To:	   VIRUS-L@LEHIGH.EDU
Subject:   VIRUS-L Digest V6 #52
--------
VIRUS-L Digest   Tuesday, 30 Mar 1993    Volume 6 : Issue 52

Today's Topics:

Should viral tricks be publicized? (was: Integrity checking)
re: Telephones #s for BBS
Re: Disgust at the lack of interest in Atari Viruses (Atari)
Re: Disgust at the lack of interest in Atari Viruses (Atari)
Re: Catch from DIR? (PC)
Re: WordPerfect File growth etc. (PC)
could this be a virus? (PC)
RE: MICHELANGELO (PC)
Scanners and exe/com file compressors? (PC)
help-Maltese Amoeba (PC)
Re: Looking for OPCODE lists (PC)
Michelangelo (PC)
Re: Help with Michelangelo! (PC)
Boot-virus or false positive? (PC)
Windows Virus (PC)
Re: How to remove Lao Dong virus? (was: cluster pc 5)
1575 virus (PC)
Professional Group Virusized! (PC)
Catch from DIR? (PC)
Re: HELP: Harddisk deteriorating rapidly (PC)
WSMR-SIMTEL20.Army.Mil archive switches to ZIP 2.0
FIXUTL4B.ZIP (PC)
Antivirals - Define "Best" (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Mon, 29 Mar 93 07:26:33 -0500
From:    Y. Radai <RADAI@vms.huji.ac.il>
Subject: Should viral tricks be publicized? (was: Integrity checking)

>>> = Malte Eppert
>>  = Me
>   = Vesselin

>>>             Then, Vesselin introduced the idea of a DOS file fragmentation
>>> attack. You could not detect that with a file-oriented CRC checker, too.
>>
>> First, Vesselin didn't introduce the idea.  It was known to some of us
>> in 1988.
>
> Well, nevertheless it was me to -introduce- the idea to the general
> public, so that people are aware about the danger... I agree that you
> (and a few others) knew about it before, but you didn't publish it...
> I myself heard about it from a virus writer in 1990, so I decided that
> it is better to inform the good guys - since the bad guys already knew
> it... :-)

Ok, if you interpret `introduce' to mean *disclose to the public*,
then I guess Malte's remark might be considered correct.  However, I'm
not sure if *he* was aware that you were not the one who first thought
of the idea.

  However, what you have written above raises a much more fundamental
question:  When one of the "good guys" learns of a trick, knowledge of
which would help the bad guys as well as the good guys, under what
condition(s) may he or should he disclose this trick in a public
forum, where bad guys might also be listening?
  For example, even though I knew of extension companions, path
companions, the "fragmentation" attack, and "slow" viruses in 1988, I
felt that it would have been irresponsible of me to describe them in
Virus-L.  (Those who were around then may recall that I simply stated
that there are "loopholes".)
  Up to here, I think you agree with me.  However, you seem to be
saying that your criterion for when to publicize info is that "the
good guys should be informed about whatever the bad guys already
know."  There are two things that bother me about such a criterion:
  First, you speak of "the bad guys" collectively, as if they all had
exactly the same knowledge.  If a few virus writers in Bulgaria know
something, does that imply that virus writers all over the world know
it?  For example, you learned (you say it was in 1990, but wasn't it
really 1991?) that some Bulgarian virus writers were discussing the
fragmentation attack.  Does that mean that virus writers in other
parts of the world also know about it?  Perhaps you feel that it's
safer to *assume* that they do, and that would justify your
publicizing it.  But isn't it possible that your assumption about their
all knowing the trick (or learning of it within a short time) is not
correct, and if it isn't, then maybe you're doing more harm than good
by publicizing it?  (Actually, the fragmentation attack was never a
very practical threat, and won't even work on DOS 5 and up, but this
is just an example.)
  Secondly, I wonder if you're consistent in your criterion.  As you
know, there are books (e.g. Burger's and Ludwig's), underground
electronic magazines (e.g. 40 Hex and Crypt), electronic forums (e.g.
FidoNet), etc. which discuss such tricks.  If, as you state above, the
good guys should be informed about whatever the bad guys already know,
why don't you encourage everyone on this forum to read such
publications?
  Please don't misunderstand me.  I'm not criticising, but merely
questioning.  At this stage all I'm trying to do is to get you to
formulate a criterion which will cover those and only those actions
which you really consider legitimate (taking into account the above
two points).  Then we can discuss your criterion and compare it with
alternative criteria.

  Btw, it should be noted that on Fidonet there appeared an article
describing tricks which can be used by virus writers to prevent
tracing and disassembly of their code.  The reason I mention this
particular article is that it appeared under the name of someone who has
been contributing to this forum recently, Inbar Raz.  The article is
called "Anti Debugging Tricks", and one of the virus writers found it
useful enough to forward it to 40 Hex (Number 9).

                                     Y. Radai
                                     Hebrew Univ. of Jerusalem, Israel
                                     RADAI@HUJIVMS.BITNET
                                     RADAI@VMS.HUJI.AC.IL


------------------------------

Date:    Mon, 29 Mar 93 09:51:50 -0500
From:    mikael@vhc.se (mikael larsson)
Subject: re: Telephones #s for BBS

> Date:    26 Mar 93 12:28:49 +0000
> From:    hq!fhi0055@dsac.dla.mil (Marc Poole)
> 
> 
>   I'm looking for telephone numbers to call bbs for anti-viri
>   information.  I have site address that I can trade in return.
>   However, ftp and telnet take a very long time to connect.  If anyone
>   has direct number to systems that allow modem dial-in it would be
>   greatly appreciated.

Hello Marc,

        I don't know if you're interested in this, but.. we have an
        antivirus BBS here in Sweden.. with lots of information about
        viruses and most of the common antivirus programs on the market
        (shareware of course) in the BBS...

        Line1:  +46-26 275710 - USRobotics HST Dual Std/V32
        Line2:  +46-26 275715 - USRobotics HST

>   Marc Poole
>   mpoole@hq.dla.mil

MiL


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre     Phone:  +46-26 275740   Email: mikael@vhc.se
Box 7018              Fax:    +46-26 275720   or   : mikael@abacus.hgs.se
S-811 07  Sandviken   BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                BBS #2: +46-26 275715   Authorized McAfee Agent!


------------------------------

Date:    29 Mar 93 17:08:02 +0000
From:    Sam Wilson <ercm20@festival.edinburgh.ac.uk>
Subject: Re: Disgust at the lack of interest in Atari Viruses (Atari)


S12609@prime-a.plymouth.ac.uk (Trantor The Last Stormtrooper) writes:
> Being a virus researcher on the Atari ST, I feel that
> I must write to complain about the lack of interest in
> discussing Atari viruses. ...
>
> [[[ more deleted ]]]
> 
> Has anyone out there (especially Atari people!) got any
> comments???

Discuss them! No one's stopping you! People in this forum can only talk
about what they know.  If you know about Atari viruses then tell us
about them. 

Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK

------------------------------

Date:    Tue, 30 Mar 93 01:19:45 +0000
From:    rslade@sfu.ca (Robert Slade)
Subject: Re: Disgust at the lack of interest in Atari Viruses (Atari)

S12609@prime-a.plymouth.ac.uk (Trantor The Last Stormtrooper) writes:
>Being a virus researcher on the Atari ST, I feel that
>I must write to complain about the lack of interest in
>discussing Atari viruses. I can understand why you talk

Well, if you are a researcher, tell us something about Atari viral
programs.  I, for one, am all ears.  I know very little about the
Atari: I'd love to have some more details.  What *is* a "link virus"?
Is it like a file/program infecting virus on MS-DOS?  Is it more like
a companion/spawning virus?

This is an old complaint.  The answer is always the same.  We talk
about what we know: this is a forum for sharing information.  The lack
of discussion about system X is due to the usual cycle: no one talks
about system X because no one here is using system X because no one is
talking about system X.  Talk, and more of your colleagues will come.


==============                      _________________________
Vancouver      ROBERTS@decus.ca    |    |     |\^/|     |    | swiped
Institute for  Robert_Slade@sfu.ca |    |  _|\|   |/|_  |    | from
Research into  rslade@cue.bc.ca    |    |  >         <  |    | Alan
User           p1@CyberStore.ca    |    |   >_./|\._<   |    | Tai
Security       Canada V7K 2G6      |____|_______^_______|____|


------------------------------

Date:    26 Mar 93 11:02:37 -0800
From:    a_rubin@dsg4.dse.beckman.com
Subject: Re: Catch from DIR? (PC)

cftdl@ux1.cts.eiu.edu (Terry Lundgren) writes:

>I have received some excellent replies to my posting on catching
>a virus.  Basically the question is this:  Assume my system is
>clean and I have an infected disk.  I put the disk in the drive
>and do a DIR.  Then I take the disk out.  Can my system be
>infected now?

>The responses are running about 1/3 saying no way and 2/3 saying
>it is possible.  I would really like to get a definitive answer. 
>If a virus can be passed in this way, would someone please
>describe how it might happen?  Or not.

(1) Not on a PC.  Nothing from the disk is ever executed.

(2) On a Mac, maybe.  I can't give a definitive answer, but I believe a
disk driver or file system can be loaded from the disk, and THAT could be
infected.
- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
My opinions are my own, and do not represent those of my employer.

------------------------------

Date:    Sat, 27 Mar 93 02:42:47 +0000
From:    dhartung@chinet.chi.il.us (Dan Hartung)
Subject: Re: WordPerfect File growth etc. (PC)

seborg@first.org (Brian Seborg) writes:
>I have seen the same problem with WordPerfect file growth in a Banyan
>environment.  We have traced it to users exiting WordPerfect abnormally.
>Meaning that they either use cntrl-alt-delete to exit, or they turn off their
>machines while still in WordPerfect.  This causes WordPerfect to create a huge
>file sometimes in excess of available disk space.  The only way to prevent
>this from happening is to educate your users not to abnormally exit from 
>WordPerfect.  This is a known bug by WordPerfect, I imagine that they will
>address it in the next release if enough people complain.

There are problems related to abnormal exits from WP5.1 -- I haven't seen
"huge files" but we do occasionally get situations where a user is 
locked out of their own SET file by Novell Netware.  But the file-growth
problem (of about 2K each time) is different.  WP seems to be making
multiple copies of the header information for fonts, printers, styles,
and so on.  (If you look at the file with DISKEDIT or the like this
can easily be seen.)

It only seems to happen to certain files under certain situations.  It
is a WordPerfect "behavior", however, and no virus causes it.

- -- 
The Presidential Towers complex here   | Dan Hartung               |  Ask me
in Chicago is bounded by four streets: | dhartung@chinet.chi.il.us |  about
Jefferson, Adams, Monroe  .....        | Birch Grove Software      | Rotaract!
        and Clinton!

------------------------------

Date:    Fri, 26 Mar 93 22:21:51 -0600
From:    tom mckibben 2 <U51773%uicvm.uic.edu@OHSTVMA.ACS.OHIO-STATE.EDU>
Subject: could this be a virus? (PC)

This was originally posted on comp.os.msdos.pcgeos but it looks like it might
belong here. Can anyone help this guy out?

=========================================================================
Path: uicvm.uic.edu!news.acns.nwu.edu!zaphod.mps.ohio-state.edu!
 rpi!batcomputer!munnari.oz.au!
From: zjiang@metz.une.edu.au (ZHUHAN JIANG)
Newsgroups: comp.os.msdos.pcgeos
Subject: Help on 486PC problem
Message-ID: <506@grivel.une.edu.au>
Date: 27 Mar 93 01:22:12 GMT
Sender: usenet@grivel.une.edu.au
Organization: University of New England, Armidale, Australia
Lines: 28
Nntp-Posting-Host: metz.une.edu.au

I am having trouble with my 486 PC machine. I was wondering
if anyone can shed some light on the matter.

The problem is that my two floppy drives (5 1/4 and 3 1/2)
failed *simultaneously* during a machine-to-machine file
transfer done by a friend of mine. My PC has since ceased to
read data from either of the floppy disks--screaming
'data reading error' for a formatted disk and 'general
reading error' for an unformatted disk.

The machine, under DOS 3.3, is working as usual on the hard
disk. But I can neither read from nor directly reboot from the floppy
drives. I have looked at my CMOS configuration at boot
time, and the disk configurations are correct.

I firmly believe that the problem lies in software or configurations
as I can hardly believe that both drives physically failed at
the same time when no violent physical impact was experienced
by the PC.

If you have any idea or advice on how to locate the problem of
my PC properly, please give me some suggestions---big or small,
complete or incomplete--all of them will be greatly and
equally appreciated.

Thank you very much for your efforts

Zhuhan

------------------------------

Date:    Sat, 27 Mar 93 12:30:27 -0500
From:    mikko.hypponen@compart.fi (Mikko Hypponen)
Subject: RE: MICHELANGELO (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> BTW, I am very curious how many Michelangelo hits have happened
> this year...

Yesterday (25th of March) I consulted one Finnish company that
was hit. One of their employees went to work on Saturday the
sixth and turned his machine on. The machine did not boot.

They had no idea that a virus might be the cause of this. They
tried to recover the drive but, as one might expect, were unable
to do it. So they posted the hard drive back to the manufacturer
in the USA.

What makes this case more interesting, is that the hard drive
in question was quite large: over one gigabyte. The workstation
(a fast 486) was used for pre-press production and needed big
storage space. Unfortunately there were no current backups of the
contents of the 1GB hard drive -- but the employee who got hit
says there's no problem as he "can easily recreate almost all of
the lost data".

The Michelangelo connection was found out almost three weeks
later when one of the workers ran antivirus software on his
machine, which was also infected.

The source of the infection seems to be an original infected
diskette received directly from USA. The software in question
is a rare special-purpose program. The manufacturer has been
notified about the problem.

- ---
          mikko.hypponen@compart.fi / mikko.hypponen@mpoli.fi
      Mikko Hypponen // Data Fellows Ltd's F-PROT Support, Finland
              PGP 2.2 public key available, ask by e-mail
               
- ----
+-----------------------------------------------------------------------+
| Delivered by: ComPart BBS  Finland  +358-0-506-3329  19 lines V.32bis |
+-----------------------------------------------------------------------+

------------------------------

Date:    Sun, 28 Mar 93 21:51:57 +0000
From:    phil@wearbay.demon.co.uk (Philip Coull)
Subject: Scanners and exe/com file compressors? (PC)

I have been reading comp.virus for a while now, and find it most
informative, and interesting (apart from some of the nit-picking on
definitions!).

Anyhow, I have a question which I have not seen asked, and which is not
in the FAQ:

Do virus scanners "unpack" exe/com files that have been
packed/compressed?  If they do, how do they cope with all the various
packing programs?  I'm absolutely sure that most "average" users are
totally unaware that some of their executables are modified in such a
way.  Does it compromise the ability of scanners?  I've never seen the
ability of scanners to deal with such programs mentioned in any reviews.

Even more worrying is the following quote from PKWare's PKLite
documentation, when discussing the Professional PKLite version:

   It uses a slightly different algorithm, which also scrambles the
   executable file.  This scrambling makes the executable data more
   resistant to disassembly or "reverse engineering" procedures. After a
   file is compressed using this method, it cannot be expanded to match
   the original executable file.


What if a virus writer managed to deliberately "distribute" his virus
within such a file, would any scanners ever find the offending file???

- ---------------------------------------------------------------
Philip Coull G3XVY   phil@wearbay.demon.co.uk     CI$ 76046,332

------------------------------

Date:    Mon, 29 Mar 93 01:53:58 +0000
From:    smasilam@midway.ecn.uoknor.edu (Senthilamudhan Masilamani)
Subject: help-Maltese Amoeba (PC)


	A file I have is infected with the Maltese Amoeba. I installed
Norton Desktop for Windows 2.0 and installed the Norton Anti-virus. For
some stupid reason, I scanned a disk I had and NAV reported
a strain of the Maltese Amoeba. The latest McAfee Scan did not report
the virus (version 102?). Luckily I haven't executed the infected .EXE file
yet (I think; no problems with my system so far. I had a low memory problem,
but running QEMM 6.02 Optimize corrected the problem). But NAV won't repair
the file; I think it has to have info on the infected file prior to infection.
I don't know, I haven't looked at the docs yet. If so, what a lame program:
suppose you scan a file you just got and it is infected (like in my case); you
won't have a record of the file prior to infection. Is there any anti-virus
program out there that will ID the virus and clean it? I don't want to lose
the file if possible.
Thanks,
	Sm



------------------------------

Date:    Thu, 25 Mar 93 16:54:00 +0100
From:    Kees_Boss@f0.n462.z9.virnet.bad.se (Kees Boss)
Subject: Re: Looking for OPCODE lists (PC)

 -=> Hello Charles,
 
 You had a question:
 
 CH> My question:

 CH> What are some opcodes that have two possible numeric values?
 CH> This is for the 80x86 family of machines.

 I guess these are the mnemonics you are looking for:
 
 MOV reg,reg
 XOR reg,reg
 OR  reg,reg
 ADC reg,reg
 ADD reg,reg
 SUB reg,reg 
 SBB reg,reg
 CMP reg,reg
 AND reg,reg
 
 reg = any register both 16bit & 8bit but NOT a Segment register.
 
 the opcodes for these instructions are two 8-bit bytes, built
 according to this scheme:
 
 byte 1                            byte 2
   7_________________________0          7_________________________0
   |. |. |. |. |. |. | d | w |          | 1 | 1 |. |. |. |. |. |. | 
      i n s t r u c                   mod field   r e g 1  r e g 2
   
    d       :  direction,  if 1 operation-result into reg1
    w       :  word,       if 1 then  word operation
 mod field  :  both 1 in case of register register operation.
 
  codes for reg
                   W = 1         W = 0
    000             AX             AL
    001             CX             CL
    010             DX             DL
    011             BX             BL
    100             SP             AH
    101             BP             CH
    110             SI             DH
    111             DI             BH

 So, if you swap the d-bit and reverse the reg1 & reg2 codes
 you have two opcodes that perform exactly the same task!
 
 For   OR AX,BX 
     
   the two possible opcodes are
                        
      instr  d w    m  r1  r2
      000010 0 1   11 011 000     =   09 D8
      000010 1 1   11 000 011     =   0B C3
      

 I hope you got the idea; it is a bit hard to explain.
 
 Kees.

... Luc. 6:45.      
- --- GoldED 2.41/FMail 0.93e+
 * Origin: -=[ Quest For Data BBS +31-40-854657 ]=- (9:313/6.0)

------------------------------

Date:    Sat, 27 Mar 93 05:15:11 +0100
From:    Chris_Franzen@f3020.n491.z9.virnet.bad.se (Chris Franzen)
Subject: Michelangelo (PC)

 >> Oh come on. There is NO town in Germany where Mich could not be
 >> found.

 > The question was: where did it hit :-) So far I know about three blank
 > hard disks.

Uh ok.

Yesterday, we (the PC manufacturing company I work for) received a 40 MB hard 
disk from a German distributor. It seems it was infected with Mich.

We checked three additional disks from the lot (~30-40 HDDs). None found.

So you can add *at* *least* 1 to your Mich hits highscores. The infected HDD 
was returned by the customer who received it. He was unable to make it 
bootable. He checked all disks (including, and especially) & all floppy disks -
no Mich found.

It looks like Mich was on the HDD when it reached our house. At that time, 
there was no partition on the HDD. Crazy. Horrible.

 > cu!
 > eppi


Chris, The Blast I

- --- GEcho 1.00/beta+
 * Origin: You wanted junk -- so I drop some. (9:491/3020)

------------------------------

Date:    Mon, 29 Mar 93 05:20:23 -0500
From:    "Michal Weis (Infi)" <weis@elf.stuba.cs>
Subject: Re: Help with Michelangelo! (PC)

	How to recover a computer after Michelangelo's action.

 Recommended tools - Norton Utilities 6.0: Norton Disk Doctor, Diskedit,
					  Disktool, Unerase.

* At first, the best thing to do when Miki is activated is to turn off the computer as
soon as possible.
* Miki's action: on 6 March it (after rebooting) overwrites the disk with
data from memory (address 5000:5000 - undefined bytes in memory). It
overwrites the first 255 tracks of hard disk 0 completely (all sectors on all
heads). It starts from track 0 (of course), up to 255, (if you didn't turn
it off before it finished...)
* Result of action: you can't boot from the hard disk (the computer probably stands
still after it), and after rebooting from a system disk in A: the hard disk drives
(C:, maybe D: etc.) are not accessible.
* Possibilities to recover data: data after track 255 (or before, if Miki was
turned off) are OK, but the lower data are overwritten and there is no way to
repair them.
* Lost data & partitions: If your disk was divided into more partitions (HD
0 was disk C:, D:, maybe E:), and the other partitions on the disk are farther than
255 tracks, they are OK (but not accessible at this step). The data about disk
partitions was destroyed very first, which means that you can't access the other
partitions.
* How to repair partitions: If you have a backup of your partition table
(created e.g. in Disktool's "Create Rescue Disk"), restore your partition table
from the floppy disk; if you don't have a backup of the partition table, you must
create a new table that is the same as before. Run Norton Disk Doctor, and it tries
to make the partition table OK - it searches for partitions and puts them into the 1st
sector with the loader program.
* After rebooting from the floppy again, the other partitions (if they are situated
after track 255) should be back and fully working.
* Recovering data on the first partition: If you have a backup created via
Disktool, you can recover the boot sectors too. If not, you must create the boot
sector of the first partition. It was probably situated on sector 1, track 0,
head 1 (as usual). If Disk Doctor didn't repair it, you must create it
e.g. this way: copy a boot sector from any disk medium (floppy): create two
windows in Norton's DiskEdit; in the first of them put the hard disk's physical
sector 1, head 1, track 0; in the second, the floppy's physical sector 1, head 0,
track 0. Copy one sector from floppy to hard disk (via Ctrl-B, <select>,
Ctrl-B, Ctrl-C, <put cursor to HD>, Ctrl-V). Then switch to the View menu and
set the view as boot record. Set the data that look non-hard-disk: set media
descriptor to F8, physical drive to 128, sectors per cluster to 4 (as on
the other partition), FAT to 16-bit; that should be enough. Run Norton Disk
Doctor again, and try to answer YES to the question whether to repair the boot sector.
* Then your first partition can probably be brought back to life.
* To recover undestroyed data on the first partition: run Unerase, switch to C: and
start the command: search for directory. When it finds an undestroyed directory,
unerase it and that should do it. (Note: before this step you should clear the FAT
on the disk (select the block in Diskedit and fill it with 0)).


If any problems found, contact me...


						Regards,
						Michal Weis
						Virus Analyzer (may be)	 

- --  This is not a trick, this is  --- _ ------------------------------------
                         ,     _  _  | )   ,
                        /|    / )/ ) |/   /|
                       / |   /  /  / /---' |  
                      '   \_/  /  (_/|\     \_/
- ------------------------------------ |_) ----- Origin: weis@elf.stuba.cs ---


------------------------------

Date:    Mon, 29 Mar 93 10:42:57 +0000
From:    eliza@swix.nvg.unit.no (Elisabeth Bull)
Subject: Boot-virus or false positive? (PC)

I think maybe I have a virus on my 486sx. McAfee's Scan says that there
is a change in the boot sector, and that there might be an unknown virus
there. This message is not confirmed by NAV or F-PROT. Could this be a
false positive? 
Can one virus scanner leave traces in the boot sector that another scanner
thinks is a virus? I load VSHIELD and NAV at boot-up. The only peculiar
thing that has happened on my machine was that I suddenly kept running out
of memory/resources in the Windows environment. One day I ran Access,
Excel and Word - the next day it would not run Notepad besides Excel..

IF this is a virus - how do I get rid of it?  I tried clean/grf (or sth.
like that - from clean102.doc), but this *unknown* boot virus could not be
removed. I also tried fdisk/mbr (from a clean boot disk), but nothing
seemed to happen. Or - if it did, I did not notice.. 

  Any help will be greatly appreciated!
- --------------------------------------------------------------------------
Elisabeth Bull                        e_mail: eliza@swix.nvg.unit.no
- --------------------------------------------------------------------------

------------------------------

Date:    29 Mar 93 16:24:08 +0000
From:    rogera@compnews.co.uk (Roger Allen)
Subject: Windows Virus (PC)

	Has anyone else experienced a virus that fades the screen to
black after starting Windows 3.1? I tried the latest version of scan
(March 93) but it didn't recognise it. I even tried re-installing both
DOS and Windows.  Changing the date seemed to cure it for about a day or
two. I even tried comparing file sizes with a clean disk but found no
difference. In the end the only solution was to reformat the disk!

Roger

------------------------------

Date:    29 Mar 93 16:28:03 +0000
From:    frisk@complex.is (Fridrik Skulason)
Subject: Re: How to remove Lao Dong virus? (was: cluster pc 5)


A.APPLEYARD@fs1.mt.umist.ac.uk writes:

>How to remove Lao Dong? 

  3 different ways:

  Hard disks:

  1) move track 0, head 0, sector 8 to track 0, head 0, sector 1
  2) run DOS 5 FDISK/MBR
  3) Run F-PROT :-)

  Floppies
 
  1) locate the original boot sector - which should be somewhere on head 1,
     track 0 and move it to head 0, track 0 sector 1.
  2) Run SYS
  3) Run F-PROT

> Any info re it? Any history of false positives of it?

No known false positives, as far as I know...but then I don't know which
scanner you used.

- -frisk
- -- 
Fridrik Skulason      Frisk Software International     phone: +354-1-694749
Author of F-PROT      E-mail: frisk@complex.is         fax:   +354-1-28801
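Both Michal Weis's Michelangelo recipe above and frisk's Lao Dong answer come down to two sector-level operations: put a sane DOS boot sector back at head 0, track 0, sector 1 (either the original, stashed elsewhere on the disk, or a hand-built one with media descriptor F8, physical drive 80h, 4 sectors per cluster and a 16-bit FAT), and check the result before trusting it. The Python below is an added example, not code from either post or from any of the tools they name. It works on a raw disk image rather than a live drive, so a mistake costs nothing; the geometry (4 heads, 17 sectors per track, 256 cylinders), the stash location (0,1,6) and the trashed sample image are constructed for the demonstration and are not taken from either virus.

```python
"""Boot-sector recovery on a raw disk image (added example, not from the posts).

1. frisk's Lao Dong recipe: the original boot sector lies elsewhere on the
   disk; find it, check it, copy it back to head 0, track 0, sector 1.
2. Weis's recipe for a wiped first partition: build a plausible FAT16 boot
   sector (media F8, drive 80h, 4 sectors/cluster) and sanity-check it.
Geometry, stash location and the sample image are constructed for the demo.
"""
import struct

SECTOR = 512
BPB_FMT = "<HBHBHHBHHHII"        # BIOS Parameter Block, offsets 11..35

def chs_to_lba(cyl, head, sector, heads, spt):
    """BIOS CHS (sector is 1-based) -> linear sector number."""
    if not (0 <= head < heads and 1 <= sector <= spt):
        raise ValueError("CHS out of range for this geometry")
    return (cyl * heads + head) * spt + (sector - 1)

def read_sector(image, lba):
    return bytes(image[lba * SECTOR:(lba + 1) * SECTOR])

def write_sector(image, lba, data):
    if len(data) != SECTOR:
        raise ValueError("sector must be %d bytes" % SECTOR)
    image[lba * SECTOR:(lba + 1) * SECTOR] = data

def build_fat16_boot_sector(total_sectors, spt, heads, spc=4, media=0xF8,
                            drive=0x80, label=b"RECOVERED  "):
    """Minimal FAT16 BPB with the values Weis suggests; boot code left zero."""
    if total_sectors >= 0x10000:
        raise ValueError("demo uses the 16-bit total-sectors field only")
    reserved, fats, root_entries = 1, 2, 512
    root_sectors = root_entries * 32 // SECTOR
    clusters = (total_sectors - reserved - root_sectors) // spc   # upper bound
    spf = (clusters * 2 + SECTOR - 1) // SECTOR                    # 2 bytes/entry
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"                                      # JMP SHORT; NOP
    bs[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FMT, bs, 11, SECTOR, spc, reserved, fats, root_entries,
                     total_sectors, media, spf, spt, heads, 0, 0)
    bs[36] = drive                     # 80h = first hard disk (Weis's "128")
    bs[38] = 0x29                      # extended boot signature
    bs[43:54] = label
    bs[54:62] = b"FAT16   "
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

def parse_boot_sector(sector):
    """Decode the BPB; reject anything that is not a plausible DOS boot sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA signature")
    if sector[0] not in (0xEB, 0xE9):
        raise ValueError("does not start with a JMP")
    (bps, spc, reserved, fats, root_entries, total16, media,
     spf, spt, heads, _hidden, total32) = struct.unpack_from(BPB_FMT, sector, 11)
    total = total16 or total32
    if bps != SECTOR or spc == 0 or spc & (spc - 1) or fats == 0 or total == 0:
        raise ValueError("implausible BPB")
    root_sectors = (root_entries * 32 + bps - 1) // bps
    clusters = (total - reserved - fats * spf - root_sectors) // spc
    fs = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "too many clusters"
    return {"media": media, "drive": sector[36], "spc": spc, "total": total,
            "clusters": clusters, "fs": fs,
            "label": sector[43:54].decode("ascii", "replace").strip()}

def find_stashed_boot_sector(image, heads, spt, cyl=0, head=1):
    """frisk: the original boot sector is 'somewhere on head 1, track 0'."""
    for s in range(1, spt + 1):
        try:
            parse_boot_sector(read_sector(image, chs_to_lba(cyl, head, s, heads, spt)))
            return (cyl, head, s)
        except ValueError:
            continue
    return None

def restore_boot_sector(image, heads, spt, stash_chs, target_chs=(0, 0, 1)):
    """Copy the stashed sector to the target CHS, refusing to write garbage."""
    original = read_sector(image, chs_to_lba(*stash_chs, heads=heads, spt=spt))
    info = parse_boot_sector(original)          # raises before anything is written
    write_sector(image, chs_to_lba(*target_chs, heads=heads, spt=spt), original)
    return info

def make_demo_image(heads=4, spt=17, cyls=256, stash=(0, 1, 6)):
    """Constructed sample: sector 1 trashed, real boot sector parked at `stash`."""
    total = heads * spt * cyls
    image = bytearray(total * SECTOR)
    write_sector(image, chs_to_lba(*stash, heads=heads, spt=spt),
                 build_fat16_boot_sector(total, spt, heads))
    write_sector(image, 0, b"\x5A" * SECTOR)    # what the overwrite left behind
    return image

if __name__ == "__main__":
    img = make_demo_image()
    where = find_stashed_boot_sector(img, heads=4, spt=17)
    print("stashed boot sector at CHS", where)
    print(restore_boot_sector(img, 4, 17, where))
```

The check in parse_boot_sector is the part worth copying to a real recovery: it refuses to write a sector back to track 0 unless it carries the 55 AA signature, starts with a JMP and has a BPB whose cluster count actually lands in the FAT type the sector claims. Weis's DiskEdit walk-through is the same idea done by hand, and F-PROT's automatic repair is the same idea with the stash location known in advance.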

------------------------------

Date:    Mon, 29 Mar 93 17:47:46 +0000
From:    hofstett@snake1.cs.wisc.edu (Dean Hofstetter)
Subject: 1575 virus (PC)


I was recently involved in the cleaning of the Green Caterpillar virus from
an infected PC.  I used version 2.07 of F-Prot to remove the virus from 
six infected files, including COMMAND.COM from DOS 5.0.  I noticed that 
the virus increased the size of COMMAND.COM by 1588 bytes (the infected
COMMAND.COM was 49575).  Once the virus was removed the size was 48000,
13 bytes larger than the original size.  I was wondering if anyone had
any similar experiences using F-Prot on this virus, or whether someone
could explain what the additional 13 bytes are.  Thanks in advance for
any info.

Kyle Ertel

------------------------------

Date:    Mon, 29 Mar 93 21:02:48 +0000
From:    mac%utkvx.BITNET@utkvm1.utk.edu (Richard J. McDougald)
Subject: Professional Group Virusized! (PC)

Nobody's immune.  The East Tennessee PC Users Group released its "Disk
of the Month" (don't know how many folks bought it, but the club is about
500 members) with the Michelangelo virus as a free bonus!  It was detected
quickly (a mass mailing went out) and I haven't heard of anyone losing their
whole shebang, but it was real all right (one guy intentionally tried it
on an old XT he didn't mind reformatting and also on a spare hard drive
for his 386, and sure enough, ol' Mikie made scrambled eggs of them!)


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 Mac McDougald                   *   Any opinions expressed herein 
 The Photography Center          *   are not necessarily (actually,
 Univ. of Tenn. Knoxville 37996  *   are almost CERTAINLY NOT) those
 mac@ur.utk.edu                  *   of The University of Tennessee. 
 mac@utkvx.bitnet                *      
 (615-974-3449)                  *   "Things are more like they are now     
 (615-974-6435) FAX              *    than they've ever been before."
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
            

------------------------------

Date:    Sat, 27 Mar 93 22:57:12 +0100
From:    Malte_Eppert@f6050.n491.z9.virnet.bad.se (Malte Eppert)
Subject: Catch from DIR? (PC)

Hi Terry!

 > a virus.  Basically the question is this:  Assume my system is
 > clean and I have an infected disk.  I put the disk in the drive
 > and do a DIR.  Then I take the disk out.  Can my system be
 > infected now?

It is impossible, since nothing from the disk is executed in this sequence, 
and a virus needs to be executed to take control and install itself, replicate 
or activate in some way.

But DOS may fool you in a way that you _think_ you became infected: With the 
DIR A: or DIR B: command, DOS loads the boot sector of the disk into a buffer. 
If you scan the memory after such an action, a scanner may find the virus in 
the DOS buffer - but this copy is not active, as it's never referenced and 
will not be just by chance :-). This phenomenon is called a "ghost virus".

cu!
eppi

- --- GEcho 1.00
 * Origin: Another Virus Help Node - The EpiCentre! (9:491/6050)

------------------------------

Date:    Tue, 30 Mar 93 03:11:25 -0500
From:    A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Re: HELP: Harddisk deteriorating rapidly (PC)

  > Date:    Fri, 26 Mar 93 08:05:18 +0000
  > From:    u920666@daimi.aau.dk (Lasse Reichstein Nielsen)
  > Subject: HELP: Harddisk deteriorating rapidly (PC)
  > ... long list of miscellaneous faults ...

  How old is that hard disk? Hard disks, like anything else, have a limited life
span, particularly if they are used all day every day; the signs of old age
are often miscellaneous faults. Whatever the matter is, back up everything onto
floppies and then virus-scan all those floppies on another PC.


------------------------------

Date:    Mon, 29 Mar 92 03:45:42 -0500
From:    <w8sdz@TACOM-EMH1.Army.Mil>
Subject: WSMR-SIMTEL20.Army.Mil archive switches to ZIP 2.0

PD1:<MSDOS.FILEDOCS>CHANGES.DOC            Last revised: March 29, 1993

            WSMR-SIMTEL20.Army.Mil switches to ZIP 2.0

Effective April 2, 1993 many of the new ZIP files uploaded to SIMTEL20
will be in the public domain ZIP version 2.0 format.  After that date
the index files SIMIBM.ZIP and SIMLIST.ZIP will be created in the new
format.

SIMTEL20 has standardized on the Info-ZIP group's ZIP and UNZIP because
they are freely distributable and they have no restrictions on exporting.
The latest version of Info-ZIP's ZIP and UNZIP can always be found in
directory PD1:<MSDOS.ZIP> and will always have the name "Info-ZIP" in
the description to make them easy to locate.

PKWare's PKZIP 2.x will not be offered due to export restrictions.
Older versions of PKZIP will be deleted to avoid confusion due to
the fact that they cannot handle the ZIP version 2.0 format files.

[Moderator's note: Just in case it isn't obvious to all of you, this
will also affect all Simtel20 mirror sites like oak.oakland.edu.]

Keith
- --
Keith Petersen
Maintainer of the MS-DOS archive at WSMR-SIMTEL20.Army.Mil [192.88.110.20]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil   or     w8sdz@Vela.ACS.Oakland.Edu
Uucp: uunet!umich!vela!w8sdz                         BITNET: w8sdz@OAKLAND

------------------------------

Date:    Sat, 27 Mar 93 16:23:14 -0500
From:    HAYES@urvax.urich.edu
Subject: FIXUTL4B.ZIP (PC)

Hello.

Just received from Padgett a msg telling me that one of the files, namely
FIXUTIL4.VAL from his FIXUTIL4.ZIP suite of programs, was empty, and that the
file LIST.VAL (inside the same .ZIP) contained the info which was to be in
FIXUTIL4.VAL.  The correction is now made -- FIXUTIL4.VAL contains the values,
and VAL.LST is now deleted.

The new name for the archive (archived with PKZIP 204G) is:
	FIXUTL4B.ZIP
due to the DOS filename limitation.

For those who already fetched the file, please note that the previous version
is perfectly OK; simply take the values from VAL.LST instead of FIXUTIL4.VAL.

Best, Claude.

- -----
Site:       urvax.urich.edu,  [141.166.36.6]    (VAX/VMS using Multinet)
Directory:  [anonymous.msdos.antivirus]

FTP to urvax.urich.edu with username anonymous and your email address
as password.  You are in the [anonymous] directory when you connect.
cd msdos.antivirus, and remember to use binary mode for the zip files.
- -----

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes     HAYES @ URVAX                 (Vanilla BITNET)
University of Richmond   hayes@urvax.urich.edu     (Bitnet or Internet)
Richmond, VA  23173



------------------------------

Date:    27 Mar 93 00:17:00 -0600
From:    "Rob Slade, DECrypt Editor, VARUG NLC rep, 604-984-4067" <roberts@decus.arc.ab.ca>
Subject: Antivirals - Define "Best" (CVP)

PRTAVS1.CVP   930326
 
                    Antivirals - Define "Best"
 
We have already (see the PRTCKL series) looked at general guidelines
and procedures for keeping your system as safe as possible.  At that
time I deliberately did not go into the various types of antiviral
software.  In this section we will be dealing with software
specifically designed to detect, protect or disinfect viral attacks.
 
When I speak to user groups, the most common question is "what is
the best protection program I can get".  Indeed, many people are
only interested in the answer to this question, and do not want to
have to endure any talk about what a virus is or how it works.  They
want to buy something and then forget about the whole virus
situation.
 
This attitude ignores three vitally important points.  The first is
that "the best" may not be good enough by itself.  No security force
would ever pick "the best" guard, and then leave him to guard an
entire refinery by himself.  There is always a trade-off between
security and cost, but I always recommend that more than one
antiviral be used, and hopefully different types as well.
 
The second point is that, even within the limited realm of antiviral
programs, data security software operates in many different
ways.  Thus, one type of security may be better in one situation,
while another variety may be better in a different environment.
(Which make better guards, dogs or men?  Wise security firms use
both.)  There are basically five "classes" of anti-viral packages:
activity monitors, change detection software, operation restricting
software, encrypting software and scanners.  Each type has its own
strengths and weaknesses, and one type of software that works
perfectly in the word processing pool may be worse than useless in
the development shop.
 
(By the way, I am not adamant about the number of classes listed
above.  Some say there are only three types of antiviral software:
some add the various types of implementation and say there are
fourteen or more.  I will be describing the classes enumerated, with
added details on the different implementations.)
 
The final point is that security, of every type, is always a "moving
target", and the virus world moves faster than most.  Not only are
new viral programs being written every day, but new types of viral
functions are being coded all the time (albeit at a much slower rate
than the run-of-the-mill copycat virals).  Any antiviral program
that purports to "guarantee" protection against "all known and
unknown" viral programs simply does not comprehend the reality of
the situation.
 
copyright Robert M. Slade, 1993   PRTAVS1.CVP   930326

==============
Vancouver      ROBERTS@decus.ca         | Omne ignotum pro magnifico.
Institute for  Robert_Slade@sfu.ca      |  - Anything little known
Research into  rslade@cue.bc.ca         |    is assumed to be
User           p1@CyberStore.ca         |    wonderful.
Security       Canada V7K 2G6           |               - Tacitus

PS - I recently received a request from one rkaplan@rosedale.org or
rkaplan@research.rosedale.org or kaplan@research.rosedale.org, depending
upon which part of the header or sigblock you believe.  None of the above
seem to work as a return path.  Anyone know who this might be?  (No, it's
not Ray.)

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 52]
*****************************************
