VIRUS-L Digest   Tuesday, 12 Oct 1993    Volume 6 : Issue 131

Today's Topics:

Please respond -- law/ethics/viruses
Virus Documentation
Re: Virus scanning for UNIX (UNIX)
UNIX virus software (UNIX)
Big Bad Wolf (UNIX)
Virus scanning for Unix (UNIX)
Re: Help! NeXT screen keeps going dark! (UNIX)
re: OS/2 v1.3 Scanner??!?? (OS/2)
Re: OS/2 v1.3 Scanner??!?? (OS/2)
Re: unzipping antivirus programs (PC)
Nice Day Virus ??? (PC)
New Variant of Stoned (PC)
Re: VShield 108 still buggy (PC)
MSAV and Stoned 4 (PC)
Re: TREMOR virus (PC)
Re: Timid... (PC)
NAV 3.0 vs. MtE (PC)
Re: Timid... (PC)
Re: TBAV false alarm (PC)
Re: Tremor Virus and McAfee VIRUSCAN (PC)
Re: More troble with F-prot 2.09d and FORM (PC)
Re: VShield 108 still buggy (PC)
Viruses on CD-ROMs? (PC)
Re: VIRUS ? (PC)
Re: Companion (or spawning) viral programs (CVP)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on CERT.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).

Administrative mail (e.g., comments, suggestions, beer recipes) should
be sent to me at: krvw@ASSIST.IMS.DISA.MIL.

All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 05 Oct 93 17:54:31 -0400
From: Sara Gordon
Subject: Please respond -- law/ethics/viruses

These questions are being asked to help document how different people
perceive various aspects of the virus problem. Any and all responses
will be appreciated. It is not necessary to include any identifying
information, but you can if you wish. Affiliation/Position would be
appreciated, such as Virus Writer, Virus Exchange BBS Sysop, Virus
Collector, Professor of Law, Student of Psychology, etc.

I've asked these general questions before, so if you responded then, I
would still appreciate another response now. People change their ideas
on all of this from time to time, so I'm trying to get a current
perspective :)

Responses can be e-mailed via Fidonet 1:227/190, Internet
vfr@netcom.com or SGordon@Dockmaster.ncsc.mil, or Virnet 9:10/0. Paper
mail responses are also appreciated, at the address P.O. Box 11417
South Bend, Indiana 46624. You may directly upload your answers via
modem, if you wish, to 219-273-2431; logon survey, password survey.

Thank you very much for the continued assistance so many of you have
given in the past!

1. Laws addressing computer viruses vary from location to location.
Are you familiar with the laws of your country? If so, can you tell me
what laws specifically address the virus problem? Please be as
specific as possible.

2. Do you know of anyone who has been prosecuted under any portion of
any law pertaining to computer viruses? If so, please give as much
detail as you know regarding charges, sentencing, recidivism, etc.

3. Are you familiar with the term 'incitement'? If so, how do you feel
about this portion of law that many countries are now adopting?

4. Please tell me how you view this statement. "If it is not illegal
to do it, it is ok to do it".
Specifically, since it is legal in many places to put viruses on a BBS
for anyone to take, with no restrictions, do you think this is an o.k.
thing to do? Why or why not?

5. Please define "Responsible" behaviour relating to distribution of
viruses.

6. Please define "Computer Virus Researcher", paying special attention
to the term Researcher :). What is a researcher? What qualification
and responsibilities does a Researcher have?

7. What is the function of INTERPOL as you understand it?

8. Which branch of governments that you are aware of deal with
computer viruses, if any? This can be from your own country or from
any country that you are familiar with. What is the function of the
branch/division you are aware of.

9. Do you feel the trend in legislation against computer virus
exchange bbs will continue to grow? Do you think it is a healthy
trend? What possible implications do you see growing from the AIS
Incident? Do you feel the U.S. Government acted responsibly in
allowing computer viruses to be accessed from their BBS?

10. Do you think laws in other countries are applicable in cyberspace,
where there are no formal territorial boundaries?

11. Have you ever taken a class relating to ethics? If so, at what
grade level. Did the class specifically address ethical behaviours as
relate to computing environments? Please define the word "ethics",
i.e. what does this mean to you personally.

The source of all information will be publicly available unless you
specifically state you do NOT want your name used, so please, make
sure you specify if you do NOT want your name or any identifying
information used. If you do not want your name used, and say so :),
any info you give will be presented like "a virus writer from
argentina" or "professor of history from china", i.e., generic. If
this is still too broad for your liking, please specify to not include
any reference to you personally.

Laws are being tossed about daily, globally that could have far more
reaching impact than I ever realised. I am interested to know what
other people are thinking and doing to help stop this from happening.

Also, if you have a resource file, text file, paper, article, or any
information related to any of the above areas, I would appreciate
receiving a copy.

Please circulate these questions to anyone and anyplace you feel may
have an interest in responding.

Thanks :)
Sara

------------------------------

Date: Thu, 07 Oct 93 13:55:25 +0000
From: worsh825@piratesarmstrong.edu (Virus)
Subject: Virus Documentation
Keywords:

Does anyone have any files that I could get via FTP or E-Mail because
I am starting up a class on Virus Prevention at where I work. I will
be discussing from the simple viruses to the more, stealth type, ones.

Please send all the information you can send on this topic: Viruses in
the Workplace.

Thanks.

-- Michael

==================
Michael A. Worsham
Worsh825@Pirates.Armstrong.EDU

Huh? What are you looking at!?! Just trying to be friendly...
Guess I can't be that anymore. Too bad. *Giggle* ;)
=================

------------------------------

Date: Wed, 06 Oct 93 16:35:10 -0400
From: "David M. Chess"
Subject: Re: Virus scanning for UNIX (UNIX)

>From: "Tom Zmudzinski"
> UNIX is not exactly a fertile field
>for virus propagation (no vector for propagation beyond the local
>environment).

That seems to be true at the moment; not clear how long it'll remain
true, though. Distribution in binary format is becoming somewhat more
common, I hear, and that's one of the relevant vectors. There's no
technical feature of Unix and related operating systems that keeps
them from getting viruses; it's just cultural features (less binary
virus exchange, apparently less people with both a UNIX system and the
proper sorts of brain-damage to want to spread a virus, etc).

DC

------------------------------

Date: Tue, 05 Oct 93 16:06:51 -0400
From: Jim Benenson
Subject: UNIX virus software (UNIX)

I am in need of a public domain virus-checking software to run on a
Sun Sparc 10 (OS 4.1.3). Can anyone suggest a program, and where to
get it?

Thanx,
Jim Benenson
GSD/ISD/OCS
State of New Mexico
505-827-2431

------------------------------

Date: Tue, 05 Oct 93 16:33:37 -0400
From: Jim Benenson
Subject: Big Bad Wolf (UNIX)

I received a message on my UNIX machine which said something like:
"There's a big bad wolf at your door. It's closer than you think".
Does anyone know about this message?

Jim Benenson           Internet:  TNGSDISD1@TECHNET.NM.ORG
GSD/ISD/OCS            Telephone: 505-827-2431
State of New Mexico
715 Alta Vista
Santa Fe, NM 87503

------------------------------

Date: Thu, 07 Oct 93 09:48:53 -0400
From: KIDAJ.TRANSCOM@transcom.safb.af.mil (KIDA JOHN H)
Subject: Virus scanning for Unix (UNIX)

We perform scans daily using McAfee s/w on SUN UNIX systems as follows;

Unix side:

   We find and copy all NEW files to a restricted file area
   we perform the copy in a manner which maintains a directory tree
   to some degree, but changes the owner to Wheel user-id @ 600

   We logon as that Wheel USER-ID

   We then PC/NFS mount the area
       example   net use g: fs: \home\fs1

   RUN NETSCAN (now SCAN)
       scan g: /a

   you could run CHECKOUT with SCAN to catch compressed files this way
   also.

   If all is ok we "rm" the files in the restricted area

This method takes about 15 mins to search 1.5 gb, move the new files
to the holding area and scan them... this is done with a batch file or
XTree UNIX. The batch file requires a

KIDA

------------------------------

Date: Wed, 06 Oct 93 16:14:49 -0400
From: raverill@u.washington.edu
Subject: Re: Help! NeXT screen keeps going dark! (UNIX)

The screen on our network server began going dark at random time
intervals of about a minute two days ago.
Now it's going dark every few seconds and the problem seems to be
spreading to the other machines on our network.

Can anyone offer some advice?

Ron Averill
School of Music Computer Center
University of Washington
raverill@u.washington.edu

------------------------------

Date: Wed, 06 Oct 93 16:42:06 -0400
From: "David M. Chess"
Subject: re: OS/2 v1.3 Scanner??!?? (OS/2)

> From: zycor@netcom.com (UnListed)

> I need to locate a scanner/cleaner for OS/2 version 1.3 - also anyone
> who has ANY info on the -ZOMBIE- virus please respond via email to
> zycor@netcom.com

> This is a weird looking thing, launches off of the Kernel and is
> visible for 20-30 seconds, then disappears.

Almost certainly not a virus. "Zombie" is technical jargon for a
process or task that has ended ("died") but isn't quite shut down yet
(and so is "undead"). I would guess that some OS/2 application that
you're using is spawning tasks now and then, and changing the title to
"Zombie" between the time the task finishes and the time it's been all
cleaned up.

DC

------------------------------

Date: Thu, 07 Oct 93 02:41:54 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: OS/2 v1.3 Scanner??!?? (OS/2)

Hi Vesselin,

bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
>UnListed (zycor@netcom.com) writes:
>
>> I need to locate a scanner/cleaner for OS/2 version 1.3 -
>
>McAfee's SCAN/CLEAN has an OS/2 version. The programs can be obtained
>from their ftp site (mcafee.com), directory /pub/antivirus. The names
>of the archives are oscn108.zip and ocln108.zip.
[...deleted...]

Our OS/2 programs are true 32-bit applications and as such will only
run on OS/2 2.0 and above only. They won't run on an OS/2 1.X (16 bit)
system, and there are no plans to make OS/2 1.X-compatible versions
either.

Regards,

Aryeh Goretsky
Technical Support

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963  USA          | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Wed, 06 Oct 93 13:16:40 -0400
From: smhawkin@midway.uchicago.edu (stephanie mia hawkins)
Subject: Re: unzipping antivirus programs (PC)

thanks for your help, everyone. it was simply a matter of using the
binary mode in both ftp'ing and downloading the zipped files.

stephanie

- --
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Never try to outstubborn a cat.  -- Lazarus Long
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

------------------------------

Date: Wed, 06 Oct 93 16:52:49 -0400
From: "David M. Chess"
Subject: Nice Day Virus ??? (PC)

> From: jcchan@solomon.technet.sg (Chan Joo Chong)
>
> Hello....
>
> Do anybody know anything or hear anything about Nice-day virus ?

We've seen a virus that we call YMP-NiceDay; it may be the same thing
that you have. It's a diskette and hard disk master boot infector, and
on the first of the month it will display "HAVE A NICE DAY (c) YMP"
during boot. To clean up an infected hard disk:

 - Power off and boot from a clean DOS diskette.
 - Make sure the hard disk partitions are visible (Important! Don't
   skip this step!).
 - Use "FDISK /MBR" to replace the code in the master boot record.
   (This requires the FDISK command from DOS 5 or better.)

We've seen this virus only in Indonesia so far, but that's not *too*
far from you. Of course, the virus that you have may be completely
unrelated to the one I describe here!

- - -- -
                              /  We have a little garden,
David M. Chess               /   A garden of our own,
High Integrity Computing Lab /   And every day we water there
IBM Watson Research          /   The seeds that we have sown.
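
The "make sure the hard disk partitions are visible" step in the message above can also be checked on a saved copy of sector 0 before the boot code is replaced, because FDISK /MBR rewrites the code and leaves whatever partition table is on the disk in place. The Python sketch below is an added example, not part of the original post. It assumes a 512-byte dump of the master boot record taken after booting from a clean diskette and the standard PC partition-table layout; the function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE       # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE   # a valid MBR ends with the bytes 55 AA


def parse_entries(mbr):
    """Decode the four partition entries of a 512-byte MBR image."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes of sector 0" % SECTOR_SIZE)
    entries = []
    for index in range(4):
        raw = mbr[TABLE_OFFSET + 16 * index:TABLE_OFFSET + 16 * (index + 1)]
        # Bytes 8-15 hold the starting sector and sector count, little-endian.
        start, count = struct.unpack_from("<II", raw, 8)
        entries.append({"index": index, "status": raw[0], "type": raw[4],
                        "start": start, "count": count})
    return entries


def check_partition_table(mbr, disk_sectors=None):
    """Return a list of problems; an empty list means the table looks usable."""
    entries = parse_entries(mbr)
    problems = []
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        problems.append("missing 55 AA signature")
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partition entries")
    for e in entries:
        # The status byte is 0x80 (active) or 0x00; anything else is not a table.
        if e["status"] not in (0x00, 0x80):
            problems.append("entry %d: bad status byte 0x%02X"
                            % (e["index"], e["status"]))
    for e in used:
        if e["start"] == 0 or e["count"] == 0:
            problems.append("entry %d: zero start or length" % e["index"])
        elif disk_sectors is not None and e["start"] + e["count"] > disk_sectors:
            problems.append("entry %d: runs past end of disk" % e["index"])
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")
    ordered = sorted(used, key=lambda e: e["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["count"] > b["start"]:
            problems.append("entries %d and %d overlap" % (a["index"], b["index"]))
    return problems


def build_mbr(entries, boot_code=b""):
    """Assemble a constructed sector-0 image for the demo (not a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for index, (status, ptype, start, count) in enumerate(entries):
        raw = struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0",
                          start, count)
        sector[TABLE_OFFSET + 16 * index:TABLE_OFFSET + 16 * (index + 1)] = raw
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples: one active DOS partition, an empty table, a damaged table.
GOOD_MBR = build_mbr([(0x80, 0x06, 63, 208782)])
EMPTY_TABLE_MBR = build_mbr([], boot_code=b"\xfa\x33\xc0")
DAMAGED_MBR = build_mbr([(0x41, 0x42, 0, 0),
                         (0x80, 0x06, 63, 1000),
                         (0x80, 0x06, 500, 1000)])

if __name__ == "__main__":
    for name, image in (("good", GOOD_MBR), ("empty table", EMPTY_TABLE_MBR),
                        ("damaged", DAMAGED_MBR)):
        found = check_partition_table(image)
        print(name, "->", found if found else "partition table looks usable")
```

If the check reports problems on a dump taken after a clean boot, replacing the boot code alone will not make the partitions visible.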

------------------------------

Date: Wed, 06 Oct 93 16:45:39 -0400
From: "David M. Chess"
Subject: New Variant of Stoned (PC)

> From: econz@vax.ox.ac.uk (Jurgen Doornik)

> When booting from a clean floppy there is no harddisk
> (typing "c:" gives "invalid drive"). However, when booting from an
> infected floppy, the harddisk is present as normal.
>
> How is this possible? And what is the best way to proceed?

It means that the virus is stealthed, and the master boot record
doesn't contain a valid partition table. When you boot from an
infected hard disk or diskette, the virus's stealth code shows
everyone (including DOS) the original MBR, including the PT. But when
you boot clean, the virus MBR, with no PT, is all you can see.
Solutions:

 - Get an anti-virus program that knows about this virus, and can
   find and restore the original MBR (with PT),
 - Do it yourself, by analyzing the viral MBR, finding where it's
   stashed the original, and putting the original back (or have
   your local guru do it).

The Monkey viruses are the most common viruses in North America that
do this; I don't know of any common ones in the UK that do.

*Don't* use FDISK /MBR on the hard disk; it will either do nothing, or
it will remove the virus code from the MBR, leaving only the invalid
PT, and then the hard disk won't be accessible even after booting from
an infected BR...

- - -- -
David M. Chess
High Integrity Computing Lab
IBM Watson Research

------------------------------

Date: Thu, 07 Oct 93 02:04:52 -0400
From: mcafee@netcom.com (McAfee Associates)
Subject: Re: VShield 108 still buggy (PC)

Hello,

CMEELBOO@vmtecqro.qro.itesm.mx (Elite of the Network) writes:
>Hello:
>
> Two days ago, I downloaded vshield 108 from mcafee.com but this version
>still has the /lh bug. I'm using qemm 7.01 and vshield says there is not
[...deleted...]

VSHIELD can not be loaded high with Quarterdeck Office Systems'
LOADHIGH.COM program. If you are trying to load VSHIELD high by using
LOADHIGH.COM it will fail.
Instead, run VSHIELD by itself with the /LH switch. For example,
changing the VSHIELD line in your AUTOEXEC.BAT to read

        C:\MCAFEE\VSHIELD /LH {...other options go here...}

will allow VSHIELD to load the majority of its code into upper memory
(approximately 1.5Kb remains in conventional, 25Kb loads high, and
20Kb goes into EMS, if present) successfully.

One thing to watch out for is the OPTIMIZE program that comes with
QEMM 7.01: One of our agents had a problem with VSHIELD locking up
when run--it turned out he needed to exclude his network interface
card from the upper memory area and OPTIMIZE was not detecting this.

Regards,

Aryeh Goretsky
Technical Support

- --
- - - - - - - Please send your reply, if any, to Aryeh@McAfee.COM - - - - - -
McAfee Associates, Inc.  | Voice (408) 988-3832 | INTERNET: mcafee@netcom.com
2710 Walsh Ave, 2nd Floor| FAX   (408) 970-9727 | or try: support@mcafee.com
Santa Clara, California  | BBS   (408) 988-4004 | CompuServe ID: 76702,1714
95051-0963  USA          | USR HST Courier DS   | or GO MCAFEE
Support for SENTRY/SCAN/VSHIELD/CLEAN/WSCAN/NETSHLD/TARGET/CONFIG MGR/PROVIEW

------------------------------

Date: Thu, 07 Oct 93 03:52:22 -0400
From: "Roger Riordan"
Subject: MSAV and Stoned 4 (PC)

We have been getting some flak recently from users who have been told
by MSAV that their PC has Stoned 4, but everything else says it is
clear. Also we are told that some service types have been making a
packet "removing" the infection, or even replacing perfectly good hard
disks (and naturally saying VET, or whatever, is no good "because it
can't detect the virus"). Most of these reports have come from
Tasmania.

We have eventually managed to establish what appears to be happening.
The PCs have had Stoned (the standard variety), and someone has used
something (some version of FDISK /MBR, or some other AV software?)
which has overwritten the start of the virus with a good MBR, but left
part of it after the boot program.
This contains the signature used by MSAV, so it reports Stoned 4.
Naturally nothing else finds the "virus" because there isn't one.

I reported an almost identical false alarm with VET last year. No one
knew of a version of FDISK which did not zero the offending area, but
no one could offer an alternative explanation of how the good boot
program had been put back without overwriting all the virus. We chose
another signature to avoid the problem, but of course it is too much
to hope that MSAV would do anything as sensible.

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727

------------------------------

Date: Tue, 05 Oct 93 15:22:43 -0400
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: TREMOR virus (PC)

Maren Thiele wrote:
>Is there anybody who knows about the TREMOR virus. What exactly does he do?
>Is he able to stay in the High Mem part of your system? Are there programs

It is a memory resident polymorphic stealth virus. It's 4000 bytes
long, and when it activates ( I forget the cause), it rattles your
screen back and forth. It DOES use high memory (if available).

>that are able to remove it. So far I have only found programs that are able to
>detect him. I hope there are other possibilities than reinstalling the system.
>Thanks for any tips and information.
>

Norton AntiVirus 3.0 is capable of detecting and removing this virus.

- --
 -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
    Author: TSCAN, MICHEX, RE-xxx. AntiVirus/Music BBS: (619)/457-1836.
    CSLD Room Monitor Saturday, 12-5p (909)/787-2842.
    Comp. Sci. Major, University of California, Riverside.

------------------------------

Date: Tue, 05 Oct 93 15:26:22 -0400
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Timid... (PC)

>I have encountered a virus on my system. With a virus scanner, I learned that
>it's called TIMID and that it comes from a little black book. And I know that
>it infects COM files.

Yes, that's all it does. It doesn't intentionally cause any damages,
if that is what you're concerned about. The Little Black Book is
written by Mark Ludwig, and it contains source code for entire
viruses, as well as descriptions how to write them.

>
>I would like to know two things:
>
>1) What exactly does it do. (I'm in Computer Science so I don't mind the
>technical explanations...!)

It infects .COM files, in the current directory I believe. It has a
very low chance of spreading. I'm curious how you got it.

>2) How do you trace the execution of a virus? ...
> Debug? Codeview? ...

Either of those would work, but pay attention to what you're doing, if
you should do this, as you can infect your system if you don't.

- --
 -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
    Author: TSCAN, MICHEX, RE-xxx. AntiVirus/Music BBS: (619)/457-1836.
    CSLD Room Monitor Saturday, 12-5p (909)/787-2842.
    Comp. Sci. Major, University of California, Riverside.

------------------------------

Date: Tue, 05 Oct 93 16:06:49 -0400
From: "Jeff Rice - Pomona College, Claremont, CA."
Subject: NAV 3.0 vs. MtE (PC)

I saw the post about NAV 2.1's hopelessness against MtE based viruses,
but does v3.0 do any better? I like Norton as a product, but I'm
certainly not going to buy an upgrade for a product labeled as
"hopeless"!

Jeff Rice

------------------------------

Date: Tue, 05 Oct 93 17:14:14 -0400
From: rslade@sfu.ca (Robert Slade)
Subject: Re: Timid... (PC)

Well, "The Little Black Book" will tell you more than all you need to
know about it. (How, by the way, did you learn that it was from "a
little black book"?)

From the assembly source code comments:

Yes, the virus only infects COM files. The first five bytes of the
file are repositioned, and replaced with a jump and the letters VI
which are used as an infection marker.
The body of the virus is appended to the end of the host file. TIMID
doesn't seem to carry any payload, although, of course, with the
source code published in a book there is no telling what variants are
possible.

Timid hasn't been seen very widely "in the wild" in spite of the book:
where does this infection originate?

==============                      ______________________
Vancouver      ROBERTS@decus.ca     | |     /\     | |   swiped
Institute for  Robert_Slade@sfu.ca  | |  __ |  | __ | |  from
Research into  rslade@cue.bc.ca     | | \ \    / / | |   Mike
User           p1@CyberStore.ca     | | /________\ | |   Church
Security       Canada V7K 2G6       |____|_____][_____|____| @sfu.ca

------------------------------

Date: Thu, 07 Oct 93 11:04:44 -0400
From: M.F.C.vdnHout@kub.nl (M.F.C.VDN HOUT)
Subject: Re: TBAV false alarm (PC)

"al026@yfn.ysu.edu (Joe Norton)" says:
>
> I just wanted to let Frans know that TBAV605 is flagging a copy
> of Timeset 6.0 as "Dropper of Bad_Taste".. I'm used to TBAV
> yelling that Timeset is suspicious, but this new version of TBAV
> is actually saying it's a virus. Timeset is packed using
> ICE v1.0 according to UNP v3.11 if that helps any..
>

TBAV 6.07 is out.. maybe it has this bug fixed? I'll pass the report
through to the EsaSS BBS anyway.

- ----------------------------------------------------------------------
!          ..Ya wanna see a real dino? Check out da Pope!..           !
.  Marco van den Hout.. - PorQpine of White labeL (Amiga!)            .
.  Member of Safe Hex International - the Amiga virus wizards.        :
:  >>       .. Internet: M.F.C.vdnHout@kub.nl ..                  <<  .
:  >>  Snail Mail: P.O.Box 139, NL-5080 AC HILVARENBEEK           <<  :
- --------------------------------------------------------------[~Q~]---

------------------------------

Date: Thu, 07 Oct 93 12:26:18 -0400
From: datadec@ucrengr.ucr.edu (kevin marcus)
Subject: Re: Tremor Virus and McAfee VIRUSCAN (PC)

>As I have said several times here - SCAN is essentially useless for
>virus identification. It doesn't use consistent virus names, the names
>often change from version to version, not all of them are listed in
>the documentation, many names listed in the documentation are never
>reported, some names listed in the documentation are misspelled, often
>two closely related virus variants are reported with two completely
>different names, and often two completely different viruses are
>reported with one and the same name. Infections by some viruses are
>reported with two different names, even if only one virus is present.
>Sometimes one and the same virus is reported under different names in
>COM and EXE files.
>
>SCAN is relatively good only in one thing - to decide whether some
>object (file or boot sector) is infected or not. In order to determine
>with what exactly it is infected, you should use another program that
>does this job better.
>

I recall reading an article in which John McAfee said he feels the
common user doesn't care what virus their computer is infected with,
they just want to know whether or not they have one, and if they do,
they want to get rid of it.

Wouldn't that be sooo nice? The problems are that SCAN doesn't
reliably identify all of the common polymorphic viruses, so this
argument begins to lose its strength. Detecting some viruses is worse
than not detecting them at all, IMHO... Simply, because the person
gets a false sense of security, after "cleaning" their system.

Next, there are many closely related viruses, many of which have small
changes to the size of the virus (look, for example, at all the Vienna
viruses, and their respective sizes...!) If a scanner can't identify
the viruses right, how do you expect to clean them!? If virus A is
detected as, say, some 300 bytes virus, and then, in fact, the virus
is 600 bytes long, when removing it, there are going to be some
problems, eh? If Clean does do checking to make sure it has the right
virus, then why not put it in scan, and reliably detect viruses, too?

Scan is also hella-slow.

I think SCAN will slowly become a heuristics scanner in the future..
Sorta seems where they're headed now.

- --
 -- Kevin Marcus: datadec@ucrengr.ucr.edu, tck@bend.ucsd.edu
    Author: TSCAN, MICHEX, RE-xxx. AntiVirus/Music BBS: (619)/457-1836.
    CSLD Room Monitor Saturday, 12-5p (909)/787-2842.
    Comp. Sci. Major, University of California, Riverside.

------------------------------

Date: Thu, 07 Oct 93 17:12:59 -0400
From: maven@kauri.vuw.ac.nz (Jim Baltaxe)
Subject: Re: More troble with F-prot 2.09d and FORM (PC)

doug@viper.ELP.CWRU.Edu (Douglas Bell) writes:

|Well, the FORM virus came back to our site on a bunch of computers that
|were booting from the a: drive. I booted off of a clean diskette and
|disinfected the computers with f-prot. On 2 of the four infected
|computers, one is a zenith z386-20 and the other a compuadd 325,
|f-prot disinfected the boot sector, but reported errors when opening
|all of the files on the hard drive. I exited f-prot and found that
|I could see all of the files on the hard drive, copy and delete files
|on the hard drive, run norton 7.0 disk doctor on the hard drive,
|all without any problem. I rebooted the computer using the hard
|drive and found that f-prot would not report errors any more and the
|file system appeared intact. I booted from my write protected floppy
|disk again and every thing seemed hunky-dory except for f-prot which
|still could not read the files on the hard drive when it would scan the
|computer.
|
|????
|
|At this point I decided to stop playing around and I backed up the
|computer, repartitioned the hard drive and restored the data. F-prot
|still could not open the files on the hard drive if and only if I
|booted from my clean disk.
|
|Can anyone help me with this one?
|
|p.s. I'm using MS-DOS 5.0.

Are you sure that you are running the same version of mushDOS on the
floppy? Earlier versions of MSDOS can have trouble with the
modifications to the file system introduced with version 5.

Just a guess for what it's worth.

- --
Jim Baltaxe - jim.baltaxe@vuw.ac.nz
******************** Are you man enough to change things? *********************
Contact: Wellington Men for Nonviolence
or Manline Telephone Counselling Service - phone (04) 472 7982

------------------------------

Date: Thu, 07 Oct 93 17:29:48 -0400
From: "Steve Bonds (007"
Subject: Re: VShield 108 still buggy (PC)

CMEELBOO@vmtecqro.qro.itesm.mx (Elite of the Network) writes:

> Two days ago, I downloaded vshield 108 from mcafee.com but this version
>still has the /lh bug. I'm using qemm 7.01 and vshield says there is not
>enough high ram to load (it says it needs 198 KB!!!). I know I can loadhi
>vshield by using DOS=UMB, but QEMM manual says don't use that option!
> I want to use vshield without using DOS=UMB, just like vshield 106 did it.
>Is there any other suggestion to loadhi vshield with QEMM 7.01?

Vshield108 seems to be a real memory hog during initialization. I
checked it out using QEMM's LOADHI /GS (get statistics), but QEMM
reported it needing anywhere from 230K to 580K to start up!!

If memory is a real concern, you might try either using disk swapping
(VSHIELD /SWAP, in conventional memory) or use frisk's VIRSTOP, which
is much smaller (since it is written in assembly, whereas VSHIELD is
mostly C) and can be loaded high easily with QEMM's LOADHI.

 -- Steve Bonds

- --
 000   000   7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu
0   0 0   0     7 |-----------------------------------------------------------
0   0 0   0    7  | Childhood is short...               [Calvin & Hobbes]
 000   000    7   | ...but immaturity is forever.

------------------------------

Date: Tue, 05 Oct 93 19:08:28 -0400
From: vfreak@aol.com
Subject: Viruses on CD-ROMs? (PC)

From: ian@unipalm.co.uk (Ian Phillipps)

>Have there been any reports of viruses on CD? Has anyone else been
>through this and come to some sort of conclusion?

The only infected CD that I am aware of is "SO MUCH SHAREWARE VOLUME
II" XYPHR2.ZIP is infected with the Power Pump virus.

Bill

------------------------------

Date: Thu, 07 Oct 93 17:39:54 -0400
From: "Steve Bonds (007"
Subject: Re: VIRUS ? (PC)

buex93d@urc.tue.nl (Richard Braeken) writes:

>I have a problem. Lately when I work with Word Perfect (don't start to laugh) I

Are you kidding? WordPerfect is a wonderful program! Version 5.1 is
one of the last of the fast, truly code-optimized programs. (Except
for most viruses, that is...) :-(

>notice that some characters in a file has been changed since the last time
>I used that same file.

[Another example of a changed program omitted.]

Something is clearly corrupting your files.

>Although I used almost "every" scanprogram (svanv108, TBAV, FPROT), no
>program can detect a virus.
>Do I have a virus? If so, what sort of virus and what can I do against
>it? Are there any other scanners who might recognize "my virus"?

Make sure you reboot from a clean, write-protected floppy disk with
the same version of DOS before you scan. This will keep "stealth"
viruses from hiding themselves during scanning. The programs you have
described are typically quite good at finding viruses, even if they
are in memory, but the cold boot is ALWAYS a good idea.

I doubt if a virus is deliberately corrupting your files, more likely
it is due to a TSR conflict with something in your system, or just a
buggy program somewhere.

Are you running Stacker or another disk compression program?
Are you using Smartdrv or another disk cache with write-caching?
Do you ever power down your computer while programs are running?
(excluding DOS, of course)
Have you checked out your hardware with Norton Calibrate and/or
CheckIt Pro?

I would also strongly recommend that you install some sort of
integrity checking software. One shareware program is Integrity
Master, available as "i-m201.zip" from Simtel-20 mirror FTP sites.
Install it to a bootable floppy disk and write-protect it.
Periodic scanning for changes in your programs takes some time, but it
will help alert you to patterns of file corruption, whether due to
unknown viruses or hardware/software failures.

 -- Steve Bonds

- --
 000   000   7777 | sbonds@jarthur.claremont.edu and Steve_Bonds@hmc.edu
0   0 0   0     7 |-----------------------------------------------------------
0   0 0   0    7  | Childhood is short...               [Calvin & Hobbes]
 000   000    7   | ...but immaturity is forever.

------------------------------

Date: Thu, 07 Oct 93 09:02:38 -0400
From: mikko.hypponen@df.elma.fi
Subject: Re: Companion (or spawning) viral programs (CVP)

Robert Slade (roberts@decus.ca) writes:

> Thus, under MS-DOS, no program named DIR.COM will ever be run.
> (Alright, unless you specify the full file name. Don't be picky.)

Gotcha! Didn't test this, did you?

MS-DOS parses the internal commands first, just as you described, but
it will execute the internal commands even if they are entered on the
command line with any extension whatsoever.

So, even if you have DIR.COM in the current directory, command
"DIR.COM" will execute the internal DIR. Same goes for EXE, BAT, TXT,
TMP or anything else (actually it's quite strange that internal
commands entered with a non-executable extension work).

I tested this under MS-DOS 5.00 and 6.00 - the older versions may act
differently. Command interpreter replacement 4DOS acts just like
MS-DOS's COMMAND.COM in this respect.

MH

PS Another thing: we finally got our direct internet link running.
Data Fellows Ltd's F-PROT Support can be reached in the future at
address f-prot@df.elma.fi.

- --
Mikko Hypponen // mikko.hypponen@df.elma.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@df.elma.fi
PGP 2.3a public key available, ask by e-mail

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 131]
******************************************