Msg#: 2473 *Virus Info* 08-19-90 09:46:00 (Read 11 Times)
From: PATRICIA HOFFMAN
To: KEN DORSHIMER
Subj: RE: CRC CHECKING

the deal is that the invading program would have to know how the CRC your program uses works. otherwise it would have a (bytes changed!/bytes in file!) chance of succeeding, or somewhere in that neighborhood... Except in the case of Stealth Viruses....CRC checking doesn't work with them.

Patti

--- msged 1.99S ZTC
* Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158)

Msg#: 2474 *Virus Info* 08-19-90 09:50:00 (Read 9 Times)
From: PATRICIA HOFFMAN
To: SHEA TISDALE
Subj: FILE ECHO?

Hey, what happened to connecting my system to the file echo? I have sent numerous netmail messages to you since you sent the info on setting it up and have not had a reply yet.

Recheck your netmail, I sent a reply after receiving the message "What is Tick?" indicating that you need to be running Tick in order to be able to participate in the file echo since that is how the files are processed and extra files go with the .zip files that carry the description. Tick is available from most SDS nodes.

Patti

--- msged 1.99S ZTC
* Origin: Sir Dep's Dungeon 714-740-1130 Adult Links Network (1:103/158)

Msg#: 2475 *Virus Info* 08-16-90 11:56:00 (Read 8 Times)
From: MIKE DURKIN
To: WARREN ANDERSON
Subj: RE: INTERNET WORM

> I am interested in obtaining the list of passwords used by the
> Internet worm in the US. I am the administrator of several

The list is in the McAfee/Haynes book ("computer viruses, worms...threats to your system") (pgs 89-91)... I'll type it in for you if you can't find the book locally...

Mike

--- RBBSMail 17.3A
* Origin: The TeleSoft RBBS (RBBS 1:143/204)

Msg#: 2476 *Virus Info* 08-19-90 14:51:00 (Read 9 Times)
From: MIKE DURKIN
To: JAMES DICK
Subj: REPLY TO MSG# 2473 (RE: CRC CHECKING)

> You might want to take a look at McAfee's FSHLD*.ZIP.
This is a new
> anti-virus program from the creator of SCAN that is designed
> specifically for developers. It will build a 'shield' into an
> application such that the application _cannot_ be infected and if it
> does become infected, will remove that infection after execution but
> prior to running. You will find it in the virus scanners area of many

Jim... this is a little misleading... all programs will become infected but FSHLD will remove it for most viruses.. for viruses like 4096, FSHLD won't remove or even know/announce that the file is infected... When FSHLD can remove a virus, 'after execution but before running' really makes no difference since a resident virus will still go TSR and a direct action virus will still do its infecting of other programs... But all things considered... I definitely agree that FSHLD is a must have...

Mike

--- RBBSMail 17.3A
* Origin: The TeleSoft RBBS (RBBS 1:143/204)

Msg#: 2477 *Virus Info* 08-20-90 04:44:00 (Read 8 Times)
From: KEN DORSHIMER
To: PATRICIA HOFFMAN
Subj: RE: SCANV66B RELEASED

On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said:
>does this mean i should erase the old scanv66 that i just d/l'd from
>SDN?
>:-(
>
PH> Yep, ScanV66 has a bug or two in it involving the validate codes it
PH> can add to the end of files. The validate codes were not being
PH> calculated correctly in
PH>

swell. think i'll wait for the next release. ps, you have net-mail waiting. :-) BTW why on earth would anyone take time off from a disneyland vacation to call a bbs?

...Your attorney is in the mail...

--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 2478 *Virus Info* 08-20-90 04:46:00 (Read 9 Times)
From: KEN DORSHIMER
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2476 (RE: CRC CHECKING)

On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said:
>the deal is that the invading program would have to know how the CRC
>your
>program uses works.
otherwise it would have a (bytes changed!/bytes in
>file!)
>chance of succeeding, or somewhere in that neighborhood...
>
PH> Except in the case of Stealth Viruses....CRC checking doesn't work
PH> with them.
PH>

i'd have to see that for myself. i think a complex enough algorithm would keep them at bay. the probability factor is just too low for such a stealth scheme to work.

...Your attorney is in the mail...

--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 2479 *Virus Info* 08-20-90 04:50:00 (Read 9 Times)
From: KEN DORSHIMER
To: MIKE DURKIN
Subj: REPLY TO MSG# 2478 (RE: CRC CHECKING)

On 19-Aug-90 with bulging eyes and flailing arms Mike Durkin said:
>> You might want to take a look at McAfee's FSHLD*.ZIP. This is a new
>> anti-virus program from the creator of SCAN that is designed
>> specifically for developers. It will build a 'shield' into an
>> application such that the application _cannot_ be infected and if it
>> does become infected, will remove that infection after execution but
>> prior to running. You will find it in the virus scanners area of many
MD> Jim... this is a little misleading... all programs will become
MD> infected but FSHLD will remove it for most viruses.. for viruses like
MD> 4096, FSHLD won't remove or even know/announce that the file is
MD> infected... When FSHLD can remove a virus, 'after execution but before

i have some misgivings about this particular protection scheme myself. i don't like embedding someone else's stuff into my executables, partly for licensing reasons. not to knock what is probably a good idea...

...Your attorney is in the mail...

--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 2653 *Virus Info* 08-20-90 17:09:00 (Read 10 Times)
From: TALLEY RAGAN
To: MIKE MCCUNE
Subj: RE: REMOVING JOSHI

In a message to Philip Laird <08-16-90 14:09> Mike Mccune wrote:
MM>> Just be sure to boot off a clean diskette to remove the
MM>>virus from memory, otherwise the virus will not be removed.
MM>> If RMJOSHI is used on an uninfected hard drive, it will
MM>>destroy the partition table. This next program, RETURN.COM
MM>>will restore the partition table.
MM>> I will post this program in my next listing....

Does this mean that RMJOSHI.COM, if run on an uninfected hard drive by itself, is a virus?

Talley

--- ZAFFER v1.01
--- QuickBBS 2.64 [Reg] Qecho ver 2.62
* Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9)

Msg#: 2654 *Virus Info* 08-21-90 09:32:00 (Read 10 Times)
From: PATRICK TOULME
To: MIKE MCCUNE
Subj: RE: HAVE ANYONE TRIED SECURE ?

MM> I have tried Secure and have found it to be the only interrupt monitor
MM> that will stop all the known viruses.

Mike perhaps you should add a caveat to that statement. Secure neither detects, nor does it stop, Virus-101.

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2655 *Virus Info* 08-21-90 12:11:00 (Read 8 Times)
From: PAUL FERGUSON
To: HERB BROWN
Subj: KEYBOARD REMAPPING (AGAIN)...

Herb, I stand corrected on that last bit of dialogue....You are correct, indeed.....But, you know what I mean along those lines of getting what you don't expect, whether damaging or not, NO ONE wants the unexpected on their system.....Touche!

-Paul ^@@^........

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2656 *Virus Info* 08-21-90 22:29:00 (Read 10 Times)
From: PATRICIA HOFFMAN
To: YASHA KIDA
Subj: AKA AND BBS HANDLES

YK> What is the rule in this message echo concerning BBS HANDLES?
YK> Would like some clarification, I have users expressing interest in
YK> using bbs handles in this echo, since they are seeing them used .
YK> As you can see I have not allowed this, feeling this echo to be
YK> professional in nature.
YK>
YK> I understand the use of AKA names in this echo maybe needed.
YK>
YK> Example :
YK> After my SITE Manager saw my interest in viruses, I was called in to
YK> his office.
After explaining my research was to protect not to infect,
YK> he relaxed.
YK> [Note: the above quote is muchly edited....]

Yasha, Aliases are ok in this echo, as long as the Sysop of the system where the messages originate knows who the user is and can contact him if the need arises. I fully understand the situation that you describe about your Site Manager...which is a fully valid reason to use an alias here. I used to use the alias of "Merry Hughes" for exactly that reason!

Patti

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2657 *Virus Info* 08-21-90 22:32:00 (Read 9 Times)
From: PATRICIA HOFFMAN
To: KEN DORSHIMER
Subj: REPLY TO MSG# 2477 (RE: SCANV66B RELEASED)

KD> swell. think i'll wait for the next release.
KD> ps, you have net-mail waiting. :-) BTW why on earth would anyone take
KD> time
KD> off from a disneyland vacation to call a bbs?

I was eating dinner or lunch while entering those messages, then we went back to Dizzyland and Knott's. Besides, I had to see what you guys were up to while I was gone.....Mom instinct....what can I say?

Patti

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2658 *Virus Info* 08-22-90 18:21:00 (Read 8 Times)
From: HERB BROWN
To: PAUL FERGUSON
Subj: REPLY TO MSG# 2655 (KEYBOARD REMAPPING (AGAIN)...)

With a sharp eye, Paul Ferguson (1:204/869) noted:
PF>Herb,
PF> I stand corrected on that last bit of dialogue....You are
PF>correct, indeed.....But, you know what I mean along those lines of
PF>getting what you don't expect, whether damaging or not, NO ONE wants
PF>the unexpected on their system.....Touche!
PF>-Paul ^@@^........

I knew what you meant. Glad to know you do too.
:-) ( No flame intended )

--- QM v1.00
* Origin: Delta Point (1:396/5.11)

Msg#: 2659 *Virus Info* 08-22-90 05:37:00 (Read 8 Times)
From: KEN DORSHIMER
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2657 (RE: SCANV66B RELEASED)

On 21-Aug-90 with bulging eyes and flailing arms Patricia Hoffman said:
KD>> swell. think i'll wait for the next release.
KD>> ps, you have net-mail waiting. :-) BTW why on earth would anyone take
KD>> time
KD>> off from a disneyland vacation to call a bbs?
PH> I was eating dinner or lunch while entering those
PH> messages, then we went back to Dizzyland and Knott's. Besides, I had
PH> to see what you guys were up to while I was gone.....Mom
PH> instinct....what can I say?
PH>

did you go on the roller coaster at Knotts that looks like a corkscrew? my personal favorite after a big dinner.

in other news there was a report <> that there is a hack of lharc floating around called lharc190. might want to keep an eyeball open for it.

what am i doing up at this hour? just got thru writing the docs for a program. as usual, the program looks better than the docs. have fun, see ya.

...All of my dreams are in COBOL...

--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 2660 *Virus Info* 08-20-90 15:40:00 (Read 9 Times)
From: RON LAUZON
To: PAUL FERGUSON
Subj: RE: KEYBOARD REMAPPING....

yes, it is possible to re-map the keyboard from a remote system. However, most people are protected from this because the term program rather than ANSI.SYS is handling the ANSI escape sequences. If you are using a "dumb" terminal that has no terminal emulation and allowing ANSI.SYS to handle your screen formatting, you may be in trouble.

--- Telegard v2.5i Standard
* Origin: The Flight of the Raven (313)-232-7815 (1:2200/107.0)

Msg#: 2661 *Virus Info* 08-21-90 20:29:00 (Read 8 Times)
From: MARTIN NICHOL
To: MICHAEL TUNN
Subj: WHAT'S THE SOLUTION?
mt said => It seems to me our Virus checking programs will just
mt said => get bigger and bigger as more viruses and strains of
mt said => the same viruses are discovered. If so (and if their
mt said => development is accelerating) then we may find in the
mt said => near future that it has become impossible to deal
mt said => with the outbreaks!
mt said => Do we develop new Operating Systems which are far
mt said => more secure!

Develop different virus scanning programs. Make them more generic where virus signatures/characteristics can be kept in a separate file and the virus scanner just reads the file and interprets it accordingly.

---
* Origin: JoJac BBS - (416) 841-3701. HST Kettleby, ON (1:250/910)

Msg#: 2683 *Virus Info* 08-22-90 22:55:00 (Read 8 Times)
From: FRED ENNIS
To: ALL
Subj: VIRUS-486COMP.*

FORWARDED BY James Dick of 1:163/118
QUOTE ON

I've been informed by "reliable sources" that there's a file floating around called 486COMP.* (select your favourite packing method) which claims to "show you the difference between your machine and a 486".

When run, the program flashes a "too big for memory" message, and aborts.

Then, the next time you boot, you're informed that you have the "Leprosy 1.00" virus which then hangs the machine.

After you manage to boot from a floppy, you find that COMMAND.COM has been altered, although the date, time, and size appear not to have been changed. Just thought you'd like to know.

Cheers!
Fred

--- msged 1.99S ZTC
* Origin: Page Six, POINT of order Mr. Speaker (1:163/115.5)

Msg#: 2684 *Virus Info* 08-22-90 11:07:00 (Read 8 Times)
From: SHEA TISDALE
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2474 (FILE ECHO?)

Thanks Patricia... I am all ready to go now. Just poll your board?
---
* Origin: >- c y n o s u r e -< 919-929-5153 (1:151/501)

Msg#: 2685 *Virus Info* 08-20-90 21:50:00 (Read 9 Times)
From: TOM PREECE
To: PAUL FERGUSON
Subj: RE: KEYBOARD REMAPPING VIA COMMUNICA

I can't help but wonder if Herb was experiencing something that suggested that kind of remapping. Lately I have been experiencing keyboard problems that seem to act like that. When I use my down or left arrow the \ and | symbols toggle. I can correct this when it happens by hitting the left hand shift key - but not the right. And tonight it seems as if I am occasionally transposing caps on and off. If either of you hears of a virus like this I'd like to know. Q&A tested my memory and keyboard fine. Scanv66 detected nothing.

--- TBBS v2.1/NM
* Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)

Msg#: 2738 *Virus Info* 08-23-90 23:49:00 (Read 7 Times)
From: PHILLIP LAIRD
To: PATRICIA HOFFMAN
Subj: ONTARIO VIRUS

Patty, have you heard of such a Virus? I was in the TAG Support Echo and saw a message about a TAG Sysop who contracted that virus. Any Info? Supposedly the Virus is scanned in version SCANV66.ZIP. ????

--- TAGMAIL v2.20
* Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)

Msg#: 2739 *Virus Info* 08-22-90 12:55:00 (Read 7 Times)
From: PAUL FERGUSON
To: EVERYONE
Subj: MOM!

Patti- Mom, huh?...What can you say?..It seems it has already been said!

-Paul

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2740 *Virus Info* 08-23-90 12:06:00 (Read 8 Times)
From: PAUL FERGUSON
To: TOM PREECE
Subj: REMAPPING...

Hello, Tom...

More than likely there was nothing like that at all. Keyboard remapping is an extremely complicated process and would take more than forethought on the part of the programmer. What you have seen us talking about here is figurative at best and personally, I would have to see it to believe it.
(you know the old saying: "Believe none of what you hear and only half of what you see."?) Although I do believe that is quite possible under the proper circumstances, it would indeed be a rare occurrence. Sometimes when receiving odd characters during telecommunications or not getting the exact same keys that you typed could be attributed to disparity (parity differences), differing data bits, stop bits, or even simply ANSI interpretation problems between Comm Programs. I've seen the smallest, simplest things like that have people pulling their hair out by the roots!

.....Clarke's Third Law
Any sufficiently advanced technology is indistinguishable from magic.

-Paul ^@@^........

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2741 *Virus Info* 08-17-90 01:51:00 (Read 8 Times)
From: YEN-ZON CHAI
To: DOUG BAGGETT
Subj: ANTI VIRUS VIRUSES

DB> well..here is a question..where exactly did viruses originate
DB> anyway..was it in this country or others?

Probably wherever hackers exist, viruses exist.

--- outGATE v2.10
# Origin: SIGnet International GateHost (8:7501/103)
* Origin: Network Echogate (1:129/34)

Msg#: 2742 *Virus Info* 08-22-90 17:49:00 (Read 8 Times)
From: KEVIN HIGGINS
To: MIKE MCCUNE
Subj: REPLY TO MSG# 2654 (RE: HAVE ANYONE TRIED SECURE ?)

I took a look at it, but to be realistic, when you run a BBS, or are continuously updating your files as new releases come out, you could easily get to the point where you spend more time reconfiguring the anti-virus program than you would getting any work done. I find it much more efficient to scan every file for viruses as soon as I get it on my system, then rezip it, if I'm not going to use it... a simple .bat file can be used such that if you want to check multiple files, you can just feed the file names on the command line and let the .bat file take care of unzipping, scanning and rezipping the file.
Be best if someone would write a program that would do this, but I haven't found one yet.

Kevin

--- TAGMAIL v2.40.02 Beta
* Origin: The Hornet's Nest BBS (1:128/74)

Msg#: 2743 *Virus Info* 08-22-90 21:52:00 (Read 8 Times)
From: CY WELCH
To: PAUL FERGUSON
Subj: REPLY TO MSG# 2660 (KEYBOARD REMAPPING....)

In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote:
PF> Isn't it possible to remap some (or any) keyboard functions via
PF> communications with some funky ANSI control characters?....I seem to
PF> remember mention of this somewhere.....I really can't remember if it was
PF> in the form of a question, though, or an answer.....It also made
PF> mention of PKWares' Safe-ANSI program...Somebody help us out here...

I think most of the "FAST" ansi replacements do not have the keyboard remapping so that danger is removed in those cases.

--- XRS! 3.40+
* Origin: Former QuickBBS Beta Team Member (99:9402/1.1) (Quick 1:125/122.1)

Msg#: 2744 *Virus Info* 08-24-90 15:14:00 (Read 8 Times)
From: PATRICIA HOFFMAN
To: ALL
Subj: VIRUS RESCUE & F-PROT RELEASES

The latest version of Fridrik Skulason's F-PROT anti-viral program is now available for download from my system as FPROT112.ZIP. The program can also be file requested as F-PROT, which will always return the latest copy I have available. This program is actually a "suite" of programs for use in preventing and detecting viruses and trojans. The program originates in Iceland, and so updates to it reaching my system for distribution have been rather sporadic.

The other new anti-viral program available on my system is Virus Rescue. Virus Rescue is from Tacoma Software, and is a shell for invoking ViruScan, CleanUp, and VCopy from McAfee Associates. Unlike other shell programs I've seen, this one should not require updates every time a new release of Scan comes out. It picks up its virus information from the VIRLIST.TXT file which is packaged with Scan and CleanUp.
It will be handy for those who have trouble with the Scan and CleanUp command line switches, or who want the VIRLIST.TXT information converted to English sentences. This is a first public release, so I expect we may see some changes in this product in the future. Virus Rescue can be downloaded from my system as RESQ01.ZIP.

Both programs are also file requestable by other systems. File requests should ask for magic file names as follows:

F-PROT for the latest copy of F-PROT (currently FPROT112.ZIP)
RESCUE for the latest version of Virus Rescue

Patti

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2745 *Virus Info* 08-24-90 23:37:00 (Read 9 Times)
From: KEN DORSHIMER
To: KEVIN HIGGINS
Subj: REPLY TO MSG# 2742 (RE: HAVE ANYONE TRIED SECURE ?)

On 22-Aug-90 with bulging eyes and flailing arms Kevin Higgins said:
KH> I took a look at it, but to be realistic, when you run a BBS, or are
KH> continuously updating your files as new releases come out, you could
KH> easily get to the point where you spend more time reconfiguring the
KH> anti-virus program than you would getting any work done. I find it
KH> much more efficient to scan every file for viruses as soon as I get it
KH> on my system, then rezip it, if I'm not going to use it... a simple
KH> .bat file can be used such that if
KH>
KH> you want to check multiple files, you can just feed the file names on
KH> the command line and let the .bat file take care of unzipping,
KH> scanning and rezipping the file. Be best if someone would write a
KH> program that would do this, but I haven't found one yet. Kevin
KH>

sounds like a plan to me. it would actually be fairly simple to write a program to look at all the files in your upload directory, unpack them based on the extension, scan them, then re-compress them (if needed). of course you'd still have to manually put the now scanned files into the proper category directories yourself. when do you need it and what's it worth?
:-)

...All of my dreams are in COBOL...

--- ME2
* Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 2746 *Virus Info* 08-23-90 15:23:00 (Read 8 Times)
From: MIKE MCCUNE
To: TALLEY RAGAN
Subj: REPLY TO MSG# 2653 (RE: REMOVING JOSHI)

No, it just modifies the partition record to remove the virus. If the virus isn't there, it still modifies the partition record. Return.com just reverses the modifications done to the partition table. I will post an improved version of RMJOSHI that scans the partition record for the virus before modifying it....

--- KramMail v3.15
* Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)

Msg#: 2747 *Virus Info* 08-23-90 15:26:00 (Read 8 Times)
From: MIKE MCCUNE
To: PATRICK TOULME
Subj: REPLY TO MSG# 2745 (RE: HAVE ANYONE TRIED SECURE ?)

Maybe I should say all viruses that are in the "public domain". Virus 101 is a research virus that only a few people have (and you wrote). Nothing is foolproof but Secure is better than any other interrupt monitor.

--- KramMail v3.15
* Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)

Msg#: 2748 *Virus Info* 08-23-90 07:01:00 (Read 8 Times)
From: YASHA KIDA
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2656 (AKA AND BBS HANDLES)

In a message of <21 Aug 90 22:29:34>, Patricia Hoffman (1:204/869) writes:
PH>
PH> Yasha, Aliases are ok in this echo, as long as the Sysop of the system
PH> where the messages originate knows who the user is and can contact him
PH> if the need arises. I fully understand the situation that you
PH> describe about your Site Manager...which is a fully valid reason to
PH> use an alias here. I used to use the alias of "Merry Hughes" for
PH> exactly that reason!
PH>
PH> Patti

I understand AKA names like "MERRY", but I speak of HACKER HANDLES, like "LINE RUNNER", "DATA BYTE" etc... I must have misunderstood FIDO ECHO POLICY; either way I will drop the subject.

Yasha Kida

--- msged 1.99S ZTC
* Origin: Bragg IDBS, (FT.
Bragg, NC - we're gonna kick some booty) (1:151/305)

Msg#: 2749 *Virus Info* 08-08-90 23:23:00 (Read 7 Times)
From: ALAN DAWSON
To: DAVID SMART
Subj: RE: VIRUS SCANNERS....

DS> You can't win on this! I've been downloading for quite a while
DS> - always running a virus checker on the information. So, where
DS> did our virus come from? Off a shrink-wrapped anti-virus
DS> diskette one of our guys picked up in the US!

Nothing new about this, as people learn all the time. One MAJOR company (really big, really well known) has shipped shrink-wrapped viruses twice -- once on purpose! Shrink wrap doesn't keep the bugs out.

--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)

Msg#: 2750 *Virus Info* 08-08-90 23:31:00 (Read 7 Times)
From: ALAN DAWSON
To: PATRICIA HOFFMAN
Subj: SCAN WEIRDNESS

(All answers gratefully received despite the TO: line)

Anybody heard of this? I've got a floppy with some viruses on it, among them a SCAN-known Dark Avenger. I SCAN this floppy from the C drive, and the "hey, nothing to worry about there" report comes back. Strange. I SCAN it again. This time 'round, SCAN barfs after 64K of the memory check, telling me Dark Avenger is in memory, power down, load the .45, get the cyanide tablet ready and so on. But DA of course is NOT in memory or active in any way. It is, however, on the floppy, unrun.

The above occurred with SCANV64. Out of curiosity, I cranked up SCAN-54 and -- EXACTLY the same result. AST Bravo 286, no TSRs, nothing else loaded, clean (normal) boot just performed.

I have a bunch of viruses that I don't expect SCAN to find -- ever. But this kind of thing has never happened to me before. Can anyone match this story, or event?

--- Opus-CBCS 1.13
* Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand (3:608/9.0)

Msg#: 2751 *Virus Info* 08-26-90 00:59:00 (Read 7 Times)
From: STEVEN TREIBLE
To: KEN DORSHIMER
Subj: VOICE NUMBER

Ken, I haven't mailed the disk yet as you can see.
I'd like to have your voice # so I can talk to you instead of sending Net Mail.

Thanks, Steve.

--- ZMailQ 1.12 (QuickBBS)
* Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)

Msg#: 2752 *Virus Info* 08-25-90 06:10:00 (Read 8 Times)
From: SANDY LOCKE
To: HERB BROWN
Subj: RE: COMMUNICATION VIRALS

PH> However, unless one of the above is occurring, just connecting via
PH> telecom to a system won't directly transmit a virus....
PH>
HB> Well, that is not exactly what I meant. Sorry for the miscommunicatio
HB> should have used an example. I'll have to dig for some old documentat
HB> about z-modem when it first came out. I seem to remember it stating t
HB> locked the directory that a file was able to go to when being download
HB> has something to do with the structure of a .EXE file, or something.
HB> to also remember that it was possible to have the .exe "go where it wan
HB> as defined by this structure. Thus, having some of the file go to a c
HB> part of a drive or memory. It seems wild, but without the docs I read
HB> can't give any details. Thought maybe you could shed some light on th

Well considering that I am hosting chuck forsberg today ... he's down here for the sco developer forum I will put the question to him directly... but as one of the suggestors for feature addition to the protocol in another persona... ZMODEM will INDEED allow one to transmit a FULL path name... however this is mitigated by the ability on the receiving end to override the transmitted pathname spec... I don't really see a problem here... and when I put the question to chuck I don't see where he will see one either... btw READ the DSZ DOCS and register the product... that will turn on ALL the neat zmodem features...
sandy

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2753 *Virus Info* 08-25-90 06:18:00 (Read 15 Times)
From: SANDY LOCKE
To: SKY RAIDER (Rcvd)
Subj: RE: VIRUS ORIGINALS

SR> Doug,
SR> It is my belief that viruses originated in the early days of computing
SR> effort to see what kind of stuff could be done with them, a group of
SR> programmers (financed by the US government as I recall) instituted a se
SR> programs that would attempt to 'beat' others in taking over a computer
SR> system. These programs led to a gaming system known as the CORE WARS.
SR> today there is an International Core Wars Society.
SR> I think it can be easily seen how a program to destroy/circumvent a st
SR> operating system can develop into a virus.
SR> I tried to double check this information for accuracy, names, dates, e
SR> but it seems I have deleted this file. I will try to get further info
SR> you, but believe this info is shrouded in secrecy, and may be hard to
SR> relocate.
SR> So, the original viruses did come from the US (and even possibly with
SR> government help).
SR> Ivan Baird
SR> * Origin: Northern Connection, Fredericton, N.B. Canada
SR> (1:255/3)

WHAT a LOAD of UNADULTERATED CRAP... redcode is simply a GAME created by bored programmers... ORIGINAL CORE WARS games were created as far back as 1969 back on the OLD IBM 360 architectures under both OS/MFT and OS/MVT OS's... neither had anything to do with so-called secret financing by the US government...BTW I was AROUND and A Systems Programmer during that period... we created our own versions when we heard of the rumours... it was an old system programmers' game designed to give Egotistical programmers some lighthearted fun... at this point ALL code ran in real Address space and redcode hadn't even been thought of... the MUCH later article by Scientific American in 1979 gave this fun without harm via the redcode interpreter implemented on early 6502 and 8080 systems... really...
I am going to have to move to canada... sounds like there are some really potent and fun drugs in circulation up there... jeese... what a simp...

sandy

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2754 *Virus Info* 08-25-90 06:19:00 (Read 14 Times)
From: SANDY LOCKE
To: STEVE HOKE
Subj: REPLY TO MSG# 2752 (RE: COMMUNICATION VIRALS)

SH> In a message to Herb Brown <15 Aug 90 17:44:00> Patricia Hoffman wrote
PH> The only way a virus could be directly transmitted via a
PH> telecommunications link ...
PH> is if the particular "service" has a feature where they upgrade
PH> their software on your system when you connect.
SH> Is there any commercial system that does this? I don't know of one, bu
SH> like to know what types of systems to be wary of.
SH> Steve

just one word for you... PRODIGY avoid it like the plague...

sandy

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2755 *Virus Info* 08-25-90 06:25:00 (Read 9 Times)
From: SANDY LOCKE
To: MIKE MCCUNE
Subj: REPLY TO MSG# 2747 (RE: HAVE ANYONE TRIED SECURE ?)

MM> I have tried Secure and have found it to be the only interrupt monitor
MM> that will stop all the known viruses. It won't stop the boot viruses,
MM> obviously (because a boot virus loads before Secure does), but it wil
MM> detect them as soon as Secure is loaded. Secure is hard to configure,
MM> but once it is configured, it will give few false alarms. With string
MM> scanners becoming increasingly easy to defeat, Secure may be the way t
MM> go for virus protection....

well kiddies... a certain couple of anti-viral types on HOMEBASE BBS managed to sting SECURE with a modified version of JER-B... one of them continues to find holes with the same tool... SECURE is simply NOT SECURE...
sandy

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2756 *Virus Info* 08-25-90 06:31:00 (Read 9 Times)
From: SANDY LOCKE
To: KEN DORSHIMER
Subj: REPLY TO MSG# 2479 (RE: CRC CHECKING)

KD> On 19-Aug-90 with bulging eyes and flailing arms Patricia Hoffman sai
KD> >the deal is that the invading program would have to know how the
KD> >your
KD> >program uses works. otherwise it would have a (bytes changed!/by
KD> >file!)
KD> >chance of succeeding, or somewhere in that neighborhood...
KD> >
PH> Except in the case of Stealth Viruses....CRC checking doesn't work
PH> with them.
PH>
KD> i'd have to see that for myself. i think a complex enough algorithm wo
KD> keep them at bay. the probability factor is just too low for such a st
KD> scheme to work.
KD> ...Your attorney is in the mail...

check out Gilmore Data Systems in LA, authors of the OLD FICHECK and XFICHECK... the technique is called CRC padding: after the addition of the viral code the file is padded with a given number of bytes to make the CRC Polynomial come out with the same result... the FCB is then Patched to the original file length leaving nothing for standard CRC checkers to detect... Child's play really...

sandy

p.s. in the case of most stealth viruses... the file read code is simply altered to disinfect the file as the CRC checking program reads it... again simply child's play...

--- QM v1.00
* Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2757 *Virus Info* 08-25-90 06:32:00 (Read 10 Times)
From: SANDY LOCKE
To: PATRICK TOULME
Subj: REPLY TO MSG# 2755 (RE: HAVE ANYONE TRIED SECURE ?)

MM> I have tried Secure and have found it to be the only interrupt monitor
MM> that will stop all the known viruses.
PT> Mike perhaps you should add a caveat to that statement. Secure
PT> neither detects, nor does it stop, Virus-101.

Right on Patrick...

sandy

p.s. Damn nice design on the code, complex as HELL....
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2758 *Virus Info* 08-25-90 06:36:00 (Read 9 Times)
From: SANDY LOCKE
To: PAUL FERGUSON
Subj: REPLY TO MSG# 2740 (RE: REMAPPING...)

PF> Hello, Tom...
PF> .
PF> More than likely there was nothing like that at all. Keyboard
PF> remapping is an extremely complicated process and would take more than
PF> forethought on the part of the programmer. What you have seen us
PF> talking about here is figurative at best and personally, I would have
PF> to see it to believe it. (you know the old saying: "Believe none of
PF> what you hear and only half of what you see."?) Although I do
PF> believe that is quite possible under the proper circumstances, it woul
PF> indeed be a rare occurrence. Sometimes when receiving odd characters
PF> during telecommunications or not getting the exact same keys that you
PF> typed could be attributed to disparity (parity differences), differing
PF> data bits, stop bits, or even simply ANSI interpretation problems
PF> between Comm Programs. I've seen the smallest, simplest things like
PF> that have people pulling their hair out by the roots!
PF> .
PF> .....Clarke's Third Law
PF> Any sufficiently advanced technology is indistinguishable from
PF> magic.
PF> .
PF> .
PF> -Paul ^@@^........

well paul normally on HomeBase you are quite lucid... but as a long time programmer I can testify the keyboard mapping is really quite simple... no real problem and the business of using terminal control codes is quite as simple...

sandy

--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2759 *Virus Info* 08-25-90 06:39:00 (Read 9 Times)
From: SANDY LOCKE
To: CY WELCH
Subj: REPLY TO MSG# 2743 (RE: KEYBOARD REMAPPING....)
CW> In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote:
PF> Isn't it possible to remap some (or any) keyboard functions via
PF> communications with some funky ANSI control characters?....I seem to
PF> remember mention of this somewhere.....I really can't remember if it was
PF> in the form of a question, though, or an answer.....It also made
PF> mention of PKWares' Safe-ANSI program...Somebody help us out here...
CW> I think most of the "FAST" ansi replacements do not have the keyboard
CW> remapping so that danger is removed in those cases.

Well if you are referring to FANSI.SYS by Hershey Microsystems it too is vulnerable to remap effects... and since it implements FULL ANSI 3.64 terminal control codes plus some extensions it is even more vulnerable to a whole class of tricks that go way beyond normal keyboard remapping... but to their credit they have included a way to turn this "FEATURE" OFF... just most users get it off a BBS and never order or look at the 50.00 set of docs that come when you pay for the products...

sandy

--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2760 *Virus Info* 08-25-90 08:49:00 (Read 9 Times)
From: PATRICIA HOFFMAN
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 2738 (ONTARIO VIRUS)

PL> Patty, have you heard of such a Virus? I was in the TAG Support Echo
PL> and saw
PL> a message about a TAG Sysop who contracted that virus. Any Info?
PL> Supposedly the Virus is scanned in version SCANV66.ZIP.

Yep, I've heard of this one....I was the one that named it after it was submitted by Mike Shields (Sysop of 1:244/114).

Ontario is a memory resident generic infector of .COM and .EXE files, including COMMAND.COM. Infected .COM files will increase in length by 512 bytes. Infected .EXE files will increase in length between 512 bytes and 1023 bytes on disk drives with standard 512 byte sectors.
When files are infected, the virus adds itself to the end of the program, and then places a jump at the beginning so that the virus's code will always execute before the program that was infected. Ontario is not a low-system-memory TSR; it goes memory resident, installing itself at the top of free memory, but below the 640K line. Available free memory will decrease by 2,048 bytes. Once the virus has installed itself in memory, any program which is executed will then become infected.

It was reported with the sample I received from Mike that infected systems may experience hard disk errors, but I was unable to duplicate that here. This may only happen in severe infections; I try not to let them get that severe when I'm working with a virus :-).

Scan V66 and above can detect the Ontario Virus on both .COM and .EXE files. Unfortunately, Ontario is one of the viruses that uses a "double-encryption" technique to prevent scanners from being able to use a search string to detect it, so there isn't a simple way to find it with a hex string and a utility such as Norton Utilities.

As of right now, there aren't any disinfectors available for the Ontario virus, so if you happen to be infected with it you need to remove the infected programs and replace them with clean copies from your uninfected backups or original write-protected distribution diskettes.

A more complete description of the Ontario virus is in VSUM9008, which was released on August 10. The above is just off the top of my head, which happens to hurt right now. Hope it is understandable.....

Patti

--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2761 *Virus Info* 08-25-90 09:02:00 (Read 10 Times)
From: PATRICIA HOFFMAN
To: YEN-ZON CHAI
Subj: REPLY TO MSG# 2741 (ANTI VIRUS VIRUSES)

YC> DB> well..here is a question..where exactly did viruses originate
YC> DB> anyway..was it in this country or others?
YC>
YC> Probably where hacker exists, virus exists.
YC>

Well, the two oldest known viruses for MS-DOS are the Pakistani Brain and VirDem. The Brain is from Pakistan, VirDem from West Germany. Both of these originated in 1986. Both have known authors.

The viruses from 1987 include Jerusalem and the Suriv series from Israel, Alameda/Yale from the United States, and 405 from Austria or Germany.

Patti

--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2762 *Virus Info* 08-25-90 09:07:00 (Read 10 Times)
From: PATRICIA HOFFMAN
To: KEVIN HIGGINS
Subj: REPLY TO MSG# 2757 (RE: HAVE ANYONE TRIED SECURE ?)

KH> I took a look at it, but to be realistic, when you run a BBS, or
KH> are continuously updating your files as new releases come out, you
KH> could easily get to the point where you spend more time reconfiguring
KH> the anti-virus program than you would getting any work done. I find it
KH> much more efficient to scan every file for viruses as soon as I get it
KH> on my system, then rezip it, if I'm not going to use it... a simple
KH> .bat file can be used such that if you want to check multiple files,
KH> you can just feed the file names on the command line and let the .bat
KH> file take care of unzipping, scanning and rezipping the file.
KH> Be best if someone would write a program that would do this, but I
KH> haven't found one yet.

You might want to take a look at CheckOut and Shez.

CheckOut uses ViruScan to check .ARC, .PAK, .ZIP, .LZH, and other archive formats for viruses by automatically creating a temporary directory and unarchiving the file to it. It then invokes Scan to check the executable files. One of its nice features is that it will never invoke a program in that temporary directory, and you can have it either delete an infected file or move it to a badfiles directory. It will also find archives which are damaged for you. It can be invoked easily from a .BAT file, such as if you want to run it at midnight against all new uploads.
Shez is another program which can be used to scan inside archives. It is interactive, so you need to manually invoke it. After you have selected the archive and listed the contents, hitting ctrl-Z will result in Scan checking the contents.

There are other scanning shells which handle archived files, though these are the two that I've used regularly and am the most familiar with. I was also involved in the beta testing of CheckOut with some known-to-be-infected files, and it does function properly in that instance. I've also tested Shez with infected files, and it works well....

Patti

--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2763 *Virus Info* 08-24-90 16:53:00 (Read 8 Times)
From: PRAKASH JANAKIRAMAN
To: ALL
Subj: LEPROSY

Exactly what is the Leprosy virus supposed to do? I was informed that it had been included in McAfee's latest version of Scan, but, having never used Scan before in my life, and never having encountered a virus, are there "symptoms", shall we say, caused by the Leprosy virus, or for any virus? If there is a textfile explaining what each virus is capable of doing, and how it can be detected, I'd like to get a copy of it, if any of you know where I can get something of that sort.

Also, does anyone have the number to McAfee's BBS? I'd like to become a user over there as well. (I remember it being in the 408 area code, but I can't recall the actual number).

Anyways, thanks a bunch, all...

Prakash

--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)

Msg#: 2896 *Virus Info* 08-26-90 20:55:00 (Read 9 Times)
From: HERB BROWN
To: SANDY LOCKE
Subj: REPLY TO MSG# 2754 (RE: COMMUNICATION VIRALS)

With a sharp eye, Sandy Locke (1:204/869) noted:

SL> Well considering that I am hosting Chuck Forsberg today ... he's down
SL> here for the SCO developer forum I will put the question to him
SL> directly...
SL> but as one of the suggestors for feature addition to the
SL> protocol in another persona... ZMODEM will INDEED allow one to
SL> transmit a FULL path name... however this is mitigated by the ability

I have the understanding that other protocols would do this, not by choice. Without the security on the receiving end, this could be disastrous, to say the least.. I would be happy to hear what you find..

Speaking of registering zmodem, is it still free to sysops? You can answer that in net-mail.. :-)

--- QM v1.00
 * Origin: Delta Point (1:396/5.11)

Msg#: 2897 *Virus Info* 08-24-90 13:39:00 (Read 7 Times)
From: MIKE MCCUNE
To: VESSELIN BONTCHEV
Subj: REPLY TO MSG# 2746 (REMOVING JOSHI)

In your recent letter to me you suggested that I check for the virus before trying to remove it. Now that I've got a working copy of the Joshi (and don't have to let someone else test RMJOSHI), I rewrote the program to check for the virus first.

        mov     dx,80h              ; DL=80h first hard disk, DH=0 head 0
        mov     cx,1h               ; CH=0 cylinder 0, CL=1 sector 1 (the MBR)
        mov     bx,200h             ; buffer at ES:200h (ES=CS in a .COM program)
        mov     ax,201h             ; AH=2 read, AL=1 one sector
        int     13h
        or      ah,ah               ; AH=0 means the BIOS call succeeded
        jnz     read_error
        es: cmp w[bx],1feb          ; first word of the MBR = bytes EB 1F (Joshi's jump)?
        jnz     no_virus
        mov     cx,000ah            ; sector 10: write the infected MBR there as a copy
        mov     ax,301h             ; AH=3 write, AL=1 one sector
        int     13h
        or      ah,ah
        jnz     write_error
        mov     cx,9h               ; sector 9: where Joshi keeps the original MBR
        mov     ax,201h             ; read it into the buffer
        int     13h
        or      ah,ah
        jnz     read_error
        mov     cx,1h               ; write it back over sector 1
        mov     ax,301h
        int     13h
        or      ah,ah
        jnz     write_error
        mov     ah,9h               ; DOS print string at DS:DX
        lea     dx,remove_message
        int     21h
        int     20h                 ; terminate
remove_message: db 'Joshi Removed$'
no_virus:
        mov     ah,9h
        lea     dx,virus_message
        int     21h
        int     20h
virus_message:  db 'Joshi not found$'
read_error:
        mov     ah,9h
        lea     dx,read_message
        int     21h
        int     20h
read_message:   db 'Read Error$'
write_error:
        mov     ah,9h
        lea     dx,write_message
        int     21h
        int     20h
write_message:  db 'Write Error$'

I wrote it for the shareware A86, but it should assemble under MASM, TASM or WASM with minor modifications. Next I will scan the memory for the virus because the remover won't work while the virus is active in memory.....
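An added example, not part of Mike McCune's post: the same remove-only-if-infected logic in Python over an in-memory disk image, so it can be tried offline. The Joshi facts are taken from his listing (infected MBR starts with bytes EB 1F, original MBR stashed in cylinder 0 / head 0 / sector 9, infected sector copied to sector 10); the 55 AA boot-signature check on the stashed sector before restoring is an extra safeguard assumed here, and the disk contents are constructed.

```python
"""Joshi MBR removal logic with a "check before you write" guard.

Added example modelled on the RMJOSHI listing in the message above; it is
not that program. It runs against an in-memory disk image. From the
listing: Joshi's infected MBR starts with bytes EB 1F, the original MBR is
stashed in cylinder 0 / head 0 / sector 9, and the infected sector is
copied to sector 10 before the original is put back. The 55 AA signature
check on the stashed sector is an assumed extra safeguard, so a damaged or
missing backup is never written over sector 1.
"""
import struct

SECTOR = 512
JOSHI_FIRST_WORD = 0x1FEB   # bytes EB 1F at offset 0, read as a little-endian word
BACKUP_SECTOR = 9           # where Joshi keeps the original MBR (1-based, like INT 13h CL)
SAVE_SECTOR = 10            # where RMJOSHI parks a copy of the infected MBR
MBR_SECTOR = 1


class DiskImage:
    """Stand-in for INT 13h reads/writes on cylinder 0, head 0 (constructed)."""

    def __init__(self, n_sectors=16):
        self.data = bytearray(SECTOR * n_sectors)

    def read(self, sector):
        off = (sector - 1) * SECTOR
        return bytes(self.data[off:off + SECTOR])

    def write(self, sector, buf):
        if len(buf) != SECTOR:
            raise ValueError("one full sector expected")
        off = (sector - 1) * SECTOR
        self.data[off:off + SECTOR] = buf


def is_joshi_infected(mbr):
    """The same test as 'cmp w[bx],1feb' in the assembler listing."""
    return struct.unpack_from("<H", mbr, 0)[0] == JOSHI_FIRST_WORD


def looks_like_boot_sector(sector):
    """Assumed safeguard: a restorable MBR ends with the 55 AA signature."""
    return sector[510:512] == b"\x55\xaa"


def remove_joshi(disk):
    """Return a status string; sector 1 is only written when both checks pass."""
    mbr = disk.read(MBR_SECTOR)
    if not is_joshi_infected(mbr):
        return "Joshi not found"          # never modify a clean partition record
    original = disk.read(BACKUP_SECTOR)
    if not looks_like_boot_sector(original):
        return "Backup sector invalid; not restoring"
    disk.write(SAVE_SECTOR, mbr)          # keep the infected sector, as RMJOSHI does
    disk.write(MBR_SECTOR, original)      # put the stashed original back
    return "Joshi Removed"


def make_sample_disk(infected=True, stash_backup=True):
    """Build a toy image (constructed data, not a dump of the real virus)."""
    clean = bytearray(SECTOR)
    clean[0:3] = b"\xfa\x33\xc0"                     # arbitrary bootstrap bytes
    clean[446:462] = bytes([0x80, 0, 1, 0, 6] + [0] * 11)  # one bootable partition entry
    clean[510:512] = b"\x55\xaa"
    disk = DiskImage()
    if not infected:
        disk.write(MBR_SECTOR, bytes(clean))
        return disk
    bad = bytearray(SECTOR)
    bad[0:2] = b"\xeb\x1f"                           # the jump Joshi starts with
    bad[446:462] = clean[446:462]                    # partition table copied into the toy image
    bad[510:512] = b"\x55\xaa"
    disk.write(MBR_SECTOR, bytes(bad))
    if stash_backup:
        disk.write(BACKUP_SECTOR, bytes(clean))      # where Joshi stashes the real MBR
    return disk


if __name__ == "__main__":
    d = make_sample_disk()
    print(remove_joshi(d))                                 # Joshi Removed
    print(remove_joshi(make_sample_disk(infected=False)))  # Joshi not found
```

Running it on a clean image leaves sector 1 untouched, which is the case Talley Ragan asks about further down the thread.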
--- Opus-CBCS 1.13
 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)

Msg#: 2898 *Virus Info* 08-25-90 23:46:00 (Read 6 Times)
From: TALLEY RAGAN
To: MIKE MCCUNE
Subj: REPLY TO MSG# 2897 (RE: REMOVING JOSHI)

In a message to Talley Ragan <08-23-90 15:23> Mike Mccune wrote:

MM>>No, it just modifies the partition record to remove the virus.
MM>>If the virus isn't there, it still modifies the partition
MM>>record.

Thanks for the information. That clears up the question just fine.

Talley

--- ZAFFER v1.01 --- QuickBBS 2.64 [Reg] Qecho ver 2.62
 * Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9)

Msg#: 2899 *Virus Info* 08-23-90 17:31:00 (Read 6 Times)
From: DAVID BURGESS
To: MARTIN NICHOL
Subj: REPLY TO MSG# 2661 (WHAT'S THE SOLUTION?)

In a message to michael tunn <21 Aug 90 20:29:00> Martin Nichol wrote:

MN> mt said => It seems to me our Virus checking programs will just
MN> mt said => get bigger and bigger as more viruses and strains of
MN> mt said => the same viruses are discovered. If so (and if their
MN> mt said => development is accelerating) then we may find in the
MN> mt said => near future that it has become impossible to deal
MN> mt said => with the outbreaks!
MN> mt said => Do we develop new Operating Systems which are far
MN> mt said => more secure!
MN> Develop different virus scanning programs. Make them more generic
MN> where virus signatures/characteristics can be kept in a separate
MN> file and the virus scanner just reads the
MN> file and interprets it accordingly.

That opens the door to having the virus scanner or part of the virus scanner become contaminated.

--- [Q] XRS 3.40
 * Origin: Eurkea! I've found the secret elephant playground (RAX 1:124/3106.6)

Msg#: 2900 *Virus Info* 08-17-90 21:06:00 (Read 6 Times)
From: CHRIS BARRETT
To: PATRICIA HOFFMAN
Subj: RE: VIRUCIDE V1.2

Thanks for the info.. If ya remember the name could ya tell us it.. I think i'll stick with the ScanV?? and CleanP?? for now then..

Chris..
--- TBBS v2.1/NM
 * Origin: 1990 MultiLine Perth Western Australia - 09-370-3333 - (690/654)

Msg#: 2901 *Virus Info* 08-17-90 06:26:00 (Read 6 Times)
From: ZEBEE JOHNSTONE
To: ALL
Subj: MAC VIRUS

Anyone know anything about a mac virus which:

Sets the delete flag on any folder with a name which starts with the letter "o" or higher (eg system...)

It doesn't actually delete the folder, the machine will still boot, but the folder is missing from the desktop and the delete flag is set.

Weird one hmm?

---
 * Origin: Lighten up! What man can make, man can break! (3:680/813)

Msg#: 2902 *Virus Info* 08-19-90 22:31:00 (Read 6 Times)
From: BRENDON THOMPSON
To: PATRICIA HOFFMAN
Subj: "STONED 2"

Patti, I sent you a message the other day about a new variant of "Stoned" that I found in Christchurch, New Zealand. It had reference to some "S & S program for testing anti-virus software" and the phone number 0494 791900 in it. I have since had the time to pull it to bits, and it is only the original "Stoned" virus. The code at the start of the sector is still the same, but some clown has modified the message after location 65H.

I'm still pleased to send you a specimen by airmail if you like, but it ain't "Stoned 2".

Regards.. ... Doon.

--- Via Silver Xpress V2.26
 * Origin: TONY'S BBS - Gateway to New Zealand. (3:770/101)

Msg#: 2903 *Virus Info* 08-19-90 09:25:00 (Read 6 Times)
From: DONALD ANDERSON
To: FRIAR NESTOR
Subj: RE: LOOKIN' FOR FUN?

I'm always looking for fun

--- KramMail v3.15
 * Origin: get real (3:621/221.0)

Msg#: 2904 *Virus Info* 08-26-90 23:36:00 (Read 7 Times)
From: GLENN JORDAN
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2761 (ANTI VIRUS VIRUSES)

PH> The Vacsina Viruses were written in Bulgaria to seek out and destroy
PH> certain other viruses, or at least that was their original purpose.
In examples of the VACSINA virus I have investigated, I have found the following odd behavior, which I wonder if you have also noted:

.COM files of over a certain size are infected at first bite, but .EXE files are different. It takes two exposures to infect an .EXE file, each of which adds a bit to the file length, but only at the second exposure do you get a live virus, signaled by a short beep. A tiny .EXE will take the first exposure, but never complete on a subsequent exposure to become a live virus.

I wonder if this behavior, which I have not seen in any other viruses so far, is in some way related to the original "anti-virus" nature of this beast?

--- XRS 3.30-DV (286)
 * Origin: Jordan Computer Consulting (RAX 1:151/223.3)

Msg#: 2905 *Virus Info* 08-26-90 07:54:00 (Read 6 Times)
From: KEN DORSHIMER
To: SANDY LOCKE
Subj: REPLY TO MSG# 2756 (RE: CRC CHECKING)

On 25-Aug-90 with bulging eyes and flailing arms Sandy Locke said:

SL> check out Gilmore Data Systems in LA authors of the OLD FICHECK and
SL> XFICHECK... the technique is called CRC padding after the addition of
SL> the viral code the file is padded with a given number of bytes to make
SL> the CRC Polynomial come out with the same result... the FCB is then
SL> Patched to the original file length leaving nothing for standard CRC
SL> checkers to detect... Child's play really... sandy p.s. in the case of
SL> most stealth viruses... the file read code is simply altered to
SL> disinfect the file as the CRC checking program reads it... again
SL> simply child's play...
SL>

could you send me this article? i still believe that the virus would have to know your crc algorithm in order to perform this magic. additionally if the file is padded, its size would increase and would be detected that way. correct? sooo, the person writing the virus would require a copy of your file to disassemble, see how you performed your checks, then create a means to circumvent it.
sounds like a lot of trouble to me for very little gain.

catch ya on the rebound.

...All of my dreams are in COBOL...

--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 2906 *Virus Info* 08-26-90 23:58:00 (Read 6 Times)
From: KEN DORSHIMER
To: STEVEN TREIBLE
Subj: REPLY TO MSG# 2751 (RE: VOICE NUMBER)

On 26-Aug-90 with bulging eyes and flailing arms Steven Treible said:

ST> Ken, I haven't mailed the disk yet as you can see. I'd like to have
ST> your voice # so I can talk to instead of sending Net Mail. Thanks,
ST> Steve.

you got it, look for it in a net-mail-o-gram. i'd rather not leave it in the public msg area as everyone would try to call and shoot the breeze. :-)

...All of my dreams are in COBOL...

--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 2907 *Virus Info* 08-26-90 13:09:00 (Read 6 Times)
From: PAUL BENDER
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2744 (VIRUS RESCUE & F-PROT RELEASES)

 * Replying to a message originally to All

PH> Both programs are also file requestable by other systems.
PH> File requests should ask for magic file names as follows:
PH>
PH> F-PROT for the latest copy of F-PROT (currently
PH> FPROT112.ZIP)
PH> RESCUE for the latest version of Virus Rescue
PH>

Would it be possible for you to hatch these out into SDS or arrange for the authors to do so?

Paul

--- RemoteAccess 0.04a via QEcho 2.
 * Origin: -=* Rassi's Retreat *=- 10pm to 8am Only! (615) 831-1338 (1:116/37)

Msg#: 2908 *Virus Info* 08-26-90 12:44:00 (Read 7 Times)
From: PATRICIA HOFFMAN
To: ALL
Subj: VIRUS_INFO INTRODUCTION & RULES

Welcome to the VIRUS_INFO echo. The purpose of this echo is to allow BBS users and sysops to ask questions about computer viruses and to be able to get back up-to-date information.
Discussion topics may include, but are not necessarily limited to:

- what are viruses
- how to prevent getting infected
- how to determine if your system is infected
- how to clean up an infected system and salvage as much information as possible
- reviews and announcements of new anti-viral products and product releases.

There was a lot of hysteria in the press over the Columbus Day/DataCrime/October 12 virus, for example, but little mentioned of how rare the virus is or how to determine if a system is infected with it and how to remove it. This type of information is an example of what this echo is intended to carry.

Some messages appearing in this conference may be cross-postings from the Dirty_Dozen echo which is sysop only. Cross-postings may only be done by the originator of the message. For example, several of my messages posted in the Dirty_Dozen echo will be cross-posted here. Messages from the HomeBase/CVIA BBS run by Mr. John McAfee in Santa Clara, CA and/or CVIA bulletins may be posted here by Patricia Hoffman; these are being done with Mr. McAfee's permission. Replies to these messages, as well as netmail received at 1:204/869 for Mr. McAfee, are manually transferred to his system as they are received.

Conference rules are very simple.....

1. Discussions of how to write a virus, specific technical discussions of how a virus works, or anything of an illegal nature, are not allowed. This rule is *not* open to debate.

2. Messages with a sexually suggestive nature are not allowed; please keep in mind that minors as well as adults participate in this conference.

3. Discussions of an ethical or rhetorical nature that lead into a debate are considered off-topic in that they will not ever be resolved and do not help anyone. An example in this category would be a discussion in the area of "Should live viruses or virus disassemblies be made available to the public?".
These questions and topics will be allowed until such a point that they start to severely disrupt the echo, or start a flame war. At that point, the moderator will request that the discussion be discontinued.

4. Be courteous to your fellow echo participants, and remember there is no such thing as a dumb question, except for the question that someone is afraid to ask. Everyone needs to help everyone else understand viruses and why they are a problem.

5. This conference is not to be distributed thru Group-mail or any other mail processor which will obscure the ability to track a message back to an originating system. All messages must have seen-bys and path statements if the participating BBS's software can generate them.

6. If you have a question or problem of an extremely sensitive nature, consider sending it NetMail to 1:204/869 or 99:9403/2 instead of posting it here. If you are netmailing a file that you think is infected, be sure to send a message in NetMail with it so I know what it is; I'll be sure it gets to someone to get analysed for you. Do not under any circumstances host route a file that you think is infected. Suspect files may also be sent on diskette via US Mail to the following address:

Patricia Hoffman
1556 Halford Avenue #127
Santa Clara, CA 95051

7. This conference is available to FidoNet and EggNet systems. The conference echomail tag in FidoNet is VIRUS_INFO; in EggNet the conference is available as E_VIRUS_INFO.

8. This conference is available on the FidoNet Backbone. While you are welcome to freely pass this echo along to other systems, out of region links must be approved by the moderator of the echo. Gating the echo into another network or Zone must be approved by the conference moderator.

9. Opinions are welcome in the conference; however, the ethics of the behavior of people that write viruses, or name calling, is frowned upon. Likewise, accusations of virus writing are strictly forbidden.
Please keep opinions down to a single message, and do not repeatedly post them, as these messages tend to water down the purpose of the conference and degrade the level of information that is being presented.

10. Handling of off-topic messages or messages that violate the conference rules will be done by the moderator. First and second warnings on these messages will be in private Netmail. Please do not respond to the off-topic messages so that the conference doesn't get further off-track. Let the moderator do the moderating.

11. Handles are allowed in this conference; however, sysops of boards carrying the conference are expected to be able to determine which of their users entered a message if a problem arises. This in effect means, for example, that Opus systems must not set this echo up to allow anonymous messages.

12. If a matter arises where the moderator needs to contact a participant in the echo, the moderator will contact the system where the message was entered and request that the sysop allow the user netmail access, or call the participant with a request for them to logon to the moderator's system or provide a phone number with the participant's permission. Sysops are not expected to provide their users' phone numbers to the moderator without the user's express permission; their privacy is important. There are times, however, when a phone call or chat can resolve a problem much faster than any other route. This is the only reason for this rule.

13. This echo is not a programming echo for answering questions on how to code programs in assembler. If you want to exchange assembler (or any other programming language) techniques, please locate an appropriate programming echo or start your own echo.

Patricia M. Hoffman is the moderator of the VIRUS_INFO echo conference. She has previously used the name "Merry Hughes" in moderating this conference, and is the originator of the conference and the original moderator.
Patricia Hoffman is also the author of the Virus Information Summary List, and is an independent anti-viral researcher.

Please contact the moderator, Patricia Hoffman, at 1:204/869 or 99:9403/2 if you need assistance on setting up an echofeed for this echo to your system.

thanks...

Patti

--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2909 *Virus Info* 08-26-90 15:13:00 (Read 7 Times)
From: PATRICIA HOFFMAN
To: PRAKASH JANAKIRAMAN
Subj: REPLY TO MSG# 2763 (LEPROSY)

PJ> Exactly what is the Leprosy virus supposed to do? I was informed that
PJ> it had been included in McAfee's latest version of Scan, but, having
PJ> never used Scan before in my life, and never having encountered a
PJ> virus, are there "symptoms", shall we say, caused by the Leprosy virus,
PJ> or for any virus? If there is a textfile explaining what each virus is
PJ> capable of doing, and how it can be detected, I'd like to get a copy of
PJ> it, if any of you know where I can get something of that sort.

The Leprosy virus is a non-resident overwriting virus. It infects .COM and .EXE files, overwriting the first 666 bytes of the file. Symptoms of it include that infected files will not execute properly...instead of what they are supposed to do, they will, upon execution, infect other files, then display a message and end.

A complete description of this virus and all (with the exception of V2P2, V2P6, V2P6 and Stoned II) known MS-DOS viruses as of August 10, 1990 is available in the Virus Information Summary List. Its current version is VSUM9008.ZIP. It is available on my system at 408-244-0813, as well as many other systems, including McAfee's BBS. Check around your area before you make the long distance call; it could save you the phone call cost.

PJ>
PJ> Also, does anyone have the number to McAfee's BBS? I'd like to become a
PJ> user over there as well. (I remember it being in the 408 area code, but
PJ> I can't recall the actual number).
PJ> Anyways, thanks a bunch, all...

The number of the HomeBase BBS is 408-988-4004. The 9600 HST number is 408-988-5138.

Patti

--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 2910 *Virus Info* 08-24-90 23:05:00 (Read 7 Times)
From: CY WELCH
To: TALLEY RAGAN
Subj: REPLY TO MSG# 2898 (REMOVING JOSHI)

In a message to Mike Mccune <20 Aug 90 17:09:00> Talley Ragan wrote:

>MM>> Just be sure to boot off a clean diskette to remove the
>MM>>virus from memory, otherwise the virus will not be removed.
>MM>> If RMJOSHI is used on an uninfected hard drive, it will
>MM>>destroy the partition table. This next program, RETURN.COM
>MM>>will restore the partition table.
>MM>> I will post this program in my next listing....

TR> Does this mean that RMJOSHI.COM, if run on an uninfected hard
TR> drive by itself is a virus?

Actually I think it would fit the description of trojan rather than virus as it doesn't replicate.

--- XRS! 3.40+
 * Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1)

Msg#: 2911 *Virus Info* 08-26-90 21:13:00 (Read 6 Times)
From: TOM PREECE
To: SANDY LOCKE
Subj: REPLY TO MSG# 2758 (RE: REMAPPING...)

As you may see by looking at my other entries, I have been loading a cache program that is clearly implementing software to remap my keys to a certain extent. If this is possible as a glitch, it is obviously possible as an attack. Let's hope it never comes to that.

--- TBBS v2.1/NM
 * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)

Msg#: 2993 *Virus Info* 08-27-90 07:54:00 (Read 7 Times)
From: JAMES DICK
To: KEN DORSHIMER
Subj: REPLY TO MSG# 2762 (RE: HAVE ANYONE TRIED SECURE ?)

On Fri, 24 Aug, 1990 at the ungodly hour of 23:37, while ducking Broccoli Jello and drinking jolt, Ken Dorshimer wrote to Kevin Higgins, TO WIT...

KD > sounds like a plan to me.
KD > it would actually be fairly simple to write
KD > a
KD > program to look at all the files in your upload directory, unpack them
KD > based
KD > on the extension, scan them, then re-compress them (if needed). of

Sounds like CHECKOUT....available here, HomeBase, Excalibur! and others as CKOT11.*

-={ Jim }=-

--- QM v1.00
 * Origin: The Clipperist - Home to happy Clippheads in Ottawa, Canada (1:163/118.0)

Msg#: 2994 *Virus Info* 08-27-90 19:34:00 (Read 6 Times)
From: PHILLIP LAIRD
To: ALAN DAWSON
Subj: REPLY TO MSG# 2750 (RE: SCAN WEIRDNESS)

** Quoting Alan Dawson to Patricia Hoffman **
>among them a SCAN-known Dark Avenger. I SCAN this floppy from
>the C
>drive, and the "hey, nothing to worry about there" report comes
>back.
>Strange. I SCAN it again. This time 'round, SCAN barfs after
>
>--- Opus-CBCS 1.13
> * Origin: PCBBS -- WOC'n in the Land of Smiles -- Thailand
>(3:608/9.0)
** End of Quote **

Alan, I NEVER SCAN from the C Drive or any hard disk. I always scan from a write protected Floppy Diskette in Drive A. I also have a third system (Yep, that's right, a third system) to do all my scanning from. However, I have never had happen to me what happened to you. I did one time find Scan.EXE infected at my place of employment when I didn't write protect the floppy and scanned the B drive. PLEASE write protect the floppy or SCAN.EXE on the hard drive...

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)

Msg#: 2995 *Virus Info* 08-27-90 19:50:00 (Read 10 Times)
From: PHILLIP LAIRD
To: SANDY LOCKE
Subj: REPLY TO MSG# 2753 (RE: VIRUS ORIGINALS)

Sandy, maybe this might help. I have read an excellent book on the subject of the origins of viruses, but let me quote you guys first...
** Quoting Sandy Locke to Sky Raider **
>SR> effort to see what kind of stuff could be done with them,
>a group of
>SR> programmers (financed by the US government as I recall)
>instituted a se
>SR> programs that would attempt to 'beat' others in taking
>over a computer
>SR> system. These programs led to a gaming system known as
>the CORE WARS.
>SR> today there is an International Core Wars Society.
>
>SR> I think it can be easily seen how a program to destroy/circumvent
>a st
>SR> operating system can develop into a virus.
>
>SR> I tried to double check this information for accuracy,
>names, dates, e
>SR> but it seems I have deleted this file. I will try to get
>further info
>SR> you, but believe this info is shrouded in secrecy, and
>may be hard to
>SR> relocate.
>
>SR> So, the original viruses did come from the US (and even
>possibly with
>SR> government help).
>
>SR> Ivan Baird
>SR> * Origin: Northern Connection, Fredericton, N.B. Canada
>
>SR> (1:255/3)
>WHAT a LOAD of UNADULTERATED CRAP... redcode is simply a GAME
>created by
>bored programmers... ORIGINAL CORE WARS games were created
>as far back
>as 1969 back on the OLD IBM 360 architectures under both OS/MFT
>and
>OS/MVT OS's... neither had anything to do with so-called secret
>financing by the US government...BTW I was AROUND and A Systems
>Programmer during that period... we created our own versions
>when we
>heard of the rumours... it was an old system programmers game
>designed
>to give Egotistical programmers some lighthearted fun... at this
>point
>ALL code ran in real Address space and redcode hadn't even been
>thought
>of... the MUCH later article by Scientific American in 1979
>gave this
>fun without harm via the redcode interpreter implemented on
>early 6502
>and 8080 systems... really... I am going to have to move to
>Canada...
>sounds like there are some really potent and fun drugs in circulation
>up there... jeez... what a simp...
> sandy
>
>
>--- QM v1.00
> * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813
>(1:204/869.0)
 ** End of Quote **

O.K. The above message is what I am quoting to you.... If you get a chance, you can pick this book up at Walden Software at the following locations in California and maybe other bookstores near you can order the book, too:

Viruses, A High Tech Disease
By Ralph Burger
Published by Abacus
ISBN 1557550433
Retails at 18.95 US

Can be picked up at the following Walden Software Stores:
Daly City, Ca (415) 756-2430
San Leandro, Ca (415) 481-8884

It starts from way back when...

Phillip Laird
--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)

Msg#: 2996 *Virus Info* 08-27-90 19:58:00 (Read 7 Times)
From: PHILLIP LAIRD
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 2760 (RE: ONTARIO VIRUS)

 ** Quoting Patricia Hoffman to Phillip Laird **
>after it was submitted by Mike Shields (Sysop of 1:244/114).
> Ontario is a memory resident generic infector of .COM and
>.EXE files, including COMMAND.COM. Infected .COM files will
>increase in length by 512 bytes. Infected .EXE files will
>A more complete description of the Ontario virus is in VSUM9008,
>which was released on August 10. The above is just off of
>the top of my head, which happens to hurt right now. Hope
>it is understandable.....
>
>Patti
>
>
>--- QM v1.00
> * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813
>(1:204/869.0)
 ** End of Quote **

Yea, I think Mike was the one the message came from I read about. He Was instrumental in helping us with another problem he found, too. I am sure that he is on the up and up about the hard disk problems. Nope, I don't have the Ontario Virus that I know of! I read about the Virus after I had posted to you, Thanx for the info. Nice to know where it loads in Mem, that would make a util easier to write once I had a fix on what you have already told me.
I will see if I can locate that message from Mike about the Virus originally and let you read it...

--- TAGMAIL v2.20
 * Origin: DATAMANIAC'S HIDEOUT BBS 409-842-0218/BEAUMONT,TX (1:19/49)

Msg#: 3029 *Virus Info* 08-26-90 14:01:00 (Read 7 Times)
From: RICK WILSON
To: SANDY LOCKE
Subj: RE: CORE WARS

yep core wars was something that a bunch of people that had access to systems messed with after hours, there was an article in DDJ a few years ago about a bunch of em out at Berkeley or Stanford or something. really weird how these folks that have recently ( within the last 8 to 10 years ) become such experts on micros and mainframes and their history.

later...
Rick
--- Telegard v2.5 Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)

Msg#: 3030 *Virus Info* 08-26-90 16:45:00 (Read 7 Times)
From: JOE MORLAN
To: CY WELCH
Subj: KEYBOARD REMAPPING.

In addition to PKWare's Safe-ANSI, ZANSI does not support keyboard remapping. However, NANSI.SYS does have keyboard remapping.

--- Telegard v2.5 Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)

Msg#: 3070 *Virus Info* 08-30-90 23:11:45 (Read 9 Times)
From: SKY RAIDER
To: SANDY LOCKE
Subj: REPLY TO MSG# 2753 (Re: VIRUS ORIGINALS)

Firstly, I did not wish to anger you (although I seem to have done just this), but only sought to answer your question to the best of my abilities (which you seem to doubt). Secondly, I stand by my original assertions that viruses were developed through the original Core Wars gaming system. This has been corroborated by various 'virus gurus' here at the local university. In fact, without prompting, one mentioned Bell Labs. Since, as you state, you are a Systems Programmer - it should be obvious to yourself that a RedCode program could be easily adapted to the microcomputer world. It should also be equally as obvious that these RedCode experiments have laid the groundwork for many of the various virus types infecting micros today (ie. trojans, worms, etc.).
Thirdly, I did not state, nor did I mean to imply (as you seem to believe), that these RedCode 'fighter programs' are in fact the viruses we see today - merely that they (RedCode fighters) provided the techniques for the micro viruses. Furthermore, since the RedCode experiments were "old system programmers games designed to give Egotistical programmers some lighthearted fun", and since it is generally accepted that virus writers are in this for the same reasons (the egotistical, not the fun), I find it hard to believe that you cannot equate the two.

If you will note in the extract below, I am not the only person who believes the RedCode experiments were the forerunners of the modern viruses (in fact, it may be noted they refer to these as viruses - which, of course, they were);

From the Sept./89 issue of Popular Science;

Despite all the recent publicity, viruses aren't new. In the 1950's researchers studied programs they called "self-altering automata," says Mike Holm... In the 1960s computer scientists at Bell Laboratories had viruses battling each other in a game called Core Wars. The object was to create a virus small enough to destroy other viruses without being caught....

Also, just for the record, allow me to mention that this is an American publication (apparently there are strange drugs down there too). Again, for the record, allow me to mention that it is fact that Robert Morris, Sr. was a participant in the Core Wars games. Is it a coincidence that his son wrote the Internet Virus, or did his father give him the building blocks to build upon? (With my apologies to the Morris family, but I felt this example might carry some weight with Know-it-all System Programmers).

To answer your original question, in a form that you may deem acceptable (ie.
no RedCode, no mainframe systems, the US is not the origin - all those naive things), the original micro virus was (at least in the IBM world, I can not be sure this applies to early Apple ][ systems, or even the Pets from Commodore) the "Pakistani Brain", released in Jan. '86. But it must be noted (although I feel you will reject this also (ie. mainframe, US, etc)), in Nov. '83, Fred Cohen, in 8 hours wrote a virus which attached itself to users programs, and proceeded to use this program to gain access to all system rights (in an average time of 30 mins). Also, although I don't have a date (the computer name itself may give some indication of age) - on a UNIVAC 1108, with a secure operating system using the Bell-LaPadula model for OS security, a virus was created that: infected the system in 26 hours, used only legitimate activity with the Bell-LaPadula rules, and the infection took only 250 (approx.) of code (From "Computer Security: Are Viruses the AIDS of the Computing Industry?", by Prof. Wayne Patterson, Chairman, Dept. of Computer Science, University of New Orleans.).

I am not interested in a war of words, so I will suggest some reading before you go off half cocked to this reply - "Computer Security; A Global Challenge," J.W. Finch & E.G. Douglas, eds., Elsevier Science Publishers, North-Holland - especially the chapters by Fred Cohen. I have not read this, but will try to when it becomes available to me. Also see the message posted by Phillip Laird.

--- TBBS v2.1/NM
 * Origin: Northern Connection, Fredericton, N.B. Canada (1:255/3)

Msg#: 3154 *Virus Info* 08-28-90 06:33:00 (Read 7 Times)
From: PATRICIA HOFFMAN
To: ALAN DAWSON
Subj: REPLY TO MSG# 2994 (SCAN WEIRDNESS)

AD> Anybody heard of this? I've got a floppy with some viruses on it,
AD> among them a SCAN-known Dark Avenger. I SCAN this floppy from the C
AD> drive, and the "hey, nothing to worry about there" report comes back.
AD> Strange. I SCAN it again.
AD> This time 'round, SCAN barfs after 64K of
AD> the memory check, telling me Dark Avenger is in memory, power down,
AD> load the .45, get the cyanide tablet ready and so on.
AD> But DA of course is NOT in memory or active in any way. It is,
AD> however, on the floppy, unrun.
AD> The above occurred with SCANV64. Out of curiosity, I cranked up
AD> SCAN-54 and -- EXACTLY the same result.
AD> AST Bravo 286, no TSRs, nothing else loaded, clean (normal) boot
AD> just performed.
AD> I have a bunch of viruses that I don't expect SCAN to find --
AD> ever. But this kind of thing has never happened to me before. Can
AD> anyone match this story, or event?

There are a couple of possibilities here. First, if the virus is on a non-executable file, such as one with a .VOM or .VXE extension, Scan won't find it since it is not one of the file extensions it checks for Dark Avenger. In this case, a subsequent run of Scan may find it in memory anyways since the DOS buffers in memory are not cleaned out between program executions. If this is the case, running Scan with the /A option will find it on any file, regardless of extension.

Likewise, if your copy of Dark Avenger has ever had a disinfector run against it, it may have some "dead" Dark Avenger code after the end of file mark, but within the last sector of the program as allocated on disk. In this case, Scan won't find it on disk, but may later find it in memory since the code after the end of file mark was read in with the rest of the last sector of the program to memory. This is what is sometimes referred to as a "ghost virus", it isn't really the virus, just dead remnant code remaining in the slack space in the sector. It can't be executed. Running a disk optimization utility such as Speed Disk from Norton Utilities will get rid of the "ghost virus". They are caused by the way DOS fills out the end of the buffer before it writes it out to disk, doesn't always occur when disinfecting programs, but it sometimes will occur.
The other case is if your copy of Dark Avenger does not occur at the correct place in the file. Dark Avenger always adds its code to the End Of Programs. If your copy happens to have it at the beginning of the program, or perhaps embedded in the middle where it shouldn't be, it may not get found. In this case, your copy doesn't match either of the Dark Avengers that McAfee has.

Hope that helps....those are the only three cases that I've heard of a similar problem to yours.

Patti
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3155 *Virus Info* 08-28-90 15:16:00 (Read 5 Times)
From: KEN DORSHIMER
To: JAMES DICK
Subj: REPLY TO MSG# 2993 (RE: HAVE ANYONE TRIED SECURE ?)

On 27-Aug-90 with bulging eyes and flailing arms James Dick said:

JD> On Fri, 24 Aug, 1990 at the ungodly hour of 23:37, while ducking
JD> Broccoli Jello and drinking jolt, Ken Dorshimer wrote to Kevin
JD> Higgins, TO WIT...
KD >> sounds like a plan to me. it would actually be fairly simple to write
KD >> a
KD >> program to look at all the files in your upload directory, unpack them
KD >> based
KD >> on the extension, scan them, then re-compress them (if needed). of
JD> Sounds like CHECKOUT....available here, homebase excaliber! and
JD> others as CKOT11.*
JD>

thanks but you might want to tell kevin higgins about that. :-) as for me, hell i'll write the bloody thing myself. just wouldn't be a day without some programming in it.

...All of my dreams are in COBOL...
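Ken's quoted idea (and the CHECKOUT program Jim mentions) is the upload-vetting loop: unpack each archive by extension, scan what comes out, re-compress it if it is clean. The Python below is an added example of that loop and is not code from any message in this thread, from CHECKOUT, or from McAfee's SCAN. It assumes a scanner that is just a table of byte signatures (the one pattern in it is constructed for the example), handles only .zip via the standard library, and adds two things a sysop running this unattended would want: it refuses archive entries whose path would land outside the extraction directory, and it moves anything flagged or malformed to a quarantine directory rather than deleting it.

```python
"""Vet an upload directory: unpack each archive, scan the contents, re-pack if clean.

Added example, not from the original messages, CHECKOUT or SCAN.  Only .zip is
handled (standard library); the signature table is a constructed stand-in for a
real scanner's database.
"""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Constructed signature table: detection name -> byte pattern.  A real scanner
# carries a database of these; this single pattern is made up for the example.
SIGNATURES = {
    "Example-Test-Pattern": b"CONSTRUCTED-SAMPLE-SIGNATURE-0001",
}

# Archive extensions we know how to unpack ("unpack them based on the extension").
UNPACKERS = {".zip"}


def scan_file(path):
    """Return the names of every signature found in the file at `path`."""
    data = Path(path).read_bytes()
    return [name for name, sig in SIGNATURES.items() if sig in data]


def safe_extract(archive, dest):
    """Extract a zip into `dest`, refusing any entry whose path would escape it."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"entry escapes extraction dir: {info.filename}")
        zf.extractall(dest)


def repack(src_dir, archive):
    """Re-compress the extracted tree into a fresh archive at `archive`."""
    src_dir = Path(src_dir)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = Path(root) / name
                zf.write(full, full.relative_to(src_dir).as_posix())


def check_upload(archive, quarantine):
    """Unpack, scan, then re-pack (clean) or move to quarantine (flagged or malformed)."""
    archive, quarantine = Path(archive), Path(quarantine)
    report = {"file": archive.name, "status": "skipped", "hits": {}}
    if archive.suffix.lower() not in UNPACKERS:
        return report                      # unknown format: leave for manual review
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(archive, tmp)
        except (zipfile.BadZipFile, ValueError):
            shutil.move(str(archive), str(quarantine / archive.name))
            report["status"] = "rejected"  # corrupt or path-escaping archive
            return report
        for root, _, files in os.walk(tmp):
            for name in files:
                found = scan_file(Path(root) / name)
                if found:
                    report["hits"][str(Path(root, name).relative_to(tmp))] = found
        if report["hits"]:
            shutil.move(str(archive), str(quarantine / archive.name))
            report["status"] = "quarantined"
        else:
            repack(tmp, archive)           # clean: re-compress the normalised contents
            report["status"] = "clean"
    return report


def check_upload_dir(upload_dir, quarantine):
    """Run check_upload over every file in the upload directory."""
    Path(quarantine).mkdir(parents=True, exist_ok=True)
    files = sorted(p for p in Path(upload_dir).iterdir() if p.is_file())
    return [check_upload(p, quarantine) for p in files]


def build_sample_uploads(root):
    """Construct three sample uploads: clean, carrying the test pattern, path-escaping."""
    up = Path(root) / "uploads"
    up.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(up / "clean.zip", "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
    with zipfile.ZipFile(up / "bad.zip", "w") as zf:
        zf.writestr("tool.com", b"MZ" + SIGNATURES["Example-Test-Pattern"])
    with zipfile.ZipFile(up / "slip.zip", "w") as zf:
        zf.writestr("../escape.txt", "would land outside the extraction dir")
    return up


def run_demo():
    """Build the sample uploads in a scratch directory; return {name: (status, hits)}."""
    with tempfile.TemporaryDirectory() as root:
        results = check_upload_dir(build_sample_uploads(root), Path(root) / "quarantine")
        return {r["file"]: (r["status"], r["hits"]) for r in results}


if __name__ == "__main__":
    for name, (status, hits) in run_demo().items():
        print(f"{name:12} {status:12} {hits}")
```

Re-packing from the extracted tree, rather than handing the original archive through, is deliberate: whatever was in the archive that the unpacker did not understand (odd entries, trailing data) does not survive into the file other users download. The `check_upload` return value is what a BBS front end would log against the upload.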
--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 3156 *Virus Info* 08-27-90 14:14:00 (Read 5 Times)
From: MICHAEL CHOY
To: ALL
Subj: IN THE MAC WORLD

Disinfectant 2.0 was released in July...it has the Disinfectant INIT, which is like SAM only it removes viruses as well as detecting them..it catches the Frankie virus which is an old virus that ran on mac emulators for Atari..I guess nobody has to worry about that...it also has much more info on protecting yourself from virus and such..

--- Telegard v2.5 Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)

Msg#: 3157 *Virus Info* 08-27-90 20:25:00 (Read 5 Times)
From: JOE MORLAN
To: ALL
Subj: LHARC114?

I had heard that an infected version of LHARC was released last year under the name LHARC114. I also heard that because of that, the next release of LHARC was expected to be LHARC200 to avoid confusion with the virus. This week a file appeared on a local board called LHARC114. I left a message to the sysop to check it out and he says it's clean. The docs say that this is version 114b, the latest version. Does anybody know what the deal is or was here? Is LHARC114 safe to use? Is there a virus associated with this program? Thanks.

--- Telegard v2.5 Standard
 * Origin: Telegard BBS (000-000-0000) (1:161/88.0)

Msg#: 3158 *Virus Info* 08-28-90 15:01:00 (Read 6 Times)
From: KEVIN HIGGINS
To: PATRICIA HOFFMAN
Subj: REPLY TO MSG# 3155 (RE: HAVE ANYONE TRIED SECURE ?)

Thanks for the info on CheckOut. I'd seen the file description usage included in a .bat for TAG, but never implemented it, or d/l'd the checkout file because on my XT it sometimes takes a while to dearc. a large .zip file--a real pain for L/D types... Probably be wise to start using something like that, though, since the BBS can do all the checking automatically following uploads.... Guess most users won't mind waiting a minute or so, if it makes their d/l's almost certifiably safe.
Kevin
--- TAGMAIL v2.40.02 Beta
 * Origin: The Hornet's Nest BBS (1:128/74)

Msg#: 3177 *Virus Info* 08-28-90 18:10:00 (Read 6 Times)
From: RICK PERCIVAL
To: KEVIN HIGGINS
Subj: REPLY TO MSG# 3158 (RE: HAVE ANYONE TRIED SECURE ?)

> command line and let the .bat file take care of unzipping, scanning
> and rezipping the file. Be best if someone would write a program
> that would do this, but I haven't found one yet.
> Kevin

Hi there, you guys must be behind the times or something but there is a very good program which does exactly what you are looking for. It's called CHECKOUT. The version we are using over here is called CKOT11.ZIP and it is a little pearler!! What it does is, unzips a file, scans it and rezips it, menu driven or command line driven. Try it, you'll love it.

--- FD 1.99c
 * Origin: The Cyclops BBS Auckland NEW ZEALAND (3:772/170)

Msg#: 3178 *Virus Info* 08-14-90 09:39:00 (Read 7 Times)
From: DAN BRIDGES
To: KEN DORSHIMER
Subj: RE: CRC?

I've been reading, with interest, the messages about a program that provides a demo of circumventing a single CRC generating program. I thought that its name would be common knowledge, but apparently it isn't. You were told the name of the file was MCRCx. May I suggest that you look for it as FICHECKx. The one I got is v5 and has a program called PROVECRC which demonstrates the problem.

   **********************
   *   FICHECK Ver 5.0  *
   *  MFICHECK Ver 5.0  *
   **********************
   (C)Copyright 1988,1989 Gilmore Systems
   P.O. Box 3831, Beverly Hills, CA 90212-0831 U.S.A.
   Voice: (213) 275-8006   Data: (213) 276-5263

Cheers, Dan (no connection with the above firm).

--- Maximus-CBCS v1.02
 * Origin: Marwick's MadHouse (3:640/820)

Msg#: 3179 *Virus Info* 08-18-90 14:19:00 (Read 7 Times)
From: YVETTE LIAN
To: FRED GOLDFARB
Subj: RE: VIRUS GROUPS....

FG> writing viruses".
FG> The idea I got was that there are actual
FG> "virus groups" similar to the game cracking groups you hear
FG> of occasionally, whose sole purposes are to write viruses,
FG> not for research's sake, but to infect people. Has anyone
FG> else heard of this before? Are there really such groups?
FG> Imagine, when a new virus comes out three or four groups
FG> claiming to be the writers.. Kinda like terrorist bombings
FG> only different. Come to think of it, I remember reading a

That'd be right... you would think that if these people were intelligent enough to program something such as a virus they'd probably be better off not wasting their time with it...

--- QuickBBS 2.64 (Eval)
 * Origin: Virus Info .. how to do it and not get it ! (3:640/886)

Msg#: 3180 *Virus Info* 08-18-90 14:42:00 (Read 7 Times)
From: ROD FEWSTER
To: KERRY ROBINSON
Subj: RE: VIRUS CHECKERS

> In a message of <12 Jun 90 7:31:31>, Patrick Curry (1:133/425) writes:
>
> Rarely does a MAC get a virus It is an IBM phonomonum
                                ^^^^^^^^^^^^^^^^^^^^^^^

Tell it to an Amiga user !! B-)

--- FD 1.99c
 * Origin: The Edge of Reality .. THE NIGHTMARE BEGINS ! (3:640/886)

Msg#: 3181 *Virus Info* 08-30-90 13:01:00 (Read 7 Times)
From: BRIAN WENDT
To: ALL
Subj: NEWSPAPER CLIPPING

The following item appeared in a newspaper in Brisbane, Australia yesterday. Anyone care to comment?

VIRUS ATTACKS STATE'S PERSONAL COMPUTERS

A sophisticated computer virus is feared to have infected Queensland Government and home computers.

The COMPUTER VIRUS INFORMATION GROUP at the QUEENSLAND UNIVERSITY OF TECHNOLOGY has issued its first major warning to personal computer users about the virus.

The virus, initially detected by the Israeli defence force, freezes computers on September 22, the birthday of a character in Tolkien's book, 'Lord of the Rings'.

A computer virus is a program designed to attach copies of itself to software and disable a computer system, or destroy files.
Acting technologist, MR EMLYN CREEVY said the warning was issued after a State Government public servant gave the virus to the group for investigation.

Mr Creevy said computers infected with the virus - known as FRODO, 4096, or CENTURY - would freeze on September 22 or until the end of the year unless it was removed.

He said the group expected to know if the virus had infected computers in Queensland next week after users report the results of searches they were requested to conduct.

The group warned all personal computer operators that there was a bug in the FRODO virus which prevented it from displaying a message 'FRODO LIVES' on September 22 and instead caused the computer to 'hang' or freeze.

"It is from the FRODO name that the significance of the 22nd September can be identified," they said. "This is the birthday of Frodo Baggins in Tolkien's story. Users are advised to check for the virus as soon as possible."

Mr Creevy said the virus had the ability to avoid detection and spread but was not 'seriously destructive'. He said it could become damaging if an expert could disassemble the virus and change the instructions to wipe the computer's disk.

"I'd say there's people working on it somewhere although probably not in Australia," Mr Creevy said.

An expert would have created the Frodo virus because it had only one bug while most viruses had more. Mr Creevy said more than 100 viruses were believed to exist worldwide.

ENDS

Brian Wendt
Sysop SUNMAP BBS
--- Maximus-CBCS v1.02
 * Origin: Sunmap BBS Node 5 (HST/DS) - Brisbane - Australia (3:640/206)

Msg#: 3182 *Virus Info* 08-28-90 19:33:00 (Read 7 Times)
From: SANDY LOCKE
To: PATRICK TOULME
Subj: REPLY TO MSG# 3177 (RE: HAVE ANYONE TRIED SECURE ?)

MM> Maybe I should say all virus that are in the "public domain".
MM> Virus 101 is a research virus that only a few people have (and
MM> you wrote). Nothing is foolproof but Secure is better than any
MM> other interrupt monitor.
PT>
PT> I agree with you, Mike.
and I have to concur with patrick, out of all the TSR type monitor programs out there, SECURE is indeed the best of the group... BUT PLEASE do NOT depend upon this as your ONLY protection... as one part of a multilayered protection scheme it would be fine... I guess my real problems with it stem from the NAME that Mark Washburn has chosen...it can mislead the neophyte too easily...into thinking that it really is the be-all and end-all of protection...I wouldn't hesitate to recommend it over the so-called commercial products in this class... BUT again NOT as a SOLE protection against viruses... sorry for any confusion my comments may have caused...

cheers
sandy
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3183 *Virus Info* 08-28-90 19:35:00 (Read 6 Times)
From: SANDY LOCKE
To: ALAN DAWSON
Subj: REPLY TO MSG# 2749 (RE: VIRUS SCANNERS....)

DS> You can't win on this! I've been downloading for quite a while
DS> - always running a virus checker on the information. So, where
DS> did our virus come from? Off a shrink-wrapped anti-virus
DS> diskette one of our guys picked up in the US!
AD> Nothing new about this, as people learn all the time. One MAJOR
AD> company (really big, really well known) has shipped shrink-wrapped
AD> viruses twice -- once on purpose! Shrink wrap doesn't keep the bugs
AD> out.

UH ALAN... you mind sending the NAME of this vendor via private e-mail... accidentally I can understand BUT ON PURPOSE??? what end would this kind of action serve???

cheers
sandy
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3184 *Virus Info* 08-28-90 19:44:00 (Read 6 Times)
From: SANDY LOCKE
To: KEN DORSHIMER
Subj: REPLY TO MSG# 2905 (RE: CRC CHECKING)

well close... without discussing HOW its done... the file length is altered back to the original length...
it's not that hard and does point out one of the MAJOR problems with crc scanners...that is that the critical information that tells the operating system how long the file is can be altered at will... as far as the comments of a virus author disassembling the CRC package it's commonly done during product testing to find out ahead of time what algorithms are in use by the product... it really depends on the level of security one wants for one's PC... I really wouldn't put it past a good virus author to specifically target anti-viral programs in this fashion... as far as disassemblies being hard... well I do an average of 5-6 per day with files ranging in size from 2k to 90k (although I will admit that some of the trickier ones do cause head scratching occasionally...) note that i said programs and not specifically viruses...

cheers
sandy
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3185 *Virus Info* 08-28-90 19:53:00 (Read 6 Times)
From: SANDY LOCKE
To: TOM PREECE
Subj: REPLY TO MSG# 2911 (RE: REMAPPING...)

TP> As you may see by looking at my other entries, I have been loading a c
TP> program that is clearly implementing software to remap my keys to s ce
TP> extent. If this is possible as a glitch, it is obviously possible as
TP> attack. Let's hope it never comes to that.

Tom, without adding too much fuel to any fire... certain non-communication programs are susceptible to the ANSI programmable attack... on my end I run no program that implements ANSI3.64 terminal control language without having a way to turn those "FEATURES" off... certain programs without mentioning brand names do allow this. if the echo moderator allows I will post a list of good and bad programs in this regard... so that you can all protect yourselves better...(n.b. after being chewed out by the moderator I am constraining my comments carefully...)

cheers
sandy

p.s.
these attacks have been common since programmable terminals came into being during the middle 1970's. the problem is that when these features were implemented in comm programs the possibility arose that it was possible for malicious individuals to finally do some real damage...the way to protect yourself is to STOP using programs that implement such features and switch to others that are more secure in their usage of such features...

--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3186 *Virus Info* 08-29-90 05:44:00 (Read 6 Times)
From: PATRICIA HOFFMAN
To: SANDY LOCKE
Subj: REPLY TO MSG# 3185 (RE: REMAPPING...)

SL> attack... on my end I run no program that implements ANSI3.64
SL> terminal control language without having a way to turn those "FEATURES
SL> " off... certain programs without mentioning brand names do allow
SL> this. if the echo moderator allows I will post a list of good and bad
SL> programs in this regard... so that you can all protect yourselves
SL> better...(n.b. after being chewed out by the moderator I am
SL> constraining my comments carefully...)

Please feel free to go ahead and post the list. Was just trying to keep you out of trouble, you do sometimes get over excited in messages...didn't mean for it to be "chewing out".

Patti
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3187 *Virus Info* 08-29-90 06:27:00 (Read 7 Times)
From: PATRICIA HOFFMAN
To: PHILLIP LAIRD
Subj: REPLY TO MSG# 2996 (RE: ONTARIO VIRUS)

PL> Nope, I don't have the Ontario Virus that I know of! I read about the
PL> Virus after I had posted to you, Thanx for the info. Nice to know
PL> where it loads in Mem, that would make a util easier to write once I
PL> had a fix on what you have already told me.
PL>

Ontario loads into the top of free memory, right below the 640K boundary. It takes up 2,048 bytes.
If you run chkdsk after it is in memory, both total system memory and free available memory will have decreased by 2,048 bytes.

Patti
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3326 *Virus Info* 08-30-90 15:05:00 (Read 6 Times)
From: KEN DORSHIMER
To: SANDY LOCKE
Subj: REPLY TO MSG# 3184 (RE: CRC CHECKING)

...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Sandy Locke was saying:

SL> well close... without discussing HOW its done... the file length is
SL> altered back to the original length... its not that hard and does
SL> point out one of the MAJOR problems with crc scanners...that is that

interesting why don't you drop me some net-mail on this (see origin line)

SL> the critical information that tells the operating system how long the
SL> file is can be altered at will... as far as the comments of a virus
SL> author disassembling the CRC package its commonly done during product
SL> testing to find out ahead of time what algorithms are in use by the

i think that's one of the things i mentioned; that they would have to have pre-existing knowledge of the crc scheme in order to make that work.

SL> product... it really depends on the level of security one wants for
SL> ones PC... I really wouldn't put it past a good virus author to
SL> specifically target anti-viral programs in this fashion... as far as

one of the reasons i am interested in developing my own anti-viral utils for my software business. i figure if they stay primarily in house, the chance that some bozo will screw around with them and try to break them is reduced.

SL> disassemblies being hard... well I do an average of 5-6 per day with
SL> files ranging in size from 2k to 90k(although I will admit that some
SL> of the trickier ones do cause head scratching occasionally...) note
SL> that i said programs and not specifically viruses...
SL> cheers sandy

heh, yup source to assembled is always easier than the reverse process, of course there's head scratching that goes on at that end too. :-) the client said he wanted it to do what?!

...just part of the food chain...
--- ME2
 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 3327 *Virus Info* 08-29-90 11:37:00 (Read 6 Times)
From: PAUL FERGUSON
To: EVERYONE
Subj: FLOPPY MBR BACKUP

I had originally posted this question to the moderator, but after a little thought decided that I would be sure to receive a myriad of answers from the ECHO participants if asking the question here, also..... It is simply this: Does anyone have any decent (and simple) suggestions for extraction of the floppy MBR???.....There are several very good utilities in the public domain for strictly Hard Drive Boot Sector (ie. ST0) and other utilities contained within, say for instance, PCTools, that can back-up the HARD Drive Partition Table (I forgot to mention several PD programs to back-up the FAT).....But, almost all of these that I have seen pertain to the HDU! I realize that there are ways to write it to a file using certain SPY-type programs, but what I am really interested in is a simplified program that is easy to use at the lowest end of the USER pyramid -Thanks in advance for your suggestions and assistance.....

-Paul
^@@^.........
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3328 *Virus Info* 08-29-90 18:46:00 (Read 6 Times)
From: PAUL FERGUSON
To: EVERYONE
Subj: STEALTH FAMILY

I have read with great interest the July editions of VIRUS-L digest (along with about the first week or so of August) and cannot, for the life of me, figure the almighty hype with The (noticed that I capitalized that!) Stealth Family of Virus....Only a Trojan should deserve such attention.....If one takes appropriate precautionary measures, then the virus will (theoretically) be caught in memory..
...that is, it will make (and reside) a noticeable difference in vectoring.....I truly believe WAY too much hype (Ok, maybe that is a little strong!) has been given to this.....Yes, it can be a true menace if one does not expect such a rogue, but come on.......I downloaded some code today....Yes, I must say it IS quite ingenious, but at the same time, I must also say, I enjoy the work I do, etc....

PS.....Patrick Toulme, Check your E-Mail....

........"The Delicate Sound of Thunder".......
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3329 *Virus Info* 08-29-90 22:07:00 (Read 6 Times)
From: PAUL FERGUSON
To: EVERYONE
Subj: LATENITE

Ok, so we're up again in the pale moonlite (unquote)... Next question (in particular, to you, Sandy) is: What diverse opinions do you have concerning those that, also, fight the battle on the front lines (I'm not alluding to who has any more experience, to wit)...I feel that many of us (Tech Support/Slash/Gov't Contractors)(No, We're not scum, nor unknowledgeable) have done much to benefit the Anti-Viral Research Community.....I would like a little input on this topic.....

.......We're not all BAD guys!........
--- QM v1.00
 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3330 *Virus Info* 08-31-90 13:05:00 (Read 6 Times)
From: HERB BROWN
To: ALL
Subj: PKZ120.ZIP

I was informed that there is a bad version of PKZIP floating around by the name of PKZ120.ZIP.. I am not sure if it is viral or not, but delete it if you find it..

--- QM v1.00
 * Origin: Delta Point (1:396/5.11)

Msg#: 3331 *Virus Info* 09-01-90 11:34:00 (Read 7 Times)
From: DEREK BILLINGSLEY
To: ALL
Subj: POSSIBLE VIRUS?

This just hit me today - I am not sure if it is some kind of system error or a potential virus. Last night (September first) and before gave me no indication of any virus being present on my system.
It is now September 1st and now, whenever a file is written to disk (I noticed the text files first, but a downloaded zip'd file was also garbled...) it took out about 10 bytes from the beginning of each line... When I realized this may be set to occur on this date, I set my DATE back a night and everything worked fine... I made a sample text file with a known pattern of characters -- any date past September 1st 1990 leaves the file altered as mentioned above. Any date previous is written unharmed... SCANV56 reports only that the SCAN program is damaged - no disk presence of the source is evident. Has anyone heard of something like this happening?

Derek Billingsley
--- SLMAIL v1.36M (#0198)
 * Origin: Atlantic Access SJ/NB 1-506-635-1964 HST You can Run With Us ! (1:255/1)

Msg#: 3354 *Virus Info* 08-29-90 09:02:00 (Read 6 Times)
From: CY WELCH
To: SANDY LOCKE
Subj: REPLY TO MSG# 2759 (KEYBOARD REMAPPING....)

In a message to Cy Welch <25 Aug 90 6:39:00> Sandy Locke wrote:

>CW> In a message to Everyone <16 Aug 90 6:32:00> Paul Ferguson wrote:
> PF> Isn't it possible to remap some (or any) keyboard functions via
> PF> communications with some funky ANSI control characters?....I seem to
> PF> remember mention of this somewhere.....I really can't remember if was
> PF> in the form of a question, though, or an answer.....It also made
> PF> mention of PKWare's Safe-ANSI program...Somebody help us out here...
>CW> I think most of the "FAST" ansi replacements do not have the keyboard
>CW> remapping so that danger is removed in those cases.
SL> Well if you are referring to FANSI.SYS by Hersey Microsystems it too
SL> is vulnerable to remap effects... and since it implements FULL ANSI 3.64
SL> terminal control codes plus some extensions it is even more vulnerable
SL> to a whole class of tricks that go way beyond normal keyboard
SL> remapping... but to their credit they have included a way to turn this
SL> "FEATURE" OFF...
SL> just most users get it off a BBS and never order or
SL> look at the 50.00 set of docs that come when you pay for the
SL> products...
Actually I was referring to zansi.sys, which is a high speed replacement; part of what they did to get the speed was to remove the keyboard remapping functions.
--- XRS! 3.40+ * Origin: Former QuickBBS Beta Team Member (99:9402/122.1) (Quick 1:125/122.1)

Msg#: 3355 *Virus Info* 08-26-90 15:45:00 (Read 6 Times) From: MIKE MCCUNE To: SANDY LOCKE Subj: SECURE
Sandy, Thanks for the information. I suspected that Secure probably had some holes in its protection scheme and that someone knew about it. I am curious about how the modified Jerusalem-B got around it. I'm pretty sure how Virus 101 does it (the Air Force uses it) but I would like to know if there are any other holes in Secure...
--- Opus-CBCS 1.13 * Origin: The Slowboat BBS (404-578-1691) Atlanta, GA (1:133/311.0)

Msg#: 3477 *Virus Info* 09-01-90 15:56:00 (Read 6 Times) From: KEN DORSHIMER To: HERB BROWN Subj: REPLY TO MSG# 3330 (RE: PKZ120.ZIP)
> > I was informed that there is a bad version of PKZIP floating
> around by the name of PKZ120.ZIP.. I am not sure if it
> is viral or not, but delete it if you find it..
seem to remember seeing something about this a couple of months ago. mostly, i wanted to drop a line and say "hey". got your net-mail, hopefully if the routing is working right, you got a response. :-) how's new orleans this time of year? later.
--- Opus-CBCS 1.12 & NoOrigin 3.7a --- QM v1.00 * Origin: Ion Induced Insomnia (1:203/42.753)

Msg#: 3478 *Virus Info* 09-02-90 10:45:00 (Read 6 Times) From: JAMES KLASSEN To: PRAKASH JANAKIRAMAN Subj: REPLY TO MSG# 2909 (LEPROSY)
I have a copy of the Leprosy virus along with its source and "documentation". What it does is copy itself to 4 exe or com files each time it is run and produce a memory error code so the user thinks there is a problem with memory and runs it again.
After all the com and exe files have been infected, it displays a message that they have a virus and "Good luck!"... It increases file sizes by 666 but when I tested it on a floppy, the bytes didn't increase...
--- W2Q v1.4 * Origin: The C.F.I BBS * Norfolk, Va. * (804)423-1338 * (1:275/328)

Msg#: 3479 *Virus Info* 09-01-90 07:18:00 (Read 6 Times) From: YASHA KIDA To: PAUL FERGUSON Subj: REPLY TO MSG# 3329 (LATENITE)
In a message of <29 Aug 90 22:07:29>, Paul Ferguson (1:204/869) writes:
PF> EID:6368 151db0ee
PF> Support/Slash/Gov't Contractors)(No, We're not scum, nor
PF> unknowledgeable) have done much to benefit the Anti-Viral Research
PF> Community.....I would like a little input on this topic.....
PF>
I am a private contractor for a large network installation and support company. I work for the good of the customer and the population (users). I hear the phrases "SLIMY CONTRACTOR" and "M.F.C." every day. I also hear "Can this be done", "Would you look into this...", "What are your suggestions so I can put them in my report" when things get deep. We are the WHIPPING BOYS and EMERGENCY 911 all in one. I am sure there are software contractors who have planted or released a virus at contract renewal time, to show how much they are needed. There are also those of us who want to see their job sites safe from such problems. We are the ones who, on our own time (non-paid), compile information on ways to safeguard our data from compromise or viral attacks. The anti-viral research done by Mrs. Hoffman (PAT) and John McAfee's group is carefully read and evaluated on my end. I am sure it has saved many a rear from a bear trap.
--- msged 1.99S ZTC * Origin: Bragg IDBS, (FT.
Bragg, NC - we're gonna kick some booty) (1:151/305)

Msg#: 3480 *Virus Info* 09-02-90 19:19:00 (Read 6 Times) From: HERB BROWN To: KEN DORSHIMER Subj: REPLY TO MSG# 3477 (RE: PKZ120.ZIP)
With a sharp eye , Ken Dorshimer (1:203/42.753) noted:
> > I was informed that there is a bad version of PKZIP floating
> around by the name of PKZ120.ZIP.. I am not sure if it
> is viral or not, but delete it if you find it..
KD>
KD>seem to remember seeing something about this a couple of months ago.
KD>mostly, i wanted to drop a line and say "hey". got your net-mail,
KD>hopefully if the routing is working right, you got a response. :-)
KD>how's new orleans this time of year? later.
KD>
Hmmmm, first time I heard of this file. How long ago did it appear? Rained Sunday and had to BBQ inside. Made watching TV a little hard, but we managed.
--- QM v1.00 * Origin: Delta Point (1:396/5.11)

Msg#: 3630 *Virus Info* 09-01-90 20:49:00 (Read 6 Times) From: PAUL FERGUSON To: KEN DORSHIMER Subj: REPLY TO MSG# 3326 (RE: CRC CHECKING)
Ken... I've GOT to agree with you on this one....only preconceived CRC defeaters are just that...preconceived....no such luck...
--- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 3813 *Virus Info* 09-01-90 13:11:00 (Read 6 Times) From: KEVIN HIGGINS To: JAMES DICK Subj: SECURING YOUR UPLOADS
I've got checkout, and while it's a pretty neat program, there are a few things I don't like about it, the main one being the initial memory scan. I also don't like the auto-pause that seems to be at the beginning of it. That means running gateway, which means the user may be able to get into DOS and party. (have heard of Key-fake, but never seen it around to play with it..). TAG calls a file named postul.bat after every upload (if the .bat file is present), so I hacked up this .bat file to auto-check for virii.
But I'm not smart enough to know how to use the %%f in a batch file to have it run through for all the files in the active directory (for batch uploads)... Maybe there's a genius out there who can help. FYI the parameters passed to the .bat file are: [Baud] [ComPort] [User#] [U/L Dir] [Filename]. Here it is. Chuckle, then help make it better.

echo off
cd\bbs\uploads
echo Verifying latest Pkzip version...... > com2
REM This program checks file integrity.
ozf -v %5 > com2
echo : > com2
REM These are the directories I don't want checked.
if %4 == D:\ZIPSTUFF\WRITERS\ goto end
if %4 == D:\ZIPSTUFF\AMIGA goto end
echo Testing file integrity, and checking for virii. > com2
echo Please wait..... (this is the scary part, eh?) > com2
echo : > com2
echo Moving the suspect file to a sterile cell for interrogation.... > com2
REM This moves the file to an empty directory for the examination.
move %4%5 d:\bbs\bads
echo File is now undergoing interrogation... > com2
cd\bbs\bads
pkunzip -x D:\bbs\bads\%5 *.exe *.com > com2
REM Test the errorlevel after each SCAN run; the second run resets it,
REM so a single test after both would ignore an infected .EXE.
scan d:\bbs\bads\*.exe /NOMEM > com2
if errorlevel 1 goto Oops
scan d:\bbs\bads\*.com /NOMEM > com2
if errorlevel 1 goto Oops
echo Alright! (whew) File passed. > com2
del *.exe
del *.com
echo Almost finished. Releasing innocent file back into public. > com2
move %5 d:\bbs\uploads
echo : > com2
echo Now adding (Nested) zip comment to file... > com2
cd\
REM This adds the Hornet's Nest comment to the .Zip file.
call d:\commentr.bat
cd\bbs
echo Thanks for waiting!..
goto end
:Oops
echo Arrrrgghhhhh! File had a virus! File deleted! > com2
erase *.*
echo Logging your name to Scumbag.lst! > com2
echo Hey, Kato! User number %3 tried to upload a virus infected file! >> d:\fd\scumbag.lst
echo Maybe you need to leave a message to Kato, eh? > com2
cd\bbs
:end

Also, I have a program that will make a .com file out of a .bat file, for faster processing. Any reason why this couldn't be done with the above .bat file?
How about after the %%f is added? Kevin
--- TAGMAIL v2.40.02 Beta * Origin: The Hornet's Nest BBS (1:128/74)

Msg#: 3814 *Virus Info* 09-03-90 23:40:00 (Read 5 Times) From: RICK THOMA To: HERB BROWN Subj: REPLY TO MSG# 3480 (RE: PKZ120.ZIP)
> Hmmmm, first time I heard of this file. How long ago did it
> appear?
I have a copy, and think it came out around March, or so. At the time, SCANV detected no virus, but I thought better of running it. Sorry, folks. Whatever it is, it isn't available for downloading, so please don't ask. I'm just waiting for the time to pick it apart, to see just what kind of hack it is.
--- FD 2.00 * Origin: Village BBS, Mahopac, NY 914-621-2719 *HST* (1:272/1)

Msg#: 3815 *Virus Info* 09-03-90 03:38:00 (Read 5 Times) From: KEN DORSHIMER To: PAUL FERGUSON Subj: REPLY TO MSG# 3630 (RE: CRC CHECKING)
...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Paul Ferguson was saying:
PF> Ken... I've GOT to agree with you on this one....only preconceived CRC
PF> defeaters are just that...preconceived....no such luck...
PF>
that's what i figured. that is if you're responding to the msg i think you're responding to. what the hell does that mean?
...space is merely a device to keep everything from being in the same spot...
--- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 3816 *Virus Info* 09-03-90 18:03:00 (Read 5 Times) From: KEN DORSHIMER To: HERB BROWN Subj: REPLY TO MSG# 3814 (RE: PKZ120.ZIP)
...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Herb Brown was saying:
HB> Hmmmm, first time I heard of this file. How long ago did it appear?
HB> Rained Sunday and had to BBQ inside. Made watching TV a little hard,
HB> but we managed.
i think it was a couple of months ago. which means any mention of it has long since been renumbered off my system. yup BBQing indoors does have a certain mystique.
i know dinner is ready when the smoke alarm goes off.
...space is merely a device to keep everything from being in the same spot...
--- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 3817 *Virus Info* 09-03-90 18:08:00 (Read 7 Times) From: KEN DORSHIMER To: DEREK BILLINGSLEY Subj: REPLY TO MSG# 3331 (RE: POSSIBLE VIRUS?)
...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting DEREK BILLINGSLEY was saying:
DB> This just hit me today - I am not sure if it is some kind of system
DB> error or a potential virus.
DB>
DB> Last night (September first) and before gave me no indication of any
DB> virus being present on my system. It is now September 1st and now,
DB> whenever a file is written to disk (I noticed the text files first,
DB> but a downloaded zip'd file was also garbled...) it took out about 10
DB> bytes from the beginning of each line...
DB>
could you send a copy of what you believe is infected to me? i'd like to analyse this myself, thanks. my address is: Dorshimer Software Systems P.O. Box 191126 Sacramento, Ca. 95819-1126 USA
...space is merely a device to keep everything from being in the same spot...
--- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 3818 *Virus Info* 09-03-90 20:57:00 (Read 4 Times) From: JOHN HERRBACH To: ALL Subj: PUBLIC KEY ENCRYPTION
Does anyone know the status or progress in regards to public key encryption? Thanks. John {|-)
--- ME2 * Origin: The Lighthouse BBS/HST; Lansing, MI; 517-321-0788 (1:159/950)

Msg#: 3819 *Virus Info* 09-01-90 20:26:00 (Read 5 Times) From: SEAN SOMERS To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 3186 (RE: REMAPPING...)
Off topic here, anybody out there encounter the French Revolution virus? I was the first out here to discover it. What it does is nuke your HD while displaying an anti-Western/English speaking Canadians.
--- outGATE v2.10 # Origin: SIGnet International GateHost (8:7501/103) * Origin: Network Echogate (1:129/34)

Msg#: 3938 *Virus Info* 09-06-90 11:51:00 (Read 13 Times) From: YASHA KIDA To: SKY RAIDER (Rcvd) Subj: REPLY TO MSG# 2995 (RE: VIRUS ORIGINALS)
GLAD TO SEE SOMEONE does their homework... Well written.. If you don't mind I wish to post it as a bulletin on my System (BBS).. Rewritten as a document instead of a msg reply... ' Yasha sysop 151/305 "What do you do when all of your users are in the sand lands, without a phone."
--- Maximus-CBCS v1.00 * Origin: Bragg IDBS, We hunt bugs for the 82nd Airborne (1:151/305)

Msg#: 3974 *Virus Info* 09-08-90 13:42:35 (Read 5 Times) From: SKY RAIDER To: YASHA KIDA Subj: VIRUS POST ON BBS
Yasha, You write:
GLAD TO SEE SOMEONE does their homework... Well written.. If you don't mind I wish to post it as a bulletin on my System (BBS).. Rewritten as a document instead of a msg reply...
Sure, no problems in rewriting and posting on your system. I try not to enter into this type of a conversation without at least a bit of a footing in fact. I wish I could find the original document I had quoting these things (it had names, dates, etc.). How about giving me your system number so I can call and see the finished form (never been quoted in this manner before). A questor of knowledge, Sky Raider Ivan Baird, CET
--- TBBS v2.1/NM * Origin: Northern Connection, Fredericton, N.B. Canada (1:255/3)

Msg#: 4025 *Virus Info* 09-06-90 13:32:00 (Read 6 Times) From: JONO MOORE To: JOE MORLAN Subj: REPLY TO MSG# 3157 (LHARC114?)
JM >I had heard that an infected version of LHARC was released
JM >last year under the name LHARC114. I also heard that
JM >because of that, the next release of LHARC was expected to
JM >be LHARC200 to avoid confusion with the virus. This week a
JM >file appeared on a local board called LHARC114. I left a
JM >message to the sysop to check it out and he says it's clean.
JM >The docs say that this is version 114b, the latest version.
LHARC v1.14b is a real release. The author brought it out after the controversy on the fake 1.14 release.
--- outGATE v2.10 # Origin: SIGnet International GateHost (8:7501/103) * Origin: Network Echogate (1:129/34)

Msg#: 4026 *Virus Info* 09-05-90 19:47:00 (Read 5 Times) From: PATRICIA HOFFMAN To: PAUL FERGUSON Subj: LET ME REPHRASE THAT.....
PF> Actually, I really should have said "virtually preconceived".
PF> From what I can gather on the topic (I don't yet have a copy of 4096),
PF> they actually redirect CRC/Checksum interrogators to a "snapshot" of
PF> the original file as it appeared before infection.(Someone, I'm sure,
PF> will correct me if I'm wrong or at least add enlightenment.)
You are correct.....What the CRC/Checksum interrogator sees, if 4096 is in memory, is the disinfected version of the program in memory, not what is actually out on disk. Fish 6 also does this, as do a couple of other viruses using Stealth techniques.
PF> The infected file, in the case of 4096, has in reality grown by 4096
PF> bytes and would more than likely hang the system, therefore, which
PF> would lead me to believe that running the CRC check without the virus
PF> TSR would allow you to identify the actual infected files. Also, it
PF> seems like the only way to catch it TSR is to trace the interrupt
PF> vectors (although everyone seems to have a little bit of differing
PF> ideas on this '->)
Lots of 4096 infected files will run without hanging the system....the virus disinfects the program when it is read into memory so that anti-viral packages can't find the virus as easily. CRC checkers and scanners won't be able to find it in the infected file if the virus is in memory; in fact, these viruses usually infect on file open as well as execute. Run a CRC checker or scanner that doesn't check memory for the virus with it present and you'll infect everything that is opened that meets its infection criteria.
If the virus isn't in memory, the CRC checker technique will work to identify the infected files in 99% of the cases. I'm not going to say 100% because I believe some of the 512 virus variants can get around it due to the way it attaches to the files in some cases, but not all. Some CRC checkers don't actually CRC the entire file either....and as soon as I state it is a foolproof way of doing it, someone will write a virus that gets around it perfectly in all cases. Patti
PF> Until I can get my hands on this little fellow, I guess that I'll
PF> just follow the more logical explanations from the sources with
PF> credibility and make a judgement from that! Sounds credible. But, as I've
PF> said before- I sure would like to see it.
PF>
PF> I've been following several different message base threads on
PF> this particular virus, with input from users at the basic levels to BBS
PF> SysOps to the AntiViral research community.......I must say, it gets
PF> overwhelming at times to keep objective. *:)
PF>
PF> -Paul
PF>
PF>
PF> --- QM v1.00
PF> * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813
PF> (1:204/869.0)
PF>
--- W2Q v1.4 * Origin: The C.F.I BBS * Norfolk, Va. * (804)423-1338 * (1:275/328)

Msg#: 4027 *Virus Info* 09-07-90 12:48:00 (Read 4 Times) From: MICHAEL ADAMS To: RICHARD HUFFMAN Subj: RE: ARC.EXE
Thank you for the warning .... I'll keep an eye out for it.
--- Maximus-CBCS v1.00 * Origin: The Southern Star - SDS/SDN/PDN - 504-885-5928 - (1:396/1)

Msg#: 4028 *Virus Info* 09-07-90 20:21:00 (Read 5 Times) From: HERB BROWN To: JONO MOORE Subj: REPLY TO MSG# 4025 (LHARC114?)
JM >I had heard that an infected version of LHARC was released
JM >last year under the name LHARC114. I also heard that
JM >because of that, the next release of LHARC was expected to
JM >be LHARC200 to avoid confusion with the virus. This week a
JM >file appeared on a local board called LHARC114. I left a
JM >message to the sysop to check it out and he says it's clean.
JM >The docs say that this is version 114b, the latest version.
JM>LHARC v1.14b is a real release. The author brought it out after the
JM>controversy on the fake 1.14 release.
JM>
Now, how is someone going to know the difference? That is about as dumb as BBQ'ing indoors and forgetting to open the windows... Sheesh..
--- QM v1.00 * Origin: Delta Point (1:396/5.11)

Msg#: 4029 *Virus Info* 09-07-90 20:25:00 (Read 4 Times) From: HERB BROWN To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 4026 (LET ME REPHRASE THAT.....)
PH>can't find the virus as easily. CRC checkers and scanners won't be able to
PH>find it in the infected file if the virus is in memory, in fact, these viruses
PH>usually infect on file open as well as execute. Run a CRC checker or Scanner
PH>that doesn't check memory for the virus with it present and you'll infect
PH>everything that is opened that meets its infection criteria.
I seem to be missing something here. As I understand it, to check for virii with a scanner, such as SCAN, or whatever, you boot from an uninfected floppy that has SCAN residing on it. Ok, now, how would a virus that works as a TSR, that probably is loaded from the boot sector of the hard disk, be loaded if you are booting from the floppy? Which, the floppy being write protected, of course, would not have this viral infection. I was under the assumption that the BIOS first checked drive A: at bootup for a disk, etc. It seems that it would be impossible to find a virus in memory with this type of scheme.. Please enlighten me..
--- QM v1.00 * Origin: Delta Point (1:396/5.11)

Msg#: 4030 *Virus Info* 09-07-90 17:03:00 (Read 5 Times) From: TALLEY RAGAN To: MIKE MCCUNE Subj: REPLY TO MSG# 2910 (RE: REMOVING JOSHI)
In a message to Talley Ragan <09-04-90 16:04> Mike Mccune wrote:
MM>>I have posted a new version that checks for the virus before
MM>>trying to remove it (now that I have a working copy of the virus).
MM>>It will not damage the partition table on uninfected hard disks....
Thanks for the information. This was very educational, as I have had one case of a virus. I don't know how it worked, but the screen would show all garbage and then the computer would hang. I low level formatted the hard disk and restored from good backups. I sure would like to know how it got to me and where it came from!!... Thanks again. Talley
--- ZAFFER v1.01 --- QuickBBS 2.64 [Reg] Qecho ver 2.62 * Origin: Southern Systems *HST DS* Tampa Fl (813)977-7065 (1:377/9)

Msg#: 4031 *Virus Info* 09-05-90 21:23:00 (Read 5 Times) From: TOM PREECE To: HERB BROWN Subj: REPLY TO MSG# 3816 (RE: PKZ120.ZIP)
I seem to remember running into this file several months ago. I don't remember concluding that it had a virus - just that it didn't work properly. The sysop on the system that had it apparently reached the same conclusion or something similar because it disappeared here (SF Bay Area.)
--- TBBS v2.1/NM * Origin: G.A.D.M. Multi-User TBBS Hayward,CA.(415) 581-3019 (1:161/208)

Msg#: 4032 *Virus Info* 09-06-90 19:15:00 (Read 5 Times) From: KEN DORSHIMER To: PAUL FERGUSON Subj: REPLY TO MSG# 4029 (RE: LET ME REPHRASE THAT.....)
...at a time when Western civilization was declining too rapidly for comfort, yet too slowly to be very exciting Paul Ferguson was saying:
PF> Ken- This is a continuation of msg.# 156 (I dropped the
just FYI the msg numbers don't have much bearing here. on my system it was #75 or something. :-)
PF> don't yet have a copy of 4096), they actually redirect CRC/Checksum
PF> interrogators to a "snapshot" of the original file as it appeared
PF> before infection.(Someone, I'm sure, will correct me if I'm wrong or
interesting. seems there would be some simple method of circumventing what the virus does.
(i don't have a copy of that one yet either)
PF> system, therefore, which would lead me to believe that running the CRC
PF> check without the virus TSR would allow you to identify the actual
PF> infected files. Also, it seems like the only way to catch it TSR is to
PF> trace the interrupt vectors (although everyone seems to have a little
i've always thought that by having your own TSR grab the interrupts first might be a good way to stop unwanted TSRs from grabbing them. (i'm sure someone will argue the point tho)
...space is merely a device to keep everything from being in the same spot...
--- ME2 * Origin: Ion Induced Insomnia (Fidonet 1:203/42.753)

Msg#: 4278 *Virus Info* 09-08-90 13:51:00 (Read 5 Times) From: DUANE BROWN To: PHILLIP LAIRD Subj: REPLY TO MSG# 3813 (SECURING YOUR UPLOADS)
PL>present. I have the Key fake program if it will help you!
PL>That file will enter the "Y or N" Question when the batch
PL>file comes to Are you sure? Y or N. Meaning you had the
PL>batch file to delete all programs in the temp check
That's easy to fix. For the problem with del *.* just do echo y | del *.* and the Y gets placed in there automatically...no Keyfake, nothing!
--- * Origin: End of the Line. Stafford, Va. (703)720-1624. (1:274/16)

Msg#: 4279 *Virus Info* 09-07-90 12:45:00 (Read 5 Times) From: CHARLES HANNUM To: PHILLIP LAIRD Subj: REPLY TO MSG# 4031 (RE: PKZ120.ZIP)
>Didn't someone say that because someone had already hacked an earlier
>version of PKZIP that 120 would be the next scheduled release?
>Anybody have any info?
Yes. Phil Katz said it.
--- ZMailQ 1.12 (QuickBBS) * Origin: The Allied Group BBS *HST* Buffett's Buddy (1:268/108.0)

Msg#: 4280 *Virus Info* 09-08-90 10:49:00 (Read 4 Times) From: JAMES BARRETT To: ALL Subj: SEPTEMBER 18-20, 1990
I have heard somebody mention that there will be a major virus in the next couple of weeks. What's the scoop? I'm involved in a college campus computer lab and need to know what's coming and how to prepare for it.
Will ScanV66 catch it???? Thanks in advance... --JCB
--- XRS 3.40+ * Origin: >- c y n o s u r e -< 919-929-5153 (RAX 1:151/501.14)

Msg#: 4281 *Virus Info* 09-08-90 17:39:00 (Read 4 Times) From: HERB BROWN To: KEN DORSHIMER Subj: REPLY TO MSG# 4032 (RE: LET ME REPHRASE THAT.....)
With a sharp eye , Ken Dorshimer (1:203/42.753) noted:
KD>i've always thought that by having your own TSR grab the interrupts first
KD>might be a good way to stop unwanted TSRs from grabbing them. (i'm sure
KD>someone will argue the point tho)
Depends on who got there first, I would presume.. Also, multiple TSRs would be a nightmare, colliding and such.
--- QM v1.00 * Origin: Delta Point (1:396/5.11)

Msg#: 4535 *Virus Info* 09-07-90 08:04:00 (Read 4 Times) From: PAUL FERGUSON To: DOUG EMMETT Subj: SCAN FROM C:
Hello, Doug.... Doug, I must tell you that it is not advisable to run ViruScan from your hard disc....It really should ALWAYS be run from a WRITE PROTECTED FLOPPY....Scan can become easily infected when run in an infected environment on a HD. BTW....Software that "Write Protects" your hard disc may work in some cases, but can be circumvented. Be safe..... -Paul
--- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 4536 *Virus Info* 09-07-90 08:06:00 (Read 4 Times) From: PAUL FERGUSON To: LONNIE DENNISON Subj: WELCOME...
Glad to have you........ Welcome aboard.... -Paul ^@@^........
--- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 4537 *Virus Info* 09-07-90 08:09:00 (Read 4 Times) From: PAUL FERGUSON To: RICHARD HUFFMAN Subj: REPLY TO MSG# 4027 (ARC.EXE)
Richard, Please E-mail me out of the conference....I would like to discuss this a little further......Better yet, contact me at the NCSA BBS in DC (202) 364-1304 at 1200/2400, 8,N,1.....I can be reached in the VIRUS Conference.....Thanks, -Paul
--- QM v1.00 * Origin: Excalibur/Virus_Info - Sunnyvale CA - 408-244-0813 (1:204/869.0)

Msg#: 4538 *Virus Info* 08-16-90 08:30:00 (Read 5 Times) From: ALAN DAWSON To: PATRICIA HOFFMAN Subj: REPLY TO MSG# 3183 (RE: VIRUS SCANNERS....)
PH> I just wish the people writing these viruses would find more
PH> useful things to do with their talents....
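The CRC-checking thread above (Paul Ferguson's "preconceived CRC defeaters" in Msg# 3630 and Patricia Hoffman's reply in Msg# 4026) turns on one question: can a program that knows which CRC a checker uses alter a file and still match the stored value? For CRC-32 it can, with four chosen bytes, because a CRC is a linear checksum rather than a keyed or cryptographic one. The Python below is an added example written for this page; it is not code from any message in the echo or from any product named here. It builds the standard CRC-32 table (the PKZIP/zlib polynomial), computes a 4-byte suffix that drives a modified file back to any target CRC, and contrasts that with a keyed HMAC-SHA256, which is assumed here as the fix and is not something the thread proposes. The program bytes, payload and key are constructed for the demonstration.

```python
"""CRC-32 integrity check versus a 4-byte CRC fix-up, with a keyed HMAC for contrast."""
import hashlib
import hmac
import zlib

CRC32_POLY = 0xEDB88320   # reflected CRC-32 polynomial used by PKZIP and zlib
MASK = 0xFFFFFFFF


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The high byte of every table entry is distinct; that is what lets the CRC be run backwards.
TOP = {entry >> 24: idx for idx, entry in enumerate(TABLE)}
assert len(TOP) == 256


def crc32(data: bytes) -> int:
    """Table-driven CRC-32; returns the same value as zlib.crc32(data)."""
    reg = MASK
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg ^ MASK


def matches_zlib(data: bytes) -> bool:
    return crc32(data) == zlib.crc32(data)


def forge_suffix(data: bytes, target: int) -> bytes:
    """Four bytes that, appended to data, make crc32(data + suffix) == target.

    Backward pass: from the wanted end register, recover the table index each of
    the last four bytes must select (the high byte of the register fixes it).
    Forward pass: from the real register after data, turn each index into the
    byte that selects it.
    """
    reg = crc32(data) ^ MASK      # internal register after data
    want = target ^ MASK          # internal register required after four more bytes
    idxs = []
    for _ in range(4):
        idx = TOP[want >> 24]
        idxs.append(idx)
        want = ((want ^ TABLE[idx]) << 8) & MASK   # upper 24 bits of the previous register
    suffix = bytearray()
    for idx in reversed(idxs):
        suffix.append((reg ^ idx) & 0xFF)
        reg = TABLE[idx] ^ (reg >> 8)
    return bytes(suffix)


def crc_check_detects(baseline: bytes, current: bytes) -> bool:
    """What a CRC checker sees: a change is reported only if the CRC moved."""
    return crc32(baseline) != crc32(current)


def hmac_check_detects(key: bytes, baseline: bytes, current: bytes) -> bool:
    """Keyed HMAC-SHA256 comparison; the key is assumed to be stored off the machine."""
    def tag(d: bytes) -> bytes:
        return hmac.new(key, d, hashlib.sha256).digest()
    return not hmac.compare_digest(tag(baseline), tag(current))


def demo() -> dict:
    # Constructed stand-in for a program file; not real executable code.
    program = bytes(range(256)) * 4
    # Naive append: the checker's CRC no longer matches.
    infected = program + b"<constructed payload>"
    # Append the 4-byte fix-up computed against the checker's own CRC: CRC unchanged.
    crafted = infected + forge_suffix(infected, crc32(program))
    key = b"constructed demo key"
    return {
        "crc_catches_naive": crc_check_detects(program, infected),
        "crc_catches_crafted": crc_check_detects(program, crafted),
        "hmac_catches_crafted": hmac_check_detects(key, program, crafted),
    }


if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name}: {caught}")
```

Run it and the CRC checker reports the naive append but not the crafted one, while the keyed HMAC reports both; the "(bytes changed)/(bytes in file)" odds only hold against a program that does not know the polynomial. This says nothing about the separate problem Patricia Hoffman raises: a resident stealth virus hands any checker the clean image, so even a keyed check only means something when it is run with the virus out of memory (clean boot from a write-protected floppy) and over the entire file.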