VIRUS-L Digest   Wednesday, 19 Feb 1992    Volume 5 : Issue 35

Today's Topics:

Re: unremoveable michelangelo virus (PC)
Re: Which Package is Best? (PC)
Cascade/x170 (PC)
F-PROT202D + QEMM 5.11 (PC)
Re: Houston Chronicle report on Michelangelo (PC)
Michaelangelo on Distribution Discs (PC)
Re: Cinderella virus/ does VSHIELD work? (PC)
Re: Houston Chronicle report on Michelangelo (PC)
Re: Michaelangelo's ID bytes (PC)
Re: STONED on MSDOS 4.01 Distribution disks (PC)
Re: Viruses and Backups (PC)
Re: AUX files (PC)
Re: Bezrukov's virus naming scheme (PC)
Re: List of all viruses available?
Michelangelo virus story in The Washington Post

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.)  Please sign submissions
with your real name.  Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list.  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    17 Feb 92 19:30:25 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: unremoveable michelangelo virus (PC)

8326442@AWIWUW11.BITNET (martin zejma) writes:

> In response to tong@ee.ubc.ca (Issue # 19 ) :

> during 3 subsequent infections of Michelangelo and Stoned the
> following is possible :

[description deleted]

> Now the floppy should also not be bootable any more .
In fact, the floppy already becomes non-bootable as soon as it gets
infected by both viruses, not as a result of the disinfection...

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    17 Feb 92 19:34:11 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Which Package is Best? (PC)

6241weaverd@vmsf.csd.mu.edu writes:

> We are comparing McAfee, Central Point and Norton's antivirus
> packages.  Which is best?  Are there any significant differences (e.g.
> ease of use, performance, technical support, etc.) since there are
> quantity price differences for us.

If you are comparing only those three programs, McAfee is a winner. It
is small, easy to use, and has a much, much higher virus detection
rate than the other two packages. I have not seen NAV 2.0, but CPAV
and NAV 1.5 are pretty useless as virus scanners. They are big
dinosaurs with a low virus detection rate.

However, please have in mind that McAfee is trying to optimise the
virus detection. This means that they are trying to detect as many
viruses with as few scan strings as possible. This is a perfectly
valid approach, since it provides a relatively high detection rate and
good speed. However, the only thing you should believe SCAN about is
whether an object (disk or file) is infected or not. For most users
this is sufficient. Anything else that SCAN reports (the name of the
virus, its properties, to which viruses it is related, etc.) is quite
unreliable.

You can also consider some other virus scanning packages, like F-Prot
and Dr. Solomon's Anti-Virus ToolKit, which are superior to SCAN, IMHO.
Also, have in mind that just scanning for known viruses is a quite
unreliable method for virus protection, since new viruses appear very
quickly (I got about 110 only for January). You should consider adding
an additional level of protection, like checksumming. If you decide to
consider checksumming products, probably the Untouchable is currently
the most secure one. However, have in mind that its other capabilities
(scanning and disinfection) are quite miserable... And, at last, if
you want a shareware checksummer (which is not as secure as the
commercial one, however), take a look at the Integrity Master.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Mon, 17 Feb 92 22:37:00 +0700
From:    "J.E. Verbaas"
Subject: Cascade/x170 (PC)

Hallo,

I am new to this list.  Forgive me if I'm asking a stupid thing.

I tried to find in the archives of VIRUS-L something about the
Cascade/x170 virus.  I didn't manage it.  We found in one of our PC's
this virus.  It has been removed.

Question: what is the damage that this virus was supposed to do?

Thanks for your answer,

Jaap Verbaas
University Library
Nijmegen
Netherlands
u149002@kunrc1.urc.kun.nl

------------------------------

Date:    Tue, 18 Feb 92 00:38:55 +0000
From:    medrh@uniwa.uwa.oz.au (Richard Hockey)
Subject: F-PROT202D + QEMM 5.11 (PC)

Hi

I hope someone can help me?

I am trying to install VIRSTOP.EXE high using QEMM 5.11.  Whenever I
do this I get a QEMM exception error and the system crashes.

My system is as follows:

386sx clone
DOS 5.0
4DOS 4.0
PC-NFS 3.5c

I load VIRSTOP after the network is loaded as the FM tells me and it
works OK if it is not loaded high.  F-PROT 1.16 works OK when loaded
high.

Thanks in advance.
- --
+-----------------------------------------------------------------------------+
| Richard Hockey                         email: medrh@uniwa.uwa.oz.au         |
| Department of Public Health            phone: +61 9 389-3463        _--_|\  |
| University of Western Australia        fax:   +61 9 389-3648       /     \  |

------------------------------

Date:    Tue, 18 Feb 92 01:05:08 +0000
From:    medrh@uniwa.uwa.oz.au (Richard Hockey)
Subject: Re: Houston Chronicle report on Michelangelo (PC)

Regarding the origins of the Michelangelo virus: we first came up
against this virus in April 1991 when we purchased a PC from a
particular vendor.  Our subsequent investigations revealed the source
of the infection to be a beta version of DOS 5.0.  Subsequently
several other people in the university purchased PCs from this dealer
with the virus.  As the first reports of this virus are credited to
some European countries in the same month, I feel that the virus was
probably around earlier than this but was not yet recognised as a new
virus, as it seems unlikely that it could have travelled that quickly
from Europe to an insignificant PC dealer in Perth, Australia.

- --
+-----------------------------------------------------------------------------+
| Richard Hockey                         email: medrh@uniwa.uwa.oz.au         |
| Department of Public Health            phone: +61 9 389-3463        _--_|\  |
| University of Western Australia        fax:   +61 9 389-3648       /     \  |

------------------------------

Date:    18 Feb 92 08:07:15 +0000
From:    Robert.Turner@brunel.ac.uk (Robert Turner)
Subject: Michaelangelo on Distribution Discs (PC)

Hi

Don't know if this is old hat, but we have recently found
MichaelAngelo on some legally bought (first generation) software.  The
virus appears on some Economics packages written and distributed by
Oxford University (England) and normal scanning / removal techniques
work.
Rob
- --
 ________________________________________________________________________
/                            |                                           \
| Rob Turner                 | email : Robert.Turner@brunel.ac.uk        |
| Brunel University          |                                           |
| London, England            | broken hearts and broken heads            |
\____________________________|___________________________________________/

------------------------------

Date:    18 Feb 92 12:55:47 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Cinderella virus/ does VSHIELD work? (PC)

baylor@ccwf.cc.utexas.edu (Baylor) writes:

> When my compiler started acting up (keys wouldn't work), i, on
> an off chance, scanned my system. It seemed a good number of files

Hmm, I don't remember Cinderella having any keyboard-related
payload... In fact I don't recall it having any payload at all...

> were infected (about 20, at which point i simply quit the scanner and
> rebooted). I booted from a write protected floppy with vshield and scan

Well, that's what you had to do from the beginning... :-)

> (the one that was new two months ago or so) and scanned again. Command
> com was gone of course, as were every other .com file i had. I checked
> the other partition, same there.

Cinderella infects every file opened or executed. This explains why
you got so many infected files - each time you have accessed them for
any reason (e.g., for scanning) they got infected...

> After deleting all .com files (mcaffery said it couldn't fix
> any of them and just wiped them out), i rebooted again off disk then

Yep, CLEAN is not a very good disinfector, but disinfecting files is a
bad idea in the first place...

> Here's the problem. Every time i scanned it, it came out bad.

This means that the virus has been active in memory and it infected
the file as soon as the scanner accessed it. That's why you must
always boot from a non-infected write-protected system diskette, prior
to trying to scan or disinfect a system...

> from. it was good), i tried copying cc to the hard drive then doing
> a dir (and viewing it with norton). The file was 47k. I then thought
> great, it works, and scanned it, and post-scan it was 48k and infected.

This is fishy... Cinderella is only 390 bytes long and it certainly
cannot cause a 1 Kb increase...

> I think i finally figured out it was hooked in memory (i warm booted-
> will cinderella survive this?) and when i touched anything with scan,

Nope. Nothing can survive a warm reboot. I mean nothing can -really-
survive a -real- warm reboot on all machines. Cinderella even doesn't
try to.

> scan infected the file (scan itself passed the scan check with three other
> scanners; not infected and writeprotected). So effectively, scanning
> my whole hard drive infected my whole hard drive. What's
> up?

The virus was active while you tried to scan.

> Actually, i was just wondering, if cindy was following in
> scans tracks, why wasn't vshield picking it up? At work we always say
> vshield is worthless (it's failed to protect against stoned,
> michelangelo and liberty), but i used it anyway at home (blind faith,
> or, could more hurt?). It should have picked up any attempt to infect
> a file. right?

Wrong. VShield does not try to pick up any attempt to infect a file.
What it does is to prevent the execution of an already infected file.
However, if the virus is already active and the file not infected,
then VShield will allow the file to be executed (since it is not
infected) and the virus will infect it (since it infects any file
being executed).

> vshield)? Or was my file getting infected another way (i turned off
> the machine for an hour and no more infections during scan)? What am i
> missing here? :-)

Yeah, when you turned the machine off, the virus was removed from
memory.

There are other interesting questions though.

1) Why was SCAN's memory check not able to detect that the virus is
present in memory?
2) If VShield has been installed on an initially clean system, why
didn't it prevent the system from becoming infected (i.e., why didn't
it deny the execution of the first infected file)?

Anybody from McAfee Associates willing to explain this?

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    18 Feb 92 13:32:12 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Houston Chronicle report on Michelangelo (PC)

edtjda@magic322.chron.com (Joe Abernathy) writes:

> This story appeared on Saturday, Feb. 8 in the Houston Chronicle, Page
> 1A.

This was the most correct popular story about viruses I have ever
read, but nevertheless it needs some minor corrections.

> A virus is a computer program designed to spread itself without the
> knowledge of users, usually causing harm to infected systems. Although

A computer virus is a program which can infect other programs by a
possibly modified copy of itself. Note that there is nothing about the
user's knowledge or destruction in the definition.

> "It is a virus that we get calls on, multiple reports every day," said Aryeh
> Goretsky, manager of technical support at McAfee Associates, a publisher
> of antiviral software. "Maybe 25 percent of our calls are related to that
> virus -- people that have it as opposed to people requesting information --
> so it is something that's out there, that's a real threat."

Note that the above does not mean that all the people who called were
infected. Most of them just need information, after having heard about
the virus in the media. Our Virus Test Center got more than 5,000
phone calls related to this virus over the last two weeks. Only very
few people were actually infected. But Aryeh is right that the threat
is real. Maybe just not as big as the media suggests...

> * Verbatim, a diskette manufacturer, has become an unwitting victim because of
> an untrue rumor that some of the company's blank diskettes were infected.

Such things will happen more often in the future... It is even
possible that companies get deliberately attacked by their competitors
who release the rumor that the particular company has spread a
virus... Such a rumor is very hard to disprove and a company can lose
a lot of money because of it...

> Viral infection commonly occurs when contaminated programs or disks are
> traded among computers. It does not matter if a program comes from the

No, the infection occurs when the infected programs are -executed-.

> The number of viruses has multiplied rapidly since 1986, when Pakistani
> Brain introduced the breed to the world of IBM-compatible computers. The forms

Yep, there are currently about 1178 different virus variants only for
IBM PC compatible machines...

> * Symptoms: Disk directory damage; hard drive reformatting, resulting in

Not reformatting - overwriting.

> * Computer type: All IBM PCs, all MS-DOS-compatible file systems.

IBM PC - yes. MS-DOS-compatible - not necessarily. The computer can
have only a Unix (Xenix, Aix, etc.) partition and become infected
nevertheless. It won't be able to spread the infection further (or
even to boot Unix for that matter), but its disk will be overwritten,
if you try to boot from it on March 6. It's enough if the computer is
IBM PC-compatible.

> * Detection: Virus-detection software including ViruScan Version 80 or
> later; F-Prot version 1.16 or later; IBM Scan version 2.1 or later.

Can the respective producers of the above programs confirm that? I
have the impression that such early versions of SCAN and F-PROT do not
detect this virus, but I might be wrong.
> not own one of these virus protection products, you can gain some protection
> against Michelangelo by leaving your computer turned off on March 6 and by

This is pure nonsense. The Maltese Amoeba virus activates on March 15.
Are we not to work on this date as well? And what about the viruses
that are active and destroy data every day, every hour? Does it mean
that we must not turn our computers on at all?! No, people must obtain
good virus protection tools and practice safe computing.

Besides, I really cannot understand why people get so excited about a
silly virus that happens to wake up once per year and to destroy the
information on your hard disk at once. Suppose one morning you come to
the office, turn your computer on, and puff! all the information on
the hard disk is gone. So what? You just reformat the disk and
re-install everything from your backups. You have spent at most one
day doing this, and at most one day of your work is lost (if you have
a good backup scheme). Nothing disastrous.

There are much more devious viruses, like Phoenix and Nomenklatura.
They spread every day, every hour, every minute. They corrupt
information every day. But they corrupt it -slightly-. So, when you
finally notice that something has gone wrong, you can no longer rely
on your backups - since you don't know when the infection occurred,
and which files are corrupted...

> an attempt is made to boot the system from an infected disk. It will then infect
> the hard drive and any diskettes that are inserted.

Not any diskettes. Only those in drive A:.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    18 Feb 92 14:49:21 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Michaelangelo's ID bytes (PC)

PIPHER@vm.utcs.utoronto.ca (William) writes:

> I have modified my program extensively to search for the command
> sequence suggested by Tim Martin recently.  I also check the contents
> of 0000:0413 using the INT 0x12 routine.  All of my PC's should have
> one of 0x80, 0xC0, 0xE0, in this location.  I would not imagine that
> even the Empire virus dare falsify this information since I expect
> that it is necessary that it be true if the virus is to avoid having
> DOS overwrite it when a program is executed or with the transient
> portion of command.com.

Sorry, wrong assumption. It is true, of course, for Michelangelo, but
it is perfectly possible to design a virus which will install itself
in memory and will not be overwritten by DOS, without changing
anything at 0000:0413h. Even better (worse?) - such viruses already
exist. So, don't rely on this method.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    18 Feb 92 15:01:08 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: STONED on MSDOS 4.01 Distribution disks (PC)

ST6267@SIUCVMB.BITNET (Jerome Grimmer) writes:

> hence the name.  The virus attacks the boot files and destroys
> the file allocation table of both the hard drive and any floppy
> disks it corrupts.  Eventually it makes floppys unreadable and
> causes hard drives to crash.

This is not exact. The virus does not intentionally destroy anything.
However, due to the way it replicates, it may trash the first FAT copy
on -some- (quite rare) hard disks formatted with customary DOS
versions. Also, it can overwrite part of the root directory on
high-capacity diskettes. Note that this damage occurs as soon as the
respective medium gets infected, so if it hasn't occurred at once, it
probably won't occur in the future.

> The "stoned" virus can be readily transmitted by diskette.  In
> this case the warning message does not appear.  It is not

The message does not appear if you boot from the hard disk.

> necessary to copy files from a diskette onto a hard drive, or
> even read them in order to spread the virus.  Just reading the

This is nonsense. No virus can infect anything if it is only read. You
must execute it, in order to make it spread. However, if the virus is
already active in memory, just reading a diskette can (and in this
case will) infect it (the diskette).

> Downloading corrupted files by modem will also transmit this and

Not -this- virus, sorry. It's a boot/master boot sector infector and
can be transferred only by an attempt to boot from an infected floppy.
Of course, it is possible to make a special trojan horse, which, when
executed, releases the virus. Then the file containing the trojan will
be transferable by modem lines. But this is not "catching an infection
by downloading a file".

> anti-virus program and upgrade frequently.  Scan all foreign
> diskettes, even commercially purchased programs.  If files are

-Especially- commercially purchased programs! If you have obtained
your programs from a BBS, then chances are that the SysOp has already
scanned them for you. Which does not seem to be practiced by the
software companies, if we believe the latest reports... :-(

> drive.  Scanning it again after you have loaded it to your hard
> drive is also a good idea.  Scan your hard drive before backing it

An even better idea is not to rely on scanning at all, since it does
not catch unknown viruses, and even no scanner can catch -all- of the
currently existing viruses. Nowadays the viruses are just created
faster than the scanners are updated... :-( A better idea is to also
use alternative anti-virus techniques (e.g., checksumming, etc.).

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    18 Feb 92 16:07:47 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Viruses and Backups (PC)

guccione@ccwf.cc.utexas.edu (Steve Guccione) writes:

> Could Stone have overwritten what it thought was "safe" space on an
> MS-DOS diskette, only to damage backup data?

Yes. Definitely. Stoned will damage any diskette with a weird format,
including non-MS-DOS formats, 800 Kb 5.25" diskettes, etc. This will
be done not intentionally but because of the ignorance of the virus
author.

What actually happens is that Stoned overwrites the boot sector of the
diskette with its own body. Therefore it overwrites any previous
information about the particular diskette format stored there.
Furthermore, the virus writes the original contents of the boot sector
to what it believes to be the last sector of the root directory. But
in your friend's case the backup disks didn't have any root directory!
They weren't MS-DOS formatted at all. So probably the virus overwrote
part of the data being backed up. So, no wonder that it was not
possible to restore from such a diskette.

My advice is to always verify the backups before formatting the hard
disk.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Tue, 18 Feb 92 18:46:57 -0500
From:    Otto Stolz
Subject: Re: AUX files (PC)

On 12 February 92, 11:07:53 +0100 (MEZ) I said:
> > FF C:AUX*.*
> I've just checked with IBM Personal Computer DOS Version 3.30 and
> FF-File Find, Advanced Edition 4.50:
> The above command produces the response
>    no files found.

Meanwhile, several people asked me privately to try again without
wildcards. And, behold: With IBM Personal Computer DOS Version 3.30
and FF-File Find, Advanced Edition 4.50, all of the commands
   ff aux
   ff aux.
   ff c:aux
found a ghost-file AUX in every directory! For every ghost-file, FF
reported 112 bytes as length, and the current system clock setting as
time of latest update.

Same symptoms with other DOS devices.

I think this answers the question posted in VIRUS-L, about a fortnight
ago.

Regards,
Otto Stolz

------------------------------

Date:    18 Feb 92 17:20:42 +0000
From:    vail@tegra.com (Johnathan Vail)
Subject: Re: Bezrukov's virus naming scheme (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

   In this article I'm going to describe the method for computer virus
   notation, invented by the anti-virus researcher Nikolay Nikolaevitch
   Bezrukov, from Kiev, Ukraine.

   His computer virus notation belongs to the type of so-called
   behaviouristic notations - each virus is assigned a special code,
   which describes its behaviour. Similar viruses have similar
   descriptions. The descriptions are not unique, therefore two very
   similar and closely related virus variants may have the same
   descriptions.

   I personally dislike this kind of method, since it has several
   drawbacks:

   1) The descriptions are not strictly unique and therefore cannot be
   used for exact virus identification.

   3) The descriptions include only a limited number of virus
   properties. Therefore, when a new idea in virus writing appears, and
   a virus with a completely new property is created (e.g., the Dir II
   virus), the description method must be changed accordingly.

It does have the advantage of not feeding the ego of the virus
writers. Using the names given by the virus writers for identification
and discussion just has to stroke the vanities of the writers of these
viruses.

jv

"theobromine: a compound which, contrary to its name, contains neither
bromine nor God" -- David Throop
 _____
|     | Johnathan Vail     vail@tegra.com           (508) 663-7435
|Tegra| jv@n1dxg.ampr.org  N1DXG@448.625-(WorldNet)
 -----  MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)

------------------------------

Date:    18 Feb 92 14:10:46 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: List of all viruses available?

PR2JBC@primea.sheffield.ac.uk writes:

> Apologies if this has been asked before, is there a listing of the
> known viruses, their names, major symptoms and possible cures? It
> would help when trying to follow discussions on the list as I'm new
> around here.

This should probably go to the FAQ list... Anyway:

[Moderator's note: It just did go to the FAQ list, thanks!]

There are three major sources of information about viruses.

Probably the biggest one is Patricia Hoffman's hypertext VSUM. It
describes only MS-DOS viruses, but almost all of them. Unfortunately,
it tends to be too verbose and is -very- inaccurate, so I do not
advise people to rely on it. It can be downloaded from most major
archive sites -except- Simtel20 and its mirrors.

The second one is the Computer Virus Catalog, published by the Virus
Test Center Hamburg (plug). It contains a highly technical description
of computer viruses for several platforms - MS-DOS, Mac, Amiga, Atari
ST, Unix. Unfortunately, the MS-DOS section is -very- incomplete -
less than 10 % of the known MS-DOS viruses are listed there.
The CVC is available for anonymous ftp from
ftp.informatik.uni-hamburg.de (IP=134.100.4.42), directory
pub/virus/texts/catalog.

The third source of information is Virus Bulletin. It regularly
publishes very detailed technical information about viruses.
Unfortunately it is -very- expensive (the subscription is about $350
per year).

Another source of information is the documentation of Dr. Solomon's
Anti-Virus ToolKit. It is more complete than the CVC, just as accurate
(if not more), but lists only MS-DOS viruses. However, it is not
available electronically; you must buy his anti-virus package and the
virus information is part of the documentation.

Hope the above helps.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Bontchev@Informatik.Uni-Hamburg.De    Fachbereich Informatik - AGN, rm. 107 C
Tel.:+49-40-54715-224, Fax: -226      Vogt-Koelln-Strasse 30, D-2000, Hamburg 54

------------------------------

Date:    Mon, 17 Feb 92 20:54:00 -0500
From:    "David Bridge"
Subject: Michelangelo virus story in The Washington Post

Major computer virus story in The Washington Post newspaper.
Washington, D.C. USA.  Monday, Feb. 17, 1992.  Pages A1, A24, A25.

It seems to me that this story is generally accurate (for the public
press) and useful to publicize the computer virus issue to the general
public.  Being located on the front page of one of the nation's major
newspapers is indicative of some trend, but I'm not sure what.

yours,
David Bridge

=======================================================================

Page A1.

'MICHELANGELO' SCARE STIRS FEARS ABOUT COMPUTER VIRUSES.

By John Burgess, Washington Post Staff Writer.

A new and unusually destructive type of computer "virus" -- a software
program that enters a computer surreptitiously and destroys data there
en masse -- has reignited concern over these electronic saboteurs.
Security experts have dubbed the virus "Michelangelo," because after
entering a computer it lies dormant until March 6, the Italian
Renaissance artist's birthday. Then it springs to life and wipes out
data stored on the computer's memory disk.

In November, a copy of Michelangelo turned up at the Gaithersburg
offices of the National Institute of Standards and Technology, hiding
on the data disk of a computer that had been returned after being on
loan to another federal agency.

Using special software, institute technicians found the virus and
removed it after receiving a tip from the other agency. That agency
had found the virus on its computers and warned the institute to make
sure its computer hadn't been infected too.

Michelangelo got national attention last month after Leading Edge
Products Inc., a manufacturer of personal computers compatible with
those of International Business Machines Corp., confirmed that it had
shipped about 500 machines that contained the virus. The manufacturer
sent customers special software designed to neutralize it.

Because the triggering date lies in the future, no one is known to
have lost data due to the virus, which was created by an unknown
programmer and has spread from computer to computer through the
exchange of infected floppy disks. But security experts, using special
software that scans computer disks to detect viruses, have been
finding

[end of story on page A1]
- -----------------------------------------------------------------------
Page A24.

DESTRUCTIVE NEW COMPUTER VIRUS FOUND

copies of Michelangelo since last summer and removing them before they
activate.

It remains unclear whether large numbers of computers contain
undetected copies of the virus, though estimates of millions of
machines have been published in the news media. Michelangelo affects
only IBM-compatible personal computers, but there are about 60 million
of these in existence.

Past scares about viruses often have proven to be overblown. But due
to Michelangelo's unusually destructive nature, as well as the
potential presence of other viruses, some computer experts are
suggesting that personal computer users take no chances over getting
caught by a virus.

"When it hits, it's dramatic," said Lance Hoffman, a professor of
computer science at George Washington University.

Computer users can protect themselves by making additional electronic
copies of information they cannot afford to lose, by reducing the
exchange of floppy disks and the transmission of software over phone
lines, and by obtaining special software that detects viruses.

Viruses are a surprise byproduct of the computer age. Complex sets of
computer instructions, they are usually written by anonymous
programmers as pranks, or in the case of Michelangelo, in a deliberate
effort to destroy the information of people the programmer has never
met.

Fighting the virus writers is a coalition of software companies,
academics, researchers and users of personal computers. The two play a
constant cat-and-mouse game -- virus writers sometimes send their
creations to the experts as a challenge.

If an infected floppy disk is put into a computer, the virus orders
the machine to copy it onto any other disk that the computer contains,
generally without the operator knowing that this is taking place. Or a
virus may enter a computer when its operator receives infected
software programs from a computer "bulletin board" reached by phone.

Many viruses are considered benign, doing little more than flashing
whimsical messages on the screen or playing a tune. But others, like
Michelangelo, are engineered to seek out stored data and destroy it,
sometimes on a specific date.

That can be devastating. Companies might lose all of their account
records, for instance, or an author using a home computer might lose
the entire manuscript of a novel.

To dissect Michelangelo and find out how it works, security experts
have deliberately introduced the virus into test computers and
advanced their internal clocks to March 6 to trigger the virus.

Michelangelo-infected machines that are not functioning on March 6
will not activate the virus, according

[end of story on page A24]
- -----------------------------------------------------------------------
Page A25.

COMPUTER USERS WARNED TO GUARD AGAINST VIRUS

to experts. By the same token, the virus can be kept dormant by
shifting the clock on the machine so that it never reads March 6.

Computer experts agree that getting hit by a virus -- more than 1,000
types have been identified over the years -- can be devastating as
society progressively puts more and more reliance on computers. But
there is continuing debate as to how prevalent the programs really
are.

"I'm finding virus catastrophes everywhere," said Martin Tibor, a data
recovery consultant in San Rafael, Calif., whose repeated calls to the
media after the Leading Edge incident helped publicize Michelangelo.
"These things are replicating like crazy."

David Stang, director of research at the National Computer Security
Association, offers a more conservative assessment. While stressing
the danger of viruses, he puts the probability of a virus residing in
a given computer at a large company at about 1 in 1,000. Michelangelo
constitutes a tiny fraction of those viruses, he said.

The National Institute of Standards and Technology has 5,000 personal
computers and has detected about one to three viruses a month since
last summer.

In contrast, Total Control Inc., an Alexandria computer security firm,
said that about 70 percent of the 300 personal computers at one
unnamed federal agency have been found to have Michelangelo.

San Jose research firm Dataquest Inc. surveyed 600 large U.S.
companies late last year and found that 63 percent had found a virus
on at least one company computer. However, it noted that these
companies often operated hundreds of computers.

Antiviral software has created a thriving new niche for the personal
computer software industry. Such products can be purchased in software
stores or obtained for free or at a nominal cost through on-line
computer networks.

Antiviral software is not foolproof, however. "You can't write a
generic program that detects every virus," said Hoffman, noting that
new strains are always appearing.

Some computer users suggest that the antiviral software companies want
to stoke fear to build a market for their products.

Consultant Tibor conceded that the calls he made to the media were in
part motivated by hopes of bringing business his way -- it in fact
brought in only one client, he said. But his main motivation, Tibor
said, was to get the word out about a serious computer danger. "I see
the victims of viruses all the time," he said. He calls viruses "the
digital equivalent of germ warfare."

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 35]
*****************************************
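Editor's added example, placed after the digest and not part of it: in both "Which Package is Best?" and "STONED on MSDOS 4.01 Distribution disks" Vesselin Bontchev recommends checksumming as a layer that, unlike a scanner, needs no knowledge of the particular virus. The Python below is a minimal integrity checker of that kind, written for this page and not taken from any product the digest names (Untouchable, Integrity Master). It records a SHA-256 digest and size for each program file, then reports files that changed, appeared or vanished; a grown program file is the classic footprint of an appending infector. The directory tree, file contents and the 390-byte growth in the demo are constructed (390 echoes the Cinderella length quoted in the digest). The Cinderella thread also shows the operational caveat: a checker opens every file it inspects, so it must run from a clean boot, and the baseline must live where a resident virus cannot rewrite it.

```python
import hashlib
import json
import os
import shutil
import tempfile

PROGRAM_SUFFIXES = (".com", ".exe", ".sys", ".ovl")


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=PROGRAM_SUFFIXES):
    """Digest and size of every program file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full),
                             "size": os.path.getsize(full)}
    return baseline


def save_baseline(baseline, path):
    # In practice the baseline belongs on write-protected or offline media;
    # a baseline the virus can rewrite proves nothing.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline, suffixes=PROGRAM_SUFFIXES):
    """Compare the tree against the baseline; no scan strings involved."""
    current = build_baseline(root, suffixes)
    report = {"modified": [], "added": [], "missing": []}
    for rel in sorted(baseline):
        old, new = baseline[rel], current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            # Size growth on a changed program is the sign of an appending
            # infector; a same-size change points elsewhere (overwriter, patch).
            report["modified"].append({"path": rel, "old_size": old["size"],
                                       "new_size": new["size"]})
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed run: baseline a small tree, tamper with it, verify."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "DOS"))
        # Sample contents are made up; they are not real DOS programs.
        files = {"COMMAND.COM": b"\xE9\x10\x00" + b"\x90" * 200,
                 "DOS/EDIT.COM": b"\xEB\x05\x90" + b"\xCC" * 120,
                 "DOS/FORMAT.COM": b"\xB8\x00\x4C\xCD\x21" * 10,
                 "README.TXT": b"not a program, so not baselined"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        db = os.path.join(root, "BASELINE.JSN")
        save_baseline(build_baseline(root), db)
        # Simulate an appending infector adding 390 bytes to one program,
        # a new executable appearing, and a program being wiped out.
        with open(os.path.join(root, "DOS/EDIT.COM"), "ab") as f:
            f.write(b"\x00" * 390)
        with open(os.path.join(root, "DOS/NEW.EXE"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 50)
        os.remove(os.path.join(root, "DOS/FORMAT.COM"))
        return verify(root, load_baseline(db))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report names what changed, not what changed it: that is the trade Bontchev describes, detection of unknown viruses in exchange for no virus name. Anything in "modified" that is a program you did not deliberately update deserves a clean-boot scan, and the baseline should be rebuilt only after the tree is known clean.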
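Editor's added example, placed after the digest and not part of it: in "Viruses and Backups" Bontchev explains that Stoned overwrites the diskette's boot sector (and with it the format description stored there), then writes the original boot sector to what it takes to be the last sector of the root directory, which on a non-DOS backup diskette is simply data; in the Stoned thread he adds that high-capacity diskettes can lose part of their root directory. The Python below, written for this page, parses the BIOS Parameter Block that a DOS-formatted diskette keeps in its boot sector, sanity-checks it (a boot sector replaced by virus code typically fails these checks), and maps a cylinder/head/sector address to the reserved, FAT, root-directory or data region. The three sample sectors are constructed. The address used in the demo, cylinder 0 / head 1 / sector 3, is the diskette location documented in analyses of Stoned and is not stated in the digest; treat it as an assumption of the example.

```python
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBHHH"   # DOS 3.x BPB fields, little-endian, at offset 11
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fats", "root_entries", "total_sectors", "media",
              "sectors_per_fat", "sectors_per_track", "heads")


def build_boot_sector(oem, **bpb):
    """Constructed sample: a plausible DOS boot sector with the given BPB."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                    # JMP SHORT to boot code; NOP
    sec[3:11] = oem.encode("ascii").ljust(8)
    struct.pack_into(BPB_FORMAT, sec, 11, *(bpb[k] for k in BPB_FIELDS))
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def parse_bpb(sector):
    """Decode jump, BPB and signature from a 512-byte boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 11)))
    bpb["jump"] = bytes(sector[0:3])
    bpb["signature"] = bytes(sector[510:512])
    return bpb


def bpb_problems(bpb):
    """Reasons the sector does not look like a DOS-formatted diskette."""
    p = []
    j = bpb["jump"]
    if not ((j[0] == 0xEB and j[2] == 0x90) or j[0] == 0xE9):
        p.append("offset 0 is not a JMP to boot code")
    if bpb["bytes_per_sector"] != SECTOR_SIZE:
        p.append("bytes per sector != 512")
    if bpb["sectors_per_cluster"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        p.append("sectors per cluster not a power of two")
    if bpb["reserved_sectors"] < 1:
        p.append("no reserved boot sector")
    if bpb["fats"] not in (1, 2):
        p.append("FAT count not 1 or 2")
    if 0 in (bpb["root_entries"], bpb["total_sectors"], bpb["sectors_per_fat"],
             bpb["sectors_per_track"], bpb["heads"]):
        p.append("zero-valued geometry field")
    if bpb["media"] != 0xF0 and not 0xF8 <= bpb["media"] <= 0xFF:
        p.append("unknown media descriptor")
    if bpb["signature"] != b"\x55\xAA":
        p.append("missing 55 AA boot signature")
    return p


def layout(bpb):
    """Logical-sector ranges (inclusive) of reserved, FAT, root dir, data."""
    fat_first = bpb["reserved_sectors"]
    fat_last = fat_first + bpb["fats"] * bpb["sectors_per_fat"] - 1
    root_first = fat_last + 1
    root_count = (bpb["root_entries"] * 32 + SECTOR_SIZE - 1) // SECTOR_SIZE
    root_last = root_first + root_count - 1
    return {"reserved": (0, fat_first - 1), "fat": (fat_first, fat_last),
            "root": (root_first, root_last),
            "data": (root_last + 1, bpb["total_sectors"] - 1)}


def chs_to_lba(bpb, cyl, head, sector):
    """Cylinder/head/1-based sector to logical sector number."""
    return (cyl * bpb["heads"] + head) * bpb["sectors_per_track"] + sector - 1


def region_of_chs(sector_bytes, cyl, head, sector):
    """(region, index within region, region size), or None without a usable BPB."""
    bpb = parse_bpb(sector_bytes)
    if bpb_problems(bpb):
        return None          # no BPB, so no root directory to speak of
    lba = chs_to_lba(bpb, cyl, head, sector)
    for name, (lo, hi) in layout(bpb).items():
        if lo <= hi and lo <= lba <= hi:
            return (name, lba - lo, hi - lo + 1)
    return ("beyond volume end", lba, 0)


# Constructed sample sectors: a 360K and a 1.44M DOS diskette, and one that
# was never DOS-formatted (its first sector holds arbitrary backup data).
DISK_360K = build_boot_sector("MSDOS3.3", bytes_per_sector=512,
    sectors_per_cluster=2, reserved_sectors=1, fats=2, root_entries=112,
    total_sectors=720, media=0xFD, sectors_per_fat=2, sectors_per_track=9,
    heads=2)
DISK_1440K = build_boot_sector("MSDOS5.0", bytes_per_sector=512,
    sectors_per_cluster=1, reserved_sectors=1, fats=2, root_entries=224,
    total_sectors=2880, media=0xF0, sectors_per_fat=9, sectors_per_track=18,
    heads=2)
NON_DOS = bytes((i * 37) & 0xFF for i in range(SECTOR_SIZE))

# Cylinder 0, head 1, sector 3: where Stoned parks the original diskette boot
# sector (documented in virus analyses; an assumption here, not from the digest).
STONED_STASH = (0, 1, 3)

if __name__ == "__main__":
    for label, img in (("360K", DISK_360K), ("1.44M", DISK_1440K), ("non-DOS", NON_DOS)):
        print(label, bpb_problems(parse_bpb(img)), region_of_chs(img, *STONED_STASH))
```

On the 360K layout the address lands on the last of the seven root-directory sectors, which is empty unless the directory is nearly full, so the damage Bontchev calls "quite rare" stays rare. On the 1.44M layout the same fixed address is the second of fourteen root-directory sectors and holds live directory entries, which is his "part of the root directory on high-capacity diskettes". For the non-DOS sector the checker refuses to classify anything, because the geometry it would need was never there; whatever the backup program stored in that physical sector is what gets overwritten.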