┌───────────────────────────────┐
│      THE VIRUS INFORMER       │   When buying 'pre-formatted' blank
│  your weekly virus newsletter │   disks, don't trust that they are
│  by Mark E. Bishop, edited by │   virus free, SCAN THEM FIRST!
│        Alan Bechtold          │
└───────────────────────────────┘

CHAPTER 2: 'FROM THE VIRUS MESSAGE BOARD'
real life people and their virus questions

The following messages are taken from various online anti-virus research systems. The names have been changed and the content edited. They cover situations and people's computers from all over the country. You should find these messages very interesting. MAKE USE OF THIS INFORMATION.

QUESTION: 1
ZARAGOZA MAKES ITS VISIT TO TOWN, ARE YOU NEXT?

I just received my SCAN93 program and ran it, showing no viruses on my systems. However, when I ran it on my network it reported that I had a virus with the name of ZARAGOZA active in memory and that I should power down. What is this virus and why does it show on my network and not my PC?

ANSWER: 1

The ZARAGOZA virus is a .COM, .EXE and overlay file infector that infects a file when the file is opened, which is common in the use of networks. It was first reported from Zaragoza, Spain, and has been reported just recently here in the United States.

QUESTION: 2
DOS 5 IS SPIRIT-FILLED AND CAUSES HAVOC

Recently I have had an interesting phenomenon occur on my computer system. When I run CHKDSK it reveals pairs of files existing on my hard drive and on my floppy. The files have certain unique characteristics such as:

  1. Their length is always zero '0'
  2. Their date and time are always the current ones
  3. They can't be referred to in any way
  4. Their names are both fixed and variable. The first three characters are fixed for each pair, "BFC."
  5. And they can't be removed.

Do I have a virus or what, HELP!

ANSWER: 2

The files that you have mentioned above are 'temporary files' that are created by DOS when you use the PIPE "|" command. At the end of the piping they are deleted.
It is possible that you have a program that is abnormally terminating the piping process, and as a result these mystery files are being left on your disk.

QUESTION: 3
VALIDATE MY PARKING PLEASE, ER RATHER MY PROGRAM!

What is this 'Validation' program I keep seeing in my downloads? Is this a program that helps detect computer viruses? I'm confused!

ANSWER: 3

VALIDATE comes with every McAfee anti-virus program, and it is one you will also see with many other quality Shareware programs. VALIDATE is a 'file-authentication' program that is used to check software programs for tampering. VALIDATE uses two discrete methods to generate what are known as Cyclic Redundancy Checks (CRCs), which are then displayed to the user to compare against the known values for the program being validated.

For example, let's say that I write a computer software program and as the author I know that my program is exactly 53,245 bytes in size. If I use my Validate program on the file name it should tell me that the file is indeed EXACTLY that size. Remember, a computer virus will generally increase the SIZE of a .COM or .EXE file.

HOW TO USE VALIDATE:

Okay, for example purposes let's say that my GIZBO.EXE program is 53,245 bytes. How does a guy who just downloaded my file back in Kansas check that out? Here's how:

    VALIDATE GIZBO.EXE

This is what you see next:

    Filename: GIZBO.EXE
    Size: 53,245          <- this is the exact size of the program itself;
    Date: 3-25-1992          this information proves that the file has NOT been altered.
    File Authentication
    Check Method 1 - 9215
    Check Method 2 - 0CA6

To CONFIRM that a program is in its original and un-tampered state, run the VALIDATE program on it, record the validation information (see above) and then compare it with the values the author says it should have.

Note: Do not rely completely upon the documentation that came with your download UNLESS you received that program directly from the author or company themselves! Documentation can be changed.
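The size-plus-checksum comparison that answer 3 describes, as an added example that is not code from the newsletter or from McAfee's VALIDATE. The page does not say which two CRC methods VALIDATE uses, so CRC-16/ARC and CRC-32 are assumed as stand-ins, and the GIZBO.EXE stand-in and its tampered copies are constructed sample data.

```python
"""Added example (not code from the newsletter or from McAfee's VALIDATE):
a file-authentication check in the spirit of VALIDATE. The downloaded
file's size and two independent checksums are compared with the values
the author published. VALIDATE's real two check methods are not described
on the page, so CRC-16/ARC and CRC-32 are assumed here as stand-ins."""
import zlib


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (reflected poly 0xA001, init 0): stand-in for 'Method 1'."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def authenticate(data: bytes) -> dict:
    """The values a user would record: size plus the two check methods."""
    return {
        "size": len(data),
        "method1": f"{crc16_arc(data):04X}",
        "method2": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",  # stand-in 'Method 2'
    }


def verify(data: bytes, published: dict) -> list:
    """Compare a download against the author's published values.
    Returns the names of the fields that differ (empty list = untampered)."""
    actual = authenticate(data)
    return [key for key in published if actual.get(key) != published[key]]


# Constructed sample standing in for GIZBO.EXE: a tiny fake .COM image.
ORIGINAL = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) * 40       # 200 bytes
PUBLISHED = authenticate(ORIGINAL)   # what the author would print in the docs

# Constructed tampered copies: one with bytes appended (the size grows, as the
# page says a file infector usually makes it do) and one with a single byte
# patched so the size stays the same and only the CRCs reveal the change.
APPENDED = ORIGINAL + b"\x90" * 37
PATCHED = ORIGINAL[:-1] + b"\x00"

if __name__ == "__main__":
    print("published :", PUBLISHED)
    print("clean     :", verify(ORIGINAL, PUBLISHED))
    print("appended  :", verify(APPENDED, PUBLISHED))
    print("patched   :", verify(PATCHED, PUBLISHED))
```

The patched copy is the case a size check alone misses, which is why VALIDATE reports checksums as well as the size.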
------------
SPECIAL NOTE about the authentication program and McAfee products:
------------

Beginning with Version 72, all McAfee Associates programs for download are archived with PKWare's PKZIP Authentic File Verification. If you do not see the "-AV" marker after every file as it is unzipped, together with the message "Authentic Files Verified! # NWN405 Zip Source: McAFEE ASSOCIATES" when you unzip the files, then do not run them. If your version of PKUNZIP does not have verification ability, this message may not be displayed. Please contact McAfee Associates if your .ZIP file has been tampered with.

* The above questions are REAL. However, the names of the message senders have been changed and the messages also have been edited.

Does anyone know what in the heck is the 'BLOODY' computer virus? It's also known as the AZUSA virus. It apparently is infecting the boot sector of my floppy diskettes. Now MANY of my clients have this virus and I need to know how to remove it. Please Help! Also, is this virus dangerous? Is it destructive at all? So far it seems that it only slows down the system and sometimes sends unauthorized messages to the user.

AN IMPORTANT NOTE ABOUT THE STONED VIRUS:

Removing the Stoned virus can cause loss of the partition table on systems with non-standard formatted hard disks. As a precaution, backup all critical data before running CLEAN-UP. Loss of the partition table can result in the LOSS OF ALL DATA ON THE DISK.

QUESTION: 4
DOWNLOADED COPY OF SCAN DOES NOT HAVE -AV

I just took off my BBS a copy of SCAN93.ZIP and after unzipping the program I noticed that after each file was unzipped it did not have the Validation Code, -AV, shown to the right of each file as it unzipped. Also, it had an advertisement for a BBS inside the file. Is this okay to use or should I make sure it has the Authentication code first?

ANSWER: 4

SEE how to read and understand the Validation Code and -AV in question #3 above.
Any of McAfee's Shareware programs is safe to use and has not been modified when you see the "-AV" displayed after each file as it is uncompressed AND you run the "Validate" program and make sure the program(s) is the exact size it says it is.

QUESTION: 5
VIRUSES ON OS/2?

I'm a recent convert to OS/2 2.0 operating software and was curious about the availability of any virus scanning programs for this platform. Does McAfee Associates have such a program or any plans in having an anti-virus program for OS/2? I still use SCAN to check all of my DOS programs and that program runs well under OS/2 in DOS mode. Thank you.

ANSWER: 5

There are currently NO OS/2 viruses, but we're not taking any chances. Presently we are looking into OS/2 virus protection and intend to develop an anti-viral program for OS/2 which should be available by mid-summer. Stay tuned as THE VIRUS INFORMER newsletter will keep you informed.

-------------
The below portion was seen in last week's THE VIRUS INFORMER. A few users have asked to see it again. So, by popular demand.
-------------

----------
VIRUS HINT ... preventing computer viruses from infecting you!
----------

The following is a hardware attempt to prevent writes to your hard disk. DO NOT attempt this if you are not experienced with the inside workings of your computer!

Here is how you can virus-proof a PC that has MFM or RLL disk drives (ST-506). Basically, you can add a write protect switch for one of the two disks (I recommend C:) and put all your executables on it, along with DOS. It's very simple, almost anyone can do it. This is it:

                       34 Pin Hard Disk Ribbon Cable
                       (wire 1 has the red stripe)

   ==============         +----------+                        +----------+
   | Controller |=========| Drive D: |====.XX cut wire 6 XX.===| Drive C: |
   |            |         |  Conn.   |       |          |      |  Conn.   |
   |           1|=========|1         |=======|==========|======|1         |
   ==============         +----------+       |          |      +----------+
                                             |__ o/o ___|
                                                Switch
                                      Open=Protected  Closed=Unsafe

Okay, here's what's going on.
We have interrupted pin 6, which is write gate. Leave the terminator resistors in on both drives, and make sure both sets are in or you will blow the data on drive C:.

What I suggest is that you use the keyboard lock key switch on the front of most PCs. The little lock icon is correct. With the switch in the lock position, all writes to C: will be ignored, without any error or warning message. With the switch in the unlock position, the system will behave normally. You must look at the motherboard and jumper the connector that the switch used to go to; usually this can be done with a 0.1" shunt like the ones used to set the unit ID on many disk drives. Or if you wish, you can drill a hole in your case and install a switch or key interlock or whatever. You could also use the turbo switch. I like the key switch because it's more idiot resistant.

Wire 1 on the ribbon cable has a red stripe on it, and you just count wires to wire 6. You obviously need to solder extension wires to reach the switch. Don't make them over 2 feet long, though. The shorter the better.

With the switch in the locked position, you are completely immune to boot sector viruses and to file infectors that try to infect executables on drive C:. Since this solution is 100% hardware, there is no way that a present or future virus can get past it.

PERFECT FOR COMPUTER LABS AND RESEARCHERS!

This technique is ideally suited to virus researchers and university "data slut" computing center machines. This way, the DOS, networking code, compilers, and word processing software could stay intact on a machine. The students would be directed to place their data on drive D:. Only the facility director would have the unlock key.

For the techie: it doesn't hurt to doubly terminate the ST-506 control bus. The margins are sufficient to make it reliable. If it bugs you, use an ohmmeter to figure out which terminator pin is wire 6 on the 34 pin cable, and clip off all other terminator pins on drive C:.
* questions and answers have been modified or adapted from original material for editing purposes.

- end -

Downloaded From P-80 International Information Systems 304-744-2253