d8forma@dtek.chalmers.se. (Martin Forssen) (09/04/89)
Last night a friend called me, since he suspected he had a virus.
I gladly grabbed my copy of VirusX (3.20) and drove over, but VirusX
reported no virus. However I saw the text from the virus myself, and
a closer look at the diskette showed that the file c/addbuffers had grown,
furthermore a file with a blank name had appeared in devs.

The main symptom of this virus is that every fourth time you reboot, this text appears:

    A Computer virus is a disease
    Terrorism is a transgession
    Software piracy is a crime
    this is the cure
    BGS9 Bundesgrensschutz sektion 9 sonderkommando "EDV"

On this disk the virus had replaced the file c/addbuffers, the size of this new file was 2608 bytes. The above text is encoded in the program, but the string graphics.library can be found, maybe it's normal for addbuffers to call graphics.library :-)

The original addbuffers command was stored in a "blank" file in the devs directory. The addbuffers command was the second in the startup sequence on this disk.

I think the virus looks in the startup-sequence for something (probably files to infect), since I found the string sys:s/startup-sequence coded in the virus.

I don't know if this virus does any damage, but the person first infected hasn't noticed anything.

The questions I now ask myself are:
    Is this a known virus?
and if the answer is no,
    What is Steve Tibbett's mail address?

MaF

Chalmers   |USENET:d8forma@dtek.chalmers.se | " Of course I'm not lost,
University |SNAIL: Martin Forssen           |   I just haven't pinpointed
of         |       Marielundsgatan 9        |   exactly where we are at the
Technology |SWEDEN 431 67 Molndal           |   moment " (David Eddings)
kelvin.rempel@canremote.uucp (KELVIN REMPEL) (09/09/89)
No, that's quite an old virus actually... There's been a killer out for it for a couple of months already... But VirusX still does not take care of it....

 * QNet 1.03a2: Pokey's Place Winnipeg, MB (204) 253-1342 (HST) <<SmartNet>>
hrlaser@sactoh0.UUCP (Harv R. Laser) (09/12/89)
References: <716@mathrt0.math.chalmers.se>

In article <716@mathrt0.math.chalmers.se>, d8forma@dtek.chalmers.se. (Martin Forssen) writes:
>
> Last night a friend called me, since he suspected he had a virus.
> I gladly grabbed my copy of VirusX (3.20) and drove over, but VirusX
> reported no virus. However I saw the text from the virus myself, and
> a closer look at the diskette showed that the file c/addbuffers had grown,
> furthermore a file with a blank name had appeared in devs.
> [stuff deleted]
>
> The questions I now ask myself are:
>     Is this a known virus?
> and if the answer is no,
>     What is Steve Tibbett's mail address?
>
>
> MaF
>

The answer comes to you from Dan James (`djj') author of "KV" which comes bundled with VirusX. Djj has no net access.

Quote:

    Yes, this is a known virus. I have a new version of KV that will detect this virus on a floppy and alert you to its existence. It will also rename the invisible file to OLD_PROGRAM.BGS9 just to help deal with it. Steve Tibbett has the source to KV and plans to incorporate the detection features into the next VirusX.

    Djj

End of Quote

Don't ask when the new VirusX will be out nor what version number it will be. It will be out "soon" and the version number is being withheld for now so that some nasty person doesn't jump the gun and fake a new version. This happened once and annoyed Steve Tibbett to no end.

Stay tuned.

--
| Harv Laser        | SAC-UNIX, Sacramento, Ca.  |
| Plink: CBM*HARV   | UUCP=...pacbell!sactoh0    |
| "The human brain is the only computer made of meat" |
jac423@leah.albany.edu (Jules Cisek) (11/27/90)
I recently tried running BallyIII off of one of my game disks but got
a disk validation error after inserting it. Diskdoctor found track 40
to be corrupt but was able to recover everything. Then I noticed that
the name of the disk was changed to "Lazarus" (it used to be
"MoreGames"). No one else uses my computer and I know of no program
that would change the name of a disk to that. Could this be a new
virus? The fact that only track 40 was corrupt (smack in the middle)
only adds to my suspicion. By the way, VirusX 4.0 noted nothing
strange (I always run it since I got hit by Lamer II last summer).

--
| // .______. J.Cisek CSC MiniSystems "i don't want the world, \_o_/ |
| \X/--|UU UUU| jac423@leah.albany.edu i just want your half..." \\| |
| AMIGA |______| Amiga Student On Campus Consultant SUNY@Albany, USA \\ |
jac423@leah.albany.edu (Julius Andrew Cisek) (11/27/90)
Thanks to the two users who responded EXTREMELY quickly. Apparently, DiskDoctor will rename the disk to "Lazarus" if it doesn't find a name for it. Simple enough. I guess I can continue trusting my VirusX... :)

--
| // .______. J.Cisek CSC MiniSystems "i don't want the world, \_o_/ |
| \X/--|UU UUU| jac423@leah.albany.edu i just want your half..." \\| |
| AMIGA |______| Amiga Student On Campus Consultant SUNY@Albany, USA \\ |
jld8755@helios.TAMU.EDU (Jonathan Davis) (11/27/90)
jac423@leah.albany.edu (Jules Cisek) writes:

>I recently tried running BallyIII off of one of my game disks but got
>a disk validation error after inserting it. Diskdoctor found track 40
>to be corrupt but was able to recover everything. Then I noticed that
>the name of the disk was changed to "Lazarus" (it used to be
>"MoreGames"). No one else uses my computer and I know of no program
>that would change the name of a disk to that. Could this be a new
>virus? The fact that only track 40 was corrupt (smack in the middle)
>only adds to my suspicion. By the way, VirusX 4.0 noted nothing
>strange (I always run it since I got hit by Lamer II last summer).

It's not a new virus; Diskdoctor changes the name of the destination
disk to 'Lazarus' when it cannot determine the name of the disk you
were attempting to recover.

>--
>| // .______. J.Cisek CSC MiniSystems "i don't want the world, \_o_/ |
>| \X/--|UU UUU| jac423@leah.albany.edu i just want your half..." \\| |
>| AMIGA |______| Amiga Student On Campus Consultant SUNY@Albany, USA \\ |

**
|AMIGA ///                                                          |
|-----/// Jonathan Davis "Dyslexics of the world, untie!"           |
| \\\/// jld8755@helios.tamu.edu --Unknown.                         |
| \XX/                                                              |
thad@cup.portal.com (Thad P Floryan) (11/27/90)
jld8755@helios.TAMU.EDU (Jonathan Davis) in <10398@helios.TAMU.EDU> writes:

> It's not a new virus; Diskdoctor changes the name of the destination
> disk to 'Lazarus' when it cannot determine the name of the disk you
> were attempting to recover.

However, in bygone years, many WOULD have claimed that "DiskDoctor" itself
was a virus! :-)

Of course, that reference is to the EARLIER versions of DiskDoctor whose
anomalies prompted Dave Haynie's wonderful "DiskSalve" program.

Thad Floryan [ thad@cup.portal.com (OR) ..!sun!portal!cup.portal.com!thad ]
skank@iastate.edu (Skank George L) (12/02/90)
Two things, could someone tell me what the highest legitimate
version of VirusX is (is it in fact 4.0?), and could someone please tell
me if it runs OK under 2.0?

Thanks,
George
twells@eecs.cs.pdx.edu (Dark Tangent) (12/03/90)
skank@iastate.edu (Skank George L) writes:

> Two things, could someone tell me what the highest legitimate
>version of VirusX is (is it in fact 4.0?), and could someone please tell
>me if it runs OK under 2.0?
> Thanks,
> George

The current version of VirusX is 4.01. This was a minor fix over 4.0 so that it would run correctly under 2.0.

Tabor Wells

|------------------------------------| "Life. You're born. You live. You |
| Tabor Wells                        |  go on some diets. You die.       |
| twells@eecs.cs.pdx.edu             |                                   |
|------------------------------------|             -Bloom County         |
joseph@valnet.UUCP (Joseph P. Hillenburg) (12/04/90)
skank@iastate.edu (Skank George L) writes:

>
> Two things, could someone tell me what the highest legitimate
> version of VirusX is (is it in fact 4.0?), and could someone please tell
> me if it runs OK under 2.0?

Latest legitimate version is 4.01. Works fine under 2.0. VX 4.00 breaks.

>
> Thanks,
> George

Joseph Hillenburg
Secretary, Bloomington Amiga Users Group
joseph@valnet.UUCP ...!iuvax!valnet!joseph
"Only Apple could slow down a 68030 chip." -Computer Shopper
burton@latcs1.oz.au (J Anteloupas D. Bronzo.) (12/04/90)
Followup-To:
Distribution:
Organization: B.E.A.R. Group Incorporated,Latrobe Univ.,Melb,Australia
Keywords:

In <1990Nov26.215421.16919@sarah.albany.edu>,
 I could have sworn jac423@leah.albany.edu (Jules Cisek) managed to say:
>
>
>I recently tried running BallyIII off of one of my game disks but got
>a disk validation error after inserting it. Diskdoctor found track 40
>to be corrupt but was able to recover everything. Then I noticed that
>the name of the disk was changed to "Lazarus" (it used to be
                                      ^^^^^^^^^^
 I found this beastie a few months ago. I was running VirusX4.0
which didn't find it, and zerovirus V?.?? couldn't see it either
 so I killed it by reformatting all of my working floppies.
I've had no problems since.

>"MoreGames"). No one else uses my computer and I know of no program
>that would change the name of a disk to that. Could this be a new
>virus? The fact that only track 40 was corrupt (smack in the middle)
>only adds to my suspicion. By the way, VirusX 4.0 noted nothing
>strange (I always run it since I got hit by Lamer II last summer).
>
>--
>| // .______. J.Cisek CSC MiniSystems "i don't want the world, \_o_/ |
>| \X/--|UU UUU| jac423@leah.albany.edu i just want your half..." \\| |
>| AMIGA |______| Amiga Student On Campus Consultant SUNY@Albany, USA \\ |

James
who has just realised his 'Organisation' is out of date.
lphillips@lpami.wimsey.bc.ca (Larry Phillips) (12/05/90)
In <9300@latcs1.oz.au>, burton@latcs1.oz.au (J Anteloupas D. Bronzo.) writes:
>Followup-To:
>Distribution:
>Organization: B.E.A.R. Group Incorporated,Latrobe Univ.,Melb,Australia
>Keywords:
>
>In <1990Nov26.215421.16919@sarah.albany.edu>,
> I could have sworn jac423@leah.albany.edu (Jules Cisek) managed to say:
>>
>>
>>I recently tried running BallyIII off of one of my game disks but got
>>a disk validation error after inserting it. Diskdoctor found track 40
>>to be corrupt but was able to recover everything. Then I noticed that
>>the name of the disk was changed to "Lazarus" (it used to be
>                                      ^^^^^^^^^^
> I found this beastie a few months ago. I was running VirusX4.0
>which didn't find it, and zerovirus V?.?? couldn't see it either
> so I killed it by reformatting all of my working floppies.
>I've had no problems since.

Great going James. You've resurrected a disk with DiskDoctor, and then proceeded to kill it by formatting it. That'll teach it!

--
The only things to survive a nuclear war will be cockroaches and IBM PCs.
+-----------------------------------------------------------------------+
| // Larry Phillips                                                     |
| \X/ lphillips@lpami.wimsey.bc.ca -or- uunet!van-bc!lpami!lphillips    |
| COMPUSERVE: 76703,4322 -or- 76703.4322@compuserve.com                 |
+-----------------------------------------------------------------------+
amiga@ccwf.cc.utexas.edu (Paul) (12/06/90)
The disk is named "lazarus" due to disk doctor. I.E. DiskDoctor raised your disk from the dead. (if you're confused read the bible). This isn't a virus.

--
Amiga@ccwf.cc.utexas.edu .....Paul......
david@howitt.dog.oz.au (David Le Blanc) (12/06/90)
In article <9300@latcs1.oz.au>, burton@latcs1.oz.au (J Anteloupas D. Bronzo.) writes:
> Organization: B.E.A.R. Group Incorporated,Latrobe Univ.,Melb,Australia
> In <1990Nov26.215421.16919@sarah.albany.edu>,
> I could have sworn jac423@leah.albany.edu (Jules Cisek) managed to say:
> >
> >I recently tried running BallyIII off of one of my game disks but got
> >a disk validation error after inserting it. Diskdoctor found track 40
> >to be corrupt but was able to recover everything. Then I noticed that
                      ^^^ ^^^^ ?????

Diskdoctor COULD not recover the *name* of the disk. So it has to generate a name for the disk. Since the disk has 'just come back from the dead' it was appropriately named 'Lazarus' (Read ya Bible dudes, there are heaps of great quotes in there :-)

> >the name of the disk was changed to "Lazarus" (it used to be
>
> I found this beastie a few months ago. I was running VirusX4.0
> which didn't find it, and zerovirus V?.?? couldn't see it either

Of course virus killers won't find it, it is NOT a virus. Someone at Commodore can be accused of having a sense of humour.

> so I killed it by reformatting all of my working floppies.
> I've had no problems since.

Drastic, but I have to laugh!!

> [ .sig and comment deleted ]

--
Email: david@dogmelb.dog@munnari.oz | Division of Geomechanics,
TEL. (03) 881 1355                  | CSIRO, P.O. Box 54
FAX (03) 881 2052                   | Mt Waverley 3149,
                                    | AUSTRALIA.
markv@kuhub.cc.ukans.edu (12/07/90)
>>I recently tried running BallyIII off of one of my game disks but got
>>a disk validation error after inserting it. Diskdoctor found track 40
>>to be corrupt but was able to recover everything. Then I noticed that
>>the name of the disk was changed to "Lazarus" ...
>> ...notes about virus checking deleted...

Ha ha ha ha ha, or should I say Ho ho ho ho ho? :-).

The only virus that got you was Diskdoctor!!! Diskdoctor calls a fixed disk "Lazarus" when it is unable to "resurrect" a volume name. The Volume name is stored in the root block which is on track 40 on a floppy, so Diskdoctor couldn't find a root block, so it couldn't find the original name of the disk.

I had this happen to me many years ago in the early days of 1.2. I was confused, but when I found the answer I was tickled pink. Just another example of the "levity" of the Amiga design team.

For those of you wondering "Why Lazarus?", think... What was the name of the man Jesus resurrected from being dead? Good... An appropriate thought at this time of year.

Good cheer :-),
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Gooderum                      /\     \ | /    H a p p y
Academic Computing Services       / v\   -- * --   H o l i d a y s ! :-)
University of Kansas             /v  v\   / | \        ///
                                /__v___\       Only   ///  /|         __    _
Bitnet: MARKV@UKANVAX              ||          \\\   ///  /__| |\/| | | _  /_\  makes it
Internet: markv@kuhub.cc.ukans.edu              \/\/  /   | |  | | |__| /   \ possible
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
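The root-block lookup described in the post above, as an added example that is not part of the original thread and is not code from DiskDoctor or any tool named in it. It assumes an 880 KB double-density floppy image (1760 blocks of 512 bytes) with the standard AmigaDOS root block layout; the function names and the sample image are constructed for illustration.

```python
import struct

BLOCK = 512
ROOT_BLOCK = 880            # middle block of a 1760-block DD floppy
SECTORS_PER_CYL = 22        # 11 sectors per track x 2 heads

def root_cylinder():
    """Cylinder holding the root block (the 'track 40' of the thread)."""
    return ROOT_BLOCK // SECTORS_PER_CYL

def checksum_ok(block):
    """A valid AmigaDOS block's 128 big-endian longwords sum to 0 mod 2^32."""
    return sum(struct.unpack(">128L", block)) & 0xFFFFFFFF == 0

def volume_name(image):
    """Return the volume name from the root block, or None when the root
    block is missing or invalid (the case where a recovery tool must
    invent a name)."""
    block = image[ROOT_BLOCK * BLOCK:(ROOT_BLOCK + 1) * BLOCK]
    if len(block) != BLOCK:
        return None
    block_type, = struct.unpack_from(">L", block, 0)          # T_HEADER = 2
    sec_type, = struct.unpack_from(">l", block, BLOCK - 4)    # ST_ROOT = 1
    if block_type != 2 or sec_type != 1 or not checksum_ok(block):
        return None
    length = block[432]                  # BCPL string: length byte, then chars
    if not 1 <= length <= 30:
        return None
    return block[433:433 + length].decode("latin-1")

def make_sample_image(name, damage_root=False):
    """Constructed sample: blank 880 KB image with a minimal root block."""
    root = bytearray(BLOCK)
    struct.pack_into(">L", root, 0, 2)             # primary type
    struct.pack_into(">L", root, 12, 72)           # hash table size
    struct.pack_into(">l", root, BLOCK - 4, 1)     # secondary type
    root[432] = len(name)
    root[433:433 + len(name)] = name.encode("latin-1")
    total = sum(struct.unpack(">128L", bytes(root))) & 0xFFFFFFFF
    struct.pack_into(">L", root, 20, (-total) & 0xFFFFFFFF)   # checksum field
    image = bytearray(1760 * BLOCK)
    image[ROOT_BLOCK * BLOCK:(ROOT_BLOCK + 1) * BLOCK] = root
    if damage_root:
        image[ROOT_BLOCK * BLOCK + 100] ^= 0xFF    # simulate a bad sector
    return bytes(image)

if __name__ == "__main__":
    print(root_cylinder(), volume_name(make_sample_image("MoreGames")))
    print(volume_name(make_sample_image("MoreGames", damage_root=True)))
```

A `None` result is the situation the thread describes: the files may still be recoverable from their own header blocks, but the original volume name is gone with the root block.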
bleys@tronsbox.xei.com (Bill Cavanaugh) (12/07/90)
>>the name of the disk was changed to "Lazarus" (it used to be
>                                      ^^^^^^^^^^

I don't know what might have killed track 40, but amongst its other "charming features", it changes the name of a disk to "Lazarus" when it tries to "resurrect" it. Cute undocumented feature, no?

Get a copy of DiskSalve and delete DiskDoctor. It's the worst program you can find for recovering data.

/****************************************************************
* All of the above copyright by the below.                      *
* Bill Cavanaugh uunet!tronsbox!bleys                           *
* "A language is a dialect with an army and a navy."            *
****************************************************************/