To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #45
--------
VIRUS-L Digest   Monday, 22 Mar 1993    Volume 6 : Issue 45

Today's Topics:

Re: Laws and Viruses
F-Prot (PC)
PC-Mag (PC)
identification (PC)
partition table (PC)
Re: Michelangelo (PC)
standardization (PC)
PC Magazine on Anti-Virus (PC) and new ways of testing an A-V.
Help, Am I VIRUSED???? (PC)
LAT-9303 (PC)
Virus that infects while Scanning? (PC)
Virus found on PCs - WARNING (PC)
How do you recover from a Michelangelo attack? (PC)
Effect of Form (PC)
EXE/COM switch (PC)
scanners. (PC)
VS for Pathwork (tm) (VMS)
Michelangelo protection (CVP)
March 1992 and the media

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Fri, 12 Mar 93 05:12:12 +0000
From:    curry@sctc.com (Russ Curry)
Subject: Re: Laws and Viruses

padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) writes:


>	For some time now we have been concerned about a "textbook"
>definition of viruses, perhaps it is time to discuss a legal one
>(obviously it is difficult to pass a law against something that is
>not defined):

>	From a legal standpoint it might be enough to define a virus
>as "a sequence of instructions that intentionally performs an unwanted 
>and undocumented modification within a computing system for which it is 
>intended."

	Hmm, how about an application program which creates a data
	file that isn't explicitly declared in the documentation? I think
	everyone has seen one such program at some point in time.

	If I didn't want that data file to be created on my hard drive,
	does that ("unwanted" and "undocumented") function classify
	this application program as a virus?

	Subsequently, any shell script I create that modifies files in my
	working area can be called a virus, since my system administrator
	may not always be aware of everything I am doing. That script may
	be making "unwanted" and "undocumented" modifications to a
	computer system that I do not own and am not in control of.

>Finally, keep in mind that the current discussion is limited to *criminal*
>actions and not civil (damages) ones. Two entirely different things in the US.

	Not to be sniping, but I think that somebody can find a better
	classification of a virus. We all know how perverse the legal
	system can get at times; something like that description would
	turn into an incredible farce, IMO.


		Off to see the wizard,

			R Curry.

	( These opinions are my own.  Like I'd use someone else's? )


------------------------------

Date:    Thu, 11 Mar 93 18:52:38 -0500
From:    bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: F-Prot (PC)

KT> Don't know 'bout CPAV, though -- I've never tried it.  Why pay such an
KT> amount of money, when I can get a product which I consider superior for
KT> free?

In my tests, F-Prot always ranks at or near the top.
 
I like F-Prot because it is very good at telling the user specifically which 
virus happens to be present. 

Some scanners rank all variants under the same name. This may be OK for 
some viruses, but some variants can be destructive, like the 1704 Format. 
If I have that virus on my hard drive, I want to kill all specimens ASAP 
before it tries to format my hard drive.
 
Bill

- ---
 * WinQwk 2.0 a#383 * MIGRAM activates any Saturday
- ----
+----------------------------------------------------------------------+
+  The French Connection - 206/283-6453 - 206/771-1730  - 6.5g online  +
+   It takes only 11 seconds to get loaded on the French Connection!   +
+----------------------------------------------------------------------+


------------------------------

Date:    Thu, 11 Mar 93 18:52:36 -0500
From:    bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: PC-Mag (PC)

FC> Date:    Mon, 08 Mar 93 10:03:09 -0500
FC> From:    fc@noether.duq.edu (Fred Cohen)
FC> Subject: Product reviews in magazines
FC> 
FC> When will you guys figure out that the PC magazine reviews of
FC> antivirus products favored those who spend a lot of money advertising
FC> These magazines don't want to offend their advertisers, they exist to

I know this, but it isn't fair.
 
Anti-viral products should be tested fairly, but testing against 11 
viruses that are all at least 1.5 years old.
 
I hope that they perform better tests next time, or do not produce tests at 
all.
 
Bill



- ---
 * WinQwk 2.0 a#383 * Hacked versions of X00 fossil. 1.3, & 1.3J


------------------------------

Date:    Thu, 11 Mar 93 18:53:01 -0500
From:    bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: identification (PC)

0> Another reason for using a standard.  Without a standard and careful 
0> a potentially harmful variant can get mis-identified as a less harmful
0> parent virus, take Stoned and Michelangelo for instance.

Let me give you a better example.

Cascade and Cascade 1704 Format.
 
Bill

- ---
 * WinQwk 2.0 a#383 * Are computer viruses myth or reality?


------------------------------

Date:    Thu, 11 Mar 93 18:53:03 -0500
From:    bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: partition table (PC)

SL> level format the harddisc (IDE). I was always under the impression
SL> that a high level format from a clean , booted floppy would be enough
SL> but this is apparently not so.

Most boot sector viruses hide in the boot sector of floppies, but on hard 
drives, they hide in the partition table.
 
The partition table is never touched by a format.
 
A fair way to get rid of boot sector viruses without using AV software or 
low-level formatting the hard drive is to boot clean from a DOS 5.0 
bootable diskette, then issue the following command:
 
FDISK /MBR
 
Hope this helps. 

Bill

- ---
 * WinQwk 2.0 a#383 * CHRISTMAS TREE activates Dec 24 - Jan 1
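
As an added illustration of what the FDISK /MBR advice above actually does (this is example code written for this digest, not anything from the post or from DOS), the Python below parses a 512-byte PC master boot record, lists the partition table, and rebuilds the record with new boot code while leaving the table and the 0x55AA signature untouched. It assumes the standard PC layout (446 bytes of code, four 16-byte partition entries at offset 446, signature at offset 510); the sample record and both boot-code blobs are constructed for the example, and the "infected" code is filler, not a real virus.

```python
"""Parse a PC master boot record and rewrite its code area the way
FDISK /MBR does: new boot code, partition table and signature kept.

Example code written for this digest; not from the post or from DOS.
The sample MBR and the two boot-code blobs are constructed stand-ins.
"""
import struct

MBR_SIZE = 512
CODE_SIZE = 446           # boot code area, the part a rewrite replaces
TABLE_OFFSET = 446        # four 16-byte partition entries start here ...
ENTRY_SIZE = 16
SIG_OFFSET = 510          # ... followed by the 0x55AA signature
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FORMAT = "<B3sB3sII"


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and mbr[SIG_OFFSET:] == BOOT_SIGNATURE


def parse_partition_table(mbr: bytes) -> list:
    """Return the used partition entries as dicts; reject a record that is
    not 512 bytes or lacks the signature, since its table can't be trusted."""
    if not has_boot_signature(mbr):
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for slot in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, mbr, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype == 0:                 # empty slot
            continue
        entries.append({"slot": slot, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start,
                        "sectors": sectors})
    return entries


def boot_code(mbr: bytes) -> bytes:
    """The code area, which is all a boot-sector virus normally overwrites."""
    return mbr[:CODE_SIZE]


def rewrite_boot_code(mbr: bytes, clean_code: bytes) -> bytes:
    """Replace bytes 0..445 with clean_code; keep table and signature."""
    parse_partition_table(mbr)         # validates size and signature first
    if len(clean_code) > CODE_SIZE:
        raise ValueError("boot code must fit in 446 bytes")
    padded = clean_code + b"\x00" * (CODE_SIZE - len(clean_code))
    return padded + mbr[TABLE_OFFSET:SIG_OFFSET] + BOOT_SIGNATURE


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed MBR: one bootable FAT16 partition (type 0x06) at LBA 63."""
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x06,
                        b"\xfe\x3f\x07", 63, 65536)
    table = entry + b"\x00" * (ENTRY_SIZE * 3)
    return code + b"\x00" * (CODE_SIZE - len(code)) + table + BOOT_SIGNATURE


# Constructed stand-ins: neither blob is real boot code or a real virus.
INFECTED_CODE = b"\xeb\x1c\x90" + b"VIRUS-BODY-FILLER" * 4
CLEAN_CODE = b"\xfa\xfc" + b"CLEAN-LOADER-FILLER" * 4


def demo() -> dict:
    """Infected record in, rewritten record out; the table must survive."""
    infected = build_sample_mbr(INFECTED_CODE)
    fixed = rewrite_boot_code(infected, CLEAN_CODE)
    return {
        "partitions_before": parse_partition_table(infected),
        "partitions_after": parse_partition_table(fixed),
        "code_replaced": boot_code(fixed) != boot_code(infected),
        "table_kept": infected[TABLE_OFFSET:] == fixed[TABLE_OFFSET:],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the partition list is identical before and after while the code area differs. Two cautions a practitioner would add to the post: save sector 0 to a floppy before letting FDISK rewrite it, so there is something to put back if the result does not boot; and a rewrite only helps when the virus left the partition entries alone, so if the parser reports no valid signature, or a table that does not match what the disk actually holds, restore from backup instead of rewriting.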


------------------------------

Date:    Thu, 11 Mar 93 23:10:50 +0000
From:    hiscrp@nuscc.nus.sg (C R Pennell)
Subject: Re: Michelangelo (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
: 
: BTW, I am very curious how many Michelangelo hits have happened this
: year...

Well we had quite a little crop in Singapore this year, which according to
the Straits Times which is often wildly inaccurate about virus attacks,
hit car dealers in particular.

I know I shouldn't feel this way, but if there HAVE to be viruses, car
dealers seem a suitable victim!

The point about Singapore is that public offices work on a Saturday
morning, and the car dealers were using a computerised bidding system to
submit last-minute applications for licences.

Do you want more details? I could scan you the article, perhaps.

Richard Pennell History NUS

------------------------------

Date:    Mon, 08 Mar 93 13:32:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: standardization (PC)

To: chess@watson.ibm.com (David M. Chess)

You quote me:
 >>From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)

 >>I think there is already a naming scheme present.
 >>It goes like this: McAfee gets a virus, releases the next
 >>VIRLIST.TXT, and everyone just uses it. If a new virus
 >>appears that is not there, a name is given to it according
 >>to its behaviour, and so on...
That was a cynical remark made by me, but it has a good resemblance to the 
true scenarios.

 > Oh, do I wish it were that simple!
Me too.

 > The main problems are:
Only 2 ?

 >   - Say some authority says "we've found a new virus, its
 >     name is Blivet, and our scanner detects it as such".
 >     Now someone else finds a virus, and that scanner identifies
 >     it as "Blivet".  Is it the same virus that the authority
 >     first reported?   The only way to tell for sure is if
 >     that person has access to the original Blivet sample
 >     (and virus collections probably shouldn't be
 >     generally-available), or if someone has written a
 >     program that does precise identification of the virus.
 >     Writing such a program (or adding a description to an
 >     existing program) is quite a bit more work than just
 >     extracting a signature for a scanner, and there are
 >     some complex issues about avoiding spoofing.

 >     Does the user care whether or not he really has
 >     the same Blivet virus as was originally named?
 >     Yes!
And I say, NO!  As long as the scanner that calls it Blivet is capable of 
making the distinction between variants of the virus, and cleaning it correctly 
(as I also said in my partly-quoted-by-you article). The information is of no 
use to the user whether the virus is variant Vir.11.a234.5-A or Vir.234.87.1-D/45 
of it (by any relationship tree that you can invent).

 >     The new Blivet might have different behavior,
 >     requring different clean-up, and the user *must*
 >     know that.  "Cleaning up" a virus without knowing
 >     exactly what it does is a contradiction in terms.
Is this action considered user responsibility? If so, it's a bad attitude. 
You cannot consider all users as capable of making the decision.

 >   - Naming viruses based on behavior isn't as easy as
 >     it sounds.
You tell me, I do it all the time. I only don't bother sending it to Patricia 
Hoffman due to the endless conversations that you can read in Virnet about that 
issue.

 >     Here's a brand-new virus.  It goes
 >     resident, and infects any file that's executed. It
 >     has no payload.  What do you call it?  There are
 >     probably hundreds of viruses like that.  Naming
 >     continues to be a hard problem; a good name would
 >     be easy to remember, different from other names,
 >     and have something to do with what the virus does.
 >     It's generally impossible to do all three, though...
Well, the answer to this is easy too. Did you hear of the 1963, 1049, 1260, 
1530, 1677, 757, 903, 1024 (do I have to write more?) viruses?

Not all viruses have a name attached to them, especially the kind that has no 
specific behaviour. Those will usually get their "size name".

Warmly

* Amir Netiv. V-CARE Anti Virus, head team *

- --- FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Mon, 08 Mar 93 13:02:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: PC Magazine on Anti-Virus (PC) and new ways of testing an A-V.

Hello everyone.

Regarding the PC-Magazine's article and Editors Choice.
Well, you know what they say:
" BENCHMARKS DO NOT LIE... LIARS MAKE BENCHMARKS ! "

Bill Lambdin writes:
 > If they had tested the 70 or 80 common viruses known
 > to be in the wild, their tests would have been more valid.
Don't you think it's about time that these kinds of tests expired? Is it a 
wise idea to test modern anti-viruses with the oldest test in the book? Is it 
still a valid test?

 > I find it very hard to believe that there are more than 2,000
 > specimens known, and 70 or 80 common viruses known to be
 > circulating in the wild, and they feel that 11 viruses are
 > enough to use for testing purposes.
Believe it, there are more. As for the 70 or 80 common ones, it could be even 
less, but the point is that if you are a user, and you are infected by the 1% 
that is not on the celebrity list, you will still have a 100% major problem on 
your hands. That's maybe the reason why the test is not valid. 8-)

Besides, these 11 common viruses may represent the status in the USA, but 
definitely not in any other country, since viruses spread differently in 
various countries. For example: DIR-2 and 1963 are the most widely spread in 
Israel at the moment, but (almost) no one has seen them in France or Germany. 
Therefore the benchmark made by PC-Mag has no real meaning in most countries 
of the world, except commercial.

I think it's time to establish a new way of testing an Anti Virus, and I'm 
calling all of you, Virus researchers to initiate the process.

Regards

* Amir Netiv. V-CARE Anti Virus, head team *

- --- FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Fri, 12 Mar 93 15:35:06 +0000
From:    vic@astro.ocis.temple.edu (Victor Kasacavage)
Subject: Help, Am I VIRUSED???? (PC)

     Yesterday, our fileserver crashed.  Some of the files on the
server were corrupted when we tried to access them today.  I tried
restoring the files from a backup tape and in the process of 
scanning the tape, I got an error opening some files and had to
quit the restore.  After exiting, the message below appeared on
my monitor:


                                                  Invali
busted jail and I'm gone forame = xas,
busted jail andted man in Texas,

We have a program running on the Novell 3.11 fileserver called
LanProtect v1.5 from Intel.  It constantly scans incoming and
outgoing files on the network.  We are using virus pattern
lrx$rpn.022 and have had no problems with this program.

If this message is from a virus, I need to know because I just
scanned the fileserver and my hard drive and both came up clean.
We are using this program all over campus and would hate to 
see someone else's files get corrupted.

please respond to:    vic@astro.ocis.temple.edu

thanks in advance.
- ----------------------------------------------------------------
Victor Kasacavage                      vic@astro.ocis.temple.edu
Lan Technical Consultant               Temple University
- ----------------------------------------------------------------

------------------------------

Date:    Fri, 12 Mar 93 17:37:14 -0500
From:    bill.lambdin%frenchc@eskimo.com (Bill Lambdin)
Subject: LAT-9303 (PC)

                                  LAT 9303

 Product                    Total  Detected  Ratio   Flags
 +--------------------------------------------------------+
 | F-Prot 2.07             | 841   | 836    | 99.4% | S   |
 | Virus Net 2.06B         | 841   | 835    | 99.3% | C   |
 | VIRx 2.6D               | 841   | 813    | 96.7% | S   |
 |                         |       |        |       |     |
 | TBAV 5.04 VSIG9301      | 841   | 812    | 96.6% | S   |
 | Scan 102                | 841   | 810    | 96.3% | S   |
 | Dr Sol A-V toolkit 6.04 | 841   | 796    | 94.6% | C   |
 |                         |       |        |       |     |
 | IM-141A                 | 811   | 751    | 92.6% | DGS |
 | UT Scan 25.1            | 811   | 749    | 92.4% | CDG |
 | SD Scan 1.0             | 811   | 747    | 92.1% | CD  |
 +--------------------------------------------------------+

      C- Commercial software

      D- This product does not scan for boot sector viruses
         inside droppers. I tried to be fair.

      G- Generic Virus detector. The other utilities with
         this product may detect viruses that this scanner
         misses, so don't judge this product too harshly
         because the scanner isn't as effective as you would
         like.

      S- Shareware or freeware product.

      I removed the following products from the LAT report.

      PC-Scan Unable to get the new signature update
      Win-RX getting old
      Virucide 2.37 unable to get the new update.
 ========================================================================
      I have tested the following generic products, and
      recommend them.

      Victor Charlie (Bangkok Security Associates)
      PC-Rx (Trend Micro Devices)
      Untouchable (Fifth Generation Systems)
      Integrity Master (Stiller Research)
      PC-cillin (Trend Micro Devices)
 ========================================================================
      I would like to thank most of these companies for
      providing me with evaluation copies of their
      software to test.
 ========================================================================
      These tests were performed on a 33 MHZ 486

                        Bill Lambdin
                        P.O. Box 577
                        East Bernstadt, Ky. 40729

- ---
 * WinQwk 2.0 a#383 * McAfee voice support (408) 988-3832


------------------------------

Date:    Fri, 12 Mar 93 23:38:53 +0000
From:    rkolter@csuohio.edu (Ryan Kolter)
Subject: Virus that infects while Scanning? (PC)

Please do not get alarmed by this.  This is not rumormongering, but
is a serious question.  I do not know if this virus exists, and
for this reason I am asking about it.

A friend of mine recently (a few months ago) told me about what
appeared to be a computer virus his machine had caught that (in some
manner) appeared to infect the files of his hard disk just after they
were scanned.  His claim was that it dodged the scan by taking itself
out of memory during the memory check (McAfee) and then reloaded into
memory and removed itself from the infected file during the scan of
that file.  After that, it would infect every .exe that was scanned.
Thus the process of scanning actually infected the whole drive.

I don't know if there is a virus out there that does this.  Is there?
If so, is there a way to protect against it?  He said that McAfee didn't
pick it up. (I don't know what version he used).

Sorry for being vague, and also sorry for wasting your time if this
virus doesn't exist.  But... does it?

- --Hills




------------------------------

Date:    Sat, 13 Mar 93 11:20:16 +0000
From:    paul_r@bruny.cc.utas.edu.au (Paul Roberts)
Subject: Virus found on PCs - WARNING (PC)

A virus has been discovered on one of the Computing Centre PCs.  The virus is
no longer on any machine in the Computing Centre, but the virus is believed
to have been there for a number of weeks.
The virus infects both .exe and .com files.  It is a nondestructive virus.
It can be detected by using the following string in F-Prot: "b8969633db8Ec3bb8400"
A disinfectant is being written and will be available when it is finished
in a few days.

Paul.
- --
| Paul Roberts   Keeper of Queen Lore  snail mail : 55 Tara Drive, Lauderdale  |
| Student at University of Tasmania                 Tasmania, Australia 7021   |
| e-mail : paul_r@bruny.cc.utas.edu.au    Phone +61 02 487370 (International)  |
|          paul_r@postoffice.utas.edu.au            002 487370 (Australia)     |
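
As an added example (written for this digest; it is neither F-Prot's code nor the Computing Centre's disinfectant), here is a minimal scanner in Python that does what feeding F-Prot a search string does: look for a fixed byte pattern in .COM and .EXE files. It reads each file in chunks with an overlap so a match straddling two chunks is still found. The search string is the one quoted in the post; the sample files are constructed, and the bytes around the string are filler, not a virus.

```python
"""Fixed-string scanner over .COM/.EXE files, chunked with overlap.

Example code written for this digest; not F-Prot's code and not the
Computing Centre's disinfectant. The search string is the one given in
the post; the sample files below are constructed for the example.
"""
import os
import tempfile

SEARCH_STRING = "b8969633db8Ec3bb8400"      # hex string from the post
SIGNATURE = bytes.fromhex(SEARCH_STRING)
SCANNED_EXTENSIONS = (".com", ".exe")


def find_all(data: bytes, sig: bytes = SIGNATURE) -> list:
    """Every offset at which sig occurs in data (overlaps included)."""
    hits, start = [], 0
    while True:
        i = data.find(sig, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan_file(path: str, sig: bytes = SIGNATURE,
              chunk_size: int = 1 << 20) -> list:
    """File offsets of every occurrence of sig, read chunk by chunk.

    The last len(sig)-1 bytes of each chunk are carried into the next,
    so a match can never be split across a boundary; because the carry
    is shorter than sig, no match can be reported twice."""
    overlap = len(sig) - 1
    hits, carry, pos = [], b"", 0          # pos: file offset of next chunk
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                return hits
            buf = carry + block
            base = pos - len(carry)        # file offset of buf[0]
            hits.extend(base + off for off in find_all(buf, sig))
            carry = buf[-overlap:] if overlap else b""
            pos += len(block)


def scan_tree(root: str, sig: bytes = SIGNATURE,
              exts=SCANNED_EXTENSIONS) -> dict:
    """Map each hit file (path relative to root) to its match offsets."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            offsets = scan_file(path, sig)
            if offsets:
                found[os.path.relpath(path, root)] = offsets
    return found


def build_sample_tree(root: str) -> None:
    """Constructed test set: one clean .COM, one .EXE carrying the string
    at offset 64, and a .TXT that carries it but is outside the scan set."""
    samples = {
        "clean.com": b"\xc3" + b"\x00" * 127,
        "infected.exe": b"\x90" * 64 + SIGNATURE + b"\x00" * 32,
        "notes.txt": b"search string: " + SIGNATURE,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)


def demo(chunk_size: int = 7) -> dict:
    """Scan the constructed tree; a 7-byte chunk forces the 10-byte match
    to straddle chunk boundaries, which is the case worth exercising."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {rel: scan_file(os.path.join(root, rel), chunk_size=chunk_size)
                for rel in scan_tree(root)}


if __name__ == "__main__":
    print(demo())
```

Read as 16-bit x86, the ten bytes decode to mov ax,9696h / xor bx,bx / mov es,bx / mov bx,0084h, which leaves ES:BX pointing at 0000:0084, the INT 21h slot in the interrupt vector table. Code that reaches the vector table directly is not unique to any one program, so a hit on a string this short is a reason to examine the file, not proof of the infection the post describes. demo() uses a 7-byte chunk so the match crosses chunk boundaries; the default chunk is 1 MiB.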

------------------------------

Date:    14 Mar 93 01:32:28 +0000
From:    acw@calmasd.Prime.COM (Alan Wilson)
Subject: How do you recover from a Michelangelo attack? (PC)

I've learned from my son that many of his high-schoolmates here 
have their IBM/PC hard disks corrupted due to the Michelangelo 
virus's recent activation.  Please send any techniques on how to 
recover a corrupted disk and I'll pass them along via my son.
This would be greatly appreciated.

Alan Wilson
acw@calmasd.prime.com

------------------------------

Date:    Mon, 08 Mar 93 11:51:05 +0100
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Effect of Form (PC)

Hi Eugene!

Your info about the FORM virus was correct, I guess, except for this line:

 > If you work with a hard disk, the data can be lost.

How? FORM does not write data to the hard disk, except for its viral code to 
the active DOS boot sector and that boot sector to another unused sector.

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)

------------------------------

Date:    Mon, 08 Mar 93 11:04:00 +0100
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: EXE/COM switch (PC)

 > From: antkow@eclipse.sheridanc.on.ca (Chris Antkow)

 >  The fact of the matter is, that any resident virus that monitors
 > function 4Bh, subfunction 00h (Int 21h) WILL be able to infect a file,
 > even if the extention has been renamed... (Provided the virus is written
 > "correctly"... Gack).

 >  Whenever a file is executed, it is immediately passed to AX,4B00h/INT
 > 21h. The rest is at the mercy of the viral code... If the file can't be
 > executed, then it's never passed to AX,4B00h/INT 21h...

 >  (Someone correct me if I'm wrong...)

Well, you shouldn't go as specific as sub-function 00h.

Viruses also monitor service 03h and the undocumented 01h, which are used to load 
overlays.

4Bh is general enough.

Inbar Raz
- - --
Inbar Raz                  5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's.  (9:9721/210)

------------------------------

Date:    Mon, 08 Mar 93 11:14:00 +0100
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: scanners. (PC)

Malte Eppert writes:

 >> Making CRC checks from a BOOTING FLOPPY will also catch ANY
 >> virus, provided it hasn't infected your floppy yet.

 > Sorry, it won't. It will catch any modification, that's true. But if you
 > get infected with a slow virus, the user just would regard the change as
 > legitimate. Then, Vesselin introduced the idea of a DOS file
 > fragmentation attack. You could not detect that with a file-oriented CRC
 > checker, too.

Look. In order for a virus to infect a file it must either add itself to the 
file, or overwrite or replace the file's first cluster (known methods of 
infection, correct me if I'm missing anything). If you run a CRC check DAILY, 
you WILL locate these changes. What you're saying is true only if I had let 
my system get infected, and only THEN, after the viruses had already started 
to activate, ran the tests.

If you run this test daily and consistently, I think it might come out quite 
effective.

 > Unloading is a problem if the TSR is not the last one in the TSR chain.

By unloading, I don't mean removing from memory. I mean disabling, i.e. making 
it as if the thing was never loaded, and therefore whatever protection it was 
supplying does not exist anymore.

 > How do you get your system straight if you remove a TSR out of the
 > middle of the chain - is there a method?

I once started a thread about this in the FidoNet 80XXX folder. We had some 
pretty good ideas there, and I had something that would free all memory used by 
the program, minus 5 bytes for each interrupt you are hooking.

If you wish to get more information about this, netmail me on any of the 
addresses on my signature.

Inbar Raz
- - --
Inbar Raz                  5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's.  (9:9721/210)
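
As an added example for the CRC-check exchange above (written for this digest, not code from either poster), the Python below is a baseline-and-compare integrity checker of the kind the post recommends running daily: it fingerprints every executable under a directory, and on the next run reports files that changed, appeared or vanished. The fingerprint is CRC32 by default, as in the post; the optional key switches to HMAC-SHA256, an addition beyond what the post describes (CRC32 is linear, so a virus that knows it is in use can pad a file back to its old value). The file tree and the three "infections" are constructed: bytes appended to one file, another overwritten at the same size, a new file dropped in.

```python
"""Baseline-and-compare integrity checker for executables.

Example code written for this digest; not from either poster. CRC32 is
the fingerprint named in the post; the keyed HMAC-SHA256 option is an
addition. The file tree and the simulated infections are constructed.
"""
import hashlib
import hmac
import os
import tempfile
import zlib

EXECUTABLE_EXTENSIONS = (".com", ".exe", ".sys", ".ovl")


def fingerprint(path: str, key: bytes = None) -> str:
    """CRC32 (hex) of the file, or HMAC-SHA256 if a key is supplied."""
    mac = hmac.new(key, digestmod=hashlib.sha256) if key else None
    crc = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            if mac:
                mac.update(block)
            else:
                crc = zlib.crc32(block, crc)
    return mac.hexdigest() if mac else "%08x" % (crc & 0xFFFFFFFF)


def build_baseline(root: str, key: bytes = None,
                   exts=EXECUTABLE_EXTENSIONS) -> dict:
    """relative path -> (size, fingerprint) for every executable under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = (os.path.getsize(path),
                                                     fingerprint(path, key))
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Differences between two baselines. Size travels with the fingerprint,
    so an appending infector is caught even on a CRC collision."""
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def accept(baseline: dict, current: dict, paths) -> dict:
    """Fold reviewed changes into the baseline. This is the step a slow
    virus relies on: accept an infected file here and it is 'known good'
    on every later run, so only accept what you just rebuilt yourself."""
    updated = dict(baseline)
    for p in paths:
        updated[p] = current[p]
    return updated


def demo(key: bytes = None) -> dict:
    """Constructed scenario: baseline, three simulated changes, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {"cmd.com": b"\xb8\x00\x4c\xcd\x21" + b"\x00" * 59,
                 "tool.exe": b"MZ" + b"\x00" * 126,
                 "readme.txt": b"not an executable, never fingerprinted"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = build_baseline(root, key)
        with open(os.path.join(root, "tool.exe"), "ab") as f:   # appender
            f.write(b"VIRUS-TAIL-FILLER")
        with open(os.path.join(root, "cmd.com"), "r+b") as f:   # overwriter
            f.write(b"\xe9\x10\x00")                            # same size
        with open(os.path.join(root, "drop.com"), "wb") as f:   # new file
            f.write(b"\xcd\x20")
        after = build_baseline(root, key)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

compare() reports all three changes whether or not a key is used. accept() is where Malte's objection bites: a slow virus needs nothing cleverer than a user who folds every reported change into the baseline, so only accept files you have just rebuilt or installed yourself, and keep the baseline (and the key, if one is used) on the write-protected boot floppy rather than on the disk being checked.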

------------------------------

Date:    Sat, 13 Mar 93 13:32:38 -0500
From:    HAYES@urvax.urich.edu
Subject: VS for Pathwork (tm) (VMS)

Hello.  Just to announce the availability of John Burke's Virus Scanner (VS)
for Pathwork.  Please note:

IMPORTANT:  This site has "prime-time" from 10:00 to 22:00.  Please do not
            initiate any file transfers during this period (all times EST)

	    The files in this directory are provided "as-is."  They are
	    supplied as a public service, and the University of Richmond has
            not checked, used, or recommended them.  If you do use them please
            contact the author.
  
	    Neither university computing nor this user are responsible in case
            of problems occurring after using these programs.

            Neither University Computing nor this user will support these
            programs.

===========

Directory content (03/13/93):     [ANONYMOUS.MSDOS.ANTIVIRUS.VMS]
- -----------------

This directory contains John Burke's "Virus Scanner (VS)" for Pathworks.

Suggested retrieval:  get VS040.COVER and VS040.INSTALL (ASCII files) and see if
you want the rest.  If so, get LZDCMP.EXE and VS040.A_LZ in binary mode and:

$ LZDCMP == "$SYS$DISK:[]LZDCMP"    ! set up LZDCMP as a "foreign image"
$ LZDCMP VS040.A_LZ VS040.A         ! decompress and restore attributes

LZDCMP.EXE;2    194   decompression program (from old decus tape)
VS040.A_LZ;1    286   compressed version of original distribution
VS040.COVER;1     5   original cover letter from author
VS040.INSTALL;1  85   original installation letter from author
                   
Size is in "blocks" of 1/2 K (512 bytes) each.

Please remember also that you have some _privileges_ to install this program. 
It is NOT for the end user...

Many thanks to John Lundin Jr., our site manager, for the help he provided when
dealing with this program.

=====
Site:       urvax.urich.edu,  [141.166.36.6]    (VAX/VMS using Multinet)
Directory:  [anonymous.msdos.antivirus.vms]

FTP to urvax.urich.edu with username anonymous and your email address
as password.  You are in the [anonymous] directory when you connect.

cd msdos.antivirus.vms <cr> to enter the directory where these files reside.
===

Best, Claude.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173

------------------------------

Date:    11 Mar 93 18:01:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: Michelangelo protection (CVP)

HISVIRY.CVP   930210
 
                      Michelangelo protection
 
A number of suggestions were made during early 1992 as to how to
deal with Michelangelo.  Since so very many antiviral programs,
commercial, shareware and freeware, identified the virus, it was odd
the lengths that people were willing to go to in order to avoid this
obvious step.  The "computer expert" in one of our local papers
wrote an article on Michelangelo for his weekly column.  It was
packed with errors, and he was roundly chastised by many people.  A
large contingent of his detractors were local BBS sysops who urged
him to simply get one of the shareware scanners and make certain. 
His response, the next week, was to publish a column stating that no
self respecting business would be caught dead with a modem.  Among
the other recommendations of the high and mighty:
 
Backups - *always* a good idea.  And, given that Michelangelo is a
boot sector infector, it wouldn't be able to "store" on a tape
backup.  On diskettes it would.  Even worse, many popular backup
programs use proprietary "non-DOS" disk formats for reasons of speed
and additional storage.  These, if "infected" by Michelangelo, would
become unusable.
 
Change computer clock - if Michelangelo was set to go off on March
6, just make sure March 6 never happened.  Part of the trouble with
this was that many people did not understand the difference between
the MS-DOS clock and the "system" clock read by interrupt 1Ah.  The
MS-DOS DATE command did not always alter the system clock.  Certain
network connected machines also have "time server" functions, so
that the date would be reset to conform to the network.  Finally,
1992 was a leap year, and many "clocks" did not deal with it
properly.  Thus, for many computers, "March 6" came on the Thursday,
not Friday.  (An even sillier suggestion was to "test" for
Michelangelo by setting the date to March 6 and then rebooting the
computer.  This is known as "Michelangelo roulette".)
 
OS/2, Novell or UNIX boxes - Michelangelo is widely perceived as an
MS-DOS virus.  This is not quite correct.  It is, rather, a BIOS
virus.  It can "infect" Intel CPU BIOS/ISA compatible machines,
although many will no longer run after the infection.
 
Stay off modems - neither the master/partition boot record nor the
boot sector are identifiable files under MS-DOS.  Therefore, neither
can be transmitted as files over a modem or bulletin board by the
average user.  Although "dropper" programs are theoretically
possible, if they exist at all they are extremely rare.  The danger
of getting a Michelangelo infection from a BBS is therefore so small
that for all practical purposes it does not exist.  The prohibition
against bulletin boards merely cuts you off from a major source of
advice and utility software.
 
copyright Robert M. Slade, 1992   HISVIRY.CVP   930210

==============
Vancouver      ROBERTS@decus.ca         | Omne ignotum pro magnifico.
Institute for  Robert_Slade@sfu.ca      |  - Anything little known
Research into  rslade@cue.bc.ca         |    is assumed to be
User           p1@CyberStore.ca         |    wonderful.
Security       Canada V7K 2G6           |               - Tacitus

------------------------------

Date:    11 Mar 93 18:10:00 -0600
From:    "Rob Slade" <roberts@decus.arc.ab.ca>
Subject: March 1992 and the media

HISVIRZ.CVP   930210
 
                Michelangelo - March 1992 and Media
 
In the fall of 1989, there was a large amount of media attention
given to two Jerusalem variants, Datacrime and "Columbus Day".  The
promotion appeared to be instigated by a particular antiviral
service vendor.  It turned out that these viri had far less
distribution than was being claimed.  I suspect that the media has
had a distrust of "virus hype" stemming from this date.
 
However, the epidemic of Michelangelo in the spring of 1992 could
not be denied.  Vendors were making unsubstantiated claims for the
numbers of infections which, in retrospect, turn out to have been
surprisingly accurate.  More importantly, the research community as
a whole were seeing large numbers of infections.  The public was
seeing them as well, since no less than thirteen companies shipped
commercial products which turned out to be infected with the
Michelangelo virus.
 
"Instant experts" arose to fill the need for press releases,
confusing Michelangelo with every other virus that ever put a
message on a screen.  (One such "consultant" called a researcher for
a "professional courtesy consultation" -- to ask what a "boot
sector" was.)  Accounting firms (why are accountants supposed to be
so "computerate"?) trumpeted the injunction not to call bulletin
boards, heedless of the fact that BSIs don't *spread* via modem. 
The media darlings, of course, took full advantage, but even I had
twenty seconds of my fifteen minutes of fame used up on the tube. 
(But who got his picture in the paper?  My brother, who did not
*believe* in viral programs, to whom I had given a copy of a
scanner, and who found the computer in his church to be infected --
at 11:50 pm on March 5.)
 
(Two producers of commercial antiviral programs released crippled
"freeware" versions of their scanners.  These I view with some
disfavour.  The programs *did* briefly mention that they only
checked for Michelangelo, but certainly gave users the impression
that they were checking the whole system.)
 
Because of the media attention, a number of checks were made that
would not have been done otherwise.  Hundreds, even thousands, of copies
of Michelangelo were found in single institutions.  Infection rates
ranged from one per thousand to 25% and more in some parts of
Europe.  Some reports, such as the infection of an entire network of
pharmacy computers in South Africa, were later found to be spurious,
but estimates of millions of copies had a sound basis.  (There were
no reports of Michelangelo detected in Japan beforehand, but a small
number of computers were wiped out on the Friday.  This is
particularly interesting in view of the fact that MITI had been
loudly proclaiming that Michelangelo would not be a problem in
Japan.)
 
Having found, and removed, a great many copies, the number of "hits"
on March 6 was not spectacular.  Hundreds, and perhaps thousands, of
machines were struck, but the damage was nothing as great as it
might have been.  Predictably, perhaps, media reports on March 6
started to dismiss the Michelangelo scare as another overhyped
rumour, completely missing the reality of what had transpired.
 
copyright Robert M. Slade, 1992   HISVIRZ.CVP   930210

==============
Vancouver      ROBERTS@decus.ca         | Slade's Law of Computer 
Institute for  Robert_Slade@sfu.ca      |        Literacy:
Research into  rslade@cue.bc.ca         |   - There is no such thing
User           p1@CyberStore.ca         |     as "computer illiteracy";
Security       Canada V7K 2G6           |     only illiteracy itself.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 45]
*****************************************
