  that is the highest of the arts.    |
|   Case Western Reserve University  |                                      |
|__ (216) 754-1101 __________________|________________________ -Thoreau ____|

------------------------------

Date:    Wed, 10 Mar 93 10:30:21 +0000
From:    v922340@hildebrand.si.hhs.nl (Ivar Snaaijer)
Subject: New (?) virus ? (2294) (PC)

Hi virus netters,

A customer came across last Thursday, complaining about Windows
(who ain't, only people who bought a 486DX/66 with 2Mb cache local bus IDE +
8Mb and a local bus video, don't complain :-) )
the Windows we installed on his system didn't work and bailed out 
with an error complaining about almost everything. It was likely a virus
because when I execute a program that isn't likely to execute normally
(tree.com) the harddisk is quite busy but the second time it isn't
(I mean not searching the tree !)
TBSCAN (v5.04) showed behind a lot of files a U and a K which mean 
an undocumented DOS call and an odd stack. Executing a file that didn't 
have the UK flags resulted in the fact that it did get the flags.

I have beta tested TBSCAN v5.10 which claims it is the 2294 virus
(v5.04 doesn't recognize it) ... it struck me like an abnormality,
because TBSCAN had recognized all the viruses I have in stock. I've tried
F-PROT which says that the file is strange but doesn't report a virus
either, SCAN v99 doesn't see anything, and I'm gonna try v102 this afternoon.
Is there anybody who can tell me more about this virus? (except that it is 
2294 bytes long)

Ivar.

- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- -- 
- -----------------------------------------------------------------------------
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date:    Wed, 10 Mar 93 14:31:30 -0500
From:    cjkuo@symantec.com (Jimmy Kuo)
Subject: Viruses in South Africa (PC)

[In a thread on CMOS corruptors, Paul Ducklin wrote...]
>This virus family was pretty widespread in South Africa at one time --
>which is where my knowledge of the CMOS RAM map comes from :-)

Paul,

We've been getting reports of many virus outbreaks in South Africa
lately.  Could you provide some factors that you believe are
contributing to this?  Are there any particular hotbed locations
within S. Africa or is it simply the whole of S. Africa?

I would really appreciate being able to get some insight to your
problems there.  Thanks.

Jimmy Kuo                                       cjkuo@symantec.com
Norton AntiVirus Research

------------------------------

Date:    Wed, 10 Mar 93 14:37:34 -0500
From:    fergp@sytex.com (Paul Ferguson)
Subject: Minnow-V virus correction (PC)

On 6 Mar 93 (05:45:49 GMT), bill.lambdin@frenchc.eskimo.com
 (Bill Lambdin) wrote -
 
BL> I was aware of Zero Hunt only infecting files with areas of 00
BL> hex. Usually data or buffer areas. This is how that Zero Hunt
BL> can infect files, but not show an increase in the filesize.
 
 Bill, this area is called "stack space". The original sample of the
 Minnow-V (the original name of the virus; I think one of the McAfee
 programmers named it Zero Hunt) that I isolated (check your sources)
 would only infect .COM files that contained 416 contiguous bytes of
 00h stack space. It does not use the DOS copy buffers for a transfer
 area the way the Darth Vader viruses do (you must be confusing the
 two viruses), but rather, Minnow-V is an infect_on_execute (host),
 TSR virus. According to Patti Hoffman's reference, there is a 411 byte
 variant, although I have never seen it.
 
 Hope this clears things up for you.
 
 Cheers.
 

Paul Ferguson                     |
Network Integration Consultant    |  "All of life's answers are
Alexandria, Virginia USA          |   on TV."
fergp@sytex.com     (Internet)    |           -- Homer Simpson
sytex.com!fergp     (UUNet)       |
1:109/229           (FidoNet)     |
         PGP public encryption key available upon request.

------------------------------

Date:    Wed, 10 Mar 93 16:26:45 -0800
From:    Pete Wong <pwong@igc.apc.org>
Subject: Removing virus on stack drive (PC)

To whomever can help me with this catastrophic dilemma,

     I recently discovered that a virus exists within my computer.  My PC is
stacked with a Stacker.  I used the Norton Anti-Virus to scan the drives and
it advised me to turn off the computer and boot it up again with an un-affected
boot disk.  Since my drives are stacked, the NAV would not read drive C or D.

I also tried to boot it up with the Stacker files in the un-affected DOS boot
up disk.  Once I use the NAV to scan the drives, it would say there is a virus
detected in the memory and then it would not scan any further.  This goes the
same for scanning the floppy drives. 

The virus is called Stoned.  What should I do?  If anyone has come across this
or has a solution to this problem, I would appreciate it if you could contact
me.  Even if anyone would like to look into this issue or inquire about the
problem, please feel free to email me or respond to this posting.

I am desperate for  HELP!!

					Pete
					( pwong@igc.apc.org )
					         or
					( easu322@orion.oac.uci.edu )

------------------------------

Date:    11 Mar 93 04:44:03 +0000
From:    marx@vms.huji.ac.il (Michael M. Marx / Jerusalem, Israel)
Subject: Date triggered virus (PC)

Hi there --
I will be very thankful if someone will send me a list of viruses (virii...)
triggered by dates, such as Michelangelo and April 1st etc etc.

Thanks for your urgent response,

Michael...

- ----------------------------------------------------------------------------
Michael M. Marx, Jerusalem, Israel. marx@hujivms.bitnet, marx@vms.huji.ac.il
Telex: G 9312132257. Disclaimer: "I speak not to disprove what Brutus spoke"
- ----------------------------------------------------------------------------

------------------------------

Date:    Thu, 11 Mar 93 04:50:09 +0000
From:    jdc@selway.umt.edu (John-David Childs)
Subject: Re: wordperfect virus? (PC)

In article <0009.9303041259.AA21084@first.org> GMS@PSUVM.PSU.EDU (Gerry Santoro
 - CAC/PSU 814-863-7896) writes:
>A number of our lab machines are exhibiting very strange WordPerfect
>behavior.  For example, very small user documents are growing to
>extremely large size, until they fill up available disk space.  Scans
>with F-PROT do not identify any known virus.
>
>Can anyone clue me into what is happening?  In all cases the version
>of WP5.1 is being run from a read-only volume of a Banyan network
>server.
>
>Any info would be greatly appreciated!
>
>gerry santoro  (gms@psuvm.psu.edu)                            |
>academic computing/speech communication                     -(*)-
>penn state university                                  .....  |  .....

Old, semi-well documented Word Perfect bug!  Each time you edit/save a
file, especially if you change printer definitions (e.g. you load up a
file and WP says "Reformatting Document for Default Printer") WP adds
the printer definition information to the "header" (top) of the file.
The solution is to retrieve the existing document into a blank 
(current) document.  I tried to search the WPCORP-L archives for
more specific information, but was unable to come up with any
hits.  You should repost your question to that group and they'll
be able to give more specifics.

			John-David Childs
			Consultant, University of Montana CIS
			jdc@selway.umt.edu

------------------------------

Date:    11 Mar 93 12:34:47 +0000
From:    virusbtn@vax.oxford.ac.uk
Subject: IBM PC Boot Seq (was Partition table viruses (PC))

Sarel Lugtenburg writes:

>We had just an outbreak of a virus that infects the partition table.
>It triggers on any date in March. Reformatting the hard disk and
>running fdisk, changing everything, has no effect. You have to low
>level format the harddisc (IDE). I was always under the impression
>that a high level format from a clean, booted floppy would be enough
>but this is apparently not so.
>
>Can someone tell me what happens during the whole boot process from
>poweron. Where does this virus get into the chain of the bootup
>sequence ?

First question: what virus was it, and how did you detect it (hopefully not 
by its trigger :(  .....) It's not the EXEBUG virus by any chance is it?
BTW Just running FDISK isn't enough - you need to run FDISK /MBR (from DOS
v5) to re-write the Master Boot Sector - but more on this below...

In answer to your second question (briefly):

When a machine is first switched on, the power supply activates and voltages 
begin to build to their normal operating levels within the machine. A 
hardware timer will eventually trip and kick the main processor into action, 
whereupon it will start executing a program stored at a fixed address in ROM.

This program enables the processor to carry out sensible hardware tests and, 
in ATs, collects information from the CMOS of the machine about its hardware 
configuration. All of this sequence is referred to as the Power On Self Test, 
or POST.

The actions at this point vary depending on the BIOS installed in the 
computer. The original PC design intended that the machine would check if a 
floppy disk was present in the A: drive, and if one was, would boot from it. 
If no floppy disk was found, the machine is booted from the hard disk. 
However, some BIOSes provide a way to disable the floppy disk boot sequence 
so that it is impossible to pick up a pure boot sector virus by accident. 
In this case the PC will boot from the C: drive by default.

The early versions of MS-DOS used a similar method of booting either from 
floppy disk or hard disk. However, as disk drives got bigger, different 
routines were developed for hard disk boots. In order to cope with multiple 
partitions etc a sector (called the Master Boot Record or Master Boot 
Sector), located at track 0, head 0, sector 1 is loaded and executed. This 
code examines the data held in the partition table and locates the position 
of the active partition on the disk. The code then loads this second boot 
sector (called the DOS Boot Sector or Partition Boot Sector) which in turn 
loads the appropriate system files.

So, for a hard disk boot sequence:

BIOS: Switch on, and load POST routines
      Load and execute MBR from track 0, head 0, sector 1.

MBR:  Examine the Partition Table and find the entry marked 
      as active. Load the associated DOS Boot Sector and
      execute it.

DBS:  Load the system files and pass control to them.

Therefore, if you boot from a clean floppy, and fdisk/MBR and SYS your hard 
drive, any boot sector virus is gone, right? WRONG :(

All BIOSes are created equal - but some are more equal than others. If the 
CMOS information tells *certain* BIOSes that there are no floppy disk drives 
present on the system then the machine is booted from the hard drive. 
Therefore every time you FDISK or SYS the hard drive, the virus re-infects, 
because you are attempting to disinfect with the virus active in memory. 
This doesn't work on all PCs, but is a problem on some. However, there are 
free utilities available which can disable the virus in memory, and then 
disinfect the hard drive. It's messy, but unfortunately that's the way it is. 
Low level formatting works too, as this routine is usually executed from ROM. 
However, Low level formatting is a last resort - you don't need to do that 
to recover.

There was a four page article in the December Virus Bulletin on exactly 
what happens when a PC boots up (pp 5-8) - if you want more info, let me know.

Yours aye,

Richard Ford                  E-mail VIRUSBTN@uk.ac.ox.vax
Editor, Virus Bulletin        Tel: +44 235 555139      Fax: +44 235 559935

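As an added illustration of the MBR stage of the sequence Richard lays out
above (this is example code written for this digest, not Virus Bulletin's or
anyone's product), the block below parses a 512-byte Master Boot Record,
checks the 55h AAh signature, decodes the four partition entries and picks
out the one marked active, which is the entry the MBR code hands control to.
The sector itself is constructed inline; the layout offsets (partition table
at 1BEh, signature at 1FEh) are the standard MBR layout. It also shows the
byte-for-byte comparison against a saved copy that a clean-boot recovery
procedure relies on.

```python
# Added example: parse a 512-byte Master Boot Record the way the BIOS -> MBR
# hand-off requires.  Offsets are the standard MBR layout; the sample sector
# is constructed here, not taken from a real disk.
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE        # four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE    # bytes 55h AAh
BOOT_SIGNATURE = 0xAA55     # the same two bytes read as a little-endian word
ACTIVE = 0x80


def chs_decode(b):
    """3-byte CHS field -> (cylinder, head, sector); cylinder has 10 bits."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def chs_encode(cylinder, head, sector):
    """Inverse of chs_decode, used only to build the sample table."""
    return bytes([head & 0xFF, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def parse_mbr(sector):
    """Return the four partition entries; raise if the sector is not a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0] != BOOT_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        e = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        lba_start, lba_len = struct.unpack_from("<II", e, 8)
        entries.append({
            "index": i,
            "status": e[0],
            "start_chs": chs_decode(e[1:4]),
            "type": e[4],
            "end_chs": chs_decode(e[5:8]),
            "lba_start": lba_start,
            "lba_len": lba_len,
        })
    return entries


def active_partition(entries):
    """The MBR code boots exactly one entry flagged 80h; anything else is an error."""
    active = [p for p in entries if p["status"] == ACTIVE]
    if len(active) != 1:
        raise ValueError(f"expected one active partition, found {len(active)}")
    return active[0]


def mbr_matches_saved(current, saved):
    """Byte-for-byte comparison against a copy saved from a known-clean boot."""
    return bytes(current) == bytes(saved)


def build_entry(status, ptype, start_chs, end_chs, lba_start, lba_len):
    return (bytes([status]) + chs_encode(*start_chs) + bytes([ptype])
            + chs_encode(*end_chs) + struct.pack("<II", lba_start, lba_len))


def sample_mbr():
    """Constructed MBR: zeroed boot-code area, one active FAT16 entry, one extended."""
    sector = bytearray(SECTOR_SIZE)
    table = build_entry(ACTIVE, 0x06, (0, 1, 1), (1023, 15, 63), 63, 2_000_000)
    table += build_entry(0x00, 0x05, (1023, 0, 1), (1023, 15, 63), 2_000_063, 1_000_000)
    table += bytes(32)  # two unused entries
    sector[TABLE_OFFSET:TABLE_OFFSET + 64] = table
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, BOOT_SIGNATURE)
    return bytes(sector)


if __name__ == "__main__":
    mbr = sample_mbr()
    for p in parse_mbr(mbr):
        print(f"entry {p['index']}: status={p['status']:02X} type={p['type']:02X} "
              f"start={p['start_chs']} lba={p['lba_start']} len={p['lba_len']}")
    print("active entry:", active_partition(parse_mbr(mbr))["index"])
    print("matches saved copy:", mbr_matches_saved(mbr, sample_mbr()))
```

The comparison function is the interesting part for the re-infection
problem described above: a saved copy only helps if it was taken (and is
compared) with no virus resident, so the read of the live sector has to
come from a clean floppy boot, and on BIOSes that ignore the floppy drive
the copy cannot be trusted until the resident code has been dealt with.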
------------------------------

Date:    Thu, 11 Mar 93 08:51:36 -0500
From:    DONNY@iris.netcom.com
Subject: Central Point and Stacker (PC)

Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes

> Remember that stacker (or any other disk doubler) uses the DOS
> environment to do what ever it is doing,
> and so does Anti Virus TSRs (especially those that use many interrupt
> monitoring). A conflict might be fatal (generally speaking).

Most TSR writers disagree with you especially since DOS is built for
TSRs. If you're right you should be warning anybody using any sort of
TSR with Stacker (including keyboard handlers, EMM386, Windows, etc).

Donny Gilor (Dr. Virus)    donny@iris.ilnet.net
- -----------------------------------------------
Development manager, Iris Software (Israel)
Iris produces software for Text-Retrieval, Anti-Virus, and Copy-Protection.
Telephone: (972)-3-5715319     Fax: (972)-3-318731

------------------------------

Date:    Thu, 11 Mar 93 09:26:26 -0700
From:    martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences)
Subject: Re: F-PROT (PC)

MARIE@sclients.scs.uottawa.ca (Marie-Andre Giroux) writes:

>Hi! I need some information about VIRSTOP from F-Prot. That program
>is supposed to let you know if a virus is trying to do some
>damage on your disk. It was reported to me that VIRSTOP 2.07 did not
>detect the presence of the Monkey virus. If anyone has
>experienced such a problem let me know about it or of any solution to
>it.

I tested virstop from f-prot 2.07 against the two Monkey strains.
You are correct: it doesn't notice them on an infected system.  It
does notice if a system is infected with "Stoned".  I think the 
reason is probably that Monkey uses a level of stealth that may be
keeping virstop from seeing the infected MBR.  And in memory it is
installed not at "Top of Memory", but at offset 200h from TOM.  So
a device that checks what is at TOM won't find the virus there.

I tested the f-prot 2.07 scanner as well.  Scanning diskettes, it
correctly identifies Monkey variant 1, but still calls Monkey variant
2 a "new variant of stoned".  F-prot cannot find either variant on
a hard disk, if you boot from a clean floppy, because Monkey encrypts
and moves the partition table data, so f-prot can't find the hard 
disk partitions at all.  (It should still be able to check the MBR,
though.)

I am not sure the fprot I tested was the very latest, though:
I think Frisk has released some bug-fixed versions.

As to a solution, the easiest is probably to get killmonk.zip from
your favorite ftp site.  (For example, it is at oak.oakland.edu,
in /pub/msdos/virus.)

Tim.

 -------------------------------------------------------------
  Tim Martin                   *
  Spatial Information Systems  *   These opinions are my own:
  University of Alberta        *      My employer has none!
  martin@cs.ualberta.ca        *
 -------------------------------------------------------------


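Tim's point that a resident check looking only at the top of memory can
miss something installed a little below it is easy to show with a small
piece of added example code (written for this digest, not taken from
F-PROT, VIRSTOP or any other product). It reads the base-memory word from
a constructed BIOS Data Area, works out the gap between the reported top of
memory (TOM) and the 640 KB the machine should report, and searches that
whole gap for a marker instead of inspecting the one paragraph at TOM. The
marker string and the memory image are constructed for the example; the
offset 0x13 in the BDA and the 640 KB figure are the standard values.

```python
# Added example: read the BIOS Data Area word that records base memory and
# look for a constructed marker anywhere in the gap between the reported top
# of memory (TOM) and the 640 KB the machine should have.  The marker is
# invented for the example; it is not a real virus signature.
EXPECTED_BASE_KB = 640
BDA_BASE_MEMORY_OFFSET = 0x13  # word at 0040:0013, base memory size in KB


def base_memory_kb(bda):
    """Base memory size in KB as recorded in the BIOS Data Area."""
    return int.from_bytes(bda[BDA_BASE_MEMORY_OFFSET:BDA_BASE_MEMORY_OFFSET + 2], "little")


def tom_segment(kb):
    """KB -> segment of the first paragraph above usable memory (KB * 1024 / 16)."""
    return kb * 64


def reserved_above_tom(bda, expected_kb=EXPECTED_BASE_KB):
    """(tom_seg, end_seg): the region DOS no longer sees; empty when nothing is missing."""
    return tom_segment(base_memory_kb(bda)), tom_segment(expected_kb)


def marker_at_tom(image, image_base_linear, tom_seg, marker):
    """The naive check: is the marker sitting exactly at TOM?"""
    off = tom_seg * 16 - image_base_linear
    return image[off:off + len(marker)] == marker


def scan_reserved(image, image_base_linear, tom_seg, end_seg, marker):
    """Scan every paragraph from TOM up to the expected TOM; return linear hits."""
    hits = []
    for seg in range(tom_seg, end_seg):
        off = seg * 16 - image_base_linear
        if off >= 0 and image[off:off + len(marker)] == marker:
            hits.append(seg * 16)
    return hits


def make_sample(reported_kb, marker, marker_offset_from_tom):
    """Constructed BDA plus a memory image covering reported TOM .. 640 KB."""
    bda = bytearray(256)
    bda[BDA_BASE_MEMORY_OFFSET:BDA_BASE_MEMORY_OFFSET + 2] = reported_kb.to_bytes(2, "little")
    tom_seg, end_seg = reserved_above_tom(bytes(bda))
    base_linear = tom_seg * 16
    image = bytearray((end_seg - tom_seg) * 16)
    image[marker_offset_from_tom:marker_offset_from_tom + len(marker)] = marker
    return bytes(bda), bytes(image), base_linear


MARKER = b"SAMPLE-RESIDENT-BODY"  # constructed stand-in, not a real signature
# 638 KB reported, marker 200h bytes above the new TOM (mirrors Tim's description)
BDA, IMAGE, IMAGE_BASE = make_sample(638, MARKER, 0x200)

if __name__ == "__main__":
    tom, end = reserved_above_tom(BDA)
    print(f"base memory {base_memory_kb(BDA)} KB, TOM={tom:04X}h, expected TOM={end:04X}h")
    print("marker exactly at TOM:", marker_at_tom(IMAGE, IMAGE_BASE, tom, MARKER))
    print("hits in reserved region:",
          [hex(h) for h in scan_reserved(IMAGE, IMAGE_BASE, tom, end, MARKER)])
```

The scan only has something to look at when the reported base memory is
below what the machine really has, so a tool built this way should first
compare the BDA word against a value recorded at a clean boot (some
machines legitimately report less than 640 KB) and only then search the
reserved region.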
------------------------------

Date:    11 Mar 93 17:14:01 -0500
From:    ac999512@umbc.edu (ac999512)
Subject: Re: Executable signatures (PC)

>To check for an executable file a virus will read in the appropriate bytes
>and check to see if it is "MZ".
> 
>Why do some viruses check for "ZM"? What kind of file does this denote?
 
  I believe both signify an EXE file. Someone correct me if I'm wrong, 
but it is my understanding that both "MZ" and "ZM" mean that it is an
EXE..
 
 
+-------------------------------------------------------+
| Ed T. Toton III,  Virus Researcher  ac999512@umbc.edu |
|     BREAKFST.COM halted! Cereal port overflow!        |
+-------------------------------------------------------+

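Ed has it right: the DOS loader accepts either byte order in the first
word, so an integrity checker or scanner that tests only for "MZ" will
treat a "ZM" file as a .COM image and decode it wrongly. The added example
below (written for this digest, not Ed's code) recognises both signatures,
decodes the standard 28-byte MZ header, and derives the load-module size
from the page count and last-page byte count; the two sample executables
are constructed inline and contain nothing but an `int 20h` and padding.

```python
# Added example: recognise a DOS EXE by its header the way the DOS loader
# does, accepting both "MZ" and "ZM" in the first word.  The header layout
# is the standard 28-byte MZ header; the sample files are constructed.
import struct

MZ_HEADER = struct.Struct("<2sHHHHHHHHHHHHH")  # 28 bytes
FIELDS = ("magic", "bytes_last_page", "pages", "relocations", "header_paras",
          "min_alloc", "max_alloc", "init_ss", "init_sp", "checksum",
          "init_ip", "init_cs", "reloc_table", "overlay")


def exe_signature(data):
    """'MZ' or 'ZM' if the data starts with an EXE signature, else None."""
    sig = bytes(data[:2])
    return sig.decode("ascii") if sig in (b"MZ", b"ZM") else None


def naive_is_exe(data):
    """The check a careless tool makes: 'MZ' only, so 'ZM' files slip through."""
    return bytes(data[:2]) == b"MZ"


def classify_by_header(data):
    """What the loader (and a scanner that mimics it) should treat the file as."""
    return "exe" if exe_signature(data) else "com"


def parse_exe_header(data):
    """Decode the MZ header and derive image sizes; None for non-EXE data."""
    if exe_signature(data) is None or len(data) < MZ_HEADER.size:
        return None
    h = dict(zip(FIELDS, MZ_HEADER.unpack_from(data, 0)))
    h["magic"] = h["magic"].decode("ascii")
    total = h["pages"] * 512                      # size in 512-byte pages...
    if h["bytes_last_page"]:
        total -= 512 - h["bytes_last_page"]       # ...less the unused tail of the last page
    h["image_size"] = total
    h["load_module_size"] = total - h["header_paras"] * 16
    return h


def make_sample_exe(magic):
    """Constructed 528-byte EXE: 32-byte header, 496-byte load module, 2 pages."""
    header = MZ_HEADER.pack(magic, 0x10, 2, 0, 2, 0, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    body = bytes([0xCD, 0x20]) + bytes(494)       # int 20h then padding (constructed)
    return header + bytes(4) + body               # pad the header to 2 paragraphs


SAMPLE_MZ = make_sample_exe(b"MZ")
SAMPLE_ZM = make_sample_exe(b"ZM")

if __name__ == "__main__":
    for name, data in (("MZ sample", SAMPLE_MZ), ("ZM sample", SAMPLE_ZM)):
        h = parse_exe_header(data)
        print(f"{name}: naive={naive_is_exe(data)} loader-view={classify_by_header(data)} "
              f"image={h['image_size']} load-module={h['load_module_size']}")
```

The practical consequence for a checker is that the branch deciding how to
walk a file (EXE header versus flat COM image) must use `exe_signature`,
not a plain "MZ" comparison, or the ZM case is parsed as if its header
were code.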
------------------------------

Date:    Tue, 09 Mar 93 13:56:13 -0500
From:    HAYES@urvax.urich.edu
Subject: FIXUTIL4.ZIP from A. Padgett Peterson (PC)

Hi fellows.

Just received and made available for anonymous FTP the new suite of virus
defence programs from A. Padgett Peterson.  Following is an excerpt of the
"what's new" file:

- ----- begin excerpt --

FixUtilities copyright (C) 1989-1993 by Padgett - all rights reserved.

FixUtil4 is the March 1993 revision of the FixUtils.

WHAT'S NEW
The major change is that the FixUtils are now all FREEWARE. 

Major Changes
FixMBR now generates automatically a copy of the original MBR with
a user designated name of up to 7 characters. This .DAT file should be
stored in a safe place off-line. When changed to a .COM file and executed,
the original MBR will be restored.

On machines having BIOS selection of the boot disk, users may now select
booting only from the C: drive for additional protection from viruses.
If the CTRL key is held down during the boot, SafeMBR, following integrity
checking of the hard disk MBR will transfer the boot process to drive A:
to allow booting from floppy for maintenance purposes.

- -----  end excerpt --

Site:       urvax.urich.edu,  [141.166.36.6]    (VAX/VMS using Multinet)
Directory:  [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password.  You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.

Thanks Padgett!

Best, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 44]
*****************************************
