To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #47
--------
VIRUS-L Digest   Wednesday, 24 Mar 1993    Volume 6 : Issue 47

Today's Topics:

Scanners getting bigger and slower
Scanners getting bigger and slower
bill.lamdin misquoted don.peters
Privacy matters vs. Virus-related (All)
Swap-boot virus (PC)
scanners. (PC)
scanners. (PC)
Re: Virstop under windows (PC)
New (?) 2294 virus ? (PC)
Michelangelo Virus - do I have it? (PC)
WordPerfect virus may be BUG (PC)
Re: F-PROT 2.07 and Windows not compatible? (PC)
Why are McAfee's reportfile-output and screen-output different? (PC)
standardization (PC)
Re: Signitures (PC)
Re: standardization (PC)
Re: Date triggered virus (PC)
Re: EXE/COM switch (PC)
Info Needed (PC)
Strange occurances on Mar 6. (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Fri, 12 Mar 93 08:06:00 +0100
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

frisk@complex.is (Fridrik Skulason) writes:

 >>Instead of having one big huge turtle speed scanner, you would have, say, 4
 >>scanners.

 > So what ?  Remember - for any decent scanner the speed does (almost) not
 > depend on the number of viruses.  Creating 4 scanners will simply mean
 > that the time will increase by a factor of 4, if you ran them all - and any
 > one of them would be of the same speed as the original one.

The whole point of having more than one scanner, is that there is a 
considerable amount of viruses which are considered rare, or extinct, whose 
chances of infecting you are unreal. Therefore, scanning for them is less 
likely to be needed. On the other hand, there are some viruses which are very 
common, such as Mich, Jerusalem or even 4096. Scanning for them should be done 
more frequently.

 > Remember, not all scanners are turtles...

I was predicting a future situation. Perhaps today not, but in the future, if 
viruses keep multiplying like they do, soon enough all anti-viruses will have 
to be written for protected mode, otherwise there wouldn't be enough memory 
for all virus information, or speed :-)

Inbar Raz
- - --
Inbar Raz                  5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's.  (9:9721/210)

------------------------------

Date:    Fri, 12 Mar 93 08:09:00 +0100
From:    Inbar_Raz@f210.n9721.z9.virnet.bad.se (Inbar Raz)
Subject: Scanners getting bigger and slower

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

 >> Thus, you would use them in different frequencies, and each would run
 >> faster and better.

 > This is not very convenient from the user's point of view... But the
 > idea could be changed a bit to achieve practically the same thing -
 > there could be one scanner, with many overlays. The users will be able
 > to select how "secure" they want their scanner to be, thus selecting
 > which of the overlays will be executed during the scanning process.
 > However, the differentiation does not need to be by stealth/encrypted/etc.
 > it only needs to be based on how common the viruses are.

Of course. Your idea does make more sense than mine does... Still, we both 
agree that the degree of commonness should be taken into consideration.

 > This will be much like the today's option in many scanners for
 > "secure"/"turbo" scanning mode, the former usually meaning that the
 > whole file is scanned, while the latter means that only those places
 > of the files are checked, where a virus is likely to be present.

I believe this refers to complete file scan as opposed to checking the EXE 
header only, assuming a certain virus will always have the same IP or other 
header information set.

Inbar Raz
- - --
Inbar Raz                  5 Henegev, Yavne 70600 ISRAEL. Phone: +972-8-438660
Netmail: 2:401/100.1, 2:403/100.42, 9:9721/210 nyvirus@weizmann.weizmann.ac.il

- ---
 * Origin: Inbar's.  (9:9721/210)

------------------------------

Date:    Mon, 15 Mar 93 10:25:06 -0500
From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
Subject: bill.lamdin misquoted don.peters

In issue 42/6 bill.lamdin mistakenly referred to some text to
which he attributed me as the author. (The words don't sound
like mine, and I never use "--" or "circumspect" in text.)

The quote was too short for me to determine the author, or to
determine if I agreed with what was being said. :-)


------------------------------

Date:    Thu, 18 Mar 93 21:11:17 -0500
From:    fergp@sytex.com (Paul Ferguson)
Subject: Privacy matters vs. Virus-related (All)

For those of you who attended last week's "Ides of March" Conference in
New York -
 
I noticed a trend in discussion towards what I would categorize as
privacy issues. The Toots after-dinner discussion went far astray,
as far as discussion goes (perhaps you noticed my annoyance and
attempt to route folks discussing the topic to the appropriate
channels), but shall we address these topics as "virus" related
topics in the future? I'd like to think not, but I think many
of us would like to see legality and privacy cross paths somewhere in
the immediate future. Legality is borne upon introduction. Simplified,
if you bitch about it loud and long enough, and it hurts someone,
somewhere, at sometime, without their permission or knowledge -- it's
criminal. Period. Common sense dictates measures that identify those
that endorse criminal computer activity be identified and punished.
This type of behavior in the computer community (as well as applied
to non-computer related activities) is unacceptable. This is where the
topic of viruses comes into play, because in this capacity, they do
infringe upon computer users' right to a _private_ system, if they
desire it. (Hey, that's why they call it a Personal Computer, right?)
 
The "privacy" issues outlined and discussed within the confines of the
conference "boundaries", have started to cross (again, what I
categorize as) Open Systems designs.
 
The linear definition of "Open Systems" is constantly changing. With
the recent acquisition of USL by Novell, the workstation environment is
changing, consistently conforming and adapting to cross-platform
computing. Yesterday I walked up to the McGraw-Hill Professional
Bookstore and bought "The Programmer's Reference To Netware". This book
includes the interrupt level information on the Netware API. It
basically does for NetWare what Ralf Brown did for DOS.
 
Is UNIX next?  I've read Pete Radatti and Fred Cohen's "papers" in
response to David Thompson's "Why UNIX is immune to computer viruses"
paper. Hmmm....
 
Back on topic, (somewhat), for those of you who wish to address
privacy issues, there are two other pipelines if you wish to wade into
them:
 
Cypherpunks - A realtime, mail subscription service. Be forewarned:
It's high volume and sometimes very technical. In fact, last week one
of its "former" subscribers mail bombed the remainder of the
subscribers because he grew impatient waiting to be "un-subscribed."
Topics include digital privacy, anonymous remailers, PGP encryption.
To subscribe: send a message to cypherpunks-request@toad.com
 
Computer Privacy Digest - ALL submissions should be addressed to
"privacy@cv.vortex.com" and must have RELEVANT "Subject:" lines.
Submissions without appropriate and relevant "Subject:" lines may
be ignored.  Subscriptions are by an automatic "listserv" system;
for subscription information, please send a message consisting of
the word "help" (quotes not included) in the BODY of a message
to: "privacy-request@cv.vortex.com".  Mailing list problems should be
reported to "list-maint@cv.vortex.com".  All submissions included in
this digest represent the views of the individual authors and all
submissions will be considered to be distributable without limitations.
 
I hope this helps filter topical messages unrelated to computer
VIRUSES.
 
Cheers.
 

Paul Ferguson                     |
Network Integration Consultant    |  "All of life's answers are
Alexandria, Virginia USA          |   on TV."
fergp@sytex.com     (Internet)    |           -- Homer Simpson
sytex.com!fergp     (UUNet)       |
1:109/229           (FidoNet)     |
         PGP public encryption key available upon request.

------------------------------

Date:    Mon, 15 Mar 93 02:04:56 +0000
From:    phbtt@wombat.newcastle.edu.au
Subject: Swap-boot virus (PC)

I have used McAfee VIRUSCAN version 102 to scan my computer and a
virus called Swap Boot [Swb] is found. I used McAfee CLEAN-UP version
9.14V102 to clean this virus. The screen prompted that `Virus can not be
safely removed from partition table.'.  I have tried to reformat the
whole hard drive, delete the partition table and create a new one and
turn the power off before rebooting again from diskette. These do not
help at all.
                                                       
I hope someone can help me!

							B T TAN
                                                               

------------------------------

Date:    Fri, 12 Mar 93 14:41:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: scanners. (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

 > Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv) writes:

    >>  VB: > when I'm saying Jerusalem.AntiCAD.4096.Mozart, Frisk knows what
    >>      > I mean.
AN: >> I would differentiate the interests of Virus researchers from this of
    >> the common user.

VB: > Don't be so quick to underestimate the interests of the common user.
I'm not! They are my customers!

VB: > When this user asks for assistance, it is not very
    > helpful if he tells you "The product XYZ found the Generic Boot virus on
    > my machine. How to remove this virus and what the hell does it do?"...
Good. So give him the information required if he asks it, let him read VSUM or
your (not yet finished) VIRUS_INFORMATION (or whatever it is you call it). But
don't make him/her worried about something that has no special meaning to
him/her.

VB: > I agree that the two most important questions for the user are "Am
    > I infected?" and "If I am, how to get rid of it?", but the third most
    > important question is "What has it done to my data?"...
Most viruses do not tamper with DATA. You probably meant "to my files" or
"Disk". If so, then I completely agree with you.

VB: > If it were not like that, everybody would use an integrity checker,
Ohh Noooooo, (But it's not such a bad idea) 8-).

VB: > instead of scanners - the integrity checker tells you that you are
    > infected, and often can repair the infection,
Tell me about it... We've invented the generic restoration method that is in 
use today also by V-ANALYST of your favour.

VB: > but is unable to identify the virus and to tell you what else to expect..

------------------------------

Date:    Fri, 12 Mar 93 10:22:01 +0100
From:    Malte_Eppert@f6051.n491.z9.virnet.bad.se (Malte Eppert)
Subject: scanners. (PC)

Hello Inbar!

 >> Sorry, it won't. It will catch any modification, that's true. But if you
 >> get infected with a slow virus, the user just would regard the change as
 >> legitimate. Then, Vesselin introduced the idea of a DOS file
 >> fragmentation attack. You could not detect that with a file-oriented CRC
 >> checker, too.

 > Look. In order for a file to infect a virus it must either add
 > itself to the file, or overwrite or replace the first file's
 > cluster (known methods of infection, correct me if I'm missing
 > anything). If you run a CRC check DAILY, you WILL locate these
 > changing.

True, but if you got a slow virus (which only infects when a file is 
intentionally written to), you just would say to yourself: Ah, of course the 
file has changed. I have done it by myself. You simply would regard any 
reported changes as legitimate, e.g. recompiling an EXE. That's why you
couldn't catch "any virus".

The DOS file fragmentation, a theoretically possible infection described in 
one of Vesselin's papers, is another kind of attack you can not detect if you 
checksum your data file-based. That's due to the special structure of the two 
hidden system files, which are handled as a chain of physical sectors at boot 
time and get their file-character only after DOS is loaded (because when DOS 
is not loaded, there exists no file system). If a virus puts itself into a 
sector physically used by one of these files, moves the original sector to 
another location and changes the FAT chain for the file, an Integrity Checker 
which is not aware of this would not recognize any change, because this
change is transparent for a file-based checker, but the PC will load the
virus at boot time.

 > What you're saying is true only if I had let my system
 > get infected, and only THEN, after the viruses had already
 > started to activate, I ran the tests.

Sorry :-)

 >> Unloading is a problem if the TSR is not the last one in the TSR chain.

 > By unloading, I don't mean removing from memory. I mean
 > disabling

That's alright.

cu!
eppi

- --- GEcho 1.00
 * Origin: No Point for Viruses - Eppi's Point (9:491/6051)
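
The blind spot described in this post, as an added example that is not part of the original message: a toy in-memory volume where a file-oriented CRC stays the same after a sector is relocated and the FAT re-linked, while a check of the physical sectors read at boot does change. The sector size, layout, function names and the 0xCC filler bytes are assumptions made for the illustration.

```python
import zlib

SECTOR = 16                     # toy sector size; real DOS sectors are 512 bytes
EOF = -1                        # end-of-chain marker in this toy FAT
BOOT_FIRST, BOOT_COUNT = 2, 3   # physical run the boot code reads (assumed)


def make_volume():
    """Constructed toy volume: one system file in sectors 2-4, 5-7 free."""
    sectors = [bytes(SECTOR) for _ in range(8)]
    for i, n in enumerate(range(BOOT_FIRST, BOOT_FIRST + BOOT_COUNT)):
        sectors[n] = bytes([0x41 + i]) * SECTOR   # "AAA..", "BBB..", "CCC.."
    fat = {2: 3, 3: 4, 4: EOF}
    return sectors, fat, 2      # 2 = start cluster from the directory entry


def chain(fat, start):
    """Clusters of a file in FAT order, refusing loops."""
    out, cluster = [], start
    while cluster != EOF:
        if cluster in out:
            raise ValueError("loop in FAT chain")
        out.append(cluster)
        cluster = fat[cluster]
    return out


def file_crc(sectors, fat, start):
    """What a file-oriented checker sees: content read through the FAT."""
    return zlib.crc32(b"".join(sectors[c] for c in chain(fat, start)))


def physical_crc(sectors):
    """What the boot code sees: the fixed physical run, FAT not consulted."""
    return zlib.crc32(b"".join(sectors[BOOT_FIRST:BOOT_FIRST + BOOT_COUNT]))


def snapshot(sectors, fat, start):
    """Baseline record holding all three views of the system file."""
    return {"file": file_crc(sectors, fat, start),
            "physical": physical_crc(sectors),
            "chain": chain(fat, start)}


def relocate(sectors, fat, moved, free, new_content):
    """Model the change from the post: the original sector goes to a free
    one, the FAT is re-linked to it, the old location gets other content."""
    sectors[free], sectors[moved] = sectors[moved], new_content
    fat[free] = fat.pop(moved)
    for cluster, nxt in fat.items():
        if nxt == moved:
            fat[cluster] = free


def audit(baseline, sectors, fat, start):
    """Report which checks notice a difference from the baseline."""
    now = snapshot(sectors, fat, start)
    return {name: now[name] != baseline[name] for name in baseline}


def demo():
    sectors, fat, start = make_volume()
    baseline = snapshot(sectors, fat, start)
    # 0xCC bytes are a constructed stand-in for "some other content".
    relocate(sectors, fat, moved=3, free=6, new_content=b"\xCC" * SECTOR)
    return audit(baseline, sectors, fat, start)


if __name__ == "__main__":
    print(demo())
```

Only the "physical" and "chain" checks report a difference, so a checker that records the cluster chain or hashes the boot-time sectors notices what the file-level CRC does not.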

------------------------------

Date:    Wed, 17 Mar 93 11:27:19 -0500
From:    Alessandro Lombardi <alexl@dec01.ing.como.polimi.it>
Subject: Re: Virstop under windows (PC)

In VIRUS-L 43, Otto Stolz wrote he could not use Virstop 2.07 with /copy
using windows.
I use DR-DOS 6.0 with windows 3.1 and have no problems, except that
/warm (checks drive a: when ctrl-alt-del is pressed) crashes the system.
I reported this to frisk, but I still have not received any answer,
not even a "your post arrived"!!!

By the way, a friend of mine gave me PcTools 8.0, and when it asked me
whether to build an emergency diskette, the BIOS cried "ATTENTION: great error of
the disk while writing on drive D: (I use DR-DOS with sstor) retry?"
Has anyone had the same problem?? I had to format the HD using Auto interleave
and BIOS format (I have an American Megatrends). You can also answer to my
personal email, use the subject Re:PcTools 8.0.

Thanks in advance.

- -alexl


***************************************************************************
**                                                                       **
**   Alessandro Lombardi, via P.Verri,12, 21100 VARESE (VA)-ITALY        **
**   Tel.: 0332/265777;    e-mail: alexl@dec01.ing.como.polimi.it        **
**                                                                       **
**  # "Despite the paternalism of us coaches, those left out will        **
**     be moodily downcast."                                             **
**  # "We do not buy just anyone in order to practice anyone-ism"        **
**  # "Players with different characteristics then elude one             **
**     another, and it then becomes hard to put oneself forward          **
**     in emotion, as you are used to saying."                           **
**                    ( Giovanni  "gioppino"  Trapattoni )               **
**                                                                       **
***************************************************************************

------------------------------

Date:    Thu, 18 Mar 93 15:14:48 +0000
From:    v922340@multatuli.si.hhs.nl (Ivar Snaaijer)
Subject: New (?) 2294 virus ? (PC)

Hi virus netters,

A customer came across last thusday, complaining about Windows:
the Windows we installed on his system didn't work and bailed out
with an error complaining about almost everything. It was likely a virus
because when I execute a program that isn't likely to execute normally
(tree.com) the harddisk is quite busy but the second time it isn't
(I mean not searching the tree!)
TBSCAN (v5.04) showed behind a lot of files a U and a K which mean
an undocumented DOS call and an odd stack. Executing a file that didn't
have the UK flags resulted in the fact that it did get the flags.

I have beta tested TBSCAN v5.10 which claims it is the 2294 virus
(v5.04 doesn't recognize it) ... it struck me as an abnormality,
because TBSCAN had recognized all the viruses I have on stock. I've tried
F-PROT which says that the file is strange but doesn't report a virus
either, SCAN v99 doesn't see anything, and I'm going to try v102 this afternoon.
Is there anybody who can tell me more about this virus? (except it is
2294 bytes long)

Ivar.


- -----------------------------------------------------------------------------
Rule one in program optimization : Don't do it.
Rule two in program optimization (for experts only) : Don't do it yet.
Rule three in program optimization (for athletes only) : Just do it.
- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date:    Thu, 18 Mar 93 11:58:41 -0500
From:    jimf@iwtdr.att.com
Subject: Michelangelo Virus - do I have it? (PC)


I just bought my first PC, a 486SX running MS-DOS 5.0. Someone gave me
a floppy with the vi editor on it. When I went to install it,
(xcopy a:\ c:\vifiles) the virus detection software that came on my PC, 
went off warning of Michelangelo in the boot sector of my a: floppy disk 
drive.  Then MSDOS kept prompting me if vifiles was a directory. Being a PC
novice, I couldn't figure out how to break out of it and accidentally hit
the y so that some of the files did get copied to c:\vifiles before I turned
off drive a:. I then deleted (del) them and removed the directory (rmdir).
When I rebooted my machine, no viruses were detected. I did not attempt to 
execute vi or anything.

My questions:

1) Could I have the virus now even though my virus detector says no?

2) If I do, how can I find it and get rid of it?

------------------------------

Date:    Thu, 18 Mar 93 12:14:22 -0500
From:    moy@xp.psych.nyu.edu ()
Subject: WordPerfect virus may be BUG (PC)

Greetings:

	There have been several posts about a possible "WordPerfect
Virus" where the hard disk usually runs out of space.  The most recent
posting mentioned that retrieving *.WQ1 files led to this problem.
The behavior cited may be the result of a bug in WordPerfect.

	I call this the "Infinite Retrieve" bug.  WordPerfect versions
4.2, 5.0 and 5.1 (DOS), when retrieving a damaged document file or a
foreign-format file, sometimes appear to continue "retrieving" until
you reboot the machine.  It seems to allocate only free disk space
until no more remains, yet it does not stop or report an error when
the disk is completely allocated.

	I first discovered this problem a few years ago when I tried
to retrieve a WordStar 3.3 document (actually, the original WordStar
PRINT.TST) file.  This behavior is repeatable and occurs with each of
the three versions of WordPerfect I've tried it on.  Recently, I have
encountered the same behavior with a WordPerfect 5.1 document file
with a damaged header.  As an experiment, I tried truncating this
damaged file to see how little was needed to trigger this effect.
Only a 128-byte long fragment of this broken header was enough to cause
WordPerfect to go silly.

	While later versions of WordPerfect suppress the retrieving of
certain system files like its own executables and temporaries,
WordPerfect is still not clever enough to elegantly reject faulty
files.  This problem is NOT related to retrieving document files into
the current document, effectively merging them together.


Moy Wong, PC Specialist, Dept. of Psychology, New York University
(moy@xp.psych.nyu.edu)


------------------------------

Date:    18 Mar 93 19:38:58 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: F-PROT 2.07 and Windows not compatible? (PC)


>VIRSTOP is the TSR component of the F-PROT package. VIRSTOP 2.07 has
>been enhanced with new features, which can be invoked via command line
>options. Apparently, one of the new options, viz. "/COPY", is not
>compatible with Windows. The symptoms are thus:

Actually, this seems to happen (almost ?) only if the /COPY and /DISK
switches are used together.  I have created a version which disables /COPY
while windows is running, but I expect to have a proper solution in place
in version 2.08....until then don't use /COPY and /DISK together.

- -frisk

- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801

------------------------------

Date:    Thu, 18 Mar 93 22:49:17 +0000
From:    RUTGER@KUBVX1.KUB.NL (Rutger van de GeVEL)
Subject: Why are McAfee's reportfile-output and screen-output different? (PC)

Dear networkers,

I'm not sure if this is the right place to ask this, but I'll do it
anyway. Maybe some of you have noticed that the screen output from
both SCAN.EXE and CLEAN.EXE (from McAfee Associates) is different from
the output produced when the /REPORT option is used. The output in the
report file is very brief and (for example) doesn't show if a virus is
(or isn't) removed: it only tells that a virus has been found. Why is this? 
The reason why I ask this is that I would like to process the report files
from SCAN.EXE and CLEAN.EXE in order to automatically eliminate any virus
that is found with a self-written program. So IMHO the output in the report
files should be more elaborate or at least the same as the screen-output
(this applies to both SCAN.EXE and CLEAN.EXE).

Example:
Output on the screen from CLEAN.EXE when cleaning [Stoned]:

Cleaning [stoned]

Scanning for memory resident viruses.
Scanning 64K RAM......
Drive B: has no volume label.
Scanning boot sector of disk B:

  Found the Stoned [Stoned] Virus in boot sector.
  Virus cannot be safely removed from boot sector. <--- Yes, message is there
                
 Found 1 file containing viruses.

     This McAFEE(TM) software  may.....
     Copyright (c) McAfee Associates 1989-1993. All Rights Reserved.

Output in the report file by CLEAN.EXE (with /report option) when
cleaning [Stoned] (the same disk with the same virus):

Options: b: [stoned] /a /m /chkhi /nopause /unattend /report c:\clean.log

Drive B: has no volume label.
  Found the Stoned [Stoned] Virus in boot sector.
- ---> Am I missing something here? <----

 Found 1 file containing viruses.


Thanks,



*******************************************************************************
Three Accounts for the Super-users in the sky,    * Rutger van de GeVEL,
  Seven for the Operators in their halls of fame, * Student Information
Nine for Ordinary Users doomed to crie,           * Management & Technology,
  One for the Illegal Cracker with his evil game  * Tilburg University, Holland
In the Domains of Internet where the data lie.    *********** Email address:
  One Account to rule them all, One Account to watch them,  * rutger@kub.nl
  One Account to make them all and in the network bind them * Phone : (66)2049
In the Domains of Internet where the data lie.              * Office: B512
*******************************************************************************

------------------------------

Date:    Sun, 14 Mar 93 10:07:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: standardization (PC)

frisk@complex.is (Fridrik Skulason) in an answer to
Amir Netiv on the issue of naming viruses writes:

 > the actual name is not significant, with respect to
 > cleaning - what matters is the ability of the anti-virus
 > software to distinguish between variants that must be
 > removed in different ways or have different effects
Right...
Tell that to Vesselin...

 > - something you cannot do if you call all the Jerusalem
 > variants just "Jerusalem-B"
What you call it does not matter as you say in the above text, but only if the 
scanner can make the distinction, and if that is so... call it whatever you 
want.

Regards

* Amir Netiv. V-CARE Anti Virus, head team *

- --- FastEcho 1.21
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Fri, 19 Mar 93 08:15:01 +0000
From:    wolfgang.stiller@rose.com (wolfgang stiller)
Subject: Re: Signitures (PC)

Date Entered: 03-19-93 03:04

hdg@fm11ap03.tu-graz.ac.at (Bernhard Heidegger) writes:

HD>motazev@hobo.ECE.ORST.EDU wrote:
HD>: To check for an executable file a virus will read in the appropriate bytes
HD>: and check to see if it is "MZ".

HD>: Why do some viruses check for "ZM"? What kind of file does this denote?

HD>I think the signature is always "MZ" but Intel - processors (like 80386)
HD>store a word (2 Bytes) in the form "lo-byte hi-byte". So, if a virus
HD>checks the signature as a word it test for "ZM".

It's a somewhat little known "feature" of DOS that .EXE loadable files can
also begin with "ZM" as well as "MZ".  Several viruses (as well as AV
products of course <g>) are well aware of this fact and will look for
files beginning with either ZM or MZ to infect.

Regards, Wolfgang  (Author of Integrity Master)

Stiller Research, 2625 Ridgeway St. Tallahassee, FL 32310, U.S.A.
- ---
   SLMR 2.1a  
   RoseMail 2.10 :
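
The two points made in this thread about the EXE signature, as an added example that is not part of the original posts: a header parser that accepts both "MZ" and "ZM", shown beside a check that looks only for "MZ", and the little-endian word values the two signatures produce. The function names and the sample header values are constructed for the illustration.

```python
import struct

# DOS EXE header: 2-byte signature followed by thirteen little-endian words.
HEADER = struct.Struct("<2s13H")
FIELDS = ("cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
          "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")
SIGNATURES = (b"MZ", b"ZM")     # both forms, as stated in the post above


def signature_as_word(data: bytes) -> int:
    """Read the first two bytes the way an x86 word compare sees them."""
    return struct.unpack_from("<H", data)[0]


def naive_is_exe(data: bytes) -> bool:
    """Incomplete check: recognises only the common "MZ" form."""
    return data[:2] == b"MZ"


def parse_exe_header(data: bytes):
    """Return header fields for an MZ or ZM file, or None if it is not one."""
    if len(data) < HEADER.size or data[:2] not in SIGNATURES:
        return None
    sig, *words = HEADER.unpack_from(data)
    hdr = dict(zip(FIELDS, words))
    hdr["signature"] = sig.decode("ascii")
    hdr["header_bytes"] = hdr["cparhdr"] * 16
    # Size claimed by the header: 512-byte pages, the last one partial
    # when cblp is non-zero.
    pages, last = hdr["cp"], hdr["cblp"]
    hdr["image_bytes"] = max(pages * 512 - ((512 - last) if last else 0), 0)
    # Entry point as a file offset. CS is relative to the load module and
    # may wrap (e.g. 0xFFF0), so reduce modulo the 1 MiB real-mode space.
    linear = ((hdr["cs"] << 4) + hdr["ip"]) & 0xFFFFF
    hdr["entry_offset"] = hdr["header_bytes"] + linear
    return hdr


def make_sample(signature: bytes) -> bytes:
    """Constructed 64-byte header: 3 pages, 0x90 bytes on the last page,
    4 header paragraphs, entry at CS:IP = 0002:0010."""
    fixed = HEADER.pack(signature, 0x90, 3, 0, 4, 0, 0xFFFF,
                        0, 0xB8, 0, 0x10, 0x02, 0x40, 0)
    return fixed + bytes(64 - len(fixed))


if __name__ == "__main__":
    for sig in SIGNATURES:
        sample = make_sample(sig)
        print(sig, hex(signature_as_word(sample)),
              naive_is_exe(sample), parse_exe_header(sample))
```

A scanner or integrity checker that decides what counts as an EXE should use the two-signature test; the "MZ"-only check skips files that begin with "ZM".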

------------------------------

Date:    Fri, 19 Mar 93 15:07:42 +0000
From:    gerald@vmars.tuwien.ac.at (Gerald Pfeifer (Prak Gusti))
Subject: Re: standardization (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

>Hm, that's rather natural, maybe we should include this in the naming
>scheme... Currently it allows abbreviations in the "opposite
>direction", i.e., if your scanner cannot distinguish between
>Jerusalem.AntiCAD.4096.Mozart and Jerusalem.AntiCAD.4096.Danube, you
>are allowed to report just Jerusalem.AntiCAD.Mozart. 
                            ^^^^^^^^^^^^^^^^^^^^^^^^

Shouldn't that read "Jerusalem.AntiCAD.4096"?

                                        Gerald,
                                        in a pedantic mood

............................................................................
. Gerald Pfeifer (Jerry)              Technical University Vienna, Austria .
. gerald@kongo.vmars.tuwien.ac.at     Home: Mondweg 64, 1140 Wien, Austria .
............................................................................

------------------------------

Date:    Fri, 19 Mar 93 11:59:34 -0500
From:    mikael larsson <mikael@vhc.se>
Subject: Re: Date triggered virus (PC)

marx@vms.huji.ac.il (Michael M. Marx / Jerusalem, Israel) writes:

> Hi there --
> I will be very thankful if someone will send me a list of viruses (virii...)
> triggered by dates, such as Michael Angello and April 1st etc etc.
> 
> Thanks for your urgent response,

Try downloading VSUMX3nn.ZIP (where nn is the number of the month, like
02 for February) from a BBS...
VSUM has a list of viruses that activate on different dates.

You can contact the following BBS in Israel:

Rudy's Place, Rishon le Zion Israel
Phone: 972-3-9667562
SysOp: Nemrod Kedem


Regards,

MiL

- ---
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre        Phone:  +46-26 275740      Email: mikael@vhc.se
P.O. Box 7018            Fax:    +46-26 275720         or: mikael@abacus.hgs.se
S-811 07 Sandviken,      BBS #1: +46-26 275710
Sweden                   BBS #2: +46-26 275715      Authorized McAfee Agent


------------------------------

Date:    Fri, 19 Mar 93 13:33:08 -0500
From:    BOORMABC@snyalfva.cc.alfredtech.edu (Brian C. Boorman)
Subject: Re: EXE/COM switch (PC)

>From:    Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>

[text deleted for brevity].....

>APP discusses how 4B works and leaves the reader to draw his own
>conclusions. My question to APP is how do I resolve the difference
>between the description in Norton's book and Duncan's book regarding
>how to load a program WITHOUT executing it. One book says to use
>subfunction 1 and the other says subfunction 3. Neither book gives
>enough detail that I can gain a good understanding of it without
>experimenting first.

>Controversially,
>Don Peters

There is no difference in the discussions of Function 4Bh between the Norton
and Duncan books.  The books that I referenced are Norton's Guide to PC/PS2
2nd Edition and Duncan's Advanced MS-DOS Programming.  Both of them state that
subfunction 00h loads and executes a program (as Command.com would) and that
subfunction 03h loads but doesn't execute.  Neither book makes any mention of
subfunction 01h.  The Undocumented DOS by Andrew Schulman does make some
reference to a subfunction 01h, but doesn't go into enough detail.

Either way, if a virus intends to infect any executable, and uses function
4Bh to locate executables as they are run, then simply changing the name
won't do any good, since it will still be able to find the files when they
are executed.

Brian C. Boorman
Sysop, Tech-Line BBS (VAX/VMS)
SUNY College of Technology at Alfred

------------------------------

Date:    Fri, 19 Mar 93 22:12:10 +0000
From:    wad22023@uxa.cso.uiuc.edu (Frumious Manxome )
Subject: Info Needed (PC)

Could somebody please send me some info on the Icelandic family of viruses.
Thanks in advance.

wad22023@uxa.cso.uiuc.edu


------------------------------

Date:    20 Mar 93 00:09:49 +0000
From:    lhdsy1!kato.lahabra.chevron.com!hwrvo@uunet.UU.NET (W.R. Volz)
Subject: Strange occurances on Mar 6. (PC)


On Mar 5 I ran NAV 2.1 and CP tools A-V and they found nothing. On Mar 6
I booted and twice I got a message "cannot boot from floppy". No floppy
was in either drive. The first time was at power on boot, the second
was after replying 'yes' to reboot. I powered off and powered back on
and all has been normal. No problems with the HD. I have noticed
that sometimes the HD will start writing for no apparent reason.
Sometimes it is in a burst while sometimes it quickly repeats the writing
(this from watching the HD active light). This is running dos/windows
on a gw2k 66v.  Any clues as to what is happening?

All is appreciated.
- -- 

======================
Bill Volz
Chevron Petroleum Technology Co.
Earth Model/Interpretation & Analysis Division.
P.O. Box 446, La Habra, CA 90633-0446
Phone: (310) 694-9340 Fax: (310) 694-7063

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 47]
*****************************************
