From lehigh.edu!virus-l  Wed Apr 14 03:57:10 1993 remote from vhc
Received: by vhc.se (1.65/waf)
	via UUCP; Wed, 14 Apr 93 18:01:17 GMT
	for mikael
Received: from fidoii.CC.Lehigh.EDU by mail.swip.net (5.65c8-/1.2)
	id AA14898; Wed, 14 Apr 1993 14:18:23 +0200
Received: from  (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA45655
  (5.67a/IDA-1.5 for <mikael@vhc.se>); Wed, 14 Apr 1993 07:57:10 -0400
Date: Wed, 14 Apr 1993 07:57:10 -0400
Message-Id: <9304141045.AA05988@first.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@first.org
Reply-To: <virus-l@lehigh.edu>
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk" <krvw@first.org>
To: Multiple recipients of list <virus-l@lehigh.edu>
Subject: VIRUS-L Digest V6 #61

VIRUS-L Digest   Wednesday, 14 Apr 1993    Volume 6 : Issue 61

Today's Topics:

Scanners getting bigger and slower
Integrity check & checksum
Re: Sending viruses over Internet
Ides of March Virus Conference
Re: Best Net Antivirus (Novell)
Is "Untouchable" (V-analist-3) effective? (PC)
Re: VSIG availability (PC)
Abe Lincoln Virus? (PC)
Strange COMMAND.COM virus.. Password? (PC)
ANSI viruses and things that go bump in the night (mostly PC)
viruses and compression (PC)
Windows 3.1 virus (PC)
Re: Superstor and McAfee (PC)
MSAV "Updates" ? (DOS 6.0) (PC)
Re: Vir-Sig (PC)
Re: New viruses warning (PC)
Re: Loa Duong (PC)
Identifying a virus: help needed (PC)
Brazil virus (PC)
Re: Unknown little virus? (PC)
Tequila problem... (PC)
Virus Data Base (PC)
Re: VI-SPY VS Central Point AntiVirus (PC)
Terminator 2 and Bert virus ?? (PC)
Help wanted with Dir-II virus (PC)
Censorship/40-Hex (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  (The complete set of posting guidelines is available by
FTP on cert.org or upon request.) Please sign submissions with your
real name.  Send contributions to VIRUS-L@LEHIGH.EDU.  Information on
accessing anti-virus, documentation, and back-issue archives is
distributed periodically on the list.  A FAQ (Frequently Asked
Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5).  Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@FIRST.ORG>.

   Ken van Wyk, krvw@first.org

----------------------------------------------------------------------

Date:    Sun, 04 Apr 93 12:31:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Scanners getting bigger and slower

 In a reply to frisk@complex.is (Fridrik Skulason)
 Inbar Raz writes on the issue of rare viruses hitting a PC:

 > However, the way I see it, when we're discussing
 > protection of BIG companies, as opposed to the protection
 > of private people, the chances of someone downloading a virus
 > from a board in order to deliberately upload it, are much
 > smaller, if existent at all. If a company is wise enough to
 > enforce a prohibition of disk exchange, and capable of doing
 > it, then the networks/modem connection are the only
 > way to get infected, and assuming those links are
 > reliable links with reliable sources, this reduces the
 > chance even further.

I wish it were so. If it were, then they wouldn't need an anti-virus in the
first place, and the PCs/networks etc. would work fine.

But take notice that *people* use these PCs, and wherever people are
involved anything could happen.  Someone can get a floppy from home
and run it on the network, or you can buy a *NEW* "clean" software
package to be used at work only (but the company that sold it to you
also has employees that jerk around with their PC at work), so
eventually, a virus can find its way into your PC in many ways, and you
cannot assume anything for a fact (unfortunately).

Just to remind you of the magazine in France that gave away
thousands of copies of infected floppies (FRODO virus), or several *major* 
companies in Israel that *SOLD* infected software....

Frisk wrote to Inbar:
 >> As I have said before - the number of viruses should not affect the speed
 >> significantly - memory shortage is a problem, however - in 5 years a virus
 >> scanner might require more than 640K of memory to run....but so what ?
 >> I think it is reasonable to expect "everybody" to have more memory than
 >> that in 5 years..

That is true; if the scanner is designed properly the number of viruses will 
have a small effect on the speed: suppose your method of checking a file for 
virus presence is based on an algorithm which generates the pointer to the 
data concerning the virus in your scanner, so there is always but *ONE* 
process per tested file running, and a second specific process for 
verification, whatever the number of viruses known at that time.

As for memory requirements, programs are converted more and
more into DPMI programs, so in Protected Mode the memory
problem is smaller...
Besides: most programs are becoming GENERIC programs, thus minimizing the 
need for a huge database for more and more viruses.

Warmly

* Amir Netiv. V-CARE Anti Virus, head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    07 Apr 93 06:53:22 +0000
From:    s907997@numbat.cs.rmit.OZ.AU (Paul Yue)
Subject: Integrity check & checksum

I am currently writing my master's thesis and am doing something about
an integrity check for computer viruses. If anyone has any information
about this subject I would appreciate it if they could e-mail it to
me. Any information whatsoever would be of great help and thank you in
anticipation for your submissions.

Paul Yue

------------------------------

Date:    Wed, 07 Apr 93 14:48:00 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Sending viruses over Internet

Peters@DOCKMASTER.NCSC.MIL (Donald G Peters) writes:

> When people send viruses to each other for research (or commercial)
> purposes, how is it done? Internet mail? US Post Office?

Both e-mail and regular mail. When regular mail is used, it is, of
course, not limited to the US Post Office only - you know, the US Post
Office is not that popular here in Germany... :-)

> My concern is that it would be easy for an untrustworthy Internet
> node to trap all mail to/from a certain Internet address in order
> to obtain virus code.

You are right.

> Of course, similar concerns exist for other networks like Fidonet
> and local area networks as well.

On FidoNet the situation is slightly different. If NetMail is used,
then you are calling directly the telephone of the recipient, so the
only way to intercept the virus code is by wiretapping. On the other
side, some idiots like to broadcast viruses to the echo conferences -
since it is not possible to moderate them, there is no way this can be
prevented...

> And how does one determine if the person to whom you intended to
> transmit the data is really a "bona fide" researcher, or even a
> person at all? 

Uh, that's a tough question... For instance, according to some people,
I am an automatic e-mail daemon; according to others (see the April
1st issue), I am a virus... :-) Indeed, several people have met me
personally, but it has probably been a spoof... :-))

[Moderator's note: I have met Vesselin and I can attest to the fact
that he is most definitely, beyond any doubt whatsoever, a virus.  ;-)]

> If some form of encryption is used (properly!), then that is a good
> thing, but I am not able to help you determine the value of a
> specific system.

Indeed, we usually use encryption when sending viruses to other
researchers. In general, PKZIP with at least an 8-character password
selected from the full ASCII set is secure enough against hackers. For
additional security, one may use DES or PGP. PGP uses public key
cryptography, which eliminates the key management problem, but there
seem to be some legal obstacles (patents) against its usage in the
USA.

I would like to use this opportunity to ask everybody to use some kind
of encryption when sending us viruses. If you cannot use PGP, use
PKZIP with a long password and send the password by a different
channel, for instance by fax. My phone and fax numbers can be found in
my .signature.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Thu, 08 Apr 93 03:25:34 -0400
From:    "Roger Riordan" <riordan@tmxmelb.mhs.oz.au>
Subject: Ides of March Virus Conference

I have sent the following message to dklefkon@well.sf.ca.us 
(Richard W. Lefkon).  I would advise everyone who has spoken at 
previous conferences, and who does not wish to be associated with 
advertising for any future conference, to consider giving similar 
instructions as to the use of their names/photos.


Dear Dick,

I have attended three of your conferences.  The organisation at 
the first two was merely disastrous, but the chaos at this year's 
conference was totally inexcusable.  I prepared a paper, which 
was submitted in good time, and I was assured that it had been 
accepted, and that I had been allocated a favorable time at which 
to present it.

However when we arrived in New York I found that there was no 
program, and that no one knew what was supposed to be happening.  
Furthermore there were no Proceedings, so that it was impossible 
even to decide who to talk to, let alone which talks we should 
try to attend (IF we could determine when, where  - or if - they 
were being presented).

I was extremely disappointed to discover that, despite your 
promises, you had apparently not scheduled me to give the 
paper which you had assured me had been accepted by the 
committee.  I regard this as a gross breach of faith on your 
part, and I suspect that you have deliberately taken advantage of 
me, so that you could use my name to publicise your conference.  

At the time you kept promising us that the Proceedings would 
arrive "tomorrow", and then that they would be posted to us 
"immediately".  I am exceedingly disgusted to discover that still 
no-one has received them.  I would point out that you have a 
legal obligation to deliver the Proceedings, which were 
advertised as an integral part of the Conference.  WHEN WILL WE 
GET THEM?

So it seems that we have gone to considerable trouble to prepare 
a paper which was not presented, or - apparently - even 
published.  It cost us over $US6500 to send two delegates to this 
conference, and in the circumstances we can only regard this as 
having been largely wasted.  

I believe that the disaster this year was of such epic proportions 
that no-one would attend any conference scheduled for this time 
and date, even if you had no part in the organisation.  However 
as you still seem to think that you can do better next time I 
wish to advise you that you may not, IN ANY CIRCUMSTANCES, make 
any use of my name or photograph in any advertising relating to 
any future conference.  If you should disregard this instruction 
I will instruct my legal advisers to take appropriate action.

Roger Riordan                 Author of the VET Anti-Viral Software.
riordan.cybec@tmxmelb.mhs.oz.au

CYBEC Pty Ltd.                                 Tel: +613 521 0655
PO Box 205, Hampton Vic 3188   AUSTRALIA       Fax: +613 521 0727

------------------------------

Date:    Thu, 08 Apr 93 11:01:31 +0000
From:    v922340@kemp.si.hhs.nl (Snaaijer)
Subject: Re: Best Net Antivirus (Novell)

swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer) writes:
|> keren@math.tau.ac.il (Keren Shmuel) writes:
|> 
|> >  Hello there
|> 
|> >  I am sorry if it is not the right place to ask this Q but i dont know
|> >   where else i can post it:
|> 
|> >  The Q is : what is the best AntiVirus for a net (NOVELL) today ?
|> 
|> Of course it is: Mine by ______________
|>                          ^ ^ ^ insert company name here :-)
|> 
|> Oh, and by the way my company is: S&S International (Deutschland) GmbH

or you can try TBAV .. it also has full network support.

Ivar.

- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date:    Sun, 04 Apr 93 12:02:00 +0100
From:    Amir_Netiv@f120.n9721.z9.virnet.bad.se (Amir Netiv)
Subject: Is "Untouchable" (V-analist-3) effective? (PC)

In a message to everyone From: chermesh@chen.bgu.ac.il (Ran Chermesh)
asks:

 > Our department considers buying an anti virus package. High in the list
 > is an Israeli product, sold in Israel under the name V-analyst-3 and
 > in the US as Untouchable. The feature of most interest to us is
 > the way this package claims to deal with future viruses. Since this
 > feature can't be tested experimentally, the best way is to learn from
 > the experience of other.

 > Thus, please post a reply, or send me a private note what's your
 > experience with this feature of the package. Of most interest for us
 > is your experience with cases where the package FAILED to
 > deliver the goods, meaning to rebuild a useful binary file.

This mailing network is *NOT* a commercial network. It should not supply such 
straightforward information; however, you may learn your answer from talks 
about the product in VIRUS-L.
What I do not understand is: since you are close to the dish, why can't you 
obtain the information from close-by sources? Your country is a multi 
anti-viral nation.

regards

* Amir Netiv. V-CARE Anti-Virus head team *

- ---
 * Origin: <<< NSE Software >>> Israel (9:9721/120)

------------------------------

Date:    Tue, 06 Apr 93 14:24:00 -0400
From:    Mikael Larsson <mikael@vhc.se>
Subject: Re: VSIG availability (PC)

bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) writes:

> The latest revision of Vsig that I have seen was 9301. They have added a 
> lot of signatures to the new January release.
>  
> I don't have FTP access, but I downloaded VSIG9301.ZIP from French 
> Connection BBS in Seattle, Wa. (206) 771-1730.

VSIG9303.ZIP is available at most of the VirNet connected BBSes,
otherwise Sara Gordon at VFR Systems should have it, I guess.

MiL

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Virus Help Centre     Phone:  +46-26 275740   Email: mikael@vhc.se
Box 7018              Fax:    +46-26 275720   or   : mikael@abacus.hgs.se
S-811 07  Sandviken   BBS #1: +46-26 275710   Fido : 2:205/204 & 2:205/234
Sweden                BBS #2: +46-26 275715   Authorized McAfee Agent!


------------------------------

Date:    Tue, 06 Apr 93 19:32:56 +0000
From:    Erik Scot Hatcher <esh6h@fulton.seas.virginia.edu>
Subject: Abe Lincoln Virus? (PC)

A week or so ago, one of the PC's in our office began
acting strangely in Windows 3.1 - the effects were that
any process that went out into DOS would die.

We scanned the PC with Norton AntiVirus (latest version)
which turned up nothing.  Soon after that, the PC (from
Windows) cleared the screen and drew a detailed picture
of Abe Lincoln.

Finally after much digging into the system, we noticed that
the COMMAND.COM file in the C:\DOS directory was larger
than the one in the root directory, and that the only place
where the one in the DOS directory was being referenced was
in some of the Windows .INI files, etc.  We replaced the
COMMAND.COM and now our system works fine.

Has anyone experienced such an occurrence?  I would like to
know more about this "virus".

Thanks,
	Erik Hatcher (esh6h@virginia.edu)
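
A baseline integrity check of the kind that would have flagged the larger
COMMAND.COM in C:\DOS straight away, added here as an illustration; it is
not Erik Hatcher's code and not from Norton AntiVirus or any other product
named in this digest. It records the size and SHA-256 digest of every file
under a directory and reports files that were added, removed or changed
since the baseline was taken. The directory layout, file names and file
contents in the demo are constructed.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (path relative to root, '/' separated)
    to its (size, digest). Size alone would have caught the larger
    COMMAND.COM; the digest also catches same-size modifications."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), file_digest(full))
    return baseline


def compare_baselines(old, new):
    """Files added, removed or changed between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: the copy of COMMAND.COM in DOS/ grows after
    the baseline was taken, while the root copy stays the same."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "DOS"))
        stand_in = b"\x90" * 100            # constructed stand-in contents
        for rel in ("COMMAND.COM", os.path.join("DOS", "COMMAND.COM")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(stand_in)
        baseline = build_baseline(root)
        with open(os.path.join(root, "DOS", "COMMAND.COM"), "ab") as f:
            f.write(b"\xcc" * 512)          # simulate the growth
        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the system that produced it and the
place it is kept: build it on a machine you believe clean (after a boot from
a known-clean diskette, as Philip Fites describes in his post in this issue)
and store it off the disk being checked, or a resident infector can update
the baseline along with the files.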


------------------------------

Date:    Tue, 06 Apr 93 18:00:56 +0000
From:    killion@eis.calstate.edu (Dave Killion;Pac Bell)
Subject: Strange COMMAND.COM virus.. Password? (PC)

We have had two calls yesterday from someone in England and someone in
Puerto Rico that on April 5th, when trying to run COMMAND.COM, it asks
them for a password....  I'm not sure what it is, but it's only these two
machines, and not ours in our shop.  One user said he can run DOSSHELL,
but when he exits to the command prompt, it asks for this password...  We
think it's a virus.   Any suggestions?   Please either repost a reply, or
respond to my Email box:   Killion@Eis.Calstate.EDU

Thanks,

Dave Killion
Tech Support
Altima Systems

------------------------------

Date:    Tue, 06 Apr 93 15:50:08 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: ANSI viruses and things that go bump in the night (mostly PC)

a) If you have the stock ANSI.SYS loaded, I have demonstrated that it
   is possible to construct a mechanism that will cause an infection
   to occur on execution of a DIR command on a "prepared" floppy.

b) There is no real need for anyone to have ANSI.SYS loaded.

IMHO while ANSI.SYS once had a real value for key redirection, this
is no longer true. Today the main reason is to set the screen colors
(a PROMPT string containing <esc>[37;44m will produce a blue background 
with white letters). You can do the same thing with a one byte change 
to COMMAND.COM (DOS 5.0 and 6.0 COMMAND.COM contain one byte pair "B7 07"; 
the second byte defines the screen colors on a CLS (07 is low white on 
black)). Using DEBUG you can change this byte (found at DEBUG offset 4A53
in DOS 6.0) to 17 for a blue background or 0F for bright white on black 
- - nice on older laptops - Note: you will need to reboot after the change
& COMSPEC must point to the new COMMAND.COM.

If you *must* have key redirection via ANSI.SYS then the fix is another
simple change using DEBUG - for 6.0 the byte at DEBUG offset 161 is a 
hex 70 (lower case "p"). Change this to a character unused by ANSI (no
hints here, diversity is strength 8*) and your ANSI will not recognize
a "stock" ANSI redirection command (e.g. <esc>[<key>;<string>p). Unless
the malefactor can guess your new character, ANSI bombs will not work.
 
					Warmly,
						Padgett
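
A small scanner for the ANSI.SYS key-redefinition sequences Padgett
describes, added here as an illustration; it is not Padgett's code and not
part of the digest. It walks a text for ESC [ ... <final> sequences,
treating quoted strings inside the parameters the way ANSI.SYS does, and
reports those whose final byte is "p" with key;string parameters, while
leaving colour sequences such as the <esc>[37;44m PROMPT string alone. The
sample strings and the REDEFINE_FINAL constant are assumptions of this
example.

```python
ESC = "\x1b"
REDEFINE_FINAL = "p"    # final byte of the ANSI.SYS key-redefinition sequence


def find_csi_sequences(text):
    """Return (parameters, final byte) for every ESC [ ... <final> sequence.
    ANSI.SYS lets parameters contain "quoted" or 'quoted' strings, so
    letters inside quotes must not be mistaken for the final byte."""
    seqs = []
    i, n = 0, len(text)
    while i < n:
        if text[i] != ESC or i + 1 >= n or text[i + 1] != "[":
            i += 1
            continue
        j, params, quote = i + 2, [], None
        while j < n:
            c = text[j]
            if quote:                      # inside a quoted string
                if c == quote:
                    quote = None
                params.append(c)
            elif c in "\"'":
                quote = c
                params.append(c)
            elif "@" <= c <= "~":          # 0x40-0x7E terminates the sequence
                seqs.append(("".join(params), c))
                j += 1
                break
            else:
                params.append(c)
            j += 1
        i = j                              # a truncated sequence is just skipped
    return seqs


def ansi_key_redefinitions(text):
    """Parameters of every sequence that would remap a key under ANSI.SYS:
    final byte 'p' with at least a key;string pair (assumed criterion)."""
    return [params for params, final in find_csi_sequences(text)
            if final == REDEFINE_FINAL and ";" in params]


def scan_file_bytes(data):
    """Scan raw file bytes, decoded as latin-1 so every byte maps to a char."""
    return ansi_key_redefinitions(data.decode("latin-1"))


# Constructed samples: the colour-only PROMPT string Padgett describes, and a
# text that remaps key code 65 ('A') to a command followed by Enter (13).
SAMPLE_PROMPT = "\x1b[37;44m$p$g"
SAMPLE_BOMB = 'Welcome!\x1b[65;"dir";13p\r\n'


if __name__ == "__main__":
    for label, sample in (("prompt", SAMPLE_PROMPT), ("bomb", SAMPLE_BOMB)):
        print(label, ansi_key_redefinitions(sample) or "no key redefinition")
```

Run it over BBS bulletins, .ANS menus and anything else that will be
displayed through ANSI.SYS before TYPEing it. If you have applied Padgett's
byte change so that your driver no longer accepts "p", set REDEFINE_FINAL to
whatever character you chose; a stock sequence is then harmless to you, and
what you want to catch is the character your own driver honours.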

------------------------------

Date:    Tue, 06 Apr 93 20:43:20 -0400
From:    sosc1043@wc05.writer.yorku.ca (Colin Beckmann)
Subject: viruses and compression (PC)

Greetings
	I was wondering if anybody could tell me if it is possible for a  
scanner to detect a virus in a compressed file or on a stacked hard drive,  
or if the virus can be detected in a file that has been backed up using  
DOS or Norton Backup.  Somehow I doubt it, but I am asking to be sure.   
If it can be detected, could you tell me the name of the software that can  
do it?

Thanks 
Colin Beckmann 

------------------------------

Date:    Tue, 06 Apr 93 21:35:43 -0400
From:    fites@qucis.queensu.ca (Philip Fites)
Subject: Windows 3.1 virus (PC)

I keep seeing people who report "general protection faults" and
similar things and attribute them to virus action.  I'm having similar
problems with the same error messages; Microsoft insists this almost
certainly is a wonky SIMM, not any sort of virus.  They back it up
with technical manual pages by fax.

Today, someone reported actually cleaning up a 36 byte virus.  I have
real trouble believing this; the smallest I know of is 44 bytes and
isn't viable, much less a Windows-specific infector.

Do you know of anyone with real data on this?  (Bontchev or Skulason,
perhaps?)

All diagnostic tactics I have available indicate no virus.  This
includes checksums on some critical programs, scan 107, (oops, 102 I
think), fprot 207, limited file examination (I can't read 36 bytes of
hex somewhere in some Windows kernel of several hundred K!)  Yes, I
booted from a known-clean diskette that doesn't load anything from the
hard disk.
 
Once the school term ends and I can do without my rather crippled
computer for a few days, I'll know for sure if there's a hardware
problem.  I'll let ya know -- but this won't necessarily rule out a
Windows-specific virus in other systems.

Any pointers?

------------------------------

Date:    Wed, 07 Apr 93 01:34:51 +0100
From:    gb03@ns1.cc.lehigh.edu (GEORGE PHILIP BLUHM)
Subject: Re: Superstor and McAfee (PC)

> I'm posting this question for a friend.  He has had some problems using
> McAfee and Superstor.  He scanned the files on his Superstor disk, and
> McAfee reported no viruses.  However, he could not access the Superstor disk;
> he could only access the regular disk with the Superstor temporary files.
> Luckily, when he rebooted, all was fine-- he could access his Superstor
> disk and all files were intact.
>
> Are there any problems with using Superstor and McAfee?  What may have
> caused his inability to access the Superstor disk?

I have had similar problems with my system running drdos 6.0 with the
windows upgrade.  I have noticed mostly when I exit windows.
Rebooting seems to remedy the problem.  I have used F-prot and McAfee
and found no virus.  I have also run AVS and the files remain clean.

George Bluhm
- -- 
Phylee THEE MacNasty

------------------------------

Date:    Tue, 06 Apr 93 23:10:53 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: MSAV "Updates" ? (DOS 6.0) (PC)

On a coupon in the back of the MS-DOS 6.0 Upgrade Manual where you are told
to send in your money for all of the optional extras (like EDLIN & EXE2BIN)
for MSAV updates it says "...the first will ship now..."

On page 277 of the same booklet you are advised to call a BBS (seems to 
be at Central Point) at (503)531-8100. Quoting from the book again "As
viruses are discovered, their signatures are posted on a bulletin board 
system (BBS), which is available 24 hours a day, 7 days a week."

Called the number on Saturday. No answer. Called tonight (Tuesday) got
answer (@14,400 8*). Went through login procedure. No signatures. Not
even a *place* for signatures that I could find. No place to leave comments. 
(Did open with presumably voice telephone numbers). Since I did not want to 
read a text file on the Michelangelo, I signed off. Wake me if the 
signatures appear.

					Cynically,
						Padgett

Opinions are my own & do not necessarily reflect those of any other entity.

ps Was able to download the "supplemental disk" file from the MS bulletin
board (has EDLIN & EXE2BIN). 480 compressed k of it. DOS6SUPP.EXE.
(206)936-6735 - page 256.

pps: some of the above may be trademarks or copyrights. They are owned by
whoever owns them.

ppps: Has anyone seen a NETX.COM that runs with DOS 6.0 without patching &
      pipe warning ?


------------------------------

Date:    Wed, 07 Apr 93 08:03:26 +0000
From:    v922340@kemp.si.hhs.nl (Ivar Snaaijer)
Subject: Re: Vir-Sig (PC)


bill.lambdin%acc1bbs@ssr.com (Bill Lambdin) writes:
|> From Demetre Koumanakos to All About Vir-Sig (PC) on 03-26-93 
|> .bill.lambdin@frenchc.eskimo.com
|> 
|> DK| It has been now more than 2 months since I was able to find
|> DK| a new Vir-Sig file for TBAV from any of the known sources
|> 
|> The latest revision of Vsig that I have seen was 9301. They have added a 
|> lot of signatures to the new January release.
|>  
|> I don't have FTP access, but I downloaded VSIG9301.ZIP from French 
|> Connection BBS in Seattle, Wa. (206) 771-1730.


I've uploaded something to Timo Salmi, but he isn't around until the 12th of
April. I can send it to people who need it terribly, but I don't think there
is that much change (in the signatures). The datafile I have doesn't 
recognize Terminator II; the beta version of TBSCAN does ...

(see also other posting.)

Ivar.
- -- 
E-mail : v922340@si.hhs.nl    ... i can't help it, i'm born this way ...
- -----------------------------------------------------------------------------

------------------------------

Date:    Mon, 05 Apr 93 19:01:50 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: New viruses warning (PC)

EM436861@ITESMVF1.RZS.ITESM.MX (Mario Rodriguez Cardenas) writes:

>    The Susan 1 virus is a resident overwriting virus. When an infected file is

[stuff deleted]

>   You can check for this virus with the following signature:
>              "C91FCD21B43ECD21C3505256571E068C"

Yes, we have that one here.

> The FoneSex virus is also an overwriting virus and seems to be nonresident, it

[stuff deleted]

> You can check for the signature "EB079000B43BCD21C3E89B00E89F00".

This one seems to be new; the signature didn't match any of my
samples.

Regards,
Vesselin
- -- 
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de    D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 07 Apr 93 11:06:59 -0400
From:    "David M. Chess" <chess@watson.ibm.com>
Subject: Re: Loa Duong (PC)

>From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)

>The standard CARO name for this virus is Lao_Doung. I have no idea
>where the name comes from. I know that McAfee is using a different
>spelling.

I think I was the first Westerner to get a sample of this virus.
It came from Thailand in May of 1991, and the person I got it
from said that the tune it sometimes plays is a Thai tune
called "Lao Doung Duen".  Hence the name (and the spelling).

DC


------------------------------

Date:    Wed, 07 Apr 93 16:10:13 +0000
From:    preneel@esat.kuleuven.ac.be
Subject: Identifying a virus: help needed (PC)

Hello,
I have been contacted by a company whose computers are probably hit by a 
virus. The guy I spoke to is not a DOS expert, so I have only very little 
information. 

The "virus" is NOT detected or identified by "recent" versions of:
Norton AV (2.1), Dr. Solomon, Elia shim virusafe and Central Point AV.

Operating system: DrDOS 5 and MSDOS 5
Symptoms: 
- - the virus creates several new files until the hard disk is full. 
  the names of the new files are: 
    AIAMBEAN
    AMCBAODC,ALDHABEF,ALCHOCK,APPLOAD.DFS    size      0
    ALCHCOCK.SWR,ALDHABEF.SWR,AMCBAODC.SWR   size 100000
- - many lost clusters
- - after starting up from a floppy, the CMOS is overwritten and DOS is 
  not available 

Any help or comments are welcome. Please reply by email to 
bart.preneel@esat.kuleuven.ac.be       

------------------------------

Date:    Wed, 07 Apr 93 15:50:24 +0000
From:    SKLEPZI@SSB1.SAFF.UTAH.EDU (Steven Klepzig)
Subject: Brazil virus (PC)

Another university here in Utah is reporting an outbreak of a virus called 
Brazil or Brazilian.

Is there such a beast?

I haven't seen it here nor have I heard of it on our campus.  The reports 
also say that F-PROT doesn't find it, but they do refer to something called 
antibras.

Any help is appreciated.  Thanks.

Steven Klepzig (sklepzi@ssb1.saff.utah.edu)
University of Utah

------------------------------

Date:    Wed, 07 Apr 93 13:31:09 +0000
From:    gary@sci34hub.sci.com (Gary Heston)
Subject: Re: Unknown little virus? (PC)

motreba@mat.torun.edu.pl (Maciej Otreba) writes:

|Last time I had virus in my PC. It came from Internet probably with one
|from shareware games. The problem is that the virus was not detected by any
|program.

Interesting. If you didn't detect it with any virus scanner, how do you
know it was a virus? 

|         I tried to find it by Scan 100, F-Prot 2.07 and Polish AV program
|MkSVir (available at FUNET with on-line translator). This virus caused
|General Protection Fault in Windows 3.1 in krnl386.exe when running Write,
|Paintbrush, MS Word 2.0 and System Editor. It was probably very small. I
|think it took 32 bytes of base memory (difference between memory with and
|without virus). 

32 bytes isn't enough to write an interrupt service routine, much less
anything resembling a virus.

|                I throw it out by formatting HD and setting up system
|again.

This was probably unnecessary.

|       My question is: has anyone heard/seen anything about this virus?

It doesn't sound like a virus; it sounds like one of your Windows files
got corrupted. Most likely, all you had to do was reinstall Windows.

|                                                                        Is
|there any signature? 

It would take a captured copy to extract a signature from, and since you
formatted your drive, you destroyed any possibility of finding out what
happened. 

Don't assume that every problem that pops up on a computer is a virus.
There are many other possible causes, which is what you should have looked
for after not finding anything with the scanners.

|                     Which programs in Internet might be infected?

Probably a very small number. Certainly none with a 32-byte virus.


- -- 
Gary Heston    SCI Systems, Inc.  gary@sci34hub.sci.com   site admin
The Chairman of the Board and the CFO speak for SCI. I'm neither.
Remember: A majority of the American people voted against *all* of the
Presidential Candidates. How encouraging....

------------------------------

Date:    Wed, 07 Apr 93 20:19:00 +0000
From:    "Look, and see the darkness..." <9008411@ul.ie>
Subject: Tequila problem... (PC)

Ummm,

a friend of mine has had his HD infected by what appears to be Tequila.

He's tried every single anti-virus program he can lay hands on, but it
 keeps re-appearing, for no apparent reason. It's not from a floppy or
 anything as he has had it re-appear BEFORE even using the floppy drive
 after disinfection.

My only suggestion is that Stacker 2.0 (which he has installed on the
 infected drive) may be quirky.....can anyone suggest anything?

Thanx in advance....

John Cullen, University of Limerick (yup...YABStudent)

9008411@ul.ie


------------------------------

Date:    Wed, 07 Apr 93 17:20:26 -0400
From:    keith.watson@stucen.gatech.edu
Subject: Virus Data Base (PC)

I just found an ad for a hypertext virus database. V-Base from
International Computer Security Associates. A free demo is available from
their BBS at 202-364-0644. Is this a rehash of Vsum or is the long awaited
for virus database finally here? Comments?


Keith R. Watson
Georgia Institute of Technology, Atlanta Georgia, 30332-0453
uucp:  ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!kw3
Internet: keith.watson@stucen.gatech.edu



------------------------------

Date:    Thu, 08 Apr 93 07:57:15 +0000
From:    smt0@ns1.cc.lehigh.edu (STEFAN M. THIEME)
Subject: Re: VI-SPY VS Central Point AntiVirus (PC)

>Hi netters,
>
>       This is not a comparison between the two scanners.  I ran into some
>problems while running Vi-Spy version 10 while scanning my hard disk.
>
>       Vi-Spy consistently picks the Central Point Antivirus files like
>vsafe.com or Vsafe.sys saying that Flip virus is found.  I think I have used a
>Virus scanner from Taiwan Eten group which report the same thing.
>
>       Just wondering if anyone has this problem?  Is it just coincidence that
>Flip's signature was found in CPAV files?

I had the exact same thing happen to me, except that it was F-Prot
that noticed the Flip virus signature, and it was in Vwatch(.com or
.sys? I can't remember). Since CPAV was about 18 months out of date
(and just taking up hard disk space) I deleted the whole program. But
yeah, I think it does have that sig. somewhere in it. I never had any
problems with viruses (knock on wood) other than finding flip, and
only in that one file.

bye.
- -- 
*The Avatar****************************************************SMT0@LEHIGH.EDU*
***************** These are my opinions. Mine mine mine mine! *****************

------------------------------

Date:    08 Apr 93 08:38:51 +0000
From:    houkes@eb.ele.tue.nl (Vincent Houkes)
Subject: Terminator 2 and Bert virus ?? (PC)

Hello there,

Can anyone help me with the following problem?

Yesterday morning I found my system infected with two viruses.  Scan
v100 found only one, and scan v102 detected a file with two.  I found
the origin of the viruses, namely a file called passrem.exe, which I
downloaded from a BBS.

The viruses were called the Terminator 2 virus (stealth), and the Bert
virus.  The latter was only found by vers. 102.  Alas, there is no
description of those viruses in the virlist.txt, and vsum x303 doesn't
answer completely either (only some info on the Terminator, Terminator
2001 (or something like that) and the Terminator 3002 (or something
like that)).

Does anyone know these viruses?  (scan gives [Term2] and [Bert])

Second of all, is there a way to check zip files for viruses before
extracting them?

Thank you very much!

Vincent Houkes

PS.

F-Prot 207 cannot locate the viruses, not even in a heuristic scan!

E-mail
houkes@eb.ele.tue.nl
 V.J. Houkes                                      \    /   /
 Student University of Technology of Eindhoven     \  /---/
 E-Mail :  houkes@eb.ele.tue.nl                     \/   /
- ----------------------------------------------------------------------

------------------------------

Date:    Thu, 08 Apr 93 08:47:11 +0000
From:    kleyngel@dutiws.TWI.TUDelft.NL (Raymond Kleijngeld)
Subject: Help wanted with Dir-II virus (PC)

Hi everyone,

I recently discovered the Dir-II virus on my system (486/33 with a
212 Mb HD). I have a bootable floppy which contains no virus and
includes a virus scanner, scan v102 from McAfee. I scanned the HD, but
scan didn't detect any virus. So I assumed that the HD was clean.
I have read in the virlist.txt that the Dir-II virus uses stealth
techniques and self-encryption. Maybe this is the reason that the
virus can't be detected.

Actually I have the following problem. Because the virlist.txt
describes that the Dir-II virus cross-links files and directories, I used
chkdsk and Norton Disk Doctor to correct the problem. There are cross-linked
files and directories. Norton Disk Doctor (NDD) repairs the files.
After using NDD I use chkdsk, and the unallocated chains are nicely
converted to files. I delete those files. But when I run NDD again
I get the same errors and even some more. So I think that my system
is still infected.

Can anyone help me with this problem? Because I have optimized the
programs to communicate with each other, I don't like formatting the
disk again.

So any comments about the Dir-II virus are welcome.

Thanks in advance

Raymond

- -- 
+--------------------------------------+------------------------------------+
|     Raymond Kleijngeld               |   Delft University of Technology   |
+--------------------------------------+------------------------------------+
|                       kleyngel@dutiws.TWI.TUDelft.NL                      |

------------------------------

Date:    Thu, 08 Apr 93 06:19:00 -0400
From:    David Hanson <afrc-mis@augsburg-emh1.army.mil>
Subject: Censoship/40-Hex (PC)

Vesselin says:
> Burger's and Ludwig's books are crap

After wasting my time on a couple of bogus virus books ("dangerous",
because they contained <gasp> *actual viral source code*), I dusted off
my assembly books, and am looking for some good disassemblers so I
can get decent information on the two virii that I have encountered
here in the "wild".  It seems that in the current climate of viral
censorship, the only way to get decent info is to

a) Go to the "underground" (not always good information, but at least
   they aren't afraid to share it...)

b) DIY (Which I'm currently in the process of doing.  It costs me spare time,
   but I (slowly) gain knowledge and I know that the only person BS'ing
   me is me.)

I've yet to read a decent virus book.  Can you recommend a solid,
relevant virus book?

Vesselin says:
> Some articles in 40-Hex are interesting. I wouldn't recommend the
> - -distribution- of this electronic magazine, because it contains
> potentially harmful code (viruses in source or as DEBUG scripts), but
> if some "good guy" already has it, I would recommend him/her to read
> it. 

And how does a "good guy" get 40-Hex?  Wouldn't receipt of 40-Hex from
*any* source be participation in the -distribution- of this magazine?
Not necessarily by disseminating the info ("good guys" would NEVER do
that), but by creating demand.  Even if you get it from another "good guy",
passing the magazine from one place or person to another is distribution.
This is something that is OK for YOU to participate in, but not ME (if I am
to be a "good guy")???

Tell me, where do YOU get 40-Hex from?

Why should it be OK for you to receive it, but not me?

I do not wish to detract from the extremely valuable and "good" work that
you do as a virus researcher, just want to point out that "good"/"bad"
is not black/white, more like shades of gray.  Case in point - your
participation in 40-Hex distribution.  If you're going to fight the "bad"
guys, you've got to get your hands dirty.

BOTTOM LINE:  I really get peeved when access to information such as
	      40-Hex is limited "for my own good".  In the short term,
	      censorship may seem like a good idea, but in the long term,
	      it just limits information to the  (good/bad/ugly)
	      and leaves all of us neutral/gray people at the mercy of
	      self-appointed "experts" (good/bad).

	      I trust any expert as far as I can independently verify what
	      they say.

------------------------------

End of VIRUS-L Digest [Volume 6 Issue 61]
*****************************************