VIRUS-L Digest   Wednesday, 6 Dec 1989    Volume 2 : Issue 254

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
 - Ken van Wyk

Today's Topics:

Re: nVir outbreak (Mac)
VIRUSCAN Versions (PC)
Jerusalem-B antidote? (PC)
Request for virus info (PC)
Information on Mac Viruses
New VirusX v4.0 is out and the BGS-9 virus (AMIGA)
Re: Jude virus - Disinfectant (Mac)
JUDE Virus: confirmed (Mac)
Strange Video Problems? virus? (PC)
Strange video - addition (PC)
Viruses which infect LAN

---------------------------------------------------------------------------

Date:    05 Dec 89 18:43:53 +0000
From:    fred@urbana.mcd.mot.com (Fred Segovich)
Subject: Re: nVir outbreak (Mac)

Can anyone tell me what the symptoms/effects of nVir A and B are? I have an infection here, but no apparent damage.

tnx, Fred

------------------------------

Date:    Tue, 05 Dec 89 07:49:52 -0700
From:    Chris McDonald
Subject: VIRUSCAN Versions (PC)

A reader asked the current version of Viruscan. There was at least version 50 as of Friday, 1 Dec. Version 49 available on Simtel20 does search for 51 known MS-DOS viruses, including variants. Perhaps BBS administrators chose to label Version 49 as "51" for this reason.

Also, I have used Data Physician, a commercial set of programs for MS-DOS virus protection for several years. I noticed that a recent upgrade contained a "Beta Test" version of a program called "VirScan". As the name implies, the program provides a similar function as Viruscan.
I ran Viruscan, Version 49, against the program and Viruscan alarmed on the presence of the Jerusalem virus, Version B and the Cascade virus (1701). Since I subsequently saw no infection action, it is my belief that this was a "false" positive. I have notified the vendor, Digital Dispatch, Inc., of the occurrence. Has anyone else encountered a similar experience?

Chris McDonald
White Sands Missile Range

------------------------------

Date:    Tue, 05 Dec 89 08:57:32 -0500
From:    Laurence Bates
Subject: Jerusalem-B antidote? (PC)

Is it possible to undo the effects of the Jerusalem-B so that stricken EXE and COM files can be safely used?

Thanks...

------------------------------

Date:    05 Dec 89 09:26:57 -0500
From:    bell@RCN.BITNET
Subject: Request for virus info (PC)

WE HAVE THE 'BRAIN' AND THE 'PING-PONG' STRAINS IN OUR PC LABS. PLEASE FORWARD ANY INFORMATION ON THESE TWO STRAINS OF VIRUS. DO YOU KNOW ANYONE WHO MIGHT HAVE A GOOD SOFTWARE TO DISINFECT OUR PC LABS? I HAVE SOME INFORMATION ON SOFTWARE THAT MIGHT DISINFECT PC/XT, BUT WOULD LIKE TO FIND OUT MORE ABOUT THIS PROBLEM FROM ANYONE WHO MIGHT HAVE SOME EXPERIENCE WITH IT. I HEARD THE 'SCANV47' SOFTWARE IS NOT QUITE EFFECTIVE AGAINST THE '(C) BRAIN' VIRUS, BUT IT KILLS THE 'PING-PONG' VIRUS.

IF YOU HAVE ANY EXPERIENCE IN DEALING WITH PC VIRUS PROBLEMS, MY QUESTION TO YOU IS, WHAT CAN A SOFTWARE DO TO PREVENT VIRUS PROBLEMS IN AN OPEN PC LAB WHERE THERE IS NO PHYSICALLY CONTROLLED ACCESS TO THE PC/XT MACHINES?...PERHAPS, NOT MUCH! ANY SUGGESTIONS FROM YOU ON HOW TO MANAGE VIRUS PROBLEMS IN A PC LAB WITH NO PHYSICALLY CONTROLLED ACCESS WILL BE APPRECIATED.

THANK YOU.

_______________________________________________________________
E-MAIL ADDRESS:              *  BELLARMIN SELVARAJ
                             *  WORCESTER STATE COLLEGE
MAILER: BELL SELVARAJTAYLOR  *  486 CHANDLER STREET
BITNET: BELLRCN.BITNET       *  WORCESTER,MA 01602, U.S.A
                             *  TEL: (508) 793-8000, EXT. 8664
_______________________________________________________________

------------------------------

Date:    Tue, 05 Dec 89 10:43:32 -0500
From:    "Gregory E. Gilbert"
Subject: Information on Mac Viruses

I am trying to compile a file with information pertaining to mischievous programs running on a Mac. I have Disinfectant documentation and that is very helpful and useful. (Thank you very much John Norstad et al.) However I would like as much information as possible for my files. Any info or comments are appreciated and you can find me at the address (either e-mail or US MAIL below). Thank you very much.

Greg

Postal address: Gregory E. Gilbert
                Computer Services Division
                University of South Carolina
                Columbia, South Carolina USA 29208
                (803) 777-6015

------------------------------

Date:    05 Dec 89 13:16:30 -0500
From:    fac2@dayton.saic.com (Earle Ake)
Subject: New VirusX v4.0 is out and the BGS-9 virus (AMIGA)

The BGS-9 virus is real and out there. I just got the newest VirusX program from Steve Tibbett and ran it on my system. It found the BGS-9 virus on my workbench disk, my backup copy of my workbench disk and two other disks. I had a few friends also find it on their disks. The virus seems to inflict damage on the first executable file in your startup sequence. It infests itself in it and moves part of the original code to df0:devs/. The file shows up there without a filename (or it is masked somehow).

VirusX v4.0 is out and will find/kill that virus. It can be had on compuserve and is showing up on many of the Amiga BBS's throughout the country. Better check your system, it may be infected.
_____________________________________________________________________________
Earle Ake
Science Applications International Corporation
Dayton, Ohio
-----------------------------------------------------------------------------
Internet: fac2%dayton.saic.com@uunet.uu.net    uucp: uunet!dayvb!fac2

------------------------------

Date:    Tue, 05 Dec 89 16:32:36 -0500
From:    Frank Steele
Subject: Re: Jude virus - Disinfectant (Mac)

I've sent along a copy of Disinfectant 1.3. The new version recognizes the "Jude" virus and fixes a few other bugs.....

-------------------------------------------------------Frank-------------

------------------------------

Date:    Tue, 05 Dec 89 22:54:08 +0000
From:    ethz!macman@relay.EU.net (Danny Schwendener)
Subject: JUDE Virus: confirmed (Mac)

C0195@UNIVSCVM.BITNET (Gregory E. Gilbert) writes:
>I saw a posting on VALERT-L stating that a new virus has been found
>called the 'Jude' virus. Does anyone have any information beyond what
>was reported on VALERT-L? Has this been CONFIRMED to be a virus?

Yes. I have received and analyzed an application infected with this virus. It is another nVIR B clone.

MacMASH has been very active these days to update the existing anti-virus tools. The results so far:

- Disinfectant 1.3, which now correctly detects and removes this strain
- SAM 1.2 (idem)

Trap watchers like Vaccine and GateKeeper don't need to be updated for this new strain. Some disk browsers like Antipan 1.3 already detect all nVIR B clones, and therefore don't need to be updated either.

-- Danny

Danny Schwendener, Apple Developer Services Switzerland
AppleLink: danny.s              UUCP  : {cernvax,mcvax}ethz!macman
Internet:  macman@ifi.ethz.ch   Voice : yodel three times

DISCLAIMER: These are my very own opinions. Leave my employer alone.

------------------------------

Date:    06 Dec 89 02:35:47 +0000
From:    boulder!tramp!baileyc@ncar.UCAR.EDU (BAILEY CHRISTOPHER R)
Subject: Strange Video Problems? virus? (PC)

I'm having some very strange problems with my video output on both my home computer system and my university's PS/2's. My home system is an XT clone (V20-10, Phoenix bios), and the PS/2's I've noticed it on are 55SX's that are networked with Novell. Both systems have monochrome video, mine with a hercules clone and Samsung flat screen and the PS/2's with some card and I think 8513 mono monitor.

My problem is that starting about column 12 or so, to column 30 or so, the characters and such in that region (any row), jump up about 5 or 10 lines and stay there. This wreaks havoc as far as command lines and such. I first noticed this in Telix, my terminal program. It has done it without fail every time in Telix since, sometimes when not even connected. The screen just looks garbled. It usually takes about 10 minutes for it to happen. This was on my home machine.

I have also noticed it using my editor, Multi-Edit v4.00. I could just PgUp then PgDn in ME and it would be fixed, same with Q Edit, but I can't do anything about it in Telix, not even clearing the screen fixes it. I then started using ZComm instead of Telix, but it did weird things there too, mostly just a specific graphic block character was interspersed between things and the screen was a little out of order. Later I began getting Internal stack errors and messages such as this, but I think that was due to my disk cache (which I remedied by adding stack space - I think).

Anyway, I started to use the Engineering Centers' computers instead of mine. Just today my editor did the same trick, that specific section/column of the screen jumped. Until today, I thought I had a memory chip gone bad or something, but why would it do it on the PS/2's also? My only clue now is that it's some type of virus or something. But I doubt that.
My command com is fine, and the floppy I'm using at the EC doesn't have Command.COM on it, and I've copied my backup of Telix over mine and it still has the same problem. As for my system and the floppy, the only thing they have in common as far as files go (it's a 1.44MB 3.5") is about 10 Turbo Pascal source code files, and their respective compiled version and my editor - Multi Edit. I had been using Multi-Edit for about 3 months before this happened, so I doubt it's the problem.

I have also had problems with Turbo Pascal environment on my system, but I don't use it, I just use the command line compiler, and the same goes with the engineering center. I haven't even compiled code on my system for about 2-3 weeks and I still have my problem.

Any ideas???? Any programs I can use to test my system? The only thing that comes to mind is a worm or logic bomb type of thing. I saw them do a "viruscan" at the engineering center about 3 or so weeks ago.

Help anyone...

Chris Bailey :: baileyc@tramp.Colorado.EDU
One Agro Mountain Biker - Dialed in for ultra gonzo badness!
"No his mind is not for rent, to any god or government" - RUSH
Member of Team Buck Naked of Buckingham Palace

------------------------------

Date:    06 Dec 89 02:42:00 +0000
From:    boulder!tramp!baileyc@ncar.UCAR.EDU (BAILEY CHRISTOPHER R)
Subject: Strange video - addition (PC)

I forgot to say, when I exit telix, then re run it, the screen is still messed up. However, if I reboot my system the screen is ok the next time I run Telix. As for the editors, to get rid of it, all I have to do is the PgUp, PgDn sequence, no reboot is necessary.

Thanx.

Chris Bailey :: baileyc@tramp.Colorado.EDU
One Agro Mountain Biker - Dialed in for ultra gonzo badness!
"No his mind is not for rent, to any god or government" - RUSH
Member of Team Buck Naked of Buckingham Palace

------------------------------

Date:    Wed, 06 Dec 89 17:51:03 +0700
From:    "S. Yeo"
Subject: Viruses which infect LAN

I am doing some research on viruses which are capable of infecting LAN and I am looking into areas such as:

- how normally viruses get into a LAN
- how these viruses spread
- can viruses such as Jerusalem, Ping-pong, Stoned which infect stand-alone PC infect LAN server as well
- will the server be infected if a network user, after establishing a link with the server, runs an infected program from his hard disk

I would very much appreciate it if someone out there who has the info or experience dealing with virus in a LAN environment would share some (if not all) of the info/experience with me. You can send the info to this list (if you think it will be of interest to the list readers) or you can send direct to me at CCEYEOYT@NUSVM.BITNET

Thanks in advance for all your help.

S. Yeo

------------------------------

End of VIRUS-L Digest
*********************