VIRUS-L Digest   Tuesday, 15 Nov 1994    Volume 7 : Issue 92

Today's Topics:

Re: Press Conference
Advertising in Virus-L
What's a Logic Bomb ?
Virus Signatures needed.
The Antivirus Practice Lab
any virus WWW sites?
Re: 386/486 virus protection(UNIX)
Re: VCL?? (PC)
Re: MtE virus (PC)
Re: Virus: Leandro and Kelly! GV-MG-BRAZIL
Re: Any info about NATAS? (PC)
Re: Unstoppable virus? (PC)
Re: Die Hard 2 virus (PC)
Re: Malta Amoeba (PC)
Re: PC Virus _1099 found (PC)
Re: Rebuilding Partition Table? (PC)
Re: FORM virus Info wanted (PC)
Re: Anti-CMOS Virus Infection - HELP! (PC)
Re: Promise DC200 IDE caching card problems(?) / Virus? (PC)
Re: KOH Problem (PC)
Re: Microsoft Anti-Virus updates (PC)
Re: Date Stamp (PC)
Re: Need Help with Stoned Virus (PC)
Halloween virus? (PC)
Help - "little red" (PC)
Re: DOOM II (PC)
A non-viral cause of Windows being slow (PC)
"antiexe" virus (PC)
Stealth* What is it? Virus DB? (PC)
Re: The truth about the CD-ROM (PC)
Re: Lil' Red Virus (PC)
master boot record viruses (PC)
What does Anti-CMOS A do ? (PC)
Re: ubuythis.now (PC)
GenB virus - Need Help (PC)
Tai-Pan!!!! Remover needed!!! (PC)
F-prot external search strings (PC)
Re: ubuythis.now (PC)
Re: Monkey.Stoned virus on multimedia 486 won't go away... (PC)
Re: Help Please: Monkey? (PC)
Virus MTE-Encrypted (PC)
Re: Monkey Virus is on our backs... (PC)
Re: Firmware Virus Protection System For Networks (PC)
Frontline anti-virus program (PC)
"The Tojo Virus" by Randall

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a gatewayed and non-digested USENET counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on CORSA.UCR.EDU (IP number 138.23.166.133) or upon request.) Please sign submissions with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on CORSA.UCR.EDU. Administrative mail (e.g., comments, suggestions, beer recipes) should be sent to me at: krvw@ASSIST.MIL. All submissions should be sent to: VIRUS-L@Lehigh.edu.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 01 Nov 94 09:35:22 -0500
From: David_Conrad@MTS.cc.Wayne.edu
Subject: Re: Press Conference

wschwartau@delphi.com writes:
>
>The Internet is a dangerous place. Ask anyone.
>
> * Between 85-97% of all computer break-ins go undetected.
>
If they go undetected, how can statistics be gathered about them? Did you know that 96.48% of all statistics are made up?

> * Industrial espionage is up 400% since the late 1980's.
>
This is either undetected industrial espionage, in which case I object to the statistic on the grounds mentioned above, or else it's detected industrial espionage, in which case I will point out that more detections might indicate that the net is getting safer, if the increase is due to improvements in detection rather than a higher incidence of attempts.

Regards,
David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date: Wed, 02 Nov 94 07:41:00 -0500
From: Nick FitzGerald
Subject: Advertising in Virus-L

hiwire@solomon.technet.sg (Lim Beng Cheng) wrote:

> If you want to protect yourself against boot viruses of any kind, why not
> try FrontLine. This program complements your existing anti-virus
> software and FrontLine can detect and remove any boot virus - past,
> present and future. If you want more info, please drop me a email or
> drop a message in this newsgroup.
>
> FrontLine is currently the most reliable software to deal with boot viruses.
>
> Lim Beng Cheng
> Hiwire Computer & Security Pte Ltd
> hiwire@solomon.technet.sg

Whilst I personally do not like these kinds of ads appearing in Virus-L, I accept they are "part of the deal". However, what annoyed me about this particular ad is (apart from its very bloated opinion of the product--an apparently new program is "the most reliable"; I doubt it) that Lim Beng Cheng posted basically the same message as replies to two other messages -to the group/list-, -AND- they were all posted. I think Ken should have screened two of them out.

Lim Beng Cheng should also consider writing a more factual and less opinion-laden blurb for Frontline if seriously interested in drawing "professional" attention to the product. Everyone claims to be the best--we ignore that and look for what such a product gives us over, say, Padgett's free FixMBR/SafeMBR, etc. Without at least a modicum of technical detail to suggest where Frontline's true strengths lie, I just skipped over the ads.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Fri, 28 Oct 94 14:24:21 -0400
From: billy@step.polymtl.ca (Billy Nadeau)
Subject: What's a Logic Bomb ?

Hi,

I don't know everything about viruses and bombs, but I know how to avoid ansi bombs and I use VShield against viruses. But I don't know what a Logic Bomb is. Can anybody tell me what it is and how it strikes ?

Billy Nadeau

------------------------------

Date: Fri, 28 Oct 94 23:43:47 -0400
From: rabollig@iglou.iglou.com (Randall Bollig)
Subject: Virus Signatures needed.

Hello all,

I'm working on a system security project and need about ten virus signatures that scanners would use to identify a potential virus. Where can they be found? Thanks in advance.
- --
Origin: Randall Bollig rabollig@astrostar.us CIS 72240.1640
Present Location: United States, East.

------------------------------

Date: Tue, 01 Nov 94 15:09:55 -0500
From: Zvi Netiv
Subject: The Antivirus Practice Lab

Hello,

The ongoing debates on how good antivirus products are and how they perform in a virus threat environment inspired an idea. This post is a pre-announcement of the Antivirus Lab, a freeware software package about to be released. The purpose of this post is to present the AV Lab concept.

Unlike any other software, most users cannot test antiviruses for themselves, nor practice with them. You can evaluate a word processor or a compiler by simply using the application and seeing whether you like it or not. I know very few that opted for Word Perfect or MS-Word because of a test bench that appeared in a review, but most users adopt an antivirus product on the grounds of third party advice, rather than on their own evaluation.

There is an objective problem with antivirus. Most users have no means to test AV, and just a few have a collection of viruses that will let them run some sort of tests. I do not doubt the ability of anybody to devise a sound and valid test to evaluate an AV feature, but I am genuinely concerned with the pretension in this matter of some individuals that managed to possess a virus collection, but lack the knowledge and skills required to test an antivirus. Unfortunately, quite a few use their self-proclaimed expertise and spread misleading information. The uninformed reader is in no position to judge the quality and validity of the information so provided.

The Antivirus Lab is aimed at the common user, at all levels, to let her/him experience virus-like scenarios in a safe and controlled environment. AV Lab is based on real virus-like scenarios, with synthesized and some real, but emasculated, viruses. The safety of AV Lab is in the incapability of its works to escape in the wild.
It can be played only on the machine that the AV Lab operates from, and its doings cannot propagate from one machine to another. An additional safety of the AV Lab is that it can remove and cure its own doing. The Lab will suggest that you practice on copies of original programs and not on the originals themselves, as all scenarios are played live, and on real programs that you provide and select.

AV Lab uses some real but emasculated viruses, such as Stoned and Monkey. They have been tamed to assure they cannot escape in the wild, yet they will let you explore how such viruses work, what their symptoms are and how to remove them safely. These specific viruses, and some others, have been selected for several reasons: First, by using them we do not provide virus writers anything new that they don't know already. Secondly, these viruses are detected as such by common antivirus products, and you can then evaluate how well your AV deals with the virus.

The following are a couple of scenarios that explain how the AV Lab works.

a. Let's start with how to prepare for experimenting with the AV Lab. The Lab recommends that you create a dedicated directory and copy a few COM and EXE programs to it. DOS files are adequate for the purpose. Next you should update the antivirus recovery database for the new directory, according to the AV product you use. The last step would be to prepare the rescue diskette according to the AV producer's recommendations. Now you are all set to start experimenting with the Lab.

b. The file infector scenario: You first select the directory upon which to act, e.g. the one that you created for the purpose. Next you select the type of infection, for example: a companion virus or a direct infection, encrypted or plain, how many files to infect, and whether to induce deception or not. The Lab will modify the files in the selected directory, the same way that a virus would.
It will attach its code to the program and this code will execute when invoking the affected program. The virus will announce its presence and then pass control to the host program, just like viruses do. The major difference between a Lab file infector and a real one is its propagation rate. If you like, you may consider the Lab viruses as a "slow infector", with its propagation rate reduced to zero. In all other aspects, the Lab file infector has all the characteristics to practice AV techniques upon. It is scannable, it can be removed by standard removal routines, it will show integrity changes that characterize viruses too, the program can be restored by generic techniques, it will trigger self integrity checking and recovery (for those programs that have one), and so on. As a safety measure, the Lab viruses can be removed by the integrated Lab scanner.

c. There are several boot-mbr infection scenarios, yet one of the interesting ones is that of Monkey. The Lab will install a real, yet sterilized Monkey mbr, that will become active after rebooting the computer. Except for infecting floppies, the Monkey demo exhibits all the properties of the real virus: Mbr spoofing, loss of access to the hard drive when not resident, and even detection and removal by generic and non-generic AV means. As a precaution, the AV Lab offers its ResQdiskette, just in case.

Here are some thoughts on legal issues. All the Lab's emulations can only be _installed_ by the Lab, and none of its doings can _replicate spontaneously._ Thus, the Lab cannot be used to spread viruses or even virus-like programs. On the other hand, the AV Lab will promote knowledge about computer viruses, show you various ways how to protect yourself from them, evaluate your AV strategy and assess the efficiency of the AV product you are using. These are heavy weight considerations in favor of the AV Lab, compared to its risks, if any at all.

The AV Lab will let the user practice different antivirus strategies.
AV Lab is not aimed to work with one product; it is a general purpose AV evaluation and practice environment. Here is a short list of the AV Lab scenarios. It has boot-mbr infector scenarios, both plain and stealth, with and without partition data overwriting. There are file virus scenarios of all sorts: plain, encrypted and companion. There are also deliberate deception scenarios, for testing and evaluating an AV's susceptibility to false alarms and the safety of the recovery procedures. The AV techniques that can be tested with the AV Lab are: scanning, generic detection, heuristics, algorithmic removal of a virus, integrity checking, generic recovery, boot/mbr spoofing, generic counter-spoofing and recovery, and hyper-correlation.

The AV Lab will be released as freeware. At a later stage, we intend to add a text book about viruses, antiviruses and AV techniques. I believe that the subject is important enough not to wait for the book, and to release the AV Lab right away.

Your comments are welcomed.

Zvi Netiv, author of the AV Lab and InVircible

------------------------------

Date: Tue, 01 Nov 94 18:34:56 -0500
From: "Jim Powlesland"
Subject: any virus WWW sites?

The subject heading says it all. Are there any virus World Wide Web sites? And if so, what are the addresses?

- --

------------------------------

Date: Tue, 01 Nov 94 09:34:26 -0500
From: David_Conrad@MTS.cc.Wayne.edu
Subject: Re: 386/486 virus protection(UNIX)

Kevin Marcus writes:
>Vesselin Bontchev wrote:
>>Minix - probably, yes. However, I am pretty sure that diskettes
>>formatted for Apple ][+ will not be infectable on an IBM PC.
>
>Are you sure about that? The overall media is the same thing, and I don't
>think that INT 13h calls care about the BPB at all. I would imagine it would
>still be read/writeable. Why do you think this?
>
Overall media? Better than imagining, we can employ the facts: Apple ][+ disks are only 256 bytes per sector, instead of the 512 byte sectors used by PC's.
The only result I've been able to get with an Apple ][+ disk in my PC is a General Failure Reading Drive B:.

Regards,
David R. Conrad
David_Conrad@mts.cc.wayne.edu

------------------------------

Date: Mon, 31 Oct 94 14:50:00 -0500
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: VCL?? (PC)

ANTHONY APPLEYARD wrote:
)theoj00@DMI.USherb.CA (JEAN-FRANCOIS THEORET) wrote:-
) > Does anyone know where can be found the VCL (Virus Creation Library)?
)Should we really be alarmed about the emergence of such products?
)
)Zeppelin@ix.netcom.com (George Paulsen) replied (Subject: Re: VCL?? (PC)):-
) > The VCL's are on every major Virus sites such as ; Hell Pit/West Coast
)Institute of Virus Research/ Black Axis/Cybernetic Violence/ and any other
)NuKE/Phalcom Skism site.
) If, as seems from this, computer virus writing clubs have information
)exchanges at known email sites, then why can't these sites be traced and
)closed down? Can't the law act against them????

But writing viruses is not illegal.

Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Mon, 31 Oct 94 15:08:28 -0500
From: jmccarty@spd.dsccc.com (Mike McCarty)
Subject: Re: MtE virus (PC)

Charley Boudreau wrote:
) Can anyone give me any info on the MtE virus. I was infected with it
)yesterday. InocuLAN cleaned it up nicely, but I'd like to know what damage it
)was trying to do and any technical info on it.
)
Actually, there is no MtE virus. There is a thing called the MuTation Engine. It is a tool used to create polymorphic (self-encrypting) viruses. Several viruses have been created using this tool. So while the MtE may have been used to create the virus you found, we cannot know what effects the infection may have had without knowing more information.
Mike
- ----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}

------------------------------

Date: Mon, 31 Oct 94 18:18:14 -0500
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: Virus: Leandro and Kelly! GV-MG-BRAZIL <--Detect/Kill???? (PC)

Kevin Hall writes:
>We have refound a virus that we are trying to get rid of. The virus
>appears to remain dormant until some date and then upon bootup displays:

The message is only displayed on Oct 21. It is widespread in Brazil. We also have reports of this virus from Ohio, Pennsylvania, California, and isolated European sites that do business with Brazil.

> Leandro and Kelly! GV-MG-BRAZIL
> You have this virus since 11-08-94
>The date changes.
>So far I have not found a virus detect program that detects or cleans
>this virus. I am pretty sure it lives in the master boot block.
>Detection means currently employed: Place a blank write protected
>floppy in drive, chkdsk the floppy and note the values displayed.
>Unwrite protect the floppy and re-chkdsk the floppy. If infected,
>1024 bytes of bad sectors will show up.
>The only methods I have found to remove the virus is to clean boot off
>a floppy and use fdisk /mbr to re-write the master boot block.

This will get rid of it.

>Any thoughts please let me know.

If you have NAV, you can contact our technical support and they will be able to send you a definition set which will detect and repair the virus.

Jimmy Kuo
Norton AntiVirus Research

------------------------------

Date: Mon, 31 Oct 94 18:29:30 -0500
From: cjkuo@symantec.com (Jimmy Kuo)
Subject: Re: Any info about NATAS? (PC)

Maarten Meijer writes:
>Can anyone tell us if Natas does something else besides reproducing
>itself? Any answers greatly appreciated!

It doesn't. But, most AV programs today cannot repair damaged executables so you would need to delete and replace any infected files.
Jimmy Kuo
Norton AntiVirus Research

------------------------------

Date: Tue, 01 Nov 94 05:33:49 -0500
From: pb-emert@uwe-bristol.ac.uk (PB Emerton)
Subject: Re: Unstoppable virus? (PC)

cook cornelius john (c-cook@ux5.cso.uiuc.edu) wrote:
: > From psychman@rci.ripco.com Wed Oct 19 14:44:07 1994
: > >What if there was a virus that used MSDOS's int21 backdoor to execute all
: > >of it's file handling calls? In-memory virus protectors wouldn't be able
: > >to detect it or stop it.
: >
: > How? What does this back-door allow one to do?
:
: Using the Jump instruction in the PSP. It points to the lower half of
: the old CP/M FCB instruction sets. If you trace down, there's a standard
: distance between that and the actual DOS int 21 entry point.
:
The majority of intelligent (sort-of anyway) virus writers either tunnel under memory resident virus scanners to make requests to the original int 21h handlers. Some use int 2fh. They still cannot effectively hide themselves in memory if you run a virus scanner from a write protected floppy disk. The real fear, I believe, is polymorphic code which can create a lot of work for the anti-virus vendors but does, however, need a detailed knowledge of instruction encoding to do well. Thankfully the anti-virus people are keeping up.....thanks guys!

pb-emert@uwe.ac.uk

------------------------------

Date: Tue, 01 Nov 94 05:46:46 -0500
From: hermanni@wavu.elma.fi (Mikko Hypponen)
Subject: Re: Die Hard 2 virus (PC)

Wansaicheong Khin Lin Gervais (gervais@singnet.com.sg) wrote:
> Does anyone have knowledge of the Die Hard 2 virus?

Here's the description of this virus from F-PROT Pro's virus info database:

- -----
Die_Hard
DH2
4000
RESCOMEXE

Die_Hard is a resident fast infector of COM and EXE files. It is known to be in the wild at least in India, where it was found in September 1994. The virus stays resident in memory, decreasing the available DOS memory by 9232 bytes. Die_Hard infects all executed or opened COM and EXE files.
The files grow by exactly 4000 bytes. Die_Hard has several layers of encryption. Once encrypted, the following text is found:

SW DIE HARD 2

The encryption is not polymorphic, so the virus is quite easy to find. The virus maintains a generation counter, but it is currently not known if this information is used, or whether the virus has any activation routine at all.
- -----

> Anyway, is Scan117 the only program that will pick it up

F-PROT 2.14 and up will detect it. So does TBAV 6.26.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
===> DF is moving - our mail address and phone numbers are changing <===

------------------------------

Date: Tue, 01 Nov 94 05:50:02 -0500
From: pb-emert@uwe-bristol.ac.uk (PB Emerton)
Subject: Re: Malta Amoeba (PC)

Muad'dib (Muaddib@deathstar.cris.com) wrote:
: Does anyone know what the Malta Amoeba virus does??? Or how to get rid
: of it? (More specifically will NAV be enough to take care of it...)
:
A recent version of NAV would probably do the job. I would recommend either 'F-PROT' or 'Thunderbyte' though. It's a polymorphic .EXE infector that is, I think, memory resident. It has a destructive routine in it too so boot clean and remove it asap. Hope this helps!

pb-emert@uwe.ac.uk

------------------------------

Date: Tue, 01 Nov 94 05:58:08 -0500
From: hermanni@wavu.elma.fi (Mikko Hypponen)
Subject: Re: PC Virus _1099 found (PC)

NG YENG YONG (isc20324@cobra.nus.sg) wrote:
> Just encountered a new virus named _1099.
> Check with VSUMX408 but it had no description of this virus.

This virus is also known as the Mange-Tout virus. Here's a description of it from F-PROT Pro's virus info database:

- -----
Mange-Tout
_1099
RESCOMEXE
1099

The Mange-Tout virus was originally found in Hong Kong during the spring of 1994. Later, this virus was also found in China.
The first discovery of the Mange-Tout virus in Europe happened near the end of August in Norway, where it was found on some VGA driver diskettes. These diskettes had been imported from Hong Kong. The virus is now believed to be in the wild in several European countries.

This virus does a good job of keeping itself encrypted constantly, even when in memory. It has an armoured decryption routine, which it uses both at its own start-up and during interrupts when resident in memory. The virus contains specific traps for debuggers. All of this makes Mange-Tout quite laborious to analyze. In any case, it stays resident in memory, hooking interrupts 08h, 09h and 21h (system timer, keyboard and DOS), and infects COM and EXE files.

There exists also another variant, 1091 bytes in length.
- -----

> Scan 2.1.1 can detect it but has no remover for it. Tried
> ThunderByte Anti-Virus 6.24. Worst, it cannot detect the virus.

F-PROT 2.14 detects and disinfects both currently known variants of Mange-Tout. SCAN 2.1.1 detects them both as '_1099'. TBAV 6.26 detects the longer variant as Mangtout but seems to currently miss the 1091 variant.

- --
Mikko Hypponen // mikko.hypponen@datafellows.fi // Finland
Data Fellows Ltd's F-PROT Professional Support: f-prot@datafellows.fi
===> DF is moving - our mail address and phone numbers are changing <===

------------------------------

Date: Tue, 01 Nov 94 12:16:59 -0500
From: hiwire@solomon.technet.sg (Lim Beng Cheng)
Subject: Re: Rebuilding Partition Table? (PC)

Kevin Kenney (kenney@netcom.com) wrote:
: Since partition-table affecting viruses are becoming more common, and since
: anyone hit by a new one won't want to wait for scanners to be updated, I'm
: looking on how to rebuild a partition table, hopefully without trashing
: the disk's formatting. What tools would be needed, and do they exist,
: including in a commercial package? (What can access a C: drive the BIOS
: can't find?)
: I'd be willing to write such a generic tool, if pointed
: in the right direction. KpK

We have a product called FRONTLINE. It is your first line of defence against all boot viruses - past, present and future. No update is necessary since it is generic. Once installed on the hard disk, it detects and removes all boot/partition viruses including stealth ones.

- --
Lim Beng Cheng
Hiwire Computer & Security Pte Ltd
hiwire@solomon.technet.sg

------------------------------

Date: Tue, 01 Nov 94 12:32:00 -0500
From: hiwire@solomon.technet.sg (Lim Beng Cheng)
Subject: Re: FORM virus Info wanted (PC)

Michael Paget (paget@gaul.csd.uwo.ca) wrote:
: An acquaintance of mine is currently tracking down an infection of the
: FORM virus in the computer system of a large corporation. We have
: successfully removed it several times, but re-infection continues on an
: irregular basis.

We have a product called FRONTLINE which, when installed in your hard disk, will automatically detect and remove all boot/partition viruses - past, present and future. You no longer have to worry about boot viruses including stealth ones. Please email me for more info.

Lim Beng Cheng
Hiwire Computer & Security Pte Ltd
hiwire@solomon.technet.sg

------------------------------

Date: Tue, 01 Nov 94 12:44:11 -0500
From: hiwire@solomon.technet.sg (Lim Beng Cheng)
Subject: Re: Anti-CMOS Virus Infection - HELP! (PC)

Ulrich Pinkernell (pinkeru@uni-muenster.de) wrote:
: Simon Cheung (Simon_Cheung@kcbbs.gen.nz) wrote:
: : Using the latest version of scan V.2.1.1., one of my computers was found
: : to be infected with the "Anti CMOS" virus. Previously, version 117 of
: : scan identified the problem as a generic MBR virus.
: :
: : As a remover was not as yet available with V.2.1.1. of scan, does anyone
: : know of what solutions I have, as I'd like to regain the use of the
: : computer.
: I had the same problem.
: Also the latest version of F-PROT found this virus
: but did not remove it directly, but there was the option to overwrite the
: Master Boot Record (MBR).
: I did this myself with FDISK /MBR and the virus has gone. :)
: A third Anti-Virus-Program (SD-Scan , commercial) found this virus as
: a new version: Stoned (AntiCMOS) -virus, but it also was not able to
: remove it.
: You should save your data before using fdisk /mbr. The possibly
: infected floppy disks you can use later by copying your files from them
: and formatting them. Possibly you have to install your DOS-system
: files by SYS c: (from a clean DOS-Boot-disk !! :)

A simpler way is to install FRONTLINE. This is a very new product and much thought and effort was put in to make it work for all forms of boot/partition viruses. Just install into your hard disk and on boot up, if a boot virus exists, it will prompt you to remove it. All you need is just to type Y. No special training is required for your users.

It is fortunate that the virus you encountered is a simple one. There are many cases when FDISK /MBR does not work. FRONTLINE will work, and it works by booting up from the very hard disk that is infected. FRONTLINE can remove the virus even from an infected hard disk, and stealth ones too. Please email me for more info.

- --
Lim Beng Cheng
Hiwire Computer & Security Pte Ltd
hiwire@solomon.technet.sg

------------------------------

Date: Wed, 02 Nov 94 07:41:00 -0500
From: Nick FitzGerald
Subject: Re: Promise DC200 IDE caching card problems(?) / Virus? (PC)

stech@eskimo.com (Harvey Steck) wrote:

> Anyone had problems with the Promise DC-200 caching card? I am

I've heard a few grumblings about this card...

> suspicious that this card has recently started garbling
> apparently randomly picked filenames, but it does not affect the
> contents of the files(!). It is always the third character of the
> filename that is changed, and it is always changed by subtracting
> 40h from its ASCII value.

...but none like that!
Pray tell how your IDE adapter can "know" which chunks of the stream of bits flowing through it are directories and more specifically the filename parts of directory entries, given that DOS allows directories to be written almost -anywhere- on the disk?

> Does anyone know of a virus that does this? If so, please let me
> know! (SCAN v117 doesn't detect it.)

I don't, but it sounds more likely to be a virus -or- a fault with some other piece of software than a problem with the HD adapter. If you want to rule out the adapter, just replace it with a standard IDE adapter and see if the problem continues or disappears.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Wed, 02 Nov 94 07:41:00 -0500
From: Nick FitzGerald
Subject: Re: KOH Problem (PC)

Pietro wrote:

> I have a small problem--at school, someone installed KOH on a library
> computer, claiming it to be the "ultimate" encryption program (he was
> encrypting the harddrive because students were messing around with it
> and causing a lot of problems) However, something happened (what, I'm
> not exactly sure) and KOH will not let the computer to boot up
> properly. The computer says "Enter Passphrase", and after we do, it
> says "Loading MS-DOS" (everything normal so far). After that,
> however, it says there's an error reading the harddrive. So far, it's

Read the recent postings to comp.virus or pull them from one of the virus-l archive servers. The author of the KOH virus occasionally posts here, and did so recently, at which time he proudly reported that KOH is "supported freeware"--if you use it and have problems you can contact his company and get user support.
As this person makes (some of) his income from selling viruses, I will not identify him here, as that kind of recognition of scum of his ilk goes against my ethical code.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Wed, 02 Nov 94 07:41:00 -0500
From: Nick FitzGerald
Subject: Re: Microsoft Anti-Virus updates (PC)

gedaliah@panix.com (Gedaliah Friedenberg) wrote:

> I have Microsoft Anti-Virus which is dated copyright 1993. Is it
> possible to get an update from Microsoft to include new viruses since
> then?

As anyone (with the possible exception of Eli) who has read this forum for any length of time would say: Why bother?

MSAV is a watered down version of CPAV. The latter wins Editors' Choice awards from PC Rag and the like, but sod all else. The general opinion of these programs here is that they are over-rated and under-powered. As you are a student, save the money MS will rip you off to keep their program out-of-date and get something like F-Prot (which is free for personal use) and/or TBAV. If you want to spend more than a typical shareware registration look through the FAQ and past postings and product reviews here.

Note that a "good" antivirus setup should include more than a scanner or two--look at integrity checkers, integrity shells, generic detectors/disinfectors, etc.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Wed, 02 Nov 94 07:41:00 -0500
From: Nick FitzGerald
Subject: Re: Date Stamp (PC)

sean.doherty@channel1.com (Sean Doherty) wrote:

> I recently installed McAfee's Virusan v2.1.1 onto our Novell network.
> I
> scanned all 3.5GB of our Netware v3.11 network and to my horror found
> that many of the date stamps on files ending in EXE, COM, BIN, DLL, SYS and
> OVL were changed by eight months! As you know, this is a major problem

[rest deleted]

Hmmmm--I realise that this is a NW-aware program and therefore probably able to circumvent this, but did you have the files flagged RO? You don't say, but I assume you did this from a supervisor or equivalent account. (I doubt any other account would ever need full access to the whole drive and -hope- that people don't have such badly configured servers as to allow this!)

Not having any experience with 211 I can't be sure, but did you really need write access to any of these files? If not, I'd have run from an unprivileged account with RF trustees in the root of each logical volume (and files individually set to RO as mentioned above).

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Wed, 02 Nov 94 07:41:00 -0500
From: Nick FitzGerald
Subject: Re: Need Help with Stoned Virus (PC)

enniaun@delphi.com opined:

> You hit that one on the head. He should use the McAfee (or similar) 'CLEAN'
> program. Stoned is very easy to remove with it. Be sure to 'clean' EVERY
> bootable floppy you've got.
  ^^^^^^^^

Bzzzt--thank you for playing, and collect your "Misleading post of the day" banner on your way out.

What Ennuian meant to say was: Be sure to clean EVERY, EVERY, EVERY floppy you have. This cannot be overstressed. In the PC world there is no such thing as "a bootable floppy" because the structure of English suggests that such a concept means there -is- such a thing as a "non-bootable floppy". There --ISN'T--.
-Any- floppy that doesn't have a data error on the first track bad enough to prevent a BIOS INT 13 call from reading the first physical sector is "bootable". In the PC world, "bootable" doesn't mean that an OS (usually DOS) will be loaded--it simply means that the first physical sector will be read and flow of execution will jump to the beginning of the (presumably) code loaded from there. If you have a boot sector/MBR virus you have to check --ALL-- your floppies as part of the cleanup procedure.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332

------------------------------

Date: Fri, 28 Oct 94 11:00:01 -0400
From: adamsp@umbsky.cc.umb.edu (Peter C.S. Adams)
Subject: Holloween virus? (PC)

A user here at UMass said that when he ran a program, he got a big orange pumpkin on his screen. He eliminated it by changing the date. He is at home, so I could not verify this or check his setup, but it raises a question: Are there any viruses (new or old) that go off on or near Halloween? I have found nothing pertinent in the Scan or F-Prot documentation.

+--------------------------------------+
| The sunlights differ, but there is   | Peter C.S. Adams
| only one darkness. --Ursula LeGuin   | UMass-Boston
+--------------------------------------+

------------------------------

Date: Fri, 28 Oct 94 11:56:09 -0400
From: MIKE PILKINGTON 919-541-1392
Subject: Help - "little red" (PC)

Where can I find info on the "little r'" or "lil red" virus? Infection in progress. Need help now. Thank you.

------------------------------

Date: Fri, 28 Oct 94 12:31:59 -0400
From: erosenba@nubis.rutgers.edu (Evan Rosenbaum)
Subject: Re: DOOM II (PC)

Bert.Martin@UAlberta.CA (Bert Martin) writes:

>I have a 486 with 46 corrupt files, mostly WINDOWS files.
>Many more must be corrupt as the system hangs on most DOS commands.
>F-PROT 2.14 detected nothing (except the corrupt files) from a clean boot.
>VIRUSCAN 9.24 v116 found nothing.
>CPAV hung on a file with sector not found.

I had a machine with a bad cache card display these exact symptoms. When the card was replaced, the problems went away. Just a thought, check the hardware.

- --
Evan Rosenbaum
Software Project Engineer
Holtec International
erosenba@nubis.rutgers.edu

------------------------------

Date: Fri, 28 Oct 94 13:10:58 -0400
From: ANTHONY APPLEYARD
Subject: A non-viral cause of Windows being slow (PC)

When Windows runs, it swops matter between RAM and a big hidden system file called (in my PC) C:\386SPART.PAR, which in my PC is 20,135,936 bytes long, but I have seen them over 60,000,000 bytes long. This should be consecutive, because of the way Windows accesses it. But, if you are installing or re-installing Windows and it can't find that much consecutive free disk space, it must set up C:\386SPART.PAR fragmented, and having to use a fragmented swop file makes Windows S----L----O----W as in `snail', and not a virus need be within a mile of the place. So, when (re)installing Windows, first:-

(1) Delete any old C:\386SPART.PAR that may be in the PC.
(2) Run the defragmenter in full "configure" mode.

Note that the defragmenter won't defragment C:\386SPART.PAR, because it is marked as "not to be moved", because Windows accesses it by the absolute disk addresses of its various parts.

------------------------------

Date: Fri, 28 Oct 94 15:04:48 -0400
From: gspiegel@paltech.com
Subject: "antiexe" virus (PC)

Anybody know anything about the "antiexe" virus? McAfee's v. 2.12 keeps finding it in memory, but not on the disk, and won't remove it. Any help would be appreciated.

------------------------------

Date: Fri, 28 Oct 94 15:25:03 -0400
From: bbecke1@umbc.edu (Bryan M. Becker)
Subject: Stealth* What is it? Virus DB? (PC)

My company is having a problem with the Stealth* virus. I checked the latest VSUM (408) and it isn't included.
What kind of virus is it? And are there programs that have a virus DB on them like VSUM?

Thanks,
Bryan

+-------------------------------------------------------------------+
| Bryan M. Becker                        | University of Maryland   |
| E-Mail : bbecke1@gl.umbc.edu           | Baltimore County Campus  |
|          broknoz@aol.com               | U.M.B.C. Retrievers      |
| WWW : http://umbc8.umbc.edu/~bbecke1/  | BS Information Systems   |
|                                        |--------------------------|
| USF&G Insurance                        | Pi Kappa Phi Fraternity  |
| Network Administrator                  | Vice President           |
| Baltimore, Maryland                    | Founding Father 005      |
+-------------------------------------------------------------------+

------------------------------

Date: Fri, 28 Oct 94 09:22:31 -0800
From: a_rubin@dsg4.dse.beckman.com
Subject: Re: The truth about the CD-ROM (PC)

"AMERICAN EAGLE PUBLICATION INC." <0005847161@mcimail.com> writes:

>Iolo Davidson writes:
>For example Thunderbyte is often a target of virus writers. Why? Well,
>it's a half-way decent product. Likewise, McAfee's SCAN and Central Point's
>CPAV are often targets because they are successful. So why don't A-V
>developers write lousy products and shun commercial success. Next time
>PC Mag offers you Editor's Choice, threaten to sue! Why not?

CPAV is a target because it's successful? Perhaps it's successful, but I don't think "good" or even "half-way decent" should be applied to it. I've never seen a good review of it here.

- --
Arthur L. Rubin: a_rubin@dsg4.dse.beckman.com (work) Beckman Instruments/Brea
216-5888@mcimail.com 70707.453@compuserve.com arubin@pro-sol.cts.com (personal)
My opinions are my own, and do not represent those of my employer.
This space intentionally left blank.

------------------------------

Date: Fri, 28 Oct 94 21:38:49 -0400
From: al026@yfn.ysu.edu (Joe Norton)
Subject: Re: Lil' Red Virus (PC)

I've only seen Little Red in the wild because of one thing. It is (was) being distributed on Trident 9400 local bus video card software, straight from the factories in Taiwan.
ScamV/Clean could just find & delete infected files. F-Prot did a very nice job of cleaning the few infections I found.

Joe

------------------------------

Date: Fri, 28 Oct 94 21:46:52 -0400
From: susanbs@satelnet.org (Susan Sassoon)
Subject: master boot record viruses (PC)

Hi. My office computers were recently infected with Form and Monkey B. We've cleaned up our floppies, but 2 of the computers still have the virus in the master boot record. We've reformatted the hard drives of 3 of the computers to get rid of the viruses, making a tape backup of info that was not replaceable. I'd like to clean up the remaining 2 computers without reformatting, if possible.

We tried booting from a clean floppy, then typing sys a: c:, but that didn't seem to clean out the viruses. Also, we then had trouble getting the computer to know it had a c: drive. We were forced to do a low level format and then reinstall dos.

My questions are: Is there an easier way to clean up the master boot record? What did I do wrong? Also, the info backed up on the tape does not seem to be infected. Can it still contain the virus? Should I continue to use this tape, now that I have better AV software on the computer? I'm now using Disk Secure2 and F-Prot. Is that a relatively safe combination?

Thanks for your advice!

- -Susan Sassoon

------------------------------

Date: Sat, 29 Oct 94 02:01:50 -0400
From: iii@mercury.interpath.net (Scott Ferwerda - Integrated Industrial Info.)
Subject: What does Anti-CMOS A do ? (PC)

What does it do besides prevent Windows from running with 32-bit disk access? I found it with McAfee, removed it with fdisk /mbr, but so far have found no ill effects. Was I just lucky or might I yet find some corrupted data?

------------------------------

Date: Sat, 29 Oct 94 09:20:41 -0400
From: be423@freenet.carleton.ca (Francis Ng)
Subject: Re: ubuythis.now (PC)

In a previous article, tony.brower@factory.com (Tony Brower) says:

>Something (presumably a virus?)
>is causing an empty file called
>"ubuythis.now" to be created in my root directory on my hard drive. If
>it is erased it just reappears soon.
>Virusscan doesn't find anything and no damage seems to have been done,
>but it's disconcerting all the same.
>Anyone have any clues?

The file is created by an unregistered version of Telix for Windows. It's not a virus.

------------------------------

Date: Thu, 20 Oct 94 22:16:00 +0200
From: Peter_Hoste@f0.n319.z9.virnet.bad.se (Peter Hoste)
Subject: GenB virus - Need Help (PC)

> )McAfee 2.01        GenB at 960k
> )Thunderbyte        Unknown Boot sector virus
> )MSAV               Nothing
> )CPAV               Nothing
> )No attempts to remove the virus work. I have done the following (as
> ) 1. Make 6.2 boot disk on clean machine with only Himem.sys and
> )    Emm386 loading
> )    - boot infected machines and check with Scanner - Same Result
> )      as above
> ) 2. Sys the hard drive from a clean floppy
> ) 3. Re-format hard drive, re-install DOS from BRAND NEW package
> ) 4. Low level drive, then do step 3.
> )
> )None of these or anything else helped the situation at all.
> )
> ) ANY HELP ON THIS WOULD PROBABLY GET MY BLOOD PRESSURE
> ) BACK TO SOME SORT OF ACCEPTABLE LEVEL !!!
> )
> 3 and 4 are really overkill. It is possible that your low-level

All of the above is overkill. FDISK /MBR should do the trick (if the boot-disk is clean!) without any loss of data and time.

Grtz. Peter.

- ---
 * FMail 0.98a
 * Origin: FreeLinK.. A new look at networking (9:319/0)

------------------------------

Date: Sat, 29 Oct 94 14:01:00 -0400
From: a
Subject: Tai-Pan!!!! Remover needed!!! (PC)

Could someone please tell me where to get a remover for the Taipan virus??? I only have a program that will keep it from going into memory, but I haven't fully removed it. Thanx a lot. Please email me!!
thanx

------------------------------

Date: Sat, 29 Oct 94 14:18:44 -0400
From: Ullrich_Fischer@mindlink.bc.ca (Ullrich Fischer)
Subject: F-prot external search strings (PC)

I recently downloaded from complex.is a file NOV94.TXT which seems to contain search strings for a bunch of new viruses. Are these already built into f-prot 2.14's signature database? Are we expected to type in this 150-line file through F-prot's interactive user search strings entry facility? Is there a way to point f-prot to an ascii file for external search strings? I scanned the documentation for 'signature' and obtained no clues. I know Frisk rarely answers email (probably because he doesn't have the time), but I'm hoping someone following this group will have answers.

- --
Ullrich_Fischer@mindlink.bc.ca
Before people are governable, they have to have something to lose. - Nils Christie

------------------------------

Date: Sat, 29 Oct 94 17:08:15 -0400
From: cmassa@post.its.mcw.edu (Christopher Massa)
Subject: Re: ubuythis.now (PC)

Tony Brower (tony.brower@factory.com) wrote:
: Something (presumably a virus?) is causing an empty file called
: "ubuythis.now" to be created in my root directory on my hard drive. If
: it is erased it just reappears soon.
: Virusscan doesn't find anything and no damage seems to have been done,
: but it's disconcerting all the same.
: Anyone have any clues?

This is put there by certain shareware programs (Telix for Windows is one) to determine how long you can use the program. However, deleting it will not restore full time back to the shareware. When you use that program it will make that file again.

Chris Massa

------------------------------

Date: Tue, 01 Nov 94 13:03:12 -0500
From: hiwire@solomon.technet.sg (Lim Beng Cheng)
Subject: Re: Monkey.Stoned virus on multimedia 486 won't go away... (PC)

Jimmy Kuo (cjkuo@symantec.com) wrote:
: "Andy Berger - ITS User Support Services 803-953-6988" writes:
: > Tried FDISK/MBR to no avail.
: > Tried F-Prot and CLEAN with no
: > effect. F-Prot says to boot from a clean disk. When I do this,
: > it "disengages" the hard drive so the system doesn't recognize
: > it. Reboot from the hard drive and the drive "pops" back to life
: > as if nothing happened.

: Monkey takes the partition table that was in the MBR, encrypts it and stores
: it away. The partition table area is then wiped clean. Thus, when booted
: from the harddisk (and using Monkey's viral code), it knows the whereabouts of
: the partition table and everything's fine. But when booted from a clean boot,
: no partition table, not a valid hard disk.

: > Microsoft Antivirus doesn't even find the virus.

: NAV 3.0 takes care of it fine. Boot clean. Run NAV 3.0. We access the hard
: drive, even if DOS doesn't think there is one, specifically because of Monkey.

: > It hasn't done any damage (yet) so maybe there's really no virus????

: If you ever need to boot clean and repair something that has gone awry on your
: hard disk, that's when you'll realize that you have a serious problem. But
: you already know that you can't boot clean. So, the damage is that you can't
: boot clean and expect to use your computer.

: Jimmy Kuo
: Norton AntiVirus Research

Try FRONTLINE. When installed in your hard disk, it can detect and remove all boot viruses - past, present and future, including stealth ones and that Monkey virus. Since it is generic, no update is necessary.

FRONTLINE has been carefully designed and thought out. It is the most reliable defence against boot viruses. Moreover, it is designed to complement your existing anti-virus software, thus saving your investment. It reliably detects and removes all boot viruses, even those missed by the anti-virus software. No false alarm!

For more info, just email me. Thank you.

Lim Beng Cheng
Hiwire Computer & Security Pte Ltd
hiwire@solomon.technet.sg

------------------------------

Date: Tue, 01 Nov 94 15:27:31 -0500
From: Steve Hathaway
Subject: Re: Help Please: Monkey?
(PC)

> palam@delphi.com writes:
>
> >I use Norton Antivirus to check my computer and see the "Monkey"
> >virus message. What is that?
>
> It's the Monkey virus! On your machine, the MBR has been encrypted
> and moved. If you boot clean, DOS will not recognize the HD as a valid
> drive.
>
> >If anyone knows how to get rid of it, please give me a hand.
> =======

I have successfully removed Monkey by booting from a clean DOS diskette and running the PC-TOOLS DISKFIX program to restore a usable MBR. Access to all files on the hard disk remained usable. I then restored the boot image using the SYS command. Booting then from the hard disk showed no more Monkey.

------------------------------

Date: Tue, 01 Nov 94 17:36:03 -0200
From: Marcantonio abra
Subject: Virus MTE-Encrypted (PC)

Hello all,

I would like to know urgently information about the virus called MTE-Encrypted. How can I exterminate it?

Regards,
Fabra

------------------------------

Date: Wed, 02 Nov 94 03:06:52 -0500
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: Monkey Virus is on our backs... (PC)

Lim Beng Cheng (hiwire@solomon.technet.sg) wrote:
: However, I have written a program called FRONTLINE. It is specifically
: designed to detect and remove boot viruses of any kind, including stealth
: and polymorphic boot viruses - past, present and future.
                                                   ^^^^^^^^^^

I have a lot of problems with claims like this....

: There is no need to update FRONTLINE because it is a generic virus
: detector. Just install into your hard disk and you can totally forget
: about the threat of boot viruses. The moment you switch on your PC and
: boot up from the hard disk, if there is a boot virus, it will be detected
: and removed automatically. The user just has to type Y in response to
: "Remove suspected boot virus (Y/N)?".

"Removing the boot sector virus" is not the same thing as "fixing the problem".
: FRONTLINE is the most reliable software solution to your boot viruses
: problem - don't even need a system disk to recover from an infection.
: Moreover, it saves your investment in your existing anti-virus software.
: FRONTLINE complements your anti-virus software.

Suppose FRONTLINE encounters a piece of boot code (virus or otherwise) which uses at least some of its 512 bytes to encrypt and decrypt other areas of the disk. If the code is overwritten with generic boot sector code, any encrypted sectors may be forever lost. If those sectors happen to be critical (FAT, root dir, or just important data), overwriting could be disastrous.

Can FRONTLINE, therefore, figure out all possible future boot sector infectors and guarantee that if the boot sector is fixed, all side effects are removed as well? Until it is (and that's a highly non-trivial exercise), I'll stick to products which are updated periodically to handle all past and present infections. I prefer to wait for an upgrade which I know will work than to risk using a product which claims today to handle "all future infections".

-BPB

------------------------------

Date: Wed, 02 Nov 94 03:18:53 -0500
From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Subject: Re: Firmware Virus Protection System For Networks (PC)

EMD Enterprises (emd@access.digex.net) wrote:
: --ROMArmor Provides Seamless Anti-Virus Protection--
: How ROMArmor Prevents And Eliminates Boot Viruses
: ROMArmor prevents the most feared of computer viruses, the boot virus.
: ROMArmor prevents infection by installing itself as an extended BIOS
: before the system accesses the boot and master boot record (MBR) of the
: system disk. With ROMArmor activated in the system, the presence of
: any boot viruses hiding within the MBR and boot sector will be
: detected.

: Because boot viruses are difficult to detect and prevent, they are a

Difficult to *detect*?!? How about just booting clean from floppy and using FDISK, DEBUG, or a disk utility like e.g.
Norton NU or DE?

: large part of the reported virus infections. Boot viruses' most common
: method of entry is when the user accidentally boots the computer from
: an infected floppy disk or uses a floppy disk infected by one of the
: common boot viruses such as FORM, Stoned or Michelangelo.

**Uses** a floppy infected with a bsv? The virus may "enter" the computer's buffers, but it certainly isn't infecting the boot record.

I hope your product is more robust than your advertising copy. I realize that this may just be entered in straight from a flier, but there are a lot of technically sophisticated readers here. I submit that it would be in a company's best interests to be accurate here when introducing a product.

-BPB

------------------------------

Date: Wed, 02 Nov 94 04:12:01 -0500
From: Henrik Stroem
Subject: Frontline anti-virus program (PC)

hiwire@solomon.technet.sg (Lim Beng Cheng) writes:

> There is no need to update FRONTLINE because it is a generic virus
> detector. Just install into your hard disk and you can totally forget
> about the threat of boot viruses. The moment you switch on your PC and
> boot up from the hard disk, if there is a boot virus, it will be detected
> and removed automatically. The user just has to type Y in response to
> "Remove suspected boot virus (Y/N)?".

I wrote such a program 3 years ago, named 'HS Anti-Bootvirus'. It is available from most anti-viral FTP sites as 'hs-v358.zip'. I am still developing it.

> FRONTLINE is the most reliable software solution to your boot viruses
> problem - don't even need a system disk to recover from an infection.

This is of course wrong! Many viruses can make the machine crash at the MBR level of code execution, making a boot from diskette the only way to recover. Read the documentation of my 'HS Anti-Bootvirus' for more on this.

Sincerely,
Henrik Stroem
Stroem System Soft

------------------------------

Date: Sun, 30 Oct 94 12:37:20 -0500
From: "Rob Slade, Ed.
DECrypt & ComNet, VARUG rep, 604-984-4067"
Subject: "The Tojo Virus" by Randall

BKTOJOVR.RVW   940817

"The Tojo Virus", Randall, 1991, 0-8217-3436-9, U$4.95/C$5.95
%A   John D. Randall
%C   475 Park Avenue South, New York, NY 10016
%D   1991
%G   0-8217-3436-9
%I   Zebra Books, Kensington Publishing Corp.
%O   U$4.95/C$5.95
%T   "The Tojo Virus"

Score one for internal evidence! All the way through this book, I was muttering that the author knew a *lot* about IBM the corporation, IBM sales, IBM demos and PROFS screens. (He hasn't had any better luck than I have with getting typesetters to do screen shots properly, but ...) Lo and behold, the author's note at the end says that he is a former IBM salescritter and manager. In other words, he's a "suit", and wouldn't know technology, high *or* low, if it bit him in the leg.

What we have, here, is possibly the precursor to "Terminal Compromise". Published a year before, the plot centres around a diabolical Japanese scheme to refight Pearl Harbour--only on an electronic battlefield. The Yellow Peril set out to insert a virus into the computers of the mighty IGC corporation and bring it to its knees. (Anyone who does not recognize IGC as IBM simply doesn't know what's happening in the computer world.)

The author, in his end note, makes a lot of silly suggestions about computer security which basically reduce to the idea that personal computer users will have to adopt the "mainframe mentality". Obviously, this guy is too heavily propagandized to recover.

The bad guys set up a blackmail sting costing them (ultimately) four million dollars just to get one password. (Anyone for a little social engineering?) The blackmail operation serves primarily to introduce (the book's term, here) a "high priced slut" who provides wild and steamy sex scenes.
Fortunately (or unfortunately), depending upon your taste (or lack thereof), the author has as little imagination in pornography as in technology: most of the sex scenes have little more description than "then wild sex takes place". (This female character, though unsure of what a "file" or a "disk" is, provides vital plot direction by minutely dissecting the technical security weaknesses in the original plan.)

The plan is to introduce a virus into the (mainframe) email system. I think. (There is an awful lot of extraneous detail.) The email, whether read or not, will encrypt PC hard disks on a given date. (The bad guys somehow think this is safe because it doesn't do anything illegal.) Once the virus hits, no one can access anything, because everyone uses PCs as terminals. Encrypted PCs can't be booted from floppies. The deadly message contained screens full of ones and zeros--obviously "Assembly language" written by REXX hackers! (REXX, boys and girls, is an interpreted language.) While all of this is going on, a single PC with a dialer program is managing to tie up the entire phone system of huge corporate offices. I am not making this up. (Randall is.) He even gets a standard IBM joke wrong, misquoting "This page intentionally left blank."

Ragged plot, inconsistent characters, enough tech to fool those who know even less than Randall.

copyright Robert M. Slade, 1994   BKTOJOVR.RVW   940817

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" (Oct. '94) Springer-Verlag

------------------------------

End of VIRUS-L Digest [Volume 7 Issue 92]
*****************************************
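Appended after the digest as an added example; it is not part of the digest and not code from any of the products discussed in it. It takes two points made in the posts above and turns them into read-only checks that can be run over 512-byte sector images. Nick FitzGerald's point in the Stoned thread is that the BIOS reads the first sector of any readable floppy and jumps into it, so a "data only" disk carries boot code too and every floppy has to be checked: `audit_floppies` compares each image's first sector against a baseline of fingerprints taken from known-clean disks. Jimmy Kuo's description of Monkey (quoted in the FRONTLINE thread) is that the partition table is encrypted, stored elsewhere and its area in the MBR wiped, so a clean boot finds no C: drive: `mbr_status` recognises an MBR that still has boot code and a valid signature but an empty partition table, and its comment carries Bruce Burrell's caveat about overwriting such code. All sectors are constructed inline, the "wiped" table is assumed to be zero-filled (an assumption of this example, not something the posts state), and the function and file names are my own.

```python
# Added example, not part of the digest: a read-only inspector for 512-byte
# boot sectors.  Every sample sector below is constructed; none is a real
# virus, and nothing here writes to a disk.
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries, ending at offset 510
SIGNATURE_OFFSET = 510         # 55 AA marks a sector the BIOS hands control to

# BPB fields at offset 11: bytes/sector, sectors/cluster, reserved sectors,
# FAT copies, root entries, total sectors, media descriptor, sectors/FAT,
# sectors/track, heads
BPB = struct.Struct("<HBHBHHBHHH")
# partition entry: status, CHS start, type, CHS end, LBA start, sector count
PARTITION_ENTRY = struct.Struct("<B3sB3sII")


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[SIGNATURE_OFFSET:] == b"\x55\xaa"


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; compared against a baseline from clean disks."""
    return hashlib.sha256(sector).hexdigest()


def parse_bpb(sector: bytes) -> dict:
    """Decode the DOS BIOS Parameter Block that every formatted floppy carries,
    system disk or not: the boot code in the same sector uses it to find the FAT."""
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "fat_copies", "root_entries", "total_sectors", "media_descriptor",
             "sectors_per_fat", "sectors_per_track", "heads")
    bpb = dict(zip(names, BPB.unpack_from(sector, 11)))
    bpb["oem_name"] = sector[3:11].decode("ascii", "replace").rstrip()
    return bpb


def parse_partition_table(sector: bytes) -> list:
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = PARTITION_ENTRY.unpack_from(
            sector, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def mbr_status(sector: bytes) -> str:
    """What a clean-boot repair needs to know before touching the MBR: is there
    boot code the BIOS will run, and is there still a partition table for DOS
    to find C: in?  Code plus an all-zero table matches Kuo's description of
    Monkey (table moved elsewhere, original area wiped).  The table has to be
    recovered first; overwriting the code with a generic MBR loses the only
    copy of where it went (Burrell's point)."""
    if not has_boot_signature(sector):
        return "no boot signature"
    if not any(sector[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET]):
        return "boot code present, partition table empty"
    return "boot code present, partition table present"


def audit_floppies(images: dict, baseline: set) -> list:
    """Names of images whose first sector is not in the known-good baseline.
    Every image is checked, data disks included: the BIOS reads sector 1 of
    any readable floppy and jumps into it, so a 'non-system' disk still has
    boot code that a boot-sector virus can replace."""
    return sorted(name for name, image in images.items()
                  if fingerprint(image[:SECTOR_SIZE]) not in baseline)


# ---- constructed samples (hypothetical disks) -----------------------------

def make_floppy_boot_sector(code_byte: int = 0x90) -> bytes:
    """1.44 MB DOS-style boot sector: jump, OEM name, BPB, filler in place of
    the loader, signature.  code_byte lets a second sample differ only in the
    code area, which is what a changed boot sector looks like to a checker."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"          # JMP SHORT 0x3E ; NOP
    sector[3:11] = b"MSDOS5.0"
    BPB.pack_into(sector, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sector[0x3E:SIGNATURE_OFFSET] = bytes([code_byte]) * (SIGNATURE_OFFSET - 0x3E)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


def make_mbr(partition_table: bytes) -> bytes:
    sector = bytearray(b"\x90" * SECTOR_SIZE)       # filler in place of MBR code
    sector[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET] = partition_table.ljust(64, b"\x00")
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


CLEAN_FLOPPY = make_floppy_boot_sector()
ALTERED_FLOPPY = make_floppy_boot_sector(0xCC)   # same BPB, different code
FLOPPY_BASELINE = {fingerprint(CLEAN_FLOPPY)}
SAMPLE_IMAGES = {"system.img": CLEAN_FLOPPY, "data_only.img": CLEAN_FLOPPY,
                 "suspect.img": ALTERED_FLOPPY}

HEALTHY_MBR = make_mbr(PARTITION_ENTRY.pack(0x80, b"\x01\x01\x00", 0x06,
                                            b"\xfe\x3f\x7f", 63, 1032129))
WIPED_MBR = make_mbr(b"")   # code kept, table zeroed (assumed form of "wiped clean")

if __name__ == "__main__":
    print(parse_bpb(CLEAN_FLOPPY))
    print("healthy MBR:", mbr_status(HEALTHY_MBR))
    print("wiped MBR:  ", mbr_status(WIPED_MBR))
    print("floppies to check:", audit_floppies(SAMPLE_IMAGES, FLOPPY_BASELINE))
```

Run stand-alone it prints the decoded BPB, the two MBR verdicts and the one floppy image that drifted from the baseline. On real media the baseline would be taken from freshly formatted disks on a clean-booted machine, and the sectors under test would also be read after a clean boot: a resident stealth boot virus answers INT 13 reads of the sector it occupies with the original contents, so a checker run from an infected hard disk sees nothing wrong.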