virusi.102dejanr,
==========================
security/long.messages #59, from roedy, 4502 chars, Fri Nov 23 00:14:36 1990
--------------------------
TITLE: Checksum virus detection
I am in the middle of writing a simple, fast anti-viral program that
notices infected files. It occurred to me that, if my program became
popular, writers of viruses might try to defeat my program. I would
like some feedback on my plan.
A:\CHECK.COM C:\MYSUB\MYPROG.EXE
requests that the program compute a checksum of that file. It outputs it
in the form:
C:\CHECK.COM C:\MYSUB\MYPROG.EXE 9011234455
Co-incidentally, if you pipe this using:
C:\CHECK.COM C:\MYSUB\MYPROG.EXE >> TEST.BAT
C:\CHECK.COM C:\MYSUB\ALSO.COM >> TEST.BAT
you could create a TEST.BAT file.
Then later you might do something like this:
C:\CHECK.COM C:\MYSUB\MYPROG.EXE 9011234455
C:\MYSUB\MYPROG.EXE
CHECK would validate the checksum. Presumably if the checksum
is the same, then MYPROG.EXE has not been tampered with.
Periodically you might recheck all the checksums. Since the
code is fast, you might validate the checksum just prior to
invoking a program, or using a large read-only data file.
Devil's Advocate
****************
Now let me pretend to be a virus maker, wanting to defend myself
against CHECK.COM.
One first approach would be to seek out CHECK.COM and defang it.
This can be slowed down by renaming it or distributing many
different versions of it (make it shareware, and make every
registered version substantially different). Direct attack can
also be foiled by keeping a copy of CHECK.COM and the expected
checksums on a write protected DOS floppy and testing all the
checksums from time to time after booting from floppy.
A virus maker might vigorously start distributing fake versions
of CHECK.COM that were specially programmed to leave his virus
intact. It might be wise to advertise CHECK and Shareware with
a $5 registration fee -- just enough to cover handling. This
way people might be encouraged to get a copy straight from me.
I could also distribute source, so knowledgeable people could
check for themselves if there is tampering.
The next approach would be to attack the file MYPROG.EXE, then
add bytes to the file with the sole purpose of fiddling the
checksum to make it come out the same as before.
This can be foiled again by distributing multiple versions of
the program, or even allowing the user to generate varying
algorithms.
Question? How difficult would it be to fake in some bytes to
force a CRC algorithm to a given value? Is there any special
merit to CRC for this purpose?
A crude virus will increase the length of a file. A subtler
virus looks for zeros in the middle of a file and implants
itself there, without changing the length. It patches
itself in to execute before the program proper, so it can zero
out the area like the smile of a Cheshire disappearing before
handing control over to the program proper. Thus tracking the
length of the file is probably not that useful.
My Plan
*******
My plan should not rely on secrecy. I will release source code.
My algorithm calls for several fudge factors configured in at
assembly time. One is the blocksize -- we process files in
chunks, e.g. 32K. Others are the initial 16-bit values for
checksum1 and checksum2. Next is a bit rotation amount r1 and
r2 [0 .. 15] for each stage. The basic algorithm is very quick.
Read a block. Compute the XOR of all the words in that block
using a tight LODSW ; XOR BX,AX ; LOOP
Add the XOR to sum1, then rotate left the sum1 by r1 bits. Add
the XOR to sum2, and then rotate right the sum2 by r2 bits.
Then read the next block. Repeat. Special handling for the
last odd byte if present.
The result is two 16-bit sum1 and sum2 bits of gibberish which
are treated as a 32-bit number and output as the decimal
unsigned checksum.
Challenge
*********
EVEN if the virus knows the desired checksum, and even if the
virus knows the magic fudge factors, blocksize, initial sum1,
sum2, r1 and r2, how could a virus adjust a tampered file to
hide the damage? If some sort of trial and error were possible,
perhaps I should expand this to 64 bits. Then if I gave a user
TWO versions of CHECK, each with different fudge factors, does
not the poor virus maker have to cry uncle? He'd have an
extremely tough time fiddling things so BOTH checksums come out
ok.
If I released this on the world, and everyone started to use it,
and you were a virus maker, how would you attack CHECK? Would
you go after the BAT files, CHECK, trapping CHECK'S messages to
the screen? Something else?
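The scheme described in the post above, written out as an added example (not roedy's code): the block sizes, initial sums and rotation counts are placeholder values, and the handling of the odd last byte and the order of the two 16-bit halves are assumptions. It shows that, because each block is reduced to the XOR of its words, a change that only reorders words inside a block goes unnoticed under any choice of fudge factors, while a cryptographic hash such as SHA-256 (not mentioned in the post) reports it.

```python
import hashlib


def rol16(value, bits):
    """Rotate a 16-bit value left by `bits` (0..15)."""
    bits &= 15
    return ((value << bits) | (value >> (16 - bits))) & 0xFFFF


def ror16(value, bits):
    """Rotate a 16-bit value right by `bits` (0..15)."""
    return rol16(value, (16 - bits) & 15)


def block_xor(block):
    """XOR of all little-endian 16-bit words in a block (the LODSW / XOR BX,AX loop)."""
    if len(block) % 2:
        # Assumption: the last odd byte is treated as a word with a zero high byte.
        block += b"\x00"
    acc = 0
    for i in range(0, len(block), 2):
        acc ^= block[i] | (block[i + 1] << 8)
    return acc


def check(data, blocksize, init1, init2, r1, r2):
    """Return the 32-bit checksum of `data` as described in the post."""
    sum1, sum2 = init1, init2
    for off in range(0, len(data), blocksize):
        x = block_xor(data[off:off + blocksize])
        sum1 = rol16((sum1 + x) & 0xFFFF, r1)
        sum2 = ror16((sum2 + x) & 0xFFFF, r2)
    # Assumption: sum1 forms the high half of the 32-bit result.
    return (sum1 << 16) | sum2


def swap_words(data, off_a, off_b):
    """Return a copy of `data` with the 16-bit words at two even offsets exchanged."""
    buf = bytearray(data)
    buf[off_a:off_a + 2], buf[off_b:off_b + 2] = buf[off_b:off_b + 2], buf[off_a:off_a + 2]
    return bytes(buf)


# Two hypothetical builds of CHECK with different fudge factors (placeholder values).
VARIANT_A = dict(blocksize=32 * 1024, init1=0x1234, init2=0xABCD, r1=3, r2=5)
VARIANT_B = dict(blocksize=16 * 1024, init1=0xBEEF, init2=0x0F0F, r1=11, r2=7)


def compare(original, changed):
    """Report which of the three integrity checks consider the two inputs identical."""
    return {
        "variant_a_same": check(original, **VARIANT_A) == check(changed, **VARIANT_A),
        "variant_b_same": check(original, **VARIANT_B) == check(changed, **VARIANT_B),
        "sha256_same": hashlib.sha256(original).digest() == hashlib.sha256(changed).digest(),
    }


# Constructed sample data, standing in for a program file.
ORIGINAL = bytes(range(256)) * 16
# Same words, different order inside one block: the per-block XOR is unchanged.
REORDERED = swap_words(ORIGINAL, 10, 200)
# A single flipped bit changes the block XOR, so this one is caught.
ONE_BYTE = ORIGINAL[:100] + bytes([ORIGINAL[100] ^ 0x01]) + ORIGINAL[101:]

if __name__ == "__main__":
    print("checksum (variant A):", check(ORIGINAL, **VARIANT_A))
    print("reordered words     :", compare(ORIGINAL, REORDERED))
    print("one flipped bit     :", compare(ORIGINAL, ONE_BYTE))
```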
virusi.103feniks,
Here, after less than two months, is already a new
antivirus detector, SCAN 6.0V71 !!!!!!!!!!!!!!!!!!!!!!!
According to my tests it detects known viruses effectively
and is about 23% faster than SCAN 5.1V67.
The SYSOPs will, I hope, make sure it ends up in
IBMPC >>>> Sloba
////////////////////////////////////////////////////////
virusi.104dejanr,
-> #103, feniks
>> The SYSOPs will, I hope, make sure it ends up in IBMPC
It's there. Thanks for the contribution.
virusi.105mikij,
Well, since you went to the trouble for Scan71, here I am offering CleanP71...
Regards, Miki
virusi.106mikij,
-> #105, mikij
And here is also the resident Vshield 71, which I warmly recommend to everyone,
especially the 'more powerful' ones with more memory and a fast processor.
Regards, Miki
virusi.107feniks,
-> #103, feniks
After only 4 days, here is a new
virus detector, SCAN 6.1B71, dated 03.12.1990.
Compared to the previous version, the difference is
in the files SCAN.EXE (naturally) and
SCAN71-B.DOC, where the improvements are listed.
S P
virusi.108dejanr,
All the SCANs, CLEANs and VSHLDs are in the PC directory.
Thanks to everyone who sent programs.
virusi.109dejanr,
New Virus: ZUC B
Update information for altering SAM 2.0 to catch this baby:
Virus Name: ZUC B
Resource Type: CODE
Resource ID: 1
Resource Size: ANY
Search String (no spaces):
7002 A260 4E75 2014 A055 2240
String Offset: ANY
virusi.110djovicevic,
Date: Sat, 22 Dec 90 00:25:51 PST
From: Aryeh Goretsky <netcom!nusjecs!ozonebbs!aryehg@APPLE.COM>
Subject: Christmas Violator Virus
CHRISTMAS VIOLATOR VIRUS
There has been a hacked version of Omen Technology's DSZ ZMODEM
External File Protocol Module called DSZ1203.ZIP. The DSZ file inside
is infected with a new variant of the Violator virus known as the
Christmas Violator or Violator-B4 virus. The virus contains an ASCII
message from a group called RABID and contains a Christmas Greeting.
It is not known what else the virus does.
The following search string can be used by VIRUSCAN with the /EXT
switch to check for the virus:
"51 ba ? ? fc 8b f2 81 c6 9b 11 bf 00 01 b9 03 00" Christmas Violator
If you find this virus on your system, run VIRUSCAN with the /D option
to delete the infected files.
Regards,
Aryeh Goretsky
Aryeh Goretsky, Tech Support vox (408) 988-3832 │
McAfee Associates fax (408) 970-9727 │
4423 Cheeney Street bbs (408) 988-4004 │
Santa Clara, California 95054-0253 // │
Internet: aryehg_ozonebbs.uucp!apple.com // │
UUCP: apple!netcom!nusjecs!ozonebbs!aryehg \X/ │
----------------------
Date: Thu, 20 Dec 90 15:02:43 CDT
From: Tom Cervenka <CTCT100%UICVMC.BITNET@UICVM.uic.edu>
Subject: Virus Scanners (V90 #191)
The author of the note suggests that the VIRUSCAN is unsafe because of
trojan versions and suggests another product instead. Actually, the
problem is not with the program but with the distribution. VIRUSCAN is
shareware so you are encouraged to pass it along. It is this practice
that leaves us vulnerable to the trojans. You can be sure you have
an authentic version however if you simply run the validation program
and call the bulletin board to verify the checksums.
Since new viruses are created each month any virus defense is going to
require frequent updates and direct mail is too expensive what with the
price of disk media and postage. I think that the CVIA system is one of
the best, safest and least expensive.
Tom Cervenka - Univ of Il at Chicago, Info Cntr, Phone 6-7739
Internet: ctct100@uicvmc.aiss.uiuc.edu Prodigy: CMGB18A
------------------------------
Date: Thu, 20 Dec 90 16:03:13 cst
From: riddle@hoss.unl.edu (Michael H. Riddle)
Subject: Re: Virus scanners
In digest V90 #191, Robert_Slade@cc.sfu.ca writes:
>I suspect that the call for a "safe" virus detector, protector,
>disinfector, et al was prompted by the reports that SCAN, one of the
>best known, is *not* safe to use. The fact is the files purporting to
>be versions 65, 68 and 70 of SCAN have been found to contain viri or
>trojan programs. The latest version that I know of is 67C (67 and 67B
>were functional but had bugs).
>An alternate is F-PROT whose author, Fridrik Skulason, can be reached
>at frisk@rhi.hi.is. This is the program that I most recommend. It is
>a very complete suite of virus detection and security utilities.
>Of the commercial software, I note that VirexPC is written by Ross
>Greenburg, well known in anti-viral circles for Flu-Shot.
Unfortunately, any utility is subject to the kind of tampering and
forgery that SCAN suffered. Starting with version 72, McAfee is
distributing it using the -AV autoverification function of PKZIP. I
suspect an adroit villain could find a way to fake the -AV signature,
but it would be a lot harder.
Still, you need to know your source. For me, that means McAfee's
board, or someplace like simtel20.army.mil which is known to get the
product straight from McAfee. (Or Greenburg or whomever. The point is
to know your source.)
riddle@hoss.unl.edu │ University of Nebraska
postmaster%inns@iugate.unomaha.edu │ College of Law
mike.riddle@f27.n285.z1.fidonet.org │ Lincoln, Nebraska, USA
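A matcher for the two search strings quoted in messages #109 (ZUC B) and #110 (Christmas Violator) above, as an added example that is not VIRUSCAN's or SAM's code. Treating each `?` as exactly one wildcard byte is an assumption, the function names are hypothetical, and the buffers are constructed for the example.

```python
def parse_search_string(text):
    """Turn 'AA bb ? ...' or grouped hex like '7002 A260' into a list of int / None."""
    pattern = []
    for token in text.replace('"', " ").split():
        if token == "?":
            pattern.append(None)                   # assumption: one '?' = one wildcard byte
        else:
            pattern.extend(bytes.fromhex(token))   # raises ValueError on malformed hex
    if not pattern:
        raise ValueError("empty search string")
    return pattern


def find_signature(data, pattern):
    """Return every offset in `data` where `pattern` matches (None matches any byte)."""
    # Use the leading run of fixed bytes to skip quickly to candidate offsets.
    k = 0
    while k < len(pattern) and pattern[k] is not None:
        k += 1
    prefix = bytes(pattern[:k])
    hits = []
    pos = 0
    while True:
        pos = data.find(prefix, pos)
        if pos < 0 or pos + len(pattern) > len(data):
            break
        if all(p is None or data[pos + i] == p for i, p in enumerate(pattern)):
            hits.append(pos)
        pos += 1
    return hits


def scan(data, signatures):
    """Run every named search string over `data`; return {name: [offsets]} for hits."""
    report = {}
    for name, text in signatures.items():
        offsets = find_signature(data, parse_search_string(text))
        if offsets:
            report[name] = offsets
    return report


# Search strings exactly as quoted in the messages above.
SIGNATURES = {
    "ZUC B": "7002 A260 4E75 2014 A055 2240",
    "Christmas Violator": "51 ba ? ? fc 8b f2 81 c6 9b 11 bf 00 01 b9 03 00",
}

# Constructed buffers: filler bytes around the pattern, with arbitrary values
# (0x34 0x12) in the two wildcard positions. They are not samples of the viruses.
SAMPLE_CV = b"\x90" * 32 + bytes.fromhex("51ba3412fc8bf281c69b11bf0001b90300") + b"\x00" * 8
SAMPLE_ZUC = b"\x00" * 5 + bytes.fromhex("7002A2604E752014A0552240") + b"\xff" * 3

# Same as SAMPLE_CV but with one fixed byte (fc) altered: must not match.
_near = bytearray(SAMPLE_CV)
_near[32 + 4] = 0xFD
NEAR_MISS = bytes(_near)

if __name__ == "__main__":
    print(scan(SAMPLE_CV + SAMPLE_ZUC, SIGNATURES))
    print(scan(NEAR_MISS, SIGNATURES))
```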
virusi.111dejanr,
Copyright (c) 1988,90 Rob Rosenberger & Ross M. Greenberg
Computer Virus Myths
by Rob Rosenberger
with Ross M. Greenberg
A number of myths have popped up recently about the threat of computer
"viruses". There are myths about how widespread they are, how dangerous
they are, and even myths about what a computer virus really is. We'd like
the facts to be known.
The first thing to learn is that a virus is a malicious programming
technique falling in the realm of "Trojan horses." All viruses are Trojan
horses, but few Trojan horses can be called a virus.
That having been said, it's time to go over the terminology we use when we
lecture:
BBS
    Bulletin Board System. If you have a modem, you can call a BBS and
    leave messages, transfer computer files back & forth, and learn a
    lot about computers. (What you're reading right now, for example,
    most likely came to you from a BBS.)
Bug
    an accidental flaw in the logic of a program which makes it do
    things it shouldn't really be doing. Programmers don't mean to put
    bugs in their program, but they always creep in. Programmers tend
    to spend more time debugging their programs than they do writing
    them in the first place. Inadvertent bugs have caused more data
    loss than all the viruses combined.
Hacker
    someone who really loves computers and who wants to push them to
    the limit. Hackers have a healthy sense of curiosity: they try
    doorknobs just to see if they're locked, and they tinker with a
    piece of equipment until it's "just right." The computer revolution
    itself is a result of hackers.
Shareware
    a distribution method for quality software available on a "try
    before you buy" basis. You pay for the program only if you find it
    useful. Shareware programs can be downloaded from BBSs and you are
    encouraged to give evaluation copies to friends. Many shareware
    applications rival the power of off-the-shelf counterparts, at just
    a fraction of the price. (You must pay for the shareware you
    continue to use -- otherwise you're stealing software.)
Trojan horse
    a generic term describing a set of computer instructions purposely
    hidden inside a program. Trojan horses tell a program to do things
    you don't expect it to do. The term comes from a legendary battle
    in which the ancient city of Troy was offered the "gift" of a large
    wooden horse that secretly held soldiers in its belly. The Trojans
    rolled it into their fortified city....
Virus
    a term for a very specialized Trojan horse which spreads to other
    computers by secretly "infecting" programs with a copy of itself.
    A virus is the only type of Trojan horse which is contagious, like
    the common cold. If it doesn't meet this definition, then it isn't
    a virus.
Worm
    a term similar to a Trojan horse, but there is no "gift" involved.
    If the Trojans had left that wooden horse outside the city, they
    wouldn't have been attacked. Worms, on the other hand, can bypass
    your defenses without having to deceive you into dropping your
    guard. An example is a program designed to spread itself by
    exploiting bugs in a network software package. Worms are usually
    released by someone who has normal access to a computer or network.
Wormers
    the name given to the people who unleash destructive Trojan horses.
    Let's face it, these people aren't angels. What they do hurts us.
    They deserve our disrespect.
Viruses, like all Trojan horses, are purposely designed to make a program
do things you don't expect it to do. Some viruses are just an annoyance,
perhaps only displaying a "Peace on earth" greeting. The viruses we're
worried about are designed to destroy your data (the most valuable asset of
your computer!) and waste your valuable time in recovering from an attack.
Now you know the difference between a virus and a Trojan horse and a bug.
Let's get into some of the myths:
"All purposely destructive code comes as a virus."
Wrong. Remember, "Trojan horse" is the general term for purposely
destructive code. Very few Trojan horses are actually viruses.
"Viruses and Trojan horses are a recent phenomenon."
Trojan horses have been around since the first days of the computer.
Hackers toyed with viruses in the early 1960s as a form of amusement. Many
different Trojan horse techniques were developed over the years to embezzle
money, destroy data, etc. The general public wasn't aware of this problem
until the IBM PC revolution brought it out into the spotlight. Banks were
still covering up computerized embezzlements six years ago because they
believed they'd lose customers if word got out.
"Viruses are written by hackers."
Yes, hackers have written viruses. So has a computer magazine
publisher. Trojan horses were written for decades by middle-aged men wearing
business suits. We call people "wormers" when they abuse their knowledge
of computers. You shouldn't be afraid of hackers just because they know
how to write viruses. This is an ethics issue, not a technology issue.
Hackers know a lot about computers; wormers abuse this knowledge. Hackers
(as a whole) got a bum rap when the mass media corrupted the term.
"Computer viruses are reaching epidemic proportions."
Wrong again. Viruses may be spread all over the planet but they won't
take over the world. There are about 150 or so known "strains" at this
time and some of them have been completely eliminated. Your chances of
being infected are slim if you take the proper precautions. Yes, it's
still safe to turn on your computer!
"Viruses could destroy all the files on my disks."
Yes, and a spilled cup of coffee will do the same thing. If you have
adequate backup copies of your data, you can recover from any virus/coffee
attack. Backups mean the difference between a nuisance and a disaster. It
is safe to presume there has been more accidental loss of data than loss by
viruses and Trojan horses.
"Viruses have been documented on over 400,000 computers."
This statistic comes from John McAfee, a self-styled virus fighter who
seems to come up with all the quotes the media love to hear. If you assume
it takes five minutes to adequately document a viral infection, you have to
wonder where Mr. McAfee got almost four man-years to document a problem
which is less than four years old. We further assume his statistics
include every floppy disk ever infected with a virus, as well as all of the
computers participating in the Christmas & InterNet worm attacks. (Worms
cannot be included in virus infection statistics.) The press doesn't
really understand computer crimes, so they tend to call almost anything
a virus.
"Viruses can be hidden inside a data file."
Data files can't wreak havoc on your computer -- only an executable
program file can do that. If a virus were to infect a data file, it would
be a wasted effort. But let's be realistic: what you think is 'data' may
actually be an executable program file. For example, batch files are text
files, yet the MSDOS operating system treats them like a program.
"Most BBSs are infected with viruses."
Here's another scary myth drummed up in the big virus panic. Very few
BBSs are really infected. It's possible a dangerous file may be available
on a BBS but it doesn't mean the BBS itself is infected. If a BBS were
knowingly infected with a virus, it wouldn't stay open too long after word
got out, would it?
"BBSs and shareware programs spread viruses."
"The truth," says PC Magazine publisher Bill Machrone, "is that all
major viruses to date were transmitted by [retail] packages and private
mail systems, often in universities." (PC Magazine, October 11, 1988.)
The Peace virus, for example, made its way into a retail product sold to
thousands of customers. Machrone goes on to say "bulletin boards and
shareware authors work extraordinarily hard at policing themselves to keep
viruses out." Reputable sysops check every file for Trojan horses;
nationwide sysop networks help spread the word about dangerous files. You should
be wary of the software you get from BBSs, that's true -- but you should
also be wary of the software you get from store shelves. (By the way, some
stores now have return policies for software. Do you know for sure you
were the first person to use those master disks?)
"My computer could be infected if I call an infected BBS."
BBSs can't write information on your disks -- that's handled by the
communications software you use. You can only transfer a dangerous file if
you let your software do it. (This might be different if your computer is
hooked up to a network, but it requires special hardware & software.) And
there is no "300bps subcarrier" that lets a virus slip through a high speed
modem. The rumor was started by a joker named Mike RoChenle (IBM's "micro
channel" PS/2 architecture, get it?) who left a techy-joke message on a
public BBS. Unfortunately, a few highly respected journalists were taken
in by this joke.
"My files are damaged, so it must have been a virus attack."
It also could have been caused by a power flux, or static electricity,
or a fingerprint on a floppy disk, or a bug in your software, or perhaps a
simple error on your part. Power failures and spilled cups of coffee have
destroyed more data than all the viruses combined.
"Donald Burleson was convicted of releasing a virus."
A recent Texas computer crime trial was hailed all over the country as a
"virus" trial. Donald Burleson was in a position to release a complex,
destructive worm on his employer's mainframe computer. This particular
worm couldn't spread to other computers, so it couldn't possibly have been
a virus. Davis McCown, the prosecuting attorney, claims he "never brought
up the word virus" in the trial. So why did the media call it one?
1. David Kinney, a witness testifying for the defense (oddly enough),
claimed he believed Burleson unleashed a virus. The prosecuting
attorney didn't argue the point and we don't blame him -- Kinney's
bizarre claim probably helped sway the jury to convict Burleson, and it
was the defense's fault for letting him testify.
2. McCown gives reporters the facts behind the case and lets them come up
with their own definitions. The Associated Press and USA Today, among
others, used such vague definitions that any program could be called a
virus. If we applied their definitions to the medical world, we could
safely claim penicillin is a biological virus (which is, of course,
absurd).
3. McCown claims many quotes attributed to him "are misleading or
fabricated" and identified one in particular which "is total fiction."
Reporters sometimes print a quote out of context, and McCown apparently
fell victim to it. (It's possible a few bizarre quotes from David
Kinney or John McAfee were accidentally attributed to McCown.)
"Robert Morris Jr. released a benign virus on a defense network."
It may have been benign, but it wasn't a virus. Morris, the son of a
chief computer scientist at the National Security Agency, allegedly became
bored and took advantage of a bug in the Defense Department's networking
software. This tiny bug let him send a worm through the network. Among
other things, Morris's "InterNet" worm was able to send copies of itself to
other computers in the network. Due to some bugs in the worm module
itself, the network became clogged in a matter of hours. The press
originally called it a "virus," like it called the Christmas worm a virus,
because it spread to other computers. Yet it didn't infect any computers.
A few notes:
1. Reporters finally started calling it a worm (a year after the fact),
but only because lawyers in the case were constantly referring to it as
such. The difference between a worm and a virus is subtle, but
profound.
2. This worm worked only on Sun-3 & Vax computers which run a UNIX
operating system and were specifically linked into the InterNet network
at the time.
3. The 6,200 affected computers cannot be counted in any virus infection
statistics (they weren't infected).
4. It cost way less than $96 million to clean up the attack. An official
Cornell University report claims the group behind this wild estimate
"was probably serving itself" in an effort to drum up business. People
familiar with the case estimated the final figure to be under
$1 million.
5. Yes, Morris could easily have added some infection code to make it a
worm/virus if he'd had the urge.
6. The network bug exploited in the attack has since been fixed.
7. Morris went to trial for launching the InterNet worm and was recently
handed a federal conviction.
"Viruses can spread to all sorts of computers."
All Trojan horses are limited to a family of computers, and this is
especially true for viruses. A virus designed to spread on IBM PCs cannot
infect an IBM 4300-series mainframe, nor can it infect a Commodore C64, nor
can it infect an Apple MacIntosh.
"My backups will be worthless if I back up a virus."
No, they won't. Let's suppose a virus does get backed up with your
files. You can restore important documents and databases without restoring
an infected program. You just reinstall programs from master disks. It's
tedious work but it's not as hard as people claim.
"Anti-virus software will protect me from viruses."
There is no such thing as a foolproof anti-virus program: Trojan horses
and viruses can be (and have been) designed to bypass them. Anti-virus
products themselves can be tricky to use at times. You may make a crucial
mistake deciding whether to let a "flagged" event occur. Your first line
of defense should always be a good set of backups. Anti-virus software is
a good second line of defense.
"Read-only files are safe from virus infections."
This is a common myth among IBM PC users, and it has even been published
(erroneously) in some computer magazines. Supposedly, you can protect
yourself by using the DOS ATTRIB command to set the read-only attribute on
program files. However, ATTRIB is software -- and what it can do, a virus
can undo. The ATTRIB command seldom halts the spread of viruses.
"Viruses can infect files on write-protected disks."
Here's another common IBM PC myth. If viruses can modify read-only
files, people assume they can modify write-protected floppies. What they
don't realize is the disk drive itself knows when a floppy is protected and
refuses to write to it. You can physically disable the drive's sensor but
you can't override it with a software command.
We hope this dispels the many computer virus myths. Viruses DO exist, many
of them will destroy files, and all of them can spread to other computers.
But you can defend yourself with a cool head and a good set of backups.
The following guidelines can shield you from Trojan horses and viruses.
They will lower your chances of being infected and raise your chances of
recovering from an attack.
1. Set up a procedure to regularly back up your files and follow it
religiously. Consider purchasing a user-friendly program to take the
drudgery out of this task. (There are plenty to choose from.)
2. Rotate between at least two sets of backups for better security (use
set #1, then set #2, then set #1...). The more sets you use, the
better protected you are. Many people take a "master" backup of their
entire hard disk, then take "incremental" backups of those files which
changed since the last time they backed up. Incremental backups might
only require five minutes of your time each day.
3. Download files only from reputable BBSs where the sysop checks every
program for Trojan horses. If you're still afraid, consider getting
programs from a BBS or "disk vendor" company which gets them direct
from the authors.
4. Let newly uploaded files "mature" on a BBS for one or two weeks before
you download it (others will put it through its paces).
5. Consider using a program that creates a unique "signature" of all the
programs on your computer. Run this program once in awhile to see if
any of your applications have been modified -- either by a virus or by
a stray gamma ray.
6. DON'T PANIC if your computer starts acting weird. It may be a virus,
but then again maybe not. Immediately turn off all power to your
computer and disconnect it from any local area networks. Reboot from a
write-protected copy of your master DOS disk. Do NOT run any programs
on a "regular" disk (you might activate a Trojan horse). If you don't
have adequate backups, try to bring them up to date. Yes, you might
back up a virus as well, but it can't hurt you if you don't use your
normal programs. Set your backups off to the side. Only then can you
safely hunt for problems.
7. If you can't figure out what's wrong and you aren't sure what to do
next, turn off your computer and call for help. Consider calling a
local computer group before you call for an expert. If you need a
professional, consider a regular computer consultant first. Some
"virus removal experts" sell their services for prices far in excess of
their actual value.
8. [This should only be considered as a last resort.] If you can't figure
out what's wrong and you are sure of yourself, execute both a low-level
and a high-level format on all your regular disks. Next, carefully
reinstall all software from the master disks (not from the backups).
Then, carefully restore only the data files (not the program files)
from your backup disks.
We'd appreciate it if you would mail us a copy of any Trojan horse or virus
you discover. (Be careful you don't damage the data on your hard disk
while trying to do this!) Include as much information as you can and put a
label on the disk saying it contains a malicious program. Send it to Ross
M. Greenberg, 594 Third Avenue, New York, NY 10016. Thank you.
Ross M. Greenberg is the author of both shareware and retail virus
detection programs. Rob Rosenberger is the author of various phone
bill analysis applications. (Products are not mentioned by name
because this isn't the place for advertisements.) They each write for
national computer magazines. These men communicated entirely by modem
while writing this treatise.
Rosenberger can be reached electronically on CompuServe as [74017,1344], on
GEnie as R.ROSENBERGE, on InterNet as `74017.1344@compuserve.com', and on
various national BBS linkups. Greenberg can be reached on MCI and BIX as
`greenber', on UseNet as `c-rossgr@microsoft.com', and on CompuServe as
[72461,3212].
virusi.112chege,
Attention !!! At the Faculty of Civil Engineering, on two PCs in room 338,
a virus has appeared that SCANV72 does not detect.
Namely, yesterday I replaced the old scan with the new one (V72), checked it
with VALIDATE, ran it immediately, and it found nothing. Two hours later a
colleague on the same computer, while she was in the editor, "had a virus
happen". It wrote a message which she did not remember, but she is sure the
word VIRUS was in it, filled the disk, and while the disk was still spinning
they switched the machine off. Afterwards they turned it on again, deleted the
large file and ran scan(V72), and it found nothing.
It later occurred to me to copy over an old version of scan from the
neighboring computer, and that is the version that looks for 41 viruses. What
immediately caught my eye is that this version (V41) did not scan RAM. Right
after that I ran scan(V72) and it found Disk Killer in RAM and told me to
power off the computer immediately, which I did.
I turned it on again, ran scan(V72) and it found nothing on the whole disk,
including on scan(V41). When I then ran scan(V41) and right afterwards
scan(V72), scan(V72) again found the virus in RAM.
To conclude: There is a virus (and unfortunately I have it) which SCANV72
does not find while it is in a file, but does find when it is in RAM, and there
it recognizes it as Disk Killer. For now I am protecting myself with scan /av,
which lets me find out if it has spread to any other file, but I do not know
how to get rid of it.
If anyone has any idea, please help. If anyone wants an infected file for
analysis and a possible cure, let me know.
Regards, Sasa
virusi.113vkostic,
-> #112, chege
>> Attention !!! At the Faculty of Civil Engineering, on two PCs in room 338,
>> a virus has appeared that SCANV72 does not detect.
That is very, very worrying.
virusi.114dejanr,
-> #112, chege
>> Attention !!! At the Faculty of Civil Engineering, on two PCs in room 338,
>> a virus has appeared that SCANV72 does not detect.
Well, f*** it.
>> If anyone has any idea, please help. If anyone wants an infected file for
>> analysis and a possible cure, let me know.
Well, it's not exactly an idea, but I would boot the computers from a DOS
floppy, copy the data files, if there are any, onto blank floppies, and then
do a nice low-level format.
virusi.115nesic,
-> #112, chege
I want the infected file
virusi.116dejanr,
-> #115, nesic
>> I want the infected file
But we don't want it - or at least not in any of the conferences :)
virusi.117kvelkovski,
Is there some virus that destroys ZIPs?
Here is what PKUNZIP says on an attempt to unpack an archive:
PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
PKUNZIP Reg. U.S. Pat. and Tm. Off.
Searching ZIP: PADETC5.ZIP
Extracting: PAD00151.ZIP PKUNZIP: Warning! file fails CRC check
PKUNZIP: Warning! inconsistent local header for file: PAD00152.ZIP
Extracting: PAD00152.ZIP PKUNZIP: Warning! file fails CRC check
PKUNZIP: Warning! inconsistent local header for file: PAD00153.ZIP
Extracting: PAD00153.ZIP PKUNZIP: Warning! file fails CRC check
PKUNZIP: Warning! inconsistent local header for file: PAD00154.ZIP
Extracting: PAD00154.ZIP PKUNZIP: Warning! file fails CRC check
PKUNZIP: Warning! inconsistent local header for file: PAD00155.ZIP
Extracting: PAD00155.ZIP PKUNZIP: Warning! file fails CRC check
PKUNZIP: Warning! inconsistent local header for file: PAD00156.ZIP
Extracting: PAD00156.ZIP PKUNZIP: Warning! file fails CRC check
PKUNZIP: Warning! inconsistent local header for file: PAD00157.ZIP
Extracting: PAD00157.ZIP PKUNZIP: Warning! file fails CRC check
Extracting: PAD00158.ZIP
Extracting: PAD00159.ZIP
PADETC5.ZIP has errors!
This is not an isolated case; it has happened to me several more times. I
suspect a virus, because except in the last month this did not happen.
I also suspect the combination of PC-CACHE 4.3 and COMPRESS 5.1, but it is
not clear to me why only archives would be corrupt (maybe I just haven't had
the luck to stumble on a corrupt program). It is also strange that CHKDSK,
NDD, and programs like them cannot establish any damage; even
PKUNZIP -V notices nothing strange. I use SCANRES 1.4V61, SCAN
6.1B71 (from Sezam), and while I was using the earlier version of SCAN, I had
*no* problems whatsoever (not that I'm suspicious, but...).
Regards,
Kire
virusi.118erin,
-> #117, kvelkovski
PKARC gives me this kind of message if the archive was made with a
password (if you don't enter it!!!).
Danilo Godec
virusi.119maxes,
I have read almost all the messages and replies on the topic of viruses,
but I haven't noticed anyone mentioning 'manual' virus removal using the
debug program. Namely, debug from DOS should be infected with the virus,
and then the infected software is debugged with it. After debugging you
just exit with 'q' and the program is cleaned. Before I had various
software for automatic removal of infections I worked this way, and very
successfully. The only problem is that when you have many infected
files, debug has to be called for each file, which means it is quite
slow.
virusi.120rklinar,
-> #117, kvelkovski
>> Here is what PKUNZIP says on an attempt to unpack one archive:
>> PKUNZIP (R) FAST! Extract Utility Version 1.1 03-15-90
>> Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
>> PKUNZIP Reg. U.S. Pat. and Tm. Off.
>> Searching ZIP: PADETC5.ZIP
>> Extracting: PAD00151.ZIP PKUNZIP: Warning! file fails CRC check
>> PKUNZIP: Warning! inconsistent local header for file: PAD00152.ZIP
If you use Telix's Zmodem, it sometimes does stupid things. With the
pads on SEZAM this hasn't happened to me, but when I collect mail
from MIPS in the MarkMail door, and if during the DL I save over an
already existing file, then I get exactly what you mention.
RK
virusi.121dpozaric,
-> #119, maxes
*************
is cleaned. Before I had various software for automatic removal of
infections I worked this way, and very successfully. The only problem is
that when you have many infected files, debug has to be called for each
file, which means it is quite slow.
*************
You could list all the infected files into one text file, then edit
it and write a batch file (see RI.BAT) with which you call debug and
carry out a given action sequentially, even several hundred times.
But since you have good cleaners, there is no point in bothering with
that, in my opinion.
dp
virusi.122dpozaric,
-> #120, rklinar
***********
If you use Telix's Zmodem, it sometimes does stupid things. With the
pads on SEZAM this hasn't happened to me, but when I collect mail
from MIPS in the MarkMail door, and if during the DL I save over an
already existing file, then I get exactly what you mention.
***********
It is not a stupidity of Telix's zmodem; what happens is normal,
because you have error recovery switched on, so when the next file is
written over another one, your .QWK, .ZIP etc. is left inconsistent.
I always have error recovery switched off, and I switch it on only when
the connection breaks in the middle of a transfer and I then d/l the
same file the next time. As a rule both Telix and Telemate have always
worked OK for me.
dp
virusi.123terza,
-> #122, dpozaric
>>If you use Telix's Zmodem, it sometimes does stupid things. With the
>>It is not a stupidity of Telix's zmodem; what happens is normal,
>>because you have error recovery switched on, so when the next file is written
This happens to me often; on MIPS I collect mail in door 2, I work with
the program MTE, Zmodem protocol, and I d/l'ed the file ZMAIL2.zip,
which I verifiably did not have on disk as an old version.
Searching ZIP:ZMAIL2.ZIP
UnShrinking: ZMAIL2.CAP PKUNZIP: Warning! file fails CRC check
ZMAIL2.ZIP has errors!
And in the unpacked zmail2.cap half of the file is unreadable. I also
used Telix but the same thing happened, not always but sometimes. With
Sezam I have had no problems at all.
Regards, Terza
virusi.124erin,
Who knows anything about the DARK AVENGER virus? Does anyone have a
killer for it? Supposedly DARK AVENGER spreads with SCAN V72 !!!
Danilo Godec
virusi.125nesic,
Here is some new virus scanner from CHANNEL1 BBS.
I also saw the version scan74b but did not have time to
pick it up. Maybe tomorrow. I did not notice that there
is a corresponding CLEAN there as well.
Regards, Nešić
virusi.126alazic,
-> #125, nesic
I would advise you to pay a little attention, since an INFECTED version
of the SCAN 74 program is circulating around Belgrade, spreading
everywhere a virus that looks like Yankee (at least to some other
antivirus programs)!!!!
virusi.127dejanr,
-> #125, nesic
Thank you for the program, which is in the directory IBMPC\VIRUSI.
Here is what the documentation says about the new version.
Version 74 of VIRUSCAN adds 51 new viruses and over one
hundred new strains of existing viruses, bringing the total
number of known computer viruses to 475. In addition, version 74
improves the throughput of the scanning algorithm and handling of
nonstandard hard drives, and now provides the option of displaying
all messages in French.
The 1591 virus was sent to us from multiple sites in Quebec,
Canada, Oslo, Norway, and the United States. It is a
memory-resident file infector that attaches to .COM and .EXE files
when a disk is accessed via internal DOS commands.
The 903 virus was sent to us by Djennad Nasser from France.
It is a .COM file infector.
The Holocaust virus was sent to us by David Llamas of
Barcelona, Spain. It is a .COM file infector that uses "stealth"
type techniques.
The BeBe, Kuka, Kuka/Turbo, Lozinsky, MGTU, Nina, Off Stealth,
Polish-532, Sverdlov, Tiny-133, USSR-series, and Voronezh viruses
were discovered in the Soviet Union and Eastern Europe and sent to
us from numerous sources there and in Western Europe. They are not
believed to exist in the West.
The Christmas Violator, F-Word, Parity, Beeper, Best Wish,
Leapfrog Destructor, Happy New Year Hymm, Justice, Label, V961,
Swiss-143, Sentinel, Plague, Monxla-B, Little Pieces, IKC528,
Hybrid, Dir-Vir, Stone90, Saddam, and Iraqui Warrior viruses were
sent to us from various sources around the globe.
For summary information about these viruses, please refer to
the enclosed VIRLIST.TXT file. For a detailed description of all
known viruses, please refer to the Virus Summary Document (VSUM),
copyrighted by Patricia Hoffman and available and most bulletin
boards.
A new command line option, /FR has been added. Running
VIRUSCAN with the /FR option will cause all output to be displayed
in French instead of English.
A trojan version of VIRUSCAN, Version 73, appeared on BBSes
in Miami, Florida USA. In order to prevent confusion, we have used
the next version number, Version 74.
virusi.128chege,
Not to complain, but just so it's known !!!
Not even the new version of scan (V74) detects in the file that virus
which I reported in message 18.112. So, people, if the data in your
files is dear to you, use the options /av and /cv.
P.S. I still have the infected file, and if someone wants it for
analysis, or one of the registered users of scan wants to send it
to the makers of scan, let them get in touch.
Regards, Sasa
virusi.129dejanr,
-> #128, chege
>> P.S. I still have the infected file, and if someone wants it for
>> analysis, or one of the registered users of scan wants to send it
>> to the makers of scan, let them get in touch.
If the file is small, give it to me and I will send it to the authors
of SCAN. The sooner they "build it in", the safer we are!
virusi.130dejanr,
Is anyone willing to download this text from somewhere? It would
probably be interesting - descriptions of ALL the viruses known to McAfee.
==========
security/long.messages #88, from hshubs, 3811 chars, Wed Feb 20 01:05:34 1991
----------
TITLE: McAfee updates for MS-DOS based machines
------------------------------------------------
vsum9102.zip 145792 Approx time: 0:19 at 2400 baud, 0:38 at 1200 baud
Contributed by: mfg Date: Wed Feb 20 00:51:54 1991
Documentation on all known viruses by a researcher in connection with McAfee's
SCAN series. Large file identifies and describes all viruses as of 2/15/91.
Keywords: $binary mcafee protection scan shield virlist virus vshield vshield1
Home area: ibm.utils Download count: 0
virusi.131alazic,
-> #130, dejanr
>Is anyone willing to download this text from somewhere? It would
>probably be interesting - descriptions of ALL the viruses known to McAfee.
I would be very interested, only I think that because of the poor
connection and the like it would not be bad if it were split into two
parts. :(
virusi.132alazic,
I need a collection of viruses in order to test an antivirus package
(and maybe for a small demonstration too). So I ask all users who have
some infected file to send it to me by MAIL. Likewise, if anyone needs
any of those sent viruses, let them contact me. Thanks in advance
ALAZIC
virusi.133feniks,
-> #128, chege
>> Not to complain, but just so it's known !!!
>> Not even the new version of scan (V74) detects in the file that virus
>> which I reported in message 18.112. So, people, if the data in your
>> files is dear to you, use the options /av and /cv.
Your "infected" SCANV41.EXE - I ran it, and indeed the newest SCANV74
does not detect it, but likewise SCANs 48, 56, 60, 61 do not detect it
either, i.e. there is no virus :))
Only SCANs 71 and 72 detect it and give the message:
" Found Disk Killer Virus [Killer] active in memory...."
Here is what this is about. This virus appeared in America almost
2 years ago (here somewhat later) and in its effect it is very
dangerous (it formats the disk, corrupts the BOOT sector, the FAT table
etc.), so earlier SCANs would have detected it too (from version 48 on,
RAM is searched as well). Versions 71 and 72 have quite a few bugs,
i.e. they detect viruses where there actually are none, or only some
part of them which on its own cannot become ACTIVE!
For example, a colleague at the company mentioned to me that SCAN72
"found" a virus in a professional package from HP that he has been
using successfully for 3 years already, which of course is not true.
As mathematicians would say: "a necessary but not sufficient condition" :)
The best proof of the above is that even after all the checks I did
not manage to find any damage to the HD or to the system diskette on
which I experimented.
PS. I would be grateful to anyone who sends me ZIPped infected files
by MAIL, for testing SCANs and antivirus packages.
(exchange also possible)
Regards, S.P.
virusi.134chege,
-> #133, feniks
>> Your "infected" SCANV41.EXE - I ran it, and indeed the newest SCANV74
>> does not detect it, but likewise SCANs 48, 56, 60, 61 do not detect
>> it either, i.e. there is no virus :))
>> Only SCANs 71 and 72 detect it and give the message:
>>
>> " Found Disk Killer Virus [Killer] active in memory...."
I checked and it looks like you are right, because if after the
"infected" one I start SCAN V72 it gives the message:
Scanning 640K RAM
Found Disk Killer Virus [Killer] active in memory.
Power down the system immediately.
Reboot from a clean, write protected system diskette and then
re-run SCAN to determine extent of hard disk infection.
If, however, I ignore the message and start SCAN V74, it finds nothing,
and neither does SCAN V72 if it is started after V74.
I am sorry if I caused a false alarm, but if the above is true then
SCAN V72 would have to give the message that it found a virus with a
clean version of SCANV41 too. So if someone has a version of SCANV41
saved somewhere, let them start it and then SCAN V72, and let them
report what happens. Unfortunately I have no other version 41 apart
from this one that was "suspected".
Regards, Sasa.
virusi.135kaza,
The message that a virus is active in memory (not only Disk Killer)
does not necessarily have to mean that it is true ???
Namely, this used to happen to me with some older versions of SCAN. It
even happened that it reported three different viruses active in
memory, which caused me to panic, so I searched through everything
thoroughly and found nothing. However, a message that SCAN found a
virus in a file or in the boot is alarming. This thing from memory
probably comes from some resident programs.
For your information, this was happening to me a year ago, and since
then there has been no trace of any surprises.
I hope I have calmed you down a little!
KAZA
virusi.136dejanr,
Thanks to jtitov, in the IBMPC\VIRUS directory there are the new
scanv74b, clean74b and vshld74b. As far as I noticed in the
documentation, the only difference between versions 74 and 74-B is:
>> Version 74-B fixes a bug which caused SCAN to mis-identify the
>> Stoned virus on some removable media.
virusi.138nesic,
-> #137, nesic
The file SCANER75.zip contains SCANV75, CLEAN75 and
VSHLD75. I had to do it that way because of constant NO CARRIER. Sorry.
virusi.139dejanr,
-> #137, nesic
>> The newest SCANV
Thanks for the contribution; however, we will wait before putting it
in the directory. Namely, some time ago there were viruses hiding in
SCAN, so a novelty was introduced that a validity check is also
performed during de-archiving. Therefore the general opinion is that
only *original archives* should be placed on BBSes, so we will wait
until we obtain the complete version.
As far as I have managed to check, this VSCAN is OK, so we are leaving
it in the conference until we obtain it in a form suitable for the
directory.
Thanks once again,
Dejan
virusi.140nesic,
-> #139, dejanr
Yesterday my connection with Sezam was exceptionally bad. I hope
it will be better now. I cannot use MNP when I
send a file. I don't know why.
Let me try to transfer SCANV75 Authentic Version.
Regards, Nešić
virusi.141nesic,
-> #140, nesic
It works. Here is CLEAN75 Authentic Version.
virusi.142nesic,
-> #141, nesic
It works. Here is VSHLD75 Authentic Version.
virusi.143nesic,
-> #139, dejanr
And now a small experiment, since the connection has been good since
this morning. I am deleting message 18.137 together with the file
SCANER75.ZIP. Will I succeed?
Regards, Nešić
virusi.144dejanr,
-> #40, dejanr
Thanks, the programs are in the directory!
Dejan
virusi.145sdolzan,
ATTENTION !!!
In the file MA_JONGG.ZIP, which is on Fenix BBS, there is
a virus that SCANV (59, 67, 72, 74, 74b and 75 (I did not
try other versions)) does not recognize. The file is in
"recent uploads". As far as I could conclude, the "virus"
(I don't know which one it is) manifests itself by adding
a certain number of bytes (about 936) to the end (sometimes
also to the middle) of .exe and .com files. You can recognize
infected files by the text found in them: "Hey, YOU! Something's
happening to you. Guess what is it? HA HA HA HA ..."
If anyone collects viruses, let them leave me a message by mail.
Many regards from StanislaV.
virusi.146sdolzan,
The above-mentioned virus is also in TCT1.ZIP and TCT2.ZIP, which are
likewise in "recent uploads" on Fenix BBS.
StanislaV
virusi.147dejanr,
If it happens to you (as one user reported today) that after starting
SCAN you get a message that "SCAN is damaged but continues working",
and afterwards that everything is OK, that most probably means that
YOUR SYSTEM IS INFECTED WITH A VIRUS. Maybe it is that new virus
which arrived from Fenix and which is mentioned in the previous message.
In any case, FULL CAUTION! Watch the files (COM and EXE) that you
start every day and check whether they are growing!
virusi.148mikij,
I would ask people who have experience with viruses to contact me by
private message.
Regards, Miki
virusi.149mikij,
Here, after a virus that neither SCAN nor any other virus scanner
detects (for now) has been noticed in several places, I have prepared a
file that makes its detection possible with the help of SCAN. SCAN needs
to be started with the following line:
SCAN /EXT VIR C:
where C: can also be the name of some other disk or directory.
GOOD LUCK!!!
Regards, Miki
virusi.150majkl,
-> #147, dejanr
A good idea is to put in autoexec.bat a call to a program that
checks its own length after starting. This "sacrificial lamb"
immediately shows whether there are new viruses in the system, known
or unknown. In combination with the SCAN program it gives solid
protection.
Regards, Majkl
virusi.151feniks,
-> #149, mikij
Some properties of the new virus 936:
1. It enlarges COM and EXE files by 935 to 938 bytes
2. SCANV75 detects it on disk by the procedure in message 18.149:
>> SCAN /EXT VIR C: <<
which I most warmly recommend to everyone - thanks to the author!
3. After an "infected" file is run, virus 936
stays resident in conventional memory, i.e.
( if you had a total of 640 K ==> DOS reports 639 K ! )
more precisely, instead of 655360 you have a total of 654416 bytes.
If you then run some healthy COM or EXE program,
it will become "infected" but at the same time the computer hangs,
i.e. a reset (or power-off) of the computer is necessary.
4. After the system is booted it is possible to run only one
"infected" file, and only once. The program usually
works. That file will not grow any further.
It may happen (not always) that the computer hangs
on return to DOS.
5. If COMMAND.COM (or the corresponding other
interpreter) gets "infected", you can boot the system but you
will not be able to run any other program.
All in all, it can be said that this is a rather naively
made virus and that it is now easy to detect at the
earliest stage. :)
Regards, S.P.
virusi.152dejanr,
-> #151, feniks
Could it be that somebody here put that stupid virus together? ;)
Thanks for the observations.
virusi.153georges,
IS THERE A CURE FOR THE "HA HA HA HA HA HA" VIRUS?
==================================================
virusi.154mikij,
-> #153, georges
Unfortunately not yet. Only precaution (timely detection) helps.
It seems to me that on some Slovenian BBS I saw a program that cures
this virus, but it too cures only COM programs. It only remains for us
to wait for McAfee to improve Clean.
Regards, Miki
virusi.155dzakic,
***** I M P O R T A N T ***** I M P O R T A N T ***** I M P O R T A N T *****
I don't know whether this is the virus already mentioned in this topic
a week or two ago, nor do I know whether SCAN 6.9V75 existed then;
in any case, there is a virus that lengthens .com and .exe files by
somewhat more than 900 bytes which scan v75 does *N O T* recognize, and
right here in Belgrade! I can't tell you anything more precise now,
since the infected person (colleague zonjic on sezam) is currently busy,
and I sincerely hope that it is all a false alarm. The virus prints
something along the lines of "Hey, something is happening to you!".
This looks rather naive to me ;), so I don't believe the new scan would
not recognize it. It is possible that scan itself is infected, but it
is a fact that the virus exists, and on one of the BG BBSes at that,
because only programs from the Politika and Tanjug BBSes were run. So,
caution until the matter is investigated. Soon, I hope, more
information...
If anyone has recognized which virus this is, let them leave me
a message.
virusi.156dejanr,
-> #155, dzakic
Yes, that virus was in some files on Fenix and Politika; I didn't know
about Tanjug but it is possible. Maybe it is some domestic virus, and
that's why Scan doesn't find it? By the way, I sent an infected file to
McAfee.
virusi.157miha,
A warning to all owners of Hercules monitors.
--------------------------------------------------
There is a high probability that the programs userdiag.com and
diagnstc.com, which are supposed to perform a test of the hercules card,
cause the monitor to burn out. The programs mentioned are found, e.g.,
on Tanjug in the archive hercules.zip and are started by the batch file
test.bat... It is possible that it is a coincidence, so I would ask
everyone who either has the documentation or has tried the suspected
programs to leave a comment.
miha
virusi.158miha,
-> #151, feniks
Since today I had an attack of the '936' virus, which I successfully
removed thanks to miki, it is proper that I too say something ;)
Vshield75 noticed that something was not OK, and the first to be
infected were scan, clean, validate, vshield and vshield1.
miha
virusi.159mikij,
-> #158, miha
I am glad I helped someone... And on that note: I recommend that every
owner of a stronger machine (386 or a faster 286) also use the CheckSum
(or CRC) option of SCAN and VSHIELD, because that option is guaranteed
to detect the presence of all (including future) link viruses.
I am also attaching here the programs PVICTIM.COM and PVICTIM.EXE,
which serve as bait for viruses. They have a built-in self-test
mechanism, so that if they happen to be infected by a virus they raise
the alarm and report the length of the virus.
Regards, Miki
virusi.160mikij,
-> #159, mikij
I almost forgot...
I took PVictim from PIPSS 018/713-836.
Regards, Miki
virusi.161dristic,
HELP! HELP! HELP !!
I beg YOU to help me! I have some virus which not even Scanv75 can
recognize; it can only detect it using "scan c: /av" but does not know
its name. Please, if you know anything, tell me about it.
The VIRUS changes the length of .COM and .EXE files by 933 bytes on
average, but that is not a rule, sometimes 942, 930 etc., when it is
active, and it activates if I boot from the c: disk or run some
infected file. When it is active, the function keys F1 and F3
(recalling the previously typed command) do not work for me under DOS.
I had deleted COMMAND.COM (it too had changed its length by 933 bytes),
then IBMDOS and IO.SYS, and on a clean dos a: did "sys a:", and with
Norton's WIPEFILE deleted all the infected files, and the virus was
gone; it no longer damaged .COM files and F1 and F3 worked.
When I again ran the new SCANv75 from sezam, just unpacked it and ran
it, it reported that SCAN itself was damaged! and after scan c: /av
(adds CRC verification codes) it reported the other files as damaged
too (those that I had run when I thought the virus had disappeared).
Now it won't let me write the system to c:, it says "NO ROOM FOR SYSTEM
ON DISK" although I deleted COMMAND.COM IBMDOS.SYS and IO.SYS.
May I type FORMAT C: if I have a SEAGATE 157A with DISKMANAGER, divided
into partitions? Last time I had big problems, so I had to go to the
BG ELEKRTONIK service shop when I tried to format the C: disk.
Thanks in advance for the help.
PS I will send a diskette with the programs to MOJ MIKRO and to McAfee,
who makes SCAN
PSS CLEAN cannot do anything because SCAN does not know the name of the
virus
virusi.162dristic,
Epilogue:
PSSS A friend has just found for me, in the infected FLUSHOT2.COM, a
sequence of hex values which in translation mean:
"Hey, YOU !!!Something's happening to you !...Guess what it is ?!...
When I set SCAN to look for that sequence (/ext vir.txt) I found and
deleted everything; I suppose that is the end of my troubles.
The only thing still bothering me is that I cannot transfer the system
to the hard disk; sys c: from the a: drive reports no room for system,
and I have heard that this can be done with NDD, but my NDD cannot do
that, it does not have that option.
If anyone knows anything more about this virus, let them write.
Thanks.
virusi.163mikij,
-> #162, dristic
There has already been 'plenty' said about this virus. Let's recap:
1) The virus enlarges program files by 928 to 943 bytes. The result
is a file whose length is divisible by 16, which is important for
the execution of the virus.
2) It is detected with SCAN using the option /EXT VIR, where VIR is the
file attached to message 18.149. (Start: SCAN /EXT VIR C: )
3) The following text is found at the end of every infected program:
Hey, YOU !!!
Something's happening to you !
Guess what it is ?!
HA HA HA HA ...
4) Programs of the MI (Memory Info) type from PCTools do not notice it.
Only a reduction of memory by 1K is observed.
5) It does not take over vectors in the usual way, so programs of the
FLUSHOT type cannot stop it before it installs itself.
6) This is not a property but just a remark. In one of the previous
messages it was said that after the virus only one program can be
started. In my experience that is not true (the man did not lie,
but...). With me the system worked normally (except that the
infection was spreading).
7) The virus uses no encryption whatsoever. That means clean code is
attached to the victim.
8) It does no damage other than increasing the length of programs and
printing the above message.
9) An attempt to infect a victim CAN be detected (and prevented) by
using programs of the FLUSHOT type.
So much about the virus (for now). As for your disk... It is not clear
to me why the system cannot be transferred. If your DOS version is the
same, there must be no problem. In the last resort I can, with the
Sys*'s consent, send you an NDD which automatically makes room for the
system if it was not left beforehand.
And one more thing. If you value your programs and data even a little,
use SCAN /av and SCAN /cv. True, it takes longer, but it is also true
that you are 99.99% safe from viruses.
Regards, Miki
P.S. I am also attaching a program that is a great help in controlling
viruses. I recommend it to everyone who deals with viruses (for the
rest it may be a little noisy).
anti4us2.zip
virusi.164dejanr,
I have just read on BIX about a terribly nasty trick by which you can
"earn" a virus by reading the most ordinary file, that is, with a plain
TYPE or (God forbid) with the corresponding command on some BBS ;(
I was wondering whether to pass it on or not, but finally concluded
that it is not quite AS dangerous as it looks at first sight, and it is
interesting, so...
==========
security/critters #286, from dts, 515 chars, Sun Apr 14 21:35:41 1991
Comment to 282. Comment(s).
----------
Actually just connecting via modem can get you a virus, if you
are on a PC with ansi.sys (or compatible screen speeder uppers).
The ansi.sys driver besides driving the screen has provision
for adding keyboard macros. As the text is scrolling by on
your screen it could have some escape sequences embedded in it
that reprogram your keys. When you press a reprogrammed key
it might delete a file or modify one, or add one. This
is why many people do not use ansi.sys on a system
(PC) that has a modem on it.
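An added illustration of the ANSI.SYS point in the BIX message above (not code from either poster): a filter that a terminal program or mail reader could apply to incoming text, removing keyboard-reassignment sequences (ESC [ ... p) and reporting what they would have redefined, while leaving colour sequences alone. The function names and the sample text are constructed for this example.

```python
import re

# One parameter of the sequence: a decimal number or a quoted string.
_PARAM = r'''(?:\d+|"[^"]*"|'[^']*')'''

# ESC [ param ; param ; ... p  is the ANSI.SYS keyboard key reassignment.
# Colour (final byte m) and cursor sequences end in other letters and
# therefore never match this pattern.
KEY_REASSIGN = re.compile("\x1b" + r"\[(" + _PARAM + "(?:;" + _PARAM + ")*)p")

# Constructed sample: a colour change, then a sequence that redefines
# F1 (0;59 in the ANSI.SYS key table) to type DIR followed by Enter.
SAMPLE = 'Welcome to the board\x1b[1;33m!\x1b[0m\r\n\x1b[0;59;"DIR";13pEnjoy.\r\n'


def decode(params):
    """Turn a parameter list into (key being redefined, text it would type)."""
    tokens = re.findall(_PARAM, params)

    def value(tok):
        # Quoted strings are literal text, numbers are character codes.
        return tok[1:-1] if tok[0] in "\"'" else chr(int(tok) % 256)

    # A leading 0 marks an extended key: the key is the pair 0;scan-code.
    if tokens[0] == "0" and len(tokens) > 1:
        key, rest = "0;" + tokens[1], tokens[2:]
    else:
        key, rest = tokens[0], tokens[1:]
    return key, "".join(value(t) for t in rest)


def scan_text(text):
    """Return (text with reassignments removed, list of decoded reassignments)."""
    found = [decode(m.group(1)) for m in KEY_REASSIGN.finditer(text)]
    return KEY_REASSIGN.sub("", text), found


if __name__ == "__main__":
    cleaned, found = scan_text(SAMPLE)
    for key, typed in found:
        print("removed reassignment of key %s to %r" % (key, typed))
    print(repr(cleaned))
```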
virusi.165dristic,
-> #163, mikij
Miki, thank you,
only today did I get around to reading what is in CONF virusi; I have
been very busy these days, so as far as I know I cured myself of the
virus: I made my own TXT file from the hex sequence "HEY YOU...HA HA HA
HA.." and with SCAN75 removed the virus. It remains for me to make the
disk bootable; I will take NDD v5 from a friend, I have it on a
diskette but it has a BAD CRC. That should prevent the resurrection of
the virus even if it is in the boot sector, and then I am at ease.
regards Dristic
virusi.166nesic,
Here is the newest SCANV Authentic Version.
virusi.167nesic,
Here is the newest CLEAN Authentic Version.
virusi.168nesic,
Here is the newest VSHLD Authentic Version.
virusi.169dejanr,
-> #166, nesic
Thanks, the programs are in IBMPC\VIRUS.
virusi.170feniks,
Not even the new SCANV76 detects virus 936! :((
So the good old method of searching still remains
>> SCAN /EXT VIR C: <<
Regards, S.P.
virusi.171mikij,
One observation. The new SCAN and CLEAN are significantly shorter than
version 75. The result of optimization or ... ?! I first obtained a
non-authentic version and immediately thought of TROJANs, but SEZAM's
version convinced me that McAfee has done something.
Regards, Miki
virusi.172sjankovic,
-> #164, dejanr
That's one of the reasons for purchasing an Amiga.
virusi.173alexa,
-> #172, sjankovic
Well, lad, the problem is not in the PC or DOS (this time), but in the
ANSI standard, if I am not mistaken. On the Amiga you are safe only if
you are not in compliance with the standard :)
virusi.174sjankovic,
-> #173, alexa
If I understood correctly, macro keys get reprogrammed, so that they
can damage programs if they are pressed. That probably means that DOS
commands are written into them which, e.g., delete files. If those same
DOS commands are given to a computer that does not have the same DOS,
they will not manage to do anything.
Besides that, Amigas most often have no hard disk, and even if the DOS
commands did work, they would not do anything :)))))
Lad
virusi.175alexa,
-> #174, sjankovic
heh, heh, well then it is best to have a computer that does not work -
at least it is safe from computer viruses.
virusi.176sjankovic,
-> #175, alexa
Well now, if you measure the quality of a computer by how many viruses
exist for it and what kind of damage they can do, then you are
right.
S.J.
virusi.177dejanr,
Here is a bit of discussion from AdriaNET about the virus, mentioned a
couple of times already, that SCAN does not recognize.
==============================================================================
Date: 03/11/91 (15:28) Number: 2 GimVic BBS
To: ALL Refer#: NONE
From: DALIBOR CERAR Read: YES
Subj: 928 VIRUS Conf: (13) VIRUSES
------------------------------------------------------------------------
I am sending a description of the 928 virus, which appeared on MicroArt
BBS. The form of the description is similar to VSUM (that is the file
with descriptions of viruses, the author is Patricia Hoffman), because
personally such a description is closer to me than the descriptions in
MM. For more detailed information leave me a message.
Virus Name: 928
Aliases : 933, 936
V Status : Rare
Discovery : February, 1991 (file MA-JONGG.ZIP on MicroArt)
Symptoms : .COM and .EXE programs are lengthened by 928-943 bytes,
the virus stays hidden in memory, under certain conditions
an infected program is no longer executable (instead of
executing the program the virus prints a message)
Origin : ???
Eff Length: 928
General Comments:
Virus 928 was isolated in February 1991 in Koper (on MicroArt
BBS). It is a resident infector of .COM and .EXE programs, including
COMMAND.COM. The virus is written clearly and simply, and also
contains parts from other viruses.
The virus lengthens infected programs by at least 928 bytes. Before
that, the length of the program is rounded up to the next paragraph, so
infected programs can be lengthened by a value between 928 and 943.
Since the length of the virus is divisible by 16, dividing the length
of an infected program by 16 also gives remainder 0.
The conditions that must be met for an infected program to stop being
executable: the year of infection must be at least 1991, the month must
be at least February, and the day of the month at least 25. During
infection the value at address 0000:046C (real-time clock) must be 7
(the content of the location increases 18.2 times per second, so after
infection roughly every 256th program will be non-executable). If all
these conditions are met, the program will no longer work. Instead of
executing the program the computer will beep (^G) and the following
message will be printed on the screen:
"Hey, YOU !!!
Something's happening to you !
Guess what it is ?!
HA HA HA HA ...
"
Programs that were not previously infected will also stop working if
the above conditions are met during infection (the virus first infects
the program and only then executes it).
SCAN version 74B does not yet find the virus. Because of that, you can
help yourself in searching by writing into the file 928.DAT:
"E8 00 00 5B B1 04 D3 EB 8C C8" 928 virus
and running SCAN with:
SCAN C: /M /EXT 928.DAT
     |  |  |
     |  |  we specify the file that contains the additional sequences
     |  just in case, have it search memory as well
     name of the disk it should search
Infected programs can be completely disinfected. The virus namely
stores all the data about the healthy program (including the length).
I hope the description is written understandably enough. I could have
written it more technically too, but then probably only a few would
understand it.
I do not permit parts of this message to be used without my knowledge
and mention.
D.C.
==============================================================================
Date: 03/11/91 (20:50) Number: 4 GimVic BBS
To: DALIBOR CERAR Refer#: NONE
From: JANEZ DEMSAR Read: NO
Subj: 928 VIRUS Conf: (13) VIRUSES
------------------------------------------------------------------------
DC> The conditions that must be met for an infected program to stop being
DC>executable: the year of infection must be at least 1991, the month must
DC>be at least February, and the day of the month at least 25.
Programmer ! :))))
A "normal" person just says - after 25.2.1991 :)))))
DC>During infection the value at
DC>address 0000:046C (real-time clock) must be 7 (the content of the location
DC>increases 18.2 times per second, so after infection roughly
DC>every 256th program will be non-executable).
Interesting - a similar condition is also used by PingPong and (according
to the claims of the self-proclaimed eminence Erjavec) Stoned.
I have dealt only with PingPong - and you, who know others too, do you
notice any other similarities -> namely, PingPong is also called Italian,
and Koper is also close to Italy - maybe the two viruses have the same
author ?
JAnez
---
■ EZ 1.33 ■ Just don't panic !
==============================================================================
Date: 03/12/91 (23:48) Number: 5 GimVic BBS
To: JANEZ DEMSAR Refer#: NONE
From: DALIBOR CERAR Read: NO
Subj: 928 VIRUS Conf: (13) VIRUSES
------------------------------------------------------------------------
JD>DC> The conditions that must be met for an infected program to stop being
JD>DC>executable: the year of infection must be at least 1991, the month must
JD>DC>be at least February, and the day of the month at least 25.
JD>
JD>Programmer ! :))))
JD>
JD>A "normal" person just says - after 25.2.1991 :)))))
No. If the day is e.g. 12.3.1991 the condition will not be met !!!
(So until 25.3.1991 you are safe ...) :)
JD>DC>During infection the value at
JD>DC>address 0000:046C (real-time clock) must be 7 (the content of the location
JD>DC>increases 18.2 times per second, so after infection roughly
JD>DC>every 256th program will be non-executable).
JD>Interesting - a similar condition is also used by PingPong and (according
JD>to the claims of the self-proclaimed eminence Erjavec) Stoned.
JD>I have dealt only with PingPong - and you, who know others too, do you
JD>notice any other similarities -> namely, PingPong is also called Italian,
JD>and Koper is also close to Italy - maybe the two viruses have the same
JD>author ?
The parts of viruses are (at least in my personal opinion) picked from
various viruses. That may mean that this virus was written by someone
who couldn't be bothered to discover things anew. But it is also
possible that all these viruses were written by the same person.
If you have read any VSUM, then you know that, e.g., from Bulgaria there
is a huge number of different viruses and their sub-versions ... (Poor
Vesselin Bontchev)
"normal" person D.C.
---
■ EZ 1.33 ■ No real problem has a solution ...
==============================================================================
Date: 03/14/91 (19:41) Number: 6 GimVic BBS
To: DALIBOR CERAR Refer#: 8097794
From: JANEZ DEMSAR Read: NO
Subj: 928 VIRUS Conf: (13) VIRUSES
------------------------------------------------------------------------
DC>>> The conditions that must be met for an infected program to stop being
DC>>>executable: the year of infection must be at least 1991, the month must
DC>>>be at least February, and the day of the month at least 25.
JD>>Programmer ! :)))) A "normal" person just says - after 25.2.1991 :)))))
DC> No. If the day is e.g. 12.3.1991 the condition will not be met !!!
DC> (So until 25.3.1991 you are safe ...) :)
:)))
I console myself with the thought that it was most probably the virus
author himself who made the mistake ...
JAnez
---
■ EZ 1.33 ■
■ EZ 1.33 ■ GimVic BBS ■ +38 61/ 267-940 ■ non-stop ■
■ RNet 1.08D:■ AdriaNet ■ MojsteR BBS ■ Novo mesto, Sl ■ +38 68 23731/22455
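The disagreement in the two messages above, worked through as an added example that is not part of the original thread. It assumes, as D.C.'s reply implies, that the year, month and day fields are each compared on their own, and that only the low byte of the tick counter at 0000:046C is tested; all function names are hypothetical.

```python
from datetime import date, timedelta

def fieldwise_trigger(d):
    # Assumption taken from D.C.'s reply: year, month and day are each
    # compared on their own, so a day below 25 fails in every month.
    return d.year >= 1991 and d.month >= 2 and d.day >= 25

def calendar_trigger(d):
    # The "after 25.2.1991" reading: one ordered comparison of whole dates.
    return d >= date(1991, 2, 25)

def days_of(year):
    # Every calendar day of the given year, in order.
    d = date(year, 1, 1)
    while d.year == year:
        yield d
        d += timedelta(days=1)

def disagreements(year):
    # Days on which the two readings of the condition give different answers.
    return [d for d in days_of(year)
            if fieldwise_trigger(d) != calendar_trigger(d)]

def armed_days(year):
    # Days on which the field-by-field condition is satisfied.
    return sum(1 for d in days_of(year) if fieldwise_trigger(d))

def tick_gate_fraction(wanted=7, ticks=0x10000):
    # Assumption: only the low byte of the counter at 0000:046C is tested,
    # which is what "roughly every 256th program" suggests.
    hits = sum(1 for t in range(ticks) if t & 0xFF == wanted)
    return hits / ticks

def seconds_per_wrap(rate_hz=18.2):
    # Time for the low byte to run through all 256 values once.
    return 256 / rate_hz

if __name__ == "__main__":
    sample = date(1991, 3, 12)  # the date D.C. uses in his reply
    print(sample, fieldwise_trigger(sample), calendar_trigger(sample))
    print("days in 1991 where the readings differ:", len(disagreements(1991)))
    print("days in 1991 where the field test passes:", armed_days(1991))
    print("tick gate fraction:", tick_gate_fraction())
```

For an analyst the practical consequence is that a sample run on a test machine with the clock set to an arbitrary "late" date may show no payload at all unless the day of the month is also 25 or higher.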
Date: 04-15-91 (22:45) Number: 121 of 122 (Echo)
To: ALL Refer#: NONE
From: DALIBOR CERAR Read: (N/A)
Subj: VIRUSES ARE COMING !!! Status: PUBLIC MESSAGE
Conf: VIRUSES (9) Read Type: GENERAL (+)
In the last month at least four new viruses have appeared in the
Slovenia area (928, V2000 (a version of the Dark Avenger virus), Plastique
and Liberty). I obtained the virus samples only recently (except for the
928 virus, which I have had for some time), so I have not yet had time to
analyse them. In the coming days I will take a look at how "nasty" they are.
D.C.
---
■ SLMR 1.0 ■ Smile ... Tomorrow will be worse ...
■ RNet 1.08D:■ AdriaNet ■ MojsteR BBS ■ Novo mesto, Sl ■ +38 68 23731/22455
virusi.178alexa,
-> #176, sjankovic
I don't see how this is a reply to my message???
virusi.179sjankovic,
-> #178, alexa
Let's say there are two computers: computer A and computer B.
Computer A has, say, average performance and there are, say,
a lot of viruses for it. Computer B has high performance, and there are
no viruses for computer B. Because of incompatibility, viruses from computer A
can do nothing to computer B. That does not mean that computer B is worse,
and even less does it mean that one should not have any computer at all, because
the question was one of software compatibility (and if the software is not compatible,
how would the viruses be?!). So, viruses from A will not attack computer B
not because it is too bad, but because it is not compatible with A.
You ask how that was a reply to your message? Here is why:
According to you:
When there is no computer => there are no viruses.
It logically follows:
When the computer is bad => there are few viruses.
When the computer is good => there are many viruses.
And then a very stupid conclusion (pardon the expression) was drawn, that one
should not get a computer so that there would be no viruses. You can have a perfect
computer that does not respond to the commands of the PC's DOS, and you are safe
from all viruses that try to do you harm in this way.
S.J.
virusi.180mikij,
-> #179, sjankovic
Kid... Please, first, this is a conference for the PC; second, write about
viruses; third, I am sure you are 'VERY' experienced and that you are right and that all of us who
have a PC should kill ourselves right away.
Regards, Miki
virusi.181sjankovic,
-> #180, mikij
I can see that this is a conference for the PC, but what can I do when
there is no conference for the Amiga.
S.J.
virusi.182alexa,
-> #179, sjankovic
> According to you:
> When there is no computer => there are no viruses.
> It logically follows:
> When the computer is bad => there are few viruses.
> When the computer is good => there are many viruses.
???? That is certainly not according to me, and I cannot follow that *logic*.
I am not the one claiming that one computer is good and another is not.
virusi.183sjankovic,
-> #182, alexa
OK, then there is no problem...
We on Amigas are safe, and the gentlemen with PCs will
tremble every time the message "CONNECT ..." appears.
S.J.
virusi.184mjova,
Here is a question:
what value should you get when checking scan
with validate? I get 1. B62A and 2. 14E2
the manual says 2. 14E4.
I would not ask about this if I were sure that everything is ok.
scan reports the possibility that there is a virus in
some program and in the boot sector of the D: partition??!
Though it is not sure itself :) one moment it reports a virus, the next it does not :)
If it is no trouble for someone, please try it.
mjova
virusi.185drakce,
-> #184, mjova
It looks like something is wrong with SCAN. For me VALIDATE for SCAN (version 76)
reports:
______________________________________________________________________
VALIDATE 0.3 Copyright 1988-89 by McAfee Associates. (408) 988-3832
File Name: scan.exe
Size: 58,483
Date: 4-8-1991
File Authentication:
Check Method 1 - B62A
Check Method 2 - 14E4
_______________________________________________________________________
I hope it is not a virus, and in the partition at that. God forbid. Ptui!
virusi.186.bale.,
-> #185, drakce
Damn it, really... For me it reports:
File Authentication:
Check Methof 1 - 3569
Check Method 2 - 10C1
Interesting... Who put scanv76 in the dir?
Regards from .bale. !
#8*)+-<
virusi.187mikij,
-> #186, .bale.
I get the same:
File Authentication:
Check Methof 1 - 3569
Check Method 2 - 10C1
Another 'curiosity'!!!!!!!! I ran SCAN C: /AV. It scans everything
etc. But VSHIELD1, which does only a checksum check, EVERY time the computer is
switched on prints something like: 'BOOT sector changed...'. I thought it was some
BUG, but now... I am starting to wonder... I note that both SCAN and CLEAN are considerably
shorter than the previous version!
Regards, Miki
virusi.188nesic,
-> #186, .bale.
I sent SCAN76.ZIP, CLEAN76.ZIP and VSHLD76.ZIP, which I got
from CHANNEL1 BBS, to the conference, and they were put in the
directory, of course, by the SYSOP or MODERATOR.
I do not believe they are infected. More likely we will have
the programs ????76B.ZIP in a few days
Nešić
virusi.189mjova,
-> #185, drakce
Eh, not that all this wore me out, but at least I read
the manual for scan and clean (and validate). The point is that
scan adds 10 bytes to the end of every tested file so that it can
later check whether anything has changed; it is clearly stated in
the manual. (When it is run with the /av parameter)
Here are the results:
This is after scan /av
File Name: scan.exe
Size: 58,483
Date: 4-8-1991
File Authentication:
Check Method 1 - B62A
Check Method 2 - 14E4
This is after scan /rv
File Name: scan.exe
Size: 58,473
Date: 4-8-1991
File Authentication:
Check Method 1 - 3569
Check Method 2 - 10C1
moral of the story: one should read the manual :)
oh, one more thing: how delighted I was when, on restarting
the computer, the program PVICTIM1 started (then PVICTIM2 too)
and said that the system was infected and that the virus was 10 bytes long.
And then I remembered that SCAN had left that :))
ps. so, everything is fine
(thanks for the help to those who tried validate)
mjova
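What the thread worked out by hand, as an added example that is not part of the original posts: a copy whose size differs from the reference by exactly the 10 appended bytes should be normalised before its check values are compared. VALIDATE's two check methods and the layout of the 10 bytes are not given in the thread, so the CRC functions and the trailer format below are stand-ins, and all names are hypothetical.

```python
import binascii
import zlib

TRAILER_LEN = 10  # bytes SCAN /AV appends, per the manual cited in the thread

def fingerprint(data):
    # (size, check 1, check 2). Both 16-bit checks are stand-ins chosen for
    # this example; they are not VALIDATE's real methods.
    check1 = "%04X" % binascii.crc_hqx(data, 0)
    check2 = "%04X" % (zlib.crc32(data) & 0xFFFF)
    return (len(data), check1, check2)

def add_validation(data):
    # Constructed trailer layout (hypothetical): 2-byte tag, 2-byte CRC of
    # the body, 6 padding bytes. Deterministic, like re-running /AV.
    crc = binascii.crc_hqx(data, 0)
    return data + b"AV" + crc.to_bytes(2, "little") + b"\x00" * 6

def remove_validation(data):
    # Counterpart of /RV: drop the appended bytes again.
    return data[:-TRAILER_LEN]

def classify(local, reference):
    # Compare a local copy with a reference fingerprint, allowing for the
    # validation bytes having been added or removed since it was taken.
    if fingerprint(local) == reference:
        return "match"
    delta = len(local) - reference[0]
    if delta == TRAILER_LEN and fingerprint(remove_validation(local)) == reference:
        return "match after removing trailer"
    if delta == -TRAILER_LEN and fingerprint(add_validation(local)) == reference:
        return "match after adding trailer"
    return "mismatch"

if __name__ == "__main__":
    body = bytes(range(256)) * 8         # constructed stand-in for a program file
    shipped = add_validation(body)       # state the reference values refer to
    reference = fingerprint(shipped)
    patched = bytearray(shipped)
    patched[100] ^= 0xFF                 # one byte altered, size unchanged
    for name, blob in (("shipped", shipped), ("after /RV", body),
                       ("patched", bytes(patched))):
        print(name, fingerprint(blob), classify(blob, reference))
```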
virusi.190zormi,
-> #188, nesic
> I sent SCAN76.ZIP, CLEAN76.ZIP and VSHLD76.ZIP, which I got
> from CHANNEL1 BBS, to the conference, and they were put in the
> directory, of course, by the SYSOP or MODERATOR.
>
> I do not believe they are infected. More likely we will have
> the programs ????76B.ZIP in a few days
There has already been a SCANV76C.ZIP in the USA for several days, and it is
likewise about 58 kB long, and the only difference is that a false
report of one virus has been fixed...
virusi.191dejanr,
-> #189, mjova
>> ps. so, everything is fine
:)
I do not know whether you have noticed, but all the new SCANVs are ZIPped
with a registered PKZIP, which embeds in them a serial number
unique to the company McAfee. That is also how we check the authenticity
of the file before we put it in the directory.
Now, everything in the world can be forged, so presumably that CRC too. But
I see no other way for us to check whether there is a virus in the file or not -
even if there were, it would be a NEW virus that the old SCAN would not detect.
Finally, as the saying goes, "one has to die of something" :( :)
Thanks for the interesting discussion about VALIDATE.
virusi.192jtitov,
-> #189, mjova
>Eh, not that all this wore me out, but at least I read
>the manual for scan and clean (and validate). The point is that
Bravo MJova! :)) Something will come of you, now that you have started reading manuals. I had
a good time reading those panicked messages about the new SCAN. SO PEOPLE, LEARN
ENGLISH AND READ THOSE MANUALS. They are not written for you to use as
toilet paper.
virusi.193bulaja,
-> #192, jtitov
> SO PEOPLE, LEARN ENGLISH AND READ THOSE MANUALS. They are not written for
> you to use as toilet paper.
Explain to me the secret of how you use a readme file as toilet paper?
Is it on 5.25'' or 3.5'' diskettes?
virusi.194mjova,
-> #192, jtitov
>> I had a good time reading those panicked messages about the new
>> SCAN. SO PEOPLE, LEARN ENGLISH AND READ THOSE MANUALS. They are not
>> written for you to use as toilet paper.
The first thing I can note is that you are a sadist, an old woman, and that you behave
like a TRUE COMMUNIST - you always turn up to hand out advice to someone when
nobody needs any such thing.
WHO ARE YOU TO PREACH TO EVERYONE!?!?!?
Can you be found anywhere among normal people? You make my NAME disgusting to me when you
hook onto my messages!! Do you have ideas about how a diskette is turned into
toilet paper? (I do not, nor did such nonsense ever occur to me,
because real paper is much softer and more pleasant to use than a plastic
diskette (let alone a hard disk?!!?))
WHAT ARE YOU BUTTING IN FOR?!?
If you already DO NOT KNOW how to answer the question asked, why then are you
playing smart? In principle, when someone asks something, if the answer is KNOWN,
one should either answer THE QUESTION or KEEP QUIET about it! You DO NOT KNOW and
yet you answer! By what reasoning?
THIS IS THE LAST MESSAGE I HAVE WRITTEN AS A REPLY TO jTITOv
(ps. since you do not understand Serbian: I am not answering you any more! I did not want to
now either, but I read the old conferences and I remembered this pseudonym
as the slimiest)
mjova
virusi.195gbiocic,
-> #192, jtitov
> SO PEOPLE, LEARN ENGLISH AND READ THOSE MANUALS. They are not written for
> you to use as toilet paper.
> Explain to me the secret of how you use a readme file as toilet paper?
> Is it on 5.25'' or 3.5'' diskettes?
Splendid! The first time I take an active part in a SEZAM conference
and I land in just the right topic :(
jtitov, bulaja and mjova are opening new horizons. But first
several hardware and software questions need to be resolved:
1. Is the capacity of diskettes serving as toilet paper measured in
kilobytes or in inches ?
2. Can they be used if pee protection is on ?
3. How is formatting done, is it 3.5 inch for children and
5.25 for adults ( for my wife I would have to get 8-inch ones) ?
4. Is a certain quality required, or can we rely
on NO NAME diskettes as well ?
5. Can the increased costs be reduced by ZIPping the toilet-files ?
(I am already imagining a WCZIP package and a WCZIPFIX program that would be
used for getting out of the sh...).
6. How to organize protection against viruses ?
7. Is it important to do a BACKUP regularly ?
etc.
It is clear that all these questions go beyond the topic of viruses, so I propose
that the SYSOPs open a new conference IBMWC and in it, for a start,
two topics :
1. WC.HARD ( for normal stool);
2. WC.SOFT ( for softer stool).
The criterion for choosing the moderator is obvious, and I think that
excellent candidates can be found on SEZAM :).
gbiocic
virusi.196vkrstonosic,
-> #195, gbiocic
>> It is clear that all these questions go beyond the topic of viruses, so I propose
>> that the SYSOPs open a new conference IBMWC and in it, for a start,
>> two topics :
;)))))))))))) a smile for the whole message.
As for the conference, the Vicevi conference already exists here, so move over there; if
you carry on like this you will get a WC topic very soon as well. In the Vicevi conference you also have
a real chance of winning a prize of 30 minutes a day on Sezam for a study like
this one.
virusi.197vcalic,
-> #196, vkrstonosic
>> As for the conference, the Vicevi conference already exists here, so move over there,
>>if you carry on like this you will get a WC topic very soon as well. In the Vicevi conference,
>>you also have a real chance of winning a prize of 30 minutes a day on Sezam
>>for a study like this one.
That's it, Chetka. That is how you advertise your own conference !!! ;))
WR
virusi.198drakce,
-> #195, gbiocic
>>jtitov, bulaja and mjova are opening new horizons. But first
>>several hardware and software questions need to be resolved:
>>
>> 1. Is the capacity of diskettes serving as toilet paper measured in
>> kilobytes or in inches ?
>> 2. Can they be used if pee protection is on ?
In principle I agree that messages of that kind do not belong in this
conference, but only in principle, because there is something we ESSENTIALLY disagree on. And
that is putting Mr. Mjova and Mr. Bulaja in the same basket with "comrade"
jtitov, or better still, jtitov's comrade. It is hard not to laugh at your
wit, but since I too found myself hit by jtitov's (I apologize
if I got the grammatical case wrong, but I do not command the Arabic language) to say the least
disgusting message, I would ask you to answer the following for me:
1. Do you agree that Mr. Miljan used this conference
for the purposes for which it is intended, i.e. for help and discussion about
viruses and the programs that are supposed to protect against them? If only
such programs existed for protection against people whose brains are
incurably diseased as well.
2. Do you think that comrade jtitov's message (a pity there is no condensed
mode on Sezam) is, to say the least, insulting and vulgar?
3. Do you consider that his message (ignoring for a moment its street tone)
does not contain a single thought of significance for this conference.
4. Can we agree that he is not competent to judge anyone's
knowledge or ignorance of the English language, because he would first have
to express himself in a civilized way in his mother tongue (whichever it is), in order
to be able to pass judgement on foreign languages.
5. Do you consider that an unprovoked insult should be answered, because
types like jtitov (I demand condensed mode!) feed precisely
on people's aversion to dirty polemics.
If you agree with at least part of the questions posed, maybe you will
agree, and maybe you will not, with the following conclusions of mine which I draw from
the reasons stated above:
a) THAT COMRADE jtitov CAN OFFER TOILET PAPER TO HIS MUM, AND NOT TO ME
OR ANYONE ELSE.
b) THAT THE SAME CAN CONSUME IT WITH A SUITABLE SIDE DISH IN UNLIMITED
QUANTITIES, BUT NOT INDUCE OTHERS TO JOIN HIM.
c) THAT IN FUTURE HE STEER CLEAR OF ME ON ALL OCCASIONS, WHICH I SOLEMNLY
PROMISE HIM TOO.
And finally I must apologize to you for the tone of my letter, which is in no case
directed at you, nor at the other users of Sezam, to whom I likewise
apologize. It might have been better to send him a message by mail, or to
answer him directly, but I considered that he should be answered publicly, and I
was loath to address him. I must also note that I have not had
the honour of meeting Messrs. Mjova and Bulaja, nor the misfortune of meeting "that one",
so I had no personal motives for this letter, other than the anger which
"that one" provoked and which unfortunately forced me to stoop to his level.
Respectfully, Dragan
virusi.199gbiocic,
-> #198, drakce
> a) .............. CAN OFFER TOILET PAPER TO HIS MUM, AND NOT TO ME
> OR ANYONE ELSE.
I agree with you on the following: not all members of SEZAM can be lumped
into the same basket. Everyone should be judged by the content and tone of the messages
they send.
However, I can in no way agree with your conclusions which you
wrote in CAPITAL (and not condensed) letters. I want to believe that
you do not agree with them yourself.
To all the others who took part in this incident in any way
or were mentioned in it, I will send private messages.
All the rest, who were forced to read all this, I ask to
understand that this was my *FIRST* participation in SEZAM conferences,
and the basic aim was, by bringing the ball back down to earth, to contribute to returning
the conference to its basic topic. Unfortunately I turned out clumsy and
I bear my share of the blame.
Regards, gbiocic
virusi.200dejanr,
Hoping that on this matter we will finally "bury the hatchet",
I can only say that one of the purposes of Sezam is for users to become acquainted
with various things that are unknown to them, and therefore also with the things
that are written in manuals.
I too (like the others) do not read manuals in detail, so I am grateful
when someone draws my attention to something significant that is written there. Something like that
usually makes it to "Bajtovi lične prirode" as well, which is one of the purposes of that
column.
Please let us return to constructive discussion.
Regards,
Dejan
virusi.202ppekovic,
Here is the new scan ...
Paya
virusi.203ppekovic,
-> #202, ppekovic
... and clean 77 (DL'd from BIX)
Paya