Return-Path: Received: from IBM1.CC.Lehigh.EDU by abacus (SunOS 4.1/SMI-4.1-01) with sendmail 4.1/SMI-4.1-01 id AA07693; Fri, 14 Feb 92 17:18:03 +0100 Message-Id: <9202141618.AA07693@abacus> Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.EDU (IBM VM SMTP R1.2.2MX) with BSMTP id 3094; Fri, 14 Feb 92 10:59:26 EST Received: from LEHIIBM1.BITNET by LEHIIBM1.BITNET (Mailer R2.08) with BSMTP id 9647; Fri, 14 Feb 92 10:58:51 EST Date: Fri, 14 Feb 1992 10:43:37 EST Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU Sender: Virus Discussion List From: "The Moderator Kenneth R. van Wyk" Subject: VIRUS-L Digest V5 #31 Comments: To: VIRUS-L@IBM1.CC.LEHIGH.EDU To: Multiple recipients of list VIRUS-L Status: RO VIRUS-L Digest Friday, 14 Feb 1992 Volume 5 : Issue 31 Today's Topics: Re: yet another commercial Michelangelo (PC) Request for virus information (PC) DSZBREAK.* Virus (PC) Re: McAfee pgms update (PC) Re: Yankee Doodle ... What does it do? (PC) Michaelangelo's ID bytes (PC) Re: DAV/Sourcer/Rape (PC) Re: Which anti-virus should I get? (PC) Re: Polymorphic/Multipartite SOFTWAR- 1985 book with TROJAN HORSE theme Re: Iraqi Virus Question? Houston Chronicle report on Michelangelo (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Fri, 14 Feb 92 15:40:55 +0000 From: bdh@gsbsun.uchicago.edu (Brian D. Howard) Subject: Re: yet another commercial Michelangelo (PC) baalke@kelvin.jpl.nasa.gov (Ron Baalke) writes: >martin@cs.ualberta.ca (Tim Martin; FSO; Soil Sciences) writes... >>The Michelangelo virus was found at the University of Alberta on a >>diskette from "Meridian Data, Inc.", who seem to be involved in CD-ROM >>extension software for MS-DOS systems. The diskette was shipped >>write-protected, and the infection was detected immediately. Meridian >>Data have been informed of the problem. >> >>Is that 5 confirmed commercial distributions of Michelangelo, now? No. From alt.cd-rom: >Message: #16125, S/1 General information >~Date: Tue, Feb 11, 1992 4:59:17 PM >~Subject: #16092-Virus alert* >~From: Matt Seitz 75300,1721 >~To: Nick Arnett/Chief Sysop 75300,1324 (deletable) > >My God, rumours do fly fast! DON'T PANIC! Meridian customers have >nothing to worry about. The virus is not present on Meridian's >standard release disks. > >The disk we sent to the University of Alberta was a custom disk we >made here in the tech. support department. It was not one of our >standard software disks. Those are mastered on an isolated system >that is regularly checked for viruses. Checks before and after the >Alberta report show that the regular product disks are NOT INFECTED. >We have gone through the company, and the virus has been stamped out. _______________________________________________________________________________ "When open Internet access is outlawed, only Outlaws will have open Internet access"...Is there something I am missing here...? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ------------------------------ Date: Wed, 12 Feb 92 17:18:00 -0500 From: "racarlton@acs.harding.edu"@UALR.EDU Subject: Request for virus information (PC) I'm needing some virus information in particular for the stoned, brain, and Jerusalem-B viruses. Any sites of information and/or program samples would be useful. ------------------------------ Date: Thu, 13 Feb 92 00:02:42 +0000 From: pentangl@spdcc.com (Big Furry Pagan) Subject: DSZBREAK.* Virus (PC) Just thought I would post this to save some others some trouble. The BBS that I am Co-Sysop on ran into a program being uploaded which is carrying (or -is-) a virus. It is called dszbreak.exe (.com?) It is a program supposedly meant to break the registration requirement on Omen Software's DSZ (zmodem protocol) The virus works on some kind of a timer, so that when you leave your machine running without using the keyboard, it will then make anything you attempt to enter from the keyboard a control character (CD DOS would become ^C^D ^D^O^S ) The situation can be fixed by reloading your .sys files back to your dos directory (Or you can go the hard way, and reformat C:, like I did!) - -- Scott Moir / Pentangle / Satyr # "There's only one requirement for pentangl@Ursa-Major.spdcc.com ____ # a prophet, and you've got it." B4 f t+ w g k+(+) s+ m r p \/\/ # "What's that?" These are my opinions, not SPDCC's # "A mouth." --God, to J.R. 'Bob' Dobbs ------------------------------ Date: 10 Feb 92 21:21:43 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: McAfee pgms update (PC) HAYES@urvax.urich.edu writes: Sorry Claude, this message is not directed to you, it just makes some comments on parts of the documentation that you are quoting. > Three new options have been added to this release of VIRUSCAN to allow > it to save and check information that can be used by CLEAN-UP to recover > infected files, partition tables, or boot sectors infected with unknown > viruses. Using this option will add 52 bytes to COM and EXE files. Several times I have stated that IT'S A BAD IDEA TO MESS WITH OTHER PEOPLE'S FILES. I have also discussed this largely in private with the programmers at McAfee Associates, and they don't seem inclined to change their mind. Adding the 52 bytes mentined above to the files has the following drawbacks: 1) It will screw up any self-checking software, including most anti-virus utitlities, and probably including McAfee's own scanners (haven't check the latter, so don't take my word for it). 2) A LOT OF people will begin to ask questions about what is that virus that adds 52 bytes to all my executable files. 3) A file can be infected with a virus, and the 52 bytes added after it. This can a) make the virus unrecognizable by several other existing anti-virus programs, and will certainly make the file non-disinfectable by any self-respecting anti-virus program, which at least tries to perform exact virus identification, before attempting to remove the virus. b) be transfered (the whole thing - file+virus+52 bytes) to a new system. If the user of the new system is running VShield or something similar, s/he may decide that since the file has it's 52-byte checksum record, it has been checksummed and scanned, and therefore cannot be a source of infection. c) mask the existing virus out, so that it is not able to recognize that the file is already infected and will re-infect it. 4) It is trivial to design a virus, which will look for such 52-byte records and will remove them. In fact, there is already a virus, which removes the 10-byte record that the /AV option adds to the file - this is the Tequila virus. 5) It is relatively easy to design a virus, which will infect a file and add the appropriate 52-byte record to it, so that the file will look as "checksummed and therefore not dangerous". 6) The mentioned method for "generic virus removal" DOES NOT WORK even with all of the currently existing viruses. So, don't expect it to provide you with security against the future ones. In fact, it provides no security at all. There are numerous other problems as well. I therefore advise all the users: DO NOT USE THIS FEATURE! Do not permit to anything to change your files - even to the McAfee's SCAN. I myself will promptly refuse to analyze any file for possible viruses, if the latter has this 52-byte record appended to it, and will promptly refuse to provide any virus-related consultation for a system, where this option has been used. > An option allow VSHIELD to be loaded off of network drives has been > added, plus the option to check to check for viruses any time an executable > file is accessed for any reason. This includes ZIPing executable files, > moving files from one subdirectory to another, etcetera. Wouldn't it a better idea to check the write operations only? This would reduce the time overhead and after all, it is by copying an infected file -to- your disk that you get infected; not by copying an already existing file -from- the disk... The check on any file access seems a bit unnecessary to me... Or do you know a method to become infected by RENaming a file? (Note: EXEC calls are already checked anyway.) > We've done a virus audit and have started re-writting the VIRLIST.TXT > file, adding in viruses that were not listed or listed incorrectly and > updating information when necessary. Unfortunately, we did not have > time to separately list the viruses that were added in this release. > The number of viruses now detected is 480 with 719 strains, for a total > of 1199. This is compared with 373 viruses/977 strains in the last > (V85) release. Nope, this is the number of viruses -listed- in VIRLIST.TXT. (Well, in fact, the exact number listed is 482 if you count them correctly.) The total amount of variants detected is probably roughly correct (+/- 100 variants), but have in mind that SCAN detects much -more- viruses than listed, and the viruses have much -less- variants than listed (13 different variants of the AIDS Information Trojan? C'mon, they are kidding...) I am currently trying to fix up the errors in the VIRLIST.TXT file and am sending reports to McAfee Associates. They have been rather cooperative on this subject, so let's hope that we'll be able to fis the thing up before the next release. > Of particular interest in this release is the Pogue, which is a > polymorhphic virus. This virus uses a new and difficult-to-detect self- > mutating engine employing a very sophisticated variable encryption technique > loosely based on one developed by the author of Dark Avenger virus and > contains code similar to that found in other Bulgarian viruses. The virus wa s > uploaded anonymously to our BBSso it is not clear as to whether it is from > Eastern Europe or the USA. It also unknown if it is widespread or not. The only problem is that SCAN does not seem to detect all instances of this virus... :-( Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 10 Feb 92 22:45:11 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Yankee Doodle ... What does it do? (PC) rodahl@watsci.uwaterloo.ca (Ken Ritchie) writes: > I was just wondering if anyone knows what the Yankee Doodle virus does Yes, a lot of people do. Including myself. :-) This virus has several variants, the most recent ones will play the Yankee Doodle tune a few seconds before 17:00. Some of the last variants will do this only with probability of 1/8. Unfortunately, I cannot provide more information, since I don't know which variant you are infected with. Try running F-Prot - it reports the exact variants. > ever since we have wondered what it does. Also, is there any info as > to known viruses and what they do? There are many sources, but none of them is complete, since there are too many viruses (about 1150) and nobody is able to describe them all. The largest source of information is Patricia Hoffman's hypertext document, called VSUM. The lates version is 201 and is available on most archive sites (but NOT on Simtel20). Unfortunately, it contains a lot of errors. A much more exact, but a much less complete, is Prof. Brunnstein's Computer Virus Catalog, published by the Virus Test Center Hamburg (plug). It also describes several of the currently known Macintosh, Amiga, and Atari ST viruses, and with much more technical details. The latest version is available for anonymous ftp at ftp.informatik.uni-hamburg.de (IP=134.100.4.42); directory pub/virus/texts/catalog. The MS-DOS section is waiting for an update: it will be probably published at the end of this month. At last, one of the most correct (error-free) sources of information, is the manual of Dr. Solomon's Anti-Virus ToolKit. However, this is a commercial product, and is not available in electronic form. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 12 Feb 92 18:00:13 -0500 From: William Subject: Michaelangelo's ID bytes (PC) > Date: 07 Feb 92 13:58:56 -0500 > From: "David.M.Chess" > Subject: re: Michaelangelo ID sigs comp/w Stoned (PC) >checking for "stone" will *not* find this variant, and this variant >*is* out there... I have modified my program extensively to search for the command sequence suggested by Tim Martin recently. I also check the contents of 0000:0413 using the INT 0x12 routine. All of my PC's should have one of 0x80, 0xC0, 0xE0, in this location. I would not imagine that even the Empire virus dare falsify this information since I expect that it is necessary that it be true if the virus is to avoid having DOS overwrite it when a program is executed or with the transient portion of command.com. >Is there some reason you don't want to use some commercial or >shareware/freeware anti-virus program? We have an extensive site license for McAffee's products. However, we have been hit so often with "stoned" that I want a routine which can literally be run a 100 times per day entirely transparently to the user. VIRUSCAN is not suitable for that kind of application. Additionally, I have more than 200 PC's to look after, and a user community not highly computer literate. I can't afford the extensive customization that many products require in order to be effective. You know what it is like upgrading software versions on 200 PC's spread all over a 200 acre campus? Ultimately, I have to balance many costs/probabilities in my work otherwise I'd never survive! *WmP* *-----------------------------* | William M. Pipher | | pipher@utorvm.bitnet | | University of Toronto | | Library Systems | *-----------------------------* ------------------------------ Date: 10 Feb 92 20:40:23 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: DAV/Sourcer/Rape (PC) RUTSTEIN@HWS.BITNET writes: > First, has anyone heard about Dark Avenger's latest? I got a report > secondhand last week that he'd come up with a new gem...I believe the > report came from a researcher in the UK. Fridrik/Vesselin/others, can > you confirm/deny this report? Yeah, I can confirm it... :-( And it is a first-hand information, since I have it. The long-rumored Mutating Engine is real and is circulated to several virus exchange BBSes... :-(( The bad news is that the damn thing really mutates, no kidding! It comes as an OBJ file, which is supposed to be linked to any virus, with a detailed do-it-yourself guide, and with a demo virus. The demo virus is in source, but the source of the Mutating Engine (called MtE) is not provided. According to the docs, what we have is version 0.90-beta of the MtE, but version 0.91 is also known to exist... I'm wondering what will be implemented more in version 1.00... :-((( The damn thing is really difficult to crack! I mean, it contains no encryption or anti-debugging and anti-disassembling thechniques, but it mutates too well... I have observed changing of encryption algorithms, random bytes padding, usage of different ways to express one and the same algorithm (yeah, that's right - different ways, not just modifying the opcodes and inserting do-nothing instructions)... The currently most mutating virus (V2P6Z) is a toy compared to it... The worst of all is that just anybody can sit and use it to create a virus. Well, some experience in assembly language programming is needed, so the kids from RABID, NukE, and the other punk virus writing groups that use to write overwriting viruses in high-level languages will have a little bit of trouble to learn how to use it... But a very little bit! Currently there are only two viruses, which use the MtE. The first is the demo virus in the package (a silly, non-resident, COM file infector, infects only the files in the current directory), and a virus, called Pogue, which has been available on some VX BBSes in the USA. McAfee's SCAN 86-B claims to be able to detect the Pogue virus. Unfortunately, I haven't had the time to verify this (I recieved the virus just two days ago). There are reports that in fact not all possible variants of the virus are detected. SCAN 86-B DOES NOT detect the MtE for sure - I tested it on the demo virus supplied with the package. As a conclusion, don't panic. Currently there are only two viruses, using the MtE and both are too silly to pose a serious threat. Copies of the MtE have been provided to several anti-virus researchers (no, don't write me to ask for a copy, you won't get one), including McAfee Associates, Fridrik Skulason, Dr. Solomon, etc., so there are a lot of people working right now on the problem. The good news is that once we learn to recognize the MtE, we'll be able to detect -any- new viruses that are using it. Oh, yes, just out of interest. The whole package comes in a neat ZIP archive, with -AV code for "CrazySoft, Inc.". The Bulgarian hackers have demonstrated again that the -AV authenticity verification in PKZIP is just crap, so PLEASE DO NOT RELY ON IT! > Next, for those using the Sourcer disassembler...why does it sometimes > produce machine code output, while other times it produces assembly > output? Is there something I'm missing in the manual (probable something > obvious :) )? Sourcer does this when it thinks that the appropriate areas contain data, not code. To force it to change its mind, use the FORCE, CODE directive (look in your manual for it). > Finally, have others had reports of increasing numbers of RAPE infections? > I've noted quite a few in the last month or so...has anyone else had > similar experience? Sorry, have no information on this subject. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 10 Feb 92 22:35:17 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Which anti-virus should I get? (PC) ZEM0@ARGCNEA2.BITNET writes: > i would like to know which antivirus is the best to detect and clean > virus. i have an AT 286 with MSDOS This probably must go in the FAQ list. There's no "best" anti-virus program. It depends what exactly you need. From your words, I understand that you need disinfection. This is a Very Bad Idea, IMHO, but if you desperately need it, I'll recomend you Dr. Solomon's Anti-Virus ToolKit. It performs exact identification on the virus, so you know that it won't try to disinfect the wrong variant... If it says it is unable to remove a virus, there's usually a perfect reason for this. Unfortunately, it cannot deal with viruses, which use encryption. (That is, it can find them, but not remove them.) Cascade (1701/1704) is an exception. The program is commercial and is manifactured by S & S International, UK. > i have the tntvirus (not original) and when i inmunize all the diskket > the virus ohio appear in the memory that the tnt not detect, > i detected by mean of scan84 I strongly advise you to stop using TNTVIRUS! This is a very bad program and can actually damage your data (depends on the version you have; I can confirm this for version 6.80A, but it is pretty old by now). The program has several major drawbacks, and as far as I know is discontinued by now; it authors are producing now Central Point Software's Anti-Virus. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: 12 Feb 92 14:42:40 -0600 From: werner@cs.utexas.edu (Werner Uhrig) Subject: Re: Polymorphic/Multipartite I had sent an email response to the original poster, but have not seen my suggestion mentioned in the public discussion (I thought he might summarize email reactions): anyway, I suggested the term "cloaked" or "cloaking" might be appropriate to use to best "classify" some critter behavior. from Webster's II (a dated 1984 copy) cloak n. 1. a loose outer garment 2. something that covers or conceals cloak v. 1. to cover with or as if with a cloak 2. to hide; conceal from Scribner-Bantam (even older) .... SYN: hide, secrete, disguise, mask (see conceal) on the other hand, as always, it behooves to be wary of using terms which already have acquired (loaded?) meanings in other taxonomies; sometimes it is preferable to use a classification system which is strictly numeric (as in Type 1, Type 2, Type 2.3.7) and associate rather verbose and precise attempts at definitions to those numbers. for conversational use, no doubt "polymorph" or "cloaking" is much preferable, and once a numeric classification is established it might be quite alright to refer to critters of class 2, subclass 3 as "polymorph" -- at least that way one has something concrete and verbose to refer to when someone is confused or confusingly uses the term... 5 cents (adjusted for inflation) - -- --(werner@rascal.ics.utexas.edu)--*OR*--(...!uunet!cs.utexas.edu!werner)-- ...One, two, even three years of deficit budgets might be considered ....a couragous move by a government; however 10+ years of deficits ..............is theft from our children's generation. ------------------------------ Date: Wed, 12 Feb 92 23:42:18 +0000 From: hoffmann@sci.ccny.cuny.edu (Nicholas Hoffmann) Subject: SOFTWAR- 1985 book with TROJAN HORSE theme I would like to buy or borrow a book that is out of print and is not available at NY libraries or from the publisher. The book is- SOFTWAR by Thierry Breton and Denis Beneich, c 1985, trnaslated from the French by Mark Howson, published by Holt, Rinehart, and Winston ISBN 0030049989. It is a novel about the sale of super- computers to the then Soviet Union that contain Trojan Horses that can be activated at a future date by the United States. Nicholas Hoffmann ------------------------------ Date: 10 Feb 92 21:13:55 +0000 From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) Subject: Re: Iraqi Virus Question? HSR4@vax.oxford.ac.uk (Bald Oldie) writes: > I had a chat with an engineer friend who seems knowledgeable about > these things, and he suggested that IF the printer connection was > RS232 rather than Centronics and IF the cable was configured > appropriately and IF the printer had been engineered to behave briefly > as an RS232 terminal (rather than simply having a PROM replaced) THEN > it was just conceivable that control of the host processor could be > siezed long enough to transfer one or more viruses without the change > in behaviour being noticed. Wrong. Tell your engineer friend that I challenge him to connect ANYTHING (not just a printer) to my serial port and to do whatever he wishes on this anything. As soon as I do not permit him to execute a program on my PC, he has NO WAY to send me something, neither to force me to execute it. NO WAY. Period. Now, if the printer needed a special device driver, and your friend tells me "You need to install this in your CONFIG.SYS, if you want to be able to print on this wonderful printer", this is another story. Or if his printer was a networked device and I had to run some kind of network software, this is also another story. But what you said above is IMPOSSIBLE. Regards, Vesselin - -- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg Bontchev@Informatik.Uni-Hamburg.De Fachbereich Informatik - AGN, rm. 107 C Tel.:+49-40-54715-224, Fax: -226 Vogt-Koelln-Strasse 30, D-2000, Hamburg 54 ------------------------------ Date: Wed, 12 Feb 92 18:56:19 -0600 From: edtjda@magic322.chron.com (Joe Abernathy) Subject: Houston Chronicle report on Michelangelo (PC) This story appeared on Saturday, Feb. 8 in the Houston Chronicle, Page 1A. It may be redistributed as individuals/moderators see fit in order to serve the online community. Thanks to all who helped. Comments to edtjda@chron.com - -- edtjda Michelangelo: Master of disaster Insidious computer virus, timed for artist's birthday, infects PCs worldwide By JOE ABERNATHY Copyright 1992, Houston Chronicle A fast-moving, highly destructive computer virus called Michelangelo is spreading among IBM-compatible personal computers in Houston and around the world. Michelangelo is set to strike on March 6 -- the birthday of the Renaissance master -- erasing vast amounts of information, according to computer scientists specializing in viruses. "This destructive virus is spreading worldwide very rapidly," wrote virus specialist A. Padgett Peterson in a bulletin recently circulated on computer networks. "Unlike the DataCrime 'fizzle' of 1989, which contained similar destructive capability but never spread, the Michelangelo appears to have become 'common' in just 10 months following detection. "I have never seen so many reports of a virus in so short a time before." A virus is a computer program designed to spread itself without the knowledge of users, usually causing harm to infected systems. Although viruses have become common, Michelangelo's exceptional rate of reproduction and potential for harm are causing special concern. DataCrime was the last virus that prompted such concern when, in 1989, a number of news reports warned of its destructive potential. Most experts said later that these fears had been overblown, although they did boost awareness and prevention efforts. While scientists said that Michelangelo could represent another such 'fizzle,' the prospects for that are decreasing with word of widespread infections. "It is a virus that we get calls on, multiple reports every day," said Aryeh Goretsky, manager of technical support at McAfee Associates, a publisher of antiviral software. "Maybe 25 percent of our calls are related to that virus -- people that have it as opposed to people requesting information -- so it is something that's out there, that's a real threat." The manager of one Houston retail computer center acknowledged that Michelangelo infections have been frequent of late. He requested anonymity, saying, "It's not good to let people know that you've had Michelangelo." Store employees run a program to disinfect each computer before it is sold, but Michelangelo's surprising presence in a number of software products when shipped from the factory has made it difficult to guard against every avenue of spread. "The virus got a head start through major distributions," said Christoph Fischer, who as director of the Micro-BIT Virus Center at the University of Karlsruhe, Germany, first analyzed Michelangelo. "The many reports clearly indicate the wide and manifest infection." Among the notable infections: * DaVinci Systems Corp. announced last week that it had shipped a large number of infected copies of its electronic mail software eMAIL 2.0. The copies were sent to more than 900 customers, more than 600 of whom are DaVinci resellers. "We are now using multiple virus-detection products and insisting that our duplicating contractors also check for viruses," Bill Nussey, president of DaVinci Systems, said in a statement. * Between Dec. 10 and Dec. 27, Leading Edge PRoducts shipped up to 6,000 computers whose hard drives were infected at the factory with Michelangelo. * All of the PCs at Southeastern Louisiana University recently were infected. * At the University of Florida, half of the PCs recently tested positive for the virus. * In New Zealand, Victoria University of Wellington received 400 requests for an antivirus disk within three days. * A magazine spread 10,000 to 12,000 copies of the virus in a diskette included with the magazine. * Verbatim, a diskette manufacturer, has become an unwitting victim because of an untrue rumor that some of the company's blank diskettes were infected. Fischer named the virus based on its trigger date. Viral detection and analysis is a difficult process even for experts; a formal method Fischer has designed will in fact be the topic of a research paper to be presented at the Fifth International Conference on Viruses and Computer Security, in March in New York. Interviewed online via the Internet computer network, Fischer warned that Michelangelo is especially dangerous because it permanently erases the entire hard drive, rather than just deleting some information, as most viruses do. Michelangelo was first found in April 1991, in Sweden and the Netherlands. Beyond that, nothing is known of its author or his motives. Rob Slade, an expert at the Vancouver Institute for Research into User Security, in British Columbia, recently pointed to the infection of supposedly "safe" commercial products as one of the biggest challenges facing the computing community. "If I had to choose one viral myth which most contributed to the unchecked spread of viral programs that exists today, it would be that of the 'safety' of commercial software," Slade said, writing in a copyrighted contribution to Virus-L, an electronic journal serving the computer science community. Viral infection commonly occurs when contaminated programs or disks are traded among computers. It does not matter if a program comes from the store, a friend or over the telephone lines. "I'm trying very hard not to draw too close a parallel between computer use and sexual activity," said Ray Trent, a scientist at SRI International, the Menlo Park, Calif., research and consulting firm. "But the fact is that people who use computers promiscuously are most at risk." The number of viruses has multiplied rapidly since 1986, when Pakistani Brain introduced the breed to the world of IBM-compatible computers. The forms of spread and attack also have grown steadily more sophisticated. In November, the national Computer Security Association commissioned a virus survey of 600,000 North American businesses by Dataquest, the San Jose, Calif., market research firm. The results show that 63 percent of the firms have experienced a virus encounter, and 9 percent have experienceda virus disaster, which the survey defines as an incident affecting 25 or more PCs or diskettes. Of those struck by a virus, 62 percent reported lost productivity; 4 percent reported screen messages, interference or lockup; and 38 percent reported that files were corrupted. In 1991, among companies with more than 1,000 PCs, 16 percent experienced a virus disaster. Trent said that good computing practices, including regular, incremental backups, are the best response to any system threat, whether from a virus or other problems. With graphic:/ Diagnosis: Michelangelo virus * Symptoms: Disk directory damage; hard drive reformating, resulting in destruction of data and programs; decrease in total system and available memory. * Trigger: System date of March 6 of any year, birthda6y of the Renaissance artist. * Computer type: All IBM PCs, all MS-DOS-compatible file systems. * First detected: April 1991. * Origin: Sweden or the Netherlands. * Detection: Virus-detection software including ViruScan Version 80 or later; F-Prot version 1.16 or later; IBM Scan version 2.1 or later. * Cure: CleanUp Version 80 or later; F-Prot Version 12.16 or later. If you do not own one of these virus protection products, you can gain some protection against Michelangelo by leaving your computer turned off on March 6 and by backing up data. * Comments: The Michelangelo virus becomes memory resident the first time an attempt is made to boot the system from an infect disk. It will then infect the hard drive and any diskettes that are inserted. Source: Christoph Fishcer; Micro-BIT Virus Center; University of Karlsruhe, Germany. ------------------------------ End of VIRUS-L Digest [Volume 5 Issue 31] *****************************************